Ch-16 Flashcards

(14 cards)

1
Q

Organizational Policies

A

Policy serves as the foundation for any cybersecurity program, setting out the principles and rules that guide the execution of security efforts throughout the enterprise. Often, organizations base these policies on best practice frameworks developed by industry groups such as the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO).

2
Q

Information Security Policy Framework

A

Policies - high-level statements of management intent; compliance is mandatory.

Standards - mandatory requirements describing how the organization will carry out its policies.

Procedures - mandatory, detailed, step-by-step processes to follow in specific circumstances.

Guidelines - non-mandatory best practices and recommendations.

3
Q

Policies

A

High-level statements of management intent. Compliance with policies is mandatory.

A cybersecurity policy typically contains:

- A statement of the importance of cybersecurity to the organization
- Requirements that all staff and contractors take measures to protect the confidentiality, integrity, and availability of information and information systems
- A statement on the ownership of information created and/or possessed by the organization
- Designation of the chief information security officer (CISO) or another individual as the executive responsible for cybersecurity issues
- Delegation of authority granting the CISO the ability to create standards, procedures, and guidelines that implement the policy

4
Q

Standards

A

Provide mandatory requirements describing how an organization will carry out its information security policies.

These may include the specific configuration settings used for a common operating system, the controls that must be put in place for highly sensitive information, or any other security objective. Standards are typically approved at a lower organizational level than policies and, therefore, may change more regularly.

5
Q

Procedures

A

Mandatory, detailed, step-by-step processes that individuals and organizations must follow in specific circumstances.

Similar to checklists, procedures ensure a consistent process for achieving a security objective. Organizations may create procedures for building new systems, releasing code to production environments, responding to security incidents, and many other tasks. Compliance with procedures is mandatory.

6
Q

Guidelines

A

Non-mandatory; they provide best practices and recommendations related to a given concept, technology, or task, and are offered in the spirit of helpful advice. That said, how "optional" a guideline really is can vary significantly depending on the organization's culture.

7
Q

Exceptions and Compensating Controls

A

When adopting new security policies, standards, and procedures, organizations should also provide a mechanism for granting exceptions to those rules, since some systems or business processes will be unable to comply.

An approved exception should document why the rule cannot be met, its scope and duration, and the compensating control that is put in place to address the risk the original rule was meant to mitigate.

8
Q

Personnel Management

A

Least Privilege - individuals should be granted only the minimum set of permissions necessary to carry out their job functions.

Separation of Duties - used for extremely sensitive job functions. Separation of duties takes two tasks that would be dangerous in the hands of one person (for example, creating a new vendor and approving payments to that vendor) and assigns them to different individuals, so that no single person can complete the sensitive action alone.

Job Rotation - takes employees in sensitive roles and moves them periodically to other positions in the organization. The idea is that an employee concealing fraudulent activity may be unable to continue the concealment once their privileges change, and their replacement may discover the fraud.

Mandatory Vacations - serve a similar purpose to job rotation. Employees are required to take annual vacations of a week or more of consecutive time, and their access privileges are revoked during that vacation period, so that someone else must perform their duties in the meantime.

Clean Desk Policies - are designed to protect the confidentiality of sensitive information by limiting the amount of paper left exposed on unattended employee desks.

9
Q

User Training

A

Role-based Training - make sure that individuals receive the appropriate level of training based on their job responsibilities. For example, a systems administrator should receive detailed and highly technical training, whereas a customer service representative requires less technical training with a greater focus on social engineering and pretexting attacks that they may encounter in their work.

Phishing Simulations - send users fake phishing messages to test their skills. Users who click on the simulated phishing message are sent to a training program designed to help them better recognize fraudulent messages.

Gamification - designed to make training more enjoyable and help users retain the message of the campaign. Capture the flag (CTF) exercises are a great example of this.

