Security Management Practices Exam Three
Identify some alternative recovery strategies?
Hot Site: Fully configured; ready to operate within hours
Warm Site: Ready to operate within days; has no main computer or only a lower-capacity one, but does contain disks, network and peripherals
Cold Site: Ready to operate within weeks; contains only electrical wiring, air conditioning and flooring
Duplicate or Redundant Information Processing Facility: A standby hot site within the organization
Reciprocal Agreement: An agreement with another organization or division to use each other's facilities
Mobile Site: A fully or partially configured trailer that comes to your site, with microwave or satellite communications
Service Delivery Outage
Level of service in Alternate Mode
Maximum Tolerable Outage
Max time in Alternate Mode
How is Mean Time Between Failures (MTBF) defined?
Mean time between failures (MTBF) is the average time between system breakdowns. MTBF is a key maintenance metric for measuring the performance, safety and design of equipment, especially critical or complex assets such as generators or aircraft, and it is used to estimate the reliability of an asset.
Measures of availability: MTBF = Mean Time To Failure (MTTF) + Mean Time To Repair (MTTR), so that availability = MTTF / MTBF = MTTF / (MTTF + MTTR).
Identify some major areas of Security concerns with the Cloud?
Multi-tenancy: Your application runs on the same servers as other organizations; requires segmentation, isolation and policy
Physical Location: In which country will the data reside? Which regulations then apply to that data?
Service Level Agreement (SLA): Defines performance, security policy, availability, backup, compliance and audit obligations
Your Coverage: Total security = your portion + the provider's portion; the split of responsibility differs for IaaS, PaaS and SaaS
What are the 4 event damage classifications and which should you document?
Negligible: No significant cost or damage
Minor: A non-negligible event with no material or financial impact on the business
Major: Impacts one or more departments and may impact outside clients
Crisis: Has a major material or financial impact on the business
In case of a Business Continuity Plan/Disaster Recovery Planning, what is the number one priority?
People's lives take FIRST PRIORITY
What are some of the key contents of a Disaster Recovery Plan?
Pre-incident readiness
How to declare a disaster
Evacuation procedures
Identification of the persons responsible and their contact information: Incident Response Team, software/hardware vendors, insurance, recovery facilities, suppliers, offsite media storage, human relations, law enforcement (for a serious security threat)
Step-by-step procedures
Resources required for recovery and continued operations
What are some Cloud Deployment Models?
Private Cloud: Dedicated to one organization
Community Cloud: Several organizations with shared concerns share the computing facilities
Public Cloud: Available to the public or to a large industry group
Hybrid Cloud: Two or more clouds (private, community or public) remain distinct but are bound together by standardized or proprietary technology
What are some high availability solutions?
RAID: Local disk redundancy
Fault-Tolerant Server: When the primary server fails, a backup server resumes service
Distributed Processing: Spreads the load over multiple servers; if one server fails, the remaining server(s) attempt to carry the full load
Storage Area Network (SAN): A dedicated disk network that supports remote backups, data sharing and data migration between different geographical locations
What is Recovery Point Objective (RPO) and what is Recovery Time Objective?
Recovery Point Objective (RPO): the maximum amount of data, measured as a span of time, that the business can afford to lose after an outage; it is the point in time to which data must be restored. In practice the RPO determines how frequently backups must be taken (the backup period cannot exceed the RPO) and indicates how much data (updated or created since the last backup) will be lost or will need to be re-entered.
Recovery Time Objective (RTO): the maximum downtime the business can tolerate before the service must be running again.
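The following is an added worked example, not part of the exam notes, that puts the MTBF/MTTF/MTTR relation from the question above and the RPO/RTO definitions here into running code. It computes MTTR, MTTF, MTBF and availability from a constructed outage log, lists the outages that breached an assumed RTO, measures the orphan-data window of a failure against an assumed RPO, and works out the restore chain for an assumed backup schedule (weekly full plus daily incremental or differential). All timestamps, targets and the schedule are constructed values chosen for illustration.

```python
# Added example (not from the exam notes): availability arithmetic from the
# MTBF/MTTF/MTTR flashcard, plus RTO/RPO checks and backup restore chains from
# the RPO/RTO flashcard. All times, targets and the backup schedule are
# constructed values chosen for illustration.
from datetime import datetime, timedelta

HOUR = 3600.0

# Constructed outage log for one system: (failure time, service restored time).
OUTAGES = [
    (datetime(2024, 1, 3, 2, 10), datetime(2024, 1, 3, 4, 40)),
    (datetime(2024, 2, 14, 22, 0), datetime(2024, 2, 15, 1, 0)),
    (datetime(2024, 3, 29, 9, 30), datetime(2024, 3, 29, 10, 0)),
]
OBSERVATION_START = datetime(2024, 1, 1)
OBSERVATION_END = datetime(2024, 4, 1)

# Constructed backup schedule: a full backup every 168 h starting at FULL_EPOCH
# (a Sunday midnight) and a daily incremental or differential every 24 h.
FULL_EPOCH = datetime(2023, 12, 31)
FULL_INTERVAL_H = 168
DAILY_INTERVAL_H = 24


def hours(delta):
    """Length of a timedelta in hours."""
    return delta.total_seconds() / HOUR


def reliability_metrics(outages, start, end):
    """MTTR, MTTF, MTBF (hours) and availability over [start, end].

    MTTR = total downtime / number of failures
    MTTF = total uptime   / number of failures
    MTBF = MTTF + MTTR (the relation quoted in the notes)
    availability = uptime / total observed time
    """
    n = len(outages)
    downtime = sum(hours(restored - failed) for failed, restored in outages)
    total = hours(end - start)
    uptime = total - downtime
    mttr = downtime / n
    mttf = uptime / n
    return {
        "mttr_h": mttr,
        "mttf_h": mttf,
        "mtbf_h": mttf + mttr,
        "availability": uptime / total,
    }


def rto_breaches(outages, rto_hours):
    """Outages whose repair took longer than the RTO (tolerable downtime)."""
    return [(f, r) for f, r in outages if hours(r - f) > rto_hours]


def last_backup_before(t, interval_h, epoch):
    """Most recent scheduled backup at or before t for a fixed-interval schedule."""
    if t < epoch:
        raise ValueError("failure time precedes the first full backup")
    n = int(hours(t - epoch) // interval_h)
    return epoch + timedelta(hours=n * interval_h)


def rpo_check(failure_time, rpo_hours):
    """Orphan-data window (hours since the last backup) and whether it fits the RPO.

    A failure just before the next scheduled backup loses a whole interval, so the
    backup period must not exceed the RPO; a very short RPO calls for mirroring.
    """
    last_daily = last_backup_before(failure_time, DAILY_INTERVAL_H, FULL_EPOCH)
    window_h = hours(failure_time - last_daily)
    return window_h, window_h <= rpo_hours


def restore_chain(failure_time, strategy):
    """Backups that must be restored, in order, after a failure.

    'incremental': the last full plus every incremental taken since it.
    'differential': the last full plus only the latest differential.
    """
    last_full = last_backup_before(failure_time, FULL_INTERVAL_H, FULL_EPOCH)
    last_daily = last_backup_before(failure_time, DAILY_INTERVAL_H, FULL_EPOCH)
    chain = [("full", last_full)]
    if strategy == "incremental":
        t = last_full + timedelta(hours=DAILY_INTERVAL_H)
        while t <= last_daily:
            chain.append(("incremental", t))
            t += timedelta(hours=DAILY_INTERVAL_H)
    elif strategy == "differential":
        if last_daily > last_full:
            chain.append(("differential", last_daily))
    else:
        raise ValueError("strategy must be 'incremental' or 'differential'")
    return chain


if __name__ == "__main__":
    m = reliability_metrics(OUTAGES, OBSERVATION_START, OBSERVATION_END)
    print({k: round(v, 5) for k, v in m.items()})
    print("RTO 2 h breaches:", rto_breaches(OUTAGES, 2))
    failed = OUTAGES[1][0]
    print("RPO 24 h:", rpo_check(failed, 24), " RPO 4 h:", rpo_check(failed, 4))
    for s in ("incremental", "differential"):
        print(s, [(k, t.isoformat()) for k, t in restore_chain(failed, s)])
```

For the constructed log the three outages total 6 hours of downtime over a 91-day window, so MTTR is 2 h, MTTF is 726 h, MTBF is 728 h and availability is about 99.73%. The February failure at 22:00 leaves a 22-hour orphan-data window, which meets a 24-hour RPO but not a 4-hour one, and restoring it needs four backups under an incremental scheme but only two under a differential one, which is the trade-off between backup size and restore time that the backup-type list later in these notes refers to.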
Identify some Cloud Contractual Issues?
Service Level Agreement: personalized to the customer
Ownership of Data: privacy policies, security controls, monitoring performed, data location, handling of subpoenas for data
Audit Reports: penetration testing, security/availability metrics, logs, notification of policy changes
Incident Response: disaster recovery, incident reports
Contract Termination: termination at any time, data export, costs, data destruction
Alternate Process Mode
Service offered by backup system
The first and most important BCP test is the:
1.Desk-based paper test
When a disaster occurs, the highest priority is:
1.Ensuring everyone is safe
The PRIMARY goal of the Post-Test is:
1.Evaluate test effectiveness and update the response plan
The FIRST thing that should be done when you discover an intruder has hacked into your computer system is to:
1.Follow the directions of the Incident Response Plan.
The amount of data transactions that are allowed to be lost following a computer failure (i.e., duration of orphan data) is the:
1.Recovery Point Objective
When the RTO is large, this is associated with:
1.Sensitive or nonsensitive services
What in general terms is the Risk Management Framework?
A unified framework for managing security, privacy, and supply chain risks.
What is the preferred way to perform Disaster Recovery Test Execution?
Always tested in this order:
Desk-Based Evaluation / Paper Test: A group steps through the written procedure and mentally performs each step
Preparedness Test: Part of the full test is performed; different parts are tested regularly
Full Operational Test: Simulation of a full disaster
What two security architecture frameworks are discussed in Module 9?
Sherwood Applied Business Security Architecture (SABSA)
NIST Cyber Security Framework
Identify some of the items one must address in Backup and Offsite Library implementations?
Backups are kept off-site (at one or more locations)
The off-site location is sufficiently far away to be unaffected by the same disaster
The library is as secure as the main site, and media are unlabelled
The library has constant environmental control (humidity and temperature control, UPS, smoke/water detectors, fire extinguishers)
A detailed inventory of storage media and files is maintained
Business Continuity Management
Business continuity management (BCM) is a framework for identifying an organization's risk of exposure to internal and external threats. The goal of BCM is to provide the organization with the ability to effectively respond to threats such as natural disasters or data breaches and protect the business interests of the organization. BCM includes disaster recovery, business recovery, crisis management, incident management, emergency management and contingency planning.
What are the three reasons most Information Technology (IT) projects fail?
The ongoing rate of (partial or complete) failure of IT projects (in the 70% range) is attributed to:
•Inadequate design or strategy
•Poor execution
•Insufficient metrics
Identify the 5 Business Continuity Test Types?
Checklist Review: Reviews the coverage of the plan; are all important concerns covered?
Structured Walkthrough: Reviews all aspects of the plan, often by walking through different scenarios
Simulation Test: Executes the plan against a specific scenario, without using the alternate site
Parallel Test: Brings up the alternate off-site facility without bringing down the regular site
Full-Interruption Test: Moves processing from the regular site to the alternate site
What frameworks can be used in determining level of security control implementation within a company, firm, or organization?
CobiT 5
CMMC
ISO/IEC 27001/27002
Cyber Resilience Review (CRR)
Center for Internet Security (CIS) Top 20 Critical Controls
What is used in determining what is required between current state and desired state? GAP Assessment/Analysis
A complete analysis of each element, attribute and characteristic determines the gap between the current state and the desired state. Gap analysis is a technique for determining the steps to be taken in moving from the current state to the desired future state: a formal study of what the business is doing now and where it wants to be in the future.
What are some Cloud Service Models?
Data (DaaS): Retrieve database data from the cloud provider
Software (SaaS): The provider runs its own applications on the cloud infrastructure
Platform (PaaS): The consumer provides the applications; the provider supplies the operating system and development environment
Infrastructure (IaaS): Provides customers with access to processing, storage, networks and other fundamental computing resources
What is Orphan Data?
Data which is lost and never recovered — RPO influences the Backup Period
What does it mean that an architecture needs a holistic approach?
Do we understand all of the requirements?
Do we have a design philosophy?
Do we have all of the components?
Do these components work together?
Do they form an integrated system?
Does the system run smoothly?
Are we assured that it is properly assembled?
Is the system properly tuned?
Do we operate the system correctly?
Do we maintain the system?
Do we comply with the rules?
What is the one takeaway from the slide An Incident Occurs
Emergency Response Team: human life is the first concern (slide 52). The activity diagram shows that some events can happen in parallel, including all the tasks to the right. In some cases there is a security committee, and anyone on the committee can declare that a disaster has occurred.
What are some of the concerns of a Business Continuity Plan/Disaster Recovery Plan?
Evacuation plan: People's lives always take first priority
Disaster declaration: Who declares it, how, and on what grounds?
Responsibility: Who covers the necessary disaster recovery functions?
Procedures for disaster recovery
Procedures for Alternate Mode operation
Resource allocation: During recovery and continued operation
Copies of the plan should be kept off-site
What is used in comparing current to desired level?
GAP Analysis: Comparing the current level with the desired level
•Which processes need to be improved?
•Where is staff or equipment lacking?
•Where does additional coordination need to occur?
Why do a GAP Analysis?
A GAP analysis provides the foundation for measuring the investment of time, money and human resources required to achieve a particular outcome. Examples: transforming a paper-based salary system into a paperless one; classifying how well a product or solution meets the customer's requirements.
What tool is used in establishing Disaster Recovery Responsibilities identified on BC&DR Slide 55?
General business functions: first responder (evacuation, fire, health...), damage assessment, emergency management, legal affairs, transportation/relocation coordination (people, equipment), supplies, salvage, training
IT-specific functions: software applications, emergency operations, network recovery, hardware, database/data entry, information security
Contact information for every role is important!
Restoration Plan
How to return to regular system mode
Disaster Recovery Plan (DRP):
How to transition to Alternate Process Mode
What five main categories are included in the NIST Cyber Security Framework?
Identify Protect Detect Respond Recover
Disaster Recovery
Survive interruption to computer information systems
What is the least cost in regards to Disruption vs. Recovery Costs?
The least total cost is at the crossing point of the two curves: disruption cost rises with the length of the outage, while the cost of a faster recovery capability falls as the tolerated outage grows (slide 34).
Define Crisis Management?
The overall direction of an organization's response to a disruptive event, in an effective, timely manner, with the goal of avoiding or minimizing damage to the organization's profitability, reputation, and ability to operate. Development and application of the organizational capability to deal with a crisis.
Interruption Window
Time duration organization can wait between point of failure and service resumption
What does an information security architecture either provide or ensure?
To provide all the links in the chain
To ensure that security is provided through a fully integrated systems approach
To ensure that security services are properly managed
To ensure that security services are properly delivered and supported
To ensure that security meets the needs of the business
What are the six questions one should ask when developing an information security architecture and/or going through the six SABSA layers?
WHAT? What are we trying to do at this layer? The assets, goals and objectives to be protected and enhanced.
WHY? Why are we doing it? The risk and opportunity motivation at this layer.
HOW? How are we trying to do it? The processes required to achieve security at this layer.
WHO? Who is involved? The people and organizational aspects of security at this layer.
WHERE? Where are we doing it? The locations where we are applying security at this layer.
WHEN? When are we doing it? The time-related aspects of security at this layer.
What are some of the first steps in performing Business Impact Analysis?
Which business processes are of strategic importance?
What events or incidents could occur?
What impact would they have on the organization: financially, legally, on human life, on reputation?
What is the required recovery time period (RTO)?
What is the required recovery point objective (RPO)?
Are there metrics associated with the SABSA Business Attributes?
Yes. Summary of SABSA:
•Business-focused security architecture
•Open source
•Controls and technology neutral
•Top-down design, allowing full traceability from top to bottom and vice versa
•Risk and metrics integrated into the design
•Maturity schema integrated into the framework
•Other frameworks can be used or integrated with it
•Process intensive
•Few automated tools
Is SABSA Controls neutral as well as technology neutral?
Yes. Summary of SABSA:
•Business-focused security architecture
•Open source
•Controls and technology neutral
•Top-down design, allowing full traceability from top to bottom and vice versa
•Risk and metrics integrated into the design
•Maturity schema integrated into the framework
•Other frameworks can be used or integrated with it
•Process intensive
•Few automated tools
Does Recovery Point Objective (RPO) influence backup periods?
Yes. RPO influences the Backup Period
In preparing for a cyber crisis, it is important that you exercise a plan [fill in the blank] and must include whom?
Holistically, including the IT, business, legal and PR teams and anyone on the business side who might be involved in a cyber crisis.
What do business continuity plans build within a business?
·Risk ranges from loss of reputation over time to total collapse
·Businesses without a Business Continuity Plan, if an incident occurs:
·25% never open again
·80% of those that do not recover within a month are likely out of business
·75% fail within 3 years
·Businesses with a Business Continuity Plan, if an incident occurs:
·82% mitigated the impact of the disruption
·74% delivered key products and services
•Business Continuity Plans build a more resilient, agile business
CobiT's Version of CMM Levels
•0 - Nonexistent: The organization does not recognize the need for information security
•1 - Ad hoc: Risks are considered on an ad-hoc basis and no formal processes exist
•2 - Repeatable but intuitive: There is an emerging understanding of risk and the need for security
•3 - Defined process: Company-wide risk management policies and security awareness
•4 - Managed and measurable: Risk assessments are standard procedure; roles and responsibilities are assigned; policies and standards have been developed
•5 - Optimized: Organization-wide processes are implemented, monitored and managed
Center for Internet Security Top 20
•A pattern has emerged of steps common to many organizations that have made substantial progress in reducing risk using the Critical Controls:
•Step 1. Perform an Initial Gap Assessment: determine what has been implemented and where gaps remain for each control and sub-control.
•Step 2. Develop an Implementation Roadmap: select the specific controls (and sub-controls) to be implemented in each phase, and schedule the phases based on business risk considerations.
•Step 3. Implement the First Phase of Controls: identify existing tools that can be repurposed or more fully utilized, new tools to acquire, processes to be enhanced, and skills to be developed through training.
•Step 4. Integrate Controls into Operations: focus on continuous monitoring and mitigation, and weave the new processes into standard acquisition and systems management operations.
•Step 5. Report and Manage Progress against the Implementation Roadmap developed in Step 2. Then repeat Steps 3-5 in the next phase of the Roadmap.
•Steps 3, 4 and 5 become your "incremental desired states"
What is a desired state?
•A useful approach is to describe a "desired state"
•A snapshot, at some future point, of the essential elements, aspects and operations of the program in terms of characteristics and attributes
Identify some Business Continuity Security Controls?
•Redundancy: RAID, storage area networks, fault-tolerant servers, distributed processing, big data
•Backups: full backup, incremental backup, differential backup
•Networks: diverse routing, alternative routing
•Alternative Site: hot site, warm site, cold site, reciprocal agreement, mobile site
•Testing: checklist, structured walkthrough, simulation, parallel, full interruption
•Insurance
A test that verifies that the alternate site successfully can process transactions is known as:
1.Parallel test
During an audit of the business continuity plan, the finding of MOST concern is:
1.A test of the backup-recovery system is not performed regularly
A documented process where one determines the most crucial IT operations from the business perspective
1.Business Impact Analysis
When the RPO is very short, the best solution is:
1.Data mirroring
What are the ten steps in strategy development?
1. Define the desired state
2. Determine the current state
3. Perform a gap analysis
4. Set control objectives
5. Determine resources
6. Define constraints
7. Evaluate control choices
8. Design controls with the available resources
9. Design monitoring and metrics for the controls
10. Develop project and management plans
Define Crisis?
Abnormal and unstable situation that threatens the organization's strategic objectives, reputation or viability
Why should one have an action plan?
Action Plan: Intermediate Goals
•How the organization operates must always be taken into account
•A formal strategy may cover five years and needs to be partitioned into reasonably sized efforts commensurate with the normal organizational cycles
•Program parts may have dependencies, for example:
• Standards cannot be finalized until policies are approved and distributed
• Procedures cannot be finalized until standards are approved and distributed
• Tactical events may delay or derail the best-laid plans and require redirected efforts
• Priority should be given to those activities providing the greatest short-term benefits
•Early "wins" will help sustain enthusiasm for the overall program, as will demonstrable benefits
•Consideration must be given to program development metrics
•These will typically be project management metrics showing such things as progress against plan and cost against budget
What are the attributes of a good security strategy?
Attributes of a Good Security Strategy
•Requires knowing the culture and the landscape, that is, the context
• This determines what is possible and the kinds of solutions and approaches that will be acceptable to the organization and the environment it operates in
•Must know the resources available
•Must understand the constraints
•Proposed questions:
• What is the hallmark of a good strategy?
• Are there elements we can consider likely to result in a successful strategy?
Are the Objectives Realistic and Achievable?
•It is not uncommon for security practitioners with ambitious goals for implementing effective security to be frustrated by the difficulty of gaining management support and adequate resources
•One cannot rest solely on the assumption that every objective will be substantially achieved
•Must consider how to make the most of partial successes and how the various components of the strategy can still function to some degree
•Revisit, and develop acceptable alternatives, wherever any part of a plan requires the complete success of a prior part of that plan
Are the Objectives Likely to Achieve the Desired Outcomes?
•Requires priorities and trade-offs
•Consider which security attributes take precedence when conflicting requirements exist
•Consider the trade-offs between performance and safety
• They cannot always coexist fully: if a particular business requirement for high throughput or fast response conflicts with the processing necessary for high assurance of identity, which will take priority?
•Consider the issues of confidentiality, integrity and availability from both a strategy and a controls perspective in terms of trade-offs and focus
Business Continuity
Business continuity is an organization's ability to maintain essential functions during and after a disaster has occurred. Business continuity planning establishes risk management processes and procedures that aim to prevent interruptions to mission-critical services, and reestablish full function to the organization as quickly and smoothly as possible.
What are the 4 different classification of services and how are they ranked in cost?
Critical $$$$: Cannot be performed manually; tolerance to interruption is very low
Vital $$: Can be performed manually for a very short time
Sensitive $: Can be performed manually for a period of time, but may cost more in staff
Nonsensitive ¢: Can be performed manually for an extended period of time with little additional cost and minimal recovery effort
What are the major steps/activities in performing a GAP Assessment/Analysis?
Current State: Where are we now?
Desired State: Where do we want to go?
Gap Analysis: What do we need to do to reach the desired state, and how do we do it?
Answer each gap analysis question: if "yes", provide evidence; if "no", remedial action should be taken; if "N/A", no action is required, but you must be able to justify why the question is not applicable.
Define: Gap Analysis Information Security Framework
Gap Analysis: A technique for determining the steps to be taken in moving from the current state to the desired future state.
Information Security Framework: A defined set of components used to design, manage and measure an information security program.
Define: a. Identify (function)—Slide 128 b. Protect (function) --- Slide 128 c. Recover (function) --- Slide 128 d. Respond (function)-- Slide 128 e. Detect (function) --- Slide 128 f. Deter or Deterrent--- Slide 128 g. Prevention--- Slide 128 h. Containment--- Slide 128
Identify (function): Develop the organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities.
Protect (function): Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
Recover (function): Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Respond (function): Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
Detect (function): Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
Deter or Deterrent: Controls that are intended to discourage individuals from intentionally violating information security policies or procedures. These usually take the form of constraints that make it difficult or undesirable to perform unauthorized activities, or threats of consequences that influence a potential intruder not to violate security (e.g., threats ranging from embarrassment to severe punishment).
Prevention: Controls that attempt to avoid the occurrence of unwanted events, whereas detective controls attempt to identify unwanted events after they have occurred.
Containment: Controls that attempt to isolate the occurrence of a cybersecurity event.
1. Define Business Resilience- BC&DR Slide 7
The ability of an organization to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets and overall brand equity. Business resilience goes a step beyond disaster recovery by offering post-disaster strategies to avoid costly downtime, shore up vulnerabilities and maintain business operations in the face of additional, unexpected breaches.
What uses are there in regards to having or developing an information systems architecture?
Managing Complexity
•Provides a framework within which complexity can be managed successfully
•All must work as a team to create something that has the appearance of being designed by a single "design authority"
•Must integrate many business processes and support functions seamlessly, providing effective services and management to the business, its customers and its partners
•Provides a means to manage that complexity
Providing a Framework and Road Map
•Acts as a road map for a collection of smaller projects and services that must be integrated into a single homogeneous whole
•Provides a framework within which many members of large design, delivery and support teams can work harmoniously, and toward which tactical projects can be migrated
Simplicity and Clarity through Layering and Modularization
•In the same way that conventional architecture defines the rules and standards for the design and construction of buildings, information systems architecture addresses these same issues for the design and construction of computers, communications networks, and the distributed business systems that are required for the delivery of business services
•Information systems architecture must take account of:
• The goals that are to be achieved through the systems
• The environment in which the systems will be built and used
• The technical capabilities of the people who will construct and operate the systems and their component subsystems
Business Focus Beyond the Technical Domain
•Information systems architecture is concerned with much more than mere technical factors
•It is concerned with what the enterprise wants to achieve and with the environmental factors that will influence those achievements
•This broad view of information systems architecture may not be well understood
•Technical factors are often the main ones that influence the architecture, and under these conditions the architecture can fail to deliver what the business expects and needs
What are the major steps in the Business Continuity Process?
Perform a Business Impact Analysis
Prioritize services to support critical business processes
Determine alternate processing modes for critical and vital services
Develop the Disaster Recovery Plan for systems recovery
Develop the BCP for business operations recovery and continuation
Test the plans
Perform feedback and lessons learned
Maintain and update the plans
Is NIST's Cyber Security Framework Controls technology neutral?
Yes, it is technology neutral, but it is not controls neutral. Summary of the NIST Cyber Security Framework:
•Open source
•Technology neutral
•Maturity and risk integrated into the framework
•A standard security framework used by commercial and non-commercial entities in the United States
•The required framework for the Federal Government and its contractors
•Integrated into other frameworks
•Risk is assumed (opinion)
•Metrics not integrated into the framework
Can SABSA and NIST Cyber Security Framework co-exist?
Yes. See both summaries if necessary in q 34 and q 33.
What are the three constraints in strategy development and describe each?
•A constraint is any condition that diminishes or adversely impacts the achievement of any of the selected attributes
•Constraints can be direct, consequential or peripheral
Direct Constraints
•A characteristic that either prohibits a particular solution or renders it ineffective
•Can be legal, ethical, practical, or a matter of organizational policy
•Can be a problem of inadequate control, such as relying solely on voluntary policy compliance without monitoring
Consequential Constraints
•Those for which the application of a control has subsequent effects beyond the one intended (remember the downstream consequences analysis)
•Examples:
• If one assigns long, complex passwords, users are likely to write them down, so they are subject to compromise
• If a control adds substantial work or difficulty for users, it can invite adverse effects whose probability must be considered as a constraint on the approach
Peripheral Constraints
•Address the possibility that the effects of a particular approach extend beyond the intended targets
•Any control, however effective and efficient at addressing a particular security gap, that adversely impacts the ability to get required work done will be subject to peripheral constraints
What are some crisis management principles?
•Be ready to recognize a crisis: overconfidence can lead to oversight of a problem or issue
•Respond quickly and decisively: avoid focusing only on technical aspects, consider public perception, monitor the media
•Ensure visibility of a strong business leader in a position of authority
•Communicate early and often: vital for rebuilding trust
•Prioritize trust over other concerns: it is key to the organization's reputation and long-term survival
What are the Key Goal Indicators (KGI) for Resource Management?
•Benchmarking
•Resource utilization
•Number of controls
•Standardized processes
What is re-engineering and why is it used?
•Business process re-engineering can be used as an approach in assessing and analyzing control procedures and practices determining if they can be modified or eliminated •It is not unusual that up to half of all controls can be eliminated and others improved substantially in terms of user convenience, effectiveness, and efficiency
What are some sources one can use in performing a GAP Analysis?
•Center for Internet Security (CIS) Critical Security Controls, aka the SANS Top 20; the CIS Controls Small to Medium-Sized Enterprise (SME) Companion Guide; Creating Baseline Security Controls for Any Sized Enterprise Using the Cyber Resilience Review (CRR)
•The Cybersecurity Assessment Tool (Assessment) developed by the Federal Financial Institutions Examination Council (FFIEC)
•COBIT 5 gap analysis resources
•Internal or external audit assessments
•Third-party vendors
•Lessons learned
•Prior or current incident response activity
•Disaster recovery, business continuity or crisis management tests/exercises
•Community resources such as:
• ISACs
• ISACA
• ISSA
• ISC2
• ASIS
What is the Cybersecurity Maturity Model Certification (CMMC) Framework?
•Consists of:
• Maturity processes
• Cybersecurity best practices
• Input from Defense Industrial Base (DIB) stakeholders
•Model framework:
• Organizes processes and practices into a set of domains, maps them across 5 levels, and aligns the practices to a set of capabilities within each domain
What are the two general classes of constraints and describe each one?
•Contextual
•Operational
Contextual Constraints
•Constitute the boundaries or limits within which the strategy must operate
•Approaches and solutions for achieving the objectives must not fall outside the defined contextual constraints
•Some, such as ethics and culture, may have been dealt with in developing both the desired and current states
•Others can arise as a consequence of developing the road map and action plan, when unusual solutions are required to address particular issues
They can include:
•Law: legal and regulatory requirements
•Physical: capacity, space and environmental constraints
•Ethics: appropriate, reasonable and customary
•Policy: must meet the organizational policy mandates
•Culture: both inside and outside the organization
•Costs: time and money
•Personnel: resistance to change, resentment of new constraints
•Organizational structure: how decisions are made and by whom; turf protection
•Resources: capital, technology and people
•Capabilities: knowledge, training, skills and expertise
•Time: window of opportunity, mandated compliance
•Risk tolerance: threats, vulnerabilities and impacts
Operational Constraints
•The inherent capabilities and limitations of the solutions and approaches themselves in addressing the gaps
•Example:
• Policies and standards are important resources for addressing identified "gaps", but absent good compliance they will do little to manage the risk
• Merely writing something down does not ensure that it is accomplished
•Solutions addressing gaps must be verifiable and must be able to provide feedback on their operational status and effectiveness
•An unreliable or inaccurate technical solution may be a greater problem than the one it was intended to remedy
•Bad or incorrect information may be worse than none at all
Operational constraints to consider:
•Manageable: an approach that is difficult or impossible to manage will be a constraint
•Maintainable: the level of maintenance required for controls must be considered
•Efficient: a serious lack of control efficiency can be a constraint
•Effective: controls that are not effective will not be a good choice
•Proportional: the cost of a control cannot exceed its benefits
•Reliable: any control that is not consistent and dependable will limit benefits
•Accurate: the solution must clearly address the defined problem
•In scope: is a solution's effect limited to the intended area, or can there be unintended consequences?
What are some of the plans that go into crisis management?
•Crisis Management — Cyber Security Incident Response Plan, Emergency Response Plan, Information Technology Disaster Recovery (ITDR) Plan, Business Continuity Plan, Crisis Communication Plan
•Crisis Management Governance Framework ― How we organize around a crisis; how we identify crises; how we characterize them as to what they are; how serious they are; how we escalate them through the organization based on their severity; which of these plans is triggered to respond to and recover from these crises
•Organizations develop and execute annual training exercises testing continuity plans, emergency plans, crisis communication plans, and so forth
•Organizations perform education and awareness
•Organizations can manage crises, one kind among them being cyber crises
What are some of the frameworks one can use in defining/developing the "desired state?"
•Define "desired state" using framework(s)
•Use different frameworks/approaches to defining information security objectives, including:
  • Security architecture
  • Sherwood Applied Business Security Architecture (SABSA)
  • NIST Cyber Security Framework
  • Risk Management Framework
  • CobiT 5
  • Capability Maturity Model
  • Cybersecurity Maturity Model Certification (CMMC) Framework
  • ISO/IEC 27001, 27002
  • The Center for Internet Security (CIS) Controls for Effective Cyber Defense Version 6.0, formerly known as the SANS Top 20 Critical Controls
  • The Cybersecurity Assessment Tool (Assessment) developed by the Federal Financial Institutions Examination Council (FFIEC)
What can one use to describe the current state?
•Determining the current state for the Six Outcomes of Effective Information Security Governance uses the identical methods used in defining the desired state
•Because identifying the current state uses the identical characteristics and attributes as the desired state, the gap between the two can be evaluated
•Determining the gap is not the same as closing it, which may pose some formidable challenges
What are some sources for Information Security Framework selection process?
•Domestic or International Business Operations
•Interaction with U.S. Federal Government entities
•Upstream Supplier and Provider Reliance
•Requirements of Downstream Relationships
•Business Compliance Requirements
Identify some of the items one must address in Backup — Encryption and Key Management?
•Escrow all encryption keys with a certified key escrow provider
•Ensure you can decrypt backup files
•Document the backup encryption and decryption process
•Follow NIST SP 800-57 Part 2 Rev. 1, "Recommendation for Key Management: Part 2 - Best Practices for Key Management Organizations," for defining and managing the organization's key management standards, practices, processes, or procedures
What are the four components to an Information Security Framework?
•Framework Selection Process - The decision criteria for determining the industry standard framework(s) that comprise the organization's Information Security Framework
•Scope of Framework Application - The description of the generally recognized set of security program components selected and implemented within the organization, including which components of the framework are deemed in scope or out of scope, and the reasoning for exclusion of de-selected framework components
•Framework Role Assignments - The mapping of responsible parties for governance, oversight, and operational execution for distinct functions within the framework
•Framework Assessment - Relates to the Program Measurements and Metrics used to evaluate the effectiveness of the Framework functions and the associated controls that are defined
What are some considerations for Information Security Framework Selection?
•Framework selection, scope, and prioritization decisions derived from Framework Assessment are outputs from the Information Security Strategy, including short-, mid-, and long-term planning
•Defining the effectiveness of the framework elements and controls in the Measurement and Metrics area
•Defining the high-level role functions within the Governance and Organization area
•Constructing a decision tree / flow diagram for specific framework selections
•Including a decision risk assessment template within the Information Security Risk Management area
What are the questions that must be asked in regards to the six outcomes of an effective information security governance program?
•How much alignment with organizational objectives must security have?
  • How do we define and measure it?
  • Is alignment increasing or decreasing?
  • How can it be measured?
•What levels must risk be managed to?
  • What measurement(s) determine(s) when it is achieved?
•What options are available for integrating assurance functions?
  • How can the silo effect of safety efforts be countered?
  • What constitutes an optimal level of integration?
•What is an adequate or optimal level of value delivery?
  • How can it be improved?
  • How can it be measured?
•How do we determine if resources are being used effectively and efficiently?
•What level of performance measurement is sufficient in guiding the security program and maintaining an acceptable level of security?
What are some of the questions asked within a crisis management governance framework?
•How we organize around a crisis; how we identify crises; how we characterize them as to what they are; how serious they are; how we escalate them through the organization based on their severity; which of these plans is triggered to respond to and recover from these crises
What are some of the causes for strategy failures?
•Inadequate or faulty analysis
•Greed
•Unmitigated ambition
•Other corporate malfeasance
Strategy — Causes of Failures Not So Well Understood
•Overconfidence
•Optimism
•Anchoring
•Status quo bias
•Endowment effect
  • A similar bias: people tend to keep what they own, and simply owning something makes it more valuable to the owner
•Mental accounting
  • Defined as the inclination to categorize and treat money differently depending on where it comes from, where it is kept, and how it is spent
  • Is common even in the boardrooms of conservative and otherwise rational corporations
•Confirmation bias
  • Seeking only those opinions and facts that support one's own beliefs
•Selective recall
  • Remembering the facts and experiences that reinforce current assumptions
•False consensus
  • Overestimating the extent to which others share one's views, beliefs, and experiences
•Biased evaluation
  • Accepting evidence supporting the preferred hypotheses while challenging and rejecting contradictory evidence; often accompanied by charging critics with hostile motives and impugning their competence
•Group Thinking
  • Pressuring for agreement in a team-based or consensus-oriented culture
  • Can lead to ignoring or minimizing important threats or weaknesses in plans and persisting with doomed strategies
Strategy — Causes of Failures Not So Well Understood — Herding instinct
•Is a fundamental human trait to conform and seek validation by the actions of others
•Can be observed in the "faddism" in security, as evidenced by the sudden adoption and deployment across industries of identity management or intrusion detection
•Is based in the fear of being left out and missing the boat
•Make decisions based on what everybody else is doing
•Is aptly demonstrated by one pundit who quipped, "For senior managers the only thing worse than making a huge strategic mistake is being the only person in the industry to make it"
What are the Key Goal Indicators (KGI) for Business Process Assurance/Convergence?
•Incidents, or a lack of them, traceable to a lack of integration
•The number of management levels before assurance processes fall under the same organizational position
•Inconsistencies or contradictions in the objectives, policies, and standards applied to various assurance functions
•An absence of communications between assurance providers
What are the two greatest issues/difficulties in developing a strategy?
•Issues posing the greatest difficulties will be cultural and structural
•Though they are challenging, addressing them is not impossible, although it may take considerable effort and time
•One must clarify these issues as an essential first step in finding possible approaches and illuminating them for management consideration
What are the Key Goal Indicators (KGI) for Strategic Alignment?
•Lines of business have defined security requirements and control objectives
•Business requirements drive security initiatives
•Security activities do not materially hinder business
•Security program enables certain business activities
•Security activities provide predictable operations
•Security resources are allocated in proportion to business criticality
Why might one use an architecture in strategy development?
•May be beneficial to consider a security architecture that formally addresses the required elements as well as their interrelationships and ability to achieve the desired outcomes
Enterprise Security Architecture:
•Business strategy for security is closely linked to the goals of Operational Risk Management
•As part of a business strategy, security must balance with other requirements:
  • Usability, inter-operability, integration, supportability
  • Fast time-to-market, scalability, re-usability
  • Cost effectiveness
•They must deal with conflicting objectives
Information Security Architecture
•Provides the links in the chain
•Ensures security is provided through a fully integrated systems approach
•Ensures security services are properly managed
•Ensures security services are properly delivered & supported
•Ensures security meets the needs of the business
What is the difference between Objectives and Outcomes?
•Objectives set the targets for efforts; outcomes are the result
•Knowing the desired outcomes defines the objectives
•Initiating/implementing information security governance ― first step in securing information security program outcomes
•Understanding and clarifying outcomes or results provides both direction and guidance for:
  • Defining specific objectives
  • Determining whether those outcomes are being achieved
What are some of the resources available to implement a strategy?
•Policies
  • Establish a high-level statement of management intent, expectations, and direction
  • Considered the "constitution" of security governance if the organization has not established a Security Charter
•Standards
  • Define allowable boundaries for people, processes, procedures, and technologies necessary in meeting the intent of policies
  • Considered the "law" of security governance
•Procedures
  • Are detailed steps necessary in accomplishing a particular task and must conform to the standards
•Guidelines
  • Are helpful narratives in executing procedures, including suggestions, tools, and so forth
•Architecture(s)
  • Define the relationships between objects, the information flows between them, and the inputs and outputs, as well as other aspects such as schemas, specifications, metrics, test points, and so on
  • Range from contextual and conceptual to logical, functional, physical, and operational
•Controls (physical, technical, procedural)
  • Are any regulatory element, whether process, procedure, technology, or physical component (e.g., access controls, procedural controls, and firewalls)
•Countermeasures
  • Directly target mitigation activities for any threat or vulnerability
  • Can be considered a targeted control
•Layered defenses
  • Are the practice of adding subsequent or sequential controls in an effort to ensure that failure of one control will not compromise the entire system
•Technologies
  • Are preventive, detective, corrective, or compensatory in nature, or some combination of these (e.g., a firewall can be both preventive and detective, as well as possibly compensatory)
•Personnel security
  • Personnel remain one of the greatest threats to security through overwork, lack of training, carelessness, indifference, accident, mistakes, and, occasionally, malice
  • Must consider the human element as central to implementation and secure operations
•Organizational structure
  • Can be beneficial to effective security strategy development or a monumental obstacle
  • Must consider the following in strategy development: organizational structures, reporting relationships, real or potential conflicts between various organizational units, and whether it is a command and control structure or a flat, decentralized structure
•Roles and responsibilities
  • Establishing clear and well-defined roles and responsibilities must be considered in strategy development and will have a significant impact on implementation and operation of a security program
•Skills
  • Using existing skills and proficiencies will be easier to implement; skills must be assessed in the planning phase
•Training
  • Major changes in operations will require skills acquisition, training, or both
  • Consider training requirements in security strategy development or in the controls operation and configuration development
•Awareness and education
  • Provides the greatest return on investment in terms of security
  • Include provisions for ongoing security awareness using various methods such as computer-based training and security briefings
•Audits
  • Are not often used to best effect
  • Consider how to coordinate with auditors and use audits as a force for needed changes in overall governance
•Compliance enforcement
  • Is often one of the most problematic elements of security governance, and due consideration must be given in the strategy to how policies and standards can be enforced both from a technical perspective and from the more difficult physical and procedural standpoint
  • Requires effective policy and standards compliance in establishing and maintaining a successful security program
•Threat analysis
  • Requires ongoing evaluation of existing and emerging threats
•Vulnerability analysis
  • Requires technical vulnerability scanning as well as assessment of physical and operational vulnerabilities, which are often not tested or are ignored
  • Consider how all these elements will be addressed
•Risk assessment
  • Must be a standard practice at the strategic, management, and operational levels, and must cover entire business processes from input to output in addition to relevant external factors
  • Have policies and standards that provide the requirements for assessment of risk on an ongoing basis
•Business Impact Assessment (BIA)
  • Is essential for determining protection and recovery priorities, and should be a policy requirement defined in the strategy
•Resource dependency analysis
  • Can be an alternative to BIAs in determining protection and recovery priorities
  • Is based on analyzing the resources required for critical business processes
•Outsourced security providers
  • Are a viable option for implementing a strategy but carry some attendant risk that must be addressed
  • Must consider the options for outsourcing as a viable approach to program implementation
•Other organizational support and assurance providers
  • Must consider how to optimize integration of a variety of other assurance providers in the organization to maximize security cost effectiveness
•Facilities
  • Must consider Facilities Management in a security program strategy given the critical nature of physical and environmental impact on information security effectiveness
•Environmental security
  • Must address external environmental threats and risks
•Metrics and monitoring
  • Requires adequate metrics and suitable monitoring
  • Must ensure metrics are designed into key controls to ensure their continued operation
  • Requires monitoring of key processes and controls, and the strategy must address how this will be accomplished
In managing a cyber crisis, it requires expertise in both?
•Requires expertise in both crisis management and cybersecurity
What are the Key Goal Indicators (KGI) for Risk Management?
•Risk Assessment Completed
•Business Impact Assessments Performed or Completed
•Business Continuity Planning/Disaster Recovery (BCP/DR) Developed, Implemented, Completed, or Tested
•Risk Appetite and Risk Tolerances Defined
•Asset Classification Performed, Initiated, or Completed
•Have an overall security strategy and program for achieving acceptable levels of risk
•Define mitigation objectives for identified significant risks
•Have processes for management or reduction of adverse impacts
•Have systematic, continuous risk management processes
•Show trends of periodic risk assessment, indicating progress toward defined goals
•Show trends in impacts
•Perform analysis of the collective impact of aggregated risk
•Establish and show recognition of potential cascading impacts
What are the Key Goal Indicators (KGI) for Value Delivery?
•Security activities are designed to achieve specific strategic objectives
•The cost of security is proportional to the value of assets
•Security resources are allocated by degree of assessed risk and potential impact
•Controls are based on defined control objectives and are fully used
•An adequate and appropriate number of controls to achieve acceptable risk and impact levels
•Control effectiveness is determined by periodic testing
•Policies are in place that require all controls to be periodically reevaluated for cost, compliance, reliability, and effectiveness
•Controls usage ― controls that are rarely used are not likely to be cost-effective
•The number of controls to achieve acceptable risk and impact levels ― fewer effective controls can be expected to be more cost-effective than more less-effective controls
Cyber Resilience Review
•Step 1. Perform Initial Gap Assessment - determining what has been implemented and where gaps remain for each control and desired maturity level
•Step 2. Develop an Implementation Roadmap - selecting the specific controls (and maturity level) to be implemented in each phase, and scheduling the phases based on business risk considerations
•Step 3. Implement the First Phase of Controls - identifying existing tools that can be repurposed or more fully utilized, new tools to acquire, processes to be enhanced, and skills to be developed through training
•Step 4. Integrate Controls into Operations - focusing on continuous monitoring and mitigation and weaving new processes into standard acquisition and systems management operations
•Step 5. Report and Manage Progress against the Implementation Roadmap developed in Step 2. Then repeat Steps 3-5 in the next phase of the Roadmap
What are the six outcomes of an effective information security governance program?
•Strategic alignment ― Aligning security activities with business strategy to support organizational objectives
•Risk management ― Executing appropriate measures to manage risks and potential impacts to an acceptable level
•Business process assurance/convergence ― Integrating all relevant assurance processes to maximize the effectiveness and efficiency of security activities
•Value delivery ― Optimizing investments in support of business objectives
•Resource management ― Using organizational resources efficiently and effectively
•Performance measurement ― Monitoring and reporting on security processes to ensure that business objectives are achieved
What is an information security strategy?
•Strategy is the plan to achieve an objective
•The objectives of information security coupled with the plans to achieve them
•The concept of design is nearly synonymous with strategy
•Both require an objective and a plan, although a strategy implies actions as well, whereas design does
•The resulting plan(s) address those actions/activities in meeting the organization's security objectives; typically covers at least one to three years in duration, sometimes up to five
•The information security strategy should be aligned with the organization's overall business strategy
What tool is used and identified in determining Information Security Framework role assignments?
•The standard RACI method should be used
•As the framework is implemented, the role assignments should be captured across each element or control and tracked across the organization
  • Larger organizations may have numerous assignments based on divisions, business units, or other sub-organizational division factors
  • Additionally, outsourced solutions and Cloud Computing will introduce further role assignment factors
What are the Key Goal Indicators (KGI) for Performance Management?
•The time it takes to detect and report security-related incidents
•The number and frequency of subsequently discovered unreported incidents
•The ability to determine the effectiveness, efficiency, accuracy, and reliability of metrics
•Clear indications that security objectives are being met
•Threat and vulnerability management
•Consistency or effectiveness of log review practices
What is a common approach to create practical points of reference to gauge the extent to which these outcomes will be realized?
•They create practical reference points for gauging the extent to which outcomes are realized
•Goals developed in conjunction with the organization's business and operational units ensure relevance to their activities
•They can be any form of metric, whether an actual numeric value such as the number of complaints in some period of time, or periodic surveys of organizational sentiment regarding security
•They provide useful feedback for security management in navigating the program and provide a general metric for monitoring organizational progress
Does ISO/IEC 27001/27002 provide a linkage between control objectives and strategic business objectives?
•This standard and code of practice can serve to provide an approach to security governance, although to some extent by inference
•27001 is a management system with a focus on control objectives, not a strategic governance approach
•The linkage between control objectives and strategic business objectives is not explicitly addressed
•Many organizations find benefits in using international standards
•Might be useful to use a higher-level framework or other approach for setting strategic security governance objectives that then feed into the ISO model
ISO/IEC 27001/27002
•Use the scale below in determining current state status
•0 - requirement not implemented nor planned, but mark those that will be implemented in the desired state;
•1 - requirement is planned but not implemented;
•2 - requirement is implemented only partially, so that full effects cannot be expected;
•3 - requirement is implemented, but measurement, review and improvement are not performed; and
•4 - requirement is implemented and measurement, review and improvement are performed regularly.
NIST SP 800-53
•Use the scale below in determining current state status
•0 - requirement not implemented nor planned, but mark those that will be implemented in the desired state;
•1 - requirement is planned but not implemented;
•2 - requirement is implemented only partially, so that full effects cannot be expected;
•3 - requirement is implemented, but measurement, review and improvement are not performed; and
•4 - requirement is implemented and measurement, review and improvement are performed regularly.