BCIS 4740 MOD 3 / 4
The ISSP:
(1) addresses specific areas of technology, (2) requires frequent updates, and (3) contains a statement on the organization's position on a specific issue.
Defense in Depth
- Implementation of security in layers; requires that organizations establish multiple layers of security controls and safeguards, so that no single control is the only thing standing between an attacker and an asset.
Security Perimeter
- Border of security protecting internal systems from outside threats. - Does not protect against internal attacks from employees or against onsite physical threats.
How many high-level information security governance principles are specified in ISO 27014:2013?
6
What does the organization have after the risk assessment process is complete?
A list of information assets with currently unacceptable levels of risk that require an appropriate strategy to be selected and applied for each asset.
NIST Risk Management Framework (RMF) emphasizes...
Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls; maintaining awareness of the security state of those systems; and providing essential information to senior leaders so they can make risk-based decisions.
For policies to be effective and legally defensible, the following must be done properly:
Development, dissemination, reading, comprehension, compliance, and (uniform) enforcement
What are the two areas typically addressed by an Enterprise Information Security Policy (EISP) regarding compliance?
Ensuring that the requirements to establish the security program and assign responsibilities for it are met; specifying the penalties and disciplinary action that apply to noncompliance.
Different types of security policy:
Enterprise information security policy (EISP); issue-specific security policy (ISSP); systems-specific security policy (SysSP)
What are the high level information sec principles?
Establish organization-wide information security. Adopt a risk-based approach. Set the direction of investment decisions. Ensure conformance with internal and external requirements. Foster a security-positive environment. Review performance in relation to business outcomes.
Communities of interest are responsible for
Evaluating current and proposed risk controls; determining which control options are cost-effective for the organization; acquiring or installing the needed controls; ensuring that the controls remain effective
RM framework consists of key stages:
Executive governance and support; framework design; framework implementation; framework monitoring and review; continuous improvement
Other sources of security framework
Federal Agency Security Practices (FASP), CERT/CC, and the International Association of Professional Security Consultants (IAPSC)
NIST Cybersecurity Framework Fundamental components
Framework core, Framework tiers, Framework profile
What tasks does NIST SP 800-30, Rev. 1 recommend performing to prepare for the risk process?
Identify the purpose of the assessment; Identify the scope of the assessment; Identify the assumptions and constraints associated with the assessment; Identify the sources of information to be used as inputs to the assessment; Identify the risk model and analytic approaches.
Level of Controls (design of security Arch)
Management controls, Operational controls, Technical Controls
Systems-specific policies fall into two groups:
Managerial guidance Technical specifications
Risk Evaluation:
Once the risk ratings are calculated for all TVA triples, the organization needs to decide whether it can live with the analyzed level of risk.
EISP Elements
Overview of the corporate philosophy on security; information on the structure of the organization; fully articulated responsibilities for security that are shared by all members of the organization; responsibilities for security that are unique to each role in the organization
Framework tiers: help relate the maturity of security programs and implement corresponding measures and functions
Partial, Risk Informed, Repeatable, Adaptive
InfoSec management six P's
Planning, Policy, Programs, Protection, People, Project Management
Seven step approach to implementing / improving programs:
Prioritize and scope; orient; create a current profile; conduct a risk assessment; create a target profile; determine, analyze, and prioritize gaps; implement the action plan
Policies must be managed; to remain viable, security policies must have....
A responsible manager (policy administrator); a schedule of reviews; review procedures and practices; policy and revision dates; and, ideally, automated policy management
What is the process that follows the risk assessment in the risk management (RM) process?
Risk response or risk control
What is another name for the process of treating unacceptable risk?
Risk treatment
A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance, is known as a(n) _____.
STANDARD
Enterprise Information Security Policy
Sets strategic direction, scope, and tone for all security efforts within the organization
Vulnerability Assessment
Identifies the specific avenues threat agents can exploit to attack an information asset. The process works best when people with diverse backgrounds from across the organization work on it iteratively.
T or F: Everyone in an organization needs to be trained and aware of information security; not every member needs a formal degree or certificate in security.
TRUE
Risk tolerance (risk threshold):
The assessment of the amount of risk an organization is willing to accept for a particular information asset
Risk Appetite
The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.
Residual risk:
The risk to information assets that remains even after current controls have been applied.
T OR F: If a vulnerability is fully managed by an existing control, it can be set aside.
True
T or F: If it is partially controlled, you can estimate what percentage of the vulnerability has been controlled.
True
T or F: The goal of information security is to bring residual risk in alignment with risk appetite.
True
Can the goals and objectives of the InfoSec management team sometimes conflict with those of the IT management team?
Yes, some of the InfoSec management team's goals and objectives may be contrary to or require resolution with the goals of the IT management team
Operational Controls....
address personnel security, physical security, and the protection of production inputs/outputs.
Framework Monitoring and Review
After implementation, the framework team continues to monitor and review the utility of the framework and adjusts it as the organization's risks change.
Risk treatment (risk control):
application of safeguards or controls that reduce the risks to an organization's information assets to an acceptable level.
What is information security governance?
application of the principles and practices of corporate governance to the information security function, emphasizing the responsibility of the board of directors and/or senior management for the oversight of information security in the organization.
Technical Controls....
are the tactical and technical implementations related to designing and integrating security in the organization.
The identification, analysis, and evaluation of risk as initial parts of risk management is known as risk _____.
assessment
risk analysis
assesses the relative risk for each vulnerability and assigns a risk rating or score to each information asset.
The process that seeks to teach members of the organization what security is and what the employee should do in some situations is known as security _____.
awareness
information security blueprint
basis for design, selection, and implementation of all security elements.
At the end of the risk identification process, a prioritized list of assets with their vulnerabilities is achieved, which can ....
be combined with a weighted list of threats to form a threats-vulnerabilities-assets (TVA) worksheet
Who is responsible for drafting an Enterprise Information Security Policy (EISP)?
The chief information officer (CIO) of the organization.
security education, training, and awareness (SETA) program...
A control measure designed to reduce accidental security breaches; it enhances security by improving awareness, developing skills and knowledge, and building in-depth knowledge.
Framework Design
designing the RM process by which the organization will understand its current levels of risk and determine what, if anything, it needs to do to bring those levels down
Risk assessment:
determination of the extent to which an organization's information assets are exposed to risk.
What do policies direct in information security?
direct how issues should be addressed and how technologies should be used.
If residual risk is less than risk appetite,
document the results and proceed to the latter stages of risk management.
Practices, procedures, and guidelines ....
effectively explain how to comply with policy.
What is the purpose of information security governance?
ensure that the organization's information security policies and practices align with its overall strategic objectives and goals.
What are the goals and objectives of the InfoSec management team?
ensuring the confidentiality, integrity, and availability of information
Risk management by...
executing appropriate measures to manage and mitigate threats to information resources
How do the goals and objectives of the InfoSec management team differ from those of the IT and general management communities?
focused on the secure operation of the organization
Spheres of security
foundation of the security framework
Risk management (RM) plan
The framework team creates a formal document that defines the organization's risk appetite and lays out how the RM process will be carried out.
leadership of the information security function that delivers strategic planning and corporate responsibility is best accomplished using an approach industry refers to as....
governance, risk management, and compliance (GRC)
What is the purpose of NIST SP 800-30, Rev. 1?
guide for conducting risk assessments.
Configuration rule policies govern....
how a security system reacts to the data it receives.
The first operational phase of the RM process is ....
identification of risk: identify information assets; classify them; categorize them into useful groups; prioritize them by overall importance
Once the probability of an attack by a threat has been evaluated, the organization typically looks at the possible ......
impact or consequences of a successful attack.
Common approaches when creating and managing ISSP's
Independent ISSP documents, each tailored to a specific issue; a single comprehensive ISSP document that covers all issues; a modular ISSP document that unifies policy creation and administration while maintaining each specific issue's requirements
Framework Implementation
Influenced by the organization's risk appetite. Methods include: desk check, pilot test, phased approach, direct cutover
RM framework
is the overall structure of the strategic planning and design for the entirety of the organization's RM efforts. (planning)
Once the likelihood and impact are known, the organization can perform...
risk determination, using a formula that seeks to quantify certain risk elements.
What are some characteristics of security policies as controls?
least expensive controls to execute but most difficult to implement properly.
If residual risk is greater than risk appetite....
look for treatment strategies to further reduce the risk.
Performance measurement by
measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved
Standards are...
more detailed statements of what must be done to comply with policy EX: "The password must be at least 10 characters with at least one of each of these: uppercase letter, lowercase letter, number, and special character."
RM Policy
much like the enterprise information security policy (EISP), is a strategic document that formalizes much of the intent of the governance group.
Information security safeguards focus on lower-level planning that deal with the functionality of the organization's security; they include disaster recovery planning, incident response planning, and SETA programs and are collectively called _____ controls.
operational
Value delivery by
optimizing information security investments in support of organizational objectives
Policy functions as...
organizational law that dictates acceptable and unacceptable behavior EX: "Use strong passwords, frequently changed."
Likelihood
overall rating—a numerical value on a defined scale—of the probability that a specific vulnerability will be exploited or attacked, commonly referred to as a threat event.
The final step in the risk identification process is to....
prioritize (rank-order) the assets, which is achieved by weighted table analysis (weighted factor analysis)
When performing risk identification, which of these steps is performed last?
prioritizing
Risk management:
process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.
What is the purpose of an organizational security policy in the ISO 27000 series?
Provide management direction and support; give recommendations for information security management with the goal of certification; provide a starting point for developing organizational security
Access control lists (ACLs) can
restrict access for a particular user, computer, time, duration —even a particular file.
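The ACL behavior described above, as an added example that is not part of the course material: a deny-by-default, first-match ACL evaluator in which each entry can be limited to a user, a source computer, a file path pattern, a daily time window (including windows that cross midnight), and an expiry instant that models a grant of limited duration. The user names, host names, file paths, and the whole sample ACL are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass
class AclEntry:
    """One access control entry. '*' matches any subject or host."""
    subject: str                        # user name
    host: str                           # computer the request comes from
    path: str                           # file path, may use shell-style globs
    action: str                         # "read" or "write"
    allow: bool                         # True = permit, False = explicit deny
    start: Optional[time] = None        # daily window start (inclusive); None = any time
    end: Optional[time] = None          # daily window end (exclusive)
    expires: Optional[datetime] = None  # grant is void at/after this instant (limited duration)


def in_window(entry: AclEntry, when: datetime) -> bool:
    """True if the request time falls inside the entry's daily window."""
    if entry.start is None or entry.end is None:
        return True
    t = when.time()
    if entry.start <= entry.end:
        return entry.start <= t < entry.end
    return t >= entry.start or t < entry.end   # window crosses midnight, e.g. 22:00-02:00


def matches(entry: AclEntry, subject: str, host: str, path: str, action: str, when: datetime) -> bool:
    """True if every restriction on the entry is satisfied by this request."""
    return (entry.subject in ("*", subject)
            and entry.host in ("*", host)
            and fnmatchcase(path, entry.path)
            and entry.action == action
            and in_window(entry, when)
            and (entry.expires is None or when < entry.expires))


def check_access(acl: List[AclEntry], subject: str, host: str, path: str, action: str, when: datetime) -> bool:
    """The first matching entry decides; no match means deny (deny by default)."""
    for entry in acl:
        if matches(entry, subject, host, path, action, when):
            return entry.allow
    return False


# Constructed sample ACL for a payroll share (hypothetical users, hosts and paths).
PAYROLL_ACL = [
    # Explicit deny for a contractor account, listed first so it wins over the general read rule.
    AclEntry("bob", "*", "/srv/payroll/*", "read", allow=False),
    # HR staff may write, but only from the HR workstation during business hours.
    AclEntry("alice", "hr-ws01", "/srv/payroll/*", "write", allow=True, start=time(8, 0), end=time(18, 0)),
    # Anyone may read during business hours.
    AclEntry("*", "*", "/srv/payroll/*", "read", allow=True, start=time(8, 0), end=time(18, 0)),
    # Temporary overnight grant for an operator to read one specific file while a migration runs.
    AclEntry("carol", "ops-jump", "/srv/payroll/backup.log", "read", allow=True,
             start=time(22, 0), end=time(2, 0), expires=datetime(2024, 7, 1)),
]


if __name__ == "__main__":
    when = datetime(2024, 6, 3, 10, 0)
    print(check_access(PAYROLL_ACL, "alice", "hr-ws01", "/srv/payroll/june.xlsx", "write", when))  # True
    print(check_access(PAYROLL_ACL, "alice", "laptop-7", "/srv/payroll/june.xlsx", "write", when))  # False
```

Entry order matters under first-match evaluation: the explicit deny for the contractor sits above the general read rule, which is the usual way to express an exception in an ACL. The request from an unlisted host fails not because of an explicit deny but because nothing matches and the default is deny.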
Risk Determination Formula:
Risk equals the likelihood of a threat event (attack) occurring, multiplied by its impact (consequence), plus or minus an element of uncertainty that reflects how confident the analyst is in the likelihood and impact estimates.
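The risk determination formula, the partial-control adjustment (estimating what percentage of a vulnerability existing controls already cover), and the risk evaluation step (setting aside fully controlled vulnerabilities, accepting risk that falls under the risk appetite, and queuing the rest for treatment) carried through as one worked example. This is added code, not part of the course material; the worksheet entries, the risk appetite value, and the choice to express uncertainty as a percentage of the rating are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class TvaEntry:
    """One threat-vulnerability-asset (TVA) triple from the worksheet."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: float      # probability rating, 0.1 (rare) to 1.0 (certain)
    impact: float          # impact / asset-value rating on a 1-100 scale
    pct_controlled: float  # share of the vulnerability already mitigated by existing controls, 0.0-1.0
    uncertainty: float     # analyst's confidence margin as a fraction of the rating, 0.0-1.0


def risk_rating(e: TvaEntry) -> Tuple[float, float, float]:
    """Return (residual, low, high) ratings for one triple.

    residual = likelihood x impact, reduced by the share already controlled;
    low/high apply the uncertainty element as plus/minus a fraction of the
    residual (assumption: uncertainty is expressed as a percentage of the
    rating, since the course notes do not fix its units).
    """
    for name, value in (("pct_controlled", e.pct_controlled), ("uncertainty", e.uncertainty)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} out of range for {e.asset} / {e.vulnerability}")
    base = e.likelihood * e.impact
    residual = base * (1.0 - e.pct_controlled)
    margin = residual * e.uncertainty
    return residual, residual - margin, residual + margin


def evaluate_worksheet(worksheet: List[TvaEntry], risk_appetite: float) -> List[Dict]:
    """Rate every triple, rank by worst-case rating, and record a decision.

    Risk evaluation rule: a fully controlled vulnerability is set aside; if
    even the high estimate fits under the risk appetite the risk is accepted
    and documented; otherwise a treatment strategy must be selected.
    """
    rows = []
    for e in worksheet:
        residual, low, high = risk_rating(e)
        if e.pct_controlled >= 1.0:
            decision = "set aside (fully controlled)"
        elif high <= risk_appetite:
            decision = "accept and document"
        else:
            decision = "treat"
        rows.append({
            "asset": e.asset, "threat": e.threat, "vulnerability": e.vulnerability,
            "residual": round(residual, 2), "low": round(low, 2), "high": round(high, 2),
            "decision": decision,
        })
    # Rank-order by worst case so the treatment queue starts with the largest exposure.
    rows.sort(key=lambda r: r["high"], reverse=True)
    return rows


# Constructed sample worksheet (not real data): four triples for a small organization.
SAMPLE_WORKSHEET = [
    TvaEntry("Customer DB", "Theft of customer records", "SQL injection in web app",
             likelihood=0.5, impact=100, pct_controlled=0.5, uncertainty=0.1),
    TvaEntry("Customer DB", "Loss of data", "No off-site backups",
             likelihood=0.2, impact=100, pct_controlled=0.0, uncertainty=0.2),
    TvaEntry("Public web server", "Defacement", "Unpatched CMS plugin",
             likelihood=0.8, impact=30, pct_controlled=1.0, uncertainty=0.1),
    TvaEntry("Staff laptops", "Theft of device", "No full-disk encryption",
             likelihood=0.3, impact=40, pct_controlled=0.25, uncertainty=0.0),
]
RISK_APPETITE = 20.0   # assumed: the governance group's documented ceiling on the same scale


if __name__ == "__main__":
    for r in evaluate_worksheet(SAMPLE_WORKSHEET, RISK_APPETITE):
        print(f"{r['high']:6.1f}  {r['decision']:<30} {r['asset']} / {r['vulnerability']}")
```

Comparing the high (worst-case) estimate against the appetite is a deliberately conservative choice: a triple whose best-case rating fits under the appetite but whose worst case does not still goes to treatment, which is where the uncertainty element earns its place in the formula. Raising the appetite in the call (for example to 30.0) leaves nothing to treat in this sample, which is exactly the kind of sensitivity a reviewer should look at before the governance group signs off on an appetite figure.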
An information security policy provides...
rules for protection of the organization's information assets.
What is ISO 27014:2013?
The ISO 27000 series standard for Governance of Information Security.
Framework core:
set of information security activities an organization is expected to perform and their desired results: Identify, Protect, Detect, Respond, Recover
Management Controls...
set the direction and scope of the security processes and provide detailed instructions for its conduct.
What is the purpose of strategic planning in an organization?
sets the long-term direction to be taken by the organization and each of its component parts. It guides organizational efforts and focuses resources toward specific, clearly defined goals.
What are some requirements for effective security policies?
should never contradict law, must be able to stand up in court, and must be properly administered.
information security framework
specification to be followed during the design, selection, and implementation of security controls.
What is the ISO 27000 series?
standard framework for information security that is one of the most widely referenced security models.
SysSPs often function as...
standards or procedures used when configuring or maintaining systems.
RM process
the implementation of risk management, as specified in the framework. (doing)
Risk identification:
the recognition, enumeration, and documentation of risks to an organization's information assets.
risk analysis goal
to develop a repeatable method to evaluate the relative risk of each vulnerability that has been identified and added to the list.
Framework Profile:
used to perform a gap analysis between the current state and a desired state of information security/risk management
Resource management by
using information security knowledge and infrastructure efficiently and effectively
information security model
well-recognized framework promoted by a government agency, standards organization, or industry group.
Strategic alignment of information security...
with business strategy to support organizational objectives
Information security, information technology, and business management and users all must...
work together