ZT Planning Flashcards

(63 cards)

1
Q

What are the core ZT principles for Zero-Trust Planning

A
  1. Never trust, always verify
  2. Inside-out security
  3. Risk-based security approach (budget is scarce, so use risk to decide where it goes)
2
Q

What differences do you see in ZT planning and implementation between large and small companies?

A

Large organizations may pursue a portfolio of ZT initiatives with different motivations/success criteria
Small organizations may only have a single ZT effort

3
Q

Which five steps should be considered initially when planning ZT

A
  1. Define the protect surface
  2. Map the transaction flows
  3. Build a ZTA
  4. Create a ZT policy
  5. Monitor and maintain the network
4
Q

What does the CISA high-level ZT Maturity Model consist of?

A

The CISA High-Level ZT Maturity Model consists of:
1. Five pillars
2. Three cross-cutting capabilities
3. Four maturity stages

5
Q

What are the three cross-cutting capabilities in the CISA ZT Maturity Model?

A
  1. Visibility and Analytics
  2. Automation and Orchestration
  3. Governance
6
Q

Which stage is the starting point for a ZT transformation?

A

The ‘Traditional’ stage of the CISA ZT Maturity Model is the starting point.

7
Q

What are the four stages in the CISA ZT MM?

A
  1. Traditional - no implementation of ZT
  2. Initial - starting to move to ZTA but still lacks essential features
  3. Advanced - Essential capabilities in place
  4. Optimal - continuous monitoring and optimization
8
Q

What are the five pillars of the CISA ZT MM?

A
  1. Identity
  2. Devices
  3. Network
  4. Applications and workloads
  5. Data
9
Q

What should the primary focus during ZT planning be?

A

Aligning activities and resources to achieve business outcomes within the acceptable risk levels defined by the board of directors and senior leadership

10
Q

What are the initial considerations for planning the implementation of the ZT philosophy, approach, and design principles?

A
  1. The maturity level of the organization’s security approach
  2. The complexity of service architecture and data flows
  3. The risk appetite and regulatory environment of the organization
11
Q

To which assets may ZT migration tactics and design principles be applied, depending on the organization’s risk profile and risk appetite?

A

All assets in the organization, or
A limited set of assets

12
Q

What are examples of key factors to be considered during ZT planning?

A

Stakeholders to engage
Technology strategy
BIA results
Risk Register
Supply chain risk management
Organizational security policies
Architecture options
Compliance requirements
Workforce training

13
Q

Why is stakeholder identification critical?

A

It requires significant, concerted time/energy investment
It can make or break an organization’s ZT effort

14
Q

What are examples of stakeholders to be considered?

A

Business/service owners
Application/data owners
Infrastructure/asset owners
Service architecture owners
CISO/security teams
Legal officers
Compliance officers
Procurement officers

15
Q

What must be done once stakeholders are identified?

A

Planning efforts should map out respective responsibilities (RACI chart)
Communications plan development

16
Q

What is the most critical ZT-specific role?

A

The asset owner:
- Determines valid users/roles/privileges/data usage
- Typically exists in the business (not in IT)

17
Q

What are best practices for stakeholder involvement?

A

Should not lose focus on other internal users/groups
Must consist of stakeholders across organization and levels, including functional areas
Bring stakeholders in early, keep them engaged
Should be well-informed of organization’s collective mission/ongoing priorities

18
Q

What is the role of an asset custodian?

A

Asset custodians implement directives set by asset owners
Asset custodians are usually in IT

19
Q

What should communications plan in ZT contain at a minimum?

A

Define a communication strategy, establish cadence
Incorporate mechanisms for setting proper expectations
Means to communicate/document key decisions

20
Q

What is a technology strategy?

A

A technology strategy describes how technology is being used to achieve business objectives

21
Q

Questions to ask about ZT and technology strategy?

A
  1. How does the ZT strategy fit into the organization’s technology strategy?
  2. How does the ZT strategy need to be updated to incorporate the technology strategy?
  3. How does the ZT strategy impact existing plans/processes/procedures?
  4. How does ZT strategy affect existing budgets/investments?
  5. How does ZT strategy affect existing internal standards/best practices?
22
Q

What does a BIA typically provide?

A

Asset list with
- relative values/owners
- RPO/RTO
- interdependencies/priorities
Assessment of resources required to restore/maintain each asset

23
Q

How does the risk register help ZT planning?

A

It provides:
- Inventory of potential risk events, recorded/tracked by likelihood/impact/description
- Controls for reducing risk within risk appetite thresholds
- The risk owner and the control owner

24
Q

Which organizational policies will typically require an update when ZT is introduced?

A

Organizational policies affecting identity, devices, networks, applications and workloads, and data

25
Q

What are the three categories of policies to consider when planning ZT?

A

Policies that dictate or constrain the ZT initiative
Policies that require updating due to ZT
Policies that need to be created to support ZT

26
Q

Which policy types are generally needed for ZT?

A

General and IT security
ZT
Data governance
Cloud
Key management
Incident response
IAM
Monitoring
DR/BC

27
Q

In which ways is a ZT approach helpful for compliance?

A

Increased control over regulated data
Better overall cybersecurity

28
Q

How should training deal with ZT?

A

Training is foundational to ZT initiatives
ZT should be part of the awareness programs

29
Q

Who will need specific training on ZT?

A

Staff who determine access controls
Staff who configure access controls
Support team
Auditing staff
Upper management, board and CEO, to ensure the necessary awareness levels

30
Q

Stakeholder identification efforts should result in a responsibility matrix known as a

A

RACI chart

31
Q

RACI stands for

A

Responsible, Accountable, Consulted, and Informed

32
Q

What should governing documents approved by senior management and the board of directors contain as a starting point for identifying stakeholder responsibilities?

A

Designation of the executive sponsor and insights into reporting expectations

33
Q

What do RPO and RTO stand for?

A

RPO: Recovery Point Objective
RTO: Recovery Time Objective

34
Q

What are the first steps for an organization starting ZT planning?

A
  1. Prerequisites for understanding the protect surface
  2. Definition of the ZT project’s scope/priorities
  3. Business case development

35
Q

What is the prerequisite to understanding the protect surface?

A

Understanding what the organization wants to protect with ZT: data/assets, data location, the asset where the data is hosted, services/processes/classifications. This requires:
- Data & asset discovery and inventory
- Data & asset classification
- Entity/user discovery and inventory

36
Q

On what basis are data and assets classified?

A

Data sensitivity

37
Q

What is meant by entities?

A

Person and non-person users (machines, APIs, service accounts)

38
Q

What is done with the discovered entities?

A

Discovered entities are mapped to all relevant protect surfaces. Identities are used to define the ZT policies.

39
Q

What will the scope typically include?

A

Success criteria identified for the ZT projects
Business units identified for the ZT journey
The business units’ protect surfaces
The protect surface’s data and assets
Identities accessing the protect surface
Entities mapped to the identities/personas

40
Q

What are the approaches to prioritization?

A

Based on complexity: start simple, move to more complex
Based on risk: select protect surfaces high on the risk register
Based on use case: when a definite use case is identified

41
Q

What are factors to consider in the business case?

A

BIA
Risks the ZT program is designed to address
Cost of the project
Cost of not doing the project
What the organization stands to gain through ZT
Additional benefits from improving the security culture

42
Q

What are use case examples for ZT?

A

Role-based access control for internal staff
Remote access
Services accessed using mobile devices
Third-party service providers
Staff access to assets in hybrid environments
SaaS & PaaS
Application release & DevOps
ICS, OT & IoT

43
Q

What is a gap analysis?

A

A gap analysis is an industry-accepted tool for helping organizations realize their objectives. It generally consists of four steps:
- Determine current state
- Determine target state
- Create a roadmap to close the gap
- Requirements

44
Q

What are crucial steps for determining the ZT current state?

A
  1. Define current protect surfaces and the implications for each ZT pillar
  2. List current controls for each pillar
  3. Determine/declare the current CISA maturity stage for each pillar
  4. Risk appetite determination feeds into scoping activities/decisions

45
Q

What is the goal of determining the ZT target state?

A
  1. Define the protect surface and the impact for each in-scope pillar across the organization
  2. Determine/declare the desired target CISA maturity stage per pillar

46
Q

What does the roadmap for moving from ZT current state to ZT target state contain?

A

The roadmap contains the future controls required to raise the current maturity stage to the desired future stage

47
Q

What is the role of requirements in ZT planning?

A

Requirements for the ZTA implementation are a key output of the gap analysis

48
Q

Which requirements areas should typically be defined for ZTA?

A
  1. Source of truth for unique identities
  2. Full life cycle identity management for employees, contractors and vendors
  3. Definition, provisioning and management of entitlements
  4. Definition, provisioning and management of access controls
  5. Segmentation/micro-segmentation
  6. Incident detection and response
  7. Reporting and analytics
  8. Special considerations
  9. Concept of least privilege
  10. Segregation of duties

49
Q

Which considerations are relevant for the identity pillar of the target architecture?

A

- Proper identity validation of the entity requesting access to a resource
- Frequency/technology of validation determined by the sensitivity of the information being accessed
- MFA for validating the identity of the entity
- Real-time machine learning to highlight unusual user/device behavior
- Identity stores with entities and associated information, queried during the authentication process
- Process for ensuring user identities are mapped to real users
- Accuracy of claims controlled during the user lifecycle
- Integration of PKI with the identity system

50
Q

Which considerations are relevant for the devices and endpoints pillar?

A

- Devices/endpoints require authentication validation before accessing ZTA-protected resources
- Security posture validated against security policies before access is allowed
- Validation steps performed continuously
- Device behavior analyzed for any unusual activity
- A complete and accurate inventory of all devices/endpoints is a highly sought-after goal and helps achieve device and endpoint data quality goals; failures are primarily due to the vast number and relatively short life cycle of deployed devices
- Gateway/VDI solutions should be explored (for unmanaged devices and contractors)

51
Q

Which considerations are relevant for the network & environment pillar?

A

- Micro-segmentation coupled with encryption to improve the network security posture
- Data plane used for application/service communication
- Control plane used for network communication control
- The decision to allow application access is made over the control plane
- Application interaction/data exchange with the requesting device occurs via the data plane
- Micro-segmentation technologies and traffic segmentation based on data flow

52
Q

Which considerations are relevant for the workload & application pillar?

A

- Access authorization continuously evaluated with real-time risk analysis
- Security testing implemented in all stages of CI/CD
- Integration into the monitoring system for sending internal insights

53
Q

Which considerations are relevant for the data pillar?

A

- Data classification policy should codify the required data security controls/processes per defined data class
- Can include secure encryption and network segmentation for highly sensitive data
- Should include how entities gain access to data and the required steps for end-of-life data disposal

54
Q

Which considerations are relevant for the visibility & analytics capability?

A

- UEBA for continually evaluating user behavior against a baseline of previous activity
- Running regular device posture assessments to ensure accessing devices are properly configured/secured
- Monitoring application health/security by leveraging systems/sensors external to the application

55
Q

Which considerations are relevant for the automation & orchestration capability?

A

- Takes advantage of automation by using infrastructure-as-code and CI/CD
- Orchestrating/automating the identity lifecycle
- Dynamic user identity and group membership/JIT application access

56
Q

Which considerations are relevant for the governance capability?

A

- Helps define ZTA policies
- Manages/reduces complexity with a focus on protect surfaces
- Governance policies should be enforced by the PEP

57
Q

Which categories do ZTAs generally fall into?

A
  1. ZTA using enhanced identity governance
  2. ZTA using micro-segmentation
  3. ZTA using network infrastructure and software-defined perimeters (SDP)

58
Q

Which architecture variations are listed by NIST SP 800-207?

A

Device agent/gateway-based deployment
Enclave-based deployment
Resource portal-based deployment
Device application sandboxing

59
Q

How is a transaction defined in the context of ZT?

A

Any action within a system that needs verification

60
Q

Which questions are relevant for each step in the transaction?

A

Who, what, where, when, how, and why
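
The six questions on this card are exactly what a ZT policy rule encodes. The following is an added example (not from the flashcards, CSA or CISA material) of a minimal policy decision point in Python: each transaction carries who/what/where/when/how/why plus signals from the devices pillar (posture), the identity pillar (MFA) and visibility & analytics (a risk score); rules are per-protect-surface allow-lists; anything unmatched is denied; and `reevaluate` re-runs the decision mid-session with fresh signals, which is the continuous evaluation the pillar cards call for. All identities, zones, rules and transactions are constructed.

```python
"""Added example (not from the flashcards, CSA or CISA material): a minimal zero-trust
policy decision point. A transaction is described by the Kipling attributes
(who, what, where, when, how, why) plus signals from the device and visibility pillars.
Rules are allow-lists per protect surface; anything unmatched is denied.
All names, rules and transactions below are constructed."""
from dataclasses import dataclass, replace
from datetime import datetime, timezone


@dataclass(frozen=True)
class Transaction:
    who: str                # authenticated identity (person or non-person entity)
    what: str               # protect surface being accessed
    where: str              # network zone of the requesting device
    when: datetime          # request time (UTC)
    how: str                # application/protocol used to reach the resource
    why: str                # declared business purpose of the access
    device_compliant: bool  # device posture result (devices pillar)
    mfa: bool               # MFA satisfied for this session (identity pillar)
    risk_score: int         # 0..100, e.g. from UEBA (visibility & analytics)


@dataclass(frozen=True)
class Rule:
    name: str
    what: str               # the protect surface this rule guards
    who: frozenset
    where: frozenset
    how: frozenset
    why: frozenset
    hours: tuple            # allowed UTC hour window [start, end)
    require_mfa: bool = True
    max_risk: int = 50

    def applies_to(self, tx: Transaction) -> bool:
        """A rule applies only when every Kipling attribute matches."""
        start, end = self.hours
        return (self.what == tx.what and tx.who in self.who
                and tx.where in self.where and tx.how in self.how
                and tx.why in self.why and start <= tx.when.hour < end)


def evaluate(rules, tx: Transaction):
    """Return (decision, reason). Default deny: the first applicable rule decides,
    and even an applicable rule denies if its MFA or risk conditions fail."""
    if not tx.device_compliant:
        return "deny", "device posture check failed"
    for rule in rules:
        if not rule.applies_to(tx):
            continue
        if rule.require_mfa and not tx.mfa:
            return "deny", f"{rule.name}: MFA required"
        if tx.risk_score > rule.max_risk:
            return "deny", f"{rule.name}: risk score {tx.risk_score} exceeds {rule.max_risk}"
        return "allow", rule.name
    return "deny", "no matching rule (default deny)"


def reevaluate(rules, tx: Transaction, now: datetime, risk_score: int):
    """Continuous evaluation: re-run the decision mid-session with fresh signals, so a
    session granted earlier is revoked when the time window closes or the risk rises."""
    return evaluate(rules, replace(tx, when=now, risk_score=risk_score))


def at_utc_hour(hour: int) -> datetime:
    """Helper for building request times (constructed date)."""
    return datetime(2024, 3, 4, hour, 0, tzinfo=timezone.utc)


# Constructed policy for one protect surface: only the HR payroll user and the
# payroll service account, from the corporate LAN or VPN, over HTTPS, during
# business hours, for a declared payroll run.
RULES = [
    Rule(name="payroll-run-hr", what="payroll-db",
         who=frozenset({"alice@corp.example", "svc-payroll"}),
         where=frozenset({"corp-lan", "vpn"}),
         how=frozenset({"https"}),
         why=frozenset({"payroll-run"}),
         hours=(6, 20), max_risk=40),
]


def example_transaction(**overrides) -> Transaction:
    """A baseline compliant request; override any field to build a test case."""
    base = Transaction(who="alice@corp.example", what="payroll-db", where="vpn",
                       when=at_utc_hour(10), how="https", why="payroll-run",
                       device_compliant=True, mfa=True, risk_score=10)
    return replace(base, **overrides)


if __name__ == "__main__":
    cases = [("baseline", example_transaction()),
             ("no MFA", example_transaction(mfa=False)),
             ("wrong identity", example_transaction(who="bob@corp.example")),
             ("after hours", example_transaction(when=at_utc_hour(2)))]
    for label, tx in cases:
        print(f"{label:15} -> {evaluate(RULES, tx)}")
    print("mid-session risk 80 ->", reevaluate(RULES, example_transaction(), at_utc_hour(11), 80))
```

Note the ordering of checks: device posture is tested before any rule is consulted, attribute mismatches make the rule simply not apply (default deny, with no hint about which attribute failed), and only an applicable rule reports MFA or risk as the reason. That keeps the denial reason useful to the asset owner without leaking policy structure to an unmatched requester.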
61
Q

What needs to be considered when collecting data?

A

Begin with an initial understanding of the data: what it is, where it is, and where it goes
Start with existing knowledge about the organization’s business processes and underlying architecture
Leverage numerous sources (packet captures, logs, traffic analysis)

62
Q

When should a transaction inventory be created?

A

New deployments
- Transaction inventories are defined/developed during the architecture/design phase
- Organizations should create the inventory as part of planning exercises
Existing deployments
- Collect/inventory known transactions to maintain
- Highlight transactions that will change or become deprecated
- Create entries for new transactions expected to be part of the solution
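
Cards 61 and 62 describe mapping transaction flows from sources such as logs and building a transaction inventory for an existing deployment. The following is an added example (not from the flashcards) of that mapping in Python: it parses constructed flow-log records, keeps only flows that reach a protect surface, resolves source and destination through a constructed asset inventory, counts the observed (who, how) transactions per protect surface, and separately reports flows from sources that are missing from the inventory, since no policy rule can name an entity that was never discovered. The log format, IP addresses, asset names, protect surfaces and service table are all constructed.

```python
"""Added example (not from the flashcards): mapping transaction flows for a protect
surface from flow-log style records, as an input to the transaction inventory.
The log lines, the IP-to-asset map, the protect surfaces and the service table are
all constructed for this example."""
import re
from collections import Counter, defaultdict

# Constructed flow-log format: one record per line, key=value fields.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)$"
)

# Constructed asset inventory (data & asset discovery): IP -> asset/entity name.
ASSETS = {
    "10.1.2.3": "alice-laptop",
    "10.1.2.4": "bob-laptop",
    "10.5.0.10": "payroll-app",
    "10.9.0.5": "payroll-db",
    "10.9.0.6": "hr-fileshare",
}
# Constructed protect surfaces: the assets this ZT project is scoped to protect.
PROTECT_SURFACES = {"payroll-db", "hr-fileshare"}
# (proto, dport) -> service name, used to fill in the "how" of each transaction.
SERVICES = {("tcp", 443): "https", ("tcp", 5432): "postgres",
            ("tcp", 445): "smb", ("tcp", 22): "ssh"}

# Constructed sample flow log: includes one malformed line and one flow from an
# address that is absent from the asset inventory.
FLOW_LOG = """\
2024-03-04T10:01:02Z src=10.1.2.3 dst=10.5.0.10 dport=443 proto=tcp bytes=5120
2024-03-04T10:01:03Z src=10.5.0.10 dst=10.9.0.5 dport=5432 proto=tcp bytes=20480
2024-03-04T10:02:10Z src=10.1.2.3 dst=10.5.0.10 dport=443 proto=tcp bytes=4096
2024-03-04T10:02:11Z src=10.5.0.10 dst=10.9.0.5 dport=5432 proto=tcp bytes=18000
2024-03-04T10:05:00Z src=10.1.2.4 dst=10.9.0.6 dport=445 proto=tcp bytes=900000
2024-03-04T10:07:00Z src=192.168.77.9 dst=10.9.0.5 dport=22 proto=tcp bytes=300
this line is not a flow record
""".splitlines()


def parse_flow(line):
    """Parse one flow record; return None for lines that do not match the format."""
    m = FLOW_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    return {"ts": d["ts"], "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]), "proto": d["proto"], "bytes": int(d["bytes"])}


def build_transaction_inventory(lines, assets=ASSETS,
                                protect_surfaces=PROTECT_SURFACES, services=SERVICES):
    """Return (inventory, unmapped).

    inventory: protect surface -> {(source entity, service): flow count}
    unmapped:  flows that reach a protect surface from a source that is not in the
               asset inventory; these must be discovered and owned (or blocked)
               before a policy can be written, since no rule can name them.
    """
    inventory = defaultdict(Counter)
    unmapped = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        dst = assets.get(flow["dst"])
        if dst not in protect_surfaces:
            continue  # traffic that does not touch a protect surface is out of scope here
        how = services.get((flow["proto"], flow["dport"]), f"{flow['proto']}/{flow['dport']}")
        src = assets.get(flow["src"])
        if src is None:
            unmapped.append((flow["src"], dst, how))
            continue
        inventory[dst][(src, how)] += 1
    return {surface: dict(counts) for surface, counts in inventory.items()}, unmapped


def draft_allow_rules(inventory):
    """Turn the observed transactions into draft allow-list rules (who -> what via how)
    for the asset owner to confirm or reject. Sorted so the output is stable for review."""
    return sorted(f"allow {src} -> {surface} via {how}"
                  for surface, counts in inventory.items()
                  for (src, how) in counts)


if __name__ == "__main__":
    inv, unknown = build_transaction_inventory(FLOW_LOG)
    for rule in draft_allow_rules(inv):
        print(rule)
    for src, dst, how in unknown:
        print(f"UNMAPPED source {src} reached {dst} via {how}: inventory gap, investigate")
```

The draft rules are an input for the asset owner (card 16), not a finished policy: the owner confirms which observed transactions are legitimate, and the unmapped SSH flow to payroll-db is exactly the kind of finding the discovery step exists to surface before any rule is written.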