Chapter 1 - Organizational Security and Compliance
3 main phases of Risk Analysis & Assessment
(1) Asset identification (2) Risk analysis (3) Risk likelihood and impact
SLA policy
(a) policies and procedures that a company performs to support the SLA, including the services performed
Exam Tip
Agreements should consider the business context of the organizations
Communicates network changes and outages
Change management policies
Ensuring security policies are being followed requires?
Continued monitoring and auditing
Use ______ to protect integrity and privacy of data, and adhere to government-regulated compliance policies for data protection.
Data loss prevention (DLP)
cost of the risk management solution exceeds the value of the asset if it's lost
Example: file server & data = $35,000; proposed security solution = $150,000
Security Policies
general organizational security including physical access, access control to data, and security through structures and data security principles
Least privilege
grants users only the access rights they need
Cost of solutions
identify a cost-effective solution to protect assets
3 types of Business Partners Agreements
(1) General Partnerships (2) Limited (3) Joint Ventures
Risk Management Options (options based on nature and probability of risk and total cost of the solution)
(1) avoidance (2) transference (3) acceptance (4) mitigation (5) deterrence
3 Risk Control Types (each is a separate but cooperative layer in the overall risk management strategy)
(1) management (2) operational (3) technical
2 generally accepted ways to perform Risk Analysis
(1) qualitative (2) quantitative
Risk Management Options
(a) Avoidance (b) Transference (c) Acceptance (d) Mitigation (e) Deterrence
Risk mitigation strategies and policies include:
(a) Change management (b) Incident response (c) Auditing (d) User permission reviews (e) Data loss prevention
Most common data protection regulations include:
(a) HIPAA (b) SOX (c) PCI (d) EUDPD (European Union Data Protection Directive)
Access Control Policies
(a) Least privilege (b) Separation of duties (c) Job rotation (d) Mandatory vacations
Acceptable Use Policies include:
(a) Legality (b) Uniqueness to your environment (c) Completeness (d) Adaptability (e) Protection for employees
Organizational Policies to Reduce Risk
(a) Security (b) Network Access (c) Human Resources
Joint Ventures
(a) begin the same way as a general partnership (b) but shorter time frame (c) often a single project
Incident Management & Response Policy
(a) clearly defined policy can help contain a problem and provide quick recovery to normal ops (b) should cover each type of compromised security scenario and list the procedures to follow when they happen
MOA/MOU - Memorandums of agreement and understanding
(a) common in government sector (b) relate terms of cooperation between two organizations to seek common goal (c) detail the distinct roles and responsibilities of both parties (d) often high-level, accompanied by more tech docs (e) like interconnection security agreement
Best Practices: operational [risk]
(a) company-wide policies that must be created, distributed, and used to educate employees on how to conduct their day-to-day activities (b) improvement initiatives to make organizational processes more efficient and effective
Operational [risk]
(a) concerned with how you conduct your daily organizational business (b) minimize the security risk to your organization and its business activities
Best Practices: [risk]management
(a) controls encompassing managerial, technical, and operational aspects of the organization (b) includes: implementation of an overall risk management framework, efforts to improve documentation
Risk Analysis
(a) deals with identifying, assessing, and reducing the risk of security breaches against company assets
SOX - Sarbanes-Oxley Act
(a) defines standards for publicly held companies and accounting firms (b) storage, access, communications, auditing of financial data
BPA - Business Partners Agreements
(a) describes how a new business will be conducted among partners (b) 3 types
Technical [risk]
(a) describes the actual technical measures used to prevent security risks
NIST 800-47 "Security Guide for Interconnection Information Technology Systems"
(a) details the lifecycle of interconnected information systems, which includes: planning, establishing, maintaining, and disconnecting the interconnection
ISA - Interconnection security agreement
(a) details technical framework in which two info systems--even those owned by single organization--will directly connect and share data securely (b) NIST guide 800-47 "Security Guide for Interconnection Information Technology Systems" (c) will have an accompanying diagram depicting the connection
General Partnerships
(a) devised under assumption that all profits and liabilities will be divided equally among the business partners
Data Loss Prevention and Regulatory Compliance (DLP)
(a) focused on preventing loss of data and protecting its confidentiality and privacy (b) company's own data, or any customer data stored & communicated (c) protect data in storage & transit (d) DLP mitigation techniques require use of both inbound via network security and outbound via content filters & encryption
User Rights and Permissions Reviews
(a) helps guard against existing security lapses in user rights policies from employee movement in the company (b) needs close cooperation with human resources and department heads to be proactively notified when employees' positions and responsibilities change
Management risk controls?
