Chapter 3 Policies, Procedures, and Awareness
Interoperability agreement
Covers 3rd parties and outsourced services (web hosting, payroll services, firewall, etc.). Where is my organization's data? Who do they hire? What access controls are in place? Include the legal department.
California Database Security Breach Act
A California state law that specifies that any agency, person, government entity, or company that does business in the state of California must inform California residents within 48 hours if a database breach or other security breach occurs in which personal information has been stolen or is believed to have been stolen.
GLBA
A US federal law designed to protect private information held at financial institutions.
Patriot Act
A US federal law that gives law enforcement the authority to request information from organizations to detect and suppress terrorism.
Sarbanes-Oxley (SarBox) Act
A US federal law that requires publicly traded companies to adhere to very stringent reporting requirements and implement strong controls on electronic financial reporting systems.
HIPAA
A US federal law that specifies that all organizations must protect the health information that they maintain.
Countermeasure
A countermeasure is a means of mitigating the potential risk.
Waterfall Planning
A development model sequential in its layout, with phases that contain a series of instructions that must be executed and documented before the next phase can begin.
Extreme Programming
A development model that values simplicity, feedback, courage, and communication and brings the entire team of developers, managers, and customers together so that adequate feedback and evaluations can be provided.
Clean Room
A development model used for high-quality software where all levels of development are tested for bugs and defects with the goal of finding problems before they can mature.
Ad Hoc
A development model where qualified developers are given a project without a consistent team, funding, or schedule.
Non-Disclosure Agreement
A legal contract between an organization and an employee that specifies that the employee is not to disclose the organization's confidential or proprietary information to anyone outside the organization.
NCA
A legal contract between the organization and the employee that specifies that the employee is not to work for a competing organization for a specified time after the employee leaves the organization
Loss
A loss is the real damage to an asset that reduces its confidentiality, integrity, or availability.
Social Engineering
A malicious attempt to fraudulently acquire sensitive information that is usually accomplished using impersonations.
Computer-Aided Software Engineering (CASE)
A method of using computers to help with the systematic analysis, development, design, and implementation of software.
Structured Programming
A method used by programmers that uses layering, modularity, and segmenting to allow for optimal control over coherence, security, accuracy, and comprehensibility.
Spiral
A mix of the waterfall model and the prototype model in which a prototype is developed and tested using the waterfall method.
BCP
A plan for recovering and restoring critical functions after a catastrophic disaster or extended disruption.
Disaster Recovery Plan (DRP)
A plan for resumption of applications, data access, hardware, communications, and other IT infrastructure in case of disaster.
AUP
A policy that defines how users should use the information and network resources in an organization.
Password Policy
A policy that details the requirements for passwords used in an organization.
User Management Policy
A policy that identifies actions to follow when employee status changes to ensure the security of the system, including hiring new employees, promoting and transferring employees, and terminating employees.
Privacy Policy
A policy that outlines how the organization will secure private information for employees, clients, and customers.
Configuration/Change Management Policy
A policy that regulates changes to policies, practices, and equipment that could impact the security of your IT infrastructure.
Authorized access policy
A policy that specifies access controls that are employed on a network.
HR Policy
A policy used by HR that defines hiring and termination processes, job rotation requirements, and personal time off procedures.
User Education and Awareness Policy
A policy with provisions for user education and awareness training.
Reporting System
A procedure to immediately report the loss of a device will enable the device to be disabled quickly and reduce the chance of confidential information being compromised.
Guideline
A recommendation that is used when a specific standard or procedure does not exist.
Regulation
A requirement published by a government or other licensing body that must be followed.
Collusion
A situation in which multiple employees conspire to commit fraud or theft.
Vishing
A social engineering attack that exploits voice-over-IP telephone services to gain access to an individual's personal and financial information, including their government ID number, bank account numbers, or credit card numbers.
Email Hoax
A social engineering attack that preys on email recipients who are fearful and will believe most information if it is presented in a professional manner.
Spear Phishing
A social engineering attack that targets specific individuals within a company to gain access to information that will allow the attacker to gain commercial advantage or commit fraud.
