Security and Risk Management Flashcards
CIA Triad
Confidentiality
Integrity
Availability
ISO 27001/27002
“The International Standards Organization (ISO) is recognized globally, and it is probably the most pervasive and used source of security standards outside the United States (American organizations often use standards from other sources). ISO 27001 is known as the information security management system (ISMS) and is a comprehensive, holistic view of security governance within an organization, mostly focused on policy.”
COBIT
Created and maintained by ISACA, the COBIT framework (currently COBIT 5) is designed as a way to manage and document enterprise IT and IT security functions for an organization. COBIT widely uses a governance and process perspective for resource management and is intended to address:
IT performance,
security operations,
risk management,
and regulatory compliance
ITIL
IT Infrastructure Library - best practices for IT core operational processes (delivering services to business customers); concerned with processes, not technologies
ITIL v3 has 5 Phases
- Service Strategy
- Service Design
- Service Transition
- Service Operation
- Continuous service improvement
RMF
RISK MANAGEMENT FRAMEWORK
“NIST, the U.S. National Institute of Standards and Technology, publishes two methods that work in concert (similar to how ISO 27001 and 27002 function); the Risk Management Framework (RMF), and the applicable list of security and privacy controls that goes along with it (respectively, these documents are Special Publications (SPs) 800-37 and 800-53). While the NIST SP series is only required to be followed by federal agencies in the United States, it can easily be applied to any kind of organization as the methods and concepts are universal. Also, like all American government documents, it is in the public domain; private organizations do not have to pay to adopt and use this framework. However, there is no private certification for the NIST framework.”
CSA STAR
“The Cloud Security Alliance (CSA) is a volunteer organization with participant members from both public and private sectors, concentrating—as the name suggests—on security aspects of cloud computing. The CSA publishes standards and tools for industry and practitioners, at no charge. The CSA also hosts the Security, Trust, and Assurance Registry (STAR), which is a voluntary list of all cloud service providers who comply with the STAR program framework and agree to publish documentation on the STAR website attesting to compliance. Customers and potential customers can review and consider cloud vendors at no cost by accessing the STAR website. The STAR framework is a composite of various standards, regulations, and statutory requirements from around the world, covering a variety of subjects related to IT and data security; entities that choose to subscribe to the STAR program are required to complete and publish a questionnaire (the Consensus Assessments Initiative Questionnaire (CAIQ), colloquially pronounced “cake”) published by CSA. The STAR program has three tiers, 1–3, in ascending order of complexity. Tier 1 only requires the vendor self-assessment, using the CAIQ. Tier 2 is an assessment of the organization by an external auditor certified by CSA to perform CAIQ audits. Tier 3 is in draft form as of the time of publication of this CBK; it will require continuous monitoring of the target organization by independent, certified entities.”
DUE CARE
Obligation
(looking out for safety of others)
“due” = required or legally required
“is a legal concept pertaining to the duty owed by a provider to a customer. In essence, a vendor has to engage in a reasonable manner so as not to endanger the customer: the vendor’s products/services should deliver what the customer expects, without putting the customer at risk of undue harm”
DUE DILIGENCE
Actions that support “due care”:
- verifying background checks
- information security assessments
- risk assessment of physical security systems
- threat intelligence services
RISK
The possibility of damage or harm, and the likelihood that the damage or harm will be realized.
ACCEPTABLE RISK
The level of risk that is suitable relative to the rewards offered by conducting operations.
Business Impact Analysis (BIA)
Measures the value of an asset, the threats and risks posed by the asset, and the impact to the organization if the asset were affected.
Intellectual Property Laws
Intellectual Property
Patent
Copyright
Trademark Laws
Trade Secrets
THREATS
Any aspect that creates a risk to the organization, its functions or its assets:
Natural
Criminal
User error
VULNERABILITIES
Any aspect of the organization’s operation that could increase a risk or the possibility of a risk being realized:
Software
Physical
Personnel
VULNERABILITY
An inherent weakness in an information system, security procedures, internal controls, or implementation that could be exploited by a threat source.
Tends to focus on technology aspects
DATA BREACH TERMINOLOGY
Incident
Breach
Data disclosure
RISK AVOIDANCE
The practice of coming up with alternatives so the risk in question is not realized.
RISK TRANSFERENCE
The practice of passing on the risk to another entity.
