Chapter 3 Policies, Procedures, and Awareness

Interoperability agreement

3rd parties and outsourced services web hosting, payroll services, firewall etc where is my ORG data, who do they hire? what access controls are in place? legal department included

California Database Security Breach Act

A California state law that specifies that any agency, person, government entity, or company that does business in the state of California must inform California residents within 48 hours if a database breach or other security breach occurs in which personal information has been stolen or is believed to have been stolen.

GLBA

A US federal law designed to protect private information held at financial institutions.

Patriot Act

A US federal law that gives law enforcement the authority to request information from organizations to detect and suppress terrorism.

sarbox act

A US federal law that requires publicly traded companies to adhere to very stringent reporting requirements and implement strong controls on electronic financial reporting systems.

HIPPA

A US federal law that specifies that all organizations must protect the health information that they maintain.

Countermeasure

A countermeasure is a means of mitigating the potential risk.

Waterfall Planning

A development model sequential in its layout, with phases that contain a series of instructions that must be executed and documented before the next phase can begin.

Extreme Programming

A development model that values simplicity, feedback, courage, and communication and brings the entire team of developers, managers, and customers together so that adequate feedback and evaluations can be provided.

Clean Room

A development model used for high-quality software where all levels of development are tested for bugs and defects with the goal of finding problems before they can mature.

Ad Hoc

A development model where qualified developers are given a project without a consistent team, funding, or schedule.

Non-Disclosure Agreement

A legal contract between an organization and an employee that specifies that the employee is not to disclose the organization's confidential or proprietary information to anyone outside the organization.

NCA

A legal contract between the organization and the employee that specifies that the employee is not to work for a competing organization for a specified time after the employee leaves the organization

Loss

A loss is the real damage to an asset that reduces its confidentiality, integrity, or availability.

Social Engineering

A malicious attempt to fraudulently acquire sensitive information that is usually accomplished using impersonations.

Computer-Aided Software Engineering (CASE)

A method of using computers to help with the systematic analysis, development, design, and implementation of software.

Structured Programming

A method used by programmers that uses layering, modularity, and segmenting to allow for optimal control over coherence, security, accuracy, and comprehensibility.

Spiral

A mix of the waterfall model and the prototype model in which a prototype is developed and tested using the waterfall method.

BCP

A plan for recovering and restoring critical functions after a catastrophic disaster or extended disruption.

Disaster Recovery Plan (DRP)

A plan for resumption of applications, data access, hardware, communications, and other IT infrastructure in case of disaster.

AUP

A policy that defines how users should use the information and network resources in an organization.

Password Policy

A policy that detail the requirements for passwords used in an organization.

User Management Policy

A policy that identify actions to follow when employee status changes to ensure the security of the system, including hiring new employees, promoting and transferring employees, and terminating employees.

Privacy Policy

A policy that outlines how the organization will secure private information for employees, clients, and customers.

Configuration/Change Management Policy

A policy that regulate changes to policies, practices, and equipment that could impact the security of your IT infrastructure.

Authorized access policy

A policy that specifies access controls that are employed on a network.

HR Policy

A policy used by HR that defines hiring and termination processes, job rotation requirements, and personal time off procedures.

User Education and Awareness Policy

A policy with provisions for user education and awareness training.

Reporting System

A procedure to immediately report the loss of a device will enable the device to be disabled quickly and reduce the chance of confidential information being compromised.

Guideline

A recommendation that is used when a specific standard or procedure does not exist.

Regulation

A requirement published by a government or other licensing body that must be followed.

Collusion

A situation in which multiple employees conspire to commit fraud or theft.

Vishing

A social engineering attack that exploits voice-over-IP telephone services to gain access to an individual's personal and financial information, including their government ID number, bank account numbers, or credit card numbers.

Email Hoax

A social engineering attack that preys on email recipients who are fearful and will believe most information if it is presented in a professional manner.

Spear Phishing

A social engineering attack that targets specific individuals within a company to gain access to information that will allow the attacker to gain commercial advantage or commit fraud.

Phishing

A social engineering attack that usually involves sending emails that are purported to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.

Watering Hole

A social engineering attack where the victim is a group like an organization, an industry, or a region and where the attacker guesses or observes which websites the group uses and infects one or more of them with malware.

Whaling

A spear phishing attack targeted that targets senior executives and high-profile victims.

Baseline

A standard that dictates the settings and security mechanisms that must be imposed on a system in order to comply with required security standards.

Procedure

A step-by-step process that outlines how to implement a specific action.

Cost-Benefit Analysis

A systematic approach to calculating and comparing the benefits and costs of a course of action in a given situation.

SDLC

A systematic, seven-phase method for design, development, and change management used for software development and the implementation of system and security projects.

Threat Vector

A threat vector is a path or means that an attacker can use to compromise the security of a system.