Phishing
A social engineering attack that usually involves sending emails that are purported to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
Watering Hole
A social engineering attack where the victim is a group like an organization, an industry, or a region and where the attacker guesses or observes which websites the group uses and infects one or more of them with malware.
Whaling
A spear phishing attack that targets senior executives and high-profile victims.
Baseline
A standard that dictates the settings and security mechanisms that must be imposed on a system in order to comply with required security standards.
Procedure
A step-by-step process that outlines how to implement a specific action.
Cost-Benefit Analysis
A systematic approach to calculating and comparing the benefits and costs of a course of action in a given situation.
SDLC
A systematic, seven-phase method for design, development, and change management used for software development and the implementation of system and security projects.
Threat Vector
A threat vector is a path or means that an attacker can use to compromise the security of a system.
Prototype
A type of iterative development that was made to combat the weaknesses of waterfall-based models.
SLE equals
AV × EF (asset value × exposure factor)
Annual Loss Expectancy equals
AV × EF × ARO (= SLE × ARO)
Scarcity
An active social engineering technique that attempts to make people believe that if they don't act quickly, they will miss out on an item, opportunity, or experience.
Urgency
An active social engineering technique that attempts to make people believe they must act quickly to avoid imminent damage or suffering.
Authority
An active social engineering technique that involves the impersonation of legal, organizational, and social authorities.
Consensus
An active social engineering technique that leverages peoples' willingness to perform an act if others have already performed the act.
Familiarity
An active social engineering technique that leverages peoples' willingness to perform an act requested by someone they are familiar with.
Intimidation
An active social engineering technique that usually involves an attacker impersonating a manager or director to frighten lower-level employees to gain information.
Delphi
An asset prioritization method that uses an anonymous survey to determine the value of an asset.
Authorized Access
An authorized access policy documents access control to company resources and information. This policy specifies who is allowed to access the various systems of the organization.
Plans and policies most effective
Assess the risk, Create a policy, Implement policy, Train on the policy, Audit
Implementing security controls to reduce risk
Compatibility with infrastructure, effectiveness, regulatory compliance, organizational policies, operational impact, feasibility, safety and reliability
Security planning
Comply, Ethical, Due Care, due diligence (prudent man rule)
Storage Segmentation
Consider segmenting personal data from organizational data on mobile devices
Employee privacy legality
Define the types of actions and communications monitored, communicate all monitoring activities, apply monitoring to everyone, ensure legal compliance
Prototype milestones
Definition of initial concept, implementation of initial prototype, refinement of prototype until functional, completion and release
Sample data retention rules
Delete email messages after 90 days, tax-related information for seven years, employee records for four years after, keep research design or patent documents for 25 years, keep contracts with vendors and partners for five years after a contract has ended, delete employee files after one year
Tailgating or Piggybacking
Entering a secure building by following an authorized employee through a secure door without providing identification.
Configuration Management
Establishes hardware, software, and infrastructure configurations; tracks and documents changes; assesses the risk of implementing new processes, hardware, or software; requires proper testing
Virus Hoax
False reports about non-existent viruses that often claim to do impossible things that cause recipients to take drastic action, like shutting down their network.
Security Awareness
Familiarize employees with the security policy; communicate standards, procedures, and baselines that apply to an employee's job; establish ownership; establish reporting procedures for suspected security violations; follow up on employee and organizational compliance
Software Installation and Implementation
Formal functional testing by users; all bugs, vulnerabilities, and risks should be evaluated and documented; user guides and operational manuals are written; certification, accreditation, and auditing are performed
ranked accuracy
GPS, Wi-Fi triangulation, cell triangulation, IP address resolution
Passive Social Engineering
Gathering information or gaining access to secure areas by taking advantage of peoples' unintentional actions.
Active Social Engineering
Gathering information or gaining access to secure areas through direct interaction with users.
Post-identification and valuation guidelines
How to store the asset, How to provide access to the asset, How to transfer and move the asset, How to destroy or dispose of the asset
Change control process steps
Identify the need, get approval, feasibility analysis, implement change method, implement, test for CIA, document the change, analyze feedback, roll back if necessary
Shoulder Surfing
Looking over the shoulder of someone working on a computer to view usernames, passwords, or account numbers.
