All-Domains-Tree-View.txt
3526 lines (3525 loc) · 153 KB
Domain 1. Security Management Practices
Fundamental Principles of Security
AIC triad
Availability
• Redundant array of independent disks (RAID)
• Clustering
• Load balancing
• Redundant data and power lines
• Software and data backups
• Disk shadowing
• Co-location and offsite facilities
• Rollback functions
• Failover configurations
Integrity
• Hashing (data integrity)
• Configuration management (system integrity)
• Change control (process integrity)
• Access control (physical and technical)
• Software digital signing
• Transmission cyclic redundancy check (CRC) functions
Confidentiality
• Encryption for data at rest (whole disk, database encryption)
• Encryption for data in transit (IPSec, TLS, PPTP, SSH, described in Chapter 4)
• Access control (physical and technical)
Security Definitions
vulnerability
is a weakness in a system that allows a threat source to compromise its security
threat
is any potential danger that is associated with the exploitation of a vulnerability
risk
is the likelihood of a threat source exploiting a vulnerability and the corresponding business impact
exposure
is an instance of being exposed to losses
“control,” “countermeasure,” and “safeguard”
threat agent
asset
Control Types
1
• Preventive
Locks
Badge system
Security guard
Biometric system
Mantrap doors
Security Police
Separation of duties
Information classification
Personnel procedures
Testing
Security awareness
ACLs
Encryption
Antivirus software
Smart cards
Dial-up call-back systems
• Detective
Motion detectors
Closed-circuit TVs
Monitoring and supervising
Job rotation
Investigations
Audit logs
IDS
• Corrective
Server Images
• Deterrent
Fences
Lighting
• Recovery
Offsite facility
• Compensating
2
• Administrative
• Policies and procedures
• Effective hiring practices
• Pre-employment background checks
• Controlled termination processes
• Data classification and labeling
• Security awareness
• Physical
• Badges, swipe cards
• Guards, dogs
• Fences, locks, mantraps
• Technical
• Passwords, biometrics, smart cards
• Encryption, secure protocols, call-back systems, database views, constrained user interfaces
• Antimalware software, access control lists, firewalls, intrusion prevention system
Security Frameworks
Security Program Development
• ISO/IEC 27000 series
International standards on how to develop and maintain an ISMS developed by ISO and IEC
list
• ISO/IEC 27000 Overview and vocabulary
• ISO/IEC 27001 ISMS requirements
• ISO/IEC 27002 Code of practice for information security controls
• ISO/IEC 27003 ISMS implementation
• ISO/IEC 27004 ISMS measurement
• ISO/IEC 27005 Risk management
• ISO/IEC 27006 Certification body requirements
• ISO/IEC 27007 ISMS auditing
• ISO/IEC 27008 Guidance for auditors
• ISO/IEC 27011 Telecommunications organizations
• ISO/IEC 27014 Information security governance
• ISO/IEC 27015 Financial sector
• ISO/IEC 27031 Business continuity
• ISO/IEC 27032 Cybersecurity
• ISO/IEC 27033 Network security
• ISO/IEC 27034 Application security
• ISO/IEC 27035 Incident management
• ISO/IEC 27037 Digital evidence collection and preservation
• ISO/IEC 27799 Health organizations
Enterprise Architecture Development
• Zachman Framework
Model for the development of enterprise architectures developed by John Zachman
two-dimensional model
six basic communication interrogatives (What, How, Where, Who, When, and Why)
perspectives (Executives, Business Managers, System Architects, Engineers, Technicians, and Enterprise-wide)
• TOGAF
Model and methodology for the development of enterprise architectures developed by The Open Group
Architecture Development Method (ADM)
Military-Oriented Architecture Frameworks
• MODAF
Architecture framework used mainly in military support missions developed by the British Ministry of Defence
• DoDAF
U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals
Enterprise Security Architecture
• SABSA model
Model and methodology for the development of information security enterprise architectures
provides a life-cycle model so that the architecture can be constantly monitored and improved upon over time.
Strategic Alignment
Business Enablement
Process Enhancement
Security Effectiveness
Security Controls Development
• COBIT 5
by ISACA and ITGI (IT Governance Institute)
derived from the COSO
Control Objectives for Information and related Technology (COBIT)
five key principles
1. Meeting stakeholder needs
2. Covering the enterprise end to end
3. Applying a single integrated framework
4. Enabling a holistic approach
5. Separating governance from management
• NIST SP 800-53
by National Institute of Standards and Technology
• COSO Internal Control—Integrated Framework
by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission
deal with fraudulent financial activities and reporting.
COSO IC deals more at the strategic level, while COBIT focuses more at the operational level
17 internal control principles
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information and Communication
13. Uses relevant, quality information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
Process Management Development
• ITIL
Information Technology Infrastructure Library
developed in the 1980s by the UK’s Central Computer and Telecommunications Agency
ITIL was created because of the increased dependence on information technology to meet business needs.
• Six Sigma
is a process improvement methodology
Its goal is to improve process quality by using statistical methods of measuring operation efficiency and reducing variation, defects, and waste
developed by Motorola with the goal of identifying and removing defects in its manufacturing processes.
• Capability Maturity Model Integration (CMMI)
by Carnegie Mellon University
Levels
Level 0
Nonexistent management
No process
No assessment
Level 1
Unpredictable Process
Ad hoc and disorganized
Reactive activities
Level 2
Repeatable process
Immature and developing
Security assigned to IT
Level 3
Defined Process
Documented and communicated
Defined procedures
Level 4
Managed process
Monitored and measured
Security and business objectives mapped
Level 5
Optimized process
Automated practices
Structured and enterprise-wide
Top-Down Approach
Management’s support is one of the most important pieces of a security program
Life cycle
1. Plan and organize
• Establish management commitment.
• Establish oversight steering committee.
• Assess business drivers.
• Develop a threat profile on the organization.
• Carry out a risk assessment.
• Develop security architectures at business, data, application, and infrastructure levels.
• Identify solutions per architecture level.
• Obtain management approval to move forward.
2. Implement
• Assign roles and responsibilities.
• Develop and implement security policies, procedures, standards, baselines, and guidelines.
• Identify sensitive data at rest and in transit.
• Implement the following blueprints:
• Asset identification and management
• Risk management
• Vulnerability management
• Compliance
• Identity management and access control
• Change control
• Software development life cycle
• Business continuity planning
• Awareness and training
• Physical security
• Incident response
• Implement solutions (administrative, technical, physical) per blueprint.
• Develop auditing and monitoring solutions per blueprint.
• Establish goals, SLAs, and metrics per blueprint.
3. Operate and maintain
• Follow procedures to ensure all baselines are met in each implemented blueprint.
• Carry out internal and external audits.
• Carry out tasks outlined per blueprint.
• Manage SLAs per blueprint.
4. Monitor and evaluate
• Review logs, audit results, collected metric values, and SLAs per blueprint.
• Assess goal accomplishments per blueprint.
• Carry out quarterly meetings with steering committees.
• Develop improvement steps and integrate into the Plan and Organize phase.
The Crux of Computer Crime Laws
• 18 USC 1029
Fraud and Related Activity in Connection with Access Devices
• 18 USC 1030
Fraud and Related Activity in Connection with Computers
• 18 USC 2510 et seq.
Wire and Electronic Communications Interception and Interception of Oral Communications
• 18 USC 2701 et seq.
Stored Wire and Electronic Communications and Transactional Records Access
• Digital Millennium Copyright Act
• Cyber Security Enhancement Act of 2002
Complexities in Cybercrime
Electronic Assets
The Evolution of Attacks
advanced persistent threat (APT)
Common Internet Crime Schemes
• Auction fraud
• Counterfeit cashier’s check
• Debt elimination
• Parcel courier e-mail scheme
• Employment/business opportunities
• Escrow services fraud
• Investment fraud
• Lotteries
• Nigerian letter, or “419”
• Ponzi/pyramid
• Reshipping
• Third-party receiver of funds
International Issues
Organisation for Economic Co-operation and Development (OECD) Guidelines
core principles
• Collection Limitation
• Data Quality Principle
• Purpose Specification Principle
• Use Limitation Principle
• Security Safeguards Principle
• Openness Principle
• Individual Participation Principle
• Accountability Principle
General Data Protection Regulation (GDPR) 2016
three relevant entities
• Data subject
The individual to whom the data pertains
• Data controller
Any organization that collects data on EU residents
• Data processor
Any organization that processes data for a data controller
privacy data
• Name
• Address
• ID numbers
• Web data (location, IP address, cookies)
• Health and genetic data
• Biometric data
• Racial or ethnic data
• Political opinions
• Sexual orientation
Role
Data Protection Officer (DPO)
not ultimately responsible
Key provisions of the GDPR
• Consent
Data controllers and data processors cannot use personal data without explicit consent of the data subjects.
• Right to be informed
Data controllers and data processors must inform data subjects about how their data is, will, or could be used.
• Right to restrict processing
Data subjects can agree to have their data stored by a collector but disallow it to be processed.
• Right to be forgotten
Data subjects can request that their personal data be permanently deleted.
• Data breaches
Data controllers must report a data breach within 72 hours of becoming aware of it.
Import/Export Legal Requirements
• Category 1 Special Materials and Related Equipment
• Category 2 Materials Processing
• Category 3 Electronics
• Category 4 Computers
• Category 5 Part 1: Telecommunications
• Category 5 Part 2: Information Security
• Category 6 Sensors and Lasers
• Category 7 Navigation and Avionics
• Category 8 Marine
• Category 9 Aerospace and Propulsion
Types of Legal Systems
Civil (Code) Law System
Civil law generally is derived from common law (case law)
Common Law System
Criminal
• Based on common law, statutory law, or a combination of both
• Addresses behavior that is considered harmful to society.
Civil/Tort
• Offshoot of criminal law.
• usually physical or financial.
Administrative (regulatory):
Customary Law System
Religious Law System
Mixed Law System
Intellectual Property Laws
Trade Secret
is something that is proprietary to a company and important for its survival and profitability.
Copyright
Trademark
is used to protect a word, name, symbol, sound, shape, color, or combination of these
World Intellectual Property Organization (WIPO)
Patent
is the strongest form of intellectual property protection.
Internal Protection of Intellectual Property
Software Piracy
End User License Agreement (EULA)
The Federation Against Software Theft (FAST)
Business Software Alliance
Digital Millennium Copyright Act (DMCA)
a U.S. copyright law that criminalizes the production and dissemination of technology, devices, or services
Copyright Directive
The European Union passed a similar law
Privacy
Personally identifiable information (PII)
Typical components
• Full name (if not common)
• National identification number
• IP address (in some cases)
• Vehicle registration plate number
• Driver’s license number
• Face, fingerprints, or handwriting
• Credit card numbers
• Digital identity
• Birthday
• Birthplace
• Genetic information
can also fall under PII
• First or last name, if common
• Country, state, or city of residence
• Age, especially if nonspecific
• Gender or race
• Name of the school they attend or workplace
• Grades, salary, or job position
• Criminal record
Law
Federal Privacy Act of 1974
Gramm-Leach-Bliley Act of 1999 (GLBA)
also known as the Financial Services Modernization Act of 1999
Financial Privacy Rule
Safeguards Rule
Pretexting Protection
include any organization that provides financial products or services to individuals
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA mandates steep federal penalties for noncompliance
HITECH
Health Information Technology for Economic and Clinical Health (HITECH) Act
addresses the privacy and security concerns associated with the electronic transmission of health information
USA PATRIOT Act
expanded law enforcement powers
Canada’s Personal Information Protection
Personal Information Protection and Electronic Documents Act (PIPEDA)
Electronic Documents Act
New Zealand’s Privacy Act of 1993
Payment Card Industry Data Security Standard (PCI DSS)
Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) are not considered secure.
control objectives
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for employees and contractors.
Federal Information Security Management Act (FISMA) of 2002
• Inventory of information systems
• Categorize information and information systems according to risk level
• Security controls
• Risk assessment
• System security plan
• Certification and accreditation
• Continuous monitoring
Ways to Deal with Privacy
• Laws on government: FPA, VA ISA, USA PATRIOT
• Laws on corporations: HIPAA, HITECH, GLBA, PIPEDA
• Self-regulation: PCI DSS
• Individual user: Passwords, encryption, awareness
Data Breaches
U.S. Laws Pertaining to Data Breaches
Health Insurance Portability and Accountability Act
Health Information Technology for Economic and Clinical Health Act
Gramm-Leach-Bliley Act of 1999
Economic Espionage Act of 1996
State Laws
Other Nations’ Laws Pertaining to Data Breaches
Policies, Standards, Baselines, Guidelines, and Procedures
Level
• Strategic
• Security policy
• Tactical
• Mandatory standards
• Recommended guidelines
• Detailed procedures
Security Policy
is an overall general statement produced by senior management
The policy provides the foundation
Types of Policies
• Regulatory
• Advisory
• Informative
outlined
issue-specific policies
system-specific policy
a common hierarchy of security policies
• Organizational policy
• Acceptable use policy
• Risk management policy
• Vulnerability management policy
• Data protection policy
• Access control policy
• Business continuity policy
• Log aggregation and auditing policy
• Personnel security policy
• Physical security policy
• Secure application development policy
• Change control policy
• E-mail policy
• Incident response policy
Standards
Standards refer to mandatory activities, actions, or rules.
e.g. ISO/IEC 27000 series
Baselines
refers to a point in time that is used as a comparison for future changes
e.g. Evaluation Assurance Level (EAL) 4 baseline
Guidelines
are recommended actions and operational guides to users, IT staff, operations staff, and others
Procedures
are detailed step-by-step tasks that should be performed to achieve a certain goal
Implementation
Implementing these documents and supporting them shows due care
Risk Management
Concept
RM is the process of identifying and assessing risk, reducing it to an acceptable level, and ensuring it remains at that level
the major categories
• Physical damage: Fire, water, vandalism, power loss, and natural disasters
• Human interaction: Accidental or intentional action or inaction that can disrupt productivity
• Equipment malfunction: Failure of systems and peripheral devices
• Inside and outside attacks: Hacking, cracking, and attacking
• Misuse of data: Sharing trade secrets, fraud, espionage, and theft
• Loss of data: Intentional or unintentional loss of information to unauthorized receivers
• Application error: Computation errors, input errors, and buffer overflows
Holistic Risk Management
NIST SP 800-39 defines
• Organizational tier
• Business process tier
• Information systems tier
Information Systems Risk Management Policy
ISRM policy should address
• The objectives of the ISRM team
• The level of risk the organization will accept and what is considered an acceptable level of risk
• Formal processes of risk identification
• The connection between the ISRM policy and the organization’s strategic planning processes
• Responsibilities that fall under ISRM and the roles to fulfill them
• The mapping of risk to internal controls
• The approach toward changing staff behaviors and resource allocation in response to risk analysis
• The mapping of risks to performance targets and budgets
• Key indicators to monitor the effectiveness of controls
The Risk Management Team
• An established risk acceptance level provided by senior management
• Documented risk assessment processes and procedures
• Procedures for identifying and mitigating risks
• Appropriate resource and fund allocation from senior management
• Security awareness training for all staff members associated with information assets
• The ability to establish improvement (or risk mitigation) teams in specific areas when necessary
• The mapping of legal and regulation compliancy requirements to control and implement requirements
• The development of metrics and performance indicators so as to measure and manage various types of risks
• The ability to identify and assess new risks as the environment and company change
• The integration of ISRM and the organization’s change control process to ensure that changes do not introduce new vulnerabilities
The Risk Management Process
• Frame risk
• Assess risk
• Respond to risk
• Monitor risk
Threat Modeling
Threat Modeling Concepts
Vulnerabilities
Information
• Data at rest
• Data in motion
• Data in use
Processes
People
• Social engineering
• Social networks
• Passwords
Threats
potential cause of an unwanted incident, which may result in harm to a system or organization
Threat Modeling Methodologies
Attack Trees
“attack chain”
“kill chain”
Reduction Analysis
controls or countermeasures
Risk Assessment and Analysis
four main goals
• Identify assets and their value to the organization.
• Determine the likelihood that a threat exploits a vulnerability.
• Determine the business impact of these potential threats.
• Provide an economic balance between the impact of the threat and the cost of the countermeasure.
Risk Assessment Team
The Value of Information and Assets
Costs That Make Up the Value
assigning values to assets
• Cost to acquire or develop the asset
• Cost to maintain and protect the asset
• Value of the asset to owners and users
• Value of the asset to adversaries
• Price others are willing to pay for the asset
• Cost to replace the asset if lost
• Operational and production activities affected if the asset is unavailable
• Liability issues if the asset is compromised
• Usefulness and role of the asset in the organization
reasons
• To perform effective cost/benefit analyses
• To select specific countermeasures and safeguards
• To determine the level of insurance coverage to purchase
• To understand what exactly is at risk
• To comply with legal and regulatory requirements
Identifying Vulnerabilities and Threats
Methodologies for Risk Assessment
NIST SP 800-30, Revision 1.
1. Prepare for the assessment.
2. Conduct the assessment:
a. Identify threat sources and events.
b. Identify vulnerabilities and predisposing conditions.
c. Determine likelihood of occurrence.
d. Determine magnitude of impact.
e. Determine risk.
3. Communicate results.
4. Maintain assessment.
Facilitated Risk Analysis Process (FRAP)
qualitative methodology
FRAP is intended to be used to analyze one system, application, or business process at a time
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
OCTAVE would be used to assess all systems, applications, and business processes within the organization.
AS/NZS ISO 31000
takes a much broader approach to risk management
Australian and New Zealand methodology
ISO/IEC 27000 Series
ISO/IEC 27005
Failure Modes and Effect Analysis (FMEA)
FMEA is commonly used in product development and operational environments.
The goal is to identify where something is most likely going to break and either fix the flaws
steps
1. Start with a block diagram of a system or control.
2. Consider what happens if each block of the diagram fails.
3. Draw up a table in which failures are paired with their effects and an evaluation of the effects.
4. Correct the design of the system, and adjust the table until the system is not known to have unacceptable problems.
5. Have several engineers review the Failure Modes and Effect Analysis.
fault tree analysis
• False alarms
• Insufficient error handling
• Sequencing or order
• Incorrect timing outputs
• Valid but not expected outputs
CRAMM (Central Computing and Telecommunications Agency Risk Analysis and Management Method)
was created by the United Kingdom
three distinct stages
define objectives,
assess risks
identify countermeasures
Choose methodology
deploy an organization-wide risk management
ISO/IEC 27005 or OCTAVE
focus just on IT security risks during your assessment
NIST SP 800-30
have a limited budget and need to carry out a focused assessment on an individual system or process
Facilitated Risk Analysis Process
dig into the details of how a security flaw within a specific system could cause negative ramifications
Failure Modes and Effect Analysis or fault tree analysis
to understand your company’s business risks
AS/NZS ISO 31000
Risk Analysis Approaches
Automated Risk Analysis Methods
Steps of a Quantitative Risk Analysis
Asset Value × Exposure Factor (EF) = SLE
SLE × Annualized Rate of Occurrence (ARO) = ALE
Results of a Quantitative Risk Analysis
• Monetary values assigned to assets
• Comprehensive list of all significant threats
• Probability of the occurrence rate of each threat
• Loss potential the company can endure per threat in a 12-month time span
• Recommended controls
Qualitative Risk Analysis
qualitative methods walk through different scenarios of risk possibilities and rank the seriousness of the threats and the validity of the different possible countermeasures based on opinions
The Delphi Technique
a group decision method
Protection Mechanisms
Control Selection
a cost/benefit analysis.
(ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company
Security Control Assessment
Total Risk vs. Residual Risk
threats × vulnerability × asset value = total risk
total risk (threats × vulnerability × asset value) × controls gap = residual risk
total risk – countermeasures = residual risk
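Worked example (added here, not part of these notes): the quantitative risk formulas above (SLE, ALE, value of a safeguard, total and residual risk) carried through in Python so that several candidate safeguards can be compared by net value. Asset value, exposure factors, ARO values, the controls gap and the safeguard names are constructed figures for illustration only.

```python
"""Quantitative risk analysis arithmetic: SLE, ALE, safeguard value, residual risk.

Added example; not from the study notes. All figures below are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (EF = fraction of value lost per event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annualized rate of occurrence (ARO = expected events per year)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(sle * aro, 2)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """(ALE before safeguard) - (ALE after safeguard) - (annual cost of safeguard)."""
    return round(ale_before - ale_after - annual_cost, 2)


def total_risk(threat_likelihood: float, vulnerability: float, asset_value: float) -> float:
    """threats x vulnerability x asset value = total risk (both factors as fractions)."""
    return round(threat_likelihood * vulnerability * asset_value, 2)


def residual_risk(total: float, controls_gap: float) -> float:
    """total risk x controls gap = residual risk (gap = fraction the controls do not cover)."""
    if not 0.0 <= controls_gap <= 1.0:
        raise ValueError("controls gap must be a fraction between 0 and 1")
    return round(total * controls_gap, 2)


@dataclass
class Safeguard:
    """A candidate countermeasure and the EF/ARO expected after it is in place."""
    name: str
    annual_cost: float
    ef_after: float
    aro_after: float


def evaluate_safeguards(asset_value: float, ef: float, aro: float,
                        candidates: List[Safeguard]) -> Tuple[float, List[Tuple[str, float]]]:
    """Return the current ALE and the candidates ranked by net value (highest first).

    A negative value means the safeguard costs more per year than the loss it prevents.
    """
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ranked = []
    for sg in candidates:
        ale_after = annualized_loss_expectancy(
            single_loss_expectancy(asset_value, sg.ef_after), sg.aro_after)
        ranked.append((sg.name, safeguard_value(ale_before, ale_after, sg.annual_cost)))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ale_before, ranked


def worked_example() -> Tuple[float, List[Tuple[str, float]]]:
    """Constructed scenario: a 150,000 asset, 25% EF, one loss event every two years."""
    candidates = [
        # name, annual cost, EF after, ARO after (all constructed)
        Safeguard("offsite backups", 4_000, 0.125, 0.5),    # halves the damage per event
        Safeguard("redundant power feeds", 3_000, 0.25, 0.25),  # halves how often it happens
        Safeguard("full hot site", 20_000, 0.0, 0.5),       # eliminates loss, but costly
    ]
    return evaluate_safeguards(150_000, 0.25, 0.5, candidates)


if __name__ == "__main__":
    ale, ranking = worked_example()
    print(f"ALE before any safeguard: {ale:,.2f}")
    for name, value in ranking:
        print(f"  {name:<22} value to company per year: {value:>10,.2f}")
    print("residual risk with a 50% controls gap:",
          residual_risk(total_risk(0.5, 0.25, 150_000), 0.5))
```

The ranking shows the point of the cost/benefit formula: the hot site removes the loss entirely yet has a negative value because its annual cost exceeds the ALE it avoids, so the cheaper control that only halves the ARO ranks first.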
Handling Risk
Supply Chain Risk Management
NIST SP 800-161
“Supply Chain Risk Management Practices for Federal Information Systems and Organizations.”
Upstream and Downstream Suppliers
Hardware
Software
Services
reduce its risk when it comes to outsourcing
• Review the service provider’s security program
• Conduct onsite inspection and interviews
• Review contracts to ensure security and protection levels are agreed upon
• Ensure service level agreements are in place
• Review internal and external audit reports and third-party reviews
• Review references and communicate with former and existing customers
• Review Better Business Bureau reports
• Ensure the service provider has a business continuity plan (BCP) in place
• Implement a nondisclosure agreement (NDA)
• Understand the provider’s legal and regulatory requirements
Service Level Agreements
(SLA) is a contractual agreement that states that a service provider guarantees a certain level of service.
Risk Management Frameworks
Commonly Accepted Risk Management Frameworks
• NIST RMF (SP 800-37r1)
It takes a systems life-cycle approach to risk management and focuses on certification and accreditation of information systems
six-step process of applying the RMF
1. Categorize information system.
2. Select security controls.
3. Implement security controls.
4. Assess security controls.
5. Authorize information system.
6. Monitor security controls.
• ISO 31000:2018
this framework is not focused on information systems, but can be applied more broadly to an organization.
• ISACA Risk IT
it is very well integrated with COBIT
Business Continuity and Disaster Recovery
Concepts
disaster recovery plan (DRP)
business continuity plan (BCP)
• Provide an immediate and appropriate response to emergency situations
• Protect lives and ensure safety
• Reduce business impact
• Resume critical business functions
• Work with outside vendors and partners during the recovery period
• Reduce confusion during a crisis
• Ensure survivability of the business
business continuity management (BCM)
is the holistic management process that should cover both of them.
Standards and Best Practices
NIST SP 800-34, Revision 1, “Contingency Planning Guide for Federal Information Systems”
1. Develop the continuity planning policy statement.
2. Conduct the business impact analysis (BIA)
3. Identify preventive controls.
4. Create contingency strategies.
5. Develop an information system contingency plan.
6. Ensure plan testing, training, and exercises.
7. Ensure plan maintenance.
standards-based
ISO/IEC 27031:2011
ISO 22301:2012
This standard replaced BS 25999-2.
Business Continuity Institute’s Good Practice Guidelines (GPG)
Management Practices:
Technical Practices:
DRI International Institute’s Professional Practices for Business Continuity Planners
• Program Initiation and Management
• Risk Evaluation and Control
• Business Impact Analysis
• Business Continuity Strategies
• Emergency Response and Operations
• Plan Implementation and Documentation
• Awareness and Training Programs
• Business Continuity Plan Exercise, Audit, and Maintenance
• Crisis Communications
• Coordination with External Agencies
Making BCM Part of the Enterprise Security Program
BCP Project Components
BCP committee
• Business units
• Senior management
• IT department
• Security department
• Communications department
• Legal department
The initiation process for the BCP program
• Setting up a budget and staff for the program before the BCP process begins.
• Assigning duties and responsibilities to the BCP coordinator and to representatives from all of the functional units of the organization.
• Senior management kick-off of the BCP program with a formal announcement or, better still, an organization-wide meeting to demonstrate high-level support.
• Awareness-raising activities to let employees know about the BCP program and to build internal support for it.
• Establishment of skills training for the support of the BCP effort.
• The start of data collection from throughout the organization to aid in crafting various continuity options.
• Putting into effect “quick wins” and gathering “low-hanging fruit” to show tangible evidence of improvement in the organization’s readiness, as well as improving readiness.
Scope of the Project
Enterprise-wide BCP
BCP Policy
The process of drawing up a policy
1. Identify and document the components of the policy.
2. Identify and define policies of the organization that the BCP might affect.
3. Identify pertinent legislation, laws, regulations, and standards.
4. Identify “good industry practice” guidelines by consulting with industry experts.
5. Perform a gap analysis. Find out where the organization currently is in terms of continuity planning, and spell out where it wants to be at the end of the BCP process.
6. Compose a draft of the new policy.
7. Have different departments within the organization review the draft.
8. Incorporate the feedback from the departments into a revised draft.
9. Get the approval of top management on the new policy.
10. Publish a final draft, and distribute and publicize it throughout the organization.
Project Management
SWOT analysis
• Strengths Characteristics of the project team that give it an advantage over others
• Weaknesses Characteristics that place the team at a disadvantage relative to others
• Opportunities Elements that could contribute to the project’s success
• Threats Elements that could contribute to the project’s failure
components
• Objective-to-task mapping
• Resource-to-task mapping
• Workflows
• Milestones
• Deliverables
• Budget estimates
• Success factors
• Deadlines
Business Continuity Planning Requirements
Tips
Due diligence is normally associated with leaders, laws, and regulations.
Due care is normally applicable to everyone and could be used to show negligence.
Business Impact Analysis (BIA)
• Maximum tolerable downtime and disruption for activities
• Operational disruption and productivity
• Financial considerations
• Regulatory responsibilities
• Reputation
Risk Assessment
Risk assessment process
Risk Assessment Evaluation and Process
The end goals of a risk assessment
• Identifying and documenting single points of failure
• Making a prioritized list of threats to the particular business processes of the organization
• Putting together information for developing a management strategy for risk control and for developing action plans for addressing risks
• Documenting acceptance of identified risks, or documenting acknowledgment of risks that will not be addressed
Risk = Threat × Impact × Probability.
The main parts of a risk assessment
• Review the existing strategies for risk management
• Construct a numerical scoring system for probabilities and impacts
• Make use of a numerical score to gauge the effect of the threat
• Estimate the probability of each threat
• Weigh each threat through the scoring system
• Calculate the risk by combining the scores of likelihood and impact of each threat
• Get the organization’s sponsor to sign off on these risk priorities
• Weigh appropriate measures
• Make sure that planned measures that alleviate risk do not heighten other risks
• Present the assessment’s findings to executive management
BIA Steps
1. Select individuals to interview for data gathering.
2. Create data-gathering techniques (surveys, questionnaires, qualitative and quantitative approaches).
3. Identify the company’s critical business functions.
4. Identify the resources these functions depend upon.
5. Calculate how long these functions can survive without these resources.
6. Identify vulnerabilities and threats to these functions.
7. Calculate the risk for each different business function.
8. Document findings and report them to management.
Assigning Values to Assets
Loss criteria
• Loss in reputation and public confidence
• Loss of competitive advantages
• Increase in operational expenses
• Violations of contract agreements
• Violations of legal and regulatory requirements
• Delayed-income costs
• Loss in revenue
• Loss in productivity
maximum tolerable downtime (MTD) or maximum period time of disruption (MPTD)
EXAM TIP
A BIA is performed at the beginning of business continuity planning to identify the areas that would suffer the greatest financial or operational loss in the event of a disaster or disruption. It identifies the company’s critical systems needed for survival and estimates the outage time that can be tolerated by the company as a result of a disaster or disruption.
Interdependencies
management’s responsibilities
• Committing fully to the BCP
• Setting policy and goals
• Making available the necessary funds and resources
• Taking responsibility for the outcome of the development of the BCP
• Appointing a team for the process
BCP team’s responsibilities
• Identifying regulatory and legal requirements that must be met
• Identifying all possible vulnerabilities and threats
• Estimating the possibilities of these threats and the loss potential
• Performing a BIA
• Outlining which departments, systems, and processes must be up and running before any others
• Identifying interdependencies among departments and processes
• Developing procedures and steps in resuming business after a disaster
Personnel Security
minimize the risks by implementing preventive measures
Separation of duties
makes sure that one individual cannot complete a critical task by herself.
split knowledge and dual control.
Rotation of duties (rotation of assignments)
an administrative detective control that can be put into place to uncover fraudulent activities
mandatory vacation
usually detects any fraudulent errors or activities
Hiring Practices
Possible background check criteria
• A Social Security number trace
• A county/state criminal check
• A federal criminal check
• A sexual offender registry check
• Employment verification
• Education verification
• Professional reference verification
• An immigration check
• Professional license/certification verification
• Credit report
• Drug screening
Onboarding
Steps
• The new employee attends all required security awareness training.
• The new employee must read all security policies, be given an opportunity to have any questions about the policies answered, and sign a statement indicating they understand and will comply with the policies.
• The new employee is issued all appropriate identification badges, keys, and access tokens pursuant to their assigned roles.
• The IT department creates all necessary accounts for the new employee, who signs into the systems and sets their passwords (or changes any temporary passwords).
Nondisclosure agreements (NDAs) must be developed and signed by new employees
Termination
• The employee must leave the facility immediately under the supervision of a manager or security guard.
• The employee must surrender any identification badges or keys, be asked to complete an exit interview, and return company supplies.
• That user’s accounts and passwords should be disabled or changed immediately.
Security Awareness Training
Presenting the Training
Periodic Content Reviews
Training Assessments
Security Governance
Metrics
industry best practices
ISO/IEC 27004:2016
ISO/IEC 27001
ISO/IEC 27004
NIST SP 800-55, Revision 1
Six Sigma
the measurements of service-level targets for ITIL
Ethics
the Code of Ethics
• Protect society, the common good, necessary public trust and confidence, and the infrastructure
• Act honorably, honestly, justly, responsibly, and legally
• Provide diligent and competent service to principals
• Advance and protect the profession
The Computer Ethics Institute
Ten Commandments of Computer Ethics
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people’s computer work.
3. Thou shalt not snoop around in other people’s computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people’s intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
The Internet Architecture Board
It is responsible for the architectural oversight of Internet Engineering Task Force (IETF) activities, Internet Standards Process oversight and appeal, and serves as editor of Requests for Comments (RFCs).
unethical and unacceptable behavior
• Purposely seeking to gain unauthorized access to Internet resources
• Disrupting the intended use of the Internet
• Wasting resources (people, capacity, and computers) through purposeful actions
• Destroying the integrity of computer-based information
• Compromising the privacy of others
• Conducting Internet-wide experiments in a negligent manner
RFC 1087 is called “Ethics and the Internet.”
Domain 2. Asset Security
Information Life Cycle
1. Acquisition
2. Use
3. Archival
Backup
A data backup is a copy of a data set currently in use that is made for the purpose of recovering from the loss of the original data.
Archive
A data archive is a copy of a data set that is no longer in use, but is kept in case it is needed at some future point.
4. Disposal
Classification
EXAM TIP
Each classification level should have its own handling and destruction requirements.
An information asset can be either the data, the device on which it is stored and used, or both.
Classification Levels
commercial business
• Confidential
• Private
• Sensitive
• Public
military purposes
• Top secret
• Secret
• Confidential
• Sensitive but unclassified
• Unclassified
criteria parameters for determining the sensitivity of data
• The usefulness of data
• The value of data
• The age of data
• The level of damage that could be caused if the data were disclosed
• The level of damage that could be caused if the data were modified or corrupted
• Legal, regulatory, or contractual responsibility to protect the data
• Effects the data has on security
• Who should be able to access the data
• Who should maintain the data
• Who should be able to reproduce the data
• Lost opportunity costs that could be incurred if the data were not available or were corrupted
Classification Controls
Classification Procedures
1. Define classification levels.
2. Specify the criteria that will determine how data is classified.
3. Identify data owners who will be responsible for classifying data.
4. Identify the data custodian who will be responsible for maintaining data and its security level.
5. Indicate the security controls, or protection mechanisms, required for each classification level.
6. Document any exceptions to the previous classification issues.
7. Indicate the methods that can be used to transfer custody of the information to a different data owner.
8. Create a procedure to periodically review the classification and ownership. Communicate any changes to the data custodian.
9. Indicate procedures for declassifying the data.
10. Integrate these issues into the security awareness program so all employees understand how to handle data at different classification levels.
Layers of Responsibility
EXAM TIP
Senior management always carries the ultimate responsibility for the organization.
Executive Management
Chief Executive Officer
has the day-to-day management responsibilities of an organization.
The CEO can delegate tasks, but not necessarily responsibility.
Chief Financial Officer
chief information officer (CIO)
The CIO sets the stage for the protection of company assets and is ultimately responsible for the success of the company security program.
chief privacy officer (CPO)
chief security officer (CSO)
is responsible for understanding the risks that the company faces and for mitigating these risks to an acceptable level.
CISO
Data Owner
Data ownership takes on a different meaning when outsourcing data storage requirements.
Data Custodian
is responsible for maintaining and protecting the data.
System Owner
is responsible for one or more systems.
Security Administrator
is responsible for implementing and maintaining specific security network devices and software in the enterprise.
Supervisor (user manager)
is ultimately responsible for all user activity and any assets created and owned by these users.
Change Control Analyst
is responsible for approving or rejecting requests to make changes to the network, systems, or software.
Data Analyst
is responsible for ensuring that data is stored in a way that makes the most sense to the company and the individuals who need to access and work with it.
User
is any individual who routinely uses the data for work-related tasks.
Auditor
periodically checks that everyone is doing what they are supposed to be doing and ensures the correct controls are in place and are being maintained securely.