01. Information Security Control Design and Selection (240)

Question 1

Information Security Control Design and Selection

Controls are the procedures, mechanisms, systems, and other measures designed to reduce risk through compliance to policies

240

Question 2

Information Security Control Design and Selection

An organisation develops controls to ensure that its business objectives will be met, risks will be reduced, and errors will be prevented or corrected

240

Question 3

Information Security Control Design and Selection

Controls are created to ensure desired outcomes and to avoid unwanted outcomes. They are created for several reasons includingl

240

Answer 3

1. regulation
2. risk assessment
3. audit result

Question 4

Control Classification

Sucurity managers should understand the characterstics, or classifications, of controls. Control classification types, classes, and categoris should all be understood

Control Classification

241

Question 5

Types of controls

3 types of controls;

1. Physical
2. Technical
3. Administrative

242

Question 6

Class of Controls

6 classes of controls;

1. Preventive
2. detective
3. deterrent
4. corrective
5. compensating
6. recovery

242

Answer 6

Preventive
Used to prevent the occurrence of unwanted events
Detective
Used to record both wanted and unwanted events
Deterrent
Exists to convince someone that they should not perform and unwanted activity
Corrective
Activated manually or automatically after some unwanted event has occurred
Compensating
Used where some other direct control cannot be used
Recovery
Used to restore system or asset to its pre-incident state

Question 7

Class of Controls

Examples….

Preventive
Computer loging screen, key card system, encryption
Detective
Video surveillance, event logs
Deterrent
Video surveillance cameras and monitors, fences,
Corrective
The process of improving a process whenf ound to be ineffective
Compensating
A guest sing-in register used/used in place of when video surveilance is unavailable
Recovery
Malware removal tools, backup software to recover lost files

243

Question 8

Categories of Control

2 categories of controls that relate to the nature of their operation;

1. Automatic
2. Manual

244

Answer 8

Automatic
Performs its function with little or no human judgement or decision making
Manual
Requires human to operate it

Question 9

Categories of Control

Examples…

Automatic
Login page to application that cannot be circumvented, security door automatically locking
Manual
Monthly review of computer users

244

Question 10

Control Objectives

Control objectives describe the desired states or outcomes of business operations

244

Question 11

General Computing Controls

IT will have a set of controls that apply across all of its applications and services, known as General Computing Controls (GCC’s)

245

Question 12

General Computing Controls

General Comput Controls (GCCs) are general in nature, often implemented in different ways on different information systems based on individual capabilities and limitations, and applicability

245

Question 13

Contorls: Build vs Buy

Build vs Buy of controls refers to the business decisions organisation leads take regarding building a new assets, tangible or intangible, or paying another organisation to create the asset.

245

Question 14

Control Frameworks

A control framework is a collection of controls, organisation into logical categories

246

Question 15

Control Frameworks

Well known control frameworks developed to streamline the process of control development and adoption;

1. ISO/IEC 27002
2. NIST SP 800-53
3. CIS CSC

Commonly used Control Frameworks

246

Question 16

Control Frameworks

Selection of a control framework should represent a starting point.Once a framework is selected, the organisation can use risk management life cycle to understand risks in the organisation that result in changes to controls used

247

Question 17

Mapping Control Frameworks

One or more control frameworks may be adopted primarily because…

1. Multiple apllicable regulatory frameworks
2. Multiple operational context

248

Answer 17

Example;
Healthcare services that take credit card payments would likely select HIPAA and PCI DSS, where either framework does not fully address all the needs of the business alone

Question 18

Mapping Control Frameworks

Organisations will map control frameworks together, resulting in a single control framework with controls from each framework

248

Question 19

Mapping Control Frameworks

A chart that maps two or more control frameworks together is known as a crosswalk

248

Question 20

Working with Control Frameworks

Security Managers need to organise the organisations operational activities around the selected/mapped control frameworks

249

Question 21

Working with Control Frameworks

Risk Assessment
Before a control can be designed, the security manager needs to know the nature of the risk(s) the control is intended to address

249

Question 22

Working with Control Frameworks

Control Design
Before a control can be used, it must be designed. A control framework comprises the control language, and some degree of guideance

249

Answer 22

A security manager with personnel who are responsible for revelent technologies, willd etermine what activity is required to implement the control

Question 23

Working with Control Frameworks

Control Design
Proper control design will potentially require one or more of the following; New or changed….

