Module 4
CBA formula*
CBA = pre-ALE - post-ALE - ACS, where pre-ALE is the annualized loss expectancy before the control is applied, post-ALE the annualized loss expectancy after it, and ACS the annualized cost of the safeguard. A positive result means the control is expected to save more than it costs; a negative result means it costs more than the risk it removes.
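Worked cost-benefit example for the formula above. This is an added example, not material from the module: the asset value, exposure factor, occurrence rate and control costs are constructed, and the standard decomposition ALE = SLE x ARO with SLE = asset value x exposure factor is used even though the flashcard does not spell it out.

```python
"""Cost-benefit analysis (CBA) of candidate security controls.

Added example with constructed figures.  ALE = SLE x ARO and
SLE = AV x EF are the standard quantitative risk formulas.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One risk scenario: an asset exposed to a threat at some yearly rate."""

    asset_value: float       # AV, in currency units
    exposure_factor: float   # EF, fraction of AV lost per occurrence (0..1)
    aro: float               # ARO, expected occurrences per year

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the residual scenario it leaves behind."""

    name: str
    annual_cost: float   # ACS: annualized cost of the safeguard
    residual: Scenario   # what the scenario looks like once the control is in place


def cba(pre: Scenario, control: Control) -> float:
    """CBA = pre-ALE - post-ALE - ACS; positive means the control pays for itself."""
    return pre.ale() - control.residual.ale() - control.annual_cost


def rank_controls(pre: Scenario, controls: list[Control]) -> list[tuple[str, float]]:
    """Return (name, CBA) pairs sorted best-first.  Negative CBAs are kept so
    the reader can see which controls cost more than the risk they remove."""
    scored = [(c.name, cba(pre, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: a customer database worth 500k; a breach destroys 40%
# of its value and is expected once every four years (ARO = 0.25).
PRE = Scenario(asset_value=500_000, exposure_factor=0.40, aro=0.25)

# Constructed candidate controls (names, costs and effects are assumptions).
CANDIDATES = [
    # Encryption at rest slashes the loss per breach but not the breach rate.
    Control("encrypt-at-rest", 15_000, Scenario(500_000, 0.05, 0.25)),
    # A WAF halves the breach rate but leaves the damage per breach unchanged.
    Control("web-app-firewall", 20_000, Scenario(500_000, 0.40, 0.125)),
    # An expensive DLP rollout that barely moves either factor: negative CBA.
    Control("enterprise-dlp", 60_000, Scenario(500_000, 0.35, 0.20)),
]

if __name__ == "__main__":
    print(f"pre-ALE = {PRE.ale():,.0f}")
    for name, value in rank_controls(PRE, CANDIDATES):
        print(f"{name:18s} CBA = {value:>10,.0f}")
```

With these inputs the pre-ALE is 50,000; encryption at rest yields a CBA of 28,750, the WAF 5,000, and the DLP rollout -45,000, so the last one fails the feasibility test even though it does reduce risk.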
NIST
National Institute of Standards and Technology, the US agency whose Special Publication 800 series is a widely used source of information security and risk management guidance.
Qualitative vs quantitative
A qualitative approach uses labels (such as high, medium and low) to rate value and likelihood rather than numbers. A quantitative approach uses actual values or estimates (asset value, loss per event, frequency of occurrence) for asset valuation and loss calculation.
Five stages of risk management
Risk assessment, risk treatment, risk acceptance, risk communication, and risk monitoring and review.
US Military classifications
Top Secret, Secret, Confidential
TCSEC
Trusted Computer System Evaluation Criteria, an older DoD system certification and accreditation standard that defines the criteria for assessing the access controls in a computer system. Published as part of the color-coded "Rainbow Series" of documents (TCSEC itself is the "Orange Book").
Delphi technique
A process in which a group rates or ranks a set of information. The responses are compiled and returned anonymously to the group for another iteration, repeating until the group converges on a consensus.
Biba
An integrity model, similar in structure to BLP, based on the premise that higher integrity levels are more worthy of trust than lower ones. Subjects and objects are assigned integrity levels; a subject may not read an object of lower integrity (no read down) and may not write to an object of higher integrity (no write up), so untrusted data cannot contaminate trusted data.
Benchmarking
An attempt to improve information security practices by comparing an organization's efforts against the practices of a similar organization or against industry-developed standards, in order to identify results it would like to duplicate.
Confidential
applied to information the unauthorized disclosure of which reasonably could be expected to cause "damage" to the national security that the original classification authority is able to identify or describe.
Secret
Applied to information the unauthorized disclosure of which reasonably could be expected to cause "serious damage" to the national security that the original classification authority is able to identify or describe.
Top Secret
Applied to information the unauthorized disclosure of which reasonably could be expected to cause "exceptionally grave damage" to the national security that the original classification authority is able to identify or describe.
Lattice-based access control
Assigns each user a matrix of authorizations for particular areas of access. The level of authorization may vary depending on the classification authorizations the individual possesses for each group of information assets or resources; the resulting (level, category) labels form a lattice ordered by dominance rather than a single chain of levels.
Transference
attempts to shift risk to another entity. May be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers.
Termination
A risk control strategy based on the organization's need or choice not to protect an asset. Rather than leave the information asset at risk, the organization removes it from the environment in which it is vulnerable. Chosen when the cost of protecting the asset outweighs its value.
Clark-Wilson
An integrity model built on principles of change control rather than integrity levels, designed for the commercial environment. Its three goals: no changes by unauthorized subjects; no unauthorized changes by authorized subjects; and maintenance of internal and external consistency (stored data agrees with itself and with the real world). Well-formed transactions and separation of duties are its main mechanisms.
BLP (Bell-LaPadula)
A confidentiality model, described as a "state machine reference model", that ensures the confidentiality of the modeled system through mandatory access controls (MAC), data classification and security clearances. Its two rules: no read up (simple security property) and no write down (*-property).
Non-discretionary access controls
Controls implemented by a central authority rather than by the data owner. The most common form is role-based access control (RBAC), in which rights are granted to roles rather than to individuals. These controls can in turn be based on lists maintained on subjects (capability tables) or on objects (access control lists).
Brewer-Nash
Designed to prevent a conflict of interest between two parties. Data sets are grouped into conflict-of-interest classes; once a user accesses one data set in a class, the conflicting data sets in that class become permanently inaccessible to that user. Also known as the "Chinese wall" model.
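The Brewer-Nash rule above, as an added example that is not code from the module. It groups company data sets into conflict-of-interest classes and walls off the rest of a class once a subject has read one member; the company and class names are constructed, and the write rule is the model's *-property simplified by ignoring sanitized (public) data.

```python
"""Brewer-Nash ("Chinese wall") access control.

Added example with constructed company and class names.
"""
from __future__ import annotations

from collections import defaultdict


class ChineseWall:
    """Remembers what each subject has already read and refuses any access that
    would put conflicting companies' data in front of the same person."""

    def __init__(self, coi_classes: dict[str, set[str]]) -> None:
        # company -> conflict-of-interest class it belongs to
        self._class_of: dict[str, str] = {
            company: cls for cls, members in coi_classes.items() for company in members
        }
        # subject -> {COI class: the one company in that class the subject has read}
        self._history: dict[str, dict[str, str]] = defaultdict(dict)

    def can_read(self, subject: str, company: str) -> bool:
        """Simple security rule: within a COI class a subject is bound to the first
        company it reads; every other company in that class is denied for good."""
        cls = self._class_of[company]
        chosen = self._history[subject].get(cls)
        return chosen is None or chosen == company

    def read(self, subject: str, company: str) -> None:
        """Grant the read and record it so the wall goes up behind the subject."""
        if not self.can_read(subject, company):
            cls = self._class_of[company]
            raise PermissionError(
                f"{subject} already holds {self._history[subject][cls]} data in "
                f"class {cls!r}; {company} is walled off"
            )
        self._history[subject][self._class_of[company]] = company

    def can_write(self, subject: str, company: str) -> bool:
        """*-property (simplified, sanitized data ignored): a subject may write to
        a company's data set only if it can read it and has read no other company's
        data, otherwise information could cross the wall through the written object."""
        if not self.can_read(subject, company):
            return False
        read_so_far = set(self._history[subject].values())
        return read_so_far <= {company}


# Constructed conflict-of-interest classes: two competing oil firms, two banks.
COI_CLASSES = {
    "oil": {"OilCo", "PetroCorp"},
    "banking": {"BankA", "BankB"},
}


def demo() -> dict[str, bool]:
    """Walk one analyst through the wall and return each decision."""
    wall = ChineseWall(COI_CLASSES)
    wall.read("analyst", "OilCo")
    results = {
        "can read PetroCorp": wall.can_read("analyst", "PetroCorp"),  # same class: denied
        "can read BankA": wall.can_read("analyst", "BankA"),          # other class: allowed
        "can write OilCo": wall.can_write("analyst", "OilCo"),        # only OilCo read: allowed
    }
    wall.read("analyst", "BankA")
    # Now the analyst holds BankA data too, so writing into OilCo could leak it.
    results["can write OilCo after BankA"] = wall.can_write("analyst", "OilCo")
    return results


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision:30s} {'ALLOW' if allowed else 'DENY'}")
```

Note that the wall is per subject and is never lowered: a subject who has touched OilCo can never read PetroCorp, even after the OilCo engagement ends, which is why real deployments pair this model with time-bounded or re-provisioned identities.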
Deterrent
discourages or deters an incipient incident
CBA (cost-benefit analysis)
An economic feasibility study in which the expenditures needed for a particular security control are presented and contrasted with the projected value of the asset it protects (or the loss it avoids).
ISO 27005
ISO/IEC 27005 provides a standard for the performance of information security risk management, organized into the five stages of risk management listed above.
ITIL (Information Technology Infrastructure Library)
A collection of methods and practices for managing the development and operation of IT infrastructures. "ITIL" and "IT Infrastructure Library" are registered trademarks of the UK's Office of Government Commerce (OGC).
FAIR (Factor Analysis of Information Risk)
A risk management framework developed by Jack A. Jones that helps organizations understand, analyze and measure information risk by decomposing it into loss event frequency and loss magnitude.
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
An InfoSec risk evaluation methodology from Carnegie Mellon's Software Engineering Institute that allows organizations to balance the protection of critical information assets against the cost of providing protective and detective controls.
Common Criteria
The Common Criteria for Information Technology Security Evaluation, an international standard (ISO/IEC 15408) for computer security certification. Successor to TCSEC and ITSEC, reconciling some of the differences between the earlier national standards.
Security models
A security model or framework is a specification to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including InfoSec policies and security education and training programs.
COSO (Committee of Sponsoring Organizations of the Treadway Commission)
Establishes a common definition of internal control, outlines its components, and provides standards and criteria against which companies and organizations can assess their control systems.
Separation of duties
The principle that significant tasks be split up in such a way that more than one individual is responsible for their completion, so that no single person can both commit and conceal an abuse.
COBIT (Control Objectives for Information and Related Technology)
Provides advice about the implementation of sound controls and control objectives for InfoSec. ISACA, its publisher, describes COBIT 5 as the only business framework for the governance and management of enterprise IT.
ISO 27001
Specifies the requirements for establishing, operating and improving an information security management system (ISMS), and provides information on how to implement the controls of ISO/IEC 27002; it is the standard against which an organization's ISMS can be certified.
Corrective
remedies a circumstance or mitigates damage done during an incident
Defense control strategy*
A risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards. Formerly called the avoidance strategy.
Acceptance control strategy*
A risk control strategy that indicates the organization is willing to accept the current level of risk. A conscious, documented decision is made to do nothing further to protect the information asset and to accept the outcome if the risk is realized.
Discretionary access controls
Controls implemented at the discretion or option of the data user (owner). The ability to share resources in a peer-to-peer configuration, for example, allows users to control and possibly grant access to information or resources at their disposal.
Mitigation
The control approach that focuses on planning and preparation to reduce the damage caused by a realized incident or disaster. Includes incident response (IR), disaster recovery (DR) and business continuity (BC) planning.
Least privilege
The principle that members of the organization can access only the minimum amount of information, for the minimum amount of time, necessary to perform their required duties.
Need to know
The principle of limiting users' access privileges to only the specific information required to perform their assigned tasks.
Risk appetite
the quantity and nature of risk that organizations are willing to accept as they evaluate trade-offs between perfect security and unlimited accessibility
Covert channels
Unauthorized or unintended methods of communication hidden inside a computer system, through which information flows in violation of the security policy (for example by modulating timing or a shared storage resource that the access controls do not cover).
Reference monitor
Within the trusted computing base (TCB), the conceptual part of the system that manages access controls, in other words mediates all access to objects by subjects. To be trusted it must be always invoked, tamperproof, and small enough to be verified.
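A small reference monitor tying together the Bell-LaPadula, Biba and lattice-based cards above. This is an added example, not code from the module: confidentiality labels are (level, compartments) pairs compared by dominance, which makes a lattice rather than a single chain; integrity uses a separate ordered scale; and the monitor grants an access only when both models agree, writing every decision to an audit trail. The subjects, objects, clearances and compartment names are constructed.

```python
"""Reference monitor enforcing Bell-LaPadula and Biba over a label lattice.

Added example with constructed subjects, objects and compartments.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class Integrity(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2


@dataclass(frozen=True)
class Clearance:
    """A point in the confidentiality lattice: a level plus compartments."""
    level: Level
    compartments: frozenset[str] = frozenset()

    def dominates(self, other: Clearance) -> bool:
        # a dominates b iff its level is at least b's and it holds every compartment b does
        return self.level >= other.level and self.compartments >= other.compartments


@dataclass(frozen=True)
class Label:
    conf: Clearance
    integ: Integrity


@dataclass(frozen=True)
class Entity:
    """A subject (user/process) or an object (file/record); both carry a label."""
    name: str
    label: Label


def blp_permits(subject: Entity, obj: Entity, op: str) -> bool:
    """Bell-LaPadula: no read up (simple security), no write down (*-property)."""
    if op == "read":
        return subject.label.conf.dominates(obj.label.conf)
    if op == "write":
        return obj.label.conf.dominates(subject.label.conf)
    raise ValueError(f"unknown operation {op!r}")


def biba_permits(subject: Entity, obj: Entity, op: str) -> bool:
    """Biba: no read down (simple integrity), no write up (*-integrity)."""
    if op == "read":
        return obj.label.integ >= subject.label.integ
    if op == "write":
        return subject.label.integ >= obj.label.integ
    raise ValueError(f"unknown operation {op!r}")


class ReferenceMonitor:
    """Every access goes through access(); both models must agree before it is
    granted, and every decision is appended to an audit trail (a list here)."""

    def __init__(self) -> None:
        self.audit: list[tuple[str, str, str, str]] = []

    def access(self, subject: Entity, obj: Entity, op: str) -> bool:
        granted = blp_permits(subject, obj, op) and biba_permits(subject, obj, op)
        self.audit.append((subject.name, op, obj.name, "GRANT" if granted else "DENY"))
        return granted


# Constructed population.  The analyst is cleared SECRET with the CRYPTO compartment.
ANALYST = Entity("analyst", Label(Clearance(Level.SECRET, frozenset({"CRYPTO"})), Integrity.MEDIUM))
SECRET_REPORT = Entity("secret_report", Label(Clearance(Level.SECRET, frozenset({"CRYPTO"})), Integrity.MEDIUM))
SECRET_NUKE = Entity("secret_nuclear_memo", Label(Clearance(Level.SECRET, frozenset({"NUCLEAR"})), Integrity.MEDIUM))
TS_PLAN = Entity("ts_plan", Label(Clearance(Level.TOP_SECRET, frozenset({"CRYPTO"})), Integrity.HIGH))
PUBLIC_FEED = Entity("public_feed", Label(Clearance(Level.UNCLASSIFIED), Integrity.LOW))


def demo() -> dict[str, bool]:
    """Run the analyst's requests through the monitor and return each verdict."""
    rm = ReferenceMonitor()
    return {
        "read secret_report": rm.access(ANALYST, SECRET_REPORT, "read"),       # both models allow
        "read secret_nuclear_memo": rm.access(ANALYST, SECRET_NUKE, "read"),   # same level, missing compartment: BLP denies
        "read ts_plan": rm.access(ANALYST, TS_PLAN, "read"),                   # read up: BLP denies
        "read public_feed": rm.access(ANALYST, PUBLIC_FEED, "read"),           # BLP allows, Biba denies read down
        "write public_feed": rm.access(ANALYST, PUBLIC_FEED, "write"),         # write down: BLP denies
        "write ts_plan": rm.access(ANALYST, TS_PLAN, "write"),                 # BLP allows write up, Biba denies
        "write secret_report": rm.access(ANALYST, SECRET_REPORT, "write"),     # both models allow
    }


if __name__ == "__main__":
    for request, verdict in demo().items():
        print(f"{request:28s} {'GRANT' if verdict else 'DENY'}")
```

The nuclear memo case is the lattice at work: two labels at the same level are incomparable when their compartments differ, so neither dominates the other and both the read and the write are refused. The public feed case shows why confidentiality and integrity are enforced together: BLP happily lets a SECRET subject read unclassified data, but Biba stops low-integrity input from flowing into a medium-integrity process.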