Final 249


List and describe the three guidelines for sound policy, as stated by Bergeron and Berube.

All policies must contribute to the success of the organization; management must ensure the adequate sharing of responsibility for proper use of information systems; and end users of information systems should be involved in the steps of policy formulation. Bergeron and Berube further note that although it is an admirable goal for policies to be complete and comprehensive, too many policies, or policies that are too complex, lower end-user satisfaction and with it compliance.

What is a cost-benefit analysis?

A cost-benefit analysis (CBA) is an evaluation of the worth of the information assets to be protected and of the loss in value if those assets are compromised by the exploitation of a specific vulnerability, weighed against the cost of the control that would prevent or reduce that loss. It is the formal record of whether a proposed control is economically feasible.

What is information security policy? Why is it critical to the success of the InfoSec program?

An information security policy is a document, issued by senior management, that states the rules for access to and use of the organization's computer and network resources, determines how more specific policies and standards are enforced, and lays out the basic architecture of the organization's security environment. It typically covers web-browsing habits, password use, handling of email attachments, and much more. It is critical because every security measure the organization takes must be authorized and supported by policy; without policy there is no legitimate basis for the controls, and nothing for enforcement to rest on.

What are the three types common approaches to implement the defense risk control strategy?

Application of policy: management at every level mandates that certain procedures always be followed. Application of education and training: merely communicating a new or revised policy to employees is not adequate to assure compliance, so awareness, training, and education programs are needed to make the policy understood and followed. Implementation of technology: in the everyday world of InfoSec, technical controls and safeguards are frequently required to reduce risk effectively.

What is the difference between benchmarking and baselining?

Benchmarking is the process of comparing your own practices and results against those of other organizations that pursue the same results, in order to identify practices worth duplicating. Baselining is measuring against your own past results: establishing a value or profile for a performance metric so that later changes in that metric can be usefully compared.

Chapter 7 - Controlling risk

Big concept terms, definitions, ideas. (Anything that looks ideal)

Chapter 4 - Policy

Big concept terms, definitions, ideas. (Anything that looks ideal)
Role of policy in an organization
What is the role of policy?
What is the role of info security policy?

Default permit versus default deny

Default permit: setting the default action to "permit" means an open policy, where rules are written to block specific content. This approach is generally easier to manage but less secure, because anything not explicitly denied is allowed. For example, imagine sitting down on your first day at a new job and being able to reach everything on the web, on every server and on the whole internal network. Default deny: everything is denied unless specifically allowed, as in a firewall policy. This approach can be very secure but requires more administration. An administrator using a default-deny policy builds rules whose destinations are the acceptable URLs or categories and whose action is set to "permit". Default deny is the better of the two approaches: it can be annoying, since every legitimate new destination must be added to the rule set, but it is the safest for the environment, because a new host or service is unreachable until someone deliberately allows it rather than exposed until someone notices.
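As an added illustration (not part of the original study set), the following Python evaluates the same constructed traffic under both postures. The Rule format, the address ranges (RFC 5737 documentation ranges and private 10.0.0.0/8 space) and the sample requests are invented for the example; the point it shows is that the two rule sets can agree on every listed destination and still disagree on the one nobody listed.

```python
"""Added example: the same requests under a default-permit and a default-deny
posture. Rule format, addresses and traffic are constructed, not from the page."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    network: ipaddress.IPv4Network   # destination CIDR the rule matches
    port: Optional[int]              # destination port, None = any port
    action: str                      # "permit" or "deny"


def first_match(rules, dst_ip, dst_port):
    """First matching rule wins, as in most firewall engines; None if nothing matched."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if ip in r.network and (r.port is None or r.port == dst_port):
            return r.action
    return None


def decide(rules, default, dst_ip, dst_port):
    """Return 'permit' or 'deny': the first matching rule, else the posture's default."""
    action = first_match(rules, dst_ip, dst_port)
    return action if action is not None else default


# Default-permit posture: the administrator enumerates what to BLOCK.
DEFAULT_PERMIT_RULES = [
    Rule(ipaddress.ip_network("203.0.113.0/24"), None, "deny"),   # a known-bad range
]

# Default-deny posture: the administrator enumerates what to ALLOW.
DEFAULT_DENY_RULES = [
    Rule(ipaddress.ip_network("10.0.1.0/24"), 443, "permit"),     # internal HTTPS services
    Rule(ipaddress.ip_network("10.0.2.10/32"), 5432, "permit"),   # one database host
]

# Constructed sample traffic: (destination, port, description)
SAMPLE_TRAFFIC = [
    ("10.0.1.25", 443, "internal web app"),
    ("10.0.2.10", 5432, "database"),
    ("10.0.2.10", 22, "ssh to the database host"),
    ("203.0.113.7", 80, "blocked external range"),
    ("198.51.100.9", 80, "external host nobody listed"),
]


def compare_postures(traffic=SAMPLE_TRAFFIC):
    """Return {description: (decision under default permit, decision under default deny)}."""
    out = {}
    for ip, port, desc in traffic:
        out[desc] = (decide(DEFAULT_PERMIT_RULES, "permit", ip, port),
                     decide(DEFAULT_DENY_RULES, "deny", ip, port))
    return out


if __name__ == "__main__":
    for desc, (p, d) in compare_postures().items():
        print(f"{desc:30s} default-permit={p:7s} default-deny={d}")
```

The last two sample requests are the ones that matter: SSH to the database host and an external host nobody thought about are both allowed under default permit and both refused under default deny. The administrative cost of default deny is visible too: the moment a new internal service appears, a rule has to be written for it.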

What are the five risk control?

Defense: the risk defense strategy (also called avoidance) attempts to prevent the exploitation of the vulnerability, through policy, training and education, and technology.
Transference: risk transference attempts to shift the risk to other assets, other processes, or other organizations.
Mitigation: risk mitigation attempts to reduce, by means of planning and preparation, the damage caused by the exploitation of a vulnerability.
Acceptance: risk acceptance is the choice to do nothing to protect an information asset and to accept the outcome of any resulting exploitation.
Termination: risk termination directs the organization to avoid the business activities that introduce uncontrollable risks, by removing the asset or discontinuing the activity altogether.

What is the difference between due diligence and due care?

Due care is the standard an organization meets when it adopts a reasonable minimum level of security and makes sure every employee knows what is acceptable, what is not, and the consequences of illegal or unethical actions; it is what a prudent organization in the same position would do. Due diligence is the ongoing part: the organization makes a valid, continuing effort to keep that level of protection in place, understands the ins and outs of its own information security policies and procedures, and stays mindful of the laws and regulations, including those of other jurisdictions, that affect its operations. Together they show that the organization has acted responsibly, and they matter legally: an organization that can demonstrate neither is far more exposed to liability after an incident.

What is a hybrid risk assessment?

A hybrid risk assessment tries to improve on the ambiguity of qualitative measures without resorting to the unsubstantiated estimates used for quantitative measures. It uses scales (for example, likelihood and impact each rated from 1 to 5) rather than specific numeric estimates.

Identification Authentication Authorization Accountability

Identification: a user or process asserts an identity (a user name, an account ID) that is unique within the system.
Authentication: a control verifies that the user is who they claim to be, using something they know (a password), something they have (a certificate or token), or something they are (a fingerprint).
Authorization: explicit permission has been granted to an identified and authenticated user to access a resource.
Accountability: a user's or process's actions are logged and tied back to the originating account, so they can be attributed afterwards.

What is the difference between intrinsic value and acquired value?

Intrinsic value is the essential worth of the asset under consideration. Acquired value is the value that some information assets gain over time, beyond their intrinsic value.

Is policy considered dynamic or static? Which factors might determine this status?

It can be either. Policy should be stable enough to give consistent direction, but it must change when the organization's strategic or tactical plans change, when laws, technology, or the threat environment change, or when review shows that the existing policy, or the standards that implement it, are not effective. In practice policy is a living document with a scheduled review cycle.

What is the purpose of a Systems-Specific Information Security Policies (SysSP)?

It is designed as a technical procedure for configuring and maintaining individual and networked systems.

What is the purpose of an Issue-Specific Information Security Policies (ISSP)?

It provides detailed, targeted guidance to instruct the organization in the secure use of technology systems, and begins with an introduction to the fundamental technological philosophy of the organization. It serves to protect employees and the organization from inefficiency and ambiguity; it documents how the technology-based system is controlled and identifies the processes and authorities that provide this control; and it serves to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.

What is the purpose of an Enterprise Information Security Policy (EISP)?

It sets the strategic direction, scope, focus, and tone for all of the organization's security efforts, and it is designed to establish the overall information security environment.

To what degree should the organization's values, mission, and objectives be integrated into the policy documents?

Fully. Policy documents should be derived from and consistent with the organization's values, mission, and objectives, and should never contradict them, even in small details; a policy that conflicts with the mission will be ignored or resisted.

List and describe the three challenges in shaping policy

1. Never conflict with law: a policy that requires or permits something illegal is unenforceable and exposes the organization.
2. Stand up in court if challenged: the policy must be written, disseminated, read, understood, agreed to, and uniformly enforced, and the organization must be able to prove each of these.
3. Be properly supported and administered: management must fund, back, and maintain the policy.
(Contributing to the success of the organization and involving end users are Bergeron and Berube's guidelines for sound policy, not these three challenges.)

What is the difference between organizational feasibility and operational feasibility?

Organizational feasibility examines how well the proposed information security alternatives will contribute to the efficiency, effectiveness, and overall operation of the organization. Operational feasibility examines user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders.

In what way are policies different from standards?

Policies are plans or courses of action, intended to influence and determine decisions, actions, and other matters. Standards are detailed statements of what must be done to comply with a certain policy. The use of standards is a way to implement policies.

In what way are policies different from procedures?

Policies state what must be done and why; they are the guidelines employees are expected to comply with. Procedures are the step-by-step instructions that tell employees how to comply with policy while completing a given task. The policy is the rule; the procedure is the recipe for following it.

Describe residual risk.

Residual risk is the risk that remains after controls have been applied: the portion of the original risk that has not been removed, shifted, or otherwise planned for. Management must decide whether the residual risk is within the organization's risk appetite.

What is risk appetite? Explain why risk appetite varies from organization to organization.

Risk appetite is the amount of risk that organizations are willing to accept, as they evaluate the trade-offs between perfect security and unlimited accessibility. Risk appetite varies from organization to organization because of differences in size, budget, organizational culture as well as the difference in value placed on certain assets.

What is single loss expectancy? What is annual loss expectancy?

Single loss expectancy (SLE) is the calculated value of the most likely loss from a single occurrence of an attack: SLE = asset value (AV) × exposure factor (EF), where EF is the fraction of the asset's value lost in one incident. Annualized loss expectancy (ALE) is the most likely loss per year from that attack: ALE = SLE × annualized rate of occurrence (ARO), where ARO is the expected number of occurrences per year.
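The following Python, added here and not part of the original study set, carries the SLE and ALE formulas above through to the cost-benefit analysis asked about earlier in the set (CBA = ALE before the control − ALE after the control − annual cost of the control, ACS) and uses it to choose among candidate controls. The asset values, exposure factors, rates of occurrence and control costs are invented figures.

```python
"""Added example: SLE, ALE and CBA = ALE(prior) - ALE(post) - ACS over
constructed figures. Nothing here is from the page except the formulas."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Exposure:
    asset_value: float       # AV, in currency units
    exposure_factor: float   # EF, fraction of AV lost in one incident (0..1)
    annual_rate: float       # ARO, expected incidents per year

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float        # ACS: purchase, deployment and upkeep per year
    post_exposure: Exposure   # the loss picture with the control in place


def cba(prior: Exposure, control: Control) -> float:
    """Positive means the control saves more per year than it costs."""
    return prior.ale() - control.post_exposure.ale() - control.annual_cost


def choose_control(prior: Exposure, controls: List[Control]) -> Tuple[Optional[Control], float]:
    """Return (best control, its CBA). (None, 0.0) means no candidate pays for
    itself, which is the case for accepting the risk instead."""
    best, best_value = None, 0.0
    for c in controls:
        v = cba(prior, c)
        if v > best_value:
            best, best_value = c, v
    return best, best_value


# Constructed figures: a customer database worth 1,000,000; a breach exposes
# half of it; one breach expected every two years.
PRIOR = Exposure(asset_value=1_000_000, exposure_factor=0.5, annual_rate=0.5)
CANDIDATES = [
    # same number of incidents, but each one now loses far less
    Control("field-level encryption", annual_cost=60_000,
            post_exposure=Exposure(1_000_000, 0.05, 0.5)),
    # each incident is as bad as before, but fewer of them succeed
    Control("WAF subscription", annual_cost=40_000,
            post_exposure=Exposure(1_000_000, 0.5, 0.2)),
    # the best risk reduction, and it costs more than the risk it removes
    Control("gold-plated DLP suite", annual_cost=300_000,
            post_exposure=Exposure(1_000_000, 0.01, 0.1)),
]


if __name__ == "__main__":
    print(f"SLE = {PRIOR.sle():,.0f}   ALE = {PRIOR.ale():,.0f}")
    for c in CANDIDATES:
        print(f"{c.name:24s} CBA = {cba(PRIOR, c):>10,.0f}")
    best, value = choose_control(PRIOR, CANDIDATES)
    print("choose:", best.name if best else "accept the risk", f"({value:,.0f})")
```

The third candidate is the one the question about risk acceptance is driving at: the control that reduces the risk the most is not worth buying, because its annual cost exceeds the annual loss it prevents. The CBA is also what the acceptance checklist below means by "a thorough cost-benefit analysis has been performed".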

3 factors of authentication

Something you know (such as a password): the most common factor, and the easiest to beat. It can be a password or a simple personal identification number (PIN). When passwords are used they should be strong: sufficiently long, and mixing upper case, lower case, numbers, and special characters.
Something you have (such as a smart card): refers to items such as smart cards, a credit-card-sized card with an embedded certificate that identifies the holder. The user inserts the card into a reader to authenticate. Smart cards are commonly used together with a PIN, which makes the login multi-factor: the user must have something (the card) and know something (the PIN).
Something you are (such as a fingerprint): biometric methods such as fingerprints, hand geometry, retinal or iris scans, handwriting, and voice analysis. Fingerprints and handprints are the most widely used; many laptops include fingerprint readers, and handprints are used by amusement parks that sell season or multi-day passes.
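As an added example (not code from the original set), the Python below puts the identification, authentication and accountability steps from the earlier card on one login path, with two of the three factors above: "something you know" is a PBKDF2-hashed password, and "something you have" is a time-based one-time code computed by the RFC 4226 HOTP / RFC 6238 TOTP algorithm, the same scheme an authenticator app implements. The user store, salt and audit log are constructed for the example; the TOTP seed is the RFC test-vector seed so the codes can be checked against the published vectors.

```python
"""Added example (not from the page): identification, two-factor authentication
and accountability on one login path. 'Something you know' is a PBKDF2-hashed
password; 'something you have' is an RFC 4226/6238 HOTP/TOTP code. The user
store, salt and audit log are constructed for the example."""
import hashlib
import hmac
import os
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30 s steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed user store. The TOTP seed is the RFC 4226/6238 test-vector seed.
_ALICE_SALT = os.urandom(16)
USERS = {
    "alice": {
        "salt": _ALICE_SALT,
        "pw_hash": hash_password("correct horse battery staple", _ALICE_SALT),
        "totp_seed": b"12345678901234567890",
    },
}
# Decoy record so an unknown user name costs the same work as a known one.
_DECOY = {"salt": os.urandom(16), "pw_hash": bytes(32), "totp_seed": os.urandom(20)}
AUDIT_LOG = []   # accountability: (time, claimed identity, outcome)


def authenticate(username: str, password: str, code: str, now: int) -> bool:
    """True only when the identity is known and BOTH factors verify.
    Every outcome is logged against the claimed identity."""
    user = USERS.get(username, _DECOY)      # identification: is this a known, unique principal?
    know_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    # accept the current and the previous 30 s window to absorb clock skew
    have_ok = any(hmac.compare_digest(totp(user["totp_seed"], now - skew), code)
                  for skew in (0, 30))
    # both factors are always evaluated, so the response does not reveal which one failed
    ok = (username in USERS) and know_ok and have_ok
    AUDIT_LOG.append((now, username, "login ok" if ok else "login failed"))
    return ok


if __name__ == "__main__":
    now = int(time.time())
    code = totp(USERS["alice"]["totp_seed"], now)   # what alice's authenticator app would show
    print("alice, both factors:", authenticate("alice", "correct horse battery staple", code, now))
    print("alice, wrong code:  ", authenticate("alice", "correct horse battery staple", "000000", now))
    print("audit trail:", AUDIT_LOG)
```

Two details are deliberate. A wrong password and a wrong code produce the same failure and the same amount of work, so an attacker cannot tell which factor they got right; and the audit entry records the claimed identity even when it does not exist, because an attempt against an unknown account is exactly the kind of event accountability is meant to preserve.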

3 primary goals of InfoSec

The three primary goals of information security are confidentiality, integrity and availability, known as the CIA triad, a model that guides an organization's information security policies. 1. Confidentiality: keep information available only to individuals authorized to access it, and prevent legitimate users from reaching information they are not allowed to see (examples of confidentiality controls: encryption, access control mechanisms, institutional policy). 2. Integrity: ensure that data can be modified only by authorized users in authorized ways, protecting the accuracy and completeness of information (example: your bank must keep an accurate record of your balance; you do not want it to track your money incorrectly). 3. Availability: ensure that information is accessible to authorized users whenever they need it (an attack on availability is, for example, a denial-of-service attack that keeps a streaming service offline for days).

What is the OCTAVE Method? What does it provide to those who adopt it?

The OCTAVE Method is an InfoSec risk evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detective controls. It enables an organization to measure itself against known or accepted good security practices, and then to establish an organization-wide protection strategy and information security risk mitigation plan.

What conditions must be met to ensure that risk acceptance has been used properly?

The following conditions must be met to ensure that risk acceptance has been used properly:
the level of risk posed to the asset has been determined;
the probability of attack and the likelihood of a successful exploitation of a vulnerability have been assessed;
the annual rate of occurrence of such an attack has been approximated;
the potential loss that could result from attacks has been estimated;
a thorough cost-benefit analysis has been performed;
controls have been evaluated using each appropriate type of feasibility;
and it has been decided that the particular function, service, information, or asset does not justify the cost of protection.

Describe how outsourcing can be used for risk transference.

Outsourcing allows the organization to transfer the risk associated with managing complex systems to another organization that has experience dealing with those risks. A benefit of outsourcing is that the provider becomes responsible for disaster recovery and, through service level agreements, for guaranteeing server and website availability. The caveat is that transference shifts the operational risk, not the accountability: if the provider fails, the organization still answers to its customers and regulators, so the contract, the service levels and the provider's own controls must be reviewed as carefully as in-house ones would be.

Access control (MAC, DAC, Non-discretionary)

Three common approaches to access control design:
1. Mandatory access control (MAC): assigns a security label to every subject and every object and uses a fixed set of rules to mediate access. Example: imagine four security levels, Public, Confidential, Secret, and Top Secret. Every object is stamped with a label and so is every subject; a subject with a Top Secret label can access Top Secret objects (and, under the usual rules, everything below).
2. Discretionary access control (DAC): uses the identity of the subject to mediate access. In the most common form the subject that owns an object decides which other subjects may access it. DAC is typically easier to implement than MAC, but it is also less secure, because protection depends on every owner making good decisions.
3. Non-discretionary access control: access is based on the subject's role or assigned task (role-based or task-based access control) rather than on the identity of the subject or the discretion of an owner.
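As an added example (not from the original set), the three designs as decision functions over constructed subjects and objects. The labels are the four from the MAC example above; the rule set applied to them is assumed to be the Bell-LaPadula confidentiality rules (read down, write up), which the card does not name. Owners, ACL entries and roles are invented.

```python
"""Added example (not from the page): MAC, DAC and role-based access control
as decision functions. MAC rule set assumed to be Bell-LaPadula confidentiality;
subjects, objects, ACL and roles are constructed."""

# Mandatory access control: every subject and object carries a label; the rules are fixed.
LEVELS = {"Public": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def mac_allows(subject_clearance: str, object_label: str, op: str) -> bool:
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if op == "read":
        return s >= o      # no read up: a Secret subject cannot read Top Secret
    if op == "write":
        return s <= o      # no write down: a Secret subject cannot write into Confidential
    raise ValueError(f"unknown operation {op!r}")


# Discretionary access control: the owner of each object decides who else gets what.
OWNERS = {"report.docx": "alice"}                 # constructed
ACL = {"report.docx": {"bob": {"read"}}}          # constructed


def dac_allows(subject: str, obj: str, op: str) -> bool:
    if OWNERS.get(obj) == subject:
        return True        # the owner is never locked out of their own object
    return op in ACL.get(obj, {}).get(subject, set())


def dac_grant(granter: str, obj: str, grantee: str, op: str) -> bool:
    """Return True if the grant was applied. Only the owner may change the ACL;
    that discretion is what makes the model discretionary."""
    if OWNERS.get(obj) != granter:
        return False
    ACL.setdefault(obj, {}).setdefault(grantee, set()).add(op)
    return True


# Non-discretionary (role-based) access control: permissions attach to roles, not owners.
ROLE_PERMS = {                                    # constructed
    "dba":      {("customers.db", "read"), ("customers.db", "write")},
    "analyst":  {("customers.db", "read")},
    "helpdesk": set(),
}


def rbac_allows(roles, obj: str, op: str) -> bool:
    return any((obj, op) in ROLE_PERMS.get(r, set()) for r in roles)


if __name__ == "__main__":
    print("MAC  Secret reads Confidential: ", mac_allows("Secret", "Confidential", "read"))
    print("MAC  Secret writes Confidential:", mac_allows("Secret", "Confidential", "write"))
    print("DAC  bob reads report.docx:     ", dac_allows("bob", "report.docx", "read"))
    print("RBAC analyst writes customers.db:", rbac_allows({"analyst"}, "customers.db", "write"))
```

The contrast the card draws is visible in the code: under MAC nobody, not even an object's creator, can hand a Top Secret file to a Confidential reader, because the decision comes from the labels alone; under DAC alice can grant carol access with one call and nothing stops her; under RBAC the question is never "who owns it" but "what role is the caller acting in".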

List and describe the two general groups of material included in most SysSP documents.

a. Access control lists: the user access lists, matrices, and capability tables that govern which users or groups hold which rights and privileges on a system. b. Configuration rules: the specific configuration settings (rule sets, filter definitions) entered into security systems to guide how the system handles the information passing through it.

List and describe three functions that the ISSP serves in an organization.

a. Addresses specific technology-based systems (email, Internet use, a particular application) rather than the organization as a whole. b. Requires frequent updates, because the technology it governs changes quickly. c. Contains an issue statement that sets out the organization's position on the issue, so that users know what is expected and why.

List and describe three common ways in which ISSP documents are created and/or managed.

The common approaches are to create a number of independent ISSP documents, to create a single comprehensive ISSP document, or to create a modular ISSP document that unifies policy creation and administration. The recommended approach is the modular policy, which provides a balance between issue orientation and policy management.

What should be the first component of an ISSP when it is presented? Why? What should be the second major component? Why?

a. The first component should be the statement of purpose, because it describes the scope and applicability of the policy, defines the technology addressed, and states who is responsible for what. b. The second should be authorized uses, because it is the core of the ISSP framework: it describes who may use the technology, what fair and reasonable use looks like, and how privacy is protected.

For a policy to have any effect, what must happen after it is approved by management? What are some ways to accomplish this?

a. The policy must be implemented and enforced down the chain of command; approval by management alone has no effect. b. For that to happen the policy must be disseminated (distributed so that everyone affected receives it), reviewed (actually read, in a form each employee can understand), comprehended (understood, which can be checked with quizzes or acknowledgements), agreed to (compliance acknowledged, for example by signature or click-through), and uniformly enforced (applied consistently regardless of position).

Describe the bull's-eye model. What does it say about policy in the InfoSec program?

a. Policies: the outermost ring and the first layer of defense. b. Networks: where threats first meet the organization's network. c. Systems: computers, servers, and manufacturing systems. d. Applications: all application systems. e. The model says that policy comes first: the issues in an outer ring must be addressed before spending on controls in an inner ring, so the CISO sorts out policy before buying network, system, or application controls. It gives the InfoSec program a way to work systematically, layer by layer, from the outside in.

List and describe the four elements that should be present in the EISP.

a. Statement of purpose: what the policy is for. b. Information security elements: defines information security for the organization. c. Need for information security: justifies the importance of information security to the organization. d. Information security responsibilities and roles: defines the organizational structure that carries out the policy.

Mutual authentication

Mutual authentication, commonly called two-way authentication, is the combination of server and client authentication. It is mutual because the server authenticates itself to the client and the client authenticates itself to the server before the secure, encrypted channel between them is trusted; in TLS this means the client presents a certificate that the server validates, in addition to the server presenting its own.
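As an added example (not from the original set), the exchange below shows the mutual property with a pre-shared key rather than the certificates the card describes, so that it runs offline: each side proves knowledge of the key over the other side's fresh nonce, and the client proves itself only after the server has passed. The key, nonces and message layout are constructed for the example.

```python
"""Added example (not from the page): mutual authentication as a shared-key
challenge-response exchange. Same property as TLS client + server
authentication, with a pre-shared key instead of certificates."""
import hashlib
import hmac
import os


def _proof(key: bytes, role: bytes, first: bytes, second: bytes) -> bytes:
    # The role tag is bound into the MAC so a proof from one direction can never
    # be replayed as the proof for the other (a reflection attack).
    return hmac.new(key, role + first + second, hashlib.sha256).digest()


class Server:
    def __init__(self, key: bytes):
        self.key, self.nc, self.ns, self.peer_ok = key, None, None, False

    def challenge(self, client_nonce: bytes):
        """Message 2: our own nonce plus proof that we know the key."""
        self.nc, self.ns = client_nonce, os.urandom(16)
        return self.ns, _proof(self.key, b"server", self.nc, self.ns)

    def verify_client(self, client_proof: bytes) -> bool:
        """Message 3 check: the client must prove it knows the key too."""
        expected = _proof(self.key, b"client", self.ns, self.nc)
        self.peer_ok = hmac.compare_digest(client_proof, expected)
        return self.peer_ok


class Client:
    def __init__(self, key: bytes):
        self.key, self.nc, self.peer_ok = key, None, False

    def start(self) -> bytes:
        """Message 1: a fresh nonce, so the server's proof cannot be replayed later."""
        self.nc = os.urandom(16)
        return self.nc

    def respond(self, server_nonce: bytes, server_proof: bytes):
        """Verify the server first; prove ourselves only to a server that passed."""
        expected = _proof(self.key, b"server", self.nc, server_nonce)
        self.peer_ok = hmac.compare_digest(server_proof, expected)
        if not self.peer_ok:
            return None
        return _proof(self.key, b"client", server_nonce, self.nc)


def handshake(client: Client, server: Server):
    """Run the three-message exchange; return (client trusts server, server trusts client)."""
    nc = client.start()
    ns, server_proof = server.challenge(nc)
    client_proof = client.respond(ns, server_proof)
    if client_proof is not None:
        server.verify_client(client_proof)
    return client.peer_ok, server.peer_ok


if __name__ == "__main__":
    key = os.urandom(32)
    print("matching keys:  ", handshake(Client(key), Server(key)))
    print("impostor server:", handshake(Client(key), Server(os.urandom(32))))
```

An impostor server fails at message 2 and the client sends nothing further, which is the point of ordering the exchange this way: a client that proved itself first would hand an impostor a valid proof for free. The role tags inside the MAC are the other safeguard; without them the server's own proof could be reflected back to it as the client's.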
