Lesson 1 Security Roles and Controls Flashcards
CIA Triad
Secure information has three important properties, often referred to as the CIA Triad:
Confidentiality
- information known to certain people
- enforced by permissions, authentication, encryption (the property governments emphasize most)
Integrity
- data is correct and transferred as intended
- enforced by hashes/checksums
Availability
- data is accessible by authorized users to view/modify
- enforced by backups/redundancy
A 4th property: non-repudiation
- subject cannot deny creating or modifying the data
- enforced by signing electronically
non-repudiation
Another important property of InfoSec
Non-repudiation means that a subject cannot deny doing something, such as creating, modifying, or sending a resource
Enforced by signing electronically
Security Control Categories
Managerial
- Controls which give oversight of the system
Operational
- Controls which depend on a person for implementation
Technical
- Controls implemented in operating systems, software, and security appliances
Security Control Functional Types
Type 1:
Preventative - before attack - physical or logical
Detective - during attack - record successful or failed attacks - security guard monitoring camera
Corrective - after attack - responds to and/or fixes an incident - security guard response
Type 2:
Deterrent - psychological - unmonitored camera, signs
Physical - gates, fences, locks, camera
Compensating - substitute for a principal control as recommended by a security standard
NIST Cybersecurity Framework
Provides:
statement of current capabilities
measure progress
verifiable for regulatory compliance reporting
Recall the diagram of its 5 functions for protecting against attacks: Identify, Protect, Detect, Respond, Recover
Info Sec Roles
CSO
CISO
ISSO
Overall responsibility for internal security:
CSO - Chief Security Officer
CISO - Chief Information Security Officer (managerial - responsible for the domain)
ISSO - Information Systems Security Officer (technical - implements, monitors and maintains the policy)
Non-technical: due care/liability
SOC
Sec Ops Center
part of Info Sec Business Unit
CIRT
Cyber Incident response team
part of incident response for an Info Sec business unit
CSIRT
Computer Sec Incident Response Team
part of incident response for an Info Sec business unit
CERT
Computer Emergency Response Team
part of incident response for an Info Sec business unit
ISO Framework
International Organization for Standards
27k - info sec standards
27001 - rules and regulations for info sec
27002 - best practices for info sec
27701 - rules tied to privacy for info sec
31k - Enterprise Risk Management (ERM)
suggestions for managing risk and response
Cloud Frameworks
Cloud Security Alliance
Sec guides for CSPs (cloud service providers)
Enterprise reference architecture
Cloud controls matrix
SSAE - Statements on Standards for Attestation Engagements
SOC - Service Organization Control
SOC2 for service provider evaluation
SOC3 for public compliance report
Benchmarks and Secure Configuration Guides
CIS - Center for Internet Security
OS/network platform/vendor-specific guides and benchmarks
- vendor provided info
- CIS benchmarks
- DoD Cyber Exchange
- NIST National Checklist Program (NCP)
App Servers and Web Server Apps
- client/server
- multi-tier (front end, middleware (business logic), back end (data))
- OWASP
Regulations, Standards, Legislation
Due Diligence:
Sarbanes-Oxley (SOX)
Computer Sec Act (1987)
Federal Info Sec Mgmt Act (FISMA)
General Data Protection Regulation (GDPR)
- EU-based privacy regulation for Info Sec
National, territory or state laws
GLBA
HIPAA
CCPA - California Consumer Privacy Act
PCI DSS
Payment Card Industry Data Security Standard
PCI DSS requirements
Top three:
Annual security test/audit of the company's security policies
All user accounts must be unique
Never storing the CVV code