CISSP Week 9


Published on

StaridLabs CISSP Study slides for week 9

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

CISSP Week 9

  1. 1. Domain 3: Information Security Governance & Risk Management July 27, 2013 Tim Jensen StaridLabs
  2. 2. ●Risk Analysis ●Data Classification ●Risk Assessment ●Security Awareness Information Security Governance includes:
  3. 3. Risk Management Minnimize loss of information assets through: ● Identification ● Measurement ● control
  4. 4. Security Management Lifecycle Image Src:
  5. 5. IT Governance ● Governance must be informed about information security ● Set direction to drive policy and strategy ● Provide resources to security efforts ● Assign management responsibilities ● Set priorities ● Support Changes required ● Insist that security investments are made measurable and reported on for program effectiveness
  6. 6. Impact from organizational changes ● Acquisitions and mergers ● Divestitures ● Spin-offs ● Governance Committees
  7. 7. Acquisitions and Mergers ● Friendly VS Hostile ● New staff and roles require new security awareness and training ● Threats from former employees or threats that the new company will face due to the merger ● Vulnerabilities when systems are merged ● New regulations/compliance ● External business partner review and assessment
  8. 8. Divestitures and Spin-offs ● Data Loss/data leak due to employees leaving ● System ports/protocols/connections left open after systems were removed ● Loss of visibility into systems if both organizations didn't keep security monitoring tools ● New threats from laidoff employees ● Revision of policies, procedures, and standards for new governance/compliance
  9. 9. Governance Committee Changes ● Ensure the committee understands at a high level the importance of information security and risk management ● Ensure someone on the committee has security and risk aptitude ● Maintain working relationship with committee and be aproachable
  10. 10. Security Roles & Responsibilities
  11. 11. End User ● End user is responsible for protecting information assets on a daily bases through adherence to the security policies ● End user compliance failures include: ● Downloading unauthorized software ● Opening attachments from unknown senders ● Visiting malicious websites ● End user can be turned into human security sensors with proper training
  12. 12. Phishing Effectiveness Img Src: 2013 Verizon Breach Report Pg 38
  13. 13. Executive Management ● EM maintains the overall responsibility for protection of the information assets. ● EM must be aware of the risks they are accepting on behalf of the organization ● Risk must be identified through risk assessment so management can make informed decisions
  14. 14. Security Officer ● Directs, coordinates, plans, and organizes information security activities throughout the organization ● Responsible for the design, implementation, management, and review of the organization's security policies, standards, procedures, baselines, and guidelines
  15. 15. Information Systems Security Professional ● Drafting of security policies, standards, and supporting guidelines and procedures ● Baselines ● Guidance on technical security issues and emerging threats ● Interpretation of regulations ● Analysis of vendor solutions
  16. 16. Data/Information/Business Owners ● Classify information assets ● Ensure business information is protected ● Review access rights ● Approve access to information ● Determine criticality, backups, and safeguards for data
  17. 17. Data/Information Custodian/Steward ● Individual or function who takes care of information on behalf of the owner ● Makes sure information is available, backed up, and consistent
  18. 18. Information Systems Auditor ● Verifies compliance with security policies, procedures, standards, baselines, designs, architectures, management direction, and other requirements ● Provide independent assurance to management on appropriateness of security controls
  19. 19. Business Continuity Planner ● Develop contingency plans to prepare for disasters ● Ensures business processes can continue during and after: ● Earthquakes, tornadoes, hurricanes, blackouts, political change, terrorist activities, fires, floods, etc
  20. 20. IS/IT professionals ● Convert security controls into actionable security on IT systems ● Test controls
  21. 21. Security Administrator ● Manages user access requests and ensures privileges are provided to authorized users ● Manages privileges needs over time ● Removes access upon user termination
  22. 22. Network/Systems Administrator ● Configures network and server hardware/operating system to insure information is available and accessible ● Manages patching and vulnerability management
  23. 23. Physical Security ● Monitors physical locations with cameras, alarms, card readers, etc. ● Verifies physical breaches do not occur and mitigates damage if breach does occur
  24. 24. Administrative Assistant/Secretaries ● First line of defense at most companies: ● Greets visitors ● Signs for packages ● Screens phone calls for executives ● Very prone to social engineering attacks ● Friendly for a living
  25. 25. Help Desk Administrator ● Fields technical questions from users ● Likely going to hear about security issues before anyone else ● Viruses ● Systems freezing ● Wierd popups** ● Help desk usually responsible for identifying threats and notifying the incident response (CIRT) team
  26. 26. Purposes for roles ● Increased efficiency by reducing confusion on who does what ● Lowers risk to company reputation/brand ● Personal accountability ● Support of disciplinary actions for security violations ● Demonstratable compliance with applicable laws and regulations ● Shielding of management from liability and negligence ● Roadmap for auditors ● Segregation by role is useful for determining the level of security training required
