Information Security Governance and Risk Management Flashcards
Principles and Terms
CIA Triad
Vulnerability
Threat
Threat Agents
CIA Triad - Confidentiality, Integrity, Availability
Vulnerability - absence or weakness of a countermeasure
Threat - occurs when a vulnerability is identified or exploited by an attacker
Threat Agents - Entity that carries out the threat. Not all will actually exploit a vulnerability
Principles and Terms
Risk
Exposure
Countermeasures
Due Care
Risk - Probability that a threat agent will exploit a vulnerability and the impact if it’s carried out
Exposure - Occurs when an asset is exposed to loss
Countermeasures - A Control or Mechanism that reduces potential risk. AKA safeguards or controls
Due Care - Organization took all reasonable measures to prevent security breaches and took steps to mitigate damages caused by successful breaches. NOT due diligence. Lack of due care means the company knew about a risk and did nothing to prevent it
Principles and Terms
Due Diligence
Job Rotation
Due Diligence - Organization investigated all vulnerabilities. Includes performing audits and assessments to ensure they’re protected
Job Rotation - Ensures more than one person can perform job tasks, providing redundancy. Important tool to help recognize when fraudulent activities have occurred
Principles and Terms
Separation of Duties and 2 ways to do it
split knowledge
dual controls
Ensures one person can’t compromise organizational security.
split knowledge - no single employee knows all details to perform task
dual controls - requires 2 employees to be available to do a certain task to complete the job
Security Frameworks and Methodologies
ISO / IEC 27000 Series (over 40)
- 27001 - overview, vocabulary
- 27002 - ISMS requirements
- 27003 - code of practice for infosec mgmt
- 27004 - ISMS implementation guidelines
- 27005 - ISMS measurement guidelines
Security program development standard on how to develop and maintain information security management system (ISMS)
These standards are developed by ISO / IEC bodies but certification or conformity assessment is provided by third parties
Security Frameworks and Methodologies
Zachman Framework
2D, 6x6 grid of questions and views
Enterprise architecture framework
2-Dimensional classification system based on 6 questions (What, Where, When, Why, Who, How) that intersect with different views (Planner, Owner, Designer, Builder, Subcontractor, Actual System)
Allows analysis of an org. to be presented to different groups in the org. in ways that relate to their responsibilities
Not security oriented, but helps relay information in a language and format that is useful to target audience
Security Frameworks and Methodologies
The Open Group Architecture Framework (TOGAF)
TOGAF - enterprise architecture framework
helps orgs design, plan, implement, govern an enterprise information architecture.
Based on 4 domains: technology, applications, data, business
Security Frameworks and Methodologies
Department of Defense Architecture Framework (DoDAF)
DoDAF - architecture framework
organizes set of products under 4 views: operational (OV), system (SV), technical standards (TV), all view (AV)
ensures new DoD technologies integrate properly with current infrastructure
Security Frameworks and Methodologies
British Ministry of Defense Architecture Framework (MODAF)
MODAF - architecture framework
Divides information into 7 viewpoints:
- strategic (StV)
- operational (OV)
- service-oriented (SOV)
- systems (SV)
- acquisition (ACV)
- technical (TV)
- all (AV)
Security Frameworks and Methodologies
Sherwood Applied Business Security Architecture (SABSA)
Enterprise security architecture framework that is risk driven
Similar to Zachman framework
uses same 6 communication questions that intersect with six layers instead of views (operational, component, physical, logical, conceptual)
Security Frameworks and Methodologies
Control Objectives for Information and Related Technology (COBIT)
Security Controls development framework
Uses process model to subdivide IT into 4 domains:
- Plan and Organize (PO)
- Acquire and Implement (AI)
- Deliver and Support (DS)
- Monitor and Evaluate (ME)
4 domains are further broken down into 34 processes
aligns with ITIL, PMI, ISO, TOGAF frameworks
mainly used in private sector
Security Frameworks and Methodologies
NIST SP 800-53
NIST SP 800-55
SP 800-53
Security CONTROLS DEVELOPMENT framework
Divides controls into 3 classes: technical, operational, mgmt
each class contains categories, or control families
SP 800-55
information security METRICS framework
provides guidance on developing performance measuring procedures with a US Govt viewpoint
Security Frameworks and Methodologies
Committee of Sponsoring Organizations (COSO) of the Treadway Commission Framework
COSO
Corporate governance framework.
