Domain 7. Chapter 16 Flashcards
Chapter 16. Managing Security Operations
Resource protection ensures that resources are securely provisioned when they’re deployed and throughout their lifecycle.
Configuration management ensures that systems are configured correctly, and change management processes protect against outages from unauthorized changes.
Patch and vulnerability management controls ensure that systems are up to date and protected against known vulnerabilities.
- Apply Foundational Security Operations Concepts
1.1 Need-to-Know Access
1.2 The Principle of Least Privilege
1.3 Separation of Duties (SoD) and Responsibilities
1.4 Two-Person Control
1.5 Job Rotation
1.6 Mandatory Vacations
1.7 Privileged Account Management
1.8 Service Level Agreements (SLAs)
1.1 Need-to-Know Access
The need-to-know principle imposes the requirement to grant users access only to data or resources they need to perform assigned work tasks. The primary purpose is to keep secret information secret.
Need to know is commonly associated with security clearances, such as a person having a Secret clearance.
Restricting access based on a need to know helps protect against unauthorized access that could result in a loss of confidentiality.
1.2 The Principle of Least Privilege
The least privilege principle states that subjects are granted only the privileges necessary to perform assigned work tasks and no more. Keep in mind that privilege in this context includes both permissions to data and rights to perform systems tasks.
Limiting and controlling privileges based on this concept protects confidentiality and data integrity.
1.3 Separation of Duties (SoD) and Responsibilities
Separation of duties (SoD) and responsibilities ensures that no single person has total control over a critical function or system. This is necessary to ensure that no single person can compromise the system or its security. Instead, two or more people must conspire or collude against the organization, which increases the risk for these people.
A separation of duties policy creates a checks-and-balances system where two or more users verify each other’s actions and must work in concert to accomplish necessary work tasks.
Similarly, organizations often break down processes into multiple tasks or duties and assign these duties to different individuals to prevent fraud.
Vocabulary: conspire or collude (to plot together secretly); checks-and-balances (a system of checks and balances).
1.4 Two-Person Control
Two-person control (sometimes called the two-man rule) requires the approval of two individuals for critical tasks.
For example, safe deposit boxes in banks often require two keys.
Using two-person controls within an organization ensures peer review and reduces the likelihood of collusion and fraud. For example, an organization can require two individuals within the company (such as the chief financial officer and the chief executive officer) to approve key business decisions.
Split knowledge combines the concepts of separation of duties and two-person control into a single solution. The basic idea is that the information or privilege required to perform an operation is divided among two or more users. This ensures that no single person has sufficient privileges to compromise the security of the environment.
1.5 Job Rotation
Job rotation (sometimes called rotation of duties) means that employees rotate through jobs or rotate job responsibilities with other employees.
Using job rotation as a security control provides peer review, reduces fraud, and enables cross-training. Cross-training helps make an environment less dependent on any single individual.
1.6 Mandatory Vacations
Many organizations require employees to take mandatory vacations in one-week or two-week increments.
This provides a form of peer review and helps detect fraud and collusion. This policy ensures that another employee takes over an individual’s job responsibilities for at least a week. If an employee is involved in fraud, the person taking over the responsibilities is likely to discover it.
Financial organizations are at risk of significant losses from fraud by employees. They often use job rotation, separation of duties and responsibilities, and mandatory vacation policies to reduce these risks. Combined, these policies help prevent incidents and help detect them when they occur.
Vocabulary: peer review (expert evaluation by colleagues).
1.7 Privileged Account Management
Privileged account management (PAM) solutions restrict access to privileged accounts or detect when accounts use any elevated privileges.
In this context, privileged accounts are administrator accounts or any accounts that have specific elevated privileges. This can include help desk workers who have been granted limited privileges to perform certain activities.
Many automated tools are available that can monitor the usage of special privileges. When an administrator or privileged operator performs one of these activities, the tool can log the event and send an alert. Additionally, access review audits detect misuse of these privileges.
