Ch.3.1
What are the change control process steps?
1.) Identify the need for a change and submit it for approval. 2.) Conduct a feasibility analysis, including technical and budgetary considerations. 3.) Design the method for implementing the change. 4.) Implement the change. 5.) Test the implementation to make sure it conforms to the plan and that the change does not adversely affect confidentiality, integrity, and accessibility. 6.) Document the change. 7.) Analyze feedback.
Under the direction of senior management, security professionals establish specific policies and plans related to the organization's security implementation. In addition to protecting company assets and employees' personal information, these plans and policies safeguard the organization from liability and exposure. Plans and policies are most effective if the following steps are implemented in their execution:
1.) Assess the risk 2.) Create a policy 3.) Implement the policy 4.) Train the organization on the policy 5.) Audit the plan to make sure it's working
California Database Security Breach Act of 2003
A California State Law that specifies that any agency, person, government, entity, or company that does business in the state of California must inform California residents within 48 hours if a database breach or other security breach occurs in which personal information has been stolen or is believed to have been stolen.
Gramm-Leach-Bliley Act
A US federal law designed to protect private information held at financial institutions.
Patriot Act of 2001
A US federal law that gives law enforcement the authority to request information from organizations to detect and suppress terrorism.
Children's Online Privacy Protection Act of 1988 (COPPA)
A US federal law that requires organizations that provide online services designed for children below the age of 13 to obtain parental consent prior to collecting a child's personal information.
Sarbanes-Oxley Act of 2002
A US federal law that requires publicly traded companies to adhere to very stringent reporting requirements and implement strong controls on electronic financial reporting systems. A key aspect of the law is the requirement for retaining copies of business records, including email, for a specified period of time.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
A US federal law that specifies all organizations must protect the health information that they obtain.
Code Escrow Agreement
A document that specifies the storage and conditions of release of source code. For example, a code escrow agreement could specify that you obtain the source code from a vendor if the vendor went out of business.
What is a service level agreement?
A guarantee of a specific level of service
Acceptable Use Policy (AUP)
A policy that defines how users should use the information and network resources in an organization.
Password Policy
A policy that details the requirements for passwords used in an organization.
User Management Policy
A policy that identifies the actions to follow when an employee's status changes, in order to ensure the security of the system. This includes hiring new employees, promoting and transferring employees, and terminating employees.
Privacy Policy
A policy that outlines how the organization will secure private information for employees, clients, and customers.
Change management and configuration management policy
A policy that regulates changes to policies, practices, and equipment that could impact the security of your IT infrastructure.
Authorized Access Policy (AAP)
A policy that specifies access controls that are employed on a network. This policy specifies who is allowed to access the various systems of the organization.
User Education and Awareness Policy
A policy with provisions for user education and awareness training.
Guideline
A recommendation that is used when a specific standard or procedure does not exist. Guidelines are considered non-compulsory and flexible.
Regulation
A requirement published by a government or other licensing body that must be followed. While you are not responsible for writing regulations, you are responsible for knowing which regulations apply to your organization and making sure that those regulations are understood and adhered to. Policies are often written in response to regulations.
Code of Ethics
A set of rules or standards that help individuals to act ethically in various situations.
Baseline
A standard that dictates the settings and security mechanisms that must be imposed on a system in order to comply with required security standards. Baselines are mandatory standards with which all systems must comply.
What do user management policies identify?
Actions that must take place when employee status changes. The administrator of a network for an organization needs to be aware of new employees, employee advancements and transfers, and terminated employees to ensure the security of the system. All these activities could result in changes to: network access, equipment configuration, software configuration
In data retention, make sure to review:
All the different types of information used in your organization, and develop a policy that defines how long each type of data is retained and how it is destroyed when the retention period has passed. Record this information in a clearly written policy. Having a written policy and ensuring everyone in the organization follows it protects you from accusations of destroying evidence. Adhering to your data retention and destruction policy protects you and your organization. Never allow selective or arbitrary information destruction; it might make it appear that you are trying to hide evidence and could expose you to potential criminal charges.
Service Level Agreement (SLA)
An agreement between a customer and provider that guarantees the quality of a network service provider's care to a subscriber.
The four components of operational security that help establish defense in depth:
Change control, employee management, security awareness, physical security
You plan to implement a new security device on your network. Which of the following policies outlines the process you should follow before implementing that device?
