CHAPTER 2_Information Security Governance and Risk Management Flashcards Preview

Flashcards in CHAPTER 2_Information Security Governance and Risk Management Deck (261):

1

Exposure

Presence of a vulnerability, which exposes the organization to a threat.

2

CobiT

Set of control objectives for IT management developed by Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)

3

Communications and operations management

Carry out operations security through operational procedures, proper change control, incident handling, separation of duties, capacity planning, network management, and media handling.

4

The following shows the levels of sensitivity from the highest to the lowest for military purposes:

  • Top secret
  • Secret
  • Confidential
  • Sensitive but unclassified
  • Unclassified

5

Data Analyst

Having proper data structures, definitions, and organization is very important to a company. The data analyst is responsible for ensuring that data is stored in a way that makes the most sense to the company and the individuals who need to access and work with it. For example, payroll information should not be mixed with inventory information, the purchasing department needs to have a lot of its values in monetary terms, and the inventory system must follow a standardized naming scheme. The data analyst may be responsible for architecting a new system that will hold company information, or advise in the purchase of a product that will do so.

6

8. Sue has been tasked with implementing a number of security controls, including antivirus and antispam software, to protect the company’s e-mail system. What type of approach is her company taking to handle the risk posed by the system?

A. Risk mitigation

B. Risk acceptance

C. Risk avoidance

D. Risk transference

Extended Questions:

CORRECT A. Risk can be dealt with in four basic ways: transfer it, avoid it, reduce it, or accept it. By implementing security controls such as antivirus and antispam software, Sue is reducing the risk posed by her company’s e-mail system. This is also referred to as risk mitigation, where the risk is decreased to a level considered acceptable. In addition to the use of IT security controls and countermeasures, risk can be mitigated by improving procedures, altering the environment, erecting barriers to the threat, and implementing early detection methods to stop threats as they occur, thereby reducing their possible damage.

WRONG B is incorrect because risk acceptance does not involve spending money on protection or countermeasures, such as antivirus software. When accepting risk, the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to live with it without implementing countermeasures. Many companies accept risk when the cost/benefit ratio indicates that the cost of the countermeasure outweighs the potential loss value.

WRONG C is incorrect because risk avoidance involves discontinuing the activity that is causing the risk, and in this case Sue’s company has chosen to continue to use e-mail. A company may choose to terminate an activity that introduces risk if that risk outweighs the activity’s business need. For example, a company may choose to block social media Web sites for some departments because of the risk they pose to employee productivity.

WRONG D is incorrect because risk transference involves sharing the risks with another entity as in purchasing of insurance to transfer some of the risk to the insurance company. Many types of insurance are available to companies to protect their assets. If a company decides the total or residual risk is too high to gamble with, it can purchase insurance.

7

ISO/IEC 27013

Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001

8

uncertainty

In risk analysis, uncertainty refers to the degree to which you lack confidence in an estimate. This is expressed as a percentage, from 0 to 100 percent. If you have a 30 percent confidence level in something, then it could be said you have a 70 percent uncertainty level. Capturing the degree of uncertainty when carrying out a risk analysis is important, because it indicates the level of confidence the team and management should have in the resulting figures.

9

DoDAF

U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals

10

Application Owner

Some applications are specific to individual business units—for example, the accounting department has accounting software, R&D has software for testing and development, and quality assurance uses some type of automated system. The application owners, usually the business unit managers, are responsible for dictating who can and cannot access their applications (subject to staying in compliance with the company’s security policies, of course).

11

ISO/IEC 27007

Guideline for information security management systems auditing

12

Risk

The probability of a threat agent exploiting a vulnerability and the associated impact.

13

TOGAF is a framework that can be used to develop the following architecture types:

  • Business Architecture
  • Data Architecture
  • Applications Architecture
  • Technology Architecture

14

Because terminations can happen for a variety of reasons, and terminated people have different reactions, companies should have a specific set of procedures to follow with every termination. For example:

  • The employee must leave the facility immediately under the supervision of a manager or security guard.
  • The employee must surrender any identification badges or keys, complete an exit interview, and return company supplies.
  • That user’s accounts and passwords should be disabled or changed immediately.

15

ISO/IEC 27015

Information security management guidelines for the finance and insurance sectors

16

Process Owner

Ever heard the popular mantra, "Security is not a product, it’s a process"? The statement is very true. Security should be considered and treated like any other business process—not as its own island, nor like a redheaded stepchild with cooties. (The author is a redheaded stepchild, but currently has no cooties.)

17

Figure 2-2 Defense-in-depth

  • Fence
  • Locked external doors
  • Closed-circuit TV
  • Security guard
  • Locked internal doors
  • Locked server room
  • Physically secured computers (cable locks)

18

ISO/IEC 27031

Guideline for information and communications technology readiness for business continuity

19

Personnel Security

Many facets of the responsibilities of personnel fall under management’s umbrella, and several facets have a direct correlation to the overall security of the environment.

20

Enterprise vs. System Architectures

Our operating systems follow strict and hierarchical structures, but our company is a mess.

There is a difference between enterprise architectures and system architectures, although they do overlap. An enterprise architecture addresses the structure of an organization. A system architecture addresses the structure of software and computing components. While these different architecture types have different focuses (organization versus system), they have a direct relationship because the systems have to be able to support the organization and its security needs. A software architect cannot design an application that will be used within a company without understanding what the company needs the application to do. So the software architect needs to understand the business and technical aspects of the company to ensure that the software is properly developed for the needs of the organization.

21

Failure Modes and Effect Analysis (FMEA)

Failure Modes and Effect Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process. It is commonly used in product development and operational environments. The goal is to identify where something is most likely going to break and either fix the flaws that could cause this issue or implement controls to reduce the impact of the break. For example, you might choose to carry out an FMEA on your organization’s network to identify single points of failure. These single points of failure represent vulnerabilities that could directly affect the productivity of the network as a whole. You would use this structured approach to identify these issues (vulnerabilities), assess their criticality (risk), and identify the necessary controls that should be put into place (reduce risk).

22

5. As head of sales, Jim is the information owner for the sales department. Which of the following is not Jim’s responsibility as information owner?

A. Assigning information classifications

B. Dictating how data should be protected

C. Verifying the availability of data

D. Determining how long to retain data

Extended Questions:

CORRECT C. The responsibility of verifying the availability of data is the only responsibility listed that does not belong to the information owner. Rather, it is the responsibility of the information custodian. The information custodian is also responsible for maintaining and protecting data as dictated by the information owner. This includes performing regular backups of data, restoring data from backup media, retaining records of activity, and fulfilling information security and data protection requirements in the company’s policies, guidelines, and standards. Information owners work at a higher level than the custodians. The owners basically state, "This is the level of integrity, availability, and confidentiality that needs to be provided—now go do it." The custodian must then carry out these mandates and follow up with the installed controls to make sure they are working properly.

WRONG A is incorrect because as information owner Jim is responsible for assigning information classifications. (The question asked which of the following Jim is not responsible for.)

WRONG B is incorrect because information owners such as Jim are responsible for dictating how information should be protected. The information owner has the organizational responsibility for data protection and is liable for any negligence when it comes to protecting the organization’s information assets. This means that Jim must make decisions regarding how information is protected and ensure that the information custodian (a role usually filled by IT or security) is carrying out these decisions.

WRONG D is incorrect because determining how long to retain data is the responsibility of the information owner. The information owner is also responsible for determining who can access the information and ensuring that proper access rights are being used. He can approve access requests himself or delegate the function to business unit managers, who will approve requests based on user access criteria defined by the information owner.

23

Physical and environmental security

Protect the organization’s assets by properly choosing a facility location, erecting and maintaining a security perimeter, implementing access control, and protecting equipment.

24

Automated Risk Analysis Methods

Collecting all the necessary data that needs to be plugged into risk analysis equations and properly interpreting the results can be overwhelming if done manually. Several automated risk analysis tools on the market can make this task much less painful and, hopefully, more accurate. The gathered data can be reused, greatly reducing the time required to perform subsequent analyses. The risk analysis team can also print reports and comprehensive graphs to present to management.

25

As mentioned earlier, which types of controls are implemented per classification depends upon the level of protection that management and the security team have determined is needed. The numerous types of controls available are discussed throughout this book. But some considerations pertaining to sensitive data and applications are common across most organizations:

  • Strict and granular access control for all levels of sensitive data and programs (see Chapter 3 for coverage of access controls, along with file system permissions that should be understood)
  • Encryption of data while stored and while in transmission (see Chapter 7 for coverage of all types of encryption technologies)
  • Auditing and monitoring (determine what level of auditing is required and how long logs are to be retained)
  • Separation of duties (determine whether two or more people must be involved in accessing sensitive information to protect against fraudulent activities; if so, define and document procedures)
  • Periodic reviews (review classification levels, and the data and programs that adhere to them, to ensure they are still in alignment with business needs; data or applications may also need to be reclassified or declassified, depending upon the situation)
  • Backup and recovery procedures (define and document)
  • Change control procedures (define and document)
  • Physical security protection (define and document)
  • Information flow channels (where does the sensitive data reside and how does it traverse the network)
  • Proper disposal actions, such as shredding, degaussing, and so on (define and document)
  • Marking, labeling, and handling procedures

26

20. Michael is charged with developing a classification program for his company. Which of the following should he do first?

A. Understand the different levels of protection that must be provided.

B. Specify data classification criteria.

C. Identify the data custodians.

D. Determine protection mechanisms for each classification level.

Extended Questions:

CORRECT A. Before Michael begins developing his company’s classification program, he must understand the different levels of protection that must be provided. Only then can he develop the necessary classification levels and their criteria. One company may choose to use only two layers of classification, while another may choose to use more. Regardless, when developing classification levels, he should keep in mind that too many or too few classification levels will render the classification ineffective; there should be no overlap in the criteria definitions between classification levels; and classification levels should be developed for both data and software.

WRONG B is incorrect because data classification criteria cannot be established until the classification levels themselves have been defined. The classification criteria are used by data owners to know what classification should be assigned to specific data. Basically, the classifications are defined buckets and the criteria help data owners determine what bucket each data set should be put into.

WRONG C is incorrect because there is no need to identify the data custodians until classification levels are defined, criteria are determined for how data are classified, and the data owner has indicated the classification of the data she is responsible for. Remember, the data custodian is responsible for implementing and maintaining the controls specified by the data owner.

WRONG D is incorrect because protection mechanisms for each classification level cannot be determined until the classification levels themselves are defined based on the different levels of protection that are required. The types of controls implemented per classification will depend upon the level of protection that management and the security team have determined is needed.

27

The IRM policy should be a subset of the organization’s overall risk management policy (risks to a company include more than just information security issues) and should be mapped to the organizational security policies. The IRM policy should address the following items:

  • The objectives of the IRM team
  • The level of risk the organization will accept and what is considered an acceptable level of risk
  • Formal processes of risk identification
  • The connection between the IRM policy and the organization’s strategic planning processes
  • Responsibilities that fall under IRM and the roles to fulfill them
  • The mapping of risk to internal controls
  • The approach toward changing staff behaviors and resource allocation in response to risk analysis
  • The mapping of risks to performance targets and budgets
  • Key indicators to monitor the effectiveness of controls

28

British Ministry of Defence Architecture Framework (MODAF)

The British Ministry of Defence Architecture Framework (MODAF) is another recognized enterprise architecture framework based upon the DoDAF. The crux of the framework is to be able to get data in the right format to the right people as soon as possible. Modern warfare is complex, and activities happen fast, which requires personnel and systems to be more adaptable than ever before. Data needs to be captured and properly presented so that decision makers understand complex issues quickly, which allows for fast and hopefully accurate decisions.

29

chief information officer (CIO)

On a lower rung of the food chain is the chief information officer (CIO). This individual can report to the CEO or CFO, depending upon the corporate structure, and is responsible for the strategic use and management of information systems and technology within the organization. Over time, this position has become more strategic and less operational in many organizations. CIOs oversee and are responsible for the day-in-day-out technology operations of a company, but because organizations are so dependent upon technology, CIOs are being asked to sit at the big boys’ corporate table more and more.

30

Data Owner Issues

Each business unit should have a data owner who protects the unit’s most critical information. The company’s policies must give the data owners the necessary authority to carry out their tasks.

31

Policy types

Organizational (master), issue-specific, system-specific.

32

19. Which of the following is not a characteristic of a company with a security governance program in place?

A. Board members are updated quarterly on the company’s state of security.

B. All security activity takes place within the security department.

C. Security products, services, and consultants are deployed in an informed manner.

D. The organization has established metrics and goals for improving security.

Extended Questions:

CORRECT B. If all security activity takes place within the security department, then security is working within a silo and is not integrated throughout the organization. In a company with a security governance program, security responsibilities permeate the entire organization, from executive management down the chain of command. A common scenario would be executive management holding business unit managers responsible for carrying out risk management activities for their specific business units. In addition, employees are held accountable for any security breaches they participate in, either maliciously or accidentally.

WRONG A is incorrect because security governance is a set of responsibilities and practices exercised by the board and executive management of an organization with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the organization’s resources are used responsibly. An organization with a security governance program in place has a board of directors that understands the importance of security and is aware of the organization’s security performance and breaches.

WRONG C is incorrect because security governance is a coherent system of integrated security components that includes products, personnel, training, processes, etc. Thus, an organization with a security governance program in place is likely to purchase and deploy security products, managed services, and consultants in an informed manner. They are also constantly reviewed to ensure they are cost-effective.

WRONG D is incorrect because security governance requires performance measurement and oversight mechanisms. An organization with a security governance program in place continually reviews its processes, including security, with the goal of continued improvement. On the other hand, an organization that lacks a security governance program is likely to march forward without analyzing its performance and therefore repeatedly makes similar mistakes.

33

SABSA model

Model and methodology for the development of information security enterprise architectures

34

Layers of Responsibility

Okay, who is in charge so we have someone to blame?

Senior management and other levels of management understand the vision of the company, the business goals, and the objectives. The next layer down is the functional management, whose members understand how their individual departments work, what roles individuals play within the company, and how security affects their department directly. The next layers are operational managers and staff. These layers are closer to the actual operations of the company. They know detailed information about the technical and procedural requirements, the systems, and how the systems are used. The employees at these layers understand how security mechanisms integrate into systems, how to configure them, and how they affect daily productivity. Every layer offers different insight into what type of role security plays within an organization, and each should have input into the best security practices, procedures, and chosen controls to ensure the agreed-upon security level provides the necessary amount of protection without negatively affecting the company’s productivity.

35

Why Do We Need Enterprise Architecture Frameworks?

As you have probably experienced, business people and technology people sometimes seem like totally different species. Business people use terms like "net profits," "risk universes," "portfolio strategy," "hedging," "commodities," etc. Technology people use terms like "deep packet inspection," "level three devices," "cross-site scripting," "load balancing," etc. Think about the acronyms techies like us throw around—TCP, APT, ICMP, RAID, UDP, L2TP, PPTP, IPSec, AES, and DES. We can have complete conversations between ourselves without using any real words. And even though business people and technology people use some of the same words, they have totally different meanings to the individual groups. To business people, a protocol is a set of approved processes that must be followed to accomplish a task. To technical people, a protocol is a standardized manner of communication between computers or applications. Business and technical people use the term "risk," but each group is focusing on very different risks a company can face—market share versus security breaches. And even though each group uses the term "data" the same, business people look at data only from a functional point of view and security people look at data from a risk point of view.

36

chief executive officer (CEO)

This motley crew is made up of individuals whose titles start with a C. The chief executive officer (CEO) has the day-to-day management responsibilities of an organization. This person is often the chairperson of the board of directors and is the highest-ranking officer in the company. This role is for the person who oversees the company’s finances, strategic planning, and operations from a high level. The CEO is usually seen as the visionary for the company and is responsible for developing and modifying the company’s business plan. He sets budgets, forms partnerships, decides on what markets to enter, what product lines to develop, how the company will differentiate itself, and so on. This role’s overall responsibility is to ensure that the company grows and thrives.

37

1. Which of the following best describes the relationship between CobiT and ITIL?

A. CobiT is a model for IT governance, whereas ITIL is a model for corporate governance.

B. CobiT provides a corporate governance roadmap, whereas ITIL is a customizable framework for IT service management.

C. CobiT defines IT goals, whereas ITIL provides the process-level steps on how to achieve them.

D. CobiT provides a framework for achieving security goals, whereas ITIL defines a framework for achieving IT service-level goals.

Extended Questions:

CORRECT C. The Control Objectives for Information and related Technology (CobiT) is a framework developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and ensure IT maps to business needs, not specifically just security needs. The Information Technology Infrastructure Library (ITIL) is the de facto standard of best practices for IT service management. A customizable framework, ITIL provides the goals, the general activities necessary to achieve these goals, and the input and output values for each process required to meet these determined goals. In essence, CobiT addresses "what is to be achieved," while ITIL addresses "how to achieve it."

WRONG A is incorrect because, while CobiT can be used as a model for IT governance, ITIL is not a model for corporate governance. Actually, Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a model for corporate governance. CobiT is derived from the COSO framework. You can think of CobiT as a way to meet many of the COSO objectives, but only from the IT perspective. In order to achieve many of the objectives addressed in CobiT, an organization can use ITIL, which provides process-level steps for achieving IT service management objectives.

WRONG B is incorrect because, as previously stated, CobiT can be used as a model for IT governance, not corporate governance. COSO is a model for corporate governance. The second half of the answer is correct. ITIL is a customizable framework that is available as a series of books or online, for IT service management.

WRONG D is incorrect because CobiT defines goals for the controls that should be used to properly manage IT and ensure IT maps to business needs, not just IT security needs. ITIL provides steps for achieving IT service management goals as they relate to business needs. ITIL was created because of the increased dependence on information technology to meet business needs.

38

How do you know if an organization does not have an enterprise security architecture in place? If the answer is "yes" to most of the following questions, this type of architecture is not in place:

  • Does security take place in silos throughout the organization?
  • Is there a continual disconnect between senior management and the security staff?
  • Are redundant products purchased for different departments for overlapping security needs?
  • Is the security program made up of mainly policies without actual implementation and enforcement?
  • When user access requirements increase because of business needs, does the network administrator just modify the access controls without the user manager’s documented approval?
  • When a new product is being rolled out, do unexpected interoperability issues pop up that require more time and money to fix?
  • Do many "one-off" efforts take place instead of following standardized procedures when security issues arise?
  • Are the business unit managers unaware of their security responsibilities and how their responsibilities map to legal and regulatory requirements?
  • Is "sensitive data" defined in a policy, but the necessary controls are not fully implemented and monitored?
  • Are stovepipe (point) solutions implemented instead of enterprise-wide solutions?
  • Are the same expensive mistakes continuing to take place?
  • Is security governance currently unavailable because the enterprise is not viewed or monitored in a standardized and holistic manner?
  • Are business decisions being made without taking security into account?
  • Are security personnel usually putting out fires with no real time to look at and develop strategic approaches?
  • Are security efforts taking place in business units that other business units know nothing about?
  • Are more and more security personnel seeking out shrinks and going on antidepressant or anti-anxiety medication?

39

Quick Tips

  • The objectives of security are to provide availability, integrity, and confidentiality protection to data and resources.
  • A vulnerability is the absence of or weakness in a control.
  • A threat is the possibility that someone or something would exploit a vulnerability, intentionally or accidentally, and cause harm to an asset.
  • A risk is the probability of a threat agent exploiting a vulnerability and the loss potential from that action.
  • A countermeasure, also called a safeguard or control, mitigates the risk.
  • A control can be administrative, technical, or physical and can provide deterrent, preventive, detective, corrective, or recovery protection.
  • A compensating control is an alternate control that is put into place because of financial or business functionality reasons.
  • CobiT is a framework of control objectives and allows for IT governance.
  • ISO/IEC 27001 is the standard for the establishment, implementation, control, and improvement of the information security management system.
  • The ISO/IEC 27000 series were derived from BS 7799 and are international best practices on how to develop and maintain a security program.
  • Enterprise architecture frameworks are used to develop architectures for specific stakeholders and present information in views.
  • An information security management system (ISMS) is a coherent set of policies, processes, and systems to manage risks to information assets as outlined in ISO/IEC 27001.
  • Enterprise security architecture is a subset of business architecture and a way to describe current and future security processes, systems, and subunits to ensure strategic alignment.
  • Blueprints are functional definitions for the integration of technology into business processes.
  • Enterprise architecture frameworks are used to build individual architectures that best map to individual organizational needs and business drivers.
  • Zachman is an enterprise architecture framework, and SABSA is a security enterprise architecture framework.
  • COSO is a governance model used to help prevent fraud within a corporate environment.
  • ITIL is a set of best practices for IT service management.
  • Six Sigma is used to identify defects in processes so that the processes can be improved upon.
  • CMMI is a maturity model that allows for processes to improve in an incremented and standard approach.
  • Security enterprise architecture should tie in strategic alignment, business enablement, process enhancement, and security effectiveness.
  • NIST 800-53 uses the following control categories: technical, management, and operational.
  • OCTAVE is a team-oriented risk management methodology that employs workshops and is commonly used in the commercial sector.
  • Security management should work from the top down (from senior management down to the staff).
  • Risk can be transferred, avoided, reduced, or accepted.
  • Threats × vulnerability × asset value = total risk.
  • (Threats × vulnerability × asset value) × controls gap = residual risk.
  • The main goals of risk analysis are the following: identify assets and assign values to them, identify vulnerabilities and threats, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the safeguards.
  • Failure Modes and Effect Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process.
  • A fault tree analysis is a useful approach to detect failures that can take place within complex environments and systems.
  • A quantitative risk analysis attempts to assign monetary values to components within the analysis.
  • A purely quantitative risk analysis is not possible because qualitative items cannot be quantified with precision.
  • Capturing the degree of uncertainty when carrying out a risk analysis is important, because it indicates the level of confidence the team and management should have in the resulting figures.
  • Automated risk analysis tools reduce the amount of manual work involved in the analysis. They can be used to estimate future expected losses and calculate the benefits of different security measures.
  • Single loss expectancy × frequency per year = annualized loss expectancy (SLE × ARO = ALE).
  • Qualitative risk analysis uses judgment and intuition instead of numbers.
  • Qualitative risk analysis involves people with the requisite experience and education evaluating threat scenarios and rating the probability, potential loss, and severity of each threat based on their personal experience.
  • The Delphi technique is a group decision method where each group member can communicate anonymously.
  • When choosing the right safeguard to reduce a specific risk, the cost, functionality, and effectiveness must be evaluated and a cost/benefit analysis performed.
  • A security policy is a statement by management dictating the role security plays in the organization.
  • Procedures are detailed step-by-step actions that should be followed to achieve a certain task.
  • Standards are documents that outline rules that are compulsory in nature and support the organization’s security policies.
  • A baseline is a minimum level of security.
  • Guidelines are recommendations and general approaches that provide advice and flexibility.
  • Job rotation is a detective administrative control to detect fraud.
  • Mandatory vacations are a detective administrative control type that can help detect fraudulent activities.
  • Separation of duties ensures no single person has total control over a critical activity or task. It is a preventative administrative control.
  • Split knowledge and dual control are two aspects of separation of duties.
  • Data owners specify the classification of data, and data custodians implement and maintain controls to enforce the set classification levels.
  • Security has functional requirements, which define the expected behavior from a product or system, and assurance requirements, which establish confidence in the implemented products or systems overall.
  • Management must define the scope and purpose of security management, provide support, appoint a security team, delegate responsibility, and review the team’s findings.
  • The risk management team should include individuals from different departments within the organization, not just technical personnel.
  • Social engineering is a nontechnical attack carried out to manipulate a person into providing sensitive data to an unauthorized individual.
  • Personal identification information (PII) is a collection of identity-based data that can be used in identity theft and financial fraud, and thus must be highly protected.
  • Security governance is a framework that provides oversight, accountability, and compliance.
  • ISO/IEC 27004:2009 is an international standard for information security measurement management.
  • NIST 800-55 is a standard for performance measurement for information security.

40

The organizational security policy has several important characteristics that must be understood and implemented:

  • Business objectives should drive the policy’s creation, implementation, and enforcement. The policy should not dictate business objectives.
  • It should be an easily understood document that is used as a reference point for all employees and management.
  • It should be developed and used to integrate security into all business functions and processes.
  • It should be derived from and support all legislation and regulations applicable to the company.
  • It should be reviewed and modified as a company changes, such as through adoption of a new business model, a merger with another company, or change of ownership.
  • Each iteration of the policy should be dated and under version control.
  • The units and individuals who are governed by the policy must have easy access to it. Policies are commonly posted on portals on an intranet.
  • It should be created with the intention of having the policies in place for several years at a time. This will help ensure policies are forward-thinking enough to deal with potential changes that may arise.
  • The level of professionalism in the presentation of the policies reinforces their importance as well as the need to adhere to them.
  • It should not contain language that isn’t readily understood by everyone. Use clear and declarative statements that are easy to understand and adopt.
  • It should be reviewed on a regular basis and adapted to correct incidents that have occurred since the last review and revision of the policies.

41

We Are Never Done

Only by reassessing the risks on a periodic basis can a statement of safeguard performance be trusted. If the risk has not changed, and the safeguards implemented are functioning in good order, then it can be said that the risk is being properly mitigated. Regular IRM monitoring will support the information security risk ratings.

42

A risk analysis has four main goals:

  • Identify assets and their value to the organization.
  • Identify vulnerabilities and threats.
  • Quantify the probability and business impact of these potential threats.
  • Provide an economic balance between the impact of the threat and the cost of the countermeasure.

43

Data custodian

Individual responsible for implementing and maintaining security controls to meet the security requirements outlined by the data owner.

44

Single loss expectancy

One instance of an expected loss if a specific vulnerability is exploited and how it affects a single asset. Asset Value × Exposure Factor = SLE.

45

Preventive

Intended to avoid an incident from occurring

46

Top-down Approach

The janitor said we should wrap our computers in tin foil to meet our information security needs.

47

The following shows the common levels of sensitivity from the highest to the lowest for commercial business:

  • Confidential
  • Private
  • Sensitive
  • Public

48

ISO/IEC 27011

Information security management guidelines for telecommunications organizations

49

Many Standards, Best Practices, and Frameworks

As you will see in the following sections, various profit and nonprofit organizations have developed their own approaches to security management, security control objectives, process management, and enterprise development. We will examine their similarities and differences and illustrate where each is used within the industry.

50

Chief Privacy Officer

The chief privacy officer (CPO) is a newer position, created mainly because of the increasing demands on organizations to protect a long laundry list of different types of data. This role is responsible for ensuring that customer, company, and employee data are kept safe, which keeps the company out of criminal and civil courts and hopefully out of the headlines. This person is usually an attorney and is directly involved with setting policies on how data are collected, protected, and given out to third parties. The CPO often reports to the chief security officer.

51

chief security officer (CSO)

The chief security officer (CSO) is responsible for understanding the risks that the company faces and for mitigating these risks to an acceptable level. This role is responsible for understanding the organization’s business drivers and for creating and maintaining a security program that facilitates these drivers, along with providing security, compliance with a long list of regulations and laws, and any customer expectations or contractual obligations.

52

Physical damage

Fire, water, vandalism, power loss, and natural disasters

53

Detective

Helps identify an incident’s activities and potentially an intruder

54

Quick Tips

  • The objectives of security are to provide availability, integrity, and confidentiality protection to data and resources.

55

risk

A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact. If a firewall has several ports open, there is a higher likelihood that an intruder will use one to access the network in an unauthorized method. If users are not educated on processes and procedures, there is a higher likelihood that an employee will make an unintentional mistake that may destroy data. If an intrusion detection system (IDS) is not implemented on a network, there is a higher likelihood an attack will go unnoticed until it is too late. Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact.

56

Zachman framework

Model for the development of enterprise architectures developed by John Zachman

57

Process Management Development

Along with ensuring that we have the proper controls in place, we also want to have ways to construct and improve our business, IT, and security processes in a structured and controlled manner. The security controls can be considered the "things," and processes are how we use these things. We want to use them properly, effectively, and efficiently.

58

NIST 800-53

Are there standard approaches to locking down government systems?

CobiT contains control objectives used within the private sector; the U.S. government has its own set of requirements when it comes to controls for federal information systems and organizations.

59

Chief Information Officer

On a lower rung of the food chain is the chief information officer (CIO). This individual can report to the CEO or CFO, depending upon the corporate structure, and is responsible for the strategic use and management of information systems and technology within the organization. Over time, this position has become more strategic and less operational in many organizations. CIOs oversee and are responsible for the day-in-day-out technology operations of a company, but because organizations are so dependent upon technology, CIOs are being asked to sit at the big boys’ corporate table more and more.

60

Cost/benefit analysis

Calculating the value of a control. (ALE before implementing a control) - (ALE after implementing a control) - (annual cost of control) = value of control.

61

Who Really Understands Risk Management?

Unfortunately, the answer to this question is that not enough people inside or outside of the security profession really understand risk management. Even though information security is big business today, the focus is more on applications, devices, viruses, and hacking. Although these items all must be considered and weighed in risk management processes, they should be considered small pieces of the overall security puzzle, not the main focus of risk management.

62

Facilitated Risk Analysis Process (FRAP)

A focused, qualitative approach that carries out prescreening to save time and money.

63

17. Jared plays a role in his company’s data classification system. In this role, he must practice due care when accessing data and ensure that the data is used only in accordance with allowed policy while abiding by the rules set for the classification of the data. He does not determine, maintain, or evaluate controls, so what is Jared’s role?

A. Data owner

B. Data custodian

C. Data user

D. Information systems auditor

Extended Questions:

CORRECT C. Any individual who routinely uses data for work-related tasks is a data user. Users must have the necessary level of access to the data to perform the duties within their position and are responsible for following operational security procedures to ensure the data’s confidentiality, integrity, and availability to others. This means that users must practice due care and act in accordance with both security policy and data classification rules.

WRONG A is incorrect because the data owner has a greater level of responsibility in the protection of the data. Data owners are responsible for classifying the data, regularly reviewing classification levels, and delegating the responsibility of the data protection duties to the data custodian. The data owner is typically a manager or executive in the organization and is held responsible when it comes to protecting the company’s information assets.

WRONG B is incorrect because the data custodian is responsible for the implementation and maintenance of security controls as dictated by the data owner. In other words, the data custodian is the technical caretaker of the controls that protect the data. Her duties include making backups, restoring data, implementing and maintaining countermeasures, and administering controls.

WRONG D is incorrect because an information systems auditor is responsible for evaluating controls. After evaluating the controls, the auditor provides reports to management, illustrating the mapping between the set acceptable risk level of the organization and her findings. This does not have to do with using the data or practicing due care with the use of data.

64

26. ISO/IEC 27000 is part of a growing family of ISO/IEC information security management systems (ISMS) standards. It comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Which of the following provides an incorrect mapping of the individual standards that make up this family of standards?

A. ISO/IEC 27002 Code of practice for information security management

B. ISO/IEC 27003 Guideline for ISMS implementation

C. ISO/IEC 27004 Guideline for information security management measurement and metrics framework

D. ISO/IEC 27005 Guideline for bodies providing audit and certification of information security management systems

Extended Questions:

CORRECT D. The ISO/IEC 27005 standard is the guideline for information security risk management. ISO/IEC 27005 is an international standard for how risk management should be carried out in the framework of an information security management system (ISMS).

WRONG A is incorrect because ISO/IEC 27002 is the code of practice for information security management; thus, it has a correct mapping. ISO/IEC 27002 provides best practice recommendations and guidelines as they pertain to initiating, implementing, or maintaining information security management systems (ISMS).

WRONG B is incorrect because ISO/IEC 27003 is the guideline for ISMS implementation; thus, it has a correct mapping. It focuses on the critical aspects needed for successful design and implementation of an information security management system (ISMS) in accordance with ISO/IEC 27001:2005. It describes the process of ISMS specification and design from inception to the production of implementation plans.

WRONG C is incorrect because ISO/IEC 27004 is the guideline for information security management measurement and metrics framework; thus, it has a correct mapping. It provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001.

The following scenario applies to questions 27 and 28.

65

ISO 27799

Guideline for information security management in health organizations

66

9. The integrity of data is not related to which of the following?

A. Unauthorized manipulation or changes to data

B. The modification of data without authorization

C. The intentional or accidental substitution of data

D. The extraction of data to share with unauthorized entities

Extended Questions:

CORRECT D. The extraction of data to share with unauthorized entities is a confidentiality issue, not an integrity issue. Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of confidentiality should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination. Integrity, on the other hand, is the principle that signifies the data has not been changed or manipulated in an unauthorized manner.

WRONG A is incorrect because integrity is related to the unauthorized manipulation or changes to data. Integrity is upheld when any unauthorized modification is prevented. Hardware, software, and communication mechanisms must work in concert to maintain and process data correctly and move data to intended destinations without unexpected alteration. The systems and network should be protected from outside interference and contamination.

WRONG B is incorrect because the modification of data without authorization is related to integrity. Integrity is about protecting data so that it cannot be changed either by users or other systems that do not have the rights to do so.

WRONG C is incorrect because the intentional or accidental substitution of data is related to integrity. Along with the assurance that data is not modified by unauthorized entities, integrity is upheld when the assurance of the accuracy and reliability of the information and systems is provided. An environment that enforces integrity prevents attackers, for example, from inserting a virus, logic bomb, or backdoor into a system that could corrupt or replace data. Users usually affect a system or its data’s integrity by mistake (although internal users may also commit malicious deeds). For example, a user may insert incorrect values into a data processing application that ends up charging a customer $3,000 instead of $300.

67

16. Susan, an attorney, has been hired to fill a new position at Widgets Inc. The position is Chief Privacy Officer (CPO). What is the primary function of her new role?

A. Ensuring the protection of partner data

B. Ensuring the accuracy and protection of company financial information

C. Ensuring that security policies are defined and enforced

D. Ensuring the protection of customer, company, and employee data

Extended Questions:

CORRECT D. The Chief Privacy Officer (CPO) position is being created by companies in response to the increasing demands on organizations to protect myriad types of data. The CPO is responsible for ensuring the security of customer, company, and employee data, which keeps the company free from legal prosecution and—hopefully—out of the headlines. Thus, the CPO is directly involved with setting policies on how data is collected, protected, and distributed to third parties. The CPO is usually an attorney and reports to the Chief Security Officer.

WRONG A is incorrect because protecting partner data is just a small subset of all the data the CPO is responsible for protecting. CPOs are responsible for ensuring the protection of customer, company, and employee data. Partner data is among the various types of data that the CPO is responsible for protecting. In addition, the CPO is responsible for knowing how its company’s suppliers, partners, and other third parties are protecting its sensitive information. Many times, companies will need to review these other parties (which have copies of data needing protection).

WRONG B is incorrect because the accuracy of financial information is the responsibility of its data owner—the Chief Financial Officer (CFO). The CFO is responsible for the corporation’s accounting and financial activities, and the overall financial structure of the organization. The CPO is responsible for helping to ensure the secrecy of this data, but not the accuracy of the data. The financial information is also a small subset of all the data types the CPO is responsible for protecting.

WRONG C is incorrect because the definition and enforcement of security policies is the responsibility of senior management, commonly delegated to the CISO or CSO—not the CPO. A security policy is an overall general statement that dictates what role security plays within the organization. The CPO’s responsibilities as they relate to policies are to contribute to the setting of data protection policies, including how data is collected, protected, and distributed to third parties.

68

Capability Maturity Model Integration (CMMI)

Organizational development for process improvement developed by Carnegie Mellon

69

COSO

Set of internal corporate controls to help reduce the risk of financial fraud developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission

70

annualized rate of occurrence (ARO)

The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a specific threat taking place within a 12-month timeframe. The range can be from 0.0 (never) to 1.0 (once a year) to greater than 1 (several times a year) and anywhere in between. For example, if the probability of a fire taking place and damaging our data warehouse is once every ten years, the ARO value is 0.1.

71

Data Owner

The data owner (information owner) is usually a member of management who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information. The data owner has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data. The data owner decides upon the classification of the data she is responsible for and alters that classification if the business need arises. This person is also responsible for ensuring that the necessary security controls are in place, defining security requirements per classification and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and defining user access criteria. The data owner approves access requests or may choose to delegate this function to business unit managers. And the data owner will deal with security violations pertaining to the data she is responsible for protecting. The data owner, who obviously has enough on her plate, delegates responsibility of the day-to-day maintenance of the data protection mechanisms to the data custodian.

72

ITIL

Processes to allow for IT service management developed by the United Kingdom’s Office of Government Commerce

74

Regulatory

This type of policy ensures that the organization is following standards set by specific industry regulations (HIPAA, GLBA, SOX, PCI-DSS, etc.). It is very detailed and specific to a type of industry. It is used in financial institutions, healthcare facilities, public utilities, and other government-regulated industries.

75

Putting It Together

To perform a risk analysis, a company first decides what assets must be protected and to what extent. It also indicates the amount of money that can go toward protecting specific assets. Next, it must evaluate the functionality of the available safeguards and determine which ones would be most beneficial for the environment. Finally, the company needs to appraise and compare the costs of the safeguards. These steps and the resulting information enable management to make the most intelligent and informed decisions about selecting and purchasing countermeasures.

76

Security Governance

Are we doing all this stuff right?

An organization may be following many of the items laid out in this chapter: building a security program, integrating it into their business architecture, developing a risk management program, documenting the different aspects of the security program, performing data protection, and training their staff. But how do we know we are doing it all correctly and on an ongoing basis? This is where security governance comes into play. Security governance is a framework that allows the security goals of an organization to be set and expressed by senior management and communicated throughout the different levels of the organization, grants power to the entities needed to implement and enforce security, and provides a way to verify the performance of these necessary security activities. Not only does senior management need to set the direction of security, it needs a way to view and understand how its directives are being met or not being met.

77

The following issues should be considered when assigning values to assets:

  • Cost to acquire or develop the asset
  • Cost to maintain and protect the asset
  • Value of the asset to owners and users
  • Value of the asset to adversaries
  • Price others are willing to pay for the asset
  • Cost to replace the asset if lost
  • Operational and production activities affected if the asset is unavailable
  • Liability issues if the asset is compromised
  • Usefulness and role of the asset in the organization

78

Corrective

Fixes components or systems after an incident has occurred

79

British Ministry of Defence Architecture Framework (MODAF)

The British Ministry of Defence Architecture Framework (MODAF) is another recognized enterprise architecture framework based upon the DoDAF. The crux of the framework is to be able to get data in the right format to the right people as soon as possible. Modern warfare is complex, and activities happen fast, which requires personnel and systems to be more adaptable than ever before. Data needs to be captured and properly presented so that decision makers understand complex issues quickly, which allows for fast and hopefully accurate decisions.

80

board of directors

The board of directors is a group of individuals who are elected by the shareholders of a corporation to oversee the fulfillment of the corporation’s charter. The goal of the board is to ensure the shareholders’ interests are being protected and that the corporation is being run properly. They are supposed to be unbiased and independent individuals who oversee the executive staff’s performance in running the company.

81

Loss of data

Intentional or unintentional loss of information to unauthorized receivers

82

Total Risk vs. Residual Risk

The reason a company implements countermeasures is to reduce its overall risk to an acceptable level. As stated earlier, no system or environment is 100 percent secure, which means there is always some risk left over to deal with. This is called residual risk.

83

threat agent

A threat is any potential danger that is associated with the exploitation of a vulnerability. The threat is that someone, or something, will identify a specific vulnerability and use it against the company or individual. The entity that takes advantage of a vulnerability is referred to as a threat agent. A threat agent could be an intruder accessing the network through a port on the firewall, a process accessing data in a way that violates the security policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose confidential information.

84

18. Risk assessment has several different methodologies. Which of the following official risk methodologies was not created for the purpose of analyzing security risks?

A. FAP

B. OCTAVE

C. ANZ 4360

D. NIST SP 800-30

Extended Questions:

CORRECT C. While ANZ 4360 can be used to analyze security risks, it was not created for that purpose. It takes a much broader approach to risk management than other risk assessment methodologies, such as NIST and OCTAVE, which focus on IT threats and information security risks. ANZ 4360 can be used to understand a company’s financial, capital, human safety, and business decisions risks.

WRONG A is incorrect because there is no formal FAP risk analysis approach. It is a distractor answer.

WRONG B is incorrect because OCTAVE focuses on IT threats and information security risks. OCTAVE is meant to be used in situations where people manage and direct the risk evaluation for information security within their organization. The organization’s employees are given the power to determine the best approach for evaluating security.

WRONG D is incorrect because NIST SP 800-30 is specific to IT threats and how they relate to information security risks. It focuses mainly on systems. Data is collected from network and security practice assessments, and from people within the organization. The data is then used as input values for the risk analysis steps outlined in the 800-30 document.

85

chief financial officer (CFO)

The chief financial officer (CFO) is responsible for the corporation’s accounting and financial activities and the overall financial structure of the organization. This person is responsible for determining what the company’s financial needs will be and how to finance those needs. The CFO must create and maintain the company’s capital structure, which is the proper mix of equity, credit, cash, and debt financing. This person oversees forecasting and budgeting and the processes of submitting quarterly and annual financial statements to the SEC and stakeholders.

86

Total risk

Full risk amount before a control is put into place. Threats × vulnerabilities × assets = total risk.

87

Quantitative risk analysis

Assigning monetary and numeric values to all the data elements of a risk assessment.

88

Each organization is different in its size, security posture, threat profile, and security budget. One organization may have one individual responsible for IRM or a team that works in a coordinated manner. The overall goal of the team is to ensure the company is protected in the most cost-effective manner. This goal can be accomplished only if the following components are in place:

  • An established risk acceptance level provided by senior management
  • Documented risk assessment processes and procedures
  • Procedures for identifying and mitigating risks
  • Appropriate resource and fund allocation from senior management
  • Security-awareness training for all staff members associated with information assets
  • The ability to establish improvement (or risk mitigation) teams in specific areas when necessary
  • The mapping of legal and regulatory compliance requirements to control and implementation requirements
  • The development of metrics and performance indicators so as to measure and manage various types of risks
  • The ability to identify and assess new risks as the environment and company change
  • The integration of IRM and the organization’s change control process to ensure that changes do not introduce new vulnerabilities

89

data custodian

The data custodian (information custodian) is responsible for maintaining and protecting the data. This role is usually filled by the IT or security department, and the duties include implementing and maintaining security controls; performing regular backups of the data; periodically validating the integrity of the data; restoring data from backup media; retaining records of activity; and fulfilling the requirements specified in the company’s security policy, standards, and guidelines that pertain to information security and data protection.

90

Audit Committee

The audit committee should be appointed by the board of directors to help it review and evaluate the company’s internal operations, internal audit system, and the transparency and accuracy of financial reporting so the company’s investors, customers, and creditors have continued confidence in the organization.

91

Separation of duties

Preventive administrative control used to ensure one person cannot carry out a critical task alone.

92

Policy

High-level document that outlines senior management’s security directives.

93

Defense-in-depth

Implementation of multiple controls so that successful penetration and compromise is more difficult to attain.

94

The Open Group Architecture Framework (TOGAF)

Another enterprise architecture framework is The Open Group Architecture Framework (TOGAF), which has its origins in the U.S. Department of Defense. It provides an approach to design, implement, and govern an enterprise information architecture.

95

Access control

Control access to assets based on business requirements, user management, authentication methods, and monitoring.

96

business enablement

When looking at the business enablement requirement of the security enterprise architecture, we need to remind ourselves that companies are in business to make money. Companies and organizations do not exist for the sole purpose of being secure. Security cannot stand in the way of business processes, but should be implemented to better enable them.

97

January 2004

Enron ex-Chief Financial Officer Andrew Fastow was given a ten-year prison sentence for his accounting scandals, which was a reduced term because he cooperated with prosecutors.

98

annual loss expectancy (ALE)

If we choose to carry out a quantitative analysis, then we are going to use mathematical equations for our data interpretation process. The equations most commonly used for this purpose are the single loss expectancy (SLE) and the annual loss expectancy (ALE).

99

AS/NZS 4360

Australia and New Zealand business risk management assessment approach.

100

chief privacy officer (CPO)

The chief privacy officer (CPO) is a newer position, created mainly because of the increasing demands on organizations to protect a long laundry list of different types of data. This role is responsible for ensuring that customer, company, and employee data are kept safe, which keeps the company out of criminal and civil courts and hopefully out of the headlines. This person is usually an attorney and is directly involved with setting policies on how data are collected, protected, and given out to third parties. The CPO often reports to the chief security officer.

101

user

The user is any individual who routinely uses the data for work-related tasks. The user must have the necessary level of access to the data to perform the duties within their position and is responsible for following operational security procedures to ensure the data’s confidentiality, integrity, and availability to others.

102

Quantitative Cons

  • Calculations can be complex. Can management understand how these values were derived?
  • Without automated tools, this process is extremely laborious.
  • More preliminary work is needed to gather detailed information about the environment.
  • Standards are not available. Each vendor has its own way of interpreting the processes and their results.

103

Fundamental Principles of Security

We need to understand the core goals of security, which are to provide availability, integrity, and confidentiality (AIC triad) protection for critical assets. Each asset will require different levels of these types of protection, as we will see in the following sections. All security controls, mechanisms, and safeguards are implemented to provide one or more of these protection types, and all risks, threats, and vulnerabilities are measured for their potential capability to compromise one or all of the AIC principles.

104

System development and maintenance

Implement security in all phases of a system’s lifetime through development of security requirements, cryptography, integrity protection, and software development procedures.

105

Risk Analysis Team

Each organization has different departments, and each department has its own functionality, resources, tasks, and quirks. For the most effective risk analysis, an organization must build a risk analysis team that includes individuals from many or all departments to ensure that all of the threats are identified and addressed. The team members may be part of management, application programmers, IT staff, systems integrators, and operational managers—indeed, any key personnel from key areas of the organization. This mix is necessary because if the risk analysis team comprises only individuals from the IT department, it may not understand, for example, the types of threats the accounting department faces with data integrity issues, or how the company as a whole would be affected if the accounting department’s data files were wiped out by an accidental or intentional act. Or, as another example, the IT staff may not understand all the risks the employees in the warehouse would face if a natural disaster were to hit, or what it would mean to their productivity and how it would affect the organization overall. If the risk analysis team is unable to include members from various departments, it should, at the very least, make sure to interview people in each department so it fully understands and can quantify all threats.

106

chief privacy officer (CPO)

The chief privacy officer (CPO) is a newer position, created mainly because of the increasing demands on organizations to protect a long laundry list of different types of data. This role is responsible for ensuring that customer, company, and employee data are kept safe, which keeps the company out of criminal and civil courts and hopefully out of the headlines. This person is usually an attorney and is directly involved with setting policies on how data are collected, protected, and given out to third parties. The CPO often reports to the chief security officer.

107

organizational security policy

A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. A security policy can be an organizational policy, an issue-specific policy, or a system-specific policy. In an organizational security policy, management establishes how a security program will be set up, lays out the program’s goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out. This policy must address relevant laws, regulations, and liability issues, and how they are to be satisfied. The organizational security policy provides scope and direction for all future security activities within the organization. It also describes the amount of risk senior management is willing to accept.

108

December 2005

The former Chief Executive Officer of HealthSouth Corp. was sentenced to five years in prison for his part in the $2.7 billion scandal.

109

Business continuity management

Counter disruptions of normal operations by using continuity planning and testing.

110

Delphi method

Data collection method that happens in an anonymous fashion.

111

Asset classification and control

Develop a security infrastructure to protect organizational assets through accountability and inventory, classification, and handling procedures.

112

13. As his company’s CISO, George needs to demonstrate to the Board of Directors the necessity of a strong risk management program. Which of the following should George use to calculate the company’s residual risk?

A. threats × vulnerability × asset value = residual risk

B. SLE × frequency = ALE, which is equal to residual risk

C. (threats × vulnerability × asset value) × control gap = residual risk

D. (total risk - asset value) × countermeasures = residual risk

Extended Questions:

CORRECT C. Countermeasures are implemented to reduce overall risk to an acceptable level. However, no system or environment is 100 percent secure, and with every countermeasure some risk remains. The leftover risk after countermeasures are implemented is called residual risk. Residual risk differs from total risk, which is the risk companies face when they choose not to implement any countermeasures. While the total risk can be determined by calculating threats × vulnerability × asset value = total risk, residual risk can be determined by calculating (threats × vulnerability × asset value) × control gap = residual risk. Control gap is the amount of protection the control cannot provide.

WRONG A is incorrect because threats × vulnerability × asset value does not equal residual risk. It is the equation to calculate total risk. Total risk is the risk a company faces in the absence of any security safeguards or actions to reduce the overall risk exposure. The total risk is reduced by implementing safeguards and countermeasures, leaving the company with residual risk—or the risk left over after safeguards are implemented.

WRONG B is incorrect because SLE × frequency is the equation to calculate the annualized loss expectancy (ALE) as a result of a threat exploiting a vulnerability and the business impact. The frequency is the threat’s annual rate of occurrence (ARO). The ALE is not equal to residual risk. ALE indicates how much money a specific type of threat is likely to cost the company over the course of a year. Knowing the real possibility of a threat and how much damage, in monetary terms, the threat can cause is important in determining how much should be spent to try and protect against that threat in the first place.

WRONG D is incorrect and is a distracter answer. No such formula is used in risk assessments. The actual equations are threats × vulnerability × asset value = total risk; and (threats × vulnerability × asset value) × control gap = residual risk.

113

chief financial officer (CFO)

The chief financial officer (CFO) is responsible for the corporation’s account and financial activities and the overall financial structure of the organization. This person is responsible for determining what the company’s financial needs will be and how to finance those needs. The CFO must create and maintain the company’s capital structure, which is the proper mix of equity, credit, cash, and debt financing. This person oversees forecasting and budgeting and the processes of submitting quarterly and annual financial statements to the SEC and stakeholders.

114

Privacy

Privacy is different from security. Privacy indicates the amount of control an individual should be able to have and expect as it relates to the release of their own sensitive information. Security comprises the mechanisms that can be put into place to provide this level of control.

115

ISO/IEC 27006

Guidelines for bodies providing audit and certification of information security management systems

116

Nondisclosure agreements

Nondisclosure agreements must be developed and signed by new employees to protect the company and its sensitive information. Any conflicts of interest must be addressed, and there should be different agreements and precautions taken with temporary and contract employees.

117

chief security officer (CSO)

The chief security officer (CSO) is responsible for understanding the risks that the company faces and for mitigating these risks to an acceptable level. This role is responsible for understanding the organization’s business drivers and for creating and maintaining a security program that facilitates these drivers, along with providing security, compliance with a long list of regulations and laws, and any customer expectations or contractual obligations.

118

Why So Many Roles?

Most organizations will not have all the roles previously listed, but what is important is to build an organizational structure that contains the necessary roles and map the correct security responsibilities to them. This structure includes clear definitions of responsibilities, lines of authority and communication, and enforcement capabilities. A clear-cut structure takes the mystery out of who does what and how things are handled in different situations.

119

CRAMM

Central Computing and Telecommunications Agency Risk Analysis and Management Method.

120

qualitative

Another method of risk analysis is qualitative, which does not assign numbers and monetary values to components and losses. Instead, qualitative methods walk through different scenarios of risk possibilities and rank the seriousness of the threats and the validity of the different possible countermeasures based on opinions. (A wide-sweeping analysis can include hundreds of scenarios.) Qualitative analysis techniques include judgment, best practices, intuition, and experience. Examples of qualitative techniques to gather data are Delphi, brainstorming, storyboarding, focus groups, surveys, questionnaires, checklists, one-on-one meetings, and interviews. The risk analysis team will determine the best technique for the threats that need to be assessed, as well as the culture of the company and individuals involved with the analysis.

121

bottom-up approach

A security program should use a top-down approach, meaning that the initiation, support, and direction come from top management; work their way through middle management; and then reach staff members. In contrast, a bottom-up approach refers to a situation in which staff members (usually IT) try to develop a security program without getting proper management support and direction. A bottom-up approach is commonly less effective, not broad enough to address all security risks, and doomed to fail. A top-down approach makes sure the people actually responsible for protecting the company’s assets (senior management) are driving the program. Senior management are not only ultimately responsible for the protection of the organization, but also hold the purse strings for the necessary funding, have the authority to assign needed resources, and are the only ones who can ensure true enforcement of the stated security rules and policies. Management’s support is one of the most important pieces of a security program. A simple nod and a wink will not provide the amount of support required.

122

24. List in the proper order from the table that follows the learning objectives that are missing and their proper definitions.

A. Understanding, recognition and retention, skill

B. Skill, recognition and retention, skill

C. Recognition and retention, skill, understanding

D. Skill, recognition and retention, understanding

Extended Questions:

CORRECT C. Awareness training and materials remind employees of their responsibilities pertaining to protecting company assets. Training provides skills needed to carry out specific tasks and functions. Education provides management skills and decision-making capabilities.

WRONG A is incorrect because the different types of training and education do not map to the listed results. Companies today spend a lot of money on security devices and technologies, but they commonly overlook the fact that individuals must be trained to use these devices and technologies. Without such training, the money invested toward reducing threats can be wasted, and the company is still insecure.

WRONG B is incorrect because the different types of training and education do not map to the listed results. Different roles require different types of training or education. A skilled staff is one of the most critical components to the security of a company.

WRONG D is incorrect because the different types of training and education do not map to the listed results. A security-awareness program is typically created for at least three types of audiences: management, staff, and technical employees. Each type of awareness training must be geared toward the individual audience to ensure each group understands its particular responsibilities, liabilities, and expectations.

123

CobiT was derived from the COSO framework, developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission in 1985 to deal with fraudulent financial activities and reporting. The COSO framework is made up of the following components:

  • Control environment
      • Management’s philosophy and operating style
      • Company culture as it pertains to ethics and fraud
  • Risk assessment
      • Establishment of risk objectives
      • Ability to manage internal and external change
  • Control activities
      • Policies, procedures, and practices put in place to mitigate risk
  • Information and communication
      • Structure that ensures that the right people get the right information at the right time
  • Monitoring
      • Detecting and responding to control deficiencies

124

The main components of each phase are provided in the following:

  • Plan and Organize
      • Establish management commitment.
      • Establish oversight steering committee.
      • Assess business drivers.
      • Develop a threat profile on the organization.
      • Carry out a risk assessment.
      • Develop security architectures at business, data, application, and infrastructure levels.
      • Identify solutions per architecture level.
      • Obtain management approval to move forward.
  • Implement
      • Assign roles and responsibilities.
      • Develop and implement security policies, procedures, standards, baselines, and guidelines.
      • Identify sensitive data at rest and in transit.
      • Implement the following blueprints:
          • Asset identification and management
          • Risk management
          • Vulnerability management
          • Compliance
          • Identity management and access control
          • Change control
          • Software development life cycle
          • Business continuity planning
          • Awareness and training
          • Physical security
          • Incident response
      • Implement solutions (administrative, technical, physical) per blueprint.
      • Develop auditing and monitoring solutions per blueprint.
      • Establish goals, service level agreements (SLAs), and metrics per blueprint.
  • Operate and Maintain
      • Follow procedures to ensure all baselines are met in each implemented blueprint.
      • Carry out internal and external audits.
      • Carry out tasks outlined per blueprint.
      • Manage SLAs per blueprint.
  • Monitor and Evaluate
      • Review logs, audit results, collected metric values, and SLAs per blueprint.
      • Assess goal accomplishments per blueprint.
      • Carry out quarterly meetings with steering committees.
      • Develop improvement steps and integrate into the Plan and Organize phase.

125

15. A. CobiT has four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. Each category drills down into subcategories. For example, Acquire and Implement contains the following subcategories:

  • Acquire and Maintain Application Software
  • Acquire and Maintain Technology Infrastructure
  • Develop and Maintain Procedures
  • Install and Accredit Systems
  • Manage Changes

126

This committee is usually responsible for at least the following items:

  • The integrity of the company’s financial statements and other financial information provided to stockholders and others
  • The company’s system of internal controls
  • The engagement and performance of the independent auditors
  • The performance of the internal audit function
  • Compliance with legal requirements, regulations, and company policies regarding ethical conduct

127

29. C. The best process improvement approaches provided in this list are Six Sigma and the Capability Maturity Model. The following outlines the definitions for all items in this question:

  • TOGAF: Model and methodology for the development of enterprise architectures developed by The Open Group
  • ITIL: Processes to allow for IT service management developed by the United Kingdom’s Office of Government Commerce
  • Six Sigma: Business management strategy that can be used to carry out process improvement
  • Capability Maturity Model Integration (CMMI): Organizational development for process improvement developed by Carnegie Mellon

128

2. Jane has been charged with ensuring that clients’ personal health information is adequately protected before it is exchanged with a new European partner. What data security requirements must she adhere to?

A. HIPAA

B. NIST SP 800-66

C. Safe Harbor

D. European Union Principles on Privacy

Extended Questions:

CORRECT C. The Safe Harbor requirements were created to harmonize the data privacy practices of the U.S. with the European Union’s stricter privacy controls, and to prevent accidental information disclosure and loss. The framework outlines how any entity that is going to move private data to and from Europe must go about protecting it. By certifying against this rule base, U.S. companies that work with European entities can more quickly and easily transfer data.

WRONG A is incorrect because the Health Insurance Portability and Accountability Act (HIPAA) does not specifically address data protection for the purposes of sharing it with European entities. HIPAA provides a framework and guidelines to ensure security, integrity, and privacy when handling confidential medical information within the U.S. The U.S. federal regulation also outlines how security should be managed for any facility that creates, accesses, shares, or destroys medical information.

WRONG B is incorrect because NIST SP 800-66 is a risk assessment methodology. It does not point out specific data privacy requirements. NIST SP 800-66 does apply to health care. It was originally designed to be implemented in the health care field and can be used by HIPAA clients to help achieve compliance.

WRONG D is incorrect because the European Union Principles on Privacy are the foundation for the European Union’s strict laws pertaining to data that is considered private. The purpose of the principles is not to prepare data specifically for its exchange with U.S. companies, nor are the requirements mandated for U.S. companies. This set of principles has six areas that address using and transmitting sensitive information, and all European states must abide by these principles to be in compliance.

129

11. A number of factors should be considered when assigning values to assets. Which of the following is not used to determine the value of an asset?

A. The asset’s value in the external marketplace

B. The level of insurance required to cover the asset

C. The initial and outgoing costs of purchasing, licensing, and supporting the asset

D. The asset’s value to the organization’s production operations

Extended Questions:

CORRECT B. The level of insurance required to cover the asset is not a consideration when assigning values to assets. It is actually the other way around: By knowing the value of an asset, an organization can more easily determine the level of insurance coverage to purchase for that asset. In fact, understanding the value of an asset is the first step to understanding what security mechanisms should be put in place and what funds should go toward protecting it. This knowledge can also help companies perform effective cost/benefit analyses, understand exactly what is at risk, and comply with legal and regulatory requirements.

WRONG A is incorrect because the asset’s value in the external marketplace is a factor that should be considered when determining the value of an asset. It should also include the value the asset might have to competitors or what others are willing to pay for a given asset.

WRONG C is incorrect because the initial and outgoing costs of purchasing, licensing, and supporting the asset are considerations when determining the cost and value of an asset. The asset must be cost-effective to the business directly. If the supporting requirements of maintaining the asset outweigh the business need for the asset, its value will decrease.

WRONG D is incorrect because it is a factor to be considered when determining an asset’s value. The asset’s value to the organization’s production operations is the determination of cost to an organization if the asset is not available for a certain period of time. Along these same lines, the asset’s usefulness and role in the organization should be considered, as well as the operational and production activities affected if the asset is unavailable. If the asset helps operations, it is valuable; the trick is to figure out how valuable.

130

Collusion

Two or more people working together to carry out fraudulent activities.

131

Threat

The danger of a threat agent exploiting a vulnerability.

132

31. Which are the two most common situations that require the type of control covered in the scenario to be implemented?

A. Defense-in-depth is required and the current controls only provide one protection layer.

B. Primary control costs too much or negatively affects business operations.

C. Confidentiality is the highest concern in a situation where defense-in-depth is required.

D. Availability is the highest concern in a situation where defense-in-depth is required.

Extended Questions:

CORRECT B. A compensating control is implemented because the primary control that was suggested is too expensive, but this type of protection is still required. A less expensive control that provides this same type of protection is identified and implemented. Another situation where a compensating control might be implemented is if the primary control negatively affects business operations.

WRONG A is incorrect because while a compensating control can help in providing defense-in-depth, this is not the reason this category of control would be put into place.

WRONG C is incorrect because a compensating control may or may not provide confidentiality. But the service that a control provides, as in confidentiality, is not the reason a compensating control is put into place. A compensating control is an alternate control type.

WRONG D is incorrect because a compensating control may or may not provide availability. But the service that a control provides, as in availability, is not the reason a compensating control is put into place. A compensating control is an alternate control type.

133

Human interaction

Accidental or intentional action or inaction that can disrupt productivity

134

Informative

This type of policy informs employees of certain topics. It is not an enforceable policy, but rather one that teaches individuals about specific issues relevant to the company. It could explain how the company interacts with partners, the company’s goals and mission, and a general reporting structure in different situations.

135

audit committee

The audit committee should be appointed by the board of directors to help it review and evaluate the company’s internal operations, internal audit system, and the transparency and accuracy of financial reporting so the company’s investors, customers, and creditors have continued confidence in the organization.

136

Security Policy

A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. A security policy can be an organizational policy, an issue-specific policy, or a system-specific policy. In an organizational security policy, management establishes how a security program will be set up, lays out the program’s goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out. This policy must address relative laws, regulations, and liability issues, and how they are to be satisfied. The organizational security policy provides scope and direction for all future security activities within the organization. It also describes the amount of risk senior management is willing to accept.

137

Guidelines

Guidelines are recommended actions and operational guides to users, IT staff, operations staff, and others when a specific standard does not apply. Guidelines can deal with the methodologies of technology, personnel, or physical security. Life is full of gray areas, and guidelines can be used as a reference during those times. Whereas standards are specific mandatory rules, guidelines are general approaches that provide the necessary flexibility for unforeseen circumstances.

138

Procedures

Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal. The steps can apply to users, IT staff, operations staff, security members, and others who may need to carry out specific tasks. Many organizations have written procedures on how to install operating systems, configure security mechanisms, implement access control lists, set up new user accounts, assign computer privileges, audit activities, destroy material, report incidents, and much more.

139

baseline

The term baseline refers to a point in time that is used as a comparison for future changes. Once risks have been mitigated and security put in place, a baseline is formally reviewed and agreed upon, after which all further comparisons and development are measured against it. A baseline results in a consistent reference point.

140

ISO/IEC 27005

Guideline for information security risk management

141

Product Line Manager

Who’s responsible for explaining business requirements to vendors and wading through their rhetoric to see if the product is right for the company? Who is responsible for ensuring compliance with license agreements? Who translates business requirements into objectives and specifications for the developer of a product or solution? Who decides if the company really needs to upgrade its operating system version every time Microsoft wants to make more money? That would be the product line manager.

142

Baselines

The term baseline refers to a point in time that is used as a comparison for future changes. Once risks have been mitigated and security put in place, a baseline is formally reviewed and agreed upon, after which all further comparisons and development are measured against it. A baseline results in a consistent reference point.

143

Steps of a Quantitative Risk Analysis

If we follow along with our previous sections in this chapter, we have already carried out our risk assessment, which is the process of gathering data for a risk analysis. We have identified the assets that are to be assessed, associated a value to each asset, and identified the vulnerabilities and threats that could affect these assets. Now we need to carry out the risk analysis portion, which means that we need to figure out how to interpret all the data that was gathered during the assessment.

144

Advisory

This type of policy strongly advises employees as to which types of behaviors and activities should and should not take place within the organization. It also outlines possible ramifications if employees do not comply with the established behaviors and activities. This policy type can be used, for example, to describe how to handle medical or financial information.

145

ISO/IEC 27002

Code of practice for information security management

146

British Standard 7799 (BS7799)

British Standard 7799 (BS7799) was developed in 1995 by the United Kingdom government’s Department of Trade and Industry and published by the British Standards Institution. The standard outlines how an information security management system (ISMS) (aka security program) should be built and maintained. The goal was to provide guidance to organizations on how to design, implement, and maintain policies, processes, and technologies to manage risks to their sensitive information assets.

147

15. For what purpose was the COSO framework developed?

A. To address fraudulent financial activities and reporting

B. To help organizations install, implement, and maintain CobiT controls

C. To serve as a guideline for IT security auditors to use when verifying compliance

D. To address regulatory requirements related to protecting private health information

Extended Questions:

CORRECT A. COSO is an acronym for the Committee of Sponsoring Organizations of the Treadway Commission, which was formed in 1985 to provide sponsorship for the National Commission on Fraudulent Financial Reporting, an organization that studies deceptive financial reports and the elements that lead to them. Thus, the COSO framework was essentially developed to deal with fraudulent financial activities and reporting. Basically, COSO helps ensure that public companies who report their financial information to the Securities and Exchange Commission (SEC) are telling the truth and not "cooking the books."

WRONG B is incorrect because COSO preceded CobiT; therefore, COSO was not developed to help organizations install, implement, and maintain CobiT controls. CobiT was derived from the COSO framework and offers a way to meet many of the COSO objectives from an IT perspective. COSO is a model for corporate governance on a strategic level, while CobiT is a model for IT governance on an operational level.

WRONG C is incorrect because COSO was not developed to serve as a guideline to help IT security auditors. However, CobiT, which was derived from the COSO framework and defines goals for the controls that should be used to properly manage IT and ensure IT maps to business needs, is often used by auditors. CobiT lays out executive summaries, management guidelines, frameworks, control objectives, an implementation toolset, and audit guidelines. A majority of regulation compliance and audits are built on the CobiT framework.

WRONG D is incorrect because COSO was not developed to address regulatory requirements related to private health information. However, NIST SP 800-66 is a risk assessment methodology that is designed to be implemented in the healthcare field or other regulated industries.

148

commonly

The classifications listed in the table are commonly used in the industry, but there is a lot of variance. An organization first must decide the number of data classifications that best fit its security needs, then choose the classification naming scheme, and then define what the names in those schemes represent. Company A might use the classification level "confidential," which represents its most sensitive information. Company B might use "top secret," "secret," and "confidential," where confidential represents its least sensitive information. Each organization must develop an information classification scheme that best fits its business and security needs.

149

Functionality vs. Security

Yes, we are secure, but we can’t do anything.

Anyone who has been involved with a security initiative understands it involves a balancing act between securing an environment and still allowing the necessary level of functionality so that productivity is not affected. A common scenario that occurs at the start of many security projects is that the individuals in charge of the project know the end result they want to achieve and have lofty ideas of how quick and efficient their security rollout will be, but they fail to consult the users regarding what restrictions will be placed upon them. The users, upon hearing of the restrictions, then inform the project managers that they will not be able to fulfill certain parts of their job if the security rollout actually takes place as planned. This usually causes the project to screech to a halt. The project managers then must initiate the proper assessments, evaluations, and planning to see how the environment can be slowly secured and how to ease users and tasks delicately into new restrictions or ways of doing business. Failing to consult users or to fully understand business processes during the planning phase causes many headaches and wastes time and money. Individuals who are responsible for security management activities must realize they need to understand the environment and plan properly before kicking off the implementation phase of a security program.

150

Costs That Make Up the Value

An asset can have both quantitative and qualitative measurements assigned to it, but these measurements need to be derived. The actual value of an asset is determined by the importance it has to the organization as a whole. The value of an asset should reflect all identifiable costs that would arise if the asset were actually impaired. If a server cost $4,000 to purchase, this value should not be input as the value of the asset in a risk assessment. Rather, the cost of replacing or repairing it, the loss of productivity, and the value of any data that may be corrupted or lost must be accounted for to properly capture the amount the organization would lose if the server were to fail for one reason or another.

151

Results of a Quantitative Risk Analysis

The risk analysis team should have clearly defined goals. The following is a short list of what generally is expected from the results of a risk analysis:

  • Monetary values assigned to assets
  • Comprehensive list of all possible and significant threats
  • Probability of the occurrence rate of each threat
  • Loss potential the company can endure per threat in a 12-month time span
  • Recommended controls

152

Availability

Reliable and timely access to data and resources is provided to authorized individuals.

153

TOGAF

Model and methodology for the development of enterprise architectures developed by The Open Group

154

risk assessment

A risk assessment, which is really a tool for risk management, is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the results are analyzed. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough security, or the wrong security controls, and to spend too much money in the process without attaining the necessary objectives. Risk analysis helps companies prioritize their risks and shows management the amount of resources that should be applied to protecting against those risks in a sensible manner.

155

annualized rate of occurrence (ARO)

The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a specific threat taking place within a 12-month timeframe. The range can be from 0.0 (never) to 1.0 (once a year) to greater than 1 (several times a year) and anywhere in between. For example, if the probability of a fire taking place and damaging our data warehouse is once every ten years, the ARO value is 0.1.

156

SABSA framework

Risk-driven enterprise security architecture that maps to business initiatives, similar to the Zachman framework.

157

Six Sigma

Business management strategy that can be used to carry out process improvement

158

Architecture Development Method (ADM)

So this architecture framework can be used to create individual architectures through the use of its Architecture Development Method (ADM). This method is an iterative and cyclic process that allows requirements to be continuously reviewed and the individual architectures updated as needed. These different architectures allow a technology architect to understand the enterprise from four different views (business, data, application, and technology) so she can ensure her team develops the necessary technology to work within the environment and all the components that make up that environment and meet business requirements. The technology may need to span many different network types, interconnect with various software components, and work within different business units. As an analogy, when a new city is being constructed, people do not just start building houses here and there. Civil engineers lay out roads, bridges, waterways, and commercial and housing zoned areas. A large organization that has a distributed and heterogeneous environment that supports many different business functions can be as complex as a city. So before a programmer starts developing code, the architecture of the software needs to be developed in the context of the organization it will work within.

159

Determining the value of assets may be useful to a company for a variety of reasons, including the following:

  • To perform effective cost/benefit analyses
  • To select specific countermeasures and safeguards
  • To determine the level of insurance coverage to purchase
  • To understand what exactly is at risk
  • To comply with legal and regulatory requirements

160

exposure

An exposure is an instance of being exposed to losses. A vulnerability exposes an organization to possible damages. If password management is lax and password rules are not enforced, the company is exposed to the possibility of having users’ passwords captured and used in an unauthorized manner. If a company does not have its wiring inspected and does not put proactive fire prevention steps into place, it exposes itself to potentially devastating fires.

161

Security Program Development

No organization is going to put all the previously listed items (ISO/IEC 27000, COSO, Zachman, SABSA, CobiT, NIST 800-53, ITIL, Six Sigma, CMMI) in place. But together they make a good toolbox of things you can pull from, and you will find some fit the organization you work in better than others. You will also find that as your organization’s security program matures, you will see more clearly where these various standards, frameworks, and management components come into play. While these items are separate and distinct, there are basic things that need to be built in for any security program and its corresponding controls. This is because the basic tenets of security are universal, whether they are being deployed in a corporation, government agency, business, school, or nonprofit organization. Each entity is made up of people, processes, data, and technology, and each of these things needs to be protected.

162

Board of Directors

Hey, Enron was successful for many years. What’s wrong with their approach?

The board of directors is a group of individuals who are elected by the shareholders of a corporation to oversee the fulfillment of the corporation’s charter. The goal of the board is to ensure the shareholders’ interests are being protected and that the corporation is being run properly. They are supposed to be unbiased and independent individuals who oversee the executive staff’s performance in running the company.

163

12. Jill is establishing a companywide sales program that will require different user groups with different privileges to access information on a centralized database. How should the security manager secure the database?

A. Increase the database’s security controls and provide more granularity.

B. Implement access controls that display each user’s permissions each time they access the database.

C. Change the database’s classification label to a higher security status.

D. Decrease the security so that all users can access the information as needed.

Extended Questions:

CORRECT A. The best approach to securing the database in this situation would be to increase the controls and assign very granular permissions. These measures would ensure that users cannot abuse their privileges and the confidentiality of the information would be maintained. Granularity of permissions gives network administrators and security professionals additional control over the resources they are charged with protecting, and a fine level of detail enables them to give individuals just the precise level of access they need.

WRONG B is incorrect because implementing access controls that display each user’s permissions each time they access the database is an example of one control. It is not the overall way of dealing with user access to a full database of information. This may be an example of increasing database security controls, but it is only one example and more would need to be put into place.

WRONG C is incorrect because the classification level of the information in the database was previously determined based on its confidentiality, integrity, and availability levels. These levels do not change simply because more users need access to the data. Thus, you would never increase or decrease the classification level of information when more users or groups need to access that information. Increasing the classification level would only mean a smaller subset of users could access the database.

WRONG D is incorrect because it puts data at risk. If security is decreased so that all users can access it as needed, then users with lower privileges will be able to access data of higher classification levels. Lower security also makes it easier for intruders to break into the database. As stated in answer C, a classification level is not changed just because the number of users who need to access the data increases or decreases.

164

Confidentiality

Necessary level of secrecy is enforced and unauthorized disclosure is prevented.

165

enterprise security architecture

An enterprise security architecture is a subset of an enterprise architecture and defines the information security strategy that consists of layers of solutions, processes, and procedures and the way they are linked across an enterprise strategically, tactically, and operationally. It is a comprehensive and rigorous method for describing the structure and behavior of all the components that make up a holistic information security management system (ISMS). The main reason to develop an enterprise security architecture is to ensure that security efforts align with business practices in a standardized and cost-effective manner. The architecture works at an abstraction level and provides a frame of reference. Besides security, this type of architecture allows organizations to better achieve interoperability, integration, ease-of-use, standardization, and governance.

166

Standard

Compulsory rules that support the security policies.

167

total risk

Residual risk is different from total risk, which is the risk a company faces if it chooses not to implement any type of safeguard. A company may choose to take on total risk if the cost/benefit analysis results indicate this is the best course of action. For example, if there is a small likelihood that a company’s web servers can be compromised, and the necessary safeguards to provide a higher level of protection cost more than the potential loss in the first place, the company will choose not to implement the safeguard, choosing to deal with the total risk.

168

control

A control, or countermeasure, is put into place to mitigate (reduce) the potential risk. A countermeasure may be a software configuration, a hardware device, or a procedure that eliminates a vulnerability or that reduces the likelihood a threat agent will be able to exploit a vulnerability. Examples of countermeasures include strong password management, firewalls, a security guard, access control mechanisms, encryption, and security-awareness training.

169

Integrity

Accuracy and reliability of the information and systems are provided and any unauthorized modification is prevented.

170

Misuse of data

Sharing trade secrets, fraud, espionage, and theft

171

Creation of information security infrastructure

Create and maintain an organizational security structure through the use of a security forum, a security officer, defining security responsibilities, authorization processes, outsourcing, and independent reviews.

172

August 2005

Former WorldCom Chief Financial Officer Scott Sullivan was sentenced to five years in prison for his role in engineering the $11 billion accounting fraud that led to the bankruptcy of the telecommunications powerhouse.

173

Sam is the security manager of a company that makes most of its revenue from its intellectual property. Sam has implemented a process improvement program that has been certified by an outside entity. His company received a Level 2 during an appraisal process, and he is putting in steps to increase this to a Level 3. A year ago when Sam carried out a risk analysis, he determined that the company was at too much of a risk when it came to potentially losing trade secrets. The countermeasure his team implemented reduced this risk, and Sam determined that the annualized loss expectancy of the risk of a trade secret being stolen once in a hundred-year period is now $400.

27. Which of the following is the criteria Sam’s company was most likely certified under?

A. SABSA

B. Capability Maturity Model Integration

C. Information Technology Infrastructure Library

D. PRINCE2

Extended Questions:

CORRECT B. Capability Maturity Model Integration (CMMI) is a process improvement approach that is used to help organizations improve their performance. The CMMI model may also be used as a framework for appraising the process maturity of the organization. The levels used in CMMI are Level 1-Initial, Level 2-Managed, Level 3-Defined, Level 4-Quantitatively Managed, and Level 5-Optimizing.

WRONG A is incorrect because Sherwood Applied Business Security Architecture (SABSA) is a model and methodology for the development of information security enterprise architectures. Since it is a framework, this means it provides a structure for individual architectures to be built from. Since it is a methodology also, this means it provides the processes to follow to build and maintain this architecture.

WRONG C is incorrect because the Information Technology Infrastructure Library (ITIL) is the de facto standard of best practices for IT service management. ITIL was created because of the increased dependence on information technology to meet business needs. Although ITIL has a component that deals with security, its focus is more toward internal service level agreements between the IT department and the "customers" it serves. The customers are usually internal departments. ITIL does not use the levels described in the scenario.

WRONG D is incorrect because PRINCE2 (PRojects IN Controlled Environments) is a process-based method for effective project management. It is commonly used by the UK government and is not a topic covered by the CISSP exam.

174

Methodologies for Risk Assessment

Are there rules on how to do this risk stuff or do we just make it up as we go along?

The industry has different standardized methodologies when it comes to carrying out risk assessments. Each of the individual methodologies has the same basic core components (identify vulnerabilities, associate threats, calculate risk values), but each has a specific focus. As a security professional it is your responsibility to know which is the best approach for your organization and its needs.

175

ISO/IEC 27014

Guideline for information security governance

176

So up to this point, we have accomplished the following items:

  • Developed a risk management policy
  • Developed a risk management team
  • Identified company assets to be assessed
  • Calculated the value of each asset
  • Identified the vulnerabilities and threats that can affect the identified assets
  • Chose a risk assessment methodology that best fits our needs

177

Security Steering Committee

Our steering committee just ran us into a wall.

A security steering committee is responsible for making decisions on tactical and strategic security issues within the enterprise as a whole and should not be tied to one or more business units. The group should be made up of people from all over the organization so they can view risks and the effects of security decisions on individual departments and the organization as a whole. The CEO should head this committee, and the CFO, CIO, department managers, and chief internal auditor should all be on it.

178

CSO vs. CISO

The CSO and chief information security officer (CISO) may have similar or very different responsibilities. How is that for clarification? It is up to the individual organization to define the responsibilities of these two roles and whether they will use both, either, or neither. By and large, the CSO role usually has a farther-reaching list of responsibilities compared to the CISO role. The CISO is usually focused more on technology and has an IT background. The CSO usually is required to understand a wider range of business risks, including physical security, not just technological risks.

179

4. Steve, a department manager, has been asked to join a committee that is responsible for defining an acceptable level of risk for the organization, reviewing risk assessment and audit reports, and approving significant changes to security policies and programs. What committee is he joining?

A. Security policy committee

B. Audit committee

C. Risk management committee

D. Security steering committee

Extended Questions:

CORRECT D. Steve is joining a security steering committee, which is responsible for making decisions on tactical and strategic security issues within the enterprise. The committee should consist of individuals from throughout the organization and meet at least quarterly. In addition to the responsibilities listed in the question, the security steering committee is responsible for establishing a clearly defined vision statement that works with and supports the organizational intent of the business. It should provide support for the goals of confidentiality, integrity, and availability as they pertain to the organization’s business objectives. This vision statement should, in turn, be supported by a mission statement that provides support and definition to the processes that will apply to the organization and allow it to reach its business goals.

WRONG A is incorrect because a security policy committee is a committee chosen by senior management to produce security policies. Usually senior management has this responsibility unless they delegate it to a board or committee. Security policies dictate the role that security plays within the organization. They can be organizational, issue-specific, or system-specific. The steering committee does not directly create policies but reviews and approves them if acceptable.

WRONG B is incorrect because the audit committee’s goal is to provide independent and open communications among the board of directors, management, internal auditors, and external auditors. Its responsibilities include the company’s system of internal controls, the engagement and performance of independent auditors, and the performance of the internal audit function. The audit committee would report its findings to the steering committee, but not be responsible for overseeing and approving any part of a security program.

WRONG C is incorrect because the purpose of a risk management committee is to understand the risks that the organization faces as a whole and work with senior management to reduce these risks to acceptable levels. This committee does not oversee the security program. The security steering committee usually reports its findings to the risk management committee as it relates to information security. A risk management committee must look at overall business risks, not just IT security risks.

180

Capability Maturity Model Integration (CMMI)

Capability Maturity Model Integration (CMMI) came from the security engineering world. We will cover it in more depth from that point of view in Chapter 10, but this model is also used within organizations to help lay out a pathway of how incremental improvement can take place.

181

Failure Modes and Effects Analysis

Approach that dissects a component into its basic functions to identify flaws and those flaws’ effects.

182

Functionality versus effectiveness of control

Functionality is what a control does, and its effectiveness is how well the control does it.

183

Application error

Computation errors, input errors, and buffer overflows

184

The Value of Information and Assets

If information does not have any value, then who cares about protecting it?

The value placed on information is relative to the parties involved, what work was required to develop it, how much it costs to maintain, what damage would result if it were lost or destroyed, what enemies would pay for it, and what liability penalties could be endured. If a company does not know the value of the information and the other assets it is trying to protect, it does not know how much money and time it should spend on protecting them. If you were in charge of making sure Russia does not know the encryption algorithms used when transmitting information to and from U.S. spy satellites, you would use more extreme (and expensive) security measures than you would use to protect your peanut butter and banana sandwich recipe from your next-door neighbor. The value of the information supports security measure decisions.

185

28. What is the associated single loss expectancy value in this scenario?

A. $65,000

B. $400,000

C. $40,000

D. $4,000

Extended Questions:

CORRECT C. The formula to calculate the Annualized Loss Expectancy value (ALE) is Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO) = ALE. In this scenario, if the ALE is $400 and the ARO is 0.01, then the SLE is $40,000.

WRONG A is incorrect because the formula to obtain the SLE is Asset Value × Exposure Factor = SLE, and ALE is Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO) = ALE. If the ALE of the risk of a trade secret being stolen once in a hundred-year period is $400, then you have to work backwards to obtain the SLE value. If the ALE is $400 and the ARO is 0.01, then the resulting SLE value is $40,000.

WRONG B is incorrect because the formula to obtain the SLE is Asset Value × Exposure Factor = SLE, and ALE is Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO) = ALE. In this scenario, the risk of an asset being stolen once in a hundred-year period is calculated at the ALE being $400. If the ALE is $400 and the ARO is 0.01, then the resulting SLE value is $40,000.

WRONG D is incorrect because the formula to obtain the SLE is Asset Value × Exposure Factor = SLE, and ALE is Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO) = ALE. The goal of carrying out these calculations is to fully understand the criticality of specific risks and to know how much can be spent on implementing a countermeasure in a cost-effective manner.

The following scenario applies to questions 29, 30, and 31.

186

issue-specific policy

An issue-specific policy, also called a functional policy, addresses specific security issues that management feels need more detailed explanation and attention to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues. For example, an organization may choose to have an e-mail security policy that outlines what management can and cannot do with employees’ e-mail messages for monitoring purposes, that specifies which e-mail functionality employees can or cannot use, and that addresses specific privacy issues.

187

IT

COSO is a model for corporate governance, and CobiT is a model for IT governance. COSO deals more at the strategic level, while CobiT focuses more at the operational level. You can think of CobiT as a way to meet many of the COSO objectives, but only from the IT perspective. COSO deals with non-IT items also, such as company culture, financial accounting principles, board of director responsibility, and internal communication structures. COSO was formed to provide sponsorship for the National Commission on Fraudulent Financial Reporting, an organization that studies deceptive financial reports and what elements lead to them.

188

ISO/IEC 27004

Guideline for information security management measurement and metrics framework

189

Control

Safeguard that is put in place to reduce a risk, also called a countermeasure.

190

ISMS vs. Security Enterprise Architecture

We need to develop stuff and stick that stuff into an organized container.

What is the difference between an ISMS and an enterprise security architecture? An ISMS outlines the controls that need to be put into place (risk management, vulnerability management, BCP, data protection, auditing, configuration management, physical security, etc.) and provides direction on how those controls should be managed throughout their life cycle. The ISMS specifies the pieces and parts that need to be put into place to provide a holistic security program for the organization overall and how to properly take care of those pieces and parts. The enterprise security architecture illustrates how these components are to be integrated into the different layers of the current business environment. The security components of the ISMS have to be interwoven throughout the business environment and not siloed within individual company departments.

191

Annualized loss expectancy

Annual expected loss if a specific vulnerability is exploited and how it affects a single asset.

192

convergence

The CSO is commonly responsible for the convergence, which is the formal cooperation between previously disjointed security functions. This mainly pertains to physical and IT security working in a more concerted manner instead of working in silos within the organization. Issues such as loss prevention, fraud prevention, business continuity planning, legal/regulatory compliance, and insurance all have physical security and IT security aspects and requirements. So one individual (CSO) overseeing and intertwining these different security disciplines allows for a more holistic and comprehensive security program.

193

Data owner

Individual responsible for the protection and classification of a specific data set.

194

chief information officer (CIO)

On a lower rung of the food chain is the chief information officer (CIO). This individual can report to the CEO or CFO, depending upon the corporate structure, and is responsible for the strategic use and management of information systems and technology within the organization. Over time, this position has become more strategic and less operational in many organizations. CIOs oversee and are responsible for the day-in, day-out technology operations of a company, but because organizations are so dependent upon technology, CIOs are being asked to sit at the big boys’ corporate table more and more.

195

SP 800-53

Set of controls to protect U.S. federal systems developed by the National Institute of Standards and Technology (NIST)

196

Possible background check criteria could include

  • A Social Security number trace
  • A county/state criminal check
  • A federal criminal check
  • A sexual offender registry check
  • Employment verification
  • Education verification
  • Professional reference verification
  • An immigration check
  • Professional license/certification verification
  • Credit report
  • Drug screening

197

risk mitigation

Another approach is risk mitigation, where the risk is reduced to a level considered acceptable enough to continue conducting business. The implementation of firewalls, training, and intrusion detection/prevention systems or other control types represents types of risk mitigation efforts.

198

This committee should meet at least quarterly and have a well-defined agenda. Some of the group’s responsibilities are as follows:

  • Define the acceptable risk level for the organization.
  • Develop security objectives and strategies.
  • Determine priorities of security initiatives based on business needs.
  • Review risk assessment and auditing reports.
  • Monitor the business impact of security risks.
  • Review major security breaches and incidents.
  • Approve any major change to the security policy and program.

199

Protection Mechanisms

Okay, so we know we are at risk, and we know the probability of it happening. Now, what do we do?

200

Uncertainty analysis

Assigning confidence level values to data elements.

201

MODAF

Architecture framework used mainly in military support missions developed by the British Ministry of Defence

202

cost/benefit comparison

Risk analysis provides a cost/benefit comparison, which compares the annualized cost of controls to the potential cost of loss. A control, in most cases, should not be implemented unless the annualized cost of loss exceeds the annualized cost of the control itself. This means that if a facility is worth $100,000, it does not make sense to spend $150,000 trying to protect it.

203

July 2005

WorldCom ex-Chief Executive Officer Bernard Ebbers was sentenced to 25 years in prison for his role in orchestrating the biggest corporate fraud in the nation’s history.

204

Social engineering

Gaining unauthorized access by tricking someone into divulging sensitive information.

205

Security through obscurity

Relying upon the secrecy or complexity of an item as its security, instead of practicing solid security practices.

206

ISO/IEC 27037

Guideline for identification, collection, and/or acquisition and preservation of digital evidence

207

do

So the different categories of controls that can be used are administrative, technical, and physical. But what do these controls actually do for us? We need to understand the different functionality that each control type can provide us in our quest to secure our environments.

208

Risk Analysis Approaches

One consultant said this threat could cost us $150,000, another consultant said it was red, and the audit team assigned it a four. Should we be concerned or not?

The two approaches to risk analysis are quantitative and qualitative. A quantitative risk analysis is used to assign monetary and numeric values to all elements of the risk analysis process. Each element within the analysis (asset value, threat frequency, severity of vulnerability, impact damage, safeguard costs, safeguard effectiveness, uncertainty, and probability items) is quantified and entered into equations to determine total and residual risks. It is more of a scientific or mathematical approach to risk analysis compared to qualitative. A qualitative risk analysis uses a "softer" approach to the data elements of a risk analysis. It does not quantify that data, which means that it does not assign numeric values to the data so that they can be used in equations. As an example, the results of a quantitative risk analysis could be that the organization is at risk of losing $100,000 if a buffer overflow was exploited on a web server, $25,000 if a database was compromised, and $10,000 if a file server was compromised. A qualitative risk analysis would not present these findings in monetary values, but would assign ratings to the risks, as in Red, Yellow, and Green.

209

NIST 800-30 Risk Management Guide for Information Technology Systems

A U.S. federal standard that is focused on IT risks.

210

3. Global organizations that transfer data across international boundaries must abide by guidelines and transborder information flow rules developed by an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. What organization is this?

A. Committee of Sponsoring Organizations of the Treadway Commission

B. The Organisation for Economic Co-operation and Development

C. CobiT

D. International Organization for Standardization

Extended Questions:

CORRECT B. Almost every country has its own rules pertaining to what constitutes private data and how it should be protected. As the digital and information age came upon us, these different laws started to negatively affect business and international trade. Thus, the Organisation for Economic Co-operation and Development (OECD) developed guidelines for various countries so that data is properly protected and everyone follows the same rules.

WRONG A is incorrect because the Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in 1985 to provide sponsorship for the National Commission on Fraudulent Financial Reporting, an organization that studies deceptive financial reports and what elements lead to them. The acronym COSO refers to a model for corporate governance that addresses IT at a strategic level, company culture, financial accounting principles, and more.

WRONG C is incorrect because the Control Objectives for Information and related Technology (CobiT) is a framework that defines goals for the controls that should be used to properly manage IT and ensure that IT maps to business needs. It is an international open standard that provides requirements for the control and security of sensitive data and a reference framework.

WRONG D is incorrect because the International Organization for Standardization (ISO) is an international standard-setting body consisting of representatives from national standards organizations. Its objective is to establish global standardizations. However, its standardizations go beyond the privacy of data as it travels across international borders. For example, some standards address quality control, while others address assurance and security.

211

28. D. Unfortunately, you will run into questions on the CISSP exam that will be this confusing, so you need to be ready for them. The proper mapping for the ISO/IEC standards is as follows:

  • ISO/IEC 27001 ISMS requirements
  • ISO/IEC 27002 Code of practice for information security management
  • ISO/IEC 27003 Guideline for ISMS implementation
  • ISO/IEC 27004 Guideline for information security management measurement and metrics framework
  • ISO/IEC 27005 Guideline for information security risk management
  • ISO/IEC 27006 Guidance for bodies providing audit and certification of information security management systems

212

Deterrent

Intended to discourage a potential attacker

213

Security effectiveness

Security effectiveness deals with metrics, meeting service level agreement (SLA) requirements, achieving return on investment (ROI), meeting set baselines, and providing management with a dashboard or balanced scorecard system. These are ways to determine how well the current security solutions, and the architecture as a whole, are performing.

214

The cost of a countermeasure is more than just the amount filled out on the purchase order. The following items should be considered and evaluated when deriving the full cost of a countermeasure:

  • Product costs
  • Design/planning costs
  • Implementation costs
  • Environment modifications
  • Compatibility with other countermeasures
  • Maintenance requirements
  • Testing requirements
  • Repair, replacement, or update costs
  • Operating and support costs
  • Effects on productivity
  • Subscription costs
  • Extra man-hours for monitoring and responding to alerts
  • Beer for the headaches that this new tool will bring about

215

Qualitative Cons

  • The assessments and results are subjective and opinion-based.
  • Eliminates the opportunity to create a dollar value for cost/benefit discussions.
  • Hard to develop a security budget from the results because monetary values are not used.
  • Standards are not available. Each vendor has its own way of interpreting the processes and their results.

216

Qualitative risk analysis

Opinion-based method of analyzing risk with the use of scenarios and ratings.

217

system-specific policy

A system-specific policy presents the management’s decisions that are specific to the actual computers, networks, and applications. An organization may have a system-specific policy outlining how a database containing sensitive information should be protected, who can have access, and how auditing should take place. It may also have a system-specific policy outlining how laptops should be locked down and managed. This policy type is directed to one or a group of similar systems and outlines how they should be protected.

218

Shoulder surfing

Viewing information in an unauthorized manner by looking over the shoulder of someone else.

219

Security Frameworks

With each section we are getting closer to some of the overarching topics of this chapter. Up to this point we know what we need to accomplish (availability, integrity, confidentiality) and we know the tools we can use (administrative, technical, physical controls) and we know how to talk about this issue (vulnerability, threat, risk, control). Before we move into how to develop an organization-wide security program, let’s first explore what not to do, which is referred to as security through obscurity. The concept of security through obscurity is assuming that your enemies are not as smart as you are and that they cannot figure out something that you feel is very tricky. A nontechnical example of security through obscurity is the old practice of putting a spare key under a doormat in case you are locked out of the house. You assume that no one knows about the spare key, and as long as they don’t, it can be considered secure. The vulnerability here is that anyone could gain easy access to the house if they have access to that hidden spare key, and the experienced attacker (in this example, a burglar) knows that these kinds of vulnerabilities exist and takes the appropriate steps to seek them out.

220

June 2005

John Rigas, the CEO of Adelphia Communications Corp., was sentenced to 15 years in prison for his role in the looting and debt-hiding scandal that pummeled the company into bankruptcy. His son, who also held an executive position, was sentenced to 20 years.

221

Delphi technique

The Delphi technique is a group decision method used to ensure that each member gives an honest opinion of what he or she thinks the result of a particular threat will be. This avoids a group of individuals feeling pressured to go along with others’ thought processes and enables them to participate in an independent and anonymous way. Each member of the group provides his or her opinion of a certain threat and turns it in to the team that is performing the analysis. The results are compiled and distributed to the group members, who then write down their comments anonymously and return them to the analysis group. The comments are compiled and redistributed for more comments until a consensus is formed. This method is used to obtain an agreement on cost, loss values, and probabilities of occurrence without individuals having to agree verbally.

222

Information security policy for the organization

Map of business objectives to security, management’s support, security goals, and responsibilities.

223

10. There are several methods an intruder can use to gain access to company assets. Which of the following best describes masquerading?

A. Changing an IP packet’s source address

B. Elevating privileges to gain access

C. An attempt to gain unauthorized access as another user

D. Creating a new authorized user with hacking tools

Extended Questions:

CORRECT C. Masquerading is an attempt to gain unauthorized access by impersonating an authorized user. Masquerading is commonly used by attackers carrying out phishing attacks and has been around for a long time. For example, in 1996 hackers posed as AOL staff members and sent messages to victims asking for their passwords in order to verify correct billing information or verify information about the AOL accounts. Today, phishers often masquerade as large banking companies and well-known Internet entities like Amazon.com and eBay. Masquerading is a type of active attack because the attacker is actually doing something instead of sitting back and gathering data.

WRONG A is incorrect because changing an IP packet’s source address is an example of masquerading and not a definition of masquerading. IP spoofing is the act of presenting false information within packets, to trick other systems and hide the origin of the message. This is usually done by hackers so that their identity cannot be successfully uncovered.

WRONG B is incorrect because elevating privileges is not part of masquerading. Elevating privileges is often the next step after being able to penetrate a system successfully, but it does not have anything to do directly with fooling a user or system about the attacker’s true identity.

WRONG D is incorrect because masquerading commonly involves posing as an authorized user that already exists in the system the attacker is attempting to access. It is common for the attacker then to attempt to create a new authorized user account on a compromised system, but successful masquerading has to happen first.

224

Supervisor

The supervisor role, also called user manager, is ultimately responsible for all user activity and any assets created and owned by these users. For example, suppose Kathy is the supervisor of ten employees. Her responsibilities would include ensuring that these employees understand their responsibilities with respect to security; making sure the employees’ account information is up-to-date; and informing the security administrator when an employee is fired, suspended, or transferred. Any change that pertains to an employee’s role within the company usually affects what access rights they should and should not have, so the user manager must inform the security administrator of these changes immediately.

225

Barry has just been hired as the company security officer at an international financial institution. He has reviewed the company’s data protection policies and procedures. He sees that the company stores its sensitive data within a secured database. The database is located in a network segment all by itself, which is monitored by a network-based intrusion detection system. The database is hosted on a server kept within a server room, which can only be accessed by personnel with the correct PIN value and smart card. Barry finds that the sensitive data backups are not being properly secured and requests that the company implement a secure courier service that moves backup tapes to a secured location. His management states that this option is too expensive, so Barry implements a local hierarchy storage management system that properly protects the sensitive data.

29. Which of the following best describes the control types the company originally had in place?

A. Administrative preventive controls are the policies and procedures. Technical preventive controls are securing the system, network segmentation, and intrusion detection system. Physical detective controls are the physical location of the database and PIN and smart card access controls.

B. Administrative preventive controls are the policies. Technical preventive controls are securing the system and intrusion detection system. Physical preventive controls are the physical location of the database and PIN and smart card access controls.

C. Administrative corrective controls are the policies and procedures. Technical preventive controls are securing the system, network segmentation, and intrusion detection system. Physical preventive controls are the physical location of the database and PIN and smart card access controls.

D. Administrative preventive controls are the policies and procedures. Technical preventive controls are securing the system and network segmentation. The technical detective control is the intrusion detection system. Physical preventive controls are the physical location of the database and PIN and smart card access controls.

Extended Questions:

CORRECT D. The administrative preventive controls are the policies and procedures. Technical preventive controls are securing the system and network segmentation. The technical detective control is the intrusion detection system. Physical preventive controls are the physical location of the database and PIN and smart card access controls.

WRONG A is incorrect because an intrusion detection system is not a preventive control; this is an example of a detective control. It is important to have both prevention and detection controls in place.

WRONG B is incorrect because this answer does not mention procedures, which are an administrative preventive control. The answer also incorrectly states that an intrusion detection system is a preventive control, but it is a detective control.

WRONG C is incorrect because the answer incorrectly states that an intrusion detection system is a preventive control, but it is a detective control. The answer also states that policies and procedures are corrective controls, but they are preventive controls.

226

Fault tree analysis

Approach to map specific flaws to root causes in complex systems.

227

Personnel security

Reduce risks that are inherent in human interaction by screening employees, defining roles and responsibilities, training employees properly, and documenting the ramifications of not meeting expectations.

228

vulnerability

A vulnerability is a lack of a countermeasure or a weakness in a countermeasure that is in place. It can be a software, hardware, procedural, or human weakness that can be exploited. A vulnerability may be a service running on a server, unpatched applications or operating systems, an unrestricted wireless access point, an open port on a firewall, lax physical security that allows anyone to enter a server room, or unenforced password management on servers and workstations.

229

Security Administrator

The security administrator is responsible for implementing and maintaining specific security network devices and software in the enterprise. These controls commonly include firewalls, IDS, IPS, antimalware, security proxies, data loss prevention, etc. It is common for there to be delineation between the security administrator and the network administrator. The security administrator has the main focus of keeping the network secure, and the network administrator has the focus of keeping things up and running.

230

process reengineering

The process enhancement piece can be quite beneficial to an organization if it takes advantage of this capability when it is presented. When an organization is serious about securing its environment, it will have to take a close look at many of the business processes that take place on an ongoing basis. Many times these processes are viewed through the eyeglasses of security, because that’s the reason for the activity, but this is a perfect chance to enhance and improve upon the same processes to increase productivity. When you look at many business processes taking place in all types of organizations, you commonly find a duplication of efforts, manual steps that can be easily automated, or ways to streamline and reduce the time and effort involved in certain tasks. This is commonly referred to as process reengineering.

231

What

What are you trying to do at this layer? The assets to be protected by your security architecture.

232

Compliance

Comply with regulatory, contractual, and statutory requirements by using technical controls, system audits, and legal awareness.

233

accept the risk

The last approach is to accept the risk, which means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. Many companies will accept risk when the cost/benefit ratio indicates that the cost of the countermeasure outweighs the potential loss value.

234

ISO/IEC 27000 series

International standards on how to develop and maintain an ISMS developed by ISO and IEC

235

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

Team-oriented approach that assesses organizational and IT risks through facilitated workshops.

236

7. Which of the following is not included in a risk assessment?

A. Discontinuing activities that introduce risk

B. Identifying assets

C. Identifying threats

D. Analyzing risk in order of cost or criticality

Extended Questions:

CORRECT A. Discontinuing activities that introduce risk is a way of responding to risk through avoidance. For example, there are many risks surrounding the use of instant messaging (IM) in the enterprise. If a company decides not to allow IM activity because there is not enough business need for its use, then prohibiting this service is an example of risk avoidance. Risk assessment does not include the implementation of countermeasures such as this.

WRONG B is incorrect because identifying assets is part of a risk assessment, and the question asks to identify what is not included in a risk assessment. In order to determine the value of assets, those assets must first be identified. Asset identification and valuation are also important tasks of risk management.

WRONG C is incorrect because identifying threats is part of a risk assessment, and the question asks to identify what is not included in a risk assessment. Risk is present because of the possibility of a threat exploiting a vulnerability. If there were no threats, there would be no risk. Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact.

WRONG D is incorrect because analyzing risk in order of cost or criticality is part of the risk assessment process, and the question asks to identify what is not included in a risk assessment. A risk assessment researches and quantifies the risk a company faces. Dealing with risk must be done in a cost-effective manner. Knowing the severity of the risk allows the organization to determine how to address it effectively.

237

NIST developed a risk methodology, which is published in their SP 800-30 document. This NIST methodology is named a "Risk Management Guide for Information Technology Systems" and is considered a U.S. federal government standard. It is specific to IT threats and how they relate to information security risks. It lays out the following steps:

  • System characterization
  • Threat identification
  • Vulnerability identification
  • Control analysis
  • Likelihood determination
  • Impact analysis
  • Risk determination
  • Control recommendations
  • Results documentation

238

Information risk management (IRM)

Risk in the context of security is the possibility of damage happening and the ramifications of such damage should it occur. Information risk management (IRM) is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level. There is no such thing as a 100-percent secure environment. Every environment has vulnerabilities and threats. The skill is in identifying these threats, assessing the probability of them actually occurring and the damage they could cause, and then taking the right steps to reduce the overall level of risk in the environment to what the organization identifies as acceptable.

239

ISO/IEC 27033

Guideline for IT network security, a multipart standard based on ISO/IEC 18028:2006

240

Hiring Practices

I like your hat. You’re hired!

Depending on the position to be filled, a level of screening should be done by human resources to ensure the company hires the right individual for the right job. Skills should be tested and evaluated, and the caliber and character of the individual should be examined. Joe might be the best programmer in the state, but if someone looks into his past and finds out he served prison time because he continually flashes old ladies in parks, the hiring manager might not be so eager to bring Joe into the organization.

241

Enterprise Security Architecture

An enterprise security architecture is a subset of an enterprise architecture and defines the information security strategy that consists of layers of solutions, processes, and procedures and the way they are linked across an enterprise strategically, tactically, and operationally. It is a comprehensive and rigorous method for describing the structure and behavior of all the components that make up a holistic information security management system (ISMS). The main reason to develop an enterprise security architecture is to ensure that security efforts align with business practices in a standardized and cost-effective manner. The architecture works at an abstraction level and provides a frame of reference. Besides security, this type of architecture allows organizations to better achieve interoperability, integration, ease-of-use, standardization, and governance.

242

Technical controls that are commonly put into place to provide this type of layered approach are

  • Firewalls
  • Intrusion detection systems
  • Intrusion prevention systems
  • Antimalware
  • Access control
  • Encryption

243

A common hierarchy of security policies is outlined here, which illustrates the relationship between the master policy and the issue-specific policies that support it:

  • Organizational policy
  • Acceptable use policy
  • Risk management policy
  • Vulnerability management policy
  • Data protection policy
  • Access control policy
  • Business continuity policy
  • Log aggregation and auditing policy
  • Personnel security policy
  • Physical security policy
  • Secure application development policy
  • Change control policy
  • E-mail policy
  • Incident response policy

244

Residual risk

Risk that remains after implementing a control. Threats × vulnerabilities × assets × (control gap) = residual risk.

245

Standards

Some things you just gotta do.

Standards refer to mandatory activities, actions, or rules. Standards can give a policy its support and reinforcement in direction. Organizational security standards may specify how hardware and software products are to be used. They can also be used to indicate expected user behavior. They provide a means to ensure that specific technologies, applications, parameters, and procedures are implemented in a uniform (standardized) manner across the organization. An organizational standard may require that all employees wear their company identification badges at all times, that they challenge unknown individuals about their identity and purpose for being in a specific area, or that they encrypt confidential information. These rules are compulsory within a company, and if they are going to be effective, they must be enforced.

246

14. Authorization creep is to access controls what scope creep is to software development. Which of the following is not true of authorization creep?

A. Users have a tendency to request additional permissions without asking for others to be taken away.

B. It is a violation of "least privilege."

C. It enforces the "need-to-know" concept.

D. It commonly occurs when users transfer to other departments or change positions.

Extended Questions:

CORRECT C. The "need-to-know" concept is based on the idea that users are only given access rights to resources that they need in order to fulfill their job responsibilities. If access is not explicitly allowed, it should be implicitly denied. Instead of giving access to everything, and then taking privileges away based on "need-to-know," the better approach is to start with nothing and add privileges based on need to know. Authorization creep is contrary to this concept. It is about the accumulation of access rights over time, particularly those that the user does not have a need to know.

WRONG A is incorrect because it correctly describes a cause of authorization creep and the question asks which statement is not true. Authorization creep often occurs due to users’ tendency to request additional permissions without asking for others to be taken away. As a result, users have far more access rights and permissions than they require. This can pose a significant risk because too many users have too much privileged access to company assets.

WRONG B is incorrect because authorization creep is a violation of "least privilege" and the question asks which statement is not true. Least privilege is a principle that states users should be given the least amount of privileges necessary to be productive when carrying out tasks. Enforcing least privilege on user accounts should be an ongoing job, which means each user’s permissions should be reviewed to ensure the company is not putting itself at risk.

WRONG D is incorrect because it correctly describes a cause of authorization creep, and the question asks which statement is not true. When users transfer to other departments or change positions, they are often assigned more access rights and permissions—far more than they need to get their jobs done. These rights and permissions are commonly added to their original ones, and their access to resources can be too vast and dangerous.

247

6. Assigning data classification levels can help with all of the following except:

A. The grouping of classified information with hierarchical and restrictive security

B. Ensuring that nonsensitive data is not being protected by unnecessary controls

C. Extracting data from a database

D. Lowering the costs of protecting data

Extended Questions:

CORRECT C. Data classification does not involve the extraction of data from a database. However, data classification can be used to dictate who has access to read and write data that is stored in a database. Each classification should have separate handling requirements and procedures pertaining to how that data is accessed, used, and destroyed. For example, in a corporation, confidential information may only be accessed by senior management. Auditing could be very detailed and its results monitored daily, and degaussing or zeroization procedures may be required to erase the data. On the other hand, information classified as public may be accessed by all employees, and no special auditing or destruction methods are required.

WRONG A is incorrect because assigning data classification levels can help with the grouping of classified information with hierarchical and restrictive security. Data that shares the same classification, for example, can be grouped together and assigned the same handling requirements and procedures pertaining to how it is accessed, used, and destroyed.

WRONG B is incorrect because assigning data classification levels can help ensure that nonsensitive data is being protected by the necessary controls. Data classification directly deals with ensuring that the different levels of sensitive data are being protected by the necessary controls. This answer is very tricky because of all the negatives, so make sure to read questions and answers slowly.

WRONG D is incorrect because data classification helps ensure data is protected in the most cost-effective manner. Protecting and maintaining data costs money, but it is important to spend this money for the information that actually requires protection. For example, data that is classified confidential may require additional access controls as compared to public data to restrict access. It may also require additional auditing and monitoring. This may be appropriate for a soda company’s proprietary recipe, but it would be a waste of resources if those same measures were implemented for the soda company’s employee directory.

248

Once the scheme is decided upon, the organization must develop the criteria it will use to decide what information goes into which classification. The following list shows some criteria parameters an organization may use to determine the sensitivity of data:

  • The usefulness of data
  • The value of data
  • The age of data
  • The level of damage that could be caused if the data were disclosed
  • The level of damage that could be caused if the data were modified or corrupted
  • Legal, regulatory, or contractual responsibility to protect the data
  • Effects the data has on security
  • Who should be able to access the data
  • Who should maintain the data
  • Who should be able to reproduce the data
  • Lost opportunity costs that could be incurred if the data were not available or were corrupted

249

project sizing

It is important to figure out what you are supposed to be doing before you dig right in and start working. Anyone who has worked on a project without a properly defined scope can attest to the truth of this statement. Before an assessment and analysis are started, the team must carry out project sizing to understand which assets and threats should be evaluated. Most assessments are focused on physical security, technology security, or personnel security. Trying to assess all of them at the same time can be quite an undertaking.

250

The Open Group Architecture Framework

Our business processes, data flows, software programs, and network devices are strung together like spaghetti.

251

Rotation of duties

Detective administrative control used to uncover potential fraudulent activities.

252

ISO/IEC 27000 Series

The British seem to know what they are doing. Let’s follow them.

British Standard 7799 (BS7799) was developed in 1995 by the United Kingdom government's Department of Trade and Industry and published by the British Standards Institution. The standard outlines how an information security management system (ISMS) (aka security program) should be built and maintained. The goal was to provide guidance to organizations on how to design, implement, and maintain the policies, processes, and technologies needed to manage risks to their sensitive information assets.

253

Recovery

Intended to bring the environment back to regular operations

254

30. The storage management system that Barry put into place is referred to as which of the following?

A. Administrative control

B. Compensating control

C. Physical control

D. Confidentiality control

Extended Questions:

CORRECT B. A compensating control is an alternate control. Instead of a courier service, the company implemented an internal storage management system. A compensating control can be administrative, physical, or technical in nature.

WRONG A is incorrect because the storage management system is not an administrative control; it is a technical compensating control.

WRONG C is incorrect because the storage management system is not a physical control; it is a technical compensating control.

WRONG D is incorrect and a distracter. The main categories of controls are administrative, technical and physical. The controls can provide many different types of services and protection, confidentiality being one type of protection.

255

Enterprise Architectures: Scary Beasts

If these enterprise architecture models are new to you and a bit confusing, do not worry; you are not alone. While enterprise architecture frameworks are great tools to understand and help control all the complex pieces within an organization, the security industry is still maturing in its use of these types of architectures. Most companies develop policies and then focus on the technologies to enforce those policies, which skips the whole step of security enterprise architecture development. This is mainly because the information security field is still learning how to grow up and out of the IT department and into established corporate environments. As security and business truly become more intertwined, these enterprise frameworks will no longer seem abstract and foreign, but will become useful tools that are properly leveraged.

256

Mandatory vacation

Detective administrative control used to uncover potential fraudulent activities by requiring a person to be away from the organization for a period of time.

257

health informatics

16. A. It is referred to as health informatics, and its purpose is to provide guidance to health organizations and other holders of personal health information on how to protect such information via implementation of ISO/IEC 27002.

258

Risk Management

Life is full of risk.

Risk in the context of security is the possibility of damage happening and the ramifications of such damage should it occur. Information risk management (IRM) is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level. There is no such thing as a 100-percent secure environment. Every environment has vulnerabilities and threats. The skill is in identifying these threats, assessing the probability of them actually occurring and the damage they could cause, and then taking the right steps to reduce the overall level of risk in the environment to what the organization identifies as acceptable.

259

Failure Modes and Effect Analysis (FMEA)

Failure Modes and Effect Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process. It is commonly used in product development and operational environments. The goal is to identify where something is most likely going to break and either fix the flaws that could cause this issue or implement controls to reduce the impact of the break. For example, you might choose to carry out an FMEA on your organization’s network to identify single points of failure. These single points of failure represent vulnerabilities that could directly affect the productivity of the network as a whole. You would use this structured approach to identify these issues (vulnerabilities), assess their criticality (risk), and identify the necessary controls that should be put into place (reduce risk).
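The network example above, worked through in code as an added illustration (this is not code from the original flashcard deck): a small FMEA-style pass over a constructed topology that removes one node at a time, checks which business functions lose every path to their providers, and ranks the resulting failure modes by the standard FMEA risk priority number (RPN = severity x occurrence x detection, each on a 1-10 scale). The topology, the function definitions, and every score are assumptions chosen for illustration.

```python
"""Added example (not from the original deck): FMEA-style single-point-of-failure
analysis over a constructed network topology. Topology and all scores are assumed."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Function:
    """A function the network must deliver: a consumer segment that needs
    to reach at least one node in a set of providers."""
    consumer: str
    providers: frozenset
    severity: int  # assumed FMEA severity (1-10) if this function is lost


# Constructed sample topology as an undirected adjacency list (not a real network).
TOPOLOGY = {
    "client-vlan": {"core-sw"},
    "core-sw": {"client-vlan", "fw-a", "fw-b", "dist-sw"},
    "fw-a": {"core-sw", "isp-a"},
    "fw-b": {"core-sw", "isp-b"},
    "isp-a": {"fw-a"},
    "isp-b": {"fw-b"},
    "dist-sw": {"core-sw", "db-1", "db-2"},
    "db-1": {"dist-sw"},
    "db-2": {"dist-sw"},
}

# Functions the network must keep delivering; severities are assumed values.
FUNCTIONS = {
    "internet access": Function("client-vlan", frozenset({"isp-a", "isp-b"}), 7),
    "database service": Function("client-vlan", frozenset({"db-1", "db-2"}), 9),
}

# Assumed (occurrence, detection) per node: occurrence = how likely the node
# is to fail; detection = how hard the failure is to notice before it hurts.
SCORES = {
    "core-sw": (2, 2), "fw-a": (3, 2), "fw-b": (3, 2), "isp-a": (5, 2),
    "isp-b": (5, 2), "dist-sw": (3, 4), "db-1": (4, 3), "db-2": (4, 3),
}


def reachable(topology, start, removed):
    """Breadth-first search: nodes reachable from start once `removed` has failed."""
    if start == removed:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in topology[node]:
            if nxt != removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def failure_effects(topology, functions, node):
    """Functions lost if `node` fails, i.e. none of their providers stays reachable."""
    lost = []
    for name, fn in functions.items():
        if not (reachable(topology, fn.consumer, node) & fn.providers):
            lost.append(name)
    return lost


def single_points_of_failure(topology, functions):
    """Map each node whose failure alone loses a function to the functions lost."""
    consumers = {fn.consumer for fn in functions.values()}
    spof = {}
    for node in topology:
        if node in consumers:
            continue  # the consumer segment is the subject of the analysis, not a candidate
        lost = failure_effects(topology, functions, node)
        if lost:
            spof[node] = lost
    return spof


def fmea(topology, functions, scores):
    """One FMEA row per candidate node, ranked by RPN (highest first, then name)."""
    consumers = {fn.consumer for fn in functions.values()}
    rows = []
    for node in topology:
        if node in consumers:
            continue
        lost = failure_effects(topology, functions, node)
        severity = max((functions[f].severity for f in lost), default=0)
        occurrence, detection = scores[node]
        rows.append({"node": node, "effects": lost, "severity": severity,
                     "rpn": severity * occurrence * detection})
    return sorted(rows, key=lambda r: (-r["rpn"], r["node"]))


if __name__ == "__main__":
    for row in fmea(TOPOLOGY, FUNCTIONS, SCORES):
        print(f"{row['node']:<8} RPN={row['rpn']:<4} loses={row['effects']}")
```

Note what the ranking shows that a plain list of single points of failure does not: the core switch takes down both functions, but the distribution switch outranks it because its failures are (by assumption) likelier and harder to detect, which is exactly the kind of criticality judgement FMEA is meant to make explicit before controls are chosen.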

260

Compensating

Controls that provide an alternative measure of control

261

security steering committee

A security steering committee is responsible for making decisions on tactical and strategic security issues within the enterprise as a whole and should not be tied to one or more business units. The group should be made up of people from all over the organization so they can view risks and the effects of security decisions on individual departments and the organization as a whole. The CEO should head this committee, and the CFO, CIO, department managers, and chief internal auditor should all be on it.