Prototype

A type of iterative development that was made to combat the weaknesses of waterfall-based models.

equals SLE

AV(EF)

equals Annual Loss Expectancy

AV(EF)ARO

Scarcity

An active social engineering technique that attempts to make people believe that if they don't act quickly, they will miss out on an item, opportunity, or experience.

Urgency

An active social engineering technique that attempts to make people believe they must act quickly to avoid imminent damage or suffering.

Authority

An active social engineering technique that involves the impersonation of legal, organizational, and social authorities.

Consensus

An active social engineering technique that leverages peoples' willingness to perform an act if others have already performed the act.

Familiarity

An active social engineering technique that leverages peoples' willingness to perform an act requested by someone they are familiar with.

Intimidation

An active social engineering technique that usually involves an attacker impersonating a manager or director to frighten lower-level employees to gain information.

Delphi

An asset prioritization method that uses an anonymous survey to determine the value of an asset.

Authorized Access

An authorized access policy documents access control to company resources and information. This policy specifies who is allowed to access the various systems of the organization.

Plans and policies most effective

Assess the risk, Create a policy, Implement policy, Train on the policy, Audit

Implementing security controls to reduce risk

Compatibility infrastructure Effectiveness Regulatory compliance Organizational policies Operational impact Feasibility Safety and reliability

Security planning

Comply, Ethical, Due Care, due diligence (prudent man rule)

Storage Segmentation

Consider segmenting personal data from organizational data on mobile devices

Employee privacy legality

Define the types actions and communications, communicate all monitoring activities, apply to all, legal compliance

Prototype milestones

Definition of initial concept implementation of initial prototype refinement of prototype until functionable complete and release

Sample data retention rules

Delete email messages after 90 days, tax-related information for seven years, employee records for four years after, keep research design or patent documents for 25 years, keep contracts with vendors and partners for five years after a contract has ended, delete employee files after one year

Tailgating or Piggybacking

Entering a secure building by following an authorized employee through a secure door without providing identification.

Configuration Management

Establishes hardware, software, and infrastructure configurations, track and document changes, assess risk of implementing new processes, hardware, or software, proper testing

Virus Hoax

False reports about non-existent viruses that often claim to do impossible things that cause recipients to take drastic action, like shutting down their network.

Security Awareness

Familiarize employees with the security policy, Communicate standards, procedures, and baselines that apply to an employee's job, ownership, establish reporting procedures for suspected security violations, follow up with employee and org compliance

Software Installation and Implementation

Formal functional testing by users, All bugs vulnerabilities and risks should be evaluated and documented, user guides and operational manuals, certification accreditation, and auditing are performed

ranked accuracy

GPS WIFI tri Cell tri IP address resolution

Passive Social Engineering

Gathering information or gaining access to secure areas by taking advantage of peoples' unintentional actions.

Active Social Engineering

Gathering information or gaining access to secure areas through direct interaction with users.

post identification and valuation guidlines

How to store the asset, How to provide access to the asset, How to transfer and move the asset, How to destroy or dispose of the asset

Change control process steps

Identify the need get approval feasibility analysis implement change method implement test for CIA document the change analyze feedback rollback if necessary

Shoulder Surfing

Looking over the shoulder of someone working on a computer to view usernames, passwords, or account numbers.

Manageable network plan

NSA process to make a network manageable, defensible, and secure

Ownership of materials agreement

Organization owns IP

Physical security procedures

Physical security procedures Choosing a secure site and securing the facility, Protecting both data and equipment from theft, destruction, or compromise, Implementing environmental and safety measures to protect personnel and the facility, disposing of sensitive material that is no longer needed

Effective security policy

Planned, Maintained, Used

Employee Management

Pre-employment processing agreement documents monitoring termination procedures

Object-Oriented Programming (OOP)

Programming based on the organization of objects rather than actions that uses pre-assembled programming code in a self-contained module that encapsulates a segment of data and its processing instructions.

Ongoing Operations

Regularly verify compliance with the IA documents communicate with prospective 3rd party

waterfall milestones

Requirements design implementation testing deployment maintenance

3rd party offboarding

Reset or disable any VPN, firewall, router, or switch configurations Disable any domain trust relationships Disable any user and group accounts Reset any passwords

Risk

Risk is the likelihood of a vulnerability being exploited. Reducing the vulnerability or minimizing the threat agent reduces the risk.

IA includes

SLA BPO/BPA (blanket purchase) MOU ISA

Quantitative value of risk

SLE(ARO) = ALE

Mobile Device Management

Software that allows IT admin to control secure and enforce policy

Resource Allocation

Staffing Technology Budgets

Onboarding

The activities involved in setting up the work environment for new employees.

Offboarding

The activities involved when an employee resigns, retires, or is terminated.

