Security Governance

Question 1

What are the goals of the ISO/IEC 27000?

Answer 1

1. Outlined how an InfoSec mgmt System should be built and maintained
2. Goal to provide guidance to orgs on how to design, implement and maintain policies, processes and technologies to manage risks to sensitive info assets
3. Std was needed to centrally manage the various security controls deployed throughout an org. w/ this std controls should not be managed in an ad hoc way

Question 2

What are components of Enterprise Architecture Development?

Answer 2

1. Model for developing enterprise architecture
2. Org. has choices in attempting to secure the env.
3. Ad hoc approach - constantly putting out fires
4. Managed Approach - by taking time to understand their env, layout the sec. req. of the biz env
5. Allows you to understand the org from different views and how changes take place at one level will affect other levels
6. Allows you to understand all things that will need to change to support a new biz function
7. Architecture allows you to understand the org as a complete organism and illustrate how changes to one internal component can directly affect another

Question 3

what are the steps in developing Enterprise Security Architecture?

Answer 3

Guide when implementing solutions to:
1. to ensure business needs are met
2. provide standard protection across the env
3. reduce the act of security surprises in the org
Implementing ESA is not the final solution to all sec. problems but it reduces the chaos and puts the org in a proactive instead of reactive stance

Question 4

What are the basics of Enterprise Architecture?

Answer 4

1. Encompasses the essential and unifying components of an org. it expresses the ent. structure (form) and behavior (function), it embodies the ent. components their relationships to each other and their relationships to the env
2. use framework as a guideline on how to build an architecture that best fits the org’s needs; each org starts with the same blueprint/framework/guideline and customizes it 4 their business

Question 5

What steps are involved in developing an Ent. Architecture?

Answer 5

1. ID Stakeholders - people looking at and using the architecture
2. Develop views - which is how the info that is most imp to the diff stakeholders will be illustrated in a useful manner.
   According to NIST companies have several viewpoints:
   - executives need to understand the company from a biz POV
   - Biz process developers need to understand what they of info needs to be collected to support biz activities
   -app dev need to know the structure of data
   All groups are looking at an architecture of the same org it just being presented from different perspectives

Question 6

What is SMART?

Answer 6

S- specific
M - Measurable
A - actionable
R - Realistic
T - Timed

Question 7

What is the Zachman Architecture Framework?

Answer 7

1. Generic model and framework done in Info Security
2. 2 dimensional model uses 6 basic communication interrogates: who, what, where, how, when why
3. Based on the principle of classical biz architecture that contain rules that governs an ordered set of relationships
4. Goal is to be able to look at the same org from diff. perspectives - IT, executives, biz, operations
5. Different groups w/in a company need the same info but presented in ways that directly relate to their responsibilities

Question 8

What is TOGAF?

Answer 8

The Open Group Architecture Framework

• provides an approach to design implement and govern an enterprise info architecture
• TOGAF can be used to dev the following architecture framework:
  1. Biz architecture
  2. Data Architecture
  3. Application architecture
  4. Technology architecture

Question 9

What are the characteristics of TOGAF?

Answer 9

TOGAF:

1. used to create the individual architecture types through the use of it Architecture Development Model (ADM)
2. ADM - iterative method that allows requirements to be continuously reviewed and the individual architectures updated as required. The different architectures can allow a technology engineer to understand from 4 perspectives (biz, app, data and tech) to ensure teams dev the necessary tech to work with in the env and all the components that make up that env and meet biz requirements

Question 10

What is Military Oriented Architecture Framework?

Answer 10

MODAF

• enterprise architecture documentation required for military procurement based on Dept of Defense (DOD) Architecture Framework) DoDAF
• documentation illustrate how they will properly integrate into the current infrastructure
• focus on DoDAF is on command, control, communications, computer, intelligence, surveillance and reconnaissance systems and processes.
• important that different devices communicate using the same protocol and interoperable software components and use the same data item

Question 11

What is MoDAF?

Answer 11

Ministry of Defense Architecture Framework - (British) - Goal able to get data in the right format to the right people at the right time based on DoDAF

Question 12

How to determine which Enterprise Architecture framework is correct for your org?

