Security Governance and Risk Management - Domain 3 Flashcards
Business Model for Information Security
1. Organization Design/Strategy 2. People 3. Process 4. Technology
Security Governance
Corporate governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.
Information Security Governance
1. Subset of corporate governance 2. Provides strategic direction for security activities 3. Ensures that objectives are achieved 4. Ensures that information security risks are appropriately managed 5. Ensures the enterprise's information resources are used responsibly
Control Frameworks and methodologies (4)
1. Committee of Sponsoring Organizations (COSO) - managing risk 2. IT Infrastructure Library (ITIL) 3. Control Objectives for Information and related Technology (COBIT) 4. ISO/IEC 27000 Series
Committee of Sponsoring Organizations (COSO)
Emphasis on identifying and managing risks
IT Infrastructure Library (ITIL)
1. Emphasis on IT services and IT service management 2. Can be used as a complement to COBIT
Control Objectives for Information and related Technology (COBIT)
Acts as a model for IT governance and focuses more on operational goals and regulatory compliance
COBIT - PDCA Model
1. Plan - establish ISMS 2. Do - implement and operate ISMS 3. Check - monitor and review ISMS 4. Act - maintain and improve ISMS
COBIT
1. Control Objectives for Information and related Technology 2. Focuses on IT-related processes and provides a security management lifecycle 3. A process that subdivides IT into four domains: a. Plan and Organize b. Acquire and Implement c. Deliver and Support d. Monitor and Evaluate
ISO 27000
Glossary of terms
ISO 27001
IS Management System Requirements - employs the PDCA model to structure processes and reflects the principles set out in the OECD guidelines.
ISO 27002
Code of IS practice - basic outline of hundreds of potential controls and control mechanisms, which may be implemented, in theory, subject to the guidance provided within ISO 27001.
ISO 27005
IS Risk Management - provides guidelines for information security risk management (ISRM) in an organization, specifically supporting the requirements of an information security management system.
ISO 27799
IS for Healthcare Organizations - defines guidelines to support the interpretation and implementation in health informatics of ISO 27002 and is a companion to that standard. It specifies a set of detailed controls for managing health information security and provides health information security best practices guidelines.
ISO 27001 Controls (11)
1. Physical and Environmental Security 2. Human Resource Security 3. Organizing Information Security 4. Asset Management 5. Communications and Operations Management 6. Information Security Incident Management 7. Business Continuity Management 8. Security Policy 9. Access Control 10. Compliance 11. Information Systems Acquisition, Development and Maintenance
Goals of a security model
1. Strategic goals - overarching - supported by tactical and operational goals 2. Tactical goals - mid-term - lay the necessary foundation to accomplish strategic goals 3. Operational goals - day-to-day - focus on productivity and task-oriented activities.
Due Care
1. Do the right thing to protect assets 2. Functional requirements
Due Diligence
1. To investigate actual threats and risks 2. Assurance requirements
Center of (ISC)2’s CBK: C-I-A Triad
1. Confidentiality - prevent unauthorized disclosure of sensitive information 2. Integrity - prevent unauthorized modification of systems and information 3. Availability - prevent disruption of service and productivity
Confidentiality (opposite: disclosure)
1. Only authorized individuals, processes or systems have access to information, on a need-to-know basis 2. This level of access, also known as the principle of least privilege, is the level necessary for the individual to do their job 3. Confidentiality ensures that the necessary level of security is enforced at each instance of data processing, while the data is at rest and while the data is in transit
Integrity (opposite: alteration)
1. This principle implies that data should be protected from intentional, unauthorized, and/or accidental changes 2. Controls are put in place to ensure that information is only modified through approved and accepted practices 3. Hardware, software, and communication mechanisms should work in concert to maintain and process data correctly and to move data to intended destinations without unexpected alteration
Availability (opposite: destruction)
1. Availability ensures reliable and timely access to data and resources for authorized individuals 2. The two primary areas affecting the availability of systems are (1) denial of service attacks and (2) loss of service due to a disaster 3. Disaster recovery ensures that all or parts of information technology processing systems can be recovered. Disaster recovery and business continuity work together to minimize the impact of critical events.
Security Policy Document Relationships (think org chart)
Laws, regulations, best practices (drivers) -> Program or organizational policy (management's security statement) -> Functional policies (management's security directives) -> 1. Standards 2. Procedures 3. Baselines 4. Guidelines
Functions for Supporting Policies - Standards
Compulsory rules that dictate how hardware and software are to be used and the expected behavior of employees - binding.
Functions for Supporting Policies - Baselines
A minimum level of security that is required throughout the organization - binding.
Functions for Supporting Policies - Procedures
Detailed step-by-step actions to be taken to achieve a specific task - binding.
Functions for Supporting Policies - Guidelines
Recommended actions and operational guides for users and staff members where standards do not apply - non-binding.
Asset Valuation
1. Acquisition or development costs 2. Replacement costs 3. Maintenance and protection costs 4. Productivity and operational losses 5. Owner's value 6. Outside valuation 7. Liability - if the asset is compromised
Data Classification Procedure
1. Custodian - identify 2. Classification criteria - specify 3. Controls - per classification 4. Exceptions - document 5. Transfer of custody - methods 6. Declassification - reclassification/termination 7. Awareness - of security program