ISA 08


18. What are the common names for NIST SP 800-53 and NIST SP 800-53A? What is the purpose of each document? What resources do they provide?

Answer: "NIST SP 800-53A, Rev. 4: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans" is the functional successor to "SP 800-26: Security Self-Assessment Guide for Information Technology Systems." A companion guide to "SP 800-53, Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations," it provides a system development life cycle (SDLC) approach to security assessment of information systems.

10. What is a data classification model? How is data classification different from a clearance level?

Answer: A data classification model provides guidance as to the sensitivity level for information assets. A clearance level is applied to human resources, indicating the sensitivity levels of data to which they have access.

1. What is an InfoSec framework?

Answer: A framework is the outline of the plans for intended security control.

9. What is a mandatory access control?

Answer: A mandatory access control (MAC) is an implementation in which software elements are structured and coordinated within a data classification scheme that rates each collection of information as well as each user and forces compliance with policy through the use of a reference monitor.

6. What are the essential processes of access control?

Answer: Access control includes four processes:
• Identification—Obtaining the identity of the entity requesting access to a logical or physical area
• Authentication—Confirming the identity of the entity seeking access to a logical or physical area
• Authorization—Determining which actions an authenticated entity can perform in a physical or logical area
• Accountability—Documenting the activities of the authorized individual and systems

7. What are the key principles on which access control is founded?

Answer: Access control is built on several key principles, including least privilege, need to know, and separation of duties.

5. What is access control?

Answer: Access control regulates the admission of users into trusted areas of the organization—both logical access to the information systems and physical access to the organization's facilities. Access control is maintained through a collection of policies, programs to carry out those policies, and technologies that enforce the policies.

14. What is COBIT? Who is its sponsor? What does it accomplish?

Answer: Control Objectives for Information and Related Technology (COBIT) is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues, and business risks. COBIT was created in 1992 by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). COBIT enables clear policy development and good practice for IT control throughout organizations.

4. How might an InfoSec professional use a security model?

Answer: InfoSec professionals can use security models as an outline for a comprehensive design of an organization's entire planned security program or as the starting point for a more fully customized version of such a plan.

13. What are the documents in the ISO/IEC 27000 series?

Answer: Table 8-3 in the text shows the existing or planned documents for the 27000 series.

20. What is COSO, and why is it important?

Answer: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a U.S. private-sector initiative formed in 1985. Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence. COSO established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems. The committee's report has entered practical usage as a standard of performance that helps organizations comply with critical regulations like the Sarbanes-Oxley Act of 2002.

11. Which international InfoSec standards have evolved from the BS7799 model? What do they include?

Answer: The ISO/IEC 27000 series has evolved from the BS7799 model. Its security model has 10 sections that give recommendations for InfoSec managers who are responsible for initiating, implementing, or maintaining security in their organization.

2. What is an InfoSec blueprint?

Answer: The InfoSec blueprint is the detailed plan for the complete design, selection, and implementation of all subsequent security controls, including InfoSec policies, security education and training programs, and technological controls. It includes sequenced steps and planned timeframes for each component.

12. What is an alternative model to the BS7799 model (and its successors)? What does it include?

Answer: The NIST collection of InfoSec management practices offers an alternative to BS7799 and its successors. The NIST approach includes a broad array of documentation that covers the broad topical area of InfoSec management.

16. What is the common name for NIST SP 800-12? What is the document's purpose? What resources does it provide?

Answer: The common name for NIST SP 800-12 is "The Computer Security Handbook." It provides an excellent background and terminology for InfoSec.

17. What is the common name for NIST SP 800-14? What is the document's purpose? What resources does it provide?

Answer: The common name for NIST SP 800-14 is "Generally Accepted Principles and Practices for Securing Information Technology Systems." The document describes the best practices in InfoSec and can be used to direct the security team in the development of a security blueprint.

19. What is the common name of NIST SP 800-30? What is the document's purpose? What resources does it provide?

Answer: The common name of NIST SP 800-30, Rev. 1, is "Guide for Conducting Risk Assessments." It is a foundation for the development of an effective risk management program, and it contains both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations better manage IT-related mission risks.

15. What are the two primary advantages of NIST security models?

Answer: They are publicly available at no charge, and they have been available for some time; thus, they are very thorough and have undergone a great deal of refinement over time.

3. How might an organization create a security blueprint?

Answer: To generate a usable security blueprint, most organizations draw on established security frameworks, models, and practices. Some of these models are proprietary and are only available for a significant fee; others are relatively inexpensive. The chosen model must be flexible, scalable, robust, and sufficiently detailed.

8. Identify at least two approaches used to categorize access control methodologies. List the types of controls found in each.

Answer: One approach depicts controls by their inherent characteristics and classifies each control as one of the following:
• Preventative—Helps an organization avoid an incident
• Deterrent—Discourages or deters an incipient incident
• Detective—Detects or identifies an incident or threat when an incident occurs
• Corrective—Remedies a circumstance or mitigates damage done during an incident
• Recovery—Restores operating conditions back to normal
• Compensating—Resolves shortcomings

A second approach, described in the NIST Special Publication series, categorizes controls based on their operational impact on the organization:
• Management—Controls that cover security processes designed by strategic planners, integrated into the organization's management practices, and routinely used by security administrators to design, implement, and monitor other control systems
• Operational (or administrative)—Controls that deal with the operational functions of security that have been integrated into the repeatable processes of the organization
• Technical—Controls that support the tactical portion of a security program and that have been implemented as reactive mechanisms to deal with the immediate needs of the organization as it responds to the realities of the technical environment