RISK MITIGATION
The decrease in the level of risk through implementation of controls.
RISK ACCEPTANCE
The practice of accepting certain risks based on a business decision that weighs the cost vs. the benefit of a risk.
RESIDUAL RISK
The risk that remains after controls are put in place.
Who is responsible for security at company
Security is responsibility of everyone at a company.
SECURITY CONTROLS
Methods, tools, mechanisms, and processes used in risk mitigation.
Safeguards - before risk is realized
Countermeasures - after the risk is realized
All security controls have detrimental effects on operations; control selection must entail cost/benefit analysis.
ANNUAL LOSS EXPECTANCY
QUANTITATIVE RISK ANALYSIS
ALE = Single Loss Expectancy (SLE) x Annual Rate of Occurrence (ARO)
The annual cost of countermeasures must be smaller than the ALE
TYPES OF CONTROLS
Technological/logical
Physical
Administrative (Procedures/ policy)
CONTROLS CONTINUUM
Pre-Event
- Directive
- Preventative
- Compensating
- Deterrent
- Detective
Post-Event
- Corrective
- Recovery
DEFENSE IN DEPTH
Optimal control implementation with layered defenses.
MONITORING AND MEASUREMENT
After control selection, monitoring and enforcement are necessary.
May involve a Security Control Assessment (SCA).
Should include continuous improvement efforts
Vulnerability Assessments
Penetration Testing
RISK FRAMEWORKS
ISO
COSO
ISACA
NIST
COSO
Identifies 5 internal control areas to meet financial reporting and disclosure objectives:
Control Environment
Risk Assessment
Control Activities
Information and Communications
Monitoring
THIRD PARTY REVIEW ENTITIES
ISO certified audits
CSA STAR Evaluation
AICPA SSAE 16 SOC Reports
RISK MANAGEMENT METHODOLOGIES
Governance Review
Site Security Review
Formal Security Audit
Penetration Testing
THREAT MODELING
Looking at an environment, system, or application from an attacker’s point of view and trying to determine vulnerabilities the attacker would exploit.
STRIDE MODEL
SPOOFING
TAMPERING
REPUDIATION
INFORMATION DISCLOSURE
DOS (Denial of Service)
Elevation of privilege
MINIMUM SECURITY REQUIREMENTS
Involve stakeholders as soon as possible
Ensure requirements are specific, realistic and measurable
Restate your understanding of the requirements back to them to confirm
Don’t choose tools or solutions until the requirements are understood
Create prototypes, diagrams or visuals to help solidify understanding on all sides
SERVICE LEVEL REQUIREMENTS (SLR)
Detailed service level requirements
Mutual responsibilities
Other requirements specific to certain customer groups
Both SLR and SLA become addendum to contracts
Compares agreed against achieved performance
Includes information on service usage
Provides ongoing measures for service improvement
Exceptional events
SERVICE LEVEL AGREEMENT (SLA)
Defines the minimum requirements of a business arrangement and codifies their provision
Every element of the SLA should include a discrete, objective, numeric metric to judge success or failure
Often used as a payment calculator / discriminator
Best serves recurring, continual requirements, not singular or infrequent events
Both SLR and SLA become addendum to contracts
Define the agreed upon level of performance and compensation or penalty between the provider and the customer
If it’s not measurable, not a metric, or not recurring, it’s NOT an SLA
ASSURANCE
Can only be gained through inspection, review and assessment
COMPLIANCE
Adherence to an external mandate.
PRIVACY
The right of a human being to control the manner and extent to which information about him is distributed.
AUDITS AND AUDITING
The tools, processes, and activities used to perform compliance reviews (finding the truth)
PCI
PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)
- Voluntary
- Comprehensive
- Consequences enforced by the PCI Council
- Multiple merchant levels
Requirements for:
- Protecting cardholder data
- Not saving the CVV
Not a contract - Not a law
LEGAL STANDARDS
Case law sets precedents used in future cases; these can become legal standards the courts use to determine expectations such as due care.
INDUSTRY STANDARDS
Set by industry participants and concerned entities
Can eventually evolve into a legal standard
May be accepted by regulators
Standards you should be familiar with:
ISO
CSA STAR
Uptime Institute
REGULATORY STANDARDS
Standards set by government bodies
Regulations you should know of:
- GDPR (EU)
- The Privacy Act (Australia)
- HIPAA
- APPI (Japan)
- Personal Data Protection Law (Argentina)
- Personal Data Protection Law (Singapore)
- GLBA
- PIPEDA
- SOX
- FISMA
COMMON PRIVACY TENETS
- Notification
- Participation
- Scope Limitation
- Accuracy
- Retention
- Security
- Dissemination
INTELLECTUAL PROPERTY
Intellectual property: intangible assets.
