DOMAIN 1 SECURITY AND RISK MANAGEMENT DOMAIN


Personnel Security Policies and Procedures

1) Screening and hiring 2) Employment agreements and policies (NDAs, drug tests, references, interviews of associates, social media checks) 3) Onboarding and termination 4) Vendor, consultant and contractor agreements (supply chain risk) 5) Compliance policy requirements (statutory and regulatory obligations that require things to be done in a certain way) 6) Privacy policy requirements (management of, and expectations around, PII, e.g. HIPAA). Policy and its oversight are about due diligence; the procedures that carry the policy out are about due care

Control Types

1) Technical or administrative measures put in place to protect and manage resources, i.e., Directive, Deterrent, Preventive, Detective, Corrective, Recovery

Control Categories

1. Administrative Controls 2. Logical Controls 3. Physical Controls

Threat Modeling Process 5 Steps *****MUST KNOW*****

1. Identify security objectives 2. Survey the application or system (modeling may cover a single application or an entire system) 3. Decompose it (take it apart and put it back together to see all possible attack vectors) 4. Identify threats 5. Identify vulnerabilities. Steps 4 and 5 look for different things: a threat is the actor or event that could cause harm, a vulnerability is the weakness that would let it

Conduct assessment - Step 2 Qualitative

1) Get the org chart: decision makers, levels, responsibilities 2) Inquire what the assets are (intellectual property, real property, computer and office equipment, people with their rate of pay and value) 3) Identify the threats and vulnerabilities to those assets and the resulting risk 4) Conduct the assessment: determine likelihood (high, medium or low) and impact (high, medium or low) through walk-throughs and questionnaires (a "no" answer to a question may indicate a vulnerability if a matching threat exists) 5) Derive an overall risk rating 6) Handle the risk (see the 4 risk responses)

Key Concepts of GDPR

1) Harmonization across and beyond the EU 2) Personal data as the central concept 3) No distinction between personal data about individuals in their private, public or work roles: the person is the person

Public Sector Control Classes (Gov't)

1) Management 2) Operational 3) Technical/Logical

Addresses the "WHY" of policy

1) Methods and techniques to deliver awareness and training (briefings, online or in person, live or pre-recorded, documents; delivered in audio, visual and reading formats to reach different learners) 2) Periodic content reviews 3) Program effectiveness evaluation

Planning Horizon - 3 Types of Goals

1) Operational 2) Tactical 3) Strategic

Conduct Assessment -Step 2 Quantitative

1) Org chart 2) Identify assets and their value (AV) 3) Identify threats and estimate the potential loss per incident: SLE = AV × EF 4) Perform the threat assessment: how often will it occur per year (ARO), giving ALE = SLE × ARO; pull the firewall and IDS statistics and logs (how many attacks over the year, how many turned out to be real, what the monetary loss was) 5) Handle the risk (reduce/mitigate, transfer, avoid, accept). A purely quantitative risk assessment is almost impossible in practice; some estimates are always subjective

NIST Overall Risk Assessment Process Steps 1 of 4

1) Prepare for assessment 2) Conduct assessment 3) Communicate Risks/Results 4) Maintain assessment

Skills or Things you need in BCDR/BIA

1) Project management 2) Senior management support (extremely important: without it there is no due care or due diligence and therefore no mitigation of risk; decision makers set the culture and supply the backing) 3) Project scope (what is our focus; resources are limited, so a scope document helps filter down to what is really needed: point of contact, statement of work) 4) Resources (clearly identify resources, whether physical or people; WBS; document the information) 5) Timeline

4 canons of the Code of Ethics

1) Protect society, the common good, necessary public trust and confidence, and the infrastructure (life and people safety matter more than information) 2) Act honorably, honestly, justly, responsibly, and legally (stay aligned with legal requirements) 3) Provide diligent and competent service to principals (do our job, show up every day, be trained and up to the task) 4) Advance and protect the profession (never put ourselves, our company, the profession or our customers in a bad light, e.g. when doing ethical hacking; never put CIA at odds with the mission and objectives of the organization)

Two ways to measure risk

1) Qualitative risk assessment: subjective, relies on deeply knowledgeable people and their judgment 2) Quantitative risk assessment: based on measurable values expressed numerically (money, frequency), using people with different kinds of skills; in practice a hybrid assessment mixes the two

Penetration Testing Methodologies - 5 Steps (whether hacking or white hat)

1) Reconnaissance: fact finding, preparing the assessment 2) Enumeration 3) Vulnerability analysis: weakness identification 4) Execution / exploitation to gain access; still validate how far you can go (e.g. a foothold that still needs a username and password is worth noting, but is not the same finding as access that needs no credentials at all) 5) Document findings: look for ways to create remediation opportunities and give value, note other areas worth testing, and structure the report as an overview, an executive summary highlighting the key findings, the detailed report, and appendices

There are 8 domains

1) Security and Risk Management 2) Asset Security 3) Security Architecture and Engineering 4) Communication and Network Security 5) Identity and Access Management 6) Security Assessment and Testing 7) Security Operations 8) Software Development Security

5 aspects of the Standards of Good Practice for Information Security

1) Security management 2) Critical business applications 3) Computer installations (our hardware and how we build it) 4) Networks (how we communicate and collaborate between two or more systems connected over a LAN or WAN via IP addressing, VPNs, DNS, DHCP, etc.) 5) Systems development (the SDLC: how we identify, document and build a system or software)

5 ITIL Life cycle phases

1) Service Strategy 2) Service Design 3) Service Transition 4) Service Operation 5) Continual Service Improvement CSI

Types of Attacks

1) Social engineering, including its common forms: 2) Pretexting 3) Phishing 4) Baiting 5) Tailgating

4 things help us in a BCP Program

1) Talk to senior management to get buy-in; approval MUST BE in writing 2) Define the scope or coverage (what will be inside and outside the scope) 3) Estimate project resources: cost ($), what we have available, what we can do; knowledge, the capability to do these things, is itself a resource (we may have a constraint on knowledge) 4) Define the timeline on which all of these things will take place

8 individual rights under GDPR

1) right to be informed 2) right of access, 3) Right to rectification, 4) Right to erasure, 5) Right to restrict processing, 6) Right to data portability, 7) Right to Object 8) Rights in relation to automated decision making and profiling

Predisposing condition (NIST SP 800-30)

A condition within the organization, its processes or its systems that affects (increases or decreases) the likelihood that a threat event, once initiated, results in adverse impact; ask, for example: are we patching, testing, running vulnerability assessments and baseline assessments?

5 categories of NIST CSF

Identify, Protect, Detect, Respond, Recover (the five core functions of CSF 1.x; CSF 2.0 adds Govern as a sixth)

Conduct Assessment -Step 2 Qualitative

Can be done qualitatively or quantitatively. Qualitatively: interviews with key players and subject matter experts to identify what the assets are, the types of threats and vulnerabilities faced, how likely a vulnerability is to be exploited, and what the impact would be if it were

ISO27006

Requirements for bodies providing audit and certification of ISMSs; a guide to the certification/registration process

CSRC

Computer Security Resource Center

NIST SP800-61R2

Computer Security Incident Handling Guide

NIST SP800-160 Vol1 | Vol2 Systems Security Engineering

Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems

Downtime

Consists of two elements: the systems recovery time (RTO) and the work recovery time (WRT, the time to restore data, clear the backlog and verify). Therefore MTD = RTO + WRT. RPO is a separate measure of tolerable data loss, not of time to recover. MTD is the time available to recover disrupted systems and resources

Maintain assessment - Step 4

Continuously monitor; review the assessment and update it at least every six months (an iterative process); keep the risk register up to date; check whether vulnerabilities have changed and whether new threats have appeared

Trade Secret Law

A corporate resource (formula, process, customer list, etc.) that gives the organization value or competitive advantage and is protected by keeping it confidential; protection lasts only as long as the organization takes reasonable steps to keep it secret

Business Risk

Cost of doing business; The possibility of loss (failure) or gain (success) inherent in conducting business

Due care

Doing what a reasonable, prudent person would do in the same situation: acting on what due diligence identified, complying with laws, rules and regulations, and following a documented, approved standard of care to minimize risk. Due diligence is knowing what to do (research, assessment, oversight); due care is doing it

A good investment is

If the safeguard costs as much as or less than the annual loss it prevents (the reduction in ALE), it is seen as a good investment; if it costs more, it may still be a good investment, but the recoup time to see the return must be extended, e.g. from 12 months to 24 months

FIPS 199

Impact Assessment where you are just looking at the impact of different types of data; NOT a Risk Assessment because only looking at Impact and not Likelihood

Continuity of Operation Plan (COOP)

Implies there is a disaster and you have to recover to an alternate site

Public sector is more concerned with

Confidentiality

CVSS

Common Vulnerability Scoring System; an open standard for scoring the severity of newly disclosed vulnerabilities, originally developed by the US National Infrastructure Advisory Council (NIAC) and now maintained by FIRST. It brings together the major players in technology, IT and security (companies such as Cisco, Symantec and Microsoft) to contribute research and vulnerability information, producing a common system for exposing, discussing and scoring vulnerabilities that everyone can work with

MTD Times

Critical = minutes to hours; Urgent = 24 hours; Important = 72 hours; Normal = 7 days

ISO27010

Information security management for inter-sector and inter-organizational communications (sharing security information, e.g. among critical infrastructure operators)

Personal data

Data about a living, identifiable person that is specific or uniquely identifiable to that person (physical, physiological, genetic, mental, economic, cultural or social identity; e.g. a 23andMe genetic profile)

Security awareness training ****IMPT TO KNOW****

Establishing an understanding of the importance of, and the need to comply with, security policies within the organization; should be split by audience (management, mid-level, technical). Good, clear communication and documentation reinforce and standardize behavior, and that standardized behavior is what produces risk mitigation

EAL

Evaluation Assurance Level

Common Criteria: framework for specifying evaluation requirements (Protection Profile, PP)

Products are evaluated against an Evaluation Assurance Level (EAL 1-7)

COBIT IT Governance framework associated with GRC (governance risk and compliancy)

Examines the effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability of information against high-level control objectives. Suited to organizations that need formal controls, heavy GRC auditing and metrics, e.g. regulated industries

Supply Chain Risks

Examples: insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware (GPS trackers, implanted chips), poor manufacturing and development practices in the supply chain. These risks are realized when threats in the supply chain exploit existing vulnerabilities

Data controller Accountability

The controller exercises due diligence; the processor, under the guidance the controller provides through that due diligence, exercises due care. The data controller is the overseer and holds accountability: it ensures the other seven principles are being met and shapes the discussion, interaction, collection, management, storage and usage of data throughout its life cycle. Without the oversight function and due diligence, the other seven areas are not acted on with due care, and we are not applying the proper level of thought, protection, integrity and confidentiality to our data

prevent, detect, correct

First aim is to PREVENT a security breach; since you cannot prevent the unknown, the second is to DETECT it, and then to take CORRECTIVE action

Timelimits for GDPR

Article 33: data controllers must notify the appropriate supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware of it." If notification is not made within 72 hours, the controller must provide a "reasoned justification" for the delay. Data subject requests (e.g. for access to personal information) must be answered without undue delay and within one month (Article 12), extendable by two further months for complex or numerous requests

NIST SP800-30R1 *****IMPT TO KNOW*****

Guide for conducting risk assessments

NIST SP800-30R1 p12 (IMPT)

Guide for conducting risk assessments. The SP 800 series (begun in 1990) is the foundation for much of the modern guideline reference material we use

NIST SP800-121R2

Guide to Bluetooth Security

NIST SP800-37R1

Guide for Applying the Risk Management Framework (RMF) to Federal Information Systems; Revision 2 (2018) retitled it Risk Management Framework for Information Systems and Organizations

NIST SP800-88R1

Guidelines for Media Sanitization

Integrity Controls applied

Hashing, separation of duties, dual control (two man rule launching a weapon, safety deposit box)

HIPAA

Health Insurance Portability and Accountability Act; "Act" means it is a law, in this case regulating the medical industry. HITECH extended HIPAA's obligations directly to business associates (BAAs). If something is not specifically called a law, it is an industry standard or framework rather than a legal mandate

ARO (Annualized Rate of Occurrence)

How often over a single year are we going to see that occur (i.e., 3 times)

Risk Assessment Process

How we figure out what a risk is; it is a process

Qualitative Risk Assessment

INTANGIBLE; combines likelihood and impact ratings to produce a level of risk; the higher the risk, the more immediate the need; based on human perception and judgment rather than hard data; NOT numerically or metrically based, but uses soft factors such as brand and reputation and how negatively the impact on the company would be perceived (risk matrix)

ISO27009

Sector-specific application of ISO/IEC 27001 (information security governance is ISO/IEC 27014)

ISO27003

ISMS implementation guide

ISO27004

ISMS metrics

COBIT 5

IT business framework for governance, compliance and risk management created by ISACA and focused on GRC activities; COBIT lets us frame the concepts and the conversations within the business around IT governance and what governance, risk and compliance mean

The GDPR provides exceptions to this additional requirement for the controller to notify data subjects in the following circumstances

1. The controller has "implemented appropriate technical and organisational protection measures" that "render the data unintelligible to any person who is not authorized to access it, such as encryption" 2. The controller takes actions subsequent to the personal data breach to "ensure that the high risk for the rights and freedoms of data subjects" is unlikely to materialize. 3. When notification to each data subject would "involve disproportionate effort," in which case alternative communication measures may be used

Additional Concepts for Integrity

1. accuracy 2. authenticity 3. validity 4. nonrepudiation: a user cannot deny having performed an action; e.g. email integrity via a hash (message digest) covered by a digital signature gives nonrepudiation

Three ways in which we can understand Integrity:

1. Preventing unauthorized subjects from making modifications (subjects include users and non-person entities, NPEs: an application, service account or computer account acting on our behalf) 2. Preventing authorized subjects from making unauthorized modifications 3. Maintaining consistency of objects so they remain true and accurate (keep the data or asset in a known good state; data may legitimately be modified by a system process, e.g. flags, timestamps or metadata changed on it)

Confidentiality Concepts

1. sensitivity 2. discretion 3. criticality 4. concealment 5. isolation 6. principle of least privilege 7. need to know

Availability Concepts

1. usability 2. accessibility 3. timeliness

Security Safeguards

3 layers: technical safeguards, data safeguards, and human safeguards; e.g. VLANs, access control

BIA Process 4 Steps (KNOW IN ORDER) (NIST SP 800-34 R1, Contingency Planning Guide)****MUST KNOW***

Step 1 - Gather information (interviews about services); Step 2 - Vulnerability assessment: weaknesses of systems (what outage or attack could take them out of service); Step 3 - Risk analysis: the outcome, qualitative (opinion, 1 to 10) and quantitative ($ based, ALE = SLE × ARO), plus threat analysis to determine what would happen if the service were not available; Step 4 - Communicate findings

Individual Participation

A fair information practices principle, ask the individual to opt-in; can't assume we can take your data without your knowledge and consent

Information Security Handbook

A guide for managers SP800-100

Risk Matrix

A matrix listing the organization's risks, each rated for likelihood and for impact on business operations, reputation and other areas; high likelihood, high impact (most urgent) sits in the upper right-hand quadrant, low likelihood, low impact in the lower left

Safe Harbor (PRIVACY)

A negotiated agreement between two parties that relaxes the regulatory requirements and burden by allowing the participant to adhere to the spirit of the law rather than the letter of the regulation; e.g. the arrangement under Directive 95/46/EC concerning rights around personally identifiable information and privacy, but it can apply to a variety of subjects

COE is made up of

A) COE Preamble B) COE Canons: 1) Protect society, the common good, necessary public trust and confidence, and the infrastructure (DO NO HARM AND PROTECT LIFE ABOVE ALL ELSE) 2) Act honorably, honestly, justly, responsibly, and legally 3) Provide diligent and competent service to principals 4) Advance and protect the profession C) Organizational COE

Formula for quantitative risk assessment

ALE = SLE × ARO, where ALE = annualized loss expectancy, SLE = single loss expectancy (SLE = AV × EF, asset value times exposure factor), ARO = annualized rate of occurrence
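
The SLE, ALE and "good investment" cards are arithmetic that is easy to get backwards under time pressure, so here is one worked scenario as an added example (not part of the original notes). It computes SLE = AV × EF and ALE = SLE × ARO before and after a safeguard, then the safeguard's yearly value and the payback period for a one-time purchase. The asset value, exposure factors, frequency and costs are constructed for illustration.

```python
"""Quantitative risk arithmetic: SLE, ALE and safeguard cost/benefit
(added example with constructed figures, not from the original notes)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Exposure:
    asset_value: float      # AV: value of the asset in dollars
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0-1.0)
    aro: float              # ARO: expected incidents per year (0.5 = once every 2 years)

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


def safeguard_value(before: Exposure, after: Exposure, annual_cost: float) -> float:
    """Annual value of a control: (ALE before) - (ALE after) - annual cost.
    Positive means the control saves more per year than it costs."""
    return before.ale() - after.ale() - annual_cost


def payback_months(before: Exposure, after: Exposure, one_time_cost: float) -> Optional[float]:
    """Months until the yearly ALE reduction has recouped a one-time purchase
    price. None when the control removes no risk (there is no payback)."""
    yearly_saving = before.ale() - after.ale()
    if yearly_saving <= 0:
        return None
    return one_time_cost / yearly_saving * 12


def ransomware_example() -> dict:
    """Constructed scenario: a $400k file server hit by ransomware once every
    two years. Without good backups 30% of the value is lost per incident;
    with tested offline backups plus EDR only 5% is, at $25k/yr running cost
    and $75k up front."""
    before = Exposure(asset_value=400_000, exposure_factor=0.30, aro=0.5)
    after = Exposure(asset_value=400_000, exposure_factor=0.05, aro=0.5)
    return {
        "sle_before": before.sle(),      # 120,000
        "ale_before": before.ale(),      # 60,000
        "ale_after": after.ale(),        # 10,000
        "value_per_year": safeguard_value(before, after, annual_cost=25_000),   # 25,000
        "payback_months": payback_months(before, after, one_time_cost=75_000),  # 18
    }


if __name__ == "__main__":
    for key, val in ransomware_example().items():
        print(f"{key:16s} {val:,.0f}")
```

Note that the control did not change ARO here (ransomware still arrives), only EF; a control such as email filtering would instead lower ARO. The 18-month payback is exactly the "instead of 12 months, maybe 24" judgment from the investment card: the control costs more than one year of avoided loss, yet is still worth buying if the risk will be around longer than the payback period.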

The Computer Security Act 1987

Aimed to Improve the security and privacy of sensitive info in federal computer systems and to establish a minimum acceptable security practice for these systems

Supplementation

Making additions (extra resources, overlapping controls) to reinforce the baseline and give more value in support of the assessment's mission objectives; if we have not scoped or tailored first, we cannot measure properly whether we are doing well or not

Data Protection Officer (DPO) (GDPR)

Mandatory for all public authorities (and for organizations whose core activities involve large-scale monitoring or special-category data); expert knowledge of data protection law and practice; an independent voice that sits above the controller and processor; monitors compliance; advises on data protection impact assessments (Article 35); cooperates with the supervisory authority and acts as its contact point; a single conduit for information flow between the organization and any outside party on GDPR matters, all communication in and out

Memorandum of Understanding (MOU)

An agreement between two or more parties to enable them to work together that is not legally enforceable but is more formal than an unwritten agreement. (M&A)

Penetration Strategies

Tools such as the Microsoft Baseline Security Analyzer (MBSA) support configuration checks. Strategies: ⦁ External testing - an outside party is paid to test the systems from beyond the perimeter ⦁ Internal testing - done by internal staff; red/blue teams and tiger teams are terms used in government, military and the private sector ⦁ Blind testing - the testers get only publicly available information (a black-box view), while the target's staff know the test is coming ⦁ Double-blind testing - neither side is told: the testers have no inside knowledge and the target's defenders are not warned, so out-of-scope IPs and life-safety systems must be agreed up front, which goes back to scoping and tailoring

Tactical management

Mid-term goals (the things we do weekly or monthly): goals that involve how the security systems are developed and implemented to meet policy requirements

Security Control Assessments (SCA)

Assess the controls we use to monitor how well they are performing; the different controls or countermeasures applied are assessed on an ongoing basis; when things change, the controls may need to change

countermeasure control categories

Must be cost-effective and appropriate, and should provide value; cost is how we tie countermeasures to quantitative risk evaluation. We ask how much we will spend to acquire and/or implement the countermeasure against the size of the actual problem we are attempting to mitigate; if the countermeasure costs as much as the problem we may still want it, depending on how long the risk will be around

Risk Assessment Methodologies***IMPT TO KNOW ***

FRAP, OCTAVE, NIST SP 800-30 R1, SOMAP, CRAMM, VAR (value at risk), FMEA (failure modes and effects analysis), fault tree analysis, AS/NZS 4360 / ISO 31000

Places to find updates

NIST, ISF, ISO, BSIMM

NIST

National Institute of Standards and Technology, part of the U.S. Department of Commerce; includes the Information Technology Laboratory (ITL); globally recognized; formerly the National Bureau of Standards. NIST is the United States' national measurement institute: it promotes and maintains measurement standards for government agencies, academia and industry, and runs programs encouraging industry and science to develop and use these standards

Octave 2003 *******MUST KNOW**********

Operationally Critical Threat, Asset, and Vulnerability Evaluation (2003); a risk management and threat modeling framework from Carnegie Mellon's Software Engineering Institute

OECD (PRIVACY)

Organisation for Economic Co-operation and Development; its 1980 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data originated the trans-border data flow rules and the 8 core privacy principles that focus on how we capture information, manage it, and what we do with it

AS/NZS 4360

First published in 1995 and revised in 1999 and 2004; superseded in 2009 by AS/NZS ISO 31000. The world's first national risk management standard (Australia and New Zealand), made up of 5 steps. A general risk management methodology used to understand a company's financial, capital, human-safety and business-decision risks. Although it can be used to analyze security risks, it was not created specifically for that purpose; it is focused on the health of the company from a business point of view, not on security

Private Sector Control Classes

Overarching above the control types: 1) Physical (guards, guns and gates) 2) Administrative (policy based, rules) 3) Logical/technical (things we implement through software, e.g. a VPN or VLAN)

Contingency

PREDICT A possible future event that must be prepared for or guarded against; possibility

Safeguard

PROACTIVE Security Control put in place BEFORE vulnerabilities are exposed; to prevent exposure

Use Limitation

Personal data should not be disclosed or used for purposes other than stated in the Purpose Principle, except with the consent of the individual or by the authority of law (ex. if your doctor collects data to treat you, they cannot then sell that data to another without your knowledge and consent)

NIST SP800-193

Platform Firmware Resiliency Guidelines

PIA (GDPR)

Privacy Impact Assessment

NIST SP800-171R1

Protecting Controlled Unclassified Information in NON-FEDERAL Systems and Organizations

countermeasure (control measure) ********MUST KNOW************

REACTIVE Security Control we use to deal with, AFTER, the likelihood of a threat's adverse impact

Guidance

Recommendations, suggestions or a set of steps, procedures, processes, a path and How we measure whether we are successful or not at doing something

BIA or business impact Analysis (coop operation)

Risk management tool used to understand and determine what impact a disruptive event would have on the organization and how business-critical services, if disrupted, rank by priority. It measures the importance of services because resources and time are limited and not everything warrants the same protection; the BIA frames risks and ranks services by importance and why; it should be done, examined, renewed and refreshed semi-annually or at least once a year

SP means

SP for special publication and R stands for Revision

The concept of Safe Harbor is

Safe Harbor (2000) is the idea that two or more countries, in this case the EU and the US, negotiate a side agreement stipulating that participants will comply with the spirit of the law even where they cannot meet its letter. The EU-US Safe Harbor framework was invalidated by the Court of Justice of the EU in 2015 (Schrems I); its successor, Privacy Shield, was invalidated in 2020 (Schrems II)

NIST SP800-125AR1

Security Recommendations for Server-based Hypervisor Platforms

Availability

Security actions put into place for continuity and in the event of a disaster; they ensure that AUTHORIZED users can access data at the appropriate times

NIST SP800-53R5

Security and Privacy Controls for Information Systems and Organizations (the current revision, 2020)

NIST SP800-53R4

Security and Privacy Controls for Federal Information Systems and Organizations; superseded by Revision 5

Operational risks

Short-term goals (things we do daily: vulnerability scanning, log review) concerned with performing the day-to-day business transactions of the organization; threats inherent in the technologies used to reach business success

Information Security Forum

Standards of Good Practice for Information Security; where we get 5 aspects (standards of IS); broken into 30 areas and 135 sections

Goals, Missions and Objectives are made up of

Strategic view - goals; Tactical view - what you do and how you execute; Operational vision - stitches the goals and tactical views together; strategy is managed through policy and procedures

NIST SP800-161 p7 ******IMPT TO KNOW*******

Supply Chain Risk Management Practices for Federal Information Systems and Organizations; although written for federal use, it is applied worldwide to manage supply chain and third-party risk in an organization

Quantitative

Tangible; When we quantify the measure of risk; a numerical assessment assigned when we drill down our understanding and assessment of the potential impacts of risk.

Vulnerability Assessments/testing

Tell us what weaknesses exist in our network; we test to make sure that what we think is happening actually is happening (trust but verify); a weakness can be physical, or a software configuration or misconfiguration

Rights in relation to automated decision making and profiling

The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention (big data, ai, machine learning); can't let a computer alone make a damaging decision that can impact you negatively. A human must be involved in that process.We could still have the computers spit out all that stuff and recommend yes or no, But a human must go through, look at that, and then ultimately make that decision

ITIL

The Information Technology Infrastructure Library (ITIL) is a service framework for how we provide Information Technology Services Management (ITSM) to the business. ITIL gives detailed descriptions of a number of important IT practices and provides comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs.

Integrity Controls give you

The ability to oversee, monitor and manage the current, well-documented, agreed-upon state of data, so that if it is modified in any way we have a record of it and can go back through incident response; changing or removing data without prior consent is a violation of integrity

Privacy by Design

The concept that organizations need to build privacy directly into technology, systems and practices at the design phase, thereby ensuring the existence of privacy from the outset. Originating in the mid-1990s by the Information and Privacy Commissioner of Ontario, the principle has gained recognition around the globe, including from the U.S. Federal Trade Commission and the European Commission.

RTO (recovery time objective)

The target maximum amount of time within which systems must be recovered after an event; RTO and MTD can be equal, but then there is no margin for error and no buffer if things do not go well; better if RTO is less than MTD

Maximum tolerable outage (MTO)

The maximum time that the organization can support processing in the alternate site - O = outage alt facility

Exposure Factor (EF)

The measure or percentage of loss experienced IF a specific asset were attacked

E-Privacy Regulation is lateral to the GDPR

A proposed EU regulation that would control the flow and management of personal data across all electronic communications, including telephony and internet-based messaging services; significant penalties for non-compliance; in the UK it was expected to replace the existing PECR rules

US-EU Safe Harbor framework

Website maintained by the US Department of Commerce

Right of access

Under the GDPR, individuals will have the right to obtain: • confirmation that their data is being processed; • access to their personal data; and • other supplementary information - this largely corresponds to the information that should be provided in a privacy notice (see Article 15)

Export Administration Regulations (EAR)

Under what conditions US companies can export dual-use goods (items with both civil and military uses)

Examples of assessments

Vulnerability, penetration testing,

Impact ********MUST KNOW************

What a threat will cost qualitative and quantitative

loss potential

What the company would lose if a threat agent actually exploited a vulnerability

Examples of due care

When practitioners implement through procedures - need to know, least privilege, job rotation, separation of duties

Right to restrict processing

When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future (backups)

Management framework

Zachman framework, the Calder-Moir framework, TOGAF, DODAF, MODAF

Categories of Penetration Testing

Zero knowledge a/k/a black box - NO knowledge Partial knowledge a/k/a grey box - SOME knowledge Full knowledge a/k/a white box - on inside and know all

data breach or personal data breach (GDPR)

a breach of security leading to accidental or intentional, unlawful, willful destruction of data, loss, alteration, unauthorized disclosure of and/or access to personal data transmitted, stored or otherwise processed

Preventive

a lock, a fence or a firewall rule (stops the action outright; a camera or a sign, by contrast, is a deterrent)

security frameworks allow us to have

a common vocabulary, context, and a central shared point of reference for our communication and discussion around how we manage security; they structure and define a set of requirements and elements that help us measure whether or not we are being effective in what we do

Risk Assessment

a component of risk management; 4 steps to completing risk assessment

Deterrent

a control - deters you from doing something (i.e., cameras)

Consent must be freely given

a controller cannot insist on data that's not required for the performance of a contract as a pre-requisite for that contract

code of ethics a/k/a code of professional ethics

a formal statement of ethical principles and rules of conduct; COE's help to standardize behavior, conduct and focus in and around the organization

The Economic Espionage Act of 1996

a law that makes the theft of trade secrets, including theft for the benefit of foreign entities, a federal crime in the United States

MTD (Maximum Tolerable Downtime)

A measure of time: the longest period a business can be inoperable without failing irrecoverably. It encompasses the entire window from the start of the outage, through RTO and WRT, until production resumes
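
The MTD, RTO and WRT cards describe relationships (RTO + WRT must fit inside MTD, RTO equal to MTD leaves no buffer) that are easy to state and easy to violate in a real plan. The check below is an added example, not from the original notes: it validates a set of services against the MTD tiers on this page (urgent 24 h, important 72 h, normal 7 days) and additionally compares backup frequency against RPO. The 4-hour figure for the "critical" tier (the page only says "minutes to hours") and the three service entries are assumptions made for the example.

```python
"""Recovery-objective consistency check (added example with assumed figures)."""
from dataclasses import dataclass
from typing import List

# MTD per criticality tier, in hours. The "critical" value is an assumption;
# the other three come straight from the MTD tier card.
MTD_HOURS = {"critical": 4, "urgent": 24, "important": 72, "normal": 168}


@dataclass(frozen=True)
class Service:
    name: str
    tier: str                      # one of MTD_HOURS
    rto_hours: float               # systems recovery time (restore infrastructure)
    wrt_hours: float               # work recovery time (restore data, clear backlog, verify)
    rpo_hours: float               # tolerable data loss, as age of the last good copy
    backup_interval_hours: float   # how often a recoverable copy is actually taken


def check_service(svc: Service) -> List[str]:
    """Return findings; an empty list means the objectives are consistent."""
    findings = []
    mtd = MTD_HOURS[svc.tier]
    downtime = svc.rto_hours + svc.wrt_hours      # MTD = RTO + WRT is the budget
    if downtime > mtd:
        findings.append(f"{svc.name}: RTO+WRT {downtime:g}h exceeds MTD {mtd}h for tier {svc.tier}")
    elif downtime == mtd:
        findings.append(f"{svc.name}: RTO+WRT equals MTD {mtd}h, no margin for error")
    # RPO is about data age, not time to recover: backups must be at least as
    # frequent as the RPO, otherwise the objective is unreachable on paper.
    if svc.backup_interval_hours > svc.rpo_hours:
        findings.append(f"{svc.name}: backups every {svc.backup_interval_hours:g}h cannot meet RPO {svc.rpo_hours:g}h")
    return findings


def check_plan(services: List[Service]) -> dict:
    """Map each service name to its list of findings."""
    return {svc.name: check_service(svc) for svc in services}


# Constructed plan: one consistent service, one with no buffer, one broken.
EXAMPLE_PLAN = [
    Service("payments", "critical", rto_hours=1, wrt_hours=1, rpo_hours=0.25, backup_interval_hours=0.25),
    Service("payroll", "urgent", rto_hours=8, wrt_hours=16, rpo_hours=24, backup_interval_hours=24),
    Service("intranet wiki", "important", rto_hours=48, wrt_hours=48, rpo_hours=24, backup_interval_hours=168),
]

if __name__ == "__main__":
    for name, findings in check_plan(EXAMPLE_PLAN).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

The "payroll" entry is the case the RTO card warns about: 8 + 16 hours lands exactly on the 24-hour MTD, so any slip in the restore breaches it. The wiki entry shows two independent failures, a downtime budget that does not fit the tier and an RPO that the weekly backup schedule can never meet.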

Directive

a policy control - only allow this for this reason; we only allow remote access through VPN

Threat Modeling (risk mgmt)

A process defenders use to systematically identify, enumerate and prioritize potential threats, viewed from a hypothetical attacker's point of view; allows for use cases and abuse cases built on attack vectors, tools or approaches; we look at the world from a bad actor's point of view and ask "what if" this happened: what are our concerns, which targets or assets would they want, what would we do; may tie into vulnerability and penetration testing to form a complete assessment package

Trademark

a recognizable sign, design, or unique expression that distinguishes the products or services of a particular source from those of others; when applied to services, usually called service marks

COSO (Committee of Sponsoring Organizations)

a risk framework; it speaks about the control element of risks, how we setup controls, manage it and control it - 5 areas of internal control

Reputational Risk

a risk of loss resulting from damages to a firm's reputation, in lost revenue; increased operating, capital or regulatory costs; or destruction of shareholder value, consequent to an adverse or potentially criminal event even if the company is not found guilty.

Delayed Loss

secondary in nature and takes place well after a vulnerability is exploited; may include damage to the company's reputation, loss of market share, accrued late penalties, civil suits, and the delayed collection of funds from customers

Patent

a set of exclusive rights of OWNERSHIP granted by a sovereign state or governmental organization to an inventor or assignee for SOMETHING NEW/NOVEL, USEFUL AND NOT OBVIOUS, for a limited period of time (typically 20 years), in exchange for detailed public disclosure of the invention

intellectual property (IP law)

a set of laws and thought processes we apply to data; intangible creative work that is embodied in physical form and includes copyrights, trademarks, and patents; sensitive, pii, financial data, information about m&a to manipulate stock prices; They must be able to demonstrate that they took steps to secure it

Integrity controls or countermeasures

a. strict access controls / authentication b. IDS (passive monitoring system that alerts when something goes wrong but doesn't take action) c. encryption (doesn't matter if they get it, as long as the encryption holds; best safeguard) d. hashing (not about keeping data secure or secret by encryption; it's about detecting that no changes to the data occur, and if a change does occur, that you had permission to make it) e. interface restrictions / controls (can only access this workstation under strict controls) f. input / function checks (validation when typing in data; when asked to save it, you insert your smartcard to make sure you have permission to save it)

Availability controls or countermeasures

a. strict access controls / authentication b. continuous monitoring c. firewalls & routers to prevent DoS / DDoS attacks d. redundant system design to eliminate SPOFs (single points of failure) e. periodic testing of backup systems; redundancy, backups, remote site hosting (hot, warm, cold sites), high availability (cluster active/passive) and fault tolerance (0 downtime)

Right to erasure

a/k/a 'the right to be forgotten'; this right enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing

Data Processors in GDPR

act with due care; they are the entity that actually performs the data processing ON THE controller's behalf

contractual

agreed in a contract (possibly verbal); standardized and adheres to requirements

Should the controller determine that the personal data breach "is likely to result in a high risk to the rights and freedoms of individuals," it must

also communicate information regarding the personal data breach to the affected data subjects. Under Article 32, this must be done "without undue delay."

GDPR also allows the data protection officer functions to be performed by

an employee of the controller or processor or by a third party service provider

The ITIL framework is

an enterprise mgmt framework that comes from British or other governmental military mgmt; it defines what customer service is in IT and how we measure it; it standardizes the selection, planning, delivery and support of IT services to a business

Breach

an occurrence or event that has compromised data and impacted one or more of the CIA and as a result has modified, disclosed or rendered the data unavailable, with a negative outcome; a countermeasure being bypassed or rendered ineffective

Threat Source a/k/a threat actor or BAD actors ********MUST KNOW************

any kind of event or situation that has negative consequences or if it occurred would prevent normal operation of the organization; can be internal or external (i.e., not just hackers, but red and blue teams because they are negotiated and approved by the customer)

User

any person who has access to a secured system

Threat event

any potential adverse occurrence or unwanted event that could injure the organization or prevent the normal operation; all events are not bad

Regulations

apply to governmental agencies and industries; the use of governmental authority to control or change some practice in the private sector; punishment is loss of license or designation

Risk Management

applying overlapping controls and counter measures to mitigate risk and minimize them to the point of toleration, based on our risk appetite in the business; change management and risk management - you have to have both

CMMI and UML

are not threat models. They may provide elements in frameworks associated with aspects you may engage in with threat modeling, but they're not threat models

ISO 27002

are the security controls that help us frame ISO 27001; Organisations can achieve certification to ISO 27001 but not ISO 27002

E-Privacy Regulation is important for digital marketing activity

as it overrides the GDPR's allowance for legitimate interests and enforces consent on all digital communications for marketing purposes. There will still be an allowance for the "soft opt-in" where customers can be communicated to about similar goods and services with an opt-out only, but it should be noted that the wording here has been tightened restricting the use to customers only

willful destruction or alteration of data is

as much a breach as theft; it's about integrity, confidentiality and availability

ISO27007

audit

Copyright covers

books, advertisements, articles, graphic designs, labels, letters (including emails), lyrics, maps, musical compositions, product designs, etc.

BS 7799 Part 1, ISO 17799, ISO 27002

code of practice; ISO 27002 came from the British security standard BS 7799 (the original British security standards document) via ISO 17799; 133 controls, 500 plus detailed controls

Computer related crimes

computer-incidental crimes

"downstream" responsibility of DSAR's

controllers to take "reasonable steps" to notify processors and other downstream data recipients of such requests

Access Controls

controls that restrict unauthorized individuals from using information resources and are concerned with user identification; temporal, time based; discretionary, managed

STRIDE Methodology *******MUST KNOW**********

created by two security practitioners, Loren Kohnfelder and Praerit Garg, at Microsoft in 1999, to assess applications and their security; characterizes known threats according to the kinds of exploit that are used (or the motivation of the attacker). Stands for Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.

A company with multiple subsidiaries may appoint a single

data protection officer so long as they are "easily accessible from each establishment"

Avoidance

decide not to engage in that behavior; avoid risk by not doing what will lead to that risk; disengage (e.g., patching, not using windows, anti

Scoping and Tailoring - In step 1

decide through scoping what will and will not be included in the assessment then tailor it to filter and/or modify our approach to fit our scope objectives (i.e., iterations when doing SDLC)

Exposure

degree to which you are susceptible to asset loss due to a threat

BCP Planning begins with

developing a BCP Program - wherein we sketch out the parameters of what the program means

Administrative Controls

directive controls - policies and procedures, privilege management or monitoring

Logical (Technical) Controls

directive controls - policies and procedures, privilege management or monitoring

Deterrent Controls

discourage people from violating security directives; reinforce directive controls

The GDPR regulation expressly prevents

dismissal or censure of the data protection officer for performance of his/her tasks and places no limitation on the length of their tenure

Due Diligence

doing what it takes from day-to-day to implement oversight of standards that are set, the security culture that is guided by the framework so everybody can be held accountable within that culture, and everybody is responsible for operating in the appropriate way within that culture

Asset valuation

dollar value assigned to an asset

E-Privacy Regulation

ePrivacy, ePrivacy2, PECR2, ePR

Cybercrime

engaging in criminal activity through use of a computer; consequences: a. loss of intellectual property and sensitive data b. damage to brand image/reputation c. penalties and compensatory payments d. cost of countermeasures e. regulatory and compliance issues (jail time, censure, assets seized)

Integrity controls are not about

ensuring info is kept confidential/secret. Integrity is important because if the info is changed, the meaning of the info may also change

Job Rotation (personnel security/EMPLOYEE CONTROL)

ensuring people can move through different jobs in the organization; enables cross-training; ensures knowledge is documented

Third Party Assessment

ensuring we have visibility through some sort of auditability, verification, validation, and assurance process to ensure that due diligence and due care are being applied. We have to have good, clean, understandable, signed-off-on, and agreed-to SLAs (service level agreements) that are contractual vehicles that bind both customers and suppliers (or providers, you can think of it either way) to a set of assumptions and a set of requirements

Reporting

the last step is always to communicate findings and summarize effectively what you have done; timeliness and understandability matter

privacy management (GDPR)

exercising personal control over confidential information in order to enhance autonomy or minimize vulnerability; The regulation mandates a "Risk Based Approach:" where the appropriate organizational controls must be developed according to the degree of risk associated with the processing activities.

Standards

external guidance that industries should align with to maintain designation

Detective

finds suspicious behavior and alerts you (e.g., IDS)

Standardization/Standards

formalized (written down) guidance that allows us to operate with a set of things we need to do in a certain way; formalized guidance and things we need to be aligned with coming from an agency and have penalty of

ISMS is a

framework of policies and procedures that includes mgmt of all legal, physical and technical controls involved in an org's info risk mgmt processes. Tells you what you should have in place but doesn't tell you how to do it - strategic level

Acceptance

going to engage in risk behavior even though there may be a downside, the cost of doing business

Risk Framework

guideline or recipe for how risk is to be assessed, resolved, and monitored (COSO, ITIL, ISO 27001 and 27002, ISO 17799/BS 7799, ISMS (01) and Controls (02); ISO 73:2009 (risk mgmt vocabulary list), ISO 31010:2009 (risk mgmt techniques), ISO 31000:2018 (risk mgmt guidelines))

ISO31000

guidelines on managing risks

Security Control Frameworks

help us to structure management's identification of requirements, goals and objectives

Policy

high level strategy or statement of events, gives direction but not details or specific approach of how to get there; they should be broad in scope and coverage; details come in supporting documentation

BCP - business continuity planning

how we do what we do to get back to normal; if it's not working, we need to understand what isn't working and what it means; what steps we take to get systems working to restore continuity

OECD 8 core principles of privacy

i. Collection limitation ii. Data quality iii. Purpose specification - what we capture data for, narrowly defining that need iv. Use limitation - using data only for the purpose we captured it for, so we don't capture more than we need and don't expose data v. Security safeguards vi. Openness vii. Individual participation viii. Data controller accountability

incidents and breaches are important because of

i. Privacy ii. Governance iii. Risk iv. Compliance

Internal Penetration Testing

important because people who know the system will know where to look for the holes, but they also will ignore certain things; or only test for compliance because even though you may meet compliance, an external tester will look for all ways to get in

High availability

involves system downtime while we fail over to a new system and bring it back up (e.g., a cluster)

International Wire Transfer

is governed by the countries that use it, so data remains under the laws of the agreements between the countries it travels through

Risk Value

is how we measure risk

Data Custodian

is responsible for implementing the protections called out by the security policy at the behest/direction of the data owner. Performs all activities necessary to provide CIA protection.

The ITL

is supported by NIST and publishes special publications related to security that are freely available for download here: http://csrc.nist.gov/publications/PubsSPs.html

ALE

is the $ value of loss over a period of time (12 months/year, 6 months, etc.)

organizational process role and responsibility

is this idea of well thought out, well defined, and communicated policies and procedures that everybody understands

Risk Assessment Goal

is to identify, catalog and mitigate risks

BCP Planning

is when one or more individuals from different areas of an organization get together to jointly come up with a plan that can be a set of written/documented requirements; a detailed, action-oriented capability that we develop in the business; a story or narrative about what we should do if something isn't working; a good plan encompasses what needs to happen and how

Right to data portability

it allows individuals to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to format or usability, because it mandates standardized data formats like .csv; it ensures that data is going to be structured, stored, managed, and used in ways that make it portable so I'm not locked in to one vendor; no proprietary systems

Recital 171 of GDPR

makes clear that existing consent is O.K. if it was in line with the purpose of GDPR; you're not supposed to go out and consistently seek a renewal of consent because certain activities can be seen as being problematic for other reasons

Disclosure

making secret information public; breaks confidentiality; disclosures can happen as a result of a breach

Adverse impact

measures what a vulnerability would cost or mean if it happens

Encryption Controls

mechanisms, rules, thought processes, policies and procedures (guns, guards, gates, sign-ins, security cameras, card access, CCTV monitoring, non-stop observation)

The goal of the ISMS is to

minimize risk and ensure continuity by pro-actively limiting the impact of a sec breach and to ensure business is conducted within an acceptable level of risk (minimize risk and maximize CIA)

Mitigation

minimize the risk, engage in behavior and execute countermeasures at every opportunity (patching up to date; access control; administrative account special)

BS 7799

morphs into ISO17799 which ultimately becomes the bedrock and baseline for ISO 27001 and 27002

Defense-in-Depth Strategy

multiple layers or levels of access controls to provide layered security; a series of concentric rings that show how controls overlap and mutually reinforce each other; overlapping, mutually reinforcing layers of controls or countermeasures to minimize risk. Remember, if one control is good, two is better, and three is better than two, because they may be implemented differently in different systems, be managed and overseen by different areas of the business, and address different vulnerabilities in different areas of the architecture even though they are the same control.

US Privacy Shield Framework

new name for the Privacy Shield

when a data processor experiences a personal data breach, it must

notify the controller but otherwise has no other notification or reporting obligation

COUNTER MEASURE SELECTION

offset risk, counter measures are about the things we will do in order to prevent unauthorized access to the system

Repudiation occurs when

one party in a transaction denies that the transaction took place

security frameworks are never

one size fits all; they are one size fits one; they should be used as guidance, a starting point or skeleton; they don't have to be taken verbatim but do have to be documented and implemented so we can audit, validate and verify against them; they help us to translate those ideas into what we already do without ripping and replacing everything

Guidelines

optional things, a set of best practice recommendations not forced to follow, doesn't carry the force of a regulation

Consent should be demonstrable

organizations need to be able to show clearly how consent was gained and when.

Right to be informed

our ability to have our information fairly processed and managed. As a result there is a privacy notice provided by companies that are either updating or have sent you or revised one, saying: we treat your data this way, we do these things to it, we don't sell it, we don't give it to these people

ISO 27000 series

overall addresses information security management across a broad swath of different numbered standards in this series; organisations can achieve certification to ISO 27001 but not ISO 27002.

PCI DSS

payment card industry data security standard - credit cards, prevents identity theft; applies to the payment card industry, which regulates itself

Violations of obligations related to legal justification for process (Consent)

permission for something to happen or agreement to do something; opt-in to give explicit permission to use data

Data owner

person or entity who has ultimate control over data who has access, what permissions, etc. the person who is in charge of data classification

Physical Controls

preventative and deterrent controls - things we apply to a system to prevent something from happening (doors, locks, windows, guards, dogs, etc)

Applicable types of control measures or countermeasures

preventive, detective and corrective

Strategy is not the same as

procedures

Integrity

provides assurances that data has not been modified, tampered with, or corrupted; is change control for data - no unauthorized modification without knowledge and consent of the data owner; confidentiality and integrity depend on each other; can't have one without the other

DREAD Methodology

quantifying, comparing and prioritizing the amount of risk presented by each evaluated threat. The DREAD algorithm, shown below, is used to compute a risk value, which is an average of all five categories.

Corrective Controls

remedy circumstance, mitigate damage, and/or restore controls (attempt to fix when something has gone wrong) (corrective would be power cycling something to clear an error; a blue screen so restarting)

Work factor

represents the time and effort required to break a protective measure and it has to be large

Gramm-Leach-Bliley Act (GLBA)

requires financial institutions to ensure the security and confidentiality of customer data

Recovery Controls

restore conditions to normal after a security incident (let's try to restore after problem has happened from backup take because of a failure)

Right to Object

right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics.

Financial Risk

risk associated with a monetary outlay; includes the initial cost of the purchase, as well as the costs of using the item or service; Probability of Harm (P) x Magnitude of Harm (M) = Cost of Prevention (C)

ISO 31000:2018 ******IMPT TO KNOW*****

risk mgmt guidelines; linked to AS/NZS 4360 which underlines ISO 31000

ISO 31010:2009 ******IMPT TO KNOW*****

risk mgmt techniques

Cross border data transfers (GDPR)

safe movement of electronic, personal data around the world. ... The regulation addresses the transfer of personal data to locations outside the EU or EEA (European Economic Area)

War Dialing

searching for an idle modem by programming a computer to dial thousands of phone lines

Data Protection Directive of the GDPR is the

second part of GDPR, called the DPD; designed around police and criminal justice related activities to ensure that victims of crimes, witnesses and suspects are all duly protected, whatever those protections may be, under the context of an investigation through law enforcement action

non-repudiation

security principle of providing proof that a transaction did or did not occur between identified parties (e.g., a digital signature; username and password); BUT with just nonrepudiation there is a GAP: they only know that it was my username and password or digital signature; they don't know that it was me who did it, so you NEED multifactor authentication - something you have, know and are

Security frameworks

sets of best practices and rules that drive the behavior and common language of an org; it is the over-arching thought process of how we structure and align with sec support strategy, goal, mission, and objectives of the org

Withdrawing consent should always be possible

should be as easy as giving it

Detective Controls

signal a warning when a security control has been breached (alert or warn us when something is wrong, flashing light, alarm)

ISC2 Code of Ethics*

simple code with a preamble and 4 canons; describes *what you should do*; the behavior that is accepted and expected from those that act on behalf of the organization

Incident

some sort of occurrence or event that has the potential to do harm to the elements of CIA; it may or may not be negative

Corrective

something that is done when we find suspicious activity and take action to prevent it from occurring - IPS

Recovery

something we implement to fix a problem (If we can run a script that will restore functionality)

NIST documents are

standard documents numbered in the 800 series. the 1500 series updates the 800's

Procedures

step-by-step instructions for completing a task

Compensating Controls

substitute for the loss of primary controls and mitigate risk down to an acceptable level; they substitute when a control is lost (redundancy, UPS, backup power supplies)

Availability indicates

that data and services are available for authorized people when needed/on-demand

information security management system (ISMS) or ESA validate

that the appropriate policies, procedures, standards, and guidelines are implemented to ensure business operations are conducted within an acceptable level of risk

Fault tolerance

the ability for a system to respond to unexpected failures or system crashes as the identical component immediately and automatically takes over with no downtime (i.e., drive mirroring or a generator)

Half-Life

the amount of time it takes to break encryption that is going to be chipped away at every second of every day the encryption is in place.

We mitigate risks through

the application of controls

Cryptography

the art of protecting information by transforming it into an unreadable format, called cipher text

Likelihood ********MUST KNOW************

the chance that something might happen

Encryption only means

the data will be harder for the bad actor to decrypt; it does not mean they can't get to the data; a way of protecting data that uses a control that allows us to transform the nature of the data with a lock and key mechanism

Culture

the enduring behaviors, ideas, attitudes, values, and traditions shared by a group of people; it allows us to share information and create relevancy

Attack

the exploitation of a vulnerability by a threat agent (bad actor)

Compliance

tools or processes that are put into place to validate and verify, trust but verify; it's about that the organization is aligning with the contractual legal, industry standard or regulatory requirements (maritime (international waters), treaties, antarctic etc.)

Availability control does not mean

uninterrupted service. Some availability controls are compensating controls that allow us to restore system access, but there will be a delay of some sort (e.g., a UPS)

Notice is not required if "the personal data breach is

unlikely to result in a risk for the rights and freedoms of individuals"

Preventive Controls

used to stop a security incident or information breach (anti-lock brakes; crash avoidance)

NIST is a

very expansive organization; it does all sorts of things. It is really the research and standardization body of the US government when it comes to standards across all industries, not just information security and not just IT; for IT, look under Publications, SP (special publications); see the table showing the release dates, status, draft and the number; you can click and download the standard PDF

NIST Cybersecurity Framework

was published in February 2014 in response to Presidential Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," which called for a standardized security framework for critical infrastructure in the United States; https://www.nist.gov/cyberframework

Residual Risk ********MUST KNOW************

whatever risk is left over after the countermeasures have been applied (ex. zero day exploits you may not know or be aware of, but that doesn't mean there is no risk); Residual Risk = Threats * Vulnerabilities * Asset Value OR Residual Risk = Total Risk - Controls

Dual Control

when two people perform a separate portion of a task at the same time as a control over the process

Acceptable levels of risk

when we can mitigate or minimize, quantify or qualify all known and documented risks; when we are willing to deal with what is left over knowing that certain risks are less impactful

Openness

willingness to try new things and be open to new experiences; we should be able to tell people what we're doing with our data and purpose specification what the expectations are for our data; transparency

5 areas of internal control of COSO necessary for disclosure objectives

⦁ Control environments ⦁ Risk assessment ⦁ The control activities - how we're going to engage in controls ⦁ Information and communication mechanisms ⦁ Monitoring

ITIL's 5 thought process areas

⦁ Service strategy ⦁ Service design ⦁ Service transition ⦁ Service operation ⦁ CSI or Continual Service Improvement then iterate back through

STEPS FOR VULNERABILITY

⦁ Vulnerability scanning - Nmap, winmap, xenmap, nrip scanner, Metasploit ⦁ Analysis - of open ports and the services they are open for (webserver, apache, iis webserver) ⦁ Communicate results - distill the info we find so people can understand what they need to do; need vs. investment

Seven types/categories of access control

1) Directive 2) Deterrent 3) Preventive 4) Compensating 5) Detective 6) Corrective 7) Recovery

GRC

Governance, Risk and Compliance standards

Collection Limitation Principle

OECD privacy guideline principle that states that personal data can be collected but limited to the purpose specified.

Encryption is the

#1 control for confidentiality; a process of encoding messages to keep them secret, so only "authorized" parties can read it (i.e., lock and key)

Hashing is the

#1 control for integrity; it Is the process of using an algorithm for verifying the integrity or authenticity of a computer file. This can be done by comparing two files bit-by-bit, but requires two copies of the same file, and may miss systematic corruptions which might occur to both files. A more popular approach is to also store checksums (hashes, message digests) of files for later comparison.

Asset Value (AV)

$$$ amount asset is worth to the organization

5 rights are associated with a copyright

(1) Reproduction of the work in any form, language, or medium (you have the right to block that from somebody who is doing that illegally, without licensing, without your approval) (2) Adapt or derive more works from it. (3) Make and distribute its copies. (4) Perform it in public. (5) Display or exhibit it in public

Prepare for assessment - Step 1

(A) Determine methodology, qualitative or quantitative. Qualitative - 3 high, med and low ratings or 5 very high, high, moderate, low, very low. Quantitative - collect statistics about things that have happened (B) Determine Scope need to know what to focus on AND what we can ignore regarding the assessment (IT as a whole, HIPAA focused, PCI-DSS) (C) Rigor we will use (D) Degree of formality we will use?

Transference

(insurance or SLA) get someone else to take on the risk on our behalf; pay someone to take on the risk, and in exchange for money they will manage it on your behalf (e.g., move to the cloud on a SaaS, PaaS or IaaS model - renting infrastructure from somebody else for a fee, giving someone else the liability for managing it for you; transferring the risk to a cloud provider)

M2M

(Machine to Machine) enables connected devices to communicate with each other

Declaration of Trans-border data flow

(PRIVACY) transfer of data between countries; with fast changes in technology, the flow of data is boundary- and border-less between countries, including PII; there is a physical way to control goods at a border, but not data

Directive Controls

(administrative) do this don't do that; specify acceptable rules of behavior within an organization

ISO27001

(formerly known as ISO/IEC 27001:2005) specification for an information security management system (ISMS)

AS/NZS 4360 5 Step Process *****IMPT TO KNOW****

1) Establish Context: Establish the risk domain, i.e., which assets/systems are important? 2) Identify the Risks: Within the risk domain, what specific risks are apparent? 3) Analyze the Risks: Look at the risks and determine if there are any supporting controls in place. 4) Evaluate the Risks: Determine the residual risk. 5) Treat the Risks: Describe the method to treat the risks so that risks selected by the business will be mitigated.

Definition of ISO/IEC 15408-1:2009

-1 means Revision 1 :2009 is the year it was last updated; can see table of contents, first couple of pages, the appendices, will have to buy to see guts

Privacy Principles

1) Accurate 2) up-to-date info 3) can't be disclosed to a third party unless authorized consent is given by person or statute 4) people have a right to have info corrected

Process Steps for doing a Risk Assessment

1) Approval - get senior mgmt buy-in 2) Form a Risk Assessment Team 3) Analyze Data 4) Calculate Risk 5) Countermeasure Recommendations

Ways to Assess Whether we are in line with policies, rules and regulations on an ongoing basis

1) Audits (informal or formal; annual or semi-annual) 2) continuous monitoring 3) use automation tools and techniques 4) logging 5) automation monitoring that alerts; must have well-defined processes and procedures that get implemented, monitored and standardized in a way that can be validated

4 RISK RESPONSE APPROACHES/WAYS TO DEAL WITH RISK - ATAM

1) Avoidance 2) Transference 3) Acceptance 4) Mitigation/Reduce; can apply to any pm project

6 legal grounds under the GDPR

1) Consent, 2) Contract, 3) Legal obligations, 4) Vital interests, 5) Public interests 6) Legitimate interests;

Quantitative Risk Assessment Formulas ***IMPT TO KNOW ***

1) Cost Benefit Analysis: CBA = ALE before Safeguards - ALE after Safeguards 2) Total Risk = Threats * Vulnerabilities * Asset Value 3) Residual Risk = Threats * Vulnerabilities * Asset Value 4) Residual Risk = Total Risk - Controls

Different Types of law

1) Criminal - harms done to one or more organizations 2) Civil - interaction between business and individual 3) Administrative - day-to-day oversight and regulation 4) Maritime 5) International

Threat Modeling Two ways to visually represent what we do with data

1) Data flow diagrams - look at how data moves through the system (PASTA and TRIKE) 2) Process flow diagram - visual representation of what we do (VAST)

Conduct Assessment - Step 2 Substeps

5 substeps: (a) Identify threat sources and events (can be negative or not negative; negative events are incidents) - want to catalog them; this is based on information from Step 1 (b) Identify vulnerabilities and predisposing conditions - things that occur that allow threats to occur or not occur; unless I check and verify I don't know, so ask: are there countermeasures? (c) Determine the likelihood that the risks will occur - if you're not patching, what is the likelihood of something occurring, and what is the likelihood that those vulnerabilities will not be exploited (d) Determine magnitude of impact - quantitative or qualitative risk impact (number on a scale, dollar value, or a hybrid) (e) Determine risk - the sum total of Risk (the effect of threat sources, events, predisposing conditions and vulnerabilities, likelihood of occurrence and magnitude of impact)

Vulnerability ********MUST KNOW************

= weakness; an inherent weakness in an information system (i.e., policy, procedures, internal controls or implementation) ALL vulnerabilities are not equal

Data Quality

A comprehensive approach to ensuring the accuracy, validity, and timeliness of data (eliminate bad data, minimize errors)

Compensating

A control designed to be in place so that if another control fails, that control picks up the slack and will offset the failure (anti-lock brakes/anti-collision or firewall/IDS/IPS or IDPS). ⦁ IDS is passive, detects ⦁ IPS - active, alert, can shut down

Total Risk

A risk a company faces if it chooses not to implement a safeguard, control or countermeasure

Process for Attack Simulation and Threat Analysis (P.A.S.T.A)

A seven-step process for aligning business objectives and requirements, taking into account compliance issues and business analysis. Provides a dynamic threat identification, enumeration, and scoring process. Also associated with Microsoft; Once the threat model is completed security subject matter experts develop a detailed analysis of the identified threats. Finally, appropriate security controls can be enumerated. Provides an attacker-centric view of the application and infrastructure from which defenders can develop an asset-centric mitigation strategy.

Penetration Testing

A test by an authorized outsider to do agreed upon work to actually exploit any weaknesses in systems that are vulnerable.

External Penetration Testing

A test by an outsider to actually exploit any weaknesses in systems that are vulnerable; may not be needed if nothing uses cloud services or AS/400; if you can't guarantee you don't use it, that will be the thing that someone exploits

Zero Day Exploit

An unknown risk; a vulnerability that is exploited before the software creator/vendor is even aware of its existence.

DREAD algorithm

An algorithm used to compute a risk value; Risk_DREAD = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5 to get a numerical value; will always produce a number between 0 and 10; the higher the number, the more serious the risk; the lower the number, the less impactful

Cost-Benefit Analysis (CBA)

Analysis that compares the costs of various possible decisions to each other (CBA = ALE before Safeguards - ALE after Safeguards), forecasts the net impact of each on the bottom line, and recommends the best alternative.

Quantitative or quantifiable Risk Formula

Annual Loss Expectancy (ALE) = Single Loss Expectancy (SLE) * Annual Rate of Occurrence (ARO); ALE = SLE * ARO

Asset

Anything of value that is owned

Other areas Penetration Testing

Application; DoS/DDoS (internet sites); WAR... (driving, dialing); Wireless; Social Engineering; Telephony (VoIP phones that are not on their own VLAN are little computers; malware on them may gain access across the network since they are plugged into switches and routers)

Regulatory Risk

The risk that changes in regulations may negatively affect the operations of a company.

NIST SP800-53AR4

Assessing Security and Privacy Controls in FEDERAL Information Systems and Organizations: Building Effective Assessment Plans

ASSIGN RISK

Assign risk once you know the residual risk; senior management assigns it - this is the person that will manage risk on behalf of the organization; senior management owns and bears responsibility and accountability for the risk

VAST

Associated with Agile; another threat modeling methodology: Visual, Agile, and Simple Threat modeling, which is what the acronym refers to

Financial Frameworks

Basel II, Sarbanes-Oxley (financial AND publicly traded companies - NASDAQ or New York Stock Exchange), COSO, GLBA

Threat modeling methodologies - History

Began in 1977; Christopher Alexander; visualization

BSIMM

Building Security In Maturity Model (BSIMM) measures software security; software security framework made of four domains (Governance, Intelligence, SSDL Touchpoints, Deployment)

ISO 15, 16, 17, 18

Cloud standards

Eight Core Principles

Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation, Data Controller Accountability

ISO15408

Common Criteria for IT Security Evaluation; framework for specification of an evaluation Protection Profile (PP) and Evaluation Assurance Level (EAL 1-7) - government and military standards; equipment is certified at a certain level of security

Confidentiality countermeasures or controls

Done through access controls (permissions): a. encryption b. traffic padding (adding random garbage to the traffic stream to make it harder for the hacker to pick out the good stuff) c. strict access controls / authentication mechanisms d. data classification e. awareness training

Need to Know (risk mitigation technique)

Defines the minimum level of access for subjects based on their job or business requirements;

DODAF

Department of Defense Architecture Framework

Separation of Duties (personnel security/EMPLOYEE CONTROL)

Dividing responsibilities between two or more people to give us more insight and oversight into a control, limit fraud, and promote accuracy of accounting records (ex. backup and restore); prevents one person from having all the power; similar to the TWO PERSON RULE

separation of duties

Dividing responsibilities between two or more people to limit fraud and promote accuracy of accounting records (i.e., backing up data)

Copyright

Don't have to register it like a patent, can just claim it as copyrighted material; it protects published or unpublished UNIQUE/original work (for the duration of its author's life plus 50 years) from unauthorized duplication without due credit and compensation; protects not only books but also ...; according to the major international intellectual-property protection treaties (Berne Convention, Universal Copyright Convention, and WIPO Copyright Treaty; WIPO is the World Intellectual Property Organization, a United Nations entity that governs international IP globally)

The Wassenaar Arrangement

Dual Use Goods

Examples of due diligence (personnel security/EMPLOYEE CONTROLS)

From a senior management perspective, overseeing need to know, least privilege, job rotation, and separation of duties

Privacy Requirements

GDPR replaces Directive 95/46 EC, HIPAA, Personally Identifiable Information (PII)

Examples of governance organizations

GRC standards, US, EU Safe Harbor Framework

GDPR

General Data Protection Regulation (EU) 2016/679 of April 27, 2016 (GDPR) is a regulation that ALL member states must adhere to. The GDPR is EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. 173 recitals and 99 articles (the 99th is the go-live date, May 25, 2018; 98 articles we pay attention to)

Security Policy

Give us direction, guidance and guidelines around what we are supposed to do; strategic in nature; high level

Collection Limitation and Purpose Specification

Go hand in hand because data needs to be collected for the specified purpose, and you must be told that purpose so you have knowledge of it

Right to rectification

Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible. You must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.

BS 7799 Part 2 ISO 27001

Information Security Management System (ISMS)

ISACA stands for

Information Systems Audit and Control Association

ISSAP

Information Systems Security Architecture Professional

ISSEP

Information Systems Security Engineering Professional

enterprise security architecture (ESA)

Information security mgmt system (ISMS)

ISO27005

Infosec risk management; sec guides

Private Sector is more concerned with

Integrity and availability

IAPP

International Association of Privacy Professionals, internationally recognized for privacy and trans-border data flow

ISO

International Organization for Standardization

Examples of Import/export controls

International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR) and the Wassenaar Arrangement - all three of these agreements classify technology as dual use goods because we can use computers and encryption algorithms not only to create secure environments but also to hide nefarious activities

International Traffic in Arms Regulations (ITAR)

International Traffic in Arms Regulations - a group of agreements countries can sign on to that govern the use of dual use goods

NIST SP800-12R1

Introduction to information security; good for general knowledge, framework, reference; the lower the number the older the document

ISACA

Issues standards, guidance, and procedures for conducting information system audits; behind various IT frameworks, the most famous being COBIT

Least Privilege (risk mitigation technique (personnel security/EMPLOYEE CONTROL))

Level of access required to execute full control; providing only the minimum amount of privileges necessary to accomplish a function (i.e., access control)

Strategic management

Long-Term Goals - (Things we will do in the future) involves creating security policies, dealing with people issues, and evaluating threats and risks

A disaster is when we hit the

MTD barrier

"Privacy Shield" Framework

Managed by the FTC; sets forth data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. This replaces the previous "Safe Harbor" framework.

directive

One size fits one concept; Something that guides or directs and can be interpreted differently; no standardization; no one way of doing things; especially, a general instruction from a high-level body or official.

Controller

One who oversees, regulates, gives guidance and directs, from a management perspective, the why and the how of processing personal data; they are the ones who exercise due diligence

Communicate Risks/Results - Step 3

Regardless of the type of assessment completed (quantitative or qualitative), the results can be quantitative or qualitative; communicate them broadly and widely in the organization, and to senior decision makers to help them understand what is involved in dealing with the risk

Privacy Act of 1974

Restricts the way in which personal data can be used by federal agencies. Individuals must be permitted access to information stored about them and may correct any information that is incorrect. Agencies must ensure both the security and confidentiality of any sensitive information.

NIST SP800-37R2

Risk mgmt framework for information systems and organizations; a life cycle approach for security and privacy

Deming cycle

See Plan-Do-Check-Act Cycle (PDCA); clockwise; Do is execute, Check is validate, Act is continue or remediate; continuous improvement; iterations (i.e., patch management, vulnerability assessment, risk management)

Employee controls

Separation of duties, Job Rotation and Least Privilege; mandatory vacation, split knowledge, dual control, collusion

SLA

Service Level Agreement - Transfer; contractual vehicles that bind both customers and providers to a set of documented statements, assumptions, and operational requirements that we both have to agree to in order to create the trust that allows us to coexist and manage within that system. But ultimately this all boils back down to due diligence and due care: the provider exercises due diligence in their systems to oversee, to provide the governance, and to provide the oversight in the system so that things work the right way. We as customers have to exercise due care; we have to consume according to those rules and operate according to those rules. And we have to ensure our vendors follow that same thought process when we're managing outsourced relationships.

SLR

Service Level Requirements - enumeration of the requirements that help shape and structure the SLA; the details that both the provider and the customer stipulate to that go into making up the service level agreement.

Security Role

The part an individual plays in the overall scheme of security implementation and administration within an organization.

Vulnerability Management

The practice of finding and mitigating software vulnerabilities in computers and networks.

Risk ********MUST KNOW************

The probability or likelihood that a given threat will take advantage of a vulnerability, and the impact if that occurs; it is the sum total, the effect of threat sources, events, predisposing conditions and vulnerabilities, likelihood of occurrence and magnitude of impact; risk = threat * vulnerability

Asset Valuation

The process of assigning financial value or worth to each information asset; need to know tangible and intangible worth (an asset is something that adds value to the organization); depreciate the asset over a three- or five-year life cycle; GAP

Risk Framing

The process of identifying risks, needs, answering 5 W's and H

ALE (Annual Loss Expectancy)

The total cost of a risk to an organization on an annual basis. (i.e., $3,000)

SLE (Single Loss Expectancy)

The value of the potential impact of an event when it occurs ONE time (i.e., a $ value $1,000)

Trike

Threat models are used to satisfy security auditing and to help value, profile and understand acceptable risk levels; a threat modeling process where threat models are based on a "requirements model." The requirements model establishes the stakeholder-defined "acceptable" level of risk assigned to each asset class. Analysis of the requirements model yields a threat model from which threats are enumerated and assigned risk values. The completed threat model is used to construct a risk model based on assets, roles, actions, and calculated risk exposure.

Total Risk Formula (Quantitative Risk Assessment)

Threats * Vulnerabilities * Asset Value

RPO (Recovery Point Objective)

Amount of data (measured in time) we are willing to lose or walk away from when a system is recovered, i.e., if backups occur every 15 mins., the RPO is 15 mins., so if email fails, the most we will lose is 15 mins. of data.

Information Provided at Data Collection

The identity and the contact details of the controller and DPO • the purposes of the processing for which the personal data are intended • the legal basis of the processing • where applicable, the legitimate interests pursued by the controller or by a third party • where applicable, the recipients or categories of recipients of the personal data • where applicable, that the controller intends to transfer personal data internationally • the period for which the personal data will be stored, or if this is not possible, the criteria used to determine this period • the existence of the right to access, rectify or erase the personal data • the right to data portability • the right to withdraw consent at any time • the right to lodge a complaint with a supervisory authority

Evaluation Assurance Level (EAL)

the level of certification sought in the Common Criteria

Risk (Organizational risk)

the likelihood that a threat source will, through threat events, exploit a vulnerability or weakness and the resulting impact will occur

BIA Goals

The main goal is to look at all the services offered (i.e., phones, email, remote access, DM, W:\ drive, accounting, printing, directory services, internet) 1) Determine criticality (ranking priorities on a scale of 1 to 10); 2) Estimate max downtime BEFORE we have a crisis: maximum allowable downtime (MAD) and maximum tolerable downtime (MTD); 3) Evaluate internal and external resource requirements (where we ask who needs what service, i.e., color printing, wifi) - internal (system dependencies) - external (ISP connection, cross-over cable to network, i.e., supply chain, vendors) - if we don't know these things we cannot assess and validate in order to prioritize and recover

Key space

the number of possible random permutations of the key that could be used to decrypt the data (i.e., a password) and it has to be large

Moore's Law (Gordon Moore Intel)

the observation that computing power roughly doubles every two years while the price will get cheaper

Legitimate Interests & Direct Marketing

the processing of data for "direct marketing purposes" can be considered as a legitimate interest.

Data subject rights - data subject access request DSAR's (GDPR)

the right to a timely processing of a request to remove their information, the right for their information to be forgotten from a system or to have the personal information corrected; Controllers must inform subjects of the period of time (or reasons why) data will be retained on collection

Confidentiality, integrity, and availability***IMPT TO KNOW***

the security triad, CIA

Governance ***IMPT TO KNOW***

The system an organization uses to direct and control IT security (adapted from ISO 38500) to deliver IT decisions that bring value and business impact for stakeholders

Confidentiality helps prevent

The unauthorized disclosure of data; keep good data away from bad people; for confidentiality to be maintained, data must be protected in ALL forms: at rest (in storage), in use, and on the wire (transmitted). Confidentiality and integrity depend on each other; one is not effective without the other.

Profiling (GDPR)

the use of computers to combine data from multiple sources, automated collection and processing of personal data, so that we can learn more about individuals (big data, data visualization, AI, machine learning, Alexa, etc.)

data subject equals

the user

Import

to bring a product into a country which may be governed by a series of laws

Purpose of threat modeling

to provide defenders with a systematic analysis of the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker.