1.8 Service Level Agreements (SLAs)
A service level agreement (SLA) is an agreement between an organization and an outside entity, such as a vendor. The SLA stipulates (specifies, defines) performance expectations and often includes penalties if the vendor doesn’t meet these expectations.
As an example, many organizations use cloud-based services to rent servers
- Addressing Personnel Safety and Security
Organizations should implement security controls that enhance personnel safety.
2.1 Duress
2.2 Travel
2.3 Emergency Management
2.4 Security Training and Awareness
Vocabulary: duress (pressure, coercion; also confinement or deprivation of liberty).
2.1 Duress
Duress systems are useful when personnel are working alone.
A simple duress system is just a button that sends a distress call. A monitoring entity receives the distress call and responds based on established procedures. The monitoring entity could initiate a phone call or text message back to the person who sent the distress call. In this example, the guard responds by confirming the situation.
Some electronic cipher locks support two or more codes, such as one for regular use and one to raise an alarm. Normally, employees would enter a code (such as 1 2 3 4) to open the door to a secure area. In a duress situation, they could enter a different code (such as 5 6 7 8) that would open the door and set off a silent alarm.
2.2 Travel
Another safety concern is when employees travel because criminals might target an organization’s employees while they are traveling.
This includes simple things such as verifying a person’s identity before opening the hotel door.
Employees should also be warned about the many risks associated with electronic devices (such as smartphones, tablets, and laptops) when traveling. These risks include the following:
- Sensitive Data: Ideally, the devices should not contain any sensitive data. This prevents the loss of data if the devices are lost or stolen. If an employee needs this data while traveling, it should be protected with strong encryption.
- Malware and Monitoring Devices: There have been many reported cases of malware being installed on systems while employees were visiting a foreign country. Even a short absence from a hotel room is more than enough time for someone who otherwise looks like hotel staff to enter the room, install malware in the operating system, and install a physical listening device inside the computer. Maintaining physical control of devices at all times can prevent these attacks. Security experts recommend that employees do not bring their personal devices but instead bring temporary devices to be used during the trip. After the trip, these can be wiped clean and reimaged.
- Free Wi-Fi: Free Wi-Fi often sounds appealing while traveling. However, it can easily be a trap configured to capture all the user’s traffic. Instead, users should have a method of creating their own internet connection, such as through a smartphone or with a mobile wireless hotspot device.
- VPNs: Employees should have access to virtual private networks (VPNs) that they can use to create secure connections. These can be used to access resources in the internal network, including their work-related email.
2.3 Emergency Management
Emergency management plans and practices help an organization address personnel safety and security after a disaster. This topic is covered in more detail in “Disaster Recovery Planning.”
2.4 Security Training and Awareness
See Chapter 2, “Personnel Security and Risk Management Concepts.” If an organization has a training and awareness program in place, it’s relatively easy to add personnel safety and security topics. These programs help ensure that personnel are aware of duress systems, travel best practices, emergency management plans, and general safety and security best practices.
- Provision Resources Securely
3.1 Information and Asset Ownership
3.2 Asset Management
3.3 Hardware Asset Inventories
3.4 Software Asset Inventories
3.5 Intangible Inventories
3.1 Information and Asset Ownership
The key point is that by identifying the assets’ owners, an organization also identifies the individuals responsible for protecting those assets. Data owners typically delegate data protection tasks to others in the organization. For example, employees in the data custodian security role typically perform daily tasks such as implementing access controls, performing backups, and managing data storage.
3.2 Asset Management
Asset management refers to managing both tangible and intangible assets. This typically starts with inventories of assets, tracking the assets, and taking additional steps to protect them throughout their lifetime.
Tangible assets include hardware and software assets owned by the company. Intangible assets include patents, copyrights, a company’s reputation, and other assets representing potential revenue. By managing assets successfully, an organization prevents losses.
Many organizations use an automated configuration management system (CMS) to help with hardware asset management.
Vocabulary: tangible and intangible assets (material and non-material assets); inventories of assets (asset inventory).