Answer 12

1. to determine which framework is best for your org, start with stakeholders requests. Architecture needs to represent the org and be useful to folks who understand it best
2. architects need to design system that reflect biz needs and represents the design based on the individuals perspective. if folks need to understand the org from a biz, tech, security perspective design needs to be presented in those views
3. one difference b/w the various architecture frameworks is what type of info they provide and how they provide it

Question 13

What is Enterprise Security Architecture?

Answer 13

Enterprise Security Architecture defines the info security strategy that consists of layers of solutions, processes and procedures and the way they are linked across the org.
-strategically, tactically and proactively

Question 14

What are char. of Enterprise Security Architecture? (ESA)

Answer 14

1. Rigorous and comprehensive method for describing the structure and behavior of all components that make up a holistic ISMS:
2. Reasons to dev. ESA
   a. ensure that security efforts align with biz practices in a standardized and cost effective way
   b. architecture works at an abstract level and provides a frame of reference. it also allows orgs to better achieve interoperability, integration, ease of use, standardization and governance

Question 15

What are indicators/components of Enterprise Security Architecture?

Answer 15

1. Security should not be in silos throughout the org
2. Continuous communications b/w senior mgmt and security staff
3. No redundant product purchased for overlapping security needs
4. Security programs makeup policies that are implemented and enforced policy and controls for user access centralized and mentored
5. No “one offs” efforts take place, must follow standard procedures for info security
6. Biz manager aware of sec responsibility and how their responsibility map to legal and regulatory requirements
7. Sensitive data defined in policy with controls and monitored; enterprise-wide infused solutions implemented
8. Security governance available and the org is viewed in a standardized and holistic way

Question 16

How is ESA implemented?

Answer 16

• place one person in charge of a team that dev a phased approach ESA rollout with goals to integrate tech oriented and biz centric security processes, link admin, technical and physical controls to properly managed risks and integrate these processed and the org’s culture.
• org do not implemente ESA b/c they do not understand it and ESA seems overwhelming

Question 17

Define Sherwood Applied Biz Security Architecture (SABSA)?

Answer 17

SABSA - similar to Zachman ESA layered framework with 1st layer defining biz req from a security perspective

1. Each layer of the FW decreases in abstraction and increases in detail so it builds on others and moves from policy to practical implementation of tech solutions
2. Goal is provide a chain of traceability through the contextual, conceptual, logical, physical component and operational levels, questions to be answered at each level:
3. what are you trying to do at this layer - assets to be protected by the sec. architecture
4. why are you doing it? motivation for wanting to apply security
5. how are you trying to do it? functions needed to achieve security at this layer
6. who is involved? people and org aspects

Question 18

What are SABSA characteristics?

Answer 18

Sherwood Applied Biz Security Architecture
more questions:
- what are you doing? location where are you applying security
- when are you doing it? time related aspect of security

Question 19

What is SABSA?

Answer 19

SABSA (Sherwood applied business security architecture framework)

• a framework and methodology for enterprise security architecture and service mgmt.
• since its a framework this means it provides a structure for individual architectures to built from.
• Since it’s a methodology it provides the processes to follow to build the methodology

Question 20

What is the SABSA Lifecycle Model?

Answer 20

SABSA provides a lifecycle model so that the architecture can be constantly monitored and improved upon over time

Question 21

What are 4 critical components of SABSA?

Answer 21

Strategic Alignment
Business Enablement
Process Enhancements
Security Effectiveness

Question 22

What is Strategic Alignment (SABSA component)?

Answer 22

Strategic Alignment - business drivers and regulatory and legal requirements are being met by sec. Ent Arch Sec efforts must provide and support an env that allows an org to not only survive but thrive

Technology are tools that support the goals. Therefore IT Sec should support the biz and its strategic objective

Question 23

What is business enablement (SABSA component)?

Answer 23

• each org exist for one or more purpose; publicly traded company - to increase shareholder value
  non-profit - to further a specific cause; Gov - provide services to citizens

components and orgs do not exist for the sole purpose of being secure. security cannot stand in the way of biz processes.

