CISSP Domain 3: Information Security Governance and Risk Management
Ways to provide availability:
-Redundant data and power lines
-Software and data backups
-Co-location and off-site facilities
Ways to provide integrity:
-Hashing (data integrity)
-Config Mgmt (system integrity)
-Change Control (process integrity)
-Access controls (physical and technical)
-Software digital signing
-Transmission CRC functions
Level of confidentiality should persist with data at rest, devices within network, data in flight, and once data reaches its destination.
Can be provided by:
-encrypting data at rest (whole disk, database encryption)
-encrypting data in transit (IPSec, SSL, PPTP, SSH)
-strict access control and data classification (physical and technical)
Basically, a weakness that allows a threat to cause harm.
Anything that potentially can cause harm to an asset.
Risk ties the vulnerability, threat, and likelihood of an exploitation to the resulting business impact.
RISK = THREAT x VULNERABILITY
RISK = THREAT x VULNERABILITY x IMPACT (COST)
1. Market Approach: Assumes that the fair value of an asset reflects the price at which comparable assets have been purchased in transactions under similar situations.
2. Income Approach: Based on the premise that the value of a security or asset is the present value of the future earning capacity that the asset will generate over its useful life.
3. Cost Approach: Estimates the fair value of the asset by reference to the costs that would be incurred in order to recreate or replace the asset.
May be a software configuration, hardware device, or procedure.
-access control mechanisms
Software or hardware components
-Identification and Authentication mechanisms
The more sensitive an asset, the more layers of protection put in place.
-Intended to discourage a potential attacker
-Intended to avoid an incident from occurring
-Should be number 1 consideration for security structure of an environment
-Should implement with detective
-Fixes components or systems after an incident occurred
-Intended to bring the environment back to regular operations
-Helps identify an incident’s activities and potentially an intruder
-Should be implemented with preventive
-Controls that provide an alternative measure of control
-Alternate control that provides similar protection as the original control, but has to be used because it is more affordable or allows specifically required business functionality.
ISO/IEC 27000 Series
-Developed in 1995 by U.K.
-Outlines how an Information Security Management System (ISMS), a.k.a. a security program, should be built and maintained.
-Goal was to provide guidance to organizations on how to design, implement, and maintain policies, processes, and technologies to manage risks to their sensitive assets.
-Industry best practice
-Follows PDCA cycle:
–Plan (establish objectives and make plans)
–Do (implementation of plans)
–Check (measure results to see if objectives are met)
–Act (how to correct and improve plans to better achieve success)
ISO 27000: Overview/Vocabulary
ISO 27001: ISMS requirements
ISO 27002: Code of practice in info security mgmt
ISO 27003: Guidelines for ISMS implementation
ISO 27004: Guidelines for ISMS measurement and metrics
ISO 27005: Guidelines for info security risk mgmt
ISO 27006: Guidelines for audit and certification of ISMS
ISO 27011: Guidelines for telecommunications
ISO 27031: Guidelines for business continuity
ISO 27033-1: Guidelines for network security
ISO 27799: Guidelines for health organizations
When developing an architecture, first identify stakeholders. Then create views that illustrate the information in a way conducive to the parties looking at the architecture.
Should allow one to understand the company from several different views and to understand how a change at one level will affect items at another level.
Enterprise Architecture is needed to present information in a way in which all consumers of the information can understand.
Two-dimensional model using 6 basic communication interrogatives (what, how, where, who, when, and why) intersecting with different viewpoints (Planner, Owner, Designer, Builder, Implementer, and Worker) to give a holistic understanding of the enterprise.
Goal of the model is to be able to look at the same organization from different views (Planner, Owner, Designer, Builder, Implementer, and Worker).
This framework is NOT security oriented.
Provides an approach to design, implement, and govern an enterprise information architecture.
Develops the following architecture types:
Creates individual architectures through use of its Architecture Development Method (ADM). This allows an analyst to understand the organization from 4 different views (business, data, applications, technology).
Focus is on command, control, communications, computers, intelligence, surveillance, and reconnaissance systems and processes.
Helps ensure all systems, processes, and personnel work in a concerted effort to accomplish the mission.
Based on DoDAF
Crux of framework is to be able to get data in the right format to the right people as soon as possible.
Subset of enterprise architecture and defines the information security strategy that consists of layers of solutions, processes, and procedures and the way they are linked across an enterprise strategically, tactically, and operationally.
Main reason to develop an enterprise security architecture is to ensure that security efforts align with business practices in a standardized and cost-effective manner.
Layered model with first layer defining business requirements from a security perspective.
Framework and methodology for enterprise security architecture and service management.
-Business drivers and the regulatory and legal requirements are being met by the security enterprise architecture.
-Core business processes are integrated into the security operating model; they are standards-based and follow risk tolerance criteria.
