CISSP Domain 1 - Security and Risk Management
Terms in this set (169)
Act of hiding or preventing disclosure. Often is viewed as a means of cover, obfuscation or distraction.
Countermeasures for Integrity
Access controls, rigorous authentication procedures, IDS, data encryption, hash total verifications, personnel training. Without confidentialisy, integrity cannot be maintained.
AAA - Authentication, authorizing and accountability
Contains Five Elements:
Input Validation should be used in all forms to ensure that data control language is not entered, and field size and data types are enforced
Published software should provide the user with a message digest so the user can validate the accuracy and completeness of the software
Subjects should be prevented from modifying data, unless explicitly allowed.
Software shall meet availability requirements of x% uptime as specified in SLA
Software should support x number of users simultaneously
Software must support replication and provide load balancing
Mission critical functionality of the software should be restored to normal operation within x minutes
The process by which a subject professes an identity and accountability is initiated. Can involve typing in a username, swiping a smart cards, speaking a phrase or positioning face, hand or finger for scanning. Without an identity, a system has no way to correlate an authentication factor with the subject.
Process of verifying or testing that the claimed identity is valid. Most common from of authentication is using password. Authentication verifies the identity of the subject by comparing one or more factors against the database of valid identities. The authentication factor used to verify the identity is private information. Identification and Authorization are always used together as a single two-step process.
Basic: user supplied password
Certificate based: X.509 v4 certificates
Once a subject is authenticated, this must occur. Ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity. In most cases, the system evaluates an access control matrix that compares the subject, the object and the intended activity. If the specific action is allowed, the subject is authorized. If the action is not allowed, the subject is not authorized. Subject only has least privilege access.
Programmatic means by which a subject's actions are tracked and recorded for the purpose of holdin gthe subject accountable for their actions while authenticated on a system. Recording activities of a subject and its objects as well as recording the activities of core system functions. Log files provide an audit trail for re-creating the history of an event, intrusion or system failure.
You can maintain security only if subjects are held accountable for their actions. Effective accountability relies on the capability to prove a subject's identity and track their activities. Established by linking a human to the activities of an online identity through the security services and mechanisms of auditing, authorization, authentication and identification. Human accountability is ultimately dependent on the strength of the authentication process. To have viable accountability, you must be able to support your security in a court of law.
How much security is enough?
Finding proper balance between cost and benefits. Cost/benefit analysis and risk analysis drives this.
Made possible through identification, authentication, authorization, accountability and auditing. Can be established using digital certificates, session identifiers, transaction logs. A suspect cannot be held accountable if they can repudiate the claim against them.
Are common characteristics of security control. Not all security controls must have them, but many controls offer their protection for confidentiality, integrity and availability through the use of these mechanisms. These mechanisms include using multiple layers or levels of access, employing abstraction, hiding data and using encryption
Layering AKA Defense in Depth
The use of multiple controls in a series. No one control can protect against all possible threats. Using a multilayered solution allows for numerous, different controls to guard against whatever threats come to pass. Using layers in a seriers rather than in parallel is important. Only through a series configuration will each attach be scanned, evaluated or mitigated by every security control.
Used for efficiency. Similar elements are put into groups, classes or roles that are assigned security controls, restriction or permissions as a collective. The concept is used when classifying objects or assigning roles to subjects. The concept also includes the definition of object and subject types or of objects themselves. Is used to define what types of data an object can contain, what types of function can be persormed on or by that object and what capabilites that object has.
Preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject. Forms of this include keeping a database from being accessed by unauthorized visitors and restricting a subject at a lower classification level from accessing data at a higher classification level. Preventing an application from accessing hardware directly is also a form of data hiding. Is often a key element in security controls as well as in programming.
Ensures that stakeholder needs, conditions and options are evaluated to determine:
Balanced agreed-upon enterprise objectives to be achieved
Setting direction through prioritization and decision making
Monitoring performance and compliance against agreed-upon direction and objectives
Defines risk appetite.
Plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives. Defines risk tolerance inside risk appetite.
Aligns the secuirty functions to the strategy, goals, mission and objectives of the organizaiton. Responsibility of upper management and is considered a business operations issue rather than IT administration issue. Without senior management's approval of and committment to the security policy, the policy will not succeed.
Top Down Approach
Upper, or senior management is responsible for initiating and defining policies for the organization. Secuirty policies provide direction for all levels of the organization's hierarhcy. It is the responsibiltiy of middle management to flesh out th esecuirty policy into standards, baselines, guidelines and procedures. The operational managers or secuirty professionals must then implmenet the configurations prescribed in the security management documentation. FInally, the end users must comply with all the security policies.
Bottom Up Approach
The IT department tries to implement security. Is not the proper method, should be using a top down approach!
CEO, CSO, CIO, etc
Responsible and liable for security within org, development and support of policies, prioritization of business processes, allocation of resources, decisions based on risk, set the Business continuity policy.
BCP Steering Committee
Conduct the BIA
Coordinate with department reps
Develop analysis group
Long term plan, should include a risk assessment
Midterm plan developed to provide more details on accomplishing the goals set forth in th estrategic plan. A tactical plan is typically useful for about a year and prescribes and schedules the tasks necessary to accomplish organizational goals. Ex include - project plans, acquisition plans, budget plans, maintenance plans
Short term, highly detailed plan based on the strategic and tactical plans. Only valid or useful for a short time. Must be updated often (quarterly or monthly) to retain compliance with tactical plans. Include details on how the implementation processes are in compliance with the organization's security policy. Ex. are training plans, system deployment plans.
Process usually involves reviewing any nondisclosure agreements as well as any other binding contracts or agreements that will continue after employment has ceased.
Helps to define access levels, types of authorized uses, and parameters for declassification and/or destruction of resources that are no longer valuable. It also helps with data life-cycle management which in part is the storage length(retention), usage and destruction of the data.
Seven Phases of Data Classification
1. Identify the custodian and define their responsibilities
2. Specify the evaluation criteria of how the information will be classified and labeled
3. Classify and label each resource (The owner conducts this step)
4. Document any exceptions to the classification policy that are discovered, and integrate them into the evaluation criteria
5. Select the security controls that will be applied to each classification level to provide the necessary level of protection
6. Specify the procedures for declassifying resources and the procedures for transferring custody of a resource to an external entity
7. Create an enterprise-wide awareness program to instruct all personnel about the classification system
Levels of Government/Military Classification
Top Secret - highest level. Classified
Secret - data of restricted nature. Classified
Confidential - private, sensitive data. Classified
Sensitive but unclassified
Unclassified - lowest level
Acronym - US Can Stop Terrorism (backwards is TSCSU)
Business Classification Levels
Confidential - Highest level of classification. Extremely sens company data.
Proprietary - Used for trade secrets
Private - Data that is personal, internal use only. personal data.
Sensitive - Data that is more classified than public data
Public - Lowest level of classification. Disclosure does not have negative impact
Assigned to the person who is responsible for classifying information for placement and protection within the security solution.
User who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management. Performs all activities necessary to provide adequate protection for the CIA triad of data. Activities include performing and testing backups, validating data integrity, deploying security solutions and managing data storage based on classification.
COBIT - Control Objectives for Information and Related Technology
Prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives. Documented set of best IT security practices crafted by ISACA. Based on 5 key principles:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-End
3. Applying a Single, Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management
Using reasonable care to protect the interests of an organization. Ensuring that "best practices" are implemented and followed. Following up Due Dilligence with action. Using due care and due diligence will not cause business or senior management to be liable for loss.
Practicing the activities that maintain the due care effort. Continuously monitoring an organization practices to ensure they are meeting/exceeding the security requirements.
Ex. Due Care is developing a formalized secuirty structure containing a policy, standards, baselines, guidelines. Due diligence is the continued application of this security structure onto the IT infrastructure.