Business enablement means the core biz process are integrated into security operating model. they are standards based and follow a risk tolerance cirteria

Question 24

What is process enhancements

(SABSA component)?

Answer 24

Re-engineering processes

• an org that is serious about securing it env will take a close look at biz processes that take place on an ongoing basis - continuous improvement - plan - do - check - act;
• typically biz processes are duplicated, manual but process re-engineering can streamline and automate these processes for increase efficiency and ROI.
• Process re-engineering should be integrated to all for security to be built into the daily operations

Question 25

What is Security Effectiveness (SABSA component)?

Answer 25

• security effectiveness deals with metrics, meeting service level agreements, SLA requirements, achieving ROI, meeting set baselines and providing mgmt with a dashboard or balanced scorecard - these are ways to determine how useful the current security solutions and architecture are performing
• ensure that the controls in place are providing the necessary levels of protection and ensure that the finite $$ are being properly spent - do this by setting baselines, and metrics to be verified
• metrics are rolled up to mgmt which allows them to make informed decisions

Question 26

what is the relationship between enterprise and system architecture?

Answer 26

Enterprise and system architecture overlap.

• Sys. Architecture address the structure of software and computing components
• Ent Architecture focuses on the org as a whole
• IT architects need to understand the org as a whole while designing software for the org or designing the network
• Rules outline in Org. Sec. Policy must be supported in systems design. Security has to be integrated at all levels of the org including system design
• Ensure detailed biz and sec dependencies, interactions are understood and designed into the system

Question 27

What is IT Security Mgmt System (ITSM)?

Answer 27

ITSM outlines controls that need to be implemented

• Risk mgmt, physical security
• data protection, configuration mgmt
• vulnerability mgmt, biz continuity planning
• auditing
• ITSM provides direction on how these controls should be managed through their lifecycle
• ITSM specifies the pieces and parts that need to be put together to provide a holistic security program for the org and how to properly care for these components

Question 28

Enterprise Security Architecture

Answer 28

• Illustrates how ITSM components are to be integrated
  into the different layers of the current sec env
• security components have to be weaved/interwoven throughout the biz and not siloed with/in individual departments

Question 29

ISO/IEC 27000 Series

Answer 29

ISO/IEC 27000 Series - outlines the necessary components of an org’s security program

Question 30

Security Enterprise Architecture

Answer 30

Security Enterprise Architecture - helps integrate the requirements outlined in the Security program into existing business architecture

Question 31

Security Controls Development

Answer 31

Security Controls Development - documents the objectives of the controls to be implemented to accomplish the goals of the security program

Question 32

Security Controls - COBIT

Answer 32

Controls Objectives for Information and Technology - COBIT

• framework for governance by ISACA
• Helps orgs organize the value of IT by balancing resource utilization, risk levels and realization of benefits done by explicitly tying stakeholders drivers to stakeholders needs to org goals to IT goals to meet or support the org goals

Question 33

COBIT - 5 Key Principles

Answer 33

COBIT - Holistic approach based on 5 principles:

1. Meeting stakeholders need
2. Covering the enterprise end to end
3. Applying a single integrated framework
4. Enabling a holistic approach
5. Separating governance from mgmt

Question 34

COBIT Characteristics

Answer 34

• Everything in COBIT is ultimately linked to stakeholders through a series of transforms called cascading goals
• Cascading goals at any org points to our IT governance or mgmt processes, you should be able to ask why are you doing this? and be led to an IT goal that is tied to an enterprise goal, which is tied to a stakeholder need

Question 35

COBIT Cascading Goals

Answer 35

2 sets of goals (enterprise goals) are to ensure that we meet the 2nd goals (IT Goals) of covering the enterprise end to end by explicitly tying enterprise goals to IT goals

Question 36

COBIT - Enterprise Governance vs. Management

Answer 36

Enterprise governance - enterprise goals - high level
- a set of high level processes aimed at balancing the stakeholders value proposition

Management - a set of activities that achieve enterprise objects. things that org leaders do

CORBIT = private sector

Question 37

NIST SP 800 - 53

Answer 37

Government controls

- gov use - outlines controls that gov agencies need to put in place to be compliant with federal info