Consists of 5 inter-related components: control environment, risk assessment, control activities, information and communication, monitoring
COSO is for IT governance
COBIT was derived from COSO and is for corporate governance
Security Frameworks and Methodologies
ITIL
Process Management Development. Primary concern is managing SLAs, but has a security component
5 Core Publications containing 26 processes:
- ITIL Service Strategy
- ITIL Service Design
- ITIL Service Transition
- ITIL Service Operation
- ITIL Continual Service Improvement
As part of OMB Circular A-130, an independent review of security controls should be performed every 3 years
Security Frameworks and Methodologies
Six Sigma
Process Improvement Standard. Designed to ID and remove defects in manufacturing process, but can be applied to many business functions incl. security
2 project methodologies inspired by Deming’s Plan/Do/Check/Act cycle
DMAIC - Define, Measure, Analyze, Improve, Control
DMADV - Define, Measure, Analyze, Design, Verify
Security Frameworks and Methodologies
Capability Maturity Model Integration (CMMI)
Process Improvement Approach
Addresses 3 areas of interest:
Product, Service Development (CMMI Development)
Service Establishment, Mgmt (CMMI Services)
Product, Service Acquisition (CMMI Acquisition)
5 levels of maturity for processes:
- 1 Initial
- 2 Managed
- 3 Defined
- 4 Quantitatively Managed
- 5 Optimized
All processes in each level of interest are assigned one of the 5 levels of maturity
Security Frameworks and Methodologies
Top-Down vs Bottom-Up approach
Top-Down
management initiates, supports, directs security program
Bottom-Up
staff members develop security program before getting direction and support from management
top-down is more efficient because management support is so important
Security Frameworks and Methodologies
Steps of Security Program Life Cycle
- Plan and Organize
- Implement
- Operate and maintain
- Monitor and evaluate
plan and organize
perform risk assessment, establish mgmt and steering committee, evaluate business drivers, get mgmt approval
implement
ID and manage assets, manage risk, identity and access control, training on security and awareness, implement solutions
operate and maintain
perform audits, do tasks, manage SLAs
monitor and evaluate
review auditing and logs, evaluate security goals, develop improvement plans for integration into Step 1 - Plan and Organize
Risk Assessment
Tool to identify vulnerabilities and threats, assess their impact and determine which controls to implement
Risk Assessment
4 goals of risk Assessment
ID assets and asset value
ID vulnerabilities and threats
calculate threat probability and business impact
balance threat impact with countermeasure cost
Risk Assessment Process
before starting risk assessment, determine which assets and threats to consider to establish the size of the project
risk assessment team provides report to mgmt on value of assets considered
mgmt finalizes the asset list and determines budget of risk assessment project
if the risk assessment project is not supported by sr. mgmt, it will fail
mgmt must define the purpose and scope, allocate personnel, time and budget for the project
Risk Assessment
NIST SP 800-30
Identifies these steps in risk assessment process
- ID assets and value
- ID threats
- ID vulnerabilities
- Determine likelihood
- ID impact
- Determine risk as combination of likelihood and impact
Asset Values, Vulnerabilities and Threats
Information and Asset (tangible and intangible) Values and Costs
6 considerations to determine asset value
after determining value, then determine vulnerabilities and threats
Tangible assets
Intangible assets - IP, data, reputation
6 considerations to determine asset value:
- value to owner
- work needed to develop or obtain asset
- costs to maintain asset
- damage caused by losing asset
- cost competitors would pay for asset
- penalties if asset was lost
Asset Values, Vulnerabilities and Threats
Vulnerabilities and Threats Identification
Threat agents can be grouped into 6 Categories
Human - malicious, non malicious, insiders, outsiders, terrorists
Natural - flood, fire, etc
Technical - hardware, software failure, malware, new tech
Physical - failures of CCTV, biometrics, perimeter security
Environmental - power failure, traffic issues, hazmat spills, biological warfare
Operational - any process or procedure that can affect CIA
Quantitative Risk Analysis
Assigns monetary and numerical values to all facets of the risk analysis process.
Includes asset value, threat frequency, vulnerability severity, impact, safeguard costs, etc
Quantitative Risk Analysis
Single Loss Expectancy (SLE)
SLE - monetary impact of each threat occurrence.
To determine it, you must know the Asset Value (AV) and the Exposure Factor (EF).
EF is the % value or functionality of an asset that is lost when a threat occurs
SLE = AV * EF
Example: if an asset costs $20,000 and the assessment says the exposure factor for power failure is 25%, then SLE is $5,000