Change management
Physical security is the protection of assets from physical threats. Physical security procedures include the following:
Choosing a secure site and securing the facility, protecting both data and equipment from theft, destruction, or compromise, implementing environmental and safety measures to protect personnel and the facility, disposing of sensitive material that is no longer needed.
A service level agreement defines the relationship and contractual responsibilities of providers and service recipients. Which of the following characteristics are most important when designing an SLA?
Clear and detailed descriptions of penalties if the level of service is not provided, Detailed provider responsibilities for all continuity and disaster recovery mechanisms.
Under the direction of senior management, security professionals establish specific policies and plans related to the organization's security implementation. The purpose of these plans and policies is twofold: they protect the organization's assets and protect the organization from liability and exposure. Security planning must include:
Complying with legal and regulatory compliance issues. Demonstrating ethical practices. Practicing due care in the development of security policy and procedures; due care means that security has been examined and reasonable security measures have been put in place, and it eliminates an organization's burden of negligence in case of a security breach. Practicing due diligence by ensuring that approved security measures have been implemented and continue to be effective. Implementing due process by adhering to laws regarding evidence and fairness to protect individuals' rights; due process ensures that any party charged with a crime is fully aware of the charges held against them and has the opportunity to fully defend themselves.
The code of ethics requires that everyone associated with the security policy:
Conduct themselves in accordance with the highest standards of moral, ethical, and legal behavior. Not commit or be a party to any unlawful or unethical act that may negatively affect their professional reputation or the reputation of their profession. Appropriately report activity related to the profession that they believe to be unlawful and cooperate with resulting investigations.
You have recently discovered that a network attack has compromised your database server. In the process, customer credit card numbers might have been taken by an attacker. You have stopped the attack and put measures in place to prevent the same incident from occurring in the future. What else might you be legally required to do?
Contact your customers to let them know about the security breach.
Requirement for job rotation:
Cross-trains individuals and rotates users between positions on a regular basis. Job rotation helps to catch irregularities that could arise when one person is unsupervised over an area of responsibility.
Role based security awareness training which should be tailored for the role of employees:
Data owner, system administrator, system owner, user, privileged user, executive user
Which of the following is the best protection against security violations?
Defense in-depth
The acceptable use agreement might set expectations for user privacy when using company resources. Privacy is the right of individuals to keep personal information from unauthorized exposure or disclosure. In a business environment, businesses might need to be able to monitor and record actions taken by employees. Such monitoring might be viewed as a violation of individual privacy. To protect against legal issues:
Define the types of actions and communications that will be monitored. For instance, it's typical for a business to reserve the right to monitor all activities performed on company computers, even if those activities might be of a personal nature. Clearly communicate all monitoring activities; users should know that monitoring is being performed. Apply monitoring to all employees; targeting specific employees could be grounds for discrimination. Comply with all legal requirements for privacy. For example, personal medical information is protected and cannot be shared without prior authorization.
Security Policy
Defines the overall security goals and processes for an organization. To be effective, the security policy must be: Planned (good security is the result of good planning). Maintained (a good security plan must be constantly evaluated and modified as needs change). Used (the most common failure of a security policy is the lack of user awareness; the most effective way of improving security is through user awareness).
Sample data retention rules could include the following:
Delete email messages after 90 days. Keep tax-related information for 7 years; this timeframe should be defined by the applicable taxation authority. For example, the United States Internal Revenue Service requires tax information to be retained for 7 years. Keep employee records for 4 years after an employee leaves the organization. Keep integral research, design, or patent documents for 25 years. Keep contracts with vendors and partners for 5 years after a contract has ended. Delete employee files after 1 year.
Due care and due diligence are also called the prudent man rule
Demonstrates that management has taken reasonable actions to ensure safety standards according to accepted best practices. The ability to demonstrate due care and due diligence protects the organization and its staff from accusations of negligence or incompetence in security-related issues.
When you inform an employee that they are being terminated, what is the most important activity?
Disabling their network access
Change control should be used to oversee and manage changes over what aspect of an organization?
Every aspect
How can a code escrow agreement provide security for an organization?
Ex: A code escrow agreement could specify that you obtain the source code from a vendor if the vendor went out of business.
Security awareness is designed to:
Familiarize employees with the security policy, communicate standards, procedures, and baselines that apply to an employee's job, facilitate employee ownership and recognition of security responsibilities, establish reporting procedures for suspected security violations, and follow up and gather training metrics to validate employee compliance and the organization's security posture.