Question 38

COSO (Committee on Sponsor Organazation) Integrated Framework

Answer 38

COBIT derived from COSO
- IDs 17 internal controls principles groups into 5 internal control components - Control Env
Controls Environment:
1. Demonstrates commitment to integrity and ethical value
2. exercise oversight responsibilities
3. Est. structure, authority and responsibility
4. Demonstrate commitment to competence
5. Enforce accountability

Risk Assessment

1. Specifies suitable objectives
2. IDs and analyze risks
3. Assess fraud risk
4. IDs and analyze significant changes

Question 39

COSO Controls

Answer 39

• Selects and dev control activities
• Select and dev general controls over technology
• Deploys through policies and procedures

Info and communications
- uses relevant and quality info
Monetary Activity
- conduct ongoing and or separate evaluations, evaluate & communicate deficiencies

Question 40

Whats the difference between the COSO and COBIT Models?

Answer 40

COSO Internal Controls
- Model for corp governance 
- operates at the strategic level 
- deals with non IT items like corp culture, Fin. accounting, board of directors responsibilities and internal communications structure
- SOX based on COSO - illegal for orgs to "cook their books"
COBIT 
- model for IT governance
- implemented at the operational level 
- is a way to meet COSO objectives

Question 41

Process Management Development

Answer 41

• along with ensuring the right controls are in place, org must have ways to construct and improve biz, IT and security processed in a structured and controlled manner
• security controls can be considered “things” and processes are how to use this things - use controls (things) properly, effectively and efficiently

Question 42

Information Technology Infrastructure Library (ITIL)

Answer 42

ITIL - defect standard of practices for IT service mgmt

• customizable framework that provides the goals, general activities necessary to achieve those goals and the input and output values for each process required to see these determined goals
• focused on SLAs

Question 43

What are the 5 stages of ITIL Lifecycle?

Answer 43

1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operations
5. Continuous Service Improvement

Question 44

What is Six Sigma?

Answer 44

• Six Sigma is a process improvement methodology;
• Focused on Total Quality mgmt with goals to improve process quality by using statistical methods of measuring OPS efficiency and reducing variation, defects and waste
• used in security to measure the success factors of different controls and procedures

Question 45

What is Capability Maturity Model Integration (CMMI)?

Answer 45

• CMMI was developed as a way to determine the maturity of an org’s processes used within the org to help lay out a pathway of how incremental improvement can take place.
• only way to improve is to know where you’re starting from, where you need to go and the steps to take in between

Question 46

What are the stages of CMMI?

Answer 46

0. NON Existent
   - nonexistent management, no processes, no assessment
1. Unpredictable
   - unpredictable, ad hoc and disorganized, reactive activities.
2. Repeatable processes
   - immature and developing, security assigned to IT
3. Defined processes
   - documented and communicated; defined procedures
4. Managed Processes
   - monitored and measured;
   - Security and business objectives are mapped
5. Optimized Processes
   - Automated practices; structured and enterprise wide

Question 47

What is the Security Program Lifecycle?

Answer 47

1. Plan and organic
   - mgmt commitment, dev. security architecture, assess business drivers, assign roles and responsibilities
2. Dev and Implement Security Policies
3. Operate and Maintain - follow procedures, audits and SLAs
4. Monitor and evaluate - review logs, dev. improvement steps

Question 48

What are the crux of computer crime laws?

Answer 48

crux of computer crime laws

• is to deal with core issues
• unauthorized modification and destruction of data
• disclosure of sensitive info
• unauthorized access and the use of malware

Question 49

What are the categories of computer crime?

Answer 49

1. Computer Assisted Crime
2. Computer Targeted Crime
3. Computer Incidental

Question 50

What is computer Incidental (crime?)

Answer 50

Computer Incidental Crime:
- Where a computer is not necessarily the attacker or attacker but just happened to be involved when a crime was carried out. i.e child porn

Question 51

What is computer assisted crime?

Answer 51

• Computer assisted crime is covered by criminal law
• when a computer was used as a tool to help carry out a crime
  ex. attacking a financial system to carry out the theft of funds and or sensitive info

Question 52

what is Computer Targeted Crime?