1. Policies
2. Business process documents
3. Information systems
4. Business records

250

Question 24

Control Architecture

**Control Architecture **refers to the “big picture” of controls in an organisation. Security managers need to understand how controls work together

250

Question 25

# Dealing with Changing Technology **Technologies change more quickly than standard control frameworks**. Security managers must monitor emerging technologies "plugged in" to business processes to ensure they are involved to understand what controls are required. ## Footnote 250

Answer 25

* Personal computing * Cloud Computing * Smartphones * Bring Your Own Device (BYOD) * Bring Your Own Application (BYOA) * Shadow IT * Work From Home (WFH) * Artificial Intelligence (AI) * Virtual Reality (VR) * Internet of Things (IoT)

Question 26

# Dealing with Changing Technology Changes in technology are often disruptive. Disruption is the result of innovation New ideas and innovation make organisations better ## Footnote 250

Question 27

# ISO/IEC 27002 **ISO/IEC 27002** * World renowned set of controls * Must be purchased * **4** control **categories** * **93** control **objectives** ## Footnote 252

Answer 27

1. Organisational Controls 2. People Controls 3. Physical Records 4. Technological Controls

Question 28

# NIST SP 800-53 rev 5 **NIST SP 800-53** * published by the Computer Security Division of the U.S. National Institute for Standards and Technology (NIST) ## Footnote 254

Question 29

# **Center for Internet Security Critical Security Controls** (CIS CSC) * Regarded as a simpler set of controls * Structured in a way that is easy to understand and use * **18** control **objectives** ## Footnote 256

Question 30

# **NIST Cyber Security Framework** (CSF) * Risk management **methodology and control Framework** * Designed to be a **single standard** for **identifying risk** and **implementing controls** to protect information assets * Framework **core**, consisting of **5 activities** * Framework **Implementation Tiers** - capabilities assessment, resembles **maturity levels** ## Footnote 257

Question 31

# NIST Cyber Security Framework **Identify** Develop the organisational understanding to manage cybersecurity **Protect** Develop and implement appropriate safeguards **Detect** Develop and implement activities to identify cybersecurity events **Respond** Develop and implement activities to take action to detected cybersecurity events **Recover** Develop and implement activities to maintain resilience and restore capabilities ## Footnote 257

Question 32

# NIST Cyber Security Framework Framework Implementation Tiers - Maturity Assessment **Partial** Risk management is not formalused. Reactive, limited within the organisation **Risk Informed** RIsk management is formalised, not working organisation wide **Repeatable** Risk management practices formalised and approved. Intergrated into the business **Adaptive** Risk management practices monitored, adapted to meet changing threats and needs. Fully intergrated ## Footnote 257

Question 33

# NIST Cyber Security Framework CSF contains a methodology for establishing or making improvements; **Step 1: Prioritze and Scope** * Determine business units or business processes in scope **Step 2: Orient** * Identify assets in scope for program **Step 3: Create a current profile** * Idetnify current state against framework core and subcategories **Step 4: Conduct a risk assessment** * Conduct risk assessment covering entire scope of the program **Step 5: Create a target profile** * Determine the desired furture state **Step 6: Determine, Analyse, prioritise gaps** * Compare current profile to desired profile (gap analysis) **Step 7: Implement action plan** * Develop plans and execute to close gaps ## Footnote 258

Question 34

# **Payment Card Information Data Security Standard** (PCI DSS) * A **control framework** with the main objective is the **protection of cardholder data** * Founded by major credit card brands * **Tiered structure** - **high volume** transactions require **onsite annual audits**. **Low volumes** can be **annually self assessed** * Offers **certification** for personnel who can **perform PCI audits** ## Footnote 258