10
Q

Third-Party Agreements

A

Master Service Agreements (MSA) - provide an umbrella contract for the work that a vendor does with an organization over an extended period of time. The MSA typically includes detailed security and privacy requirements. Each time the organization enters into a new project with the vendor, they may then create a statement of work (SOW) that contains project-specific details and references the MSA.

Service Level Agreements (SLA) - written contracts that specify the conditions of service that will be provided by the vendor and the remedies available to the customer if the vendor fails to meet the SLA. SLAs commonly cover issues such as system availability, data durability, and response time.

Memorandum of Understanding (MOU) - a letter written to document aspects of the relationship. MOUs are an informal mechanism, generally not legally binding, that allows the parties to document their relationship and avoid future misunderstandings.

Business partnership agreements (BPAs) - exist when two organizations agree to do business with each other in a partnership. For example, if two companies jointly develop and market a product, the BPA might specify each partner’s responsibilities and the division of profits.

11
Q

Compliance Laws and Obligations

A

Payment Card Industry Data Security Standard (PCI DSS) - provides detailed rules about the storage, processing, and transmission of credit and debit card information. PCI DSS is not a law but rather a contractual obligation that applies to credit card merchants and service providers worldwide.

Gramm–Leach–Bliley Act (GLBA) covers U.S. financial institutions, broadly defined. It requires that those institutions have a formal security program and designate an individual as having overall responsibility for that program.

Sarbanes–Oxley (SOX) Act applies to the financial records of U.S. publicly traded companies and requires that those companies have a strong degree of assurance for the IT systems that store and process those records.

General Data Protection Regulation (GDPR) implements security and privacy requirements for the personal information of European Union residents worldwide.

Family Educational Rights and Privacy Act (FERPA) requires that U.S. educational institutions implement security and privacy controls for student educational records.

Health Insurance Portability and Accountability Act (HIPAA) includes security and privacy rules that affect health-care providers, health insurers, and health information clearinghouses in the United States.

12
Q

NIST Cybersecurity Framework (CSF)

A

Objectives -
Describe their current cybersecurity posture.
Describe their target state for cybersecurity.
Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process.
Assess progress toward the target state.
Communicate among internal and external stakeholders about cybersecurity risk.

Components -
Framework Core - the five functions: Identify, Protect, Detect, Respond, Recover (CSF 2.0, published in 2024, adds a sixth function, Govern)
Implementation Tiers - a maturity model (Partial, Risk Informed, Repeatable, Adaptive) describing the organization's current and desired positioning in meeting its cybersecurity objectives
Framework Profiles - describe how a specific organization might approach the security functions covered by the core, and are used to capture its current and target states

13
Q

ISO Standards

A

ISO 27001 is a standard document titled “Information technology—Security techniques—Information security management systems—Requirements.”

ISO 27002 standard goes beyond control objectives and describes the actual controls that an organization may implement to meet cybersecurity objectives.

ISO 27701 contains standard guidance for managing privacy controls. ISO views this document as an extension to its ISO 27001 and ISO 27002 security standards.

ISO 31000 provides guidelines for risk management programs. This document is not specific to cybersecurity or privacy but covers risk management in a general way so that it may be applied to any risk.

14
Q

SOC Assessment

A

System and Organization Controls (SOC), formerly Service Organization Controls, is an audit framework defined by the AICPA for reporting on the controls of service providers.

Categories -
SOC 1 - engagements assess the organization’s controls that might impact the accuracy of financial reporting

SOC 2 - engagements assess the organization’s controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. SOC 2 audit results are confidential and are normally only shared outside the organization under an NDA.

SOC 3 - engagements also assess the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. However, SOC 3 audit results are intended for public disclosure.

Types of Reports -

Type 1 - reports provide the auditor's opinion on the description provided by management and the suitability of the design of the controls, as of a single point in time.

Type 2 - reports go further and also provide the auditor's opinion on the operating effectiveness of the controls over a period of time (commonly six to twelve months). That is, the auditor actually confirms that the controls were functioning properly throughout that period.