-Organization must take a close look at their business processes that take place on an ongoing basis.
System architecture addresses the structure of software and computing components.
Derived from COSO. COSO is a model for corporate governance; CobiT is a model for IT governance.
Security framework that acts as a model for IT governance and focuses more on operational goals.
Framework and set of control objectives developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs.
Broken down into four domains:
-Plan and Organize
-Acquire and Implement
-Deliver and Support
-Monitor and Evaluate
Provides checklist approach to IT governance by providing a list of things that must be thought through and accomplished when carrying out different IT functions.
CobiT provides the objectives that the real-world implementations (controls) you choose to put in place need to meet. Where ISO 27000 would say “Unauthorized access should not be permitted”, CobiT would define the specific objectives that must be met to satisfy this.
Most security auditing practices used today in the industry are based on CobiT.
Outlines controls that agencies need to put in place to be compliant with the Federal Information Security Management Act of 2002.
Control categories (families) are the Management, Operational, and Technical controls prescribed for an information system to protect confidentiality, integrity, and availability of the system and its information.
Audit and Accountability–Technical
Security Assessment and Authorization–Management
Government auditors use SP 800-53 as their “checklist” approach for ensuring that government agencies are compliant with government-oriented regulations.
Created to deal with fraudulent financial activities and reporting. Made up of the following components:
Security framework that acts as a model for corporate governance and focuses more on strategic goals.
-Information and Communication
Model for corporate governance (where CobiT is model for IT governance).
Deals more with non-IT items such as company culture, financial and accounting principles, board of director responsibilities, and internal communication structures.
SOX is based on COSO.
Capability Maturity Model Integration (CMMI)
Was created because of the increased dependence on IT to meet business needs.
Focus is more toward internal SLAs between the IT department and the “customers” it serves.
Goal is to improve process quality by using statistical methods of measuring operation efficiency and reducing variation, defects, and waste.
Developed by Motorola with the goal of identifying and removing defects from its manufacturing processes.
According to this circular, independent audits should be performed every three years.
Model is also used within organizations to help lay out a pathway of how incremental improvement can take place.
Crux of CMMI is to develop structured steps that can be followed so an organization can evolve from one level to the next and constantly improve its processes and security posture.
Developed by Carnegie Mellon
Bottom-up: Staff (usually IT) try to develop a security program without getting proper management support.
Bottom-up is far less effective than top-down approach.
–Establish management commitment.
–Establish oversight steering committee.
–Assess business drivers.
–Develop a threat profile on the organization.
–Carry out a risk assessment.
–Develop security architectures at business, data, application, and infrastructure levels.
–Identify solutions per architecture level.
–Obtain management approval to move forward.
–Assign roles and responsibilities.
–Develop and implement security policies, procedures, standards, baselines, and guidelines.
–Identify sensitive data.
–Implement the following blueprints:
—–Asset identification and management
—–Identity management and access control
—–Software development life cycle
—–Business continuity planning
—–Awareness and training
–Develop auditing and monitoring solutions.
–Establish goals, service level agreements (SLAs), and metrics.
3. Operate and maintain
–Ensure that all baselines are met.
–Complete internal and external audits.
–Complete tasks outlined in the blueprints.
–Manage SLAs as outlined in the blueprints.
4. Monitor and evaluate
–Review logs, audit results, collected metric values, and SLAs per blueprint.
–Carry out quarterly meetings with steering committees.
–Develop improvement steps and integrate into the Plan and Organize phase.
Security enterprise framework is the ARCHITECTURE layout of the house (foundation, walls, ceilings).
Blueprints are the detailed descriptions of specific components in the house (window types, security system, electrical and plumbing).
An inspector uses checklists to inspect a house, just as an auditor uses checklists (CobiT/SP 800-53) to ensure that you are building and maintaining your security program securely.
Once house is built, procedures for running the house day in and day out are implemented. This is where ITIL comes into play.
Optimizing daily activities occurs with Six Sigma.
Information Risk Management (IRM) is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level.
Types of Risk
-Inside and outside attacks
-Misuse of data
-Loss of data
IRM policy provides the foundation and direction for the organization’s security risk management processes and procedures.
Should have one person assigned to lead the IRM team and devote at least 50-70% of their time to this.
Used to GATHER DATA
Risk assessment calculates the probability of a vulnerability being exploited and the associated business impact. In contrast, a vulnerability assessment is just focused on finding the vulnerabilities (the holes).
Four Main Categories:
1. Identify asset and value to organization
2. Identify vulnerabilities and threats
3. Quantify probability and impact of threats
4. Provide economical balance between impact of threat and cost of control
Provides a cost/benefit comparison: this compares the annualized cost of the control versus the potential cost of loss. A control’s cost should generally not exceed the potential loss.
