Governance, Risk, and Compliance Flashcards
Security risks are out there
- Many different types to consider
Assets are also varied
- Data, physical property, computer systems
Prevent security events, minimize the impact, and limit the damage
Security controls
Controls that address security design and implementation
Security policies, standard operating procedures
Managerial control
Controls that are implemented by people
Security guards, awareness programs
Operational controls
Controls implemented using systems
Operating system controls
Firewalls, anti-virus
Technical controls
Physically control access
Door lock
Security guard
Firewall
Preventive (control type)
May not prevent access
Identifies and records any intrusion attempt
Motion detector, IDS/IPS
Detective (control type)
Designed to mitigate damage
IPS can block an attacker
Backups can mitigate a ransomware infection
A backup site can provide options when a storm hits
Corrective (control type)
May not directly prevent access
Discourages an intrusion attempt
Warning signs, login banner
Deterrent (control type)
Doesn’t prevent an attack
Restores using other means
Re-image or restore from backup
Hot-site
Backup power system
Compensating (control type)
Fences, locks, mantraps
Real-world security
Physical (control type)
Meeting the standards of law, policies, and regulations
A healthy catalog of regulations and laws
- Across many aspects of business and life
- Many are industry-specific or situational
Penalties
- Fines, incarceration, loss of employment
Scope
- Covers national territory, or state laws
- Domestic and international requirements
Compliance
European Union regulation
- Data protection and privacy for individuals in the EU
- Name, address, photo, email address, bank details, posts on social networking websites, medical information, a computer’s IP address, etc
Controls export of personal data
- Users can decide where their data goes
Gives individuals control of their personal data
- A right to be forgotten
Site privacy policy
- Details all of the privacy rights for a user
European Union data protection and privacy
Personal data must be protected and managed for privacy
General Data Protection Regulation (GDPR)
A standard for protecting credit cards
Six control objectives
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Payment Card Industry Data Security Standard (PCI DSS)
Secure your data
Often a complex problem
- Unique organizational requirements
- Compliance and regulatory requirements
- Many different processes and tools are available
- Documented process
- A guide for creating a security program
- Define tasks and prioritize projects
Security frameworks
Critical Security Controls for Effective Cyber Defense
Improve cyber defenses
- Twenty key actions (the critical security controls)
- Categorized for different organizational sizes
Designed for implementation
- Written for IT professionals
- Includes practical and actionable tasks
Center for Internet Security (CIS)
Mandatory for US federal agencies and organizations that handle federal data
Six-step process
- Step 1: Categorize - Define the environment
- Step 2: Select - Pick appropriate controls
- Step 3: Implement - Define proper implementation
- Step 4: Assess - Determine if controls are working
- Step 5: Authorize - Make a decision to authorize the system
- Step 6: Monitor - Check for ongoing compliance
National Institute of Standards and Technology - Risk Management Framework (NIST RMF)
Framework Core
- Identify, Protect, Detect, Respond, and Recover
Framework Implementation Tiers
- An organization’s view of cybersecurity risk and processes to manage the risk
Framework Profile
- The alignment of standards, guidelines, and practices to the Framework Core
National Institute of Standards and Technology - Cybersecurity Framework (NIST CSF)
Standard for Information Security Management System (ISMS)
ISO/IEC 27001
Code of practice for information security controls
ISO/IEC 27002
Privacy Information Management Systems (PIMS)
ISO/IEC 27701
International standards for risk management practices
ISO 31000
The American Institute of Certified Public Accountants auditing standard Statement on Standards for Attestation Engagements number 18
SSAE 18
Trust Services Criteria (security controls)
- Firewalls, intrusion detection, and multi-factor authentication
SOC 2
Tests controls in place at a particular point in time
Type I audit
Tests controls over a period of at least six consecutive months
Type II audit
Security in cloud computing
- Not-for-profit organization
Cloud Controls Matrix (CCM)
- Cloud-specific security controls
- Controls are mapped to standards, best practices, and regulations
Enterprise Architecture
- Methodology and tools
- Assess internal IT groups and cloud providers
- Determine security capabilities
- Build a roadmap
Cloud Security Alliance (CSA)
No system is secure with the default configurations
- You need some guidelines to keep everything safe
Hardening guides are specific to the software or platform
- Get feedback from the manufacturer or Internet interest group
- They’ll have the best details
Other general-purpose guides are available online
Secure configurations
Access a server with your browser
- The fundamental server on the Internet
- Microsoft Internet Information Server, Apache HTTP Server, et al
Huge potential for access issues
- Data leaks, server access
Secure configuration
- Information leakage: Banner information, directory browsing
- Permissions: Run from a non-privileged account, configure file permissions
- Configure SSL: Manage and install certificates
- Log files: Monitor access and error logs
Web server hardening
Many and varied - Windows, Linux, iOS, Android, et al
Updates
- Operating system updates/service packs, security patches
User accounts
- Minimum password lengths and complexity
- Account limitations
Network access and security
- Limit network access
Monitor and secure
- Anti-virus, anti-malware
Operating system hardening
Programming languages, runtime libraries, etc
- Usually between the web server and the database
- Middleware
Very specific functionality
- Disable all unnecessary services
Operating system updates
- Security patches
File permissions and access controls
- Limit rights to what’s required
- Limit access from other devices
Application server
Switches, routers, firewalls, IPS, etc
- You never see them, but they’re always there
Purpose-built devices
- Embedded OS, limited OS access
Configure authentication
- Don’t use the defaults
Check with the manufacturer
- Security updates
- Not usually updated frequently
- Updates are usually important
Network infrastructure devices
What is an acceptable use of company assets?