The use of someone else’s intellectual property (including software) often requires licensing. Some forms include:
Site
Per-seat
Shareware
Public Domain (not a license but property type)
DRM
DIGITAL RIGHTS MANAGEMENT
Some countries limit the import of security tools, particularly encryption solutions (Russia, Brunei, Mongolia)
International legal restrictions (Wassenaar Arrangement)
Some countries limit export (United States)
DRM TRAITS:
Persistence (access controls follow protected material)
Dynamic policy control (centralized capability to modify permissions)
Automatic expiration (enforces time-based expiration)
Continuous audit trail
Interoperability
IMPORT/EXPORT CONTROLS
International Traffic in Arms Regulations (ITAR)
Controls the manufacture, sale, and distribution of defense and space-related articles and services as defined in the United States Munitions List (USML)
Export Administration Regulation (EAR)
Contains a list called the Commerce Control List (CCL). The CCL is a limited list of items within the scope of the EAR which merit particular attention because they could potentially have military use in addition to commercial use. CCL-listed items are therefore often referred to as “dual-use”.
GDPR
General Data Protection Regulation (GDPR) prevents any EU citizen’s privacy data from going to any country that does not have equivalent privacy laws.
GDPR COMPLIANCE
Countries that have equivalent laws:
- All EU countries
- Andorra
- Singapore
- Switzerland
- Japan
- Israel
- Australia
- Argentina
- Uruguay
- Canada
- NOT the US
PRIVACY SHIELD PROGRAM
EU/US and US/Swiss Safe Harbor Frameworks to preserve data flows from the EU and Switzerland to the US
REP
Reasonable Expectation of Privacy - all individuals have this.
WREP
WAIVER OF REASONABLE EXPECTATION OF PRIVACY
Communication about the organization’s privacy is key to ensuring understanding of WREP.
PII
Personally Identifiable Information (PII)
Any data about a human being that could be used to identify that person.
Examples:
- Name
- Tax ID / social security number
- Home address
- Mobile phone number
- Specific computer (MAC address, IP address of PC)
- Credit card number
- Bank account number
- Facial photograph
PRIVACY TERMS
- Data Subject
- Data Owner / Data Controller
- Data Processor
- Data Custodian
RISK OPTIONS
Avoidance
Acceptance
Mitigation (controls)
Transfer
SECURITY CONTROL CATEGORIES
DIRECTIVE (impose mandates or requirements)
DETERRENT (reduce likelihood)
PREVENTATIVE (prohibit certain activities)
COMPENSATING (mitigate the effects of losing primary controls)
DETECTIVE (recognize hostile activity)
CORRECTIVE (react to activity to perform remediation or restoration)
RECOVERY (restore operations or state)
VULNERABILITY ASSESSMENT
Reviews the organization’s IT environment for known vulnerabilities (usually done via automated tools).
PENETRATION TESTING
Trusted party attempts to gain access to protected environment to test security defenses.
COSO
Committee of Sponsoring Organizations of the Treadway Commission. Formed after the 1980’s financial scandals.
In 2004 it published the Enterprise Risk Management - Integrated Framework, seen as the definitive guide on the topic.
ISACA
Published the RISK IT Framework - described as connecting risk management from a strategic perspective with risk-related IT management.
RISK BASED MGMT FOR SUPPLY CHAIN
Governance review
Site security review
Formal security audit
Penetration testing
OCTAVE
Carnegie Mellon University model, designed for viewing the overall risk of IT systems across the organization.
TRIKE
Open source methodology and tool-set from MIT
UPTIME INSTITUTE
Certification program for data-centers - in support of CIA elements
SSAE 16
Audit standard designed for publicly traded companies, including managed cloud providers, devised by the AICPA.
GLBA
Gramm-Leach-Bliley Act
Federal law that allowed banks to merge with insurance companies; includes protections covering the collection, protection and dissemination of information.
FISMA
Federal Information Systems Management
US law that applies to federal government agencies requiring the compliance to NIST guidance and standards.