Security awareness and training is designed to:
Familiarize employees with the security policy, communicate standards, procedures, and baselines that apply to the employee's job, facilitate employee ownership and recognition of security responsibilities, establish reporting procedures for suspected security violations.
The Gramm-Leach-Bliley Act (GLBA) requires all banks and financial institutions to implement the following:
Financial privacy rule: requires banks and financial institutions to alert customers to their policies and practices in disclosing customer information. Safeguards rule: requires banks and financial institutions to develop a written information security plan detailing how they plan to protect electronic and paper files containing personally identifiable financial information. Pretexting protection: requires banks and financial institutions to train their staff to recognize social engineering exploits.
A privacy policy outlines how personally identifiable information (PII) can be used and how it is protected from disclosure. PII items could include:
Full name, address, telephone number, driver's license, national identification number, credit card numbers, email address
Organizational Security Policy
High-level overview of the corporate security program.
Human resource policies related to security might include the following:
Hiring policies identify processes to follow before hiring. For example, the policy might specify that pre-employment screening include employment, reference, and education history checks, drug screening, and a background investigation or credit rating check.
Termination policies and procedures
Identify processes to be implemented when terminating employees. For example, the termination policy might specify that: network access and user accounts are disabled immediately, exit interviews are conducted, employees are escorted at all times following termination, all company property is returned, and appropriate documents are signed.
The organizational security policy includes:
Is usually written by the security professionals, but must be wholly supported and endorsed by senior management. Identifies roles and responsibilities to support and maintain the elements of the security program. Identifies what is acceptable and unacceptable regarding security management. Identifies the rules and responsibilities of the enforcement of the policy.
The Children's Online Privacy Protection Act (COPPA) requires online services or websites designed for children under the age of 13 to:
Obtain parental consent prior to the collection, use, disclosure, or display of a child's personal information. Allow children's participation without the need to disclose more personal information than is reasonably necessary to participate.
Defense in depth
One of the best ways to implement operational security. It is based on the premise that no single layer is completely effective in securing the information. The most secure system has many layers of security, eliminating single points of failure.
The USA Patriot Act mandates:
Organizations to provide information, including records and documents, to law enforcement agencies under the authority of a valid court order, subpoena, or other authorized agency.
Resource Allocation Policy
Outlines how resources are allocated. Resources could include: staffing, technology, budgets
Human Resources (HR) Policy
Policy used by HR that defines hiring and termination processes, job rotation requirements, and personal time off procedures.
Employee management reduces asset vulnerability from employees by implementing processes that include the following:
Pre-employment processing, employee agreement documents, employee monitoring, termination procedures
Configuration management policy
Provides a structured approach to securing company assets and making changes. Configuration management: Establishes hardware, software, and infrastructure configurations that are to be deployed universally throughout the corporation. Tracks and documents significant changes to the infrastructure. Assesses the risk of implementing new processes, hardware, or software. Ensures that proper testing and approval processes are followed before changes are allowed.
Which of the following best describes the concept of due care or due diligence?
Reasonable precautions based on industry best practices are utilized and documented.
Other benefits of implementing a data retention and destruction policy include:
Reduced cost of discovery requests in the event of legal action. Responding to discovery requests can be time-consuming and costly. If old material has been destroyed, discovery costs are minimized. Reduced exposure during discovery Minimizing the amount of electronic material an organization keeps reduces the amount of information that could expose an organization to potential litigation. Reduced hardware and software requirements for storing old data.
Change control
Regulates changes to policies and practices that could impact security. The primary purpose is to prevent unchecked change that could introduce reductions in security. Change control must be a formal, fully documented process.
Requirement for mandatory vacations:
Requires employees to take vacations of specified length. These vacations can be used to audit actions taken by the employees and provide a passage of time where problems caused by misconduct could become evident.
Security policies need not be created in a bubble. There are security frameworks, best practices, and secure configuration guides that can help when creating secure architectures and systems:
Security professionals have created industry-standard frameworks which describe the activities that will achieve specific security outcomes. In addition, security reference architectures can be used as templates when building a secure environment. In some cases, such as when creating government systems, a security framework or reference architecture may be mandated by government regulations. These frameworks and architectures can be customized for specific industries or may be customized for a specific nation. They can be generalized for organizations with international interests. Benchmark and secure configuration guides can be used to harden computers, networks, and vendor-specific devices. There are general purpose guides that are platform specific or vendor specific. For example, there are secure configuration guides to harden web servers, operating systems, application servers, and network infrastructure devices.