Prudent Man Rule
Acting responsibly and cautiously as a prudent man would. In 1991, the federal sentencing guidelines formalized a rule that requires senior executives to take personal responsibility for information security matters.
Security Policy (Organizational Security policy)
Document that defines the scope of security needed by the organization and discusses the assts that require protection and the extent to which security solutions should go to provide the necessary protection. Overview or generalization of an organization's security needs. Defines the main security objectives and outlines the security framework of an organization. Should clearly define why security is important and what assets are valuable. Is a strategic plan for implemening security. High level and broad, not a detailed policy.
Overall Categories of Security Policies
Regulatory - required whenever industry or legal standards are applicable
Advisory - Discusses behaviors and activities that are acceptable and defines consequences (most policies)
Informative - Designed to provide information or knowledge about a specific subject
Security Standards, Baselines and Guidelines
Are developed after the main security policies are set. Standards - Define what policy says. Specific requirements for the homogenous use of hardware, software, technology, and security controls. Are tactical documents that define steps or methods to accomplish the goals and overall direction defined by security policies.
Baselines - Define minimum level of security that every system in the org must meet. All systems not in compliance should be taken out of production until they meet baseline.
Guidelines - non-mandatory. Offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users. Are flexible so they can be customized for each unique system or condition and can be used in the creation of new procedures.
The final element of the formalized security policy structure. A procedure is a detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control or solution. Ensure the integrity of a business process.
Relationship of security policy components
Security process where potential threats are identified, categorized and analyzed. Can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed. In either case, the process identifies the potential harm, the probability of occurrence, the priority of concern and the means to eradicate or reduce the threat.
Proactive/defensive approach - takes place during early stages of system development, specifically during initial design and spec establishment. Based on predicting threats and designing in specific defenses
Reactive/adversarial approach - Takes place after a product has been created and deployed. Core concept behind ethical hacking, penetration testing, source code review.
Types of Threat Modeling
Focused on Assets
Focused on Software
Focused on Attackers
Specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws. Fuzz testing software supplies invalid input to the software, either randomly generated or specifically crafted to trigger known software vulns.
Occurs in threat modeling - Often used in relation to assessing threats against applications or operating systems.
Spoofing - Attack with the goal of gaining access to a target system through the use of a falsified identity
Tampering - any action resulting in the unauthorized changes or manipulation of data
Repudiation - ability for user or attacker to deny having performed an action or activity
Information Disclosure - relevant distribution of private, confidential or controlled information to external or unauthorized entities
Denial of Service - dos
Elevation of Privilege - attack where a limited user account is transformed into an account with greater privileges
Determining and Diagramming Potential Attacks
Occurs in threat modeling - Happens after an understanding has been gained in regards to threats facing infrastructure or projects. First, a data flow diagram is created and all technologies involved are identified (OS, protocols, apps). Then, attacks are identified that could be targeted at each element of the data diagram.
Performing Reduction Analysis
Occurs in threat modeling - Happens after determining potential attacks. aka decomposing the app, system, env. Purpose is to gain a greater understanding of the logic of the product as well as its interactions with external elements. System/app/env needs to be divided iinto smaller containers or compartments. It makes it much easier to identify the essential components of each element as well as take notice of vulns and points of attack.
Prioritization and Response
Occurs in threat modeling - Happens after reduction analysis. Next is to fully document the threats. After documentation, threats are ranked or rated.
Probability x Damage Potential
Produces a risk severity number on a scale of 1 to 100 with 100 being the most severe risk possible. Each of the 2 initial values (probability or damage) can be assigned numbers between 1 and 10 with 1 lowest. These rankings can be arbitrary and subjective.