Manageable network plan
NSA process to make a network manageable, defensible, and secure
Ownership of materials agreement
Organization owns IP
Physical security procedures
Physical security procedures Choosing a secure site and securing the facility, Protecting both data and equipment from theft, destruction, or compromise, Implementing environmental and safety measures to protect personnel and the facility, disposing of sensitive material that is no longer needed
Effective security policy
Planned, Maintained, Used
Employee Management
Pre-employment processing, agreement documents, monitoring, termination procedures
Object-Oriented Programming (OOP)
Programming based on the organization of objects rather than actions that uses pre-assembled programming code in a self-contained module that encapsulates a segment of data and its processing instructions.
Ongoing Operations
Regularly verify compliance with the IA documents; communicate with prospective 3rd parties
waterfall milestones
Requirements, design, implementation, testing, deployment, maintenance
3rd party offboarding
Reset or disable any VPN, firewall, router, or switch configurations; disable any domain trust relationships; disable any user and group accounts; reset any passwords
Risk
Risk is the likelihood of a vulnerability being exploited. Reducing the vulnerability or minimizing the threat agent reduces the risk.
IA includes
SLA, BPO/BPA (blanket purchase), MOU, ISA
Quantitative value of risk
SLE(ARO) = ALE
Mobile Device Management
Software that allows IT admins to control, secure, and enforce policy on devices
Resource Allocation
Staffing, technology, budgets
Onboarding
The activities involved in setting up the work environment for new employees.
Offboarding
The activities involved when an employee resigns, retires, or is terminated.
Provisioning
The configuration, deployment, and management of IT system resources, including mobile devices
Asset Tracking and Inventory Control
The make and model number of the device, The device serial number, The operating system version number, The date the device was purchased and the vendor it was purchased from, The end-of-warranty date for the device, The vendor providing support for the device, The employee to whom the device has been issued
Risk Assessment
The practice of determining which threats identified are relevant and pressing to the organization and then attaching a potential cost that can be expected if the identified threat occurs.
Principle of Least Privilege
The practice of granting each user or group of users only the necessary access to do their job or perform their official duties.
Dumpster Diving
The process of looking in the trash for sensitive information that was not properly disposed of.
Fraud
The use of deception to divert company assets or profits to an employee.
Exposure
The vulnerability to losses from a threat agent.
Threat Probability
Threat probability is the likelihood that a particular threat will occur that exploits a specific vulnerability.
Business Impact Analysis
What are your critical business functions? What is impacted? How long will you be impacted? What is the impact to the bottom line?
System design key security decisions
Access controls, rights and permissions, encryption algorithms
Milestone
An action or event with a significant change when implementing a manageable network plan
BCP manual
Analysis, solution design, implementation, testing and organization acceptance, maintenance; identifies and prioritizes critical functions
ALE
Annual loss expected from an incident: ARO × SLE
ARO
Annual rate of occurrence of a threat attack
application vulnerability life cycle
App release, bugs discovered by hackers, hackers publish bugs, vendor patch, app users install the patches, hackers continue
Asset Classification
Assigns appropriate value and protection levels; helps with value- and duration-based handling, sensitivity, and legal and regulatory compliance requirements; affects the storage and access controls required to protect the asset.
Data retention
Archiving, destroying, handling
mean time to repair
Average time required to repair a failure
Pre-employment
Background check: check references, job history, education, criminal background, credit history
Security awareness reminders
Banners, newsletters, reminders
MOU
Both sides agree on the contents of the memorandum; usually includes statements of confidentiality; informal letter of intent (not a signed contract)
Values
Business values that govern day-to-day actions
Sensitivity vs. Risk
Categories, budget, ranking using chart quadrants
Every aspect
Change control will monitor and manage...
Software Development and Coding
Coding, testing, validation
3rd party onboarding
Compare security policies and infrastructure: similar incident response procedures, security controls used by each party, similar audit policies, similar or compatible enough to work together, will the integration expose vulnerabilities and risks; data ownership: identify who will be responsible for protecting data, how privacy will be protected, classification labels, how data will be shared
Request Process
Controls who is issued a device and what information is put on the device.