Question 35

# **Health Insurance Portability and Accountability Act** (HIPAA) * Designed to **address issues** around process of **healthcare information** * Electronic Protected Healthcare Information (ePHI) * Organisations delivering medical healthcare **required to comply** * HIPAA security rules are **required** or **addressable** ## Footnote 261

Question 36

# **Health Insurance Portability and Accountability Act** (HIPAA) HIPAA Security rules are required or addressable; **Required** * Must be implemented **Addressable** * Requires an analysis to determine if they must be implemented ## Footnote 261

Question 37

# COBIT 2019 * Industry wide standard, a result of industry consensus by managers, auditors, IT users * **1100+** control activities * **5** principles, **37** principles 1. Meeting Stakeholder Needs 2. Covering the Entprise End to end 3. Applying a single, Integrated Framework 4. Enabling a Holistic Approach 5. Seperating Governance from Management ## Footnote 261

Question 38

# **The Committee of Sponsoring Organisations** (COSO) * **Control framework** used by US public companies * Management of **finaicial accounting and reporting systems** * **17** principles * **5** framework components ## Footnote [COSO Control Framework](https://drive.google.com/file/d/16v0DZdk6cC8ST4zcFHbNfm8h_F8KoxYi/view?usp=drive_link) 261

Question 39

# **North American Eletric Reliability Corporation** (NERC) * Standards for **electric utilities** throguhout **North America** * NERC has authority to **enforce standards** * **Fines** levied for public utilities **non compliance** ## Footnote [NERC Framework ](https://drive.google.com/file/d/16vJLzttX5o6BPUQ681qGKeLCp30eW60z/view?usp=drive_link) 263

Question 40

# **Cloud Security Alliance** (CSA) Control Framework * Cloud Controls Matrix (CCM) * Provides security principles to cloud vendors * Provide customers with assessments of cloud vendors * CSA STAR - assurance framework 2 levels, Self assessment, Third party audit ## Footnote [CSA Control Framework](https://drive.google.com/file/d/16z_PC3n5yKxzzUbQlsElRR4RDux8e9X1/view?usp=drive_link) 263

Question 41

# **Service Organisation Controls** (SOC) * Statement on Auditing Standards No. 70 (**SAS-70**) * SAS-70 allows **audits of service providers** by **public accounting firms** * Allows public companies to **obtain assurance** of **control effectiveness** for outsourced IT services * System and Organisation Controls (SOC) * **SOC 1, SOC 2, SOC 3** ## Footnote 264

Question 42

# **System and Organisation Controls 1** (SOC 1) * Statement on Standards for Attenstation Engagements (SSAE) * SSAE 16, SSAE 18, ISAE 3402 * Service organisation has **free latitude to decide** which controls are in **scope** * 2 types; Type 1, Type 2 **Type 1:** * **Point in time** examination of controls and their design **Type 2:** * Occurs over a **period of time** (3 months to 1 year) * Type 1 applies, as well as business records to determine **control effectiveness** ## Footnote 264

Question 43

# **System and Organisation Controls 2** (SOC 2) * Developed for **IT service providers** * For providers who want to **demonstrate assurance** in their **controls** to customers * **5** trust principles * **2 types**; Type 1, Type 2 * Type 1 - **Point in time** * Type 2 - Over a **period of time** (6 months to 1 year) #-#-#-#-#- **Security** * Protected against unauthorized access **Availability** * Available for operation **Processing Integrity** * System process is complete, valid, accurate, timely, authorized as agreed upon **Confidentiality** * Confidential information is protected as agreed upon **Privacy** * Personal information collected, used, retained, disclosed, destroyed ## Footnote 264

Question 44

# **System and Organisation Controls 3** (SOC 3) * Audit includes any or all **5** trust principles * **Lacks** description of **control testing** or opinion of **control effectiveness** #-#-#-#-#- **Security** * Protected against unauthorized access **Availability** * Available for operation **Processing Integrity** * System process is complete, valid, accurate, timely, authorized as agreed upon **Confidentiality** * Confidential information is protected as agreed upon **Privacy** * Personal information collected, used, retained, disclosed, destroyed ## Footnote 265