Based on the answers to 5 main questions about each threat:
1. Damage potential - How severe is the damage likely to be if the threat is realized?
2. Reproducibility - How complicated is it for attackers to reproduce the exploit?
3. Exploitability - How hard is it to perform the attack?
4. Affected users - How many users are likely to be affected(percentage)?
5. Discoverability - How hard is it for an attacker to discover the weakness?
By asking these and potentially additional questions, along with assigning high/med/low or 3/2/1 values, you can establish a detailed threat prioritization.
Responses to threats
Once threat priorities are set, this needs to be determined. Technologies and processes to remediate threats should be considered and weighted according to their cost and effectiveness.
The collection of practices related to supporting, defining, and directing the security efforts of an organization. Should be aligned with business goals and processes.
COBIT and COSO focus on goals for security.
ITIL - IT service management.
OCTAVE - self directed risk assessment
ISO 27000 series
ISO 27000 Series
ISO 27001 - Is direction on how to plan, set up, improve, manage ISMS. Uses Plan, Do, Check, Act model. Describes implementation and controls.
ISO 27002 - absorbed: BS 7799-1, BS 7799-2, ISO 17799. Provides advice for how to implement security controls. Best practices or how to.
ISO 27005 - A standards based approach to risk managemnet
Used as a guide for selecitng candidates and properly evaluating them for a position. The thoroughness of the screening process should reflect the security of the position to be filled. Maintaining security through job descriptions includes the use of speration of duties, job responsibilities and job rotation
The occurrence of negative activity undertaken by two or more people, often for the purposes of fraud, theft or espionage
Outlines the rules and restrictions of the organization, security policy, acceptable use and activities policies, details of the job description, violations and consequences and the length of time the position is to be filled by the employee. Should be signed by new employees when hired.
Primary purpose of exit interview
To review the liabilities and restrictions placed on the former employee based on the employment agreement, nondisclosure agreement and any other security related documentation
Steps for Termination
1. Inform the person that they are relieved of their job. with a witness in attendance.
2. Request the returrn of all access badges, keys and company equipment
3. Disable the person's electronic access to all aspects of the organization
4. Remind the person about the NDA obligations
5. Escort the person off the premises
Important when using any type of third-party service provider.
Commonly addressed issues:
Maximum consecutive downtime
Responsibility for diagnostics
Being susceptible to asset loss because of a threat
= Threat x Vulnerability
Is the responsibility of upper management to initiate and support risk analysis and assessment by defining the scope and purpose of the endeavor. All risk assessments, results, decisions and outcomes must be understood and approved by upper management. Primary goal is to reduce risk to an acceptable level.
Risk event that comes as a result of another risk response
Identify Assets, Threats, Vulnerabilities
Risk must be reduced and managed. Risk can never be totally eliminated!!
Exposure Factor (EF)
Represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk. Can also be called the loss potential.
Quantitative Risk Analysis
Value of potential risks. Results in concrete probability percentages. The end result is a report that has dollar figures for levels of risk, potential loss, cost of countermeasures and value of safeguards. Places a dollar figure on each asset and threat. Although some items are not tangible and cannot be quantified.
1. Inventory assets and assign a value
2. Research each asset and produce a list of all possible threats of each individual asset. For each threat, calculate the exposure factor(EF) and single loss expectancy(SLE)
3. Perform a threat analysis to calculate the likelihood of each threat being realized within a single year - annualized rate of occurence (ARO)
4. Derive the overall loss potential per threat by calculating the annualized loss expectancy (ALE)
5. Research countermeasures for each threat and then calculate the changes to ARO and ALE based on applied countermeasures
6. Perform a cost/benefit analysis of each countermeasure for each threat for each asset. Select the most appropriate response to each threat.
Single Loss Expectancy (SLE)
The EF is needed to calculate this. Is the cost associated with a single realized risk against a specific asset. It indicates the exact amount of loss an org woul dexperience if an asset were harmed by a specific threat occurring.
SLE = asset value(AV) * exposure factor (EF)
SLE is expressed in a dollar value.