  27. 27. Legal Negligence ● A failure to behave with the level of care that someone of ordinary prudence would have exercised under the same circumstances. The behavior usually consists of actions, but can also consist of omissions when there is some duty to act
  28. 28. Gross Negligence ● carelessness which is in reckless disregard for the safety or lives of others, and is so great it appears to be a conscious violation of other people's rights to safety. It is more than simple inadvertence, but it is just shy of being intentionally evil. If one has borrowed or contracted to take care of another's property, then gross negligence is the failure to actively take the care one would of his/her own property. If gross negligence is found by the trier of fact (judge or jury), it can result in the award of punitive damages on top of general and special damages.
  29. 29. Legislative and Regulatory Compliance ● As a general rule, laws and regulations represent a “moral minimum” which must be adhered to and should never be considered wholly adequate. ● Regulations often offer specific actions which must be met for compliance. ● Some have a “Safe Harbor” provision which is a set of “good faith” conditions which if met may temporarily or indefinitely protect the organization from penalties of a new law or regulation.
  30. 30. Compliance Examples ● FISMA ● PCI ● DISA STIGS ● NIST 800-53 ● ISO 27001
  31. 31. Privacy Requirements ● Personally identifiable information (PII) is a valuable commodity for marketers and attackers ● Storing the data can become a liability. Certain data falls under privacy regulations which if not followed come with steep fines or jail time. ● International exposure increases the risk. US privacy laws are much less strict compared to European laws (See the EDPD regulations)
  32. 32. Security and privacy control frameworks ● Must be: ● Consistent – if approach and application is not consistent then stakeholders will become confused and loose faith in the program ● Measurable – Must be able to determine progress and set goals. ● Standardized – Departments/companies must be able to be compared against each other ● Comprehensive – Must cover regulatory requirements of the organization and be able to accommodate new requirements or organizational mandates ● Modular – Must be adaptable and able to withstand organizational changes
  33. 33. NIST SP 800-53 ● Over 300 controls in 17 families and 3 classes ● Government agencies build Acceptable Risk Standard (ARS) documents based on FISMA requirements which are based on NIST 800-53. ● An update to the underlying layers propagates up through several security departments and agencies before being implemented across all federal systems ● Federal system owners are expected to re mediate before being mandated based on risk so long as the remediation does not conflict with current regulations (without approval)
  34. 34. ISO 27001 ● Designed to work with organizations of all sizes and types (vs just federal systems)
  35. 35. Compliance Mapping ● Different compliance frameworks can be mapped together for ease of identifying additional controls or conflicting controls ● If a control conflicts the organization generally sides on the most restrictive control for high security or does a risk assessment to identify the risk to production stability vs risk of breach
  36. 36. Information Security Governance & Risk Management Part 2 July 27, 2013 Jem Jensen StaridLabs
  37. 37. Due Care ● Legal Definition ● The conduct that a reasonable man or woman will exercise in a particular situation, in looking out for the safety of others ● What is your legal obligation in a situation? ● Depends on laws ● Depends on who is defining “reasonable” ● Check the laws and precedence to measure your legal exposure
  38. 38. Due Diligence ● Pre-emptive cousin of Due Care ● Attempts to avoid situations which can lead to harm/require due care to be exercised ● Examples: ● Background checks ● Credit checks ● Pen tests
  39. 39. Confidentiality ● Definitions reminders ● Least Privilege: The level of access an individual has is just what's necessary to do their job ● Need-To-Know ● Data classification
  40. 40. Integrity ● Definitions reminders ● Info is protected from unauthorized or accidental changes ● Segregation of duties ● Approval checkpoints ● Testing
  41. 41. Availability ● Definitions reminders ● Info is available and accessible to users when needed ● Denial of Service ● Loss of Service (due to disaster, etc) ●
  42. 42. Security Policy Introduction ● Life without policy ● Employees has no guidance so they act based on their view of what is right or wrong for the company ● Might use past decisions and try to stick to the status quo ● Many small companies operate this way because it's cheap and easy. But it's dangerous
  43. 43. Security Policy Introduction ● Procedures ● Step-By-Step instructions ● Standards ● Specific Hardware and Software ● Baselines ● Consistent Level of Security ● Guidelines ● Recommendations
  44. 44. Security Policy Introduction ● Security policy is implemented with Standards, Procedures, Baselines, and Guidelines ● Without this implementation, the policy can't be enforced ● Both policy and the implementation are usually crafted by Security Officers
  45. 45. Security Policy Introduction ● The policy crafting process should be collaborative and include ● HR ● Legal ● Compliance ● Various IT areas ● Business representatives ● When everyone is involved, it's easier to catch everything and get buy-in from everyone