Provisioning

The configuration, deployment and management of IT system resources, including mobile devices

Asset Tracking and Inventory Control

The make and model number of the device, The device serial number, The operating system version number, The date the device was purchased and the vendor it was purchased from, The end-of-warranty date for the device, The vendor providing support for the device, The employee to whom the device has been issued

Risk Assessment

The practice of determining which threats identified are relevant and pressing to the organization and then attaching a potential cost that can be expected if the identified threat occurs.

Principle of Least Privilege

The practice of granting each user or group of users only the necessary access to do their job or perform their official duties.

Dumpster Diving

The process of looking in the trash for sensitive information that was not properly disposed of.

Fraud

The use of deception to divert company assets or profits to an employee.

Exposure

The vulnerability to losses from a threat agent.

Threat Probability

Threat probability is the likelihood that a particular threat will occur that exploits a specific vulnerability.

Business Impact Analysis

What are your crit business fx's? What is impacted? How long will you be impacted? what's the impact to the bottom line?

System design key security decisions

access controls rights and permissions encryption algorithms

Milestone

action or even with significant change when implementing a manageable network plan

BCP manual

analysis solution design implementation testing and organization acceptance maintenance identifies and prioritizes critical functions

ALE

annual loss expected from an incident ARO x SLE

ARO

annual rate of occurrence of a threat attack

application vulnerability life cycle

app release, bugs discovered by hackers, hackers publish bugs, Vendor patch, app users install the patches, hackers continue

Asset Classification

appropriate value and protection levels, helps with value and duration based, sensitivity, legal and regulatory compliance requirements, affects storage and access controls required to protect the asset.

Data retention

archiving destroying handling

mean time to repair

average time required to repair a failure

Pre-employment

background check check refs job history education check criminal bg check credit history

Security awareness reminders

banners newsletters reminders

MOU

both sides agree on contents of memorandum usually includes statements of confidentiality informal letter of intent (not signed contact)

Values

business values that govern day to day actions

Sensitivity vs. Risk

categories, budget, ranking using chart quadrants

Every aspect

change control will monitor and manage...

Software Development and Coding

coding testing validation

3rd party onboarding

compare security policies and infrastructure similar incident response procedures security controls used by each party similar audit policies similar compatible enough to work together will the integration expose vulnerabilities risks data ownership Identify who will be responsible for protecting data how privacy will be protected classification labels Identify how data will be shared

Request Process

control who is issued a device and what information is put on the device.

System design output

data procedural architectural design

role based awareness

data owner, sysadmin, sysowner, user, priv user, exec user

End of life

destroying overwriting archiving

Risk register

details of each known risk, including a risk category, description, unique identification number, projected impact, likelihood of occurring, and risk response plan

Order of restoration

different app priorities well defined order may change based on calendar

Termination

disable accounts exit interview remind NDA/NCA collect assets archive email and voice clean out workspace escort

risk acceptance

do nothing as response

prepare to document

easy to use detail important things timestamps restricted access/encrypted hard copy

User management

employee status change: network access, equipment config, software config

Personal responsibility

employee to uphold COE

Reach your network

ensure physical and remote access remove insecure protocols AUTOMATE

Privacy impact assessment

ensures compliance what and why PII how collected, used, and secured PII

Hot sites

exact replica stocked updated flip and switch GO

3 items of GLBA

finacncial privacy rule, safeguard rule, pretexting protection

Privacy threshold assessment

first step in compliance identify business process that are privacy-sensitive determine if a privacy impact assessment is required

Change control

formal process for managing change avoid downtime, confusion and mistakes

System Design

functional model behavioral model informational model

High cohesion

functions performed by a module are related and clearly defined

Principles

fundamental truths or rules that support values

Recovery time objective

get up and running quickly get back to a particular service level

modular coding

high cohesion low coupling

Human Resources

hiring, termination, job rotation, mandatory vacations

ISA

how connected and what data is shared used by Feds to define security controls

Succession Planning

identify and devlop internal swap positions

security practices

industry-standard frameworks, security reference architectures, benchmarks and secure configuration guides

Asset

information infrastructure support services

Annualized Rate of Occurrence

insurance and crime statistics likelihood

Transferring risk

insurance to protect the asset

User education awareness

internal:communicate standards, procedures, baselines, ownership, reporting

Warm site

just enough to get going big room with rack space hardware ready and waiting bring app and data

medium exercise

larger number of individuals get together and work though a larger-scale simulation that incorporates many parts of the BCP

Risk deterrence

letting threat agents know of the consequences they face if they choose to attack the asset

Control your network

limit users limit admins regular accounts for day to day role based access unable to install account expiration disable and remove accounts