System design output
Data, procedural, and architectural design
role based awareness
Data owner, system administrator, system owner, user, privileged user, executive user
End of life
Destroying, overwriting, archiving
Risk register
Details of each known risk, including a risk category, description, unique identification number, projected impact, likelihood of occurring, and risk response plan
Order of restoration
Different applications have different priorities; a well-defined order; may change based on the calendar
Termination
Disable accounts, exit interview, remind of NDA/NCA, collect assets, archive email and voicemail, clean out workspace, escort
risk acceptance
Do nothing as the response
prepare to document
Easy to use; detail the important things; timestamps; restricted access/encrypted; hard copy
User management
Employee status change: network access, equipment configuration, software configuration
Personal responsibility
Each employee is responsible for upholding the code of ethics (COE)
Reach your network
Ensure physical and remote access; remove insecure protocols; AUTOMATE
Privacy impact assessment
Ensures compliance; what PII is collected and why; how PII is collected, used, and secured
Hot sites
Exact replica, stocked and kept updated; flip the switch and go
3 items of GLBA
Financial privacy rule, safeguard rule, pretexting protection
Privacy threshold assessment
First step in compliance; identify business processes that are privacy-sensitive; determine if a privacy impact assessment is required
Change control
Formal process for managing change; avoids downtime, confusion, and mistakes
System Design
Functional model, behavioral model, informational model
High cohesion
The functions performed by a module are related and clearly defined
Principles
Fundamental truths or rules that support values
Recovery time objective
Get up and running quickly; get back to a particular service level
modular coding
High cohesion, low coupling
Human Resources
Hiring, termination, job rotation, mandatory vacations
ISA
Defines how the parties are connected and what data is shared; used by federal agencies to define security controls
Succession Planning
Identify and develop internal candidates who can swap into positions
security practices
Industry-standard frameworks, security reference architectures, benchmarks and secure configuration guides
Asset
Information, infrastructure, support services
Annualized Rate of Occurrence
Likelihood derived from insurance and crime statistics
Transferring risk
Buying insurance to protect the asset
User education awareness
Internal: communicate standards, procedures, baselines, ownership, reporting
Warm site
Just enough to get going; a big room with rack space; hardware ready and waiting; bring the application and data
medium exercise
A larger number of individuals get together and work through a larger-scale simulation that incorporates many parts of the BCP
Risk deterrence
Letting threat agents know of the consequences they face if they choose to attack the asset
Control your network
Limit users; limit admins; regular accounts for day-to-day work; role-based access; users unable to install software; account expiration; disable and remove accounts
Manage your network 2
List approved apps; criteria for each app approval; verify apps; device baselines; secure web browsers; check security misconfigurations against baselines
protect your network
List users; list high-value assets; list trust boundaries; list choke points; segregate and isolate; isolate server functions; physically secure high-value systems
factors in retention policy
Litigation and criminal investigations
Security control types
Management, operational, technical
MDT
Maximum downtime
SLA
Minimum terms for services provided (uptime, response agreement, etc.); defines dispute resolution
Low coupling
Modules are not dependent on other modules, and changes in one module will not require changes in another module
COE expectations
Moral, ethical, and legal behavior; mind your professional reputation and that of the profession; report activity
Strong passwords
Multiple character types, 8+ characters, no part of the username or email
secondary processing sites
A mutual aid agreement with another similar organization; hot, warm, or cold sites (alternate sites with varying degrees of availability and feasibility); or a service bureau, a contracted organization that assists in the event of a disaster.
PII
Name, address, telephone, license, SSN, credit card number, email
Change control process
Need request, feasibility analysis, document for management approval, change plan to developers, test the change, document the change, release
Map your network
Network topology, device list, protocol list
Passwords
Never reuse the same password; disable/lock accounts; password rotation
MOA
The next step above an MOU; both sides agree to objectives; a legal document that, unlike a contract, may not contain legally enforceable promises
Cold sites
No hardware, data, or people
Quantitative analysis
Assigns numbers to the costs of damages and countermeasures, including probability. There is no strictly quantitative analysis.
