BCIS 4740 MOD 3 / 4

The ISSP:

(1) addresses specific areas of technology (2) requires frequent updates, (3) contains a statement on the organization's position on a specific issue

Defense in Depth

- implementation of security layers - requires that organizations establish multiple layers of security controls safeguards

Security Perimeter

-Border of security protecting internal systems from outside threats -Does not protect against internal attacks from employee threats or onsite physical threats

How many high-level information security governance principles are specified in ISO 27014:2013?

6

What does the organization have after the risk assessment process is complete?

A list of information assets with currently unacceptable levels of risk that require an appropriate strategy to be selected and applied for each asset.

NIST Risk Management Framework (RMF) emphasizes...

Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls Maintaining awareness of the security state Providing essential information to senior leaders

For policies to be effective and legally defensible, the following must be done properly:

Development, Dissemination, reading, comprehension, compliance, enforcement

What are the two areas typically addressed by an Enterprise Information Security Policy (EISP) regarding compliance?

Ensure meeting of requirements to establish program and assigning responsibilities Use of specified penalties and disciplinary action

Different types of security policy:

Enterprise information security Issue-specific security systems-specific security

What are the high level information sec principles?

Establish organization-wide information security. Adopt a risk-based approach. Set the direction of investment decisions. Ensure conformance with internal and external requirements. Foster a security-positive environment. Review performance in relation to business outcomes.

Communities of interest are responsible for

Evaluating current and proposed risk controls Determining which control options are cost-effective for the organization Acquiring or installing the needed controls Ensuring that the controls remain effective

RM framework consists of key stages:

Executive governance and support Framework design Framework implementation Framework monitoring and review Continuous improvement

Other sources of security framework

FASP (CERT/CC) IAPSC

NIST Cybersecurity Framework Fundamental components

Framework core, Framework tiers, Framework profile

What tasks does NIST SP 800-30, Rev. 1 recommend performing to prepare for the risk process?

Identify the purpose of the assessment; Identify the scope of the assessment; Identify the assumptions and constraints associated with the assessment; Identify the sources of information to be used as inputs to the assessment; Identify the risk model and analytic approaches.

Level of Controls (design of security Arch)

Management controls, Operational controls, Technical Controls

Systems-specific policies fall into two groups:

Managerial guidance Technical specifications

Risk Evaluation:

Once the risk ratings are calculated for all TVA triples, the organization needs to decide whether it can live with the analyzed level of risk.

EISP Elements

Overview of corporate philosophy on security Information on the structure of the organization fully articulated responsibilities for security shared by all members / security unique to each role in org

Framework tiers: help relate the maturity of security programs and implement corresponding measures and functions

Partial Risk Informed Repeatable Adaptive

InfoSec management six P's

Planning, Policy, Programs, Protection, People, Project Management

Seven step approach to implementing / improving programs:

Prioritize and scope Orient Create current profile Conduct risk assessment Create target profile Determine, analyze, prioritize gaps Implement action

Policies must be managed, to remain viable, security policies must have....

Responsible manager/policy administrator Schedule of reviews Review procedures and practices Policy and revision dates Automated policy management

What is the process that follows the risk assessment in the risk management (RM) process?

Risk response or risk control

What is another name for the process of treating unacceptable risk?

Risk treatment

A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance, is known as a(n) _____.

STANDARD

Enterprise Information Security Policy

Sets strategic direction, scope, and tone for all security efforts within the organization

Vulnerability Assessment

Specific avenues threat agents can exploit to attack an information asset process works best when people with diverse backgrounds within an organization work iteratively

T or F: Everyone in an organization needs to be trained and aware of information security; not every member needs a formal degree or certificate in security.

TRUE

Risk tolerance (risk threshold):

The assessment of the amount of risk an organization is willing to accept for a particular information asset

Risk Appetite

The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.

Residual risk:

The risk to information assets that remains even after current controls have been applied.

T OR F: If a vulnerability is fully managed by an existing control, it can be set aside.

True

T or F: If it is partially controlled, you can estimate what percentage of the vulnerability has been controlled.

True

T or F: The goal of information security is to bring residual risk in alignment with risk appetite.

True

Can the goals and objectives of the InfoSec management team sometimes conflict with those of the IT management team?

Yes, some of the InfoSec management team's goals and objectives may be contrary to or require resolution with the goals of the IT management team

Operational Controls....

address personnel security, physical security, and the protection of production inputs/outputs.

Framework Monitoring and Review

after implementation, framework team continues to monitor and reviewing the utility

Risk treatment (risk control):

application of safeguards or controls that reduce the risks to an organization's information assets to an acceptable level.

What is information security governance?

application of the principles and practices of corporate governance to the information security function, emphasizing the responsibility of the board of directors and/or senior management for the oversight of information security in the organization.

Technical Controls....

are the tactical and technical implementations related to designing and integrating security in the organization.

The identification, analysis, and evaluation of risk as initial parts of risk management is known as risk _____.

assesment

risk analysis

assesses the relative risk for each vulnerability and assigns a risk rating or score to each information asset.

The process that seeks to teach members of the organization what security is and what the employee should do in some situations is known as security _____.

awareness

information security blueprint

basis for design, selection, and implementation of all security elements.

