5.0 Governance, Risk, and Compliance (Focus Areas)
Classifications of Data (5 Main types)
Five main classifications: Public, Private, Sensitive, Confidential, Critical.
• Proprietary - Data that is the property of an organization - May also include trade secrets - Often data unique to an organization
• PII - Personally Identifiable Information - Data that can be used to identify an individual - Name, date of birth, mother's maiden name, biometric information
• PHI - Protected Health Information - Health information associated with an individual - Health status, health care records, payments for health care, and much more
• Public / Unclassified - No restrictions on viewing the data
• Private / Classified / Restricted / Internal use only - Restricted access, may require a non-disclosure agreement (NDA)
• Sensitive - Intellectual property, PII, PHI
• Confidential - Very sensitive, must be approved to view
• Critical - Data should always be available
• Financial information - Internal company financial information - Customer financial details
• Government data - Open data - Transfer between government entities - May be protected by law
• Customer data - Data associated with customers - May include user-specific details - Legal handling requirements
Consequences of data breaches
- Reputation damage - Identity theft - Fines - IP theft
ALE
Annualized loss expectancy. Used to measure risk with annualized rate of occurrence (ARO) and single loss expectancy (SLE). The ALE identifies the total amount of loss expected for a given risk. The calculation is SLE × ARO = ALE.
ARO
Annualized rate of occurrence. Used to measure risk with annualized loss expectancy (ALE) and single loss expectancy (SLE). The ARO identifies how many times a loss is expected to occur in a year. The calculation is SLE × ARO = ALE.
Data Privacy Officer (DPO)
C-
CIS Framework
Center for Internet Security • Critical Security Controls for Effective Cyber Defense (CIS CSC, now published simply as the CIS Controls) • Improve cyber defenses - Twenty key actions (the critical security controls) in version 7; version 8 consolidates them into 18 controls - Categorized for different organization sizes and capabilities through Implementation Groups (IG1 to IG3) • Designed for implementation - Written for IT professionals - Includes practical and actionable tasks
CSA (Includes CCM and Reference Architecture)
Cloud Security Alliance • Not-for-profit organization focused on security in cloud computing • Cloud Controls Matrix (CCM) - Cloud-specific security controls - Controls are mapped to standards, best practices, and regulations • Enterprise (Reference) Architecture - Methodology and tools - Assess internal IT groups and cloud providers - Determine security capabilities - Build a roadmap
Multi-Party (Risk Assessment)
Risk assessment is straightforward when there is one organization and one attacker. When multiple organizations work together (partners, suppliers, cloud providers), each entity and its level of security must be taken into account, because a weakness at any one of them exposes all of them; this makes the whole harder to secure.
Data Processor
Entity that processes personal data on behalf of, and on the instructions of, the data controller. Its role is the manipulation of the data as part of the business processes. - Developing and implementing IT processes and systems that manage personal data - Implementing security measures that safeguard personal data - Using tools and strategies to properly handle personal data
GDPR
General Data Protection Regulation • European Union regulation - Data protection and privacy for individuals in the EU - Name, address, photo, email address, bank details, posts on social networking websites, medical information, a computer's IP address, etc. • Controls export of personal data - Transfers outside the EU are restricted - Individuals can decide how their data is used and shared • Gives individuals control of their personal data - A right to be forgotten • Site privacy policy - Details all of the privacy rights for a user
Business Impact Analysis
Identifies all critical business functions and the effect that a specific disaster may have upon each of them; the recovery objectives for those functions (RTO and RPO) come out of the BIA.
ISO/IEC 27001 27002 27701 31000
International Organization for Standardization/International Electrotechnical Commission • ISO/IEC 27001 - Standard for an Information Security Management System (ISMS) • ISO/IEC 27002 - Code of practice for information security controls • ISO/IEC 27701 - Privacy Information Management Systems (PIMS) • ISO 31000 - International standards for risk management practices
MTTR and Availability
Mean Time to Repair. Describes how long it will take to recover a failed system. MTTR = (total downtime) / (number of breakdowns). Availability = MTBF / (MTBF + MTTR).
MTBF
Mean time between failures. A metric that provides a measure of a system's reliability and is usually represented in hours. The MTBF identifies the average time between failures: MTBF = (total operating time) / (number of failures).
NIST CSF (Know framework core)
National Institute of Standards and Technology Cybersecurity Framework. Designed to help organizations plan and improve their cybersecurity posture, including those in the early stages. • National Institute of Standards and Technology - Cybersecurity Framework (CSF) - A voluntary framework, originally written for critical infrastructure and widely adopted by commercial organizations • Framework Core - Identify, Protect, Detect, Respond, and Recover (CSF 2.0, released in 2024, adds a sixth function: Govern) • Framework Implementation Tiers - An organization's view of cybersecurity risk and the processes in place to manage it • Framework Profile - The alignment of standards, guidelines, and practices to the Framework Core for a particular organization
NIST RMF (Six step process)
National Institute of Standards and Technology Risk Management Framework. Provides recommended strategies to the U.S. Government and others on how to handle a wide range of issues, including risk from cybersecurity threats. • National Institute of Standards and Technology - Risk Management Framework (RMF) - Mandatory for US federal agencies and organizations that handle federal data • Six step process (as commonly taught; the current revision, SP 800-37 Rev. 2, adds a preliminary Prepare step, making seven) - Step 1: Categorize - Define the environment and the impact level of the system - Step 2: Select - Pick appropriate controls (baseline from SP 800-53) - Step 3: Implement - Define proper implementation - Step 4: Assess - Determine if controls are working as intended - Step 5: Authorize - A senior official makes a risk-based decision to authorize the system to operate - Step 6: Monitor - Check for ongoing compliance
PCI DSS (and six objectives)
Payment Card Industry Data Security Standard (PCI DSS) • A standard for protecting cardholder data, required by the card brands of anyone who stores, processes or transmits it • Six control objectives - Build and maintain a secure network and systems - Protect cardholder data - Maintain a vulnerability management program - Implement strong access control measures - Regularly monitor and test networks - Maintain an information security policy
Privacy Enhancing Technologies (5)
Technologies and techniques for handling personal data so that it can be stored, transmitted and used with less privacy risk.
• Data minimization - Only collect and keep what you need, for as long as you need it
• Data masking - Substitute part of the value (e.g. XXXX-XXXX-XXXX-1234 for a card number). Hides the sensitive portion but leaves the record usable for display and support work; the masked copy cannot be turned back into the original
• Tokenization - Replace the data element with a random token that has no mathematical relationship to the original value. NOT hashing: a hash is computed from the value and can be brute-forced when the input space is small, whereas a token can only be resolved through the token vault that holds the mapping. Common in payment processing: the merchant stores only the token returned by the payment processor and references the transaction by it, so card numbers and CVCs never sit in the merchant's systems
• Anonymization - Remove or irreversibly transform the identifying data so there is no way to link it back to the individual. Hashing or masking alone is not anonymization if the original can still be recovered or matched
• Pseudonymization - A de-identification method that replaces private identifiers with artificial identifiers or pseudonyms. Preserves the statistical accuracy and integrity of the data so it can be used for training, development, testing and analytics. Re-identification remains possible for whoever holds the mapping or key, so under GDPR pseudonymized data is still personal data
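As an added example (not part of the original notes), the four techniques above applied to one constructed card number. It shows what the "NOT hashing" warning means in practice: a keyless hash of a low-entropy value such as a card number is recoverable by brute force, a random token from a vault is not, and a keyed pseudonym sits in between. The 8-digit BIN assumption, the sample PAN and the helper names (mask_pan, TokenVault, pan_hash, brute_force_hash, pseudonymize) are this example's own.

```python
"""Added example (not from the original notes): data masking, tokenization,
plain hashing and pseudonymization applied to one constructed card number,
to show why a hash is neither a token nor anonymization.
Names (mask_pan, TokenVault, pan_hash, brute_force_hash, pseudonymize) are
this example's own."""
import hashlib
import hmac
import itertools
import secrets
from typing import Dict, Optional

# Constructed sample PAN (the well-known Visa test number), not a real card.
SAMPLE_PAN = "4111111111111111"


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Data masking: keep only the last digits for display. The record stays
    usable (receipts, support), but the masked copy is not reversible."""
    return "X" * (len(pan) - keep_last) + pan[-keep_last:]


class TokenVault:
    """Tokenization: the PAN is swapped for a random token with no mathematical
    link to the PAN. Only the vault (e.g. the payment processor) can map back;
    a merchant holding just the token has nothing to brute-force."""

    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = secrets.token_hex(16)          # 128 random bits
        self._vault[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]              # vault owner only


def pan_hash(pan: str) -> str:
    """A plain SHA-256 of the PAN: deterministic and keyless."""
    return hashlib.sha256(pan.encode()).hexdigest()


def brute_force_hash(digest: str, bin8: str, last4: str) -> Optional[str]:
    """Why hashing is not tokenization/anonymization: card numbers have tiny
    entropy. With the 8-digit BIN known (issuer ranges are public) and the
    last four visible on a masked receipt, only four digits are unknown, so
    10,000 hashes recover the full PAN from its 'anonymized' digest."""
    for middle in itertools.product("0123456789", repeat=4):
        candidate = bin8 + "".join(middle) + last4
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def pseudonymize(pan: str, key: bytes) -> str:
    """Pseudonymization: a keyed HMAC gives the same pseudonym for the same
    PAN, so analytics can still join records, and without the key the brute
    force above cannot even be attempted. The key holder can re-identify,
    which is why GDPR still treats pseudonymized data as personal data."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize(SAMPLE_PAN)
    print("masked      :", mask_pan(SAMPLE_PAN))
    print("token       :", token, "->", vault.detokenize(token))
    print("hash broken :", brute_force_hash(pan_hash(SAMPLE_PAN), "41111111", "1111"))
    print("pseudonym   :", pseudonymize(SAMPLE_PAN, b"key-held-by-analytics-team")[:16], "...")
```

Run it and the brute force returns the full PAN from the bare hash in well under a second, while the token is just 32 random hex characters with no route back except the vault.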
Risk Assessment Types
Qualitative risk assessment • Identify significant risk factors - Ask subject-matter experts for their opinion of likelihood and impact - Display visually with a traffic-light grid or similar heat map Quantitative risk assessment • Assign numeric values - Likelihood: Annualized Rate of Occurrence (ARO) - How likely is it that a hurricane will hit? In Montana? In Florida? - Impact: Single Loss Expectancy (SLE = AV × EF) - Combine them as ALE = SLE × ARO
RPO
Recovery Point Objective. Identifies the point in time up to which data loss is acceptable, i.e. how much data (measured in time) the business can afford to lose. It is related to the RTO, and the BIA often includes both RTOs and RPOs. RPO drives backup frequency.
RTO
Recovery Time Objective. An RTO identifies the maximum amount of time it can take to restore a system after an outage. It is related to the RPO and the BIA often includes both RTOs and RPOs. Serves the purpose of defining the requirements for business continuity.
Data Custodian/Steward
Responsible for the day to day caretaking of the data. The data owner sets relevant policies, and the steward or custodian ensures they are followed. - Responsible for data accuracy, privacy, and security - Associates sensitivity labels to the data - Ensures compliance with any applicable laws and standards - Manages the access rights to the data - Implements security controls
Software Compliance/Licensing
Risk associated with using software outside the terms of its license, or with a company not knowing what software or components are installed within its network (and therefore what needs licensing and patching)
IP Theft
Risk associated with business assets and property being stolen from an organization in which economic damage, the loss of a competitive edge, or a slowdown in business growth occurs
Risk Control Assessment
Risk has been determined - Heat maps have been created • Time to build cybersecurity requirements - Based on the identified risks • Find the gap - Often requires a formal audit - Self-assessments may be an option • Build and maintain security systems based on the requirements - The organizational risk determines the proper controls • Determine if existing controls are compliant or noncompliant - Make plans to bring everything into compliance
Web Server Hardening
Secure configuration guide • Access a server with your browser - The fundamental server on the Internet - Microsoft Internet Information Services (IIS), Apache HTTP Server, et al. • Huge potential for access issues - Data leaks, server access • Secure configuration - Information leakage: Banner information, directory browsing - Permissions: Run from a non-privileged account, configure file permissions - Configure TLS: Manage and install certificates, disable obsolete protocol versions - Log files: Monitor access and error logs
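The hardening points above, turned into a check you can run against a configuration file. This is an added example, not part of the original notes or of any vendor guide: the two configuration texts are constructed samples (the "out of the box" one beside the hardened one), the directives are real Apache httpd 2.4 directives, and the audit() helper and its rules are this example's own.

```python
"""Added example (not from the original notes): a small checker that flags the
weak Apache httpd settings named in the hardening card above (banner leakage,
directory browsing, privileged account, TLS protocol versions, logging).
The two config texts are constructed samples; the directives are real Apache
2.4 directives, but the audit() helper and its rules are this example's own."""
import re
from typing import Dict, List, Tuple

# Constructed "works out of the box" configuration with the usual problems.
WEAK_CONF = """
ServerTokens Full
ServerSignature On
TraceEnable On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
SSLProtocol all -SSLv3
ErrorLog /var/log/apache2/error.log
"""

# The same server after applying the hardening points from the card.
HARDENED_CONF = """
ServerTokens Prod
ServerSignature Off
TraceEnable Off
User www-data
Group www-data
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
</Directory>
SSLProtocol -all +TLSv1.2 +TLSv1.3
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
"""

# Directive -> (regex a safe value must match, recommended setting).
CHECKS: Dict[str, Tuple[str, str]] = {
    "ServerTokens": (r"^Prod(uctOnly)?$", "ServerTokens Prod"),
    "ServerSignature": (r"^Off$", "ServerSignature Off"),
    "TraceEnable": (r"^Off$", "TraceEnable Off"),
    "SSLProtocol": (r"^-all\s+\+TLSv1\.2(\s+\+TLSv1\.3)?$",
                    "SSLProtocol -all +TLSv1.2 +TLSv1.3"),
}

# Value Apache uses when the directive is absent, so 'not set' is also graded.
DEFAULTS = {
    "ServerTokens": "Full",   # full version banner
    "TraceEnable": "On",      # TRACE method answered
    "ServerSignature": "Off",
    "SSLProtocol": "all",     # TLS 1.0/1.1 still negotiable
}


def parse(conf: str) -> Tuple[Dict[str, str], List[str]]:
    """Flatten directives to name -> value; collect every Options line
    separately because it may legitimately appear in several containers."""
    directives: Dict[str, str] = {}
    options: List[str] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue                      # blank, comment, or container tag
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        name, value = parts
        if name == "Options":
            options.append(value)
        else:
            directives[name] = value
    return directives, options


def audit(conf: str) -> List[str]:
    """Return one finding per hardening rule that the configuration violates."""
    findings: List[str] = []
    directives, options = parse(conf)
    for name, (safe, fix) in CHECKS.items():
        value = directives.get(name, DEFAULTS[name])
        if not re.match(safe, value.strip()):
            findings.append(f"{name} is '{value}'; set '{fix}'")
    for value in options:
        # '+Indexes' or bare 'Indexes' enables listing; '-Indexes' disables it.
        if re.search(r"(^|\s)\+?Indexes\b", value):
            findings.append(f"Options '{value}' enables directory browsing; use 'Options -Indexes'")
    if directives.get("User", "").lower() == "root":
        findings.append("User root: run worker processes as an unprivileged account")
    if "ErrorLog" not in directives:
        findings.append("ErrorLog not set: errors are not being recorded for monitoring")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}] {len(audit(conf))} finding(s)")
        for finding in audit(conf):
            print("  -", finding)
```

The checker grades absent directives against Apache's defaults on purpose: a config that never mentions ServerTokens or TraceEnable is leaking the version banner and answering TRACE just as surely as one that sets them wrongly, which is exactly the "no system is secure with the defaults" point of the hardening guides.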
Platform/Vendor Specific Guides
Secure configuration guides. Hardening guides that are specific to the software or platform. No system is secure with the default configurations, so you need guidelines to keep everything safe. Get feedback from the manufacturer or Internet interest groups.
SLE
Single Loss Expectancy value of a loss expected from a single event. SLE = Asset Value (AV) x Exposure Factor (EF)
Risk Appetite
The amount of risk a company is willing to accept to achieve its goals and objectives. To avoid undue risk, risk appetite must be in alignment with company strategy.
Risk Analysis
The process by which an organization assesses the value of each asset being protected, estimates the probability that each asset might be compromised, and compares the probable costs of each being compromised with the costs of protecting it.
Control Risk
In audit terminology, the risk that a material error will not be prevented or detected by the organization's internal controls; in this context, the risk that specifically affects financial reporting.
Data Controller
person responsible for managing how and why data is going to be used by the organization. - What data is collected - Where and how it is used - With whom and how is data shared - How long the data is kept and how it is disposed at end of life (EOL)
Risk Management Strategies (4)
• Acceptance - A business decision; we'll take the risk! • Avoidance - Stop participating in a high-risk activity • Transference - Buy cybersecurity insurance - Transfers the financial impact of the risk to a third party that manages specific types of risk for multiple parties, thus reducing individual cost (accountability for the risk stays with the organization) • Mitigation - Decrease the risk level - Invest in security controls and systems
Data Owner
• Data owner - Accountable for specific data, often a senior officer - VP of Sales owns the customer relationship data - Treasurer owns the financial information
External Threats (Risk Assessment)
• External threats - Outside the organization - Hacker groups, former employees - The extra step and the reliance on external connections typically make external attackers easier to detect than insiders, since they must cross the network perimeter to reach anything
Risk Assessment and Types
• Identify assets that could be affected by an attack - Define the risk associated with each asset - Hardware, customer data, intellectual property • Identify threats - Loss of data, disruption of services, etc. • Determine the risk - High, medium, or low risk • Assess the total risk to the organization - Make future security plans Types External Internal Legacy
Inherent Risk
• Inherent risk - Impact + Likelihood - Risk that exists in the absence of controls - Some models include the existing set of controls in the baseline. Your car has a lot of controls to enable self-driving, yet there is still risk involved.
Internal (Risk Assessment)
• Internal threats - Employees and partners - Disgruntled employees - Not always malicious, but could be just as damaging. Sometimes good employees make mistakes that have catastrophic consequences on the same level as an attack.
Legacy Systems (Risk Assessment)
• Legacy systems - Outdated, older technologies - May not be supported by the manufacturer - May not have security updates - Depending on the age, may not be easily accessible
Operating System Secure Configuration Guide.
• Many and varied - Windows, Linux, iOS, Android, et al. • Updates - Operating system updates/service packs, security patches • User accounts - Minimum password lengths and complexity - Account limitations • Network access and security - Limit network access • Monitor and secure - Anti-virus, anti-malware
Benchmarks and Secure Configuration Guides
• No system is secure with the default configurations - You need some guidelines to keep everything safe • Hardening guides are specific to the software or platform - Get feedback from the manufacturer or Internet interest group - They'll have the best details Three main sources - Vendors or manufacturers of the software - Government (a bit more scattered, e.g. NIST's National Checklist Program hosted on the NVD) - Independent organizations such as CIS (Center for Internet Security) or CSA (Cloud Security Alliance)
Application Server Secure Configuration Guide
• Programming languages, runtime libraries, etc. - Usually between the web server and the database - Middleware • Very specific functionality - Disable all unnecessary services • Operating system updates - Security patches • File permissions and access controls - Limit rights to what's required - Limit access from other devices
Functional Recovery Plan
• Recover from an outage - Step-by-step guide • Contact information - Someone is on-call - Keep everyone up to date • Technical process - Reference the knowledge base - Follow the internal processes • Recover and test - Confirm normal operation
Residual Risk
• Residual risk - Inherent risk reduced by control effectiveness - Risk that exists after controls are considered - Some models base it on including additional controls - You cannot eliminate residual risk, but you can manage risk to drive residual risk to an acceptable level (within the risk appetite). Amount of risk that remains after controls are accounted for.
Risk Matrix/Heat Map
• Risk matrix / risk heat map - View the results of the risk assessment - Visually identify risk based on color - Combines the likelihood of an event with the potential impact - Assists with making strategic decisions
Risk Register
• Risk register - Every project has a plan, but also has risk - Identify and document the risk associated with each step - Apply possible solutions to the identified risks - Monitor the results A list of the risks associated with a system.
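As an added example (not part of the original notes), a minimal risk register that ties together the SLE, ALE, risk analysis, residual risk, heat map and risk register cards above: each entry carries a qualitative likelihood and impact for the heat map and the quantitative AV, EF and ARO figures, the register is ranked by ALE, and a proposed control is judged by comparing the ALE it removes against its annual cost. The register entries, the heat-map thresholds and the helper names (Risk, heat, ranked, residual_ale, control_net_benefit) are constructed for this example.

```python
"""Added example (not from the original notes): a minimal risk register that
carries both the qualitative heat-map rating (likelihood x impact) and the
quantitative figures from the cards above (SLE = AV x EF, ALE = SLE x ARO),
ranks entries by ALE and evaluates a proposed control by its net annual
benefit. The register entries are constructed sample data; the Risk class
and helper names are this example's own."""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost in one event (0..1)
    aro: float              # ARO, expected events per year
    likelihood: int         # qualitative 1 (rare) .. 5 (almost certain)
    impact: int             # qualitative 1 (negligible) .. 5 (severe)

    @property
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor   # SLE = AV x EF

    @property
    def ale(self) -> float:
        return self.sle * self.aro                        # ALE = SLE x ARO


def heat(risk: Risk) -> str:
    """Qualitative heat-map cell: colour from likelihood x impact on a 5x5 grid.
    Thresholds are this example's choice; organizations set their own."""
    score = risk.likelihood * risk.impact
    if score >= 15:
        return "red"
    if score >= 8:
        return "amber"
    return "green"


def ranked(register: List[Risk]) -> List[Risk]:
    """Order the register by annualized loss so spend goes to the biggest ALE first."""
    return sorted(register, key=lambda r: r.ale, reverse=True)


def residual_ale(risk: Risk, new_ef: Optional[float] = None,
                 new_aro: Optional[float] = None) -> float:
    """ALE that remains after a control lowers the exposure factor and/or the
    rate of occurrence: the quantitative view of residual risk."""
    after = replace(risk,
                    exposure_factor=risk.exposure_factor if new_ef is None else new_ef,
                    aro=risk.aro if new_aro is None else new_aro)
    return after.ale


def control_net_benefit(risk: Risk, annual_cost: float,
                        new_ef: Optional[float] = None,
                        new_aro: Optional[float] = None) -> float:
    """Risk analysis: (ALE before - ALE after) - annual cost of the control.
    Positive means mitigation pays for itself; negative means accept,
    transfer (insure) or avoid the activity instead."""
    return risk.ale - residual_ale(risk, new_ef, new_aro) - annual_cost


# Constructed sample register (illustrative numbers only).
REGISTER: List[Risk] = [
    Risk("Ransomware on file server", asset_value=500_000, exposure_factor=0.6,
         aro=0.5, likelihood=3, impact=5),
    Risk("Laptop theft (disk encrypted)", asset_value=3_000, exposure_factor=1.0,
         aro=4.0, likelihood=4, impact=1),
    Risk("Data-centre flood", asset_value=2_000_000, exposure_factor=0.8,
         aro=0.02, likelihood=1, impact=5),
]


if __name__ == "__main__":
    for r in ranked(REGISTER):
        print(f"{r.name:32} SLE={r.sle:>12,.0f} ALE={r.ale:>10,.0f} heat={heat(r)}")
    # Tested offline backups at 20,000/yr cut the ransomware EF from 0.6 to 0.1.
    print("net benefit of backups:",
          f"{control_net_benefit(REGISTER[0], 20_000, new_ef=0.1):,.0f}")
```

Two things the numbers make visible that the cards only state: the flood has the largest single loss (SLE) but ranks below ransomware once its ARO is applied, and a control whose annual cost exceeds the ALE it removes (the laptop example, where insuring or accepting is cheaper) shows up as a negative net benefit rather than as a good idea.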
Key (Security) Framework
• Secure your data. - Where do you start? What are the best practices? - If only there was a book. • Often a complex problem - Unique organizational requirements - Compliance and regulatory requirements - Many different processes and tools are available • Use a security framework - Documented processes - A guide for creating a security program - Define tasks and prioritize projects
Network Infrastructure Devices Secure Configuration Guide
• Switches, routers, firewalls, IPS, etc. - You never see them, but they're always there • Purpose-built devices - Embedded OS, limited OS access • Configure authentication - Don't use the defaults • Check with the manufacturer - Security updates - Not usually updated frequently - Updates are usually important
SSAE SOC 2 Type I/II
• The American Institute of Certified Public Accountants (AICPA) auditing standard Statement on Standards for Attestation Engagements number 18 (SSAE 18) • SOC 2 - Trust Services Criteria (security controls) - Firewalls, intrusion detection, and multi-factor authentication • Type I audit - Tests the design of the controls in place at a particular point in time • Type II - Tests that the controls operated effectively over a period of time, typically six to twelve consecutive months