Annualized Rate of Occurence (ARO)
The expected frequency with which a specific threat or risk will occur within a single year. Can range from a value of 0.0, indicating that the threat or risk will never be realized, to a very large number, indicating that the threat or risk occurs often. It can be derived from historical records, statistical analysis or guesswork. Also known as probability determination. For some threats or risks, it is calculated by multiplyin gthe likelihood of a single occurrence by the number of users who could initiate the threat.
ARO after applied countermeasures
The best of all possible safeguards would reduce the ARO to zero. Many safeguards have an applied ARO that is smaller than the nonsafeguarded ARO.
Annual Loss Expectency (ALE)
Possible yearly cost of all instances of a specific realized threat against a specific asset.
ALE = SLE * ARO
Calculating Safeguard Costs
Numerous factors are involved including:
Cost of purchase, development
Cost of implementation and customization
Cost of annual operation, maintenance
Cost of annual repairs and upgrades, etc.
If the cost of the countermeasure is greater than the value of the asset, you should accept the risk.
Accidental or intentional exploitations of vulnerabilities
Calculating Safeguard Cost Benefit
(ALE before safeguard - ALE after implementing the safeguard) - annual cost of safeguard (ACS) = value of safeguard to the company.
If the result is negative, the safeguard is not a financially responsible choice. If the result is positive, then that value is the savings your orgazniztion will reap.
Total Cost of Ownership (TCO)
is the total cost of implementing a safeguard. Often in addition to initial costs, there are ongoing maintenance fees as well. Ex. purchasing an AV, it also includes annual fees
Return on Investment (ROI)
Amount of money saved by implementation of a safeguard. Sometimes referred to as the value of the safeguard/control
Qualitative Risk Analysis
More scenario based than calculator based. Threats are ranked on a scale to evaluate their risks, costs and effects. May use Delphi Technique. Uses words like high, medium low to describe likelihood and severity of a threat eoxposing a vulnerability.
Simply an anonymous feedback-and-response process used to enable a group to reach an anonymous consensus. Primary purpose is to elicit honest and uninfluenced responses from all participants.
A written description of a single major threat. The description focuses on how a threat would be instigated ans what effects its occurrence could have on the organization, IT infrastructure and specific assets. For each scenario, one or more safguards are described that would completely or partially protect against the major threat discussed in the scenario. The analysis participants then assign to the scenario a threat level, loss potential and advantages of each safeguard. They can be high, med, low or 1-10 scale.
Implementation of safeguards and countermeasures to eliminate vulnerabilities or block threats. Lessens the probability and/or impact of a risk to a tolerable level
Purchasing insurance and outsourcing are common forms of this. Shares the risk with another party.
End process associated with risk
The valuation by management of the cost/benefit analysis of possible safeguards and the determination that the cost of the countermeasure greatly outweighs the possible cost of loss due to a risk. Also means that management has agreed to accept the consequences and the loss if the risk is realized. Whenever you choose to accept a risk, you should maintain detailed documentation of the risk acceptance process to satisfy auditors in the future.
Denying that a risk exists and hoping that is will never be realized. Not acceptable response.
Risk that remains after countermeasures are implemented
total risk - controls gap = residual risk
Total Risk (Inherent Risk)
The amount of risk an organization would face if no safeguards were implemented.
asset value = total risk
Implementation of Controls
(from outside in)Physical>Logical Controls>Admin Controls>Assets
Security controls, countermeasures and safeguards can be implemented administratively, logically/technically, or physically. Should be implemented in a defense-in-depth manner
Technical or logical access involves the hardware or software mechanisms used to manage access and to provide protection for resources and systems. As the name implies, it uses technology. Methods include authentication methods, encyption, acls, protocols, firewalls, routers, ids
The policies and procedures defined by an org's security policy and other regulations or requirements. Sometimes referred to as management controls. Focus on personnel and business practices. Includes: admin access policies, procedures, hiring practices, background checks, data classifications, security awareness, work supervision, etc.