Used to EXAMINE the gathered data and PRODUCE RESULTS that can be acted upon.
Must include people who understand the individual processes in their department(s).
Loss of market share
Considered U.S. federal government standard
Specific to IT threats and how they relate to IT security risks.
Mainly focused on computer systems and IT security issues.
Covers IT and operations
Does not cover larger threats like natural disasters, succession planning, etc.
Focus only on systems needing assessing to reduce time and cost obligations.
Used if limited budget.
Stresses pre-screening so that risk assessments are carried out only on those systems that need them.
Used to analyze one system, application, or process at a time.
Does not support calculating exploitation probability or annual loss expectancy.
Created by Carnegie Mellon
Methodology intended to be used in situations where people manage and direct the risk evaluation for information security within the company.
Puts people that work inside the company in position to make decisions on what the best approach is to secure organization.
Uses facilitated workshops.
Stresses self-directed team approach.
Used to analyze ALL systems, ALL applications, and ALL processes (FRAP just analyzes individual systems, applications, and processes).
1. Identify staff knowledge, assets, and threats
2. Identify vulnerabilities and evaluate safeguards
3. Conduct risk analysis and develop a risk mitigation strategy
Used to understand company’s financial, capital, human safety, and business risk decisions.
Focused on health of a company from a business point of view, not security.
International standard on how risk management can be carried out in ISMS.
Covers IT and softer items, like documentation, personnel security, training, etc.
Used for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process.
Used to dig into details of specific systems.
Commonly used in product development and operational environments.
Goal is to identify where something is most likely to break and either fix the flaw or implement controls to reduce the impact of the break.
Failure Modes (how something can break or fail)
Effects Analysis (impact of that break or failure)
First developed for systems engineering with the purpose of examining potential failures in products and the processes involved with them.
Not useful in discovering complex failure modes that may be involved in multiple systems or subsystems.
Used to dig into details of specific systems.
Created by the U.K., and tools sold by Siemens.
1. Define Objectives
2. Assess Risks
3. Identify Countermeasures
Organization would be at risk of losing $100,000 if a buffer overflow was exploited on a web server.
Asset Value x Exposure Factor (EF) = SLE
Exposure Factor (EF) represents the percentage of loss a realized threat could have on a certain asset.
Data warehouse asset value = $150,000
If fire, 25% would be lost
Asset Value ($150,000) x EF (25%) = SLE ($37,500)
SLE x Annualized Rate of Occurrence (ARO) = ALE
ARO is a value that represents the estimated frequency of a specific threat taking place within a 12-month timeframe.
Range for ARO:
1.0 (once per year)
> 1 (several times per year)
3 times / year = 3.0
Once every 10 years = 0.1
Once every hundred years = 0.01
Fire in data warehouse causes SLE of $37,500
Expected to occur once every 10 years
SLE ($37,500) x ARO (0.1) = ALE ($3,750)
So the company could spend $3,750 or less annually on controls to mitigate fire destruction of the data warehouse asset. Spending more than $3,750 would not make sense.
ROI = the amount of money saved by implementing a safeguard.
If TCO is less than ALE, you have a positive ROI (good decision). If TCO is higher than ALE, you have a negative ROI (bad decision).
Examples on gathering data:
-Delphi: group decision making where people submit their ideas individually (not during a group activity). This helps reduce group pressures.
Risk of a buffer overflow exploitation on a web server would be rated as red, yellow, or green. A scale could also be used, such as a scale of 1-5. No monetary values are assigned.
ALE of the threat of a hacker bringing down the web server: $12,000
ALE after implementing safeguard = $3,000
Annual cost of safeguard = $650
$12,000 – $3,000 – $650 = $8,350 (annual value of safeguard)
total risk – countermeasures = residual risk
Threats x vulnerabilities x assets x (control gap) = residual risk
Total risk: Risk company faces if it chooses not to implement any safeguard. Expressed as:
Threats x vulnerabilities x assets = total risk
-Risk Transfer: purchase insurance
-Risk Avoidance: terminate activity that’s introducing risk
-Risk Mitigation: Reduce risk to acceptable level (i.e. implement firewalls, training, IDS/IPS)
-Risk Acceptance: Simply live with the risk and do not implement countermeasures.
A security policy defines the technology that should be used to control access to a company’s network or buildings.
Formulated by management, this security policy defines the procedure used to set up a security program and its goals. It identifies the major functional areas of information and defines all relevant terms. Management assigns the roles and responsibilities and defines the procedure used to enforce the security policy. A security policy is developed prior to the implementation of standard operating procedures. Organizational policies are strategically developed for the long term.
Referred to as Master Security Policies
Addresses specific security issues that management feels need more detailed explanation and attention to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues.
An issue-specific security policy involves the detailed evaluation of security problems and addresses specific security issues. An issue-specific security policy ensures that all employees understand these security issues and that they comply with the security policies defined to address these security issues.