Manage your network 2

list approved apps criteria for each app approval verify apps device baselines secure web browsers check security misconfig baselines

protect your network

list users list high value assets list trust boundaries list choke points segregate and isolate isolate server fx's physically secure high value systems

factors in retention policy

litigation and criminal investigations

Secuity control types

management, operational, technical

MDT

maxiumum down tim

SLA

minimum terms for services provided uptime, response agreement, etc defines dispute resolution

Low coupling

modules not dependent on another module and that changes in the module will not require changes in another module

COE expectations

moral, ethical, and legal behavior, mind professional reputation or of profession, report activity

Strong passwords

multiple char types 8+ no part of user/email

secondary processing sites

mutual aid agreement with another similar organization; hot, warm or cold sites, alternate sites with varying degrees of availability and feasibility; or, a service bureau, a contracted organization to assist in the event of disaster.

PII

name, address, tele, license, SSN, cc#, email

Change control process

need request feasibility analysis Document management for approval change plan to developers test the change document the change release

Map your network

network topology device list protocol list

Passwords

never the same password disable/lock accounts password rotation

MOA

next step above MOU both sides agree to objectives legal document unlike a contract, may not contain legally enforceable promises

Cold sites

no hardware data ppl

Quantitative analysis

numbers to the costs of damages and countermeasures including probability. There is no strick Quant

Asset identification

organization's resources.

Employee monitoring agreement

organizations monitoring activities (cameras)

Project Initiation

original/profitable idea, initial security objectives are defined, timelines, users-based concept development, security objectives that the software needs to meet are created, initial risk analysis

COPPA

parental consent, minimal info for participation

Manage your network 1

patch AUTOMATE

Operations and Maintenance

patching and changes security functions should remain intact security-related patches

Exposure factor

percentage of the asset lost because of a successful threat attack

Tangible asset

physical item such as a computer, storage device, or document

Never delete

post subpoenaed or if you have reason to believe that it may be subpoenaed Destruction of evidence and obstruction of justice are serious crimes that could result in jail time.

MTBF

predicted elapsed time between failures

NSA manageable network plan milestones

prepare to document map your network protect your network reach your network control your network manage your network 1 manage your network 2 document your network

Risk Management

process of identifying vulnerabilities and threats and then deciding which countermeasures will reduce those risks to an acceptable level. Reduce an organization's risk deemed acceptable by senior management.

Document your network

processes procedures

Functional Design

project plan, Security activities and checkpoints, Design documentation, limited resources allocated to the project, security framework, evaluation criteria is identified, app framework, prototype.

Recovery point objective

quantity of data lost exceeds BCP How much data loss is acceptable? bring the system back online; how far back does the data go?

Agile

ready shoot aim repeat sprints

Retention and destruction policy allows

reduced cost of discovery requests, reduced exposure during discovery. reduced hardware and software requirements

Change Control

regulates changes to policies and practices that could impact security

Release

released to librarian for disposition into production

Residual risk

risk post-countermeasure

Organization security includes

roles responsiblities, acceptable management, enforcement of polcy

Code of Ethics

rules or standards that help you to act ethically in various situations.

Qualitative analysis

scenarios to identify risks and responses, speculative, results in relative costs or rankings.

Collusion countermeasures

separation of duties two-man control least priv mandatory vacations

BPO/BPA (blanket purchase)

service provision as a ongoing process discounted pricing commonly seen between manufacturers and resellers

exit interview

signature evidence violation recognition grounds for termination recognition

Risk rejection

simply not responding to the risk

tabletop exercise

small number of individuals get together and test just one part of the BCP

Vulnerabilities may exist

software, operating system, and hardware vulnerabilities, Lax physical security, Weak policies and procedures

Distributive Allocation

spreading it through redundancy and high availability techniques such as clustering, load balancing, and redundant storage arrays

Code Escrow Agreement

storage and release of source code, obtain change rights if vendor dies

Feasibility analysis

technical feasibility cost justification security review

major production developed by programmers

tested, unintentional back doors (maintenance hooks), modular coding, no vulnerable function calls, dynamic code analysis, peer code review, design and architectural patterns, each task performed by a different group

SLA guarantees

turn around, response, # online users, util rates, uptimes, volumns, production problems

Eavesdropping

unauthorized listening

Post data retention policy

use information classification labels to identify which retention policy rule is to be applied to specific data.

Comparative

valuation arbitrary qualitative scale ranking

Intangible asset

value and may be saleable even though it is not physical or material

complex exercise

very large number of individuals and a very realistic scenario that may involve full-scale practice exercises.

CBF

vital buisness activites

Single Loss Expectancy

what is the monetary loss if a single event occurs?

clean desk policy

when you leave nothing is on desk reduce confidential exposure

Data sovereignty

where data resides follows laws legal monitoring court order may not be able to move data out

Asset valuation

worth of that resource to the organization, establishes the level of protection appropriate for each asset.