Items you can physically touch. Include physical mechanisms deployed to prevent, monitor or detect direct contact with systems or areas within a facility. Include guards, fences, motion detectors, locks, lights, badges, cameras, mantraps, alarms, etc.
Modifies the environment to return systems to normal after an unwanted or unauthorized acticity has occured. Can be antivirus solutions that quarentine a threat, or rebooting a system
Extension of corrective controls but have more complex abilities. Ex. include backups and restores, system imaging, server clustering, vm shadowing, etc.
Deployed to discover or detect unwanted or unauthorized activity. Operate after the fact and can discover the activity only after it has occured. Ex. include audit trails, job rotation, honeypots, etc.
Deployed to provide various options to other existing controls to aid in enforcement and support of security policies. Can be any controls used in addition to, or in place of, another control.
Deployed to direct, confine or control the actions of subjects to force or encourage compliance with security policies. Includes security policy requirements or criteria, supervision and procedures.
Goal is to assign to an asset a specific dollar value that encompasses tangible costs as well as intangible ones. It provides values for insurance, foundation for cost/benefit analysis, establishes net worth, helps senior management understand risk, prevents negligence of due care and encourages compliance with legal requirements and regulations.
Performed to provide uppoer management with the details necessary to decide which risks should be mitigated, transferred or accepted. It identifies risk, quantifies the impact of threats and aids in budgeting for security.
Establishes a common baseline or foundation of security understanding across the entire org and focuses on key or basic topics and issues related to security that all employees must understand and comprehend. Issues to be covered are avoiding waste, fraud, and unauthorized activities. Awareness program should be tied to the security policy.
NIST RMF - Risk Management Framework
1. Categorize - the info system and info processed, stored and transmitted by that system based on an impact analysis
2. Select - an initial set of baseline security controls for the information system based on the security categorization
3. Implement - the security controls and describe how the controls are employed within the information system and its env
4. Assess - the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operatin gas intended and producing desired outcome
5. Authorize - info system operation based on a determination of the risk to org operations and assets, individulas, other orgs, resulting from the operation of the info system
6. Monitor - the secuirty controls in the info system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment, conducting security impact analysis
Awareness, Training and Education
Ultimately trying to modify user behavior.
Awareness - Before training can take place, this must occur
Training - trains employees to perform their work tasks and to comply with the security policy
Education - A more detailed endeavor where students/users learn much more than they actually need to know to perform their work tasks.
Business Continuity Planning (BCP)
Involves assessing the risks to organizational processes and creating policies, plans and procedures to minimize the impact those risks might have on the org if they were to occur. Used to maintain the continuous operation of a business in the event of an emergency situation. Top priority is always ensuring safety of people. Overall goal is to provide a quick, calm and efficient response in the event of an emergency and to enhance a company's ability to recover from a disruptive event proptly.
Has 4 main steps:
1. Project scope and planning
2. Business impact assessment
3. Continuity planning
4. Approval and implementation
BCP vs. DRP
BCP comes first and if the BCP efforts fail, DRP steps in to fill the gap. DRP is more IT focused and goal is to minimize the effects of a disaster. BCP focuses on sustaining operations, long term focused.
BCP Threat Types
Man-Made - terrorism, hackers
Natural - fire, flood, etc.
Technical - power outages, device failures
Declaring a disaster
Anyone can declare an emergency, only Senior Management or the BCP Coordinator can declare a disaster (disaster is when the entire facility is unusable for a day or longer)
Business Organizational Analysis
The first responsibilities of the individuals responsible for business continuity planning is to perform an analysis of the business org to identify all departments and individuals who have a take in the BCP process. This step provides groundwork to help identify potential members of the BCP team. Second, it provides the foundation for the remainder of the BCP process.
Also, the first step of the BCP team is to review and validate the business organization analysis
BCP Team Selection
After organization analysis is conducted, the BCP team is selected.
Representatives from each of the org's departments responsible for the core services performed by the business.
