quiz 3 terms
Confidential
"Confidential" shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security that the original classification authority is able to identify or describe. Corporate equivalent: essential and protected information, disclosure of which could severely damage the financial well-being or reputation of the organization.
Secret
"Secret" shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe.
Security Clearance
A personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is "cleared" to access.
Mandatory Access Control (MAC)
A required, structured data classification scheme that rates each collection of information as well as each user. These ratings are often referred to as sensitivity or classification levels.
Benchmarking
An attempt to improve information security practices by comparing an organization's efforts against practices of a similar organization or an industry-developed standard to produce results it would like to duplicate. Sometimes referred to as external benchmarking.
Corrective
Remedies a circumstance or mitigates damage done during an incident; for example, changes to a firewall to block the recurrence of a diagnosed attack
Compensating
Resolves shortcomings, such as requiring the use of encryption for transmission of classified data over unsecured networks
ISO 27001
27001:2013 Information Security Management System Specification, drawn from BS7799 Part 2. Background: one of the most widely referenced InfoSec management models is the Code of Practice for Information Security Management, originally published as British Standard BS7799. In 2000 the Code of Practice (BS7799 Part 1) was adopted as an international standard framework for InfoSec by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799; the ISMS specification in BS7799 Part 2 became ISO/IEC 27001 in 2005. ISO/IEC 27001:2022 has since replaced the 2013 edition named here.
ISO 27002
27002:2013 Code of Practice for Information Security Management, renumbered from ISO/IEC 17799 and drawn from BS7799 Part 1. The document was revised in 2005 (becoming ISO/IEC 17799:2005) and renamed ISO/IEC 27002 in 2007 to align its numbering with ISO/IEC 27001. While the details of ISO/IEC 27002:2013 are only available to those who purchase the standard, its structure and general organization are well known. ISO/IEC 27002:2022 has since replaced the 2013 edition.
ISO 27004
27004:2016 Information Security Measurements: performance measurement to support information security management decisions.
Bell-LaPadula (BLP)
A confidentiality model, or "state machine reference model," that ensures the confidentiality of the modeled system by combining mandatory access controls, data classification, and security clearances. The intent of any state machine model is to devise a conceptual approach in which the system being modeled is always in a known secure state; every transition is shown to preserve that state, which is what makes the model provably secure. A system that serves as a reference monitor compares the classification of the data with the clearance of the entity requesting access; it allows a read only if the clearance dominates (is equal to or higher than) the classification. The BLP rules prevent information from flowing from a higher security level to a lower one. Access is governed by two properties: simple security (for reads) and the * (star) property (for writes).
COBIT 5 principles
COBIT 5 provides five principles focused on the governance and management of IT in an organization: • Principle 1: Meeting Stakeholder Needs • Principle 2 : Covering the Enterprise End-to-End • Principle 3: Applying a Single, Integrated Framework • Principle 4: Enabling a Holistic Approach • Principle 5: Separating Governance from Management
Detective
Detects or identifies an incident or threat when it occurs; for example, anti-malware software
Deterrent
Discourages or deters an incipient incident; an example would be signs that indicate video monitoring
Directive
Employs administrative controls such as policy and training designed to proscribe certain user behavior in the organization; an example would be an acceptable use policy that prohibits the use of company assets for personal business.
Preventative
Helps an organization avoid an incident; an example would be the requirement for strong authentication in access controls
Blueprint
In information security, a framework or security model customized to an organization, including implementation details.
Orange Book
TCSEC, published by the U.S. Department of Defense as DoD 5200.28-STD (1985), was also known as the "Orange Book" and was considered the cornerstone of the Rainbow Series.
Least privilege
The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary. Least privilege implies a need-to-know.
Graham-Denning access control model protection rights
The eight primitive protection rights are as follows: 1. Create object 2. Create subject 3. Delete object 4. Delete subject 5. Read access right 6. Grant access right 7. Delete access right 8. Transfer access right
Need to know
The principle of limiting users' access privileges to only the specific information required to perform their assigned tasks.
TCSEC
Trusted Computer System Evaluation Criteria (TCSEC): a deprecated (no longer used) U.S. DoD evaluation standard that defined the criteria for assessing the access controls in a computer system. TCSEC itself is the Orange Book, the cornerstone of the Rainbow Series, which is so named because of the color coding of the individual documents that made up the criteria and their interpretations. The series was replaced in 2005 with a set of standards known as the "Common Criteria."
Star property
The * property (the "write property"), on the other hand, prohibits a subject from writing to an object at a lower level than its own, so a high-clearance subject cannot send information to a lower-level object. In short, subjects can read down and can write (or append) up, but never write down. BLP uses access permission matrices for the discretionary part of the policy and a security lattice for the mandatory part.
COBIT
"Control Objectives for Information and Related Technology" (COBIT) provides advice about the implementation of sound controls and control objectives for InfoSec. This document can be used not only as a planning tool for InfoSec but also as a control model. COBIT was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992. Documentation on COBIT was first published in 1996 and updated in 2012 as COBIT 5 (COBIT 2019, released in late 2018, has since superseded COBIT 5). According to ISACA: COBIT 5 is the only business framework for the governance and management of enterprise IT. This evolutionary version incorporates the latest thinking in enterprise governance and management techniques, and provides globally accepted principles, practices, analytical tools, and models to help increase the trust in, and value from, information systems. COBIT 5 builds and expands on COBIT 4.1 by integrating other major frameworks, standards, and resources, including ISACA's Val IT and Risk IT, the Information Technology Infrastructure Library (ITIL®), and related standards from the International Organization for Standardization (ISO). The principles and enablers are dependent on the employees' skills and abilities within their organization. The primary enabler, "principles, policies, and frameworks," is depicted as guiding and affecting the others. Although COBIT was designed to be an IT governance and management structure, it includes a framework to support InfoSec requirements and assessment needs. Organizations that incorporate COBIT assessments into their IT management are better prepared for general InfoSec risk management operations.
Top Secret
"Top Secret" shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe.
ISO 27003
27003:2017 Information Security Management Systems Implementation Guidance: guidelines for project planning requirements for implementing an ISMS.
ISO 27014
27014:2013 Information Security Governance Framework: ISO's approach to security governance, with guidance on evaluating, directing, monitoring, and communicating information security.
ISO 27015
27015:2012 Information Security Management Guidelines for Financial Services Guidance for financial services organizations
Lattice-Based Access Controls
A variation on the MAC form of access control in which each subject (such as a user) and each object (an information asset) is assigned a label, and the labels are ordered in a lattice: a sensitivity level combined with a set of compartments or categories. A subject's authorizations form a matrix of the objects whose labels it dominates, so access is granted only when the subject's label is at or above the object's label in both level and compartments; labels with disjoint compartments are incomparable and neither side can access the other.
Discretionary Access Controls (DACs)
Access controls that are implemented at the discretion or option of the data owner (or, in some systems, the data user), who decides which other subjects may access the object.
Nondiscretionary Controls
Access controls that are implemented by a central authority.
Biba Integrity Model
An access control model that is similar to BLP in structure but protects integrity rather than confidentiality. It is based on the premise that higher levels of integrity are more worthy of trust than lower levels, so its rules are the inverse of BLP's: a subject may not read an object of lower integrity (no read down, to avoid contamination by untrusted data) and may not write to an object of higher integrity (no write up).
ITSEC
Information Technology Security Evaluation Criteria (ITSEC): a European set of criteria for evaluating computer systems, very similar to TCSEC. Under ITSEC, Targets of Evaluation (ToE) are compared to detailed security function specifications, resulting in an assessment of system functionality and comprehensive penetration testing. Like TCSEC, ITSEC was for the most part functionally replaced by the Common Criteria (described in the following section). ITSEC rates the assurance of products on a scale from E0 (inadequate) and E1 (lowest passing level) to E6 (highest level), in much the same way that TCSEC and the Common Criteria do, with E1 roughly equivalent to an EAL2 evaluation under the Common Criteria and E6 roughly equivalent to EAL7.
Common Criteria
An international standard (ISO/IEC 15408) for computer security certification that is considered the successor to TCSEC and ITSEC. The Common Criteria for Information Technology Security Evaluation (often called "Common Criteria" or "CC") is an international standard (ISO/IEC 15408) for computer security certification. It is widely considered the successor to both TCSEC and ITSEC in that it reconciles some of the differences between the various other standards. Most governments have discontinued their use of the other standards. CC is a combined effort of contributors from Australia, New Zealand, Canada, France, Germany, Japan, the Netherlands, Spain, the United Kingdom, and the United States. In the United States, the National Security Agency (NSA) and NIST were the primary contributors. CC and its companion, the Common Methodology for Information Technology Security Evaluation (CEM), are the technical basis for an international agreement, the Common Criteria Recognition Arrangement (CCRA), under which evaluations of a product's security properties performed in one member nation are recognized by the others. CC seeks the widest possible mutual recognition of secure IT products. The CC process assures that the specification, implementation, and evaluation of computer security products are performed in a rigorous and standard manner.
COSO
Another control-based model is that of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, a private-sector initiative formed in 1985. Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence. COSO has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems. COSO helps organizations comply with critical regulations like the Sarbanes-Oxley Act of 2002. According to COSO: [I]nternal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: • Effectiveness and efficiency of operations • Reliability of financial reporting • Compliance with applicable laws and regulations. COSO describes its key concepts as follows: The COSO Internal Control - Integrated Framework (the Framework) outlines the components, principles, and factors necessary for an organization to effectively manage its risks through the implementation of internal control. There should be neither "gaps" in addressing risk and control, nor unnecessary or unintentional duplication of effort. The Three Lines of Defense (the Model) addresses how specific duties related to risk and control could be assigned and coordinated within an organization, regardless of its size or complexity. In particular, the Model clarifies the difference and relationship between the organization's assurance and other monitoring activities, activities which can be misunderstood if not clearly defined.
Content-Dependent access controls
As the name suggests, access to a specific set of information may be dependent on its content. For example, the marketing department needs access to marketing data, the accounting department needs access to accounting data, and so forth.
Framework
In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including InfoSec policies, security education and training programs, and technological controls. Also known as a security model. A framework or security model is a generic outline of the more thorough and organization-specific blueprint.
Security Management Models
Organizations may seek management models to use within their InfoSec processes, and among the most accessible places to find a quality security management model are U.S. federal agencies and international standard-setting organizations. Some of the documents discussed in detail in the following sections are proprietary. Organizations that want to adopt proprietary models must purchase the right to do so. Alternatively, some public domain sources for security management models offer free documentation. In the forefront of this category are those documents provided by NIST's Computer Security Resource Center (http://csrc.nist.gov). This Web resource houses many publications, including some containing various security management models and practices.
NIST
Other approaches to structuring InfoSec management are found in the many documents available from NIST's Computer Security Resource Center. These documents, which are among the references cited by the U.S. government as reasons not to adopt ISO/IEC 17799 standards, enjoy two notable advantages over many other sources of security information: (1) they are publicly available at no charge, and (2) they have been available for some time; thus, they have been broadly reviewed by government and industry professionals. You can use the NIST SP (Special Publication) documents discussed earlier in this book to help design a custom security framework for your organization's InfoSec program.
Recovery
Restores operating conditions back to normal; for example, data backup and recovery software
SP800-12
SP 800-12, Rev. 1: An Introduction to Information Security (2017). Newly revised after over 20 years, this document serves as a starting point for those with little to no background in InfoSec. It provides the following: 1. Introduction to the SP 2. Elements of InfoSec: 2.1 Information security supports the mission of the organization. 2.2 Information security is an integral element of sound management. 2.3 Information security protections are implemented so as to be commensurate with risk. 2.4 Information security roles and responsibilities are made explicit. 2.5 Information security responsibilities for system owners go beyond their own organization. 2.6 Information security requires a comprehensive and integrated approach. 2.6.1 Interdependencies of security controls 2.6.2 Other interdependencies 2.7 Information security is assessed and monitored regularly. 2.8 Information security is constrained by societal and cultural factors. 3. Key roles and responsibilities for both industry and government sectors 4. An overview of threats and vulnerabilities, including sources and events (attacks) 5. The three NIST security policy categories: • Program Policy (EISP) • Issue-Specific Policy (ISSP) • System-Specific Policy (SysSP) 6. An overview of the NIST Risk Management Framework and its use in risk management 7. Discussion of systems assurance, including authorization, engineering, and operations assurance 8. Security considerations in systems support and operations 9. A discussion of the foundations and application of cryptography 10. The NIST control "families" that form the foundation of the NIST security model. The 18 families listed below are those of SP 800-53 Rev. 4; SP 800-53 Rev. 5 (2020) added PII Processing and Transparency (PT) and Supply Chain Risk Management (SR), bringing the count to 20: 10.1 Access Control (AC) 10.2 Awareness and Training (AT) 10.3 Audit and Accountability (AU) 10.4 Security Assessment and Authorization (CA) 10.5 Configuration Management (CM) 10.6 Contingency Planning (CP) 10.7 Identification and Authentication (IA) 10.8 Incident Response (IR) 10.9 Maintenance (MA) 10.10 Media Protection (MP) 10.11 Physical and Environmental Security (PE) 10.12 Planning (PL) 10.13 Personnel Security (PS) 10.14 Risk Assessment (RA) 10.15 System and Services Acquisition (SA) 10.16 System and Communication Protection (SC) 10.17 System and Information Integrity (SI) 10.18 Program Management (PM)
SP800-14
SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems (1996) This document describes recommended practices and provides information on commonly accepted InfoSec principles that can direct the security team in the development of a security blueprint. It also describes the philosophical principles that the security team should integrate into the entire InfoSec process: • Security supports the mission of the organization. • Security is an integral element of sound management. • Security should be cost-effective. • System owners have security responsibilities outside their own organizations. • Security responsibilities and accountability should be made explicit. • Security requires a comprehensive and integrated approach. • Security should be periodically reassessed. • Security is constrained by societal factors. Table 8-4 presents the NIST SP 800-14 principles for securing information technology systems. This table serves as a checklist for the blueprint process, and it provides a method to ensure that all key elements are present in the design of an InfoSec program and that the planning efforts produce a blueprint for effective security architecture.
SP 800-18
SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal Information Systems (2006) This guide provides detailed methods for assessing, designing, and implementing controls and plans for applications of various sizes. It serves as a guide for the security planning activities described later and for the overall InfoSec planning process. In addition, this document includes templates for major application security plans. As with any publication of this scope and magnitude, SP 800-18 must be customized to fit the particular needs of the organization.
SP 800-30
SP 800-30, Rev. 1: Guide for Conducting Risk Assessments (2012). This guide provides a foundation for the development of an effective risk management program, and it contains both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations better manage IT-related mission risks. The document is organized into three chapters that explain the overall risk management process as well as preparing for, conducting, and communicating a risk assessment. The original document, SP 800-30: Risk Management Guide for Information Technology Systems (2002), was functionally replaced as the overall risk management guide by SP 800-39: Managing Information Security Risk (2011); SP 800-30 was then substantially revised, and SP 800-30 (Revision 1) became a process document for the subtask of conducting risk assessments. Assessing the controls themselves is covered separately by SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, the companion to the SP 800-53 control catalog (whose fifth revision was finalized in 2020).
ToE
Targets of Evaluation (ToE) are compared to detailed security function specifications, resulting in an assessment of systems functionality and comprehensive penetration testing.
SP 800-34
SP 800-34, Rev. 1: Contingency Planning Guide for Federal Information Systems (2010) This guide defines the seven-stage methodology for responding to an event requiring disaster recovery operations. The guide also provides an overview of business continuity strategies and methods. 1. Develop the contingency planning policy statement. A formal policy provides the authority and guidance necessary to develop an effective contingency plan. 2. Conduct the business impact analysis (BIA). The BIA helps identify and prioritize information systems and components critical to supporting the organization's mission/business processes. A template for developing the BIA is provided to assist the user. 3. Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs. 4. Create contingency strategies. Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption. 5. Develop an information system contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system unique to the system's security impact level and recovery requirements. 6. Ensure plan testing, training, and exercises. Testing validates recovery capabilities, whereas training prepares recovery personnel for plan activation and exercising the plan identifies planning gaps; combined, the activities improve plan effectiveness and overall organization preparedness. 7. Ensure plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements and organizational changes. This document, when combined with NIST SP 800-61 (discussed later in this section), forms the basis for all incident response, disaster recovery, and business continuity lectures in this text.
SP 800-37
SP 800-37, Rev. 1: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (2010). This document continues the NIST RMF program and provides additional guidance on the use of the NIST Risk Management Framework. SP 800-37 Rev. 2 (2018) has since superseded Rev. 1; it adds a Prepare step ahead of the original six RMF steps and integrates privacy and supply chain risk management.
Simple security
Simple security (also called the "read property") prohibits a subject of lower clearance from reading an object of higher clearance but allows a subject with a higher clearance level to read an object at a lower level (read down).
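The BLP, star property, lattice-based access control, and Biba entries above describe a reference monitor that compares labels in a lattice. The following is an added example (not code from the original page or from any textbook) showing the two BLP rules and their Biba duals as executable checks. The level names come from the classification entries on this page; the compartment names (CRYPTO, HR), the subjects, and the objects are constructed sample data.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Sensitivity levels from the page, lowest first (Unclassified added as the floor).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """A lattice label: a numeric level plus a set of compartments (need-to-know categories)."""
    level: int
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Partial order of the lattice: level at least as high AND a superset of categories.
        # Two labels with disjoint compartments are incomparable: neither dominates the other.
        return self.level >= other.level and self.categories >= other.categories


def label(level_name: str, *categories: str) -> Label:
    """Build a BLP label from a named classification level and compartments."""
    return Label(LEVELS[level_name], frozenset(categories))


def blp_permits(subject: Label, obj: Label, mode: str) -> bool:
    """Bell-LaPadula reference-monitor decision.
    read  -> simple security property: subject must dominate object (read down, no read up)
    write -> *-property: object must dominate subject (write up, no write down)
    """
    if mode == "read":
        return subject.dominates(obj)
    if mode == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown access mode: {mode!r}")


def biba_permits(subject: Label, obj: Label, mode: str) -> bool:
    """Biba integrity decision, the dual of BLP; here Label.level is an integrity level.
    read  -> simple integrity: object must dominate subject (no read down)
    write -> *-integrity: subject must dominate object (no write up)
    """
    if mode == "read":
        return obj.dominates(subject)
    if mode == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown access mode: {mode!r}")


def demo() -> dict:
    """Constructed sample: an analyst cleared Secret/CRYPTO against three objects."""
    analyst = label("Secret", "CRYPTO")
    report = label("Confidential", "CRYPTO")   # dominated by the analyst's clearance
    plan = label("Top Secret", "CRYPTO")       # dominates the analyst's clearance
    hr_file = label("Confidential", "HR")      # incomparable: different compartment
    # Biba labels (constructed): integrity 2 = vetted process, 1 = data from an untrusted source
    vetted, untrusted = Label(2), Label(1)
    return {
        "blp_read_down": blp_permits(analyst, report, "read"),       # True
        "blp_read_up": blp_permits(analyst, plan, "read"),           # False
        "blp_write_up": blp_permits(analyst, plan, "write"),         # True (blind write up)
        "blp_write_down": blp_permits(analyst, report, "write"),     # False (would leak)
        "blp_incomparable": blp_permits(analyst, hr_file, "read"),   # False (no need-to-know)
        "biba_read_down": biba_permits(vetted, untrusted, "read"),   # False (contamination)
        "biba_write_down": biba_permits(vetted, untrusted, "write"), # True
        "biba_write_up": biba_permits(untrusted, vetted, "write"),   # False
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18} -> {'ALLOW' if decision else 'DENY'}")
```

Note that a level comparison alone is not enough: the incomparable case (Secret/CRYPTO against Confidential/HR) is denied even though the level is higher, which is where least privilege and need-to-know enter the lattice.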
Constrained user interfaces
Some systems are designed specifically to restrict what information an individual user can access. The most common example is the bank automated teller machine (ATM), which restricts authorized users to simple account queries, transfers, deposits, and withdrawals.
State machine model
The Bell-La Padula (BLP) confidentiality model is known as a state machine reference model- in other words, a model of an automated system that is able to manipulate its state or status over time.
Brewer-Nash (Chinese wall)
The Brewer-Nash model, commonly known as a "Chinese Wall," is designed to prevent a conflict of interest between two parties. Imagine that a law firm represents two individuals who are involved in a car accident. One sues the other, and the firm has to represent both. To prevent a conflict of interest, the individual attorneys should not be able to access the private information of both litigants. Under the Brewer-Nash model, access depends on history rather than on a fixed clearance: once a user has accessed the data of one party in a conflict-of-interest class, the wall closes and that user can no longer access the data of any other party in the same class.
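Because Brewer-Nash decisions depend on what a subject has already read, the check is stateful. The following added example (not from the original page or any product) keeps that history per subject and applies both the read rule and the write rule; the conflict classes, company names, subjects, and the "sanitized" (public) dataset are constructed sample data.

```python
from collections import defaultdict


class ChineseWall:
    """Brewer-Nash reference monitor: decisions depend on what a subject has already
    read, not on a static clearance."""

    def __init__(self, conflict_classes: dict, sanitized=frozenset()):
        # conflict_classes maps a conflict-of-interest class to the companies inside it.
        self.coi_of = {co: cls for cls, cos in conflict_classes.items() for co in cos}
        self.sanitized = set(sanitized)        # public data: lives outside the wall
        self.history = defaultdict(set)        # subject -> companies whose data it has read

    def can_read(self, subject: str, company: str) -> bool:
        """Simple security rule: allowed if the data is sanitized, or if the subject has
        not yet read any *other* company inside the same conflict-of-interest class."""
        if company in self.sanitized:
            return True
        cls = self.coi_of[company]
        touched = {c for c in self.history[subject] if self.coi_of[c] == cls}
        return touched <= {company}

    def read(self, subject: str, company: str) -> bool:
        """Perform a read; on success the wall closes around the chosen company."""
        if not self.can_read(subject, company):
            return False
        if company not in self.sanitized:
            self.history[subject].add(company)
        return True

    def can_write(self, subject: str, company: str) -> bool:
        """*-property: a write to company X is allowed only if the subject may read X and
        every unsanitized object it has read belongs to X. Otherwise the subject could copy
        company A data into B's dataset, where a colleague working on B could read it."""
        if not self.can_read(subject, company):
            return False
        return all(c == company for c in self.history[subject])


def demo() -> dict:
    """Constructed sample: two conflict classes at a consultancy."""
    wall = ChineseWall(
        {"banks": {"BankA", "BankB"}, "oil": {"OilX", "OilY"}},
        sanitized={"MarketIndex"},
    )
    results = {}
    results["alice_reads_BankA"] = wall.read("alice", "BankA")          # True: first pick
    results["alice_reads_OilX"] = wall.read("alice", "OilX")            # True: other class
    results["alice_reads_BankB"] = wall.read("alice", "BankB")          # False: wall is up
    results["alice_reads_index"] = wall.read("alice", "MarketIndex")    # True: sanitized
    results["alice_writes_OilX"] = wall.can_write("alice", "OilX")      # False: holds BankA data
    results["bob_reads_BankB"] = wall.read("bob", "BankB")              # True
    results["bob_writes_BankB"] = wall.can_write("bob", "BankB")        # True: only BankB read
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20} -> {'ALLOW' if decision else 'DENY'}")
```

The write rule is the part most implementations forget: without it, a consultant who has read BankA's files could still write them into OilX's workspace, and a second consultant working on OilX and BankB would then have an indirect path across the wall.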
COBIT 5 enablers
The COBIT 5 framework also incorporates a series of "enablers" to support the principles: • Principles, policies, and frameworks are the vehicle to translate the desired behavior into practical guidance for day-to-day management. • Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals. • Organizational structures are the key decision-making entities in an enterprise. • Culture, ethics, and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities. • Information is required for keeping the organization running and well governed, but at the operational level, information is very often the key product of the enterprise itself. • Services, infrastructure, and applications include the infrastructure, technology, and applications that provide the enterprise with information technology processing and services.
COSO 5 components
The COSO framework is built on five interrelated components. Again, while COSO is designed to serve as a framework that can describe and analyze internal control systems, some of those internal control systems are on IT systems that incorporate InfoSec controls. COSO's five components are as follows: • Control environment- This is the foundation of all internal control components. The environmental factors include integrity, ethical values, management's operating style, delegation of authority systems, and the processes for managing and developing people in the organization. • Risk assessment- Risk assessment assists in the identification and examination of valid risks to the defined objectives of the organizations. It can also include assessment of risks to information assets. • Control activities- This includes those policies and procedures that support management directives. These activities occur throughout the organization and include approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties. • Information and communication- This encompasses the delivery of reports regulatory, financial, and otherwise. Effective communication should also include those made to third parties and other stakeholders. • Monitoring- Continuous or discrete activities to ensure internal control systems are functioning as expected; internal control deficiencies detected during these monitoring activities should be reported upstream, and corrective actions should be taken to ensure continuous improvement of the system.
Clark-Wilson Integrity Model
The Clark-Wilson integrity model, which is built upon principles of change control rather than integrity levels, was designed for the commercial environment. The change control principles upon which it operates are as follows: • No changes by unauthorized subjects • No unauthorized changes by authorized subjects • The maintenance of internal and external consistency. Internal consistency means that the system does what it is expected to do every time, without exception. External consistency means that the data in the system is consistent with similar data in the outside world. This model establishes a system of subject-program-object relationships such that the subject has no direct access to the object. Instead, the subject is required to access the object using a well-formed transaction via a validated program. The intent is to provide an environment where security can be proven through the use of separated activities, each of which is provably secure. The following controls are part of the Clark-Wilson model: • Subject authentication and identification • Access to objects by means of well-formed transactions • Execution by subjects on a restricted set of programs. The elements of the Clark-Wilson model are: • Constrained data item (CDI): a data item with protected integrity • Unconstrained data item (UDI): data not controlled by Clark-Wilson; nonvalidated input or any output • Integrity verification procedure (IVP): a procedure that scans data and confirms its integrity • Transformation procedure (TP): the only kind of procedure allowed to change a constrained data item. All subjects and objects are labeled with TPs. The TPs operate as the intermediate layer between subjects and objects. Each data item has a set of access operations that can be performed on it. Each subject is assigned a set of access operations that it can perform. The system then compares these two parameters (the subject/TP/CDI access triple) and either permits or denies access by the subject to the object.
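As an added example of the subject-program-object structure described above (not code from the original page or from any real system), the following toy ledger keeps its balances as CDIs that can only be changed through a certified TP, validates an untrusted amount string (a UDI) before it touches a CDI, runs an IVP after every transaction, and logs every attempt. The accounts, users, and amounts are constructed sample data.

```python
class IntegrityViolation(Exception):
    """Raised when a TP would leave the CDIs in a state the IVP rejects."""


class ClarkWilsonLedger:
    """Toy Clark-Wilson system: account balances are CDIs that can only be changed
    through certified transformation procedures (TPs), with an IVP run after each."""

    def __init__(self, balances: dict):
        self._cdi = dict(balances)                      # constrained data items
        self._expected_total = sum(self._cdi.values())  # external fact the IVP checks
        self._tps = {"transfer": self._tp_transfer}     # the restricted set of programs
        self._allowed = set()                           # access triples (user, tp, cdi)
        self.audit = []                                 # every attempt is logged

    def certify(self, user: str, tp_name: str, *cdis: str) -> None:
        """Security-officer action: record that user may run tp_name over these CDIs."""
        for cdi in cdis:
            self._allowed.add((user, tp_name, cdi))

    def balance(self, account: str) -> int:
        return self._cdi[account]                       # read-only view; no direct mutation

    def ivp(self) -> bool:
        """Integrity verification procedure: no negative balance and money is conserved."""
        return (all(v >= 0 for v in self._cdi.values())
                and sum(self._cdi.values()) == self._expected_total)

    def run_tp(self, user: str, tp_name: str, *cdis: str, udi: str = "") -> bool:
        """The only path that mutates CDIs: the well-formed transaction."""
        if tp_name not in self._tps or any(
                (user, tp_name, c) not in self._allowed for c in cdis):
            self.audit.append(("DENY", user, tp_name, cdis, udi))
            return False
        snapshot = dict(self._cdi)
        try:
            self._tps[tp_name](*cdis, udi=udi)
            if not self.ivp():
                raise IntegrityViolation("IVP failed after TP")
        except (IntegrityViolation, KeyError, ValueError) as exc:
            self._cdi = snapshot                        # roll back to the last valid state
            self.audit.append(("ROLLBACK", user, tp_name, cdis, udi, str(exc)))
            return False
        self.audit.append(("OK", user, tp_name, cdis, udi))
        return True

    def _tp_transfer(self, src: str, dst: str, udi: str) -> None:
        """TP: validate the UDI (an untrusted amount string) before it touches CDIs."""
        amount = int(udi)                               # ValueError on garbage -> rolled back
        if amount <= 0 or self._cdi[src] < amount:
            raise ValueError("amount must be positive and covered by the source balance")
        self._cdi[src] -= amount
        self._cdi[dst] += amount


def demo() -> dict:
    """Constructed sample: a teller certified for transfers, an intern who is not."""
    ledger = ClarkWilsonLedger({"alice": 100, "bob": 50})
    ledger.certify("teller", "transfer", "alice", "bob")
    results = {
        "teller_ok": ledger.run_tp("teller", "transfer", "alice", "bob", udi="30"),          # True
        "teller_overdraw": ledger.run_tp("teller", "transfer", "alice", "bob", udi="500"),   # False
        "teller_garbage": ledger.run_tp("teller", "transfer", "alice", "bob", udi="30; x"),  # False
        "intern_denied": ledger.run_tp("intern", "transfer", "alice", "bob", udi="1"),       # False
    }
    results["balances"] = (ledger.balance("alice"), ledger.balance("bob"))  # (70, 80)
    results["ivp"] = ledger.ivp()                                          # True
    results["audit_entries"] = len(ledger.audit)                           # 4
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The intern's attempt fails the access-triple check before any code touches a balance, which is the "no changes by unauthorized subjects" rule; the overdraw and the malformed amount fail inside the TP and are rolled back, which is the "no unauthorized changes by authorized subjects" rule.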
Graham-Denning Access Control Model
The Graham-Denning access control model has three parts: a set of objects, a set of subjects, and a set of rights. The subjects are composed of two things: a process and a domain. The domain is the set of constraints controlling how subjects may access objects. The set of rights governs how subjects may manipulate the passive objects. This model describes eight primitive protection rights, called commands, which subjects can execute to have an effect on other subjects or objects. Note that these are similar to the rights a user can assign to an entity in modern operating systems
Harrison-Ruzzo-Ullman (HRU) model
The Harrison-Ruzzo-Ullman (HRU) model defines a method to allow changes to access rights and the addition and removal of subjects and objects, a process that the BLP model does not. Because systems change over time, their protective states need to change. HRU is built on an access control matrix and includes a set of generic rights and a specific set of commands. These include: • Create subject/create object • Enter right X into • Delete right X from • Destroy subject/destroy object By implementing this set of rights and commands and restricting the commands to a single operation each, it is possible to determine if and when a specific subject can obtain a particular right to an object.
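Both the Graham-Denning entries above and the HRU entry describe the same underlying object: an access control matrix that changes through conditional commands built from a few primitive operations. The following added example (not from the original page, and not a model of any real operating system) implements the HRU primitives on a matrix and layers the Graham-Denning grant, transfer, and delete commands on top, using a copy flag (written here as a trailing `*`, a notation chosen for this example) to mark a right that may be transferred. The subjects and file name are constructed sample data.

```python
class ProtectionSystem:
    """Access-control matrix M[subject][object] -> set of rights, in the HRU style.
    The six primitive operations are unconditional; commands wrap them in the
    conditions that make up a policy (only owners grant, only copyable rights move)."""

    def __init__(self):
        self.m = {}            # subject -> {object -> set(rights)}; subjects are objects too
        self.objects = set()

    # ---- HRU primitive operations -------------------------------------------------
    def create_subject(self, s):
        self.m[s] = {}
        self.objects.add(s)

    def create_object(self, o):
        self.objects.add(o)

    def destroy_subject(self, s):
        del self.m[s]
        self.destroy_object(s)

    def destroy_object(self, o):
        self.objects.discard(o)
        for row in self.m.values():
            row.pop(o, None)

    def enter_right(self, r, s, o):
        if s not in self.m or o not in self.objects:
            raise KeyError("subject or object does not exist")
        self.m[s].setdefault(o, set()).add(r)

    def delete_right(self, r, s, o):
        self.m.get(s, {}).get(o, set()).discard(r)

    def rights(self, s, o):
        return set(self.m.get(s, {}).get(o, set()))

    # ---- commands: a condition followed by a sequence of primitives ---------------
    def cmd_create_file(self, s, f):
        """create object f; enter 'own' into M[s][f] (the creator becomes owner)."""
        self.create_object(f)
        self.enter_right("own", s, f)

    def cmd_grant(self, owner, grantee, o, r):
        """Graham-Denning 'grant': if 'own' in M[owner][o] then enter r into M[grantee][o]."""
        if "own" not in self.rights(owner, o):
            return False
        self.enter_right(r, grantee, o)
        return True

    def cmd_transfer(self, src, dst, o, r):
        """Graham-Denning 'transfer': needs the copy flag r* in M[src][o]; the copy is
        installed without the flag, so it cannot propagate a second time."""
        if r + "*" not in self.rights(src, o):
            return False
        self.enter_right(r, dst, o)
        return True

    def cmd_revoke(self, owner, victim, o, r):
        """Graham-Denning 'delete access right': only the owner may remove r (and r*)."""
        if "own" not in self.rights(owner, o):
            return False
        self.delete_right(r, victim, o)
        self.delete_right(r + "*", victim, o)
        return True


def demo() -> dict:
    """Constructed sample: alice owns a file and hands out read rights."""
    ps = ProtectionSystem()
    for s in ("alice", "bob", "carol", "dave"):
        ps.create_subject(s)
    ps.cmd_create_file("alice", "plan.txt")
    return {
        "bob_grants_without_own": ps.cmd_grant("bob", "carol", "plan.txt", "read"),       # False
        "alice_grants_read_copy": ps.cmd_grant("alice", "bob", "plan.txt", "read*"),     # True
        "bob_transfers_to_carol": ps.cmd_transfer("bob", "carol", "plan.txt", "read"),   # True
        "carol_transfers_to_dave": ps.cmd_transfer("carol", "dave", "plan.txt", "read"), # False
        "alice_revokes_bob": ps.cmd_revoke("alice", "bob", "plan.txt", "read"),          # True
        "bob_rights_after": ps.rights("bob", "plan.txt"),                                # set()
        "carol_rights_after": ps.rights("carol", "plan.txt"),                            # {'read'}
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24} -> {value}")
```

The last two results show the safety question HRU is about: revoking bob's right does not recall the copy carol already holds, so whether dave can ever obtain `read` depends on the full set of commands, not on any one cell. HRU's central result is that for general command sets this question is undecidable; it becomes decidable only when every command performs a single primitive operation (mono-operational systems).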
ITIL
The Information Technology Infrastructure Library (ITIL) is a collection of methods and practices for managing the development and operation of IT infrastructures. It has been produced as a series of books, each of which covers an IT management topic. The names "ITIL" and "IT Infrastructure Library" are registered trademarks, originally of the United Kingdom's Office of Government Commerce (OGC) and held by AXELOS since 2013. Because ITIL includes a detailed description of many significant IT-related practices, it can be tailored to many IT organizations.
Separation of duties
The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them.
Access Control
The selective method by which systems specify who may use a particular resource and how they may use it. Access controls regulate the admission of users into trusted areas of the organization, both logical access to information systems and physical access to the organization's facilities. Access control is maintained by means of a collection of policies, programs to carry out those policies, and technologies that enforce the policies. The general application of access control comprises four processes: obtaining the identity of the entity requesting access to a logical or physical area (identification); confirming the identity of the entity seeking access to a logical or physical area (authentication); determining which actions an authenticated entity can perform in that physical or logical area (authorization); and finally, documenting the activities of the authorized individual and systems (accountability).
Trusted computing base (TCB)
Under TCSEC, the combination of all hardware, firmware, and software responsible for enforcing the security policy. In this context, "security policy" refers to the rules of configuration for a system rather than a managerial guidance document. TCB is only as effective as its internal control mechanisms and the administration of the systems being configured. TCB is made up of the hardware and software that has been implemented to provide security for a particular information system. This usually includes the operating system kernel and a specified set of security utilities, such as the user login subsystem. The term "trusted" can be misleading- in this context, it means that a component is part of TCB's security system, not that it is necessarily trustworthy. The frequent discovery of flaws and the delivery of patches by software vendors to remedy security vulnerabilities attest to the relative level of trust you can place in current generations of software.
Executive Order 13526
Corporate and military organizations use a variety of classification schemes. As you might expect, the U.S. military classification scheme is a more complex categorization system than the schemes of most corporations. The military is perhaps the best-known user of data classification schemes. It has invested heavily in InfoSec, operations security (OpSec), and communications security (ComSec). In fact, many developments in communications and InfoSec are the result of Department of Defense (DoD) and military-sponsored research and development. For most information, the U.S. government uses a three-level classification scheme (Confidential, Secret, Top Secret) for information deemed to be National Security Information (NSI), as defined in Executive Order 13526, signed in 2009.