  46. 46. Security Policy Introduction ● Once policy is documented, it's important to make it readily available to everyone ● Share documents, either on paper or in shared folders ● Make and distribute forms & checklists ● Training
  47. 47. Security Policy Defined ● In essence, a security policy formalizes what a company expects from employees ● Defines roles and responsibilities ● Assigns authority for security/compliance ● Policy-making is old. Therefore, the path to making them is well-traveled. Lots of guidelines!!!
  48. 48. Security Policy Guidelines ● Guidelines ● Formally define a process for making and maintaining new policy ● Policies should survive for 2-3 years – Should be reviewed annually, eventually rewritten ● Policies shouldn't be too specific – Technology, personnel, and markets change ● Use forceful, directive wording
  49. 49. Security Policy Guidelines ● Guidelines ● Leave out technical implementation details – Policy must be independent of tech ● Keep as short as possible (2-3 pages) ● Provide references to supporting documents ● Thoroughly review before publishing ● Management review/sign-off ● Employee acknowledgement
  50. 50. Security Policy Guidelines ● Guidelines ● Do not use tech jargon – Nontechnical people won't understand if you do ● Adjust policy based on incidents – Regular reviews of incidents ● Review policy periodically ● Define exemption rules ● Develop sanctions for noncompliance – Disciplinary actions/punishment/termination
  51. 51. Security Policy Types ● Organizational or Program Policy ● Issued by senior management ● Scoped to entire org or division ● High-level authority to define sanctions ● Example: ● “If a computer is unplugged, leave it alone”
  52. 52. Security Policy Types ● Functional or Issue-Specific Policy ● Scoped to particular technology or domain ● Example: ● Acceptable Use Policy for company internet
  53. 53. Security Policy Types ● System-specific Policy ● Targeted for specific application/platform ● Greater control for specific area ● Example: ● “Only Accounting and HR can input information into the check-writing application”
  54. 54. Standards ● Policy defines what an org needs ● Standards define the requirements ● Lay out the hardware & software mechanisms ● Provide consistency of implementation ● Permit interoperability ● Can save money and time ● Standard is to use Windows desktops – don't have to support and train for OSX or Linux ● May be external – NIST, ANSI, IEEE, ISO, NSA
  55. 55. Baselines ● Baselines describe how to best implement standards, especially in software ● More technical and specific ● Example: ● “Disable the Telnet service on all servers” ● Also can be external – DISA STIGS, CIS
  56. 56. Procedures ● Step-by-step instructions ● By documenting procedures, a company can more easily assure that they are implementing policy consistently ● Ensures nothing gets left out ● Minimizes liability ● Documenting procedures can help break down interdepartmental walls and assumptions ● Easier to see duplicate work or missing work
  57. 57. Guidelines ● Optional recommendations to help employees make judgment calls ● Suggested steps for doing work ● How to best implement a baseline
  58. 58. Documentation ● Do not combine policies with other documentation! ● Documentation can be edited by employees whereas only management should change policies ● Also a good idea to keep standards separate
  59. 59. Analogy Time! ● Hammer Policy... ● “All boards must be nailed together using company-issued hammers to ensure end-product consistency and worker safety” ● Policy is flexible – allows company to define hammer types and change the hammers if a safer hammer emerges
  60. 60. Analogy Time! ● Hammer Standard ● “Eleven-inch fiberglass hammers will be used. Only hardened-steel nails will be used with the hammers. Automatic hammers are to be used for repetitive jobs only that are > 1 hour.” ● Clearer, more specific
  61. 61. Analogy Time! ● Hammer Guidelines ● “To avoid splitting the wood, a pilot hole may be drilled first.” ● Optional suggestion. May not apply in all cases, depending on the wood being hammered
  62. 62. Analogy Time! ● Hammer Procedure ● “Position nail in upright position on board. Strike nail with full swing of hammer. Repeat until nail is flush with board.” ● Process for using the hammer and nail to get the best results
  63. 63. Manage the Information Life Cycle ● When information is created, someone must be responsible for it ● Determine impact ● Understand info replacement costs ● Determine who in and outside of the org needs the info/when it should be released ● Know when the info is inaccurate/unneeded and should be destroyed
  64. 64. Manage the Information Life Cycle ● Data classification can make the job easier ● Everyone knows how to treat it ● Data categorization too ● Helps define impact of loss and exposure ● A data retention schedule can help ● Mandate destruction of info after a certain date, period, or period of inactivity
  65. 65. Third-Party Governance ● Types of third-parties ● IaaS – Infrastructure as a Service – Provides “bare metal” hardware resources – Example: Co-Lo servers ● PaaS – Platform as a Service – Provides OS or DB – Example: Amazon EC2 ● SaaS – Software as a Service – Provides full tool, company just provides the data
  66. 66. Third-Party Governance ● SLA – Service Level Agreement ● Defines levels of performance and compensation/penalties between providers and customers ● Due Diligence ● On-site inspections ● Third-party policy reviews ● Document exchanges ● Independent inspections ● Legal review – legal exposure, international concerns
  67. 67. To Be Continued, next week... Check the Syllabus! It's been updated!