Security Governance Flashcards

1
Q

AAA

A

Five elements = foundational concepts for any security program:

Identification
Authentication
Authorization
Auditing
Accounting
2
Q

Governance vs Management

A
  1. Governance = C-level execs (not me!) » Ultimately liable
    1. Set company objectives
    2. Set risk appetite (aggressive - neutral - averse)
    3. Monitor performance and compliance
  2. Management (this is me!)
    1. Plans, builds, runs, monitors objectives set by Governance
    2. Risk tolerance (how are we going to work with the set Risk Appetite..)
3
Q

4 elements of a corporate security policy:

A
  • Policy = broad security statements – Mandatory
  • Standards (Baselines) = specific use of technology (all laptops are Win10, 64-bit, 8 GB RAM, etc.) – Mandatory
  • Guidelines = recommendations > used when there is no Procedure – Non-mandatory
  • Procedures = step-by-step instructions – Mandatory

Baselines (Benchmarks) = Mandatory – minimum requirements / server hardening, etc.

4
Q

IAAA

A
  1. Identification
  2. Authentication
    1. Type I = password
    2. Type II = ID, smart card, PIN, cookie on PC, etc.
    3. Type III = biometric
  3. Authorization
    1. What are you allowed to access?
      1. DAC, MAC, RBAC, ABAC
  4. Accountability
    1. Link activity to subject identity (non-repudiation)
5
Q

OCTAVE

A

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

A comprehensive, self-directed evaluation method that allows an organization to identify the information assets that are important to its mission, the threats to those assets, and the vulnerabilities that may expose those assets to the threats.

6
Q

COBIT

A

Control
OBjectives for
Information
and related Technologies (COBIT)

GOALS FOR IT — stakeholder needs are mapped down to IT related goals.

The goal of the COBIT framework is to provide a common language for IT professionals, business executives and compliance auditors to communicate with each other about IT controls, goals, objectives and outcomes.

TIP: COBIT is the most commonly used framework for achieving compliance with the Sarbanes-Oxley Act (SOX).

7
Q

COSO

A

Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Goals for the ENTIRE ORG - Outlines how you can develop a strong, effective internal control system.

The original COSO framework was developed in 1992, with the most recent version published in 2013. To understand the framework, you must understand what it covers. According to COSO, internal control:

Focuses on achieving objectives in operations, reporting and/or compliance
Is an ongoing process
Depends on people’s actions, not merely written policies and procedures
Provides senior management with reasonable assurance about the state of security
Can be adapted to the needs of the whole organization as well as each department, unit or process

8
Q

ITIL

A

Information Technology Infrastructure Library

IT Services Management (ITSM).

ITIL describes processes, procedures, tasks, and checklists which are neither organization-specific nor technology-specific, but can be applied by an organization toward strategy, delivering value, and maintaining a minimum level of competency.

9
Q

FRAP

A

Facilitated Risk Analysis Process

A qualitative approach, using brainstorming techniques to identify risks. Estimated risk assessments are then made (probability x impact) and appropriate measures determined.

Analyzes one business unit, application or system at a time in a roundtable brainstorm with INTERNAL employees. The impact is analyzed and the threats and the risks are prioritized.

10
Q

ISO 27001

A

The objective of the standard itself is to “provide requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS)”

11
Q

ISO 27002

A

It outlines hundreds of potential controls and control mechanisms, which may be implemented via ISO 27001, in theory, subject to the guidance provided within ISO 27001.

The standard “establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization”. The actual controls listed in the standard are intended to address the specific requirements identified via a formal risk assessment.

12
Q

ISO 27004

A

Provides metrics for measuring the success of your ISMS.

Provides guidance on the development and use of measures and measurement for assessing the effectiveness of an implemented information security management system and its controls, as specified in ISO 27001.

It is intended to help an organization establish the effectiveness of its ISMS implementation, embracing benchmarking and performance targeting within the PDCA cycle.

13
Q

ISO 27005

A

The standard provides guidelines for information security risk management (ISRM) in an organization, specifically supporting the requirements of an information security management system defined by ISO 27001 (a standards based approach).

The ISO 27005 standard comprises 55 pages, and is applicable to all types of organization. It does not provide or recommend a specific methodology. This will depend upon a number of factors, such as the actual scope of the Information Security Management System (ISMS), or perhaps the industry/commercial sector.

14
Q

ISO 27799

A

Directives on how to protect PHI (protected health info)

By implementing ISO 27799:2016, healthcare organizations and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their organization’s circumstances and that will maintain the confidentiality, integrity and availability of personal health information in their care.

15
Q

Seven steps to implement a data classification scheme:

A
  1. Identify the custodian & define their responsibilities
  2. Specify the evaluation criteria for how the data will be classified and labeled
  3. Classify and label each resource (the owner usually does this with a reviewer)
  4. Document any exceptions discovered, and then integrate them
  5. Select security controls that will be applied to each classification level
  6. Specify the procedures for declassifying resources and how to transfer custody
  7. Create enterprise-wide training on the classification system created
16
Q

Which commercial business/private sector data classification is used to control information about individuals within an organization?

A

A. Confidential
B. Private
C. Sensitive
D. Proprietary

17
Q

rule-based access control

A

Uses global rules that apply to all users

18
Q

RBAC

A

Role based access control

The Role Based Access Control (RBAC) model is based on role or group membership, and users can be members of multiple groups.

Role Based Access Control (RBAC) models define a subject’s access based on job-related roles.

19
Q

MAC

A

Mandatory access control

The Mandatory Access Control (MAC) model uses assigned labels (top secret, secret, etc) to identify access.

The Mandatory Access Control (MAC) model is prohibitive, and it uses an implicit-deny philosophy (not an explicit-deny philosophy).

20
Q

DAC
MAC
RBAC
Nondiscretionary

A

Mandatory Access Control (MAC) models rely on the use of labels for subjects and objects.

Discretionary Access Control (DAC) models allow an owner of an object to control access to the object.

Nondiscretionary access controls have centralized management such as a rule-based access control model deployed on a firewall.

Role Based Access Control (RBAC) models define a subject’s access based on job-related roles.

21
Q

Threat Modeling

A

Threat modeling helps identify, understand, and categorize potential threats.

Used to identify potential attackers

22
Q

Common Criteria

A

Replaces TCSEC (orange book / rainbow series) DoD security evaluation standards.

CC is based on two key elements:

  1. Protection Profiles = product to be evaluated
  2. Security Targets = specific claims of security by vendor in TOE
23
Q

What part of the Common Criteria specifies the claims of security from the vendor that are built into a target of evaluation?

A

A. Protection profiles
B. Evaluation assurance level
C. Certificate authority
D. Security target

Security targets (STs) specify the claims of security from the vendor that are built into a TOE.

24
Q

What comprises a formal Security Policy?

A
Policies
Standards
Baselines
Guidelines
Procedures

These are essential to the design and implementation of security

25
Q

Data classification is used to….

A

Determine how much effort, money and resources are allocated to protect the data.

26
Q

AAA Services

login process

A

Identify –> Authenticate –> Authorize –> Accountability

27
Q

DREAD

threat modeling –> rate / rank the threats

A
Damage potential
Reproduce?
Exploitable?
Affected users?
Discoverable?
28
Q

Threat Modeling

A

THREAT MODEL APPROACH:
VAST –> Visual, Agile, Simple Threat
STRIDE –> Spoofing, Tampering, Repudiation, Info disclosure, DDoS, Elev of priv

RISK BASED APPROACH:
TRIKE –>
PASTA –> DO, DTS, ADA, TA, WVA, RAM