Example: an email security policy stating management has the right to read employees’ emails residing on a server, but not when they reside on a user’s workstation.
A system-specific policy defined by management describes the rules governing the protection of information processing systems, such as databases, computers, and other infrastructure equipment. A system-specific policy is strategic in nature and is designed with a long-term focus. This policy restricts the use of software to only those approved by management and further defines the policies and guidelines for system configuration, implementation of firewalls, intrusion detection systems, and network and virus scanners. A system-specific policy is used to implement security configuration settings that have been determined to provide optimum security to the infrastructure assets. It should include a statement of senior executive support and a definition of the legal and regulatory controls.
Policy that outlines how a database containing sensitive info should be protected, who has access, and how auditing will take place.
Advisory: Strong advisement of following a policy. List possible ramifications if not followed. Might describe how to handle medical or financial information.
Informative: Informs employees of certain topics. Not enforceable. Stuff like how a company interacts with its partners, company’s goals, etc.
Policy is mandatory.
A policy would not use terms like Windows or Linux. Instead, a server policy would state things like protecting the confidentiality, integrity, and availability of the system.
How to install an OS, configure security parameters, set up new user accounts, etc.
Gives a policy its support and reinforcement in direction.
Describes the specific use of technology:
–All employees receive a Windows 7-based desktop with a 2.8 GHz CPU, 16 GB RAM, and a 2 TB hard drive.
Standards are mandatory.
Deals with methodologies of technology, personnel, or physical security.
Discretionary. Not mandatory.
Consistent reference point.
Used to define minimum level of protection required.
Unified ways to implement a safeguard and discretionary.
Supporting standard mandates that all customer info be held in a database and be encrypted with AES-256.
Procedures explain exactly how to implement AES and IPSec.
Once configuration is completed, the system is now at baseline.
Primary purpose is to indicate the level of confidentiality, integrity, and availability protection that is required for each type of data set. Ensures data is protected in the most cost-effective manner.
Common levels of sensitivity for Commercial businesses
Common levels of sensitivity for Government
-Sensitive, but unclassified
Goal is to ensure shareholders’ interests are being protected and that the corporation is running properly.
Responsible for informing stakeholders of firm’s financial condition and health.
Ultimately responsible for the success of the security program.
Often reports to CSO
Must understand the organization’s business drivers, creating a security program, security compliance, etc.
Security: the mechanisms that can be put in place to provide this level of control.
CEO should head this committee.
Should meet at least quarterly.
Goal is to provide open and independent communication between the Board of Directors and the company’s management and internal/external auditors.
Can be held responsible for data.
Decides on data classification, backups, disclosure, approves access requests.
Delegates responsibilities to Data Custodian.
Fulfilled by IT or Security department.
Implements the controls necessary for protecting, backing up, maintaining security controls, etc.
Ensures systems are properly assessed for vulnerabilities and reports incidents to team and data owner.
Include things like IDS, IPS, antimalware, proxies, data loss prevention, etc.
Includes new user account creation, implementing new security software, testing security patches, and issuing new passwords.
Design level person.
Responsible for dictating who can and cannot access their applications.
Responsible for all user activities and any assets created and owned by these users.
Evaluates various markets, works with vendors, and advises management on proper solutions needed to meet their goals.
Goal is to make sure the organization complies with its own policies and the applicable laws and regulations.
Preventative Administrative control to reduce fraud.
Bank vault that requires two sets of codes to open the vault (each person has only their own code).
Two officers must perform identical key-turns in order to launch a missile.
Security Awareness Program created for 3 types of audiences:
3. Technical Employees
Should happen during hiring and at least annually thereafter. Integrate into employee performance reports.
–Reminding users to never share account passwords is an example of awareness
Training provides a skill set.
–Training service desk to open/close new tickets
–training staff to configure a router
Strong management support necessary.
There has to be established policies, procedures, and standards to measure against.
Measurement activities need to provide quantifiable performance-based data that is repeatable, reliable, and produces results that are meaningful.
Breaks individual metrics down into:
ISO 27001 tells you how to BUILD the security program, ISO 27004 tells you how to measure it.
Breaks metrics down into
Due Diligence: is the management of due care. Follows a process.
Accreditation: Is the data owner’s acceptance of the risk represented by that system.
NIST 800-37 specifies 4-step Certification and Accreditation process:
1. Initiation phase
2. Security certification phase
3. Security accreditation phase
4. Continuous monitoring phase
Tactical Goals = more time than operational, but not as long as strategic. Milestones within a project.
Strategic Goals = 1 year or longer goals
Assurance procedures should be developed based on the organization’s security policy.
-user rights and permissions
-registry permissions and system services
Other areas that should be covered include:
-event log settings