(a) high-level risk management (b) assessment (c) mitigation plans that define your overall organization security
Asset Identification
(a) identify and quantify the company's assets, worth (b) established beyond mere capital costs--acquisition costs, maintenance, value of asset to company/competitor, what clients would pay for asset or server, cost of replacement, cost of compromise
Risk assessment and mitigation deals with:
(a) identifying (b) assessing (c) reducing the risk of security breaches against company assets
EUDPD - EU Data Protection Directive
(a) multinational (b) provide privacy protection for stored and transmitted user data
Change Management Policy
(a) official company procedures used to identify and communicate current or forthcoming changes to some aspect of the company's networks and comm services
[risk] Management
(a) ongoing high-level function w/in your organization (b) begins with risk assessment and analysis to identify the risk of security breaches against company assets (c) assessing the probability of a risk and estimating its impact, and defining the steps to reduce the level of that risk (d) solutions need proper analysis and budgeting for cost-effective solutions
Best Practices: technical [risk]
(a) physical access controls (fencing, security passes, surveillance) (b) environmental controls (fire suppression, temp controls) (c) deep-level network and system security (firewalls, a/v, content filters, other net security devices) (d) better coding practices
Most compliance regulations & standards include these key factors for data security:
(a) proper protection of data through network security principles and tech (firewalls & antimalware devices) (b) strong user account & password management for access control (c) use of encryption (d) extensive logging and auditing to monitor and analyze reports, have audit trails for evidence
Audits
(a) routine audits of security procedures & policies are integral part of continuous security awareness (b) review and analyze data logs to compare to current policies and level of incidents that occur (c) access to logs should be preserved and analyzed (d) audits performed at all levels
Employee termination process includes
(a) securing the work area (b) returning id and company equipment (c) suspending computer accounts
Operational risk controls?
(a) security for day-to-day organizational business activities
HIPAA - Health Insurance Portability and Accountability Act
(a) set of compliance regulations (b) protects confidential patient data
Acceptable Use Policy
(a) set of established guidelines for the appropriate use of computer networks within an organization
Limited Partnerships
(a) similar to General, but more complex (b) allows partners to have limited liability & corresponding input based on the investment percentage
PCI - Payment Card Industry
(a) standards defined for companies that process credit card transactions (b) protect against fraud and identity theft (c) guide for storing and communicating financial data
To best protect organizational assets, important to consider best practices encompassing:
(a) technical (b) managerial (c) operational
Technical risk controls?
(a) technical measures deployed to mitigate security risks
Due Care, Diligence, Process
(a) terms that apply to the implementation and enforcement of company-wide security policies
Avoidance
(a) typically used when the cost to mitigate a threat that is unlikely or has little impact means it is not worth implementing (b) take certain steps to avoid the risk altogether when the benefits are not worth the great security risk
SLA - Service Level Agreement
(a) understanding between a supplier of services and the users of those services that the service in question will be available for a certain % of time
What is used so that procedures are in place to deal with security incidents?
Incident response policy
Which Organizational Policy also includes user education and vigilant monitoring/testing to make sure plans are adhered to & activities are constantly analyzed to protect against new threats?
Operational risk control
Policy that describes distribution, protection, and confidentiality of customer data?
Privacy
Unplanned changes in your network could indicate
Security breaches
Template and procedures for risk mitigation is called?
Security policies
Which controls perform the bulk of the risk mitigation and deterrence that have been defined in your organizational risk analysis?
Technical risk control
Annual Loss Expectancy (ALE)
calculated by multiplying the ARO x SLE
Annual Rate of Occurrence (ARO)
chance of a risk occurring
Separation of duties
ensures that one single individual isn't tasked with high-security and high-risk responsibilities
Due diligence
ensures these security policies are properly implemented
Company practices due diligence by
implementing and maintaining these security procedures at all times to protect the company's facilities, assets, employees
False positive
legitimate action that is perceived as a risk or threat
Privacy policies
must be easy to find and provide information on how to opt out of any use of personal information
Job rotation
no employee retains the same amount of access control for a particular responsibility for a period of time; prevents internal corruption
Specific separation of duties ensures
one individual isn't tasked with high-security and high-risk responsibilities
Users should have
only the access rights they need to perform their job functions
Using Organizational Policies to Reduce Risk
organizational security is critical for a company's risk management plan and needs proper detail, communication, and adherence by employees in their activities through the use of policies
Single Loss Expectancy (SLE)
potential loss of revenue based on a specific period of downtime
Due process
process ensures an impartial and fair inquiry into violations of company policies
Qualitative
risk analysis includes intangible factors in determining costs
Quantitative
risk analysis is strict dollar-amount calculation of exact cost of the loss or a specific company asset because of a disaster
False negative
security issue that has passed your security controls as a legitimate action; this one is worse
Acceptable use policy
set of established guidelines for the appropriate use of computer networks
Mitigation
specific risks must be mitigated using countermeasures
Due care
taking the necessary responsibility and steps to protect the company and the employees
Risk Assessment
use to understand current risks, their probability and impact, and the solutions to prevent them
Mandatory vacations
employees must take vacation at specific times of the year or use all of their allotted vacation days in a single year; helps detect fraud or other anomalies