Access Control
Process of allowing only authorized users, programs, or other computer systems to observe, modify, or otherwise take possession of the resources of a computer system; also mechanism for limiting the use of some resources to authorized users. Controlling a
Access Controls
Authentication, Identification, Confidentiality, Integrity, Availability
Goal of Security
CIA TRIAD
Authentication (Access Control)
Proof and verification of information - you are who you say you are.
Identification (Access Control)
Identity verification. Not only are you who you say you are, you can prove it.
Confidentiality (Access Control)
Protection from unauthorized viewing. Keep things secret. Ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure.
Integrity (Access Control)
Protecting data from unauthorized modification. Same when you take it out as when it went in. Upheld when the assurance of the accuracy and reliability of information and systems is provided and any unauthorized modification is prevented.
Availability (Access Control)
Maintaining system usability. Always there. Ensures reliability and timely access to data and resources to authorized individuals.
Controls for Availability
RAID, Clustering, Load balancing, Redundant data and power lines, software and data backups, disk shadowing, co-location and offsite facilities, rollback functions, failover configurations
Controls for Integrity
Hashing (data integrity), configuration management (system integrity), change control (process integrity), access control (physical and technical), software digital signing, transmission cyclic redundancy check (CRC) functions
Controls for Confidentiality
Encryption for data at rest (whole disk, database encryption), Encryption for data in transit (IPSec, TLS, PPTP, SSH), Access control (physical and technical)
Vulnerability
Weakness in a system that allows a threat source to compromise its security. Can be software, hardware, procedural, or human weakness that is exploited.
Threat
Any potential danger that is associated with the exploitation of a vulnerability.
Threat agent
The entity that takes advantage of a vulnerability.
Risk
Likelihood of a threat source exploiting a vulnerability and the corresponding business impact. Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact.
Exposure
An instance of being exposed to losses.
Control
Countermeasure that is put into place to mitigate (reduce) the potential risk. The terms control, countermeasure and safeguard are interchangeable. The right countermeasure can eliminate the vulnerability and exposure, thus reducing the risk.
Relationship among security concepts
Threat agent gives rise to a threat that exploits a vulnerability, which leads to risk, which can cause damage to an asset and causes an exposure, which can be countered by a safeguard, which directly affects the threat agent. pg 8
Administrative Controls
soft controls - management oriented.
Technical or Logical Controls
software and hardware components
Physical controls
items put into place to protect facility, personnel, and resources
Functionalities of Security Controls
Preventative, Detective, Corrective, Deterrent, Recovery, Compensating.
Preventative
Intended to avoid an incident from occurring
Detective
Helps identify an incident's activities and potentially an intruder.
Corrective
Fixes components or systems after an incident has occurred.
Deterrent
Intended to discourage a potential attacker
Recovery
Intended to bring the environment back to regular operations.
Compensating
Controls that provide an alternative measure of control. For example, a security guard may be suggested but a fence used instead because of cost.
Preventive: Administrative
Policies and procedures, effective hiring practices, pre-employment background checks, controlled termination processes, data classification and labeling, security awareness, security awareness training, testing, personnel procedures, information classific
Preventive: Physical
Badges and swipe cards, guards and dogs, fences, locks, mantraps, biometric system
Preventive: Technical
Passwords, biometrics, smart cards, encryption, secure protocols, call-back systems, database views, constrained user interfaces, antimalware software, ACLs, firewalls, intrusion prevention system, antivirus software,
Detective: Administrative
monitoring and supervising, job rotation, investigations, mandatory vacations
Detective: Physical
Motion detectors, closed circuit TVs
Detective: Technical
Audit logs, IDS
Recovery: Physical
Offsite facility
Recovery: Technical
Data backup
Deterrent: Physical
Fences, lighting
Corrective: Technical
Server images
Security through obscurity
Assuming enemies are not as smart as you and cannot figure something out that you feel is very tricky. Do not do.
Security Program Development Standards
ISO/IEC 27000 series. Outlines the necessary components of an organizational security program.
ISO/IEC 27000 series
International standards on how to develop and maintain an ISMS, developed by ISO and IEC. Serves as industry best practices for the management of security controls in a holistic manner within organizations around the world. Based on British Standard 7799.
Enterprise Architecture Development Standards:
Zachman Framework, TOGAF, DoDAF, MODAF, SABSA model
Zachman Framework
Model for the development of enterprise architectures developed by John Zachman. Generic two-dimensional model that uses 6 basic communication interrogatives (What, How, Where, Who, When, Why) intersecting with different perspectives (Executives, Business
TOGAF
The Open Group Architecture Framework - Model and methodology for the development of enterprise architectures developed by The Open Group. Origins in DOD. Provides approach to design, implement and govern an enterprise information architecture. Can be use
DoDAF
Department of Defense Architecture Framework -ensures interoperability of systems to meet military mission goals. Focus of this framework is on command, control, communications, computers, intelligence, surveillance, and reconnaissance systems and process
MODAF
Ministry of Defense Architecture Framework - Used mainly in military support missions, developed by the British ministry of defense, based on DoDAF. Be able to get data in the right format to the right people as soon as possible.
Enterprise Security Architecture
Subset of an enterprise architecture and defines the information security strategy that consists of layers of solutions, processes, and procedures and the way they are linked across an enterprise strategically, tactically, and operationally. Purpose to ma
SABSA
Sherwood Applied Business Security Architecture: Model and methodology for the development of information security enterprise architectures. Similar to Zachman Framework. Layered framework with its first layer defining business requirements from a securit
Enterprise Security Architecture Success needs
Strategic alignment (the business drivers and the regulatory and legal requirements are being met by the security enterprise architecture), Business enablement (core business processes are integrated into the security operating model-they are standards ba
Security Controls Development Standards
COBIT 5, NIST SP 800-53, COSO Internal Control -Integrated Framework. Look at the objectives of the controls we are going to put into place to accomplish the goals outlined in our security program and enterprise architecture.
COBIT 5
Control Objectives for Information and related Technology-A business framework to allow for IT enterprise management and governance that was developed by ISACA and ITGI. Based on five key principles: Meeting stakeholder need, covering the enterprise end t
NIST SP 800-53
Set of controls to protect US federal systems developed by NIST. 800-53 is "Security and Privacy Controls for Federal Information Systems and Organizations" which outlines controls that agencies need to put into place to be compliant with the Federal Info
COSO Internal Control-Integrated Framework (COSO IC)
Set of internal corporate controls to help reduce the risk of financial fraud developed by the COSO of the Treadway Commission. Five internal control principles: Control environment, risk assessment, control activities, information and communication, moni
Process Management Development Standards
ITIL, Six Sigma, Capability Maturity Model Integration CMMI. Way to construct and improve our business, IT, and security processes in a structured and controlled manner.
ITIL
Information Technology Infrastructure Library - Processes to allow for IT service management developed by the United Kingdom's Office of Government Commerce. De facto standard of best practices for IT service management. Focus more toward internal SLAs be
Six Sigma
Business management strategy that can be used to carry out process improvement. Process improvement methodology. New and improved TQM (Total Quality Management) from the 1980s. Goal is to improve process quality by using statistical methods of measuring o
CMMI
Capability Maturity Model Integration -Organizational development for process improvement developed by Carnegie Mellon University for DOD. More emphasis on this compared to Six Sigma and ITIL for exam. Crux is to develop structured steps that can be follo
Blueprints
Important tools to identify, develop, and design security requirements for specific business needs.
Security Frameworks
ISO/IEC 27000 (description of type of house-ranch style), security enterprise framework (architecture layout of house-foundation), blueprints (detailed descriptions of specific components of house-electrical system), control objectives (building specs and
Permissive stance
allow-by-default (own home)
Restrictive stance
deny-by-default (pay per view cable)
Defense in depth
Multiple layers of different forms of security controls. The more sensitive the asset, the more layers used.
Access Control General Process
1. Define what you are trying to protect (asset valuation)
2. Who needs access, how many, what level of access
Access Control Principles
1. Policy
2. Separation of duties
3. Least privilege
4. Need to know
5. Compartmentalization
6. Security domain
Access Control - Policy
Documented, discrete standards and guidelines for determining access to organizational info. Reduces ambiguity. Formal, written access control policy so everyone is on the same page. If you don't write it down, it didn't happen.
Access Control - Separation of duties
Users are not given oversight over entire process. Reduces fraud and errors. Ex: Auditing - accountants not doing auditing. Writing a check - does person cutting check get to sign it? No. Balance of power.
Access Control - Privileges
1. Least privilege - Users only have the permissions they need for operational purposes.
2. Need to know - Only have access to data they need for operational purposes.
3. Compartmentalization - Isolating groups and information.
Access Control - Security domain
An area of common processes and controls distinct from other areas. Splitting up operation into distinct areas so you can control them - different controls for different domains. Hierarchical structure. Defense in depth. Asset valuation to help determine.
Technical/logical access controls
1. Network access
2. Remote and system access
3. Application access
4. Malware control and encryption
5. Physical access control
Network access
Devices (firewall, IDS, IPS, proxy)
VLANs
Wireless configuration
Network access control (NAC)
Network access control
NAC - ensures a system is configured in accordance with current policies before it is allowed to join the network. Hardened system.
Remote and system access
Remote access - VPN (virtual private network) - through encrypted tunnel
System access - userid and password, smartcards, tokens
Application access
Monitor user sessions, inactivity time-outs, validate data entry (for malicious intent), limit access to services (ex: limit macros in Word), applications designed for reducing threats (buffer overflow, process scheduling conflicts, system integrity breaches
Malware control
Malware control (malicious software - viruses, worms, trojan horses, spyware, adware) - antivirus, file integrity checks (checksum), IPS (Intrusion Prevention System) - Detect, Prevent and Correct
Encryption
1. Supports confidentiality and authentication
2. Hashed - one-way, irreversible mathematical operation
3. Assists in session validation
Physical Access Control
Full spectrum of tangible controls (locks, doors, fences, etc). Human safety paramount.
Strategic alignment
Don't do security in the absence of corporate policy or independently of the business. Senior management makes the final decision with input from security professionals.
CIA TRIAD
Confidentiality, Integrity, Availability
Security Governance
framework that allows for the security goals of an organization to be set and expressed by senior management, communicated through the different levels of the organization.
IT Governance
A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes.
Information Security
Protect the CIA Triad
Benefits of IS governance
1. Demonstrates "due care"
2. Ensures policy compliance
3. Lowers risks to defined and acceptable levels
4. Improves customer trust
5. Protect org reputation
6. Provides accountability
Due Diligence
Legal standard for what you are expected to do - would a reasonable person in your position be expected to act that way.
Board of directors
Responsible overall, need to be informed, set direction, give budget and personnel, pick priorities
Management
Publish sec policies, sec is consultant to management
Components to be managed
acquisitions, divestitures, governance committees, Information lifecycle (classification, categorization, ownership)
Governance committees
Enterprise-wide oversight committee includes - HR, Legal, IT, Business Units, Compliance/Audit, Infosec. Creates mission statement.
Information lifecycle
Classification, categorization, ownership
Third-party governance
Outsourcing - IT farmed out to another vendor
Compliance enforcement
Written and published policies
Regulatory, privacy requirements compliance, internal policies, standards and procedures compliance
Compliance methods
Policy review
Audit
Vulnerability and penetration testing
Security Policy
an overall general statement produced by senior management that dictates what role security plays within the organization. organizational,
Organizational security policy
management establishes how a security program will be set up, lays out the program's goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out. Must address laws, regulations and lia
Issue-specific policy
functional policy - addresses specific security issues that management feels need more detailed explanation and attention. email, acceptable use, change control, and personnel security policy are examples.
System-specific policy
presents the management's decisions that are specific to the actual computers, networks and applications. How a laptop should be locked up example
Policies
Framework for the security program, creates a common set of expectations, communicates management's goals, drafted by security officers but with input from others (legal, mgmt, HR, IT, users, etc), requires enforcement, compliance and maintenance mechanisms. Need
Policy Best Practices
Formally define, endure 2-3 years, don't be too specific, use forceful directive wording, don't include technical details, keep brief, provide references, review before publishing, require mgmt signing and employee acknowledgement, adjust policies with new inputs
Types of Security Policies
1. Organizational or program policy (enterprise wide)
2. Functional, issue-specific policy (ie internet usage)
3. System-specific policy (ie for the financial system)
Types of Policies
1. Regulatory (detailed and specific, ensures org is following standards set by specific industry regulations, HIPAA)
2. Advisory (strongly advises and outlines ramifications)
3. Informative (not enforceable, but teachable)
Standards
Policies are rules - what you are going to do
Mandatory activities, actions or rules
Standards are how you are going to do it - more technical
Require consistency, cost-effective, standards linked to policy
Procedures
Step-by-step instructions to support compliance with policies and standards - checklist. Lowest level of documentation.
Baseline
Describes how to implement configuration to ensure consistency. Specific rules describing how to implement the best security controls - easier to maintain, starts everyone at the same level - then can customize for their domain. Point in time that is used as a
Guidelines
Discretionary or optional recommendations, usually external. Recommended actions and operational guides when a specific standard does not apply.
Governance Analogy
Policy "employees will nail boards together using company-issued hammer"
Standard "company-issued hammers will be 11 inches long and made of fiberglass"
Guideline "to avoid splitting wood, a pilot hole should be drilled before hammering"
Procedure: Step 1,
Security Management Program Focus
Strategic, long-term goals (governance, risk mgmt, compliance). Tactical, short-term goals (short-term risks, emerging threats, loss prevention and support of org initiatives).
Cost budgeting
implement procedures to measure the ongoing cost-effectiveness of security components
Types of legal systems
Civil (Code) law, Common Law, Customary Law, Religious Law, Mixed Law
Common Law System
Also called case law - courts have already made decision, relies on previous rulings. 3 branches - criminal law, tort law, administrative law.
Adversarial approach - prosecution and defense
Criminal law
Behaviors seen as harmful to public or society, gov sets consequences, jail, death. Based on common law, statutory law or a combo. Responsibility on prosecution to prove guilt beyond reasonable doubt. Criminal law typically is statutory, cases are initiat
Tort/Civil law
Government not involved - money outcome. Wrongs against individuals or companies that result in damages or loss. Jury decide liability instead of innocence or guilt. Defendant is obligated to conform to a particular standard of conduct - reasonable man of
Administrative law
Regulatory in nature - fines or possible jail as punishment, EPA, drug laws. Government agencies create these standards. Officers of company could be liable under administrative, civil or even criminal law.
Civil (Code) Law System
By statute (rule based) not by precedent, not adversarial but judges. Civil law generally is derived from common law (case law), cases are initiated by private parties, and the defendant is found liable or not for damages.
Customary Law System
Social norms and traditions dictate behavior, usually combined with some form of civil law - punishment monetary fine.
Religious Law System
Derived from religious text or practice, both jurists and clergy, punishments may take any and all forms
Mixed law
Convergence of two or more legal systems - often with customary or religious law
Intellectual Property Laws
Intangibles - ideas, etc. Looks at how a company or individual can protect what it rightfully owns from unauthorized duplication or use, and what it can do if these laws are violated. Divided into two categories: industrial property (inventions/patents, ind
Patent (Intellectual property)
Strongest form of intellectual property protection - grants the owner a legally-enforceable right to exclude others from practicing the invention covered for a specific time - usually 20 years - requires formal application to patent office. Invention must
Trademark (Intellectual property)
Protects something that affects the reputation of an organization. Must be distinctive - words, colors, symbols, signs, designs. Exclusive right to use what identifies a user's goods and products. Registered with gov. Overseen by the World Intellectual Property Or
Copyright (Intellectual property)
Covers expression of ideas, not ideas themselves. Protect writings, databases, recordings, computer programs. Copyright is usually granted automatically to the creator. Protection is weaker than with patents, but much longer (120 years after creator's dea
Trade Secret (Intellectual property)
Proprietary business or technical information, processes, designs, practices, etc that are confidential and critical to the business. Provides competitive advantage, must generally be not known and there must be reasonable steps to protect secrecy. Can ex
Software piracy
Occurs when the intellectual or creative work of an author is used or duplicated without permission or compensation to the author. Act of infringement on ownership rights and perpetrator could be sued civilly for damages, be criminally prosecuted or both.
Software licensing
Four categories: Freeware (software that is publicly available free of charge and no restrictions), Shareware or Trialware (used by vendors to market their software, after trial are asked to purchase), Commercial (software sold), and Academic (provided fo
Export/Import Controls
Government restrictions on exports to terrorists and on encryption items. Could involve laws of at least three jurisdictions - a user in the US conducting a transaction with another user in Britain through a server in Canada.
Computer Crime laws
cyberlaw, deal with unauthorized modification or destruction, disclosure of sensitive information, unauthorized access and the use of malware. Protecting intangibles (data and reputation) more difficult than protecting tangibles. 3 categories: computer-as
computer-assisted crime
Attacking financial systems is an example. Computer is only a tool to carry out a traditional type of crime, covered by regular criminal laws, could take place without a computer. As a tool
computer-targeted crime
DDoS, installing malware are examples. Could not take place without a computer. As a target
computer is incidental crime
Computer is important but is neither the target nor the tool. As incidental - analysis of digital information.
Council of Europe Convention on Cybercrime
Attempt to create a standard international response to cybercrime.
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
Organization for Economic Cooperation and Development. Core principles or guidelines for international privacy-personal data should be reasonably protected and not disclosed other than for the stated purpose, relevant to purpose and accurate, purpose shou
European Union Principles on Privacy
strict laws pertaining to data that is considered private
EU's Data Protection Directive
The principles and how they are to be followed for transmitting private information. All states in Europe must abide by these principles to be in compliance and any company that wants to do business with EU company must comply if business will include exc
Zombies
compromised systems
bots
Software installed on zombies
botnet
attacker with several compromised systems. Can be used to carry out DDoS attacks, transfer spam or do whatever the attacker programs the bot software to do
Script Kiddies
Hackers who do not necessarily have the skill to carry out specific attacks without the tools provided for them on the Internet and through friends.
Advanced Persistent Threat
APT - Advanced has to do with the expansive knowledge, capabilities, and skill base of the APT. The persistent component has to do with the fact the attackers are not in a hurry to launch a quick attack but will wait for the most beneficial moment to ensure
Privacy
Upheld by old laws (not taking into account tech) - constitution, privacy laws; new laws - EFF, Congress, NSA, State
PII
Personally identifiable information - information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.
Ways to deal with Privacy
Laws on government (FPA, USA Patriot), laws on corporations (HIPAA, HITECH), self-regulation (PCI DSS), Individual user (passwords, encryption, awareness)
Principles associated with legality and justification of employee monitoring
Necessity (is it needed), Proportionality (how far to go back and monitor), Finality (specific time), Data accuracy, Transparency (who should monitoring be transparent to), Security (monitoring should not cause subject further risk), Legitimacy (is that l
Data breach
A security event that results in the actual or potential compromise of the confidentiality or integrity of protected information by unauthorized actors. Can be PII, IP (intellectual property), PHI (personal health information), classified information or any
Liability
Legally responsible - civil and criminal
Negligence
Acting without due care; failure to act in the manner of a prudent, reasonable person in similar circumstances. Security officer must act.
Due care/due diligence
Expected level of care demonstrated by officers or executives of an org to meet their fiduciary and management responsibility.
International Cooperation
None required. Russia is the top area from which attacks are initiated.
Incident Response
Primary functions of IT security professionals
Response Capability
Good policies, plan, sr management buy-in, trained. Legal, IT, HR, communications, physical security might be part of team.
Triage Phase
Includes detection, identification, and notification. Incident is triggered by awareness. Escalation is very dependent on circumstances. Must filter out false-positives.
Investigative Phase
Investigate what has happened - reduce impact and identify cause, return to operations as soon as reasonably possible, and prevent reoccurrence. Done in accordance with regulation, policy and law.
Containment (Investigative Phase)
Minimize impact and spread of damage
Analysis and tracking (Investigative Phase)
Determine what is happening, what happened and what might happen - find root cause, requires a great deal of attention in limited time, beneficial to have good working relationships with other response teams. (ISPs, law enforcement)
Recovery Phase
Should not be restored until the vulnerability allowing the attack has been addressed; management makes the decision to return to operational status.
Post-incident phase
Debriefing/feedback, measure metrics (time between discovery and resolution, etc)
Digital Investigations
Encompasses all domains in which evidence or potential evidence exists in a digital or electronic form. Methodical, verifiable, auditable set of procedures and protocols. Rules of engagement, authorization, scope.
Crime scene
Any place evidence may exist - consists of both physical and digital. Limit access to those with need to know and proper training.
Identifying Evidence
During incident handling and response process. Collect physical stuff, snapshots, media.
5 Rules of Evidence
1. Be authentic
2. Be accurate
3. Be complete
4. Be convincing
5. Be admissible
Collecting or acquiring evidence
Ensure contamination and destruction of scene kept to minimum. Use sound, repeatable collection techniques that allow for demonstration of the accuracy and integrity of evidence.
Examining or analyzing the evidence
Use sound scientific methods to determine the characteristics of the evidence.
Chain of Custody
Who, what, when, where, and how the evidence was handled from identification through destruction or archiving.
Evidence Analysis
Software analysis, network analysis, hardware analysis, media analysis, forensic toolkit.
Security Audits
Consist of Objectives, Scope, Constraints, Approach, Results. See whether controls are being met and identify the security status of the org.
Audit Purpose
Improve security stance, accountability, regulatory compliance, customer confidence (reputation).
Performance of Audit Activities
Perform site survey, Review (documentation, logs, risk analysis reports, penetration testing results, config data), Observe employee activities, Interview/question employees.
Audit Focus Areas
Security devices, system hardening, identity management, cryptographic controls, contingency and disaster plans, physical security
Post Audit
Data analysis, audit findings, reporting, follow up.
Contractual Agreements and Procurement Processes
Security policies may include requirements for protecting shared data with third-party service providers. SLA. How are they going to maintain CIA triad - org is still responsible for data even when in third party hands, audits performed. Contracts should
Ethical Obligation
Strict adherence to ISC2 Code of Ethics is a condition of certification.
ISC2 Code of Ethics Canons (in order of importance)
1. Protect society, commonwealth and infrastructure
2. Act honorably, honestly, justly, responsibly and legally
3. Provide diligent and competent service to principals
4. Advance and protect the profession
How Code of Ethics Applies to CISSPs
Informed consent, higher ethic in worst case (Canons), change of scale test, owner's conservation of ownership, users conservation of ownership (responsibility)
Computer Ethics Institute
nonprofit organization that works to help advance technology by ethical means.
Internet Architecture Board (IAB)
coordinating committee for Internet design, engineering, and management. issues ethics-related statements concerning use of internet. RFC 1087 (Ethics and the Internet)
Initiation and Management
Obtain senior leadership support, define project scope, objectives and assumptions, estimate project resources, define a timeline and major deliverables.
Risk management
process of identifying and assessing risk, reducing it to an acceptable level, and ensuring it remains at that level.
Three tiers to risk management
Organizational (risk to business as whole), business process tier (risk to major functions of org, bottom tier), information systems tier (risk from information systems perspective)
Information Systems Risk Management Policy
ISRM
Risk management process
Components: Frame risk, assess risk, respond to risk, monitor risk.
Three main areas of risk
Financial (P*M=C), Reputation, Regulatory (Prudent person rule)
Ten Professional Practice Areas
1. Project Initiation and management
2. Risk evaluation and control
3. Business Impact Analysis BIA
4. Developing business continuity strategies
5. Emergency response and operations
6. Developing and implementing business continuity plans
7. Awareness and
Business Continuity Plan (BCP)
broader approach than DRP, dealing with people, facilities etc. Sometimes used interchangeably with BCM.
BCP Policy
supplies the framework for the governance of designing and building the BCP effort. Contents include scope, mission statement, principles, guidelines, and standards.
SWOT
Strengths/Weaknesses/Opportunities/Threats- part of scope analysis.
Disaster recovery goal
minimize the effects of a disaster or disruption and take the necessary steps to ensure that the resources, personnel, and business processes are able to resume operation in a timely manner.
Disaster Recovery Plan (DRP)
goal is to handle the disaster and its ramifications right after the disaster hits, usually very IT focused.
Business Continuity Management (BCM)
holistic management process that covers DRP and BCP. Main objective is to allow the organization to continue to perform business operations under various conditions.
ISO/IEC 22301
standard for BCM
FFIEC (Federal Financial Institutions Examination Council) BCP Booklet
Says BCP is about maintaining, resuming and recovering the business, not just the technology and explains that BIA and risk assessment are foundation of effective BCP and that BCP must be tested and audited
NASD Rule 3510
Requires a BCP that addresses a set of rules (what will do)
NYSE Rule 446
Requires written BCP and annual review
HIPAA
Requires a data backup and disaster recovery plan and emergency mode operations plan
Case law
Precedent (already decided by court). Significant case law in area of BCP.
Resource requirements
Financial, Personnel, vital records, risk assessment and BIA, strategy development, alternate site selection and implementation, documenting the plan, testing
Business Impact Analysis (BIA)
*Performed at the beginning of business continuity planning to identify the areas that would suffer the greatest financial or operational loss in the event of a disaster or disruption. It identifies the company's critical systems needed for survival and e
BIA Key Goals
Recovery Time Objective and Recovery Point Objective
Recovery Time Objective
Target time within which the process must be restored after a disruption. It must be shorter than the Maximum Tolerable Downtime (MTD), the amount of time the business can function without the process before an irreversible impact occurs; an RTO longer than the MTD means the plan fails by design.
Recovery Point Objective
Maximum acceptable amount of data loss, measured in time: how far back the last usable copy of the data may be. The backup interval must be no longer than the RPO or the RPO cannot be met.
Document the Disaster Recovery Plan
Plan must be detailed yet simple enough to follow under stress. Includes checklists, plan activation procedures, recovery strategies, how the recovery is managed, HR issues, how recovery costs are tracked and paid, communication plans for stakeholders, and a detailed action plan for each team and memb
Managing Recovery Communications
Employee notification,
Recovery Exercising and Testing
Plans to ensure that critical business operations can resume in the event of a failure or interruption of services. Include notification, escalation, and communication plans, the logistics required, and documentation development. Test on a regular basis; an untested plan is an assumption, not a plan.
Structured Walk-Through/Tabletop Test
Step through the plan by talking through each step without performing it. Lowest complexity and lowest fidelity of results.
Walk-Through/Simulation Test
Actually practice the steps against a scripted scenario, without touching production systems.
Functional Drill/Parallel Test
Perform the recovery steps on non-production or alternate-site systems while production keeps running.
Full Interruption/Full-Scale Test
Performed on production systems, actually interrupting service. Highest complexity and highest fidelity of results, and the only test that proves the plan end to end.
Vendor Management
Controlling the risks presented to your company by third parties.
Interoperability Agreements
Formal contract that defines some form of arrangement in which two entities agree to work with each other in some capacity (SLA, BPA, MOU, ISA).
Service Level Agreement SLA
An agreement between two parties where the level of service is defined.
Business Partner Agreement BPA
A Contract between two entities dictating their business relationship. It defines the expectations and obligations of each party.
Memorandum of Understanding MOU
A letter of intent that documents the specifics of an agreement or arrangement between two parties without legally binding them. Usually seen between organizations of the same type.
Interconnection Security Agreement ISA
A formal declaration of the security stance, risks, and technical requirements of a link between two organizations; it specifies how the vendor is going to connect to your company and what controls sit on that connection.
Integration Considerations
How does the vendor protect PII (privacy), risk awareness, unauthorized data sharing, data ownership, data backups. Make sure the vendor follows your security policy and procedures, and document how compliance and performance will be verified.
On-site Vendor considerations
Escorting, virtual monitoring, ensuring a non-disclosure agreement is in place, and identifying exactly what access the vendor actually needs (no more than that).
Vendors Oversight
Establish performance metrics, ensure oversight is conducted by supervisors with some level of expertise in service provided, monitor financial condition, include triggers to escalate oversight when vendor fails to meet standards.
Ways to address Risk
Avoidance, transfer, mitigation, acceptance, ownership
Avoidance Risk
Do not do what has risk
Transfer Risk
Make someone else bear the financial consequence of the risk (insurance, outsourcing). Accountability for the risk stays with the organization.
Mitigation Risk
Put countermeasure in place - Mitigate to acceptable level.
Acceptance Risk
Live with it
Ownership of Risk
Senior Management
Risk Assessment
Performed by org to determine: Information and asset valuation, threats, vulnerabilities, likelihood a threat will exploit a vulnerability, impact, available countermeasures, residual risk (acceptable level)
Information and Asset Valuation
Consider both tangible and intangible
Determining Risk
Determination of likelihood (incidents, org baseline, availability of countermeasures), Determination of impact (loss of confidentiality, integrity or availability), Determination of risk (product of likelihood and impact). Report findings to senior manag
Risk
Threat x Impact x Probability
Risk analysis approaches
Qualitative vs Quantitative
Vulnerability assessment vs risk assessment
Vulnerability assessment just finds the vulnerability and risk assessment calculates the probability of the vulnerabilities being exploited and the associated business impact.
Qualitative Risk Assessment
No numbers; more opinion- and scenario-based, using a rating system (e.g. high/medium/low) to relay risk criticality levels. Techniques include judgement, best practices, intuition, and experience. Good for intangible assets.
Quantitative Risk Assessment
Use numbers: assign monetary and numeric values to all elements of the risk analysis process, and use risk calculations that attempt to predict the level of monetary loss and the probability for each type of threat. Good for tangible assets. Can use combo
loss potential
what the company would lose if a threat agent actually exploited a vulnerability
delayed loss
secondary in nature, takes place well after vulnerability is exploited.
Annual Rate of Occurrence (ARO)
Value that represents the estimated frequency of a specific threat taking place within a 12-month timeframe. Ranges from 0 (never), through fractions for threats rarer than yearly (0.1 = once every ten years), to 1 (once a year) or greater than 1 (several times a year).
Single Loss Expectancy (SLE)
Asset Value x Exposure Factor (EF)
Exposure Factor
represents the percentage of loss a realized threat could have on a certain asset.
Annualized loss expectancy (ALE)
ARO x SLE
Cost/benefit analysis
(ALE before implementing safeguard) - (ALE after implementing safeguard) - (annual cost of safeguard) = value of safeguard to company
Residual risk
Risk cannot be reduced by 100%; some risk is always left over after the countermeasures are applied.
total risk - countermeasures = residual risk
(threats x vulnerability x asset value) x controls gap = residual risk
Total risk
Risk a company faces if it chooses not to implement any type of safeguard. threats x vulnerability x asset value = total risk.
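The quantitative formulas above (SLE, ALE, the cost/benefit calculation and residual risk) worked through in code. This is an added example, not material from the original page: the file server, its asset value, exposure factors, AROs and safeguard costs are constructed sample figures, and reading "controls gap" as ALE after divided by ALE before is this example's assumption.

```python
"""Quantitative risk analysis worked in code (added example, not from the
original page). Implements the formulas defined in this section:

    SLE = AV x EF                                   single loss expectancy
    ALE = ARO x SLE                                 annualized loss expectancy
    value = ALE(before) - ALE(after) - annual cost  cost/benefit of a safeguard
    residual risk = total risk x controls gap

All asset values, exposure factors, AROs and costs are constructed sample
figures for a hypothetical file server, not data from a real assessment.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    """One threat/asset pair from the risk register."""
    name: str
    asset_value: float       # AV, in currency units
    exposure_factor: float   # EF: fraction of AV lost when the threat is realized
    aro: float               # ARO: occurrences per year; 0.5 means once in two years

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF is a percentage of loss, so it must lie in [0, 1]")
        if self.aro < 0.0:
            raise ValueError("ARO cannot be negative")


def sle(s: Scenario) -> float:
    """Single loss expectancy: what one realized threat costs."""
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized loss expectancy: expected loss per year from this threat."""
    return s.aro * sle(s)


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and how it changes the scenario it protects.
    None leaves the corresponding factor unchanged."""
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None   # reduces impact (EF)
    new_aro: Optional[float] = None               # reduces likelihood (ARO)


def apply(s: Scenario, g: Safeguard) -> Scenario:
    """The same scenario after the safeguard is in place."""
    ef = s.exposure_factor if g.new_exposure_factor is None else g.new_exposure_factor
    aro = s.aro if g.new_aro is None else g.new_aro
    return Scenario(s.name, s.asset_value, ef, aro)


def safeguard_value(s: Scenario, g: Safeguard) -> float:
    """ALE before - ALE after - annual cost of the safeguard.
    Negative means the control costs more per year than the loss it prevents."""
    return ale(s) - ale(apply(s, g)) - g.annual_cost


def best_safeguard(s: Scenario, options) -> Optional[Safeguard]:
    """Highest net value; None if every option loses money (accept or transfer instead)."""
    best = max(options, key=lambda g: safeguard_value(s, g))
    return best if safeguard_value(s, best) > 0.0 else None


def controls_gap(s: Scenario, g: Safeguard) -> float:
    """Fraction of the original risk the safeguard does not remove (1.0 = no control).
    Reading the page's 'controls gap' as ALE(after) / ALE(before) is this
    example's assumption, not a definition taken from the page."""
    before = ale(s)
    return 1.0 if before == 0.0 else ale(apply(s, g)) / before


def residual_risk(s: Scenario, g: Safeguard) -> float:
    """Residual risk = total risk x controls gap; total risk here is the ALE with no safeguard."""
    return ale(s) * controls_gap(s, g)


# Constructed sample: ransomware against a departmental file server.
RANSOMWARE = Scenario("ransomware on file server", asset_value=500_000.0,
                      exposure_factor=0.4, aro=0.5)

OPTIONS = [
    # Cuts the loss per incident (less data lost), not the frequency.
    Safeguard("immutable offline backups", annual_cost=20_000.0, new_exposure_factor=0.1),
    # Cuts the frequency, not the loss when an incident does land.
    Safeguard("EDR plus hardening", annual_cost=60_000.0, new_aro=0.1),
    # Overbuilt: near-total reduction, but dearer than the risk it removes.
    Safeguard("overbuilt rebuild", annual_cost=120_000.0,
              new_exposure_factor=0.05, new_aro=0.05),
]


if __name__ == "__main__":
    print(f"SLE = {sle(RANSOMWARE):,.0f}  ALE = {ale(RANSOMWARE):,.0f}")
    for g in OPTIONS:
        print(f"{g.name:28s} value = {safeguard_value(RANSOMWARE, g):>10,.0f}")
    chosen = best_safeguard(RANSOMWARE, OPTIONS)
    print("choose:", chosen.name if chosen else "none (accept or transfer)")
    if chosen:
        print(f"residual risk = {residual_risk(RANSOMWARE, chosen):,.0f}")
```

With the sample figures the SLE is 200,000 and the ALE 100,000 per year. The backups option nets 55,000 per year, the EDR option 20,000, and the overbuilt option is worth -21,250, which is the case the cost/benefit formula exists to catch: a control that removes almost all of the risk but costs more than the risk itself, where acceptance or transfer is the better answer. Residual risk after the chosen safeguard is 25,000 per year, the part of the ALE the control does not remove.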
Threat Modeling
A planned activity for identifying and assessing threats and vulnerabilities. Enables informed decision making about security risk, identifies and mitigates security issues early, allows for reduction analysis.
Threat Modeling Activities
Assessment Scope, Identify Threat agents and possible attacks, understand existing countermeasures, identify exploitable vulnerabilities, prioritize identified risks, identify countermeasures to reduce threat (Reduction Analysis)
Acquisition Strategies
How to Acquire? One step in the System Development Life Cycle (SDLC). Should be in line with organizations other strategies. Provides a description of roles and responsibilities and milestones. Include processes and guidance.
Personnel Security
Separation of duties, split knowledge and dual control, Rotation of duties, mandatory vacation, NDAs, security-awareness training.
Methodologies for Risk Assessment
Core components - identify vulnerabilities, associate threats, calculate risk values. NIST, FRAP and OCTAVE focus on IT security threats and information security. AS/NZS 4360 takes a broader approach - more focused on health of company from a business poi
Choosing Risk Assessment Methodology
ISO/IEC 27005 or OCTAVE if you want to deploy an organization-wide risk management program and integrate it into your security program.
NIST SP 800-30 if you need to focus just on IT security risks during your assessment.
FRAP if you have a limited budget
Risk Management Frameworks (RMF)
A structured process that allows an organization to identify and assess risk, reduce it to an acceptable level, and ensure that it remains at that level. Examples: NIST RMF SP 800-37r1, ISO 31000:2009, ISACA Risk IT, COSO Ent
NIST RMF
Six step process (as in SP 800-37 Rev. 1; Rev. 2 adds a preliminary Prepare step):
1. Categorize information systems
2. Select security controls
3. Implement security controls (implement and doc)
4. Assess security controls
5. Authorize information systems
6. Monitor security controls
Security Policy Awareness and Training
Purpose is to enhance security, may be required by law