Answer 52

• Computer targeted crime concerns incidents where your computer was a victim of an attack crafted to harm it and its owners specifically
  ex. DDoS attacks, capturing PW or sensitive data
• installing malware with the intent to cause harm
• installing rootkits and sniffers for malicious reasons
• buffer overflows to take control of a system

Question 53

What is the Counsel of European Convention on Cybercrime?

Answer 53

• the Counsel of European Convention on Cybercrime is an attempt to crate a standard international response to cybercrime
• coordinate national laws and improve investigative techniques and international corporations
• goals- creation of a framework for establishing jurisdiction and extradition of the accused

Question 54

What are the OECD Guidelines on Protection of Privacy and Trans-boarder flow of Personal Data? 1- 4

Answer 54

OECD Guidelines on Protection of Privacy and Trans-boarder flow of Personal Data

1. Collection Limitation principle
   - collect limited personal data
   - obtain personal data by lawful and fair means with subject knowledge
2. Data Quality Principle
   - personal data should be kept complete and current and relevant for the purpose being used
3. Purpose Specific Principle
   - notify subject of personal data collection at the time of collection and why
4. use Limitation Principle
   - use personal data with subject consent or authority of law should personal data be disclosed

Question 55

What are the OECD Guidelines on Protection of Privacy and Trans-boarder flow of Personal Data? 5-8

Answer 55

OECD Guidelines on Protection of Privacy and Trans-boarder flow of Personal Data

5. Security Safeguard Principles
   - reasonable safeguards in place to protect personal data
6. Openness Principle
   - develop practices and policies regarding personal data should be opening communicated
7. Individual Participation Principle
   - subject should be able to find out whether an org has his/hers personal data and what that info is; correct wrong data and to challenge denied requests
8. Accountability Principles
   - org should be accountable for complying with measures that support these principles

Question 56

what are the European Principles of Privacy?

Answer 56

European Principles Privacy addresses using and transmitting info considered private in nature.
- principles are encompassed in the EU’s Data Protection Directive which all EU state must abide by anon with orgs doing biz in the EU

Question 57

What are EU Safe Harbor Principles?

Answer 57

EU Safe Harbor Principles;

• construct that outlines how US based companies can comply with EU privacy principles. NON EU companies will have to adhere to Safe Harbor requirements if certain types of data will be passed back and forth during biz processes
• EU has tighter privacy controls than US

Question 58

Define the EU Safe Harbor Framework

Answer 58

EU Safe Harbor Framework for Privacy data protection rules for data transfer

1. Notice
   - individuals must be informed that their data is being collected and about how it will be used
2. Choice
   - individuals must have the ability to opt out of the collection and forward xfer of data to 3rd parties
3. Onward Transfer
   - xfer of data to 3rd parties may only occur to other orgs that follow adequate data protection
4. Security
   - Reasonable efforts must be made to prevent loss of collected info
5. Data Integrity
   - data must be relevant and reliable for collected purpose
6. Access
   - individual must be able to access info held about them and correct or delete it if inaccurate
7. Enforcement
   - there must be effective means for enforcing the law

Question 59

what legal requirements for Import and Export?

Answer 59

Legal requirements for import and export are:

• complexity is when an org is attempting toward with org in other parts of the world is import/export laws
• each country has it’s own specs when it comes to what is allows in its boarders

Question 60

What is the Wassenaar Arrangement?

Answer 60

Wassenaar Arrangements:

• signed by 41 countries
• following items can be exported
  1. material processing
  2. electronics
  3. computers
  4. marine
  5. aerospace and propulsion
  6. special materials and related equipment
  7. Part 1: telecommunications
  8. Part 2: Information Security
  9. Sensors and lasers

Question 61

What are the goals of the Wassenaar Agreement?

Answer 61

goals of the Wassenaar Agreement

• prevent the buildup of military capabilities that could threaten regional and international security and stability
• ensure everyone has similar military offense and defense capabilities with hoe it won’t end up in the wrong hands
• cryptography is seen as a dual use good. it can be used for military and civilian use and is seen as dangerous to export products with crypto functions to countries in the offensive column i.e terrorist friendly
• crypto import restrictions - countries do not allow their citizens to use crypto