Keep in mind the following recommendations for SLAs:
Should define, in sufficient detail, any penalties incurred if the level of service is not maintained. In the information security realm, it is also vital that the provider's role in disaster recovery operations and continuity planning is clearly defined. Industry standard templates are frequently used as a starting point for SLA design, but must be tailored to the specific project or relationship to be effective. If you depend on an SLA for mission-critical code, you should consider a code escrow arrangement. Code escrow is a storage facility hosted by a trusted third party which will ensure access to the mission-critical code even if the development company (the company with whom you have the SLA) goes out of business.
You have a set of DVD-RW discs that have been used to archive files for your latest development project. You need to dispose of the discs. Which of the following methods should you use to best prevent extracting data from the discs?
Shred the discs
Acceptable use
The acceptable use policy (AUP) identifies employees' rights to use company property, such as internet access and computer equipment, for personal use.
What happens if a change control unintentionally diminishes security?
The effective change control process includes a rollback. A rollback makes it possible to revert the system back to the state it was in before the change was put into effect.
Service level agreements (SLAs) often include descriptions for the following:
The mean time between failures (MTBF) identifies the average lifetime of a system or component. Components should be replaced about the time that the MTBF is reached. The mean time to repair (MTTR) identifies the average amount of time necessary to repair a failed component or to restore operations.
Password policy includes:
The same password should never be used for different systems. Accounts should be disabled or locked out after a specified number of failed login attempts. Passwords should never contain words, slang, or acronyms. Users should be required to change their passwords within a certain time frame and use a rotation policy. A strong password policy should be enforced. Strong passwords: contain multiple character types (uppercase, lowercase, numbers, and symbols); are a minimum length of eight characters or more; use no part of a username or email address.
Procedure
The step-by-step process that outlines how to implement a specific action. The design of a procedure is guided by goals defined in a policy, but goes beyond the policy by identifying specific steps that are to be implemented. The use of consistent procedures ensures that the goals defined in policy are met and that the actions of multiple administrators are consistent.
What is the primary purpose of source code escrow?
To obtain change rights over software after the vendor goes out of business.
What is the goal of security management?
To preserve the confidentiality, integrity, and availability of all critical and valuable assets. Senior management is responsible for security management. Senior management defines the corporate security posture or tone (the organization's outlook and approach to security) and provides funding for the security program.
What to do after creating your written data retention policy?
Use information classification labels to identify which retention policy rule is to be applied to specific data. Using classification labels allows you to use software tools to automate the data retention and destruction process. All information should be destroyed before being disposed of. Simply deleting files can leave sensitive information behind.
When a new security plan is distributed, why is it important to destroy all copies of the old version?
When an updated version of a security plan is produced, the most crucial activity to prevent is public release of older versions of the document. Even an out-of-date plan can provide sufficient information to attackers to perform serious security intrusions. When the security plan is updated, users should be made aware of the changes, the document should be distributed internally to appropriate parties, and all old versions should be destroyed.
Which of the following is an example of a strong password?
a8bT11$yi
Data retention policies also typically describe procedures for:
archiving information, destroying information when the retention limit is reached, handling information involved in litigation
Data Retention Policies
define how information in your possession is maintained and for how long. The key point to remember is that different types of data must be retained for different lengths of time based on legal and business requirements.
Which of the following is a recommendation to use when a specific standard or procedure does not exist?
guideline
A Privacy Impact Assessment (PIA)
is a process that assists organizations in identifying and minimizing the privacy risks of new projects or policies.
A Privacy Threshold Assessment (PTA)
is a required document that serves as the official determination by the Department of Homeland Security (DHS) as to whether a department program or system has privacy implications and whether additional privacy compliance documentation is required, such as a Privacy Impact Assessment (PIA) and System of Records Notice (SORN). The PTA is built into departmental processes for technology investments and security. PTAs expire and must be reviewed and re-certified every three years. The purpose of a PTA is to: identify programs and systems that are privacy-sensitive; demonstrate the inclusion of privacy considerations during the review of a program or system; provide a record of the program or system and its privacy requirements at the DHS Privacy Office; and demonstrate compliance with privacy laws and regulations.
What do HIPAA guidelines protect?
privacy
What is the most effective way to improve or enforce security in any environment?
providing user-awareness training
Which of the following is defined as a contract that prescribes the technical support or business parameters that a provider will bestow on its client?
service level agreement
SLAs can include guarantees for:
turn-around times, average response times, number of online users, system utilization rates, system uptimes, volume of transactions, production problems