Reps from the key support departments identified by the organizational analysis
IT reps with technical expertise in areas covered by the BCP
Security reps with knowledge of the BCP
Legal representative familar with corporate legal, regulatory and contractual responsibilities
Reps from senior management
Legal and Regulatory requirements
Business leaders must exercise due diligence to ensure that shareholders interests are protected in the event disaster strikes. Some industries are also subject to federal, state and local regulations that mandate specific BCP procedures. Businesses also have contractual obligations to their clients that must be met before, and after a disaster.
The officers and directors of publicly traded firms have a fiduciary responsibility to exercise due diligence in the execution of their business continuity duties.
Business Impact Analysis
Occurs after the 4 steps of BCP planning. It identifies the resources that are critical to an organization's ongoing viability and the threats posed to those resources. It also assesses the likelihood that each threat will actually occur and the impact those occurrences will have on the business. Initiated by the BCP committee.
Steps in Business Impact Analysis
1. Identify Business Priorities - assigning an Asset Value, developing the Maximum tolerable downtime or MTO, recovery time objective(amount of time which you think you can feasibly recover functions)
2. Risk Identification - can be man-made or natural risks
3. Likelihood Assessment - likelihood that each risk will occur. Expressed in terms of annualized rate of occurence
4. Impact Assessment - Analyze data gathered during risk id and likelihood and determine what impact each of the risks would have. Exposure factor, annual loss expectancy and single loss expectancy are used in this step.
5. Resource Prioritization - create a list of all the risks analyzed during the BIA process and sort them in descending order according to the ALE computed during the impact assessment phase. This provides a prioritized list of the risks that should be addressed first
Recovery Point Objective - RPO
Maximum amount of data that can be lost
Recovery Time Objective - RTO
Maximum amount of time that systems can be down
Three Phases following a Disruption/Disaster
Notification/Activation - notifying recovery personnel, performing a damage assessment
Recovery Phase--Failover - Actions taken by recovery teams and personnel to restore IT operations at an alternate site. Performed by the Recovery team.
Reconstitution--Failback - Outlines actions taken to return the systems to normal operating conditions. Performed by the Salvage team
Only covers the internal controls of financial reporting
SOC 2 and 3
Covers the security, privacy and availability of controls
Qualitative Concerns of BCP
Loss of goodwill, loss of employees to other jobs after prolonged downtime, social/ethical responsibilities, negative publicity. It may be difficult to put a dollar amount on these, but it is important.
Focuses on developing and implementing a continuity strategy to minimize the impact realized risks might have on protected assets. Subtasks include:
Provisions and processes
Training and Education
The BCP team must take the prioritized list of concerns and determine which risks will be addressed by the BCP. BCP team should look to the MTD to determine which risks must be mitigated.
Provisions and processes
In this task, the BCP team designs the specific procedures and mechanisms that will mitigate the risks deemed unacceptable. People, buildings/facilities and infrastructure must be protected.
Buildings and Facilities
Addressed during continuity planning. Continuity plan should address two areas for each critical facility:
Hardening Provisions - BCP should outline mechanisms and procedures that can be put in place to protect existing facilities against the risks defined in the strategy development phase
Alternate Sites - In the event that it's not feasible to harden a facility agains a risk, BCP should identify alternate sites where business activities can resume
Addressed during continuity planning. Two main methods of providing protection:
Physically hardening systems - Protecting systems against the risks by introducing protective measures such as computer-safe fire suppression systems and UPS
Alternative systems - Business systems can also be protected by introducing redundancy.
Senior Management approval and buy-in
Essential to the success of the overall BCP effort
Training and Education on BCP
Are essential elements of the BCP implementation. All personnel who will be involved in the plan should receive some sort of training on the overall plan and their individual responsibilities to ensure that they are able to complete them efficiently when disaster strikes.
Is a critical step in the BCP planning process. It ensures that BCP personnel have a written continuity document for reference in the event of an emergency. It provides a historical record of the BCP process. It forces the