At the end of the risk identification process, a prioritized list of assets with their vulnerabilities is achieved, which can ....

be combined with weighted list of threats to form threats-vulnerabilities-assets (TVA) worksheet

Who is responsible for drafting an Enterprise Information Security Policy (EISP)?

chief information officer (CIO) of the organization.

security education, training, and awareness (SETA) program...

control measure designed to reduce accidental security breaches. enhances security by improving awareness, developing skills and knowledge, and building in-depth knowledge.

Framework Design

designing the RM process by which the organization will understand its current levels of risk and determine what, if anything, it needs to do to bring those levels down

Risk assessment:

determination of the extent to which an organization's information assets are exposed to risk.

What do policies direct in information security?

direct how issues should be addressed and how technologies should be used.

If residual risk is less than risk appetite,

document the results and proceed to the latter stages of risk management.

Practices, procedures, and guidelines ....

effectively explain how to comply with policy.

What is the purpose of information security governance?

ensure that the organization's information security policies and practices align with its overall strategic objectives and goals.

What are the goals and objectives of the InfoSec management team?

ensuring the confidentiality, integrity, and availability of information

Risk management by...

executing appropriate measures to manage and mitigate threats to information resources

How do the goals and objectives of the InfoSec management team differ from those of the IT and general management communities?

focused on the secure operation of the organization

Spheres of security

foundation of the security framework

Risk management (RM) plan

framework team creates a formal document and define the organization's risk appetite

leadership of the information security function that delivers strategic planning and corporate responsibility is best accomplished using an approach industry refers to as....

governance, risk management, and compliance (GRC)

What is the purpose of NIST SP 800-30, Rev. 1?

guide for conducting risk assessments.

Configuration rule policies govern....

how security system reacts to received data.

The first operational phase of the RM process is ....

identification of risk - identify information assets - classify them - categorize them into useful groups - prioritize them by overall importance

Once the probability of an attack by a threat has been evaluated, the organization typically looks at the possible ......

impact or consequences of a successful attack.

Common approaches when creating and managing ISSP's

independent ISSP documents, each tailored to a specific issue A single comprehensive ISSP document that covers all issues A modular ISSP document that unifies policy creation and administration while maintaining each specific issue's requirements

Framework Implementation

influenced by organizations risk appetite. methods include: Desk Check Pilot Test Phased Approach Direct Cutover

RM framework

is the overall structure of the strategic planning and design for the entirety of the organization's RM efforts. (planning)

Once the likelihood and impact are known, the organization can perform...

isk determination using a formula that seeks to quantify certain risk elements.

What are some characteristics of security policies as controls?

least expensive controls to execute but most difficult to implement properly.

If residual risk is greater than risk....

look for treatment strategies to further reduce the risk.

Performance measurement by

measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved

Standards are...

more detailed statements of what must be done to comply with policy EX: "The password must be at least 10 characters with at least one of each of these: uppercase letter, lowercase letter, number, and special character."

RM Policy

much like the enterprise information security policy (EISP), is a strategic document that formalizes much of the intent of the governance group.

Information security safeguards focus on lower-level planning that deal with the functionality of the organization's security; they include disaster recovery planning, incident response planning, and SETA programs and are collectively called _____ controls.

operational

Value delivery by

optimizing information security investments in support of organizational objectives

Policy functions as...

organizational law that dictates acceptable and unacceptable behavior EX: "Use strong passwords, frequently changed."

Likelihood

overall rating—a numerical value on a defined scale—of the probability that a specific vulnerability will be exploited or attacked, commonly referred to as a threat event.

The final step in the risk identification process is to....

prioritize assets or rank order the assets achieved by weighted table analysis

When performing risk identification, which of these steps is performed last?

prioritizing

Risk management:

process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.

What is the purpose of an organizational security policy in the ISO 27000 series?

provide management direction and support give recommendations for information security management with the goal of certification Provides a starting point for developing organizational security

Access control lists (ACLs) can

restrict access for a particular user, computer, time, duration —even a particular file.

Risk Determination Formula:

risk equals likelihood of threat event (attack) occurrence multiplied by impact (or consequence), plus or minus an element of uncertainty.

An information security policy provides...

rules for protection of the organization's information assets.

What is ISO 27014:2013?

series standard for Governance of Information Security.

Framework core:

set of information security activities an organization is expected to perform and their desired results: Identify Protect Detect Respond Recovery

Management Controls...

set the direction and scope of the security processes and provide detailed instructions for its conduct.

What is the purpose of strategic planning in an organization?

sets the long-term direction to be taken by the organization and each of its component parts. It guides organizational efforts and focuses resources toward specific, clearly defined goals.

What are some requirements for effective security policies?

should never contradict law, must be able to stand up in court, and must be properly administered.

information security framework

specification to be followed during the design, selection, and implementation of security controls.

What is the ISO 27000 series?

standard framework for information security that is one of the most widely referenced security models.

SysSPs often function as...

standards or procedures used when configuring or maintaining systems.

RM process

the implementation of risk management, as specified in the framework. (doing)

Risk identification:

the recognition, enumeration, and documentation of risks to an organization's information assets.

risk analysis goal

to develop a repeatable method to evaluate the relative risk of each vulnerability that has been identified and added to the list.

Framework Profile:

used to perform a gap analysis between the current state and a desired state of information security/risk management

Resource management by

using information security knowledge and infrastructure efficiently and effectively

information security model

well-recognized framework promoted by a government agency, standards organization, or industry group.

Strategic alignment of information security...

with business strategy to support organizational objectives

Information security, information technology, and business management and users all must...

work together