Asset identification
Identifying the organization's resources.
Employee monitoring agreement
The organization's monitoring activities (e.g., cameras)
Project Initiation
Original/profitable idea; initial security objectives are defined; timelines; user-based concept development; security objectives that the software needs to meet are created; initial risk analysis
COPPA
Parental consent; minimal information required for participation
Manage your network 1
Patch; AUTOMATE
Operations and Maintenance
Patching and changes; security functions should remain intact; security-related patches
Exposure factor
Percentage of the asset lost because of a successful threat attack
Tangible asset
A physical item such as a computer, storage device, or document
Never delete
Data after it has been subpoenaed, or if you have reason to believe that it may be subpoenaed. Destruction of evidence and obstruction of justice are serious crimes that could result in jail time.
MTBF
Predicted elapsed time between failures
NSA manageable network plan milestones
Prepare to document, map your network, protect your network, reach your network, control your network, manage your network 1, manage your network 2, document your network
Risk Management
The process of identifying vulnerabilities and threats and then deciding which countermeasures will reduce those risks to an acceptable level. Reduces an organization's risk to a level deemed acceptable by senior management.
Document your network
Processes, procedures
Functional Design
Project plan; security activities and checkpoints; design documentation; limited resources allocated to the project; security framework; evaluation criteria are identified; application framework; prototype.
Recovery point objective
The quantity of data loss beyond which the BCP is exceeded. How much data loss is acceptable? When bringing the system back online, how far back does the data go?
Agile
Ready, shoot, aim, repeat; sprints
Retention and destruction policy allows
Reduced cost of discovery requests, reduced exposure during discovery, reduced hardware and software requirements
Change Control
Regulates changes to policies and practices that could impact security
Release
Released to the librarian for disposition into production
Residual risk
The risk remaining after countermeasures are applied
Organization security includes
Roles and responsibilities, acceptable management, enforcement of policy
Code of Ethics
Rules or standards that help you to act ethically in various situations.
Qualitative analysis
Uses scenarios to identify risks and responses; speculative; results in relative costs or rankings.
Collusion countermeasures
Separation of duties, two-man control, least privilege, mandatory vacations
BPO/BPA (blanket purchase)
Service provision as an ongoing process; discounted pricing; commonly seen between manufacturers and resellers
exit interview
Signature as evidence; recognition of violations; recognition of grounds for termination
Risk rejection
Simply not responding to the risk
tabletop exercise
A small number of individuals get together and test just one part of the BCP
Vulnerabilities may exist
Software, operating system, and hardware vulnerabilities; lax physical security; weak policies and procedures
Distributive Allocation
Spreading risk through redundancy and high-availability techniques such as clustering, load balancing, and redundant storage arrays
Code Escrow Agreement
Storage and release of source code; the customer obtains change rights if the vendor goes out of business
Feasibility analysis
Technical feasibility, cost justification, security review
Major production developed by programmers
Tested; no unintentional back doors (maintenance hooks); modular coding; no vulnerable function calls; dynamic code analysis; peer code review; design and architectural patterns; each task performed by a different group
SLA guarantees
Turnaround, response, number of online users, utilization rates, uptimes, volumes, production problems
Eavesdropping
Unauthorized listening
Post data retention policy
Use information classification labels to identify which retention policy rule is to be applied to specific data.
Comparative
Valuation on an arbitrary qualitative scale ranking
Intangible asset
Has value and may be saleable even though it is not physical or material
complex exercise
A very large number of individuals and a very realistic scenario that may involve full-scale practice exercises.
CBF
Vital business activities
Single Loss Expectancy
What is the monetary loss if a single event occurs?
clean desk policy
When you leave, nothing is left on the desk; reduces exposure of confidential information
Data sovereignty
Data follows the laws of the place where it resides; legal monitoring may require a court order; you may not be able to move the data out
Asset valuation
The worth of a resource to the organization; establishes the level of protection appropriate for each asset.