- Detailed documentation
- May be documented in the Rules of Behavior
Covers many topics
- Internet use, telephones, computers, mobile devices, etc
Used by an organization to limit legal liability
- If someone is dismissed, these are the well-documented reasons why
Acceptable use policy (AUP)
Keep people moving between responsibilities
- No one person maintains control for long periods of time
Job rotation
Rotate others through the job
- The longer the vacation, the better the chance of identifying fraud
- Especially important in high-security environments
Mandatory vacations
Split knowledge
- No one person has all of the details
- Half of the safe combination
Separation of duties
Two people must be present to perform the business function
- Two keys open a safe (or launch a mission)
Dual control
When you leave, nothing is left on your desk
- Limit the exposure of sensitive data to third parties
Clean desk policy
Rights and permissions should be set to the bare minimum
- You only get exactly what’s needed to complete your objective
All user accounts must be limited
- Applications should run with minimal privileges
Don’t allow users to run with administrative privileges
- Limits the scope of malicious behavior
Least privilege
Pre-employment screening
Verify the applicant’s claims
Discover criminal history, workers compensation claims, etc
Legalities vary by country
Adverse actions
- An action that denies employment based on this
- May require extensive documentation
- Can also include existing employees
Background checks
Confidentiality agreement/Legal contract
- Prevents the use and dissemination of confidential information
Confidentiality agreement between parties
- Information in the agreement should not be disclosed
Protects confidential information
- Trade secrets
- Business activities
- Anything else listed
Unilateral or bilateral (or multilateral)
- One-way or mutual
Formal contract
- Signatures are usually required
Non-disclosure agreement (NDA)
Gather data from social media
Facebook, Twitter, LinkedIn, Instagram
Build a personal profile
Another data point when making a hiring decision
Social media analysis
Bring a new person into the organization
- New hires or transfers
IT agreements need to be signed
- May be part of the employee handbook or a separate AUP
Create accounts
- Associate the user with the proper groups and departments
Provide required IT hardware
- Laptops, tablets, etc
On-boarding
This process should be pre-planned
- You don’t want to decide how to do things at this point
What happens to the hardware and the data?
Account information is usually deactivated
- But not always deleted
Off-boarding
Gamification
- Score points, compete with others, collect badges
Capture the flag (CTF)
- Security competition
- Hack into a server to steal data (the flag)
- Can involve highly technical simulations
- A practical learning environment
Phishing simulation
- Send simulated phishing emails
- Make vishing calls
- See which users are susceptible to phishing attacks without being a victim of phishing
Computer-based training (CBT)
- Automated pre-built training
- May include video, audio, and Q&A
- Users all receive the same training experience
User training
Before providing access, train your users
- Detailed security requirements
Specialized training
- Each user role has unique security responsibilities
Also applies to third parties
- Contractors, partners, suppliers
Detailed documentation and records
- Problems later can be severe for everyone
Role-based security awareness training
Every organization works with vendors
- Payroll, customer relationship management, email marketing, travel, raw materials
Important company data is often shared
- May be required for cloud-based services
Perform a risk assessment
- Categorize risk by vendor and manage the risk
Use contracts for clear understanding
- Make sure everyone understands the expectations
- Use the contract to enforce a secure environment
Vendors
The system involved when creating a product
- Involves organizations, people, activities, and resources
Assessment
- Get a product or service from supplier to customer
- Evaluate coordination between groups
- Identify areas of improvement
- Assess the IT systems supporting the operation
- Document the business process changes
Supply chain
Much closer to your data than a vendor
- May require direct access
- May be a larger security concern than an outside hacker
Often involves communication over a trusted connection
- More difficult to identify malicious activity
Partner risk management should be included
- Requirements for best practices, data handling, intellectual property
Include additional security between partners
- Firewalls and traffic filters
Business partners
Minimum terms for services provided
Uptime, response time agreement, etc
Commonly used between customers and service providers
Service Level Agreement (SLA)
Both sides agree on the contents
Usually includes statements of confidentiality
Informal letter of intent; not a signed contract
Memorandum of Understanding (MOU)
Don’t make decisions based on incorrect data!
Used with quality management systems
Assess the measurement process
Calculate measurement uncertainty
Measurement system analysis (MSA)
Going into business together
Owner stake
Financial contract
Decision-making agreements
Prepare for contingencies
Business Partnership Agreement (BPA)