DATA SUBJECT
Individual human being that the PII refers to.
DATA OWNER/CONTROLLER
Entity that collects and creates PII
The data owner/controller is legally responsible for the protection of the PII and is liable for any unauthorized release of PII.
Organizations are the owner/controller usually.
DATA PROCESSOR
Entity working on behalf of the data owner that processes PII. The data owner is still legally liable - regardless of what the Processor does.
DATA CUSTODIAN
Person within an organization who manages the data on a day-to-day basis on behalf of the owner/controller. This could be the database administrator or anyone with privileged access to the database.
POLICY
Communicate management expectations, which are fulfilled through the execution of procedures and adherence to standards, baselines, and guidelines.
This is what companies adopt in the absence of laws and contractual obligations.
Candidate Screening and Hiring
Detailed job descriptions
Checking references
Employment history
Background check
Financial profile
CANDIDATE SCREENING
JOB DESCRIPTIONS
REFERENCE CHECKS
BACKGROUND INVESTIGATION
EDUCATION LICENSING CERTIFICATION VERIFICATION
EMPLOYMENT AGREEMENTS AND POLICIES
Employee handbook
Employment contract
Non-disclosure agreement
ONBOARDING
Review of contract terms and job description
Formal initial training to familiarize the new employee with the organization’s security policy and procedures
Signing NDA
Secure process for issuing the employee any access, information or tools
TERMINATION
Lock user account
Do exit interview
Review NDA with person leaving
Recover organization property
VENDOR, CONSULTANT and CONTRACTOR Agreements and Controls
Additional contractual protections
Distinct accounts
Escort requirements
Distinguishing identification
NDA
COMPLIANCE POLICY REQUIREMENTS
Acceptable Use Policy
Common facets:
- Data access
- System access
- Data disclosure
- Passwords
- Data retention
- Internet usage
Surveillance, within restraints of applicable law
PRIVACY POLICY REQUIREMENTS
Document the organization’s privacy requirements, within the constraints of the law
Available to all staff
Available to customers
FORMS OF INSTRUCTION
Education (formal classes)
Training (semi-formal, by SMEs)
Awareness (informal unscheduled)
METHODS AND TECHNIQUES for AWARENESS AND TRAINING
Computer based training
Live instruction
Reward mechanism
Regular communications
PERIODIC CONTENT REVIEWS
Any instruction must be kept current - instructor shall review the following on a regular basis:
Applicable laws
Security tools
Organizational security policy
Recent widespread attack styles and methodology
PROGRAM EFFECTIVENESS EVALUATION
Participant testing
Penetration testing
Log reviews
BUSINESS CONTINUITY REQUIREMENTS
BUSINESS CONTINUITY (BC) - actions, processes, and tools for ensuring an organization can continue critical operations during a contingency
DISASTER RECOVERY (DR) - tasks and activities required to bring an organization back from contingency operations and reinstate regular operations
Often referred to as BCDR
MAXIMUM ALLOWABLE DOWNTIME (MAD)
Measures how long an organization can survive an interruption of critical functions (also referred to as maximum tolerable downtime, MTD)
RECOVERY TIME OBJECTIVE (RTO)
The target time set for recovering from an interruption.
If RTO > MTD company is not viable
RECOVERY POINT OBJECTIVE (RPO)
Measure of how much data the organization can lose before the organization is no longer viable.
BUSINESS IMPACT ANALYSIS
The effort to determine the value of each asset belonging to the organization, as well as the potential risk of losing assets, the threats likely to affect the organization, and the potential for common threats to be realized.
Methods:
Survey
Financial Audit
Customer Response
The organization benefits from information about potential threats and attacks (specifically, combinations of threats), from sources such as:
External business/security intelligence vendors
Open sources
Malware management firms
Government and industry feeds
ETHICS
Moral principles that govern a person’s behavior, or conducting an activity
Ethics is about the methods and ways we interact with each other
Not limited to human-to-human interaction
ISC2 CODE OF ETHICS
Preamble:
The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
Therefore, strict adherence to this Code is a condition of certification.
Global to local priority…
ORGANIZATIONAL CODE OF ETHICS
An organization can create internal guidance as well, reflecting applicable law, social norms, and cultural mores.
Example:
Is the admin’s report acceptable and valid?
What should be done with/to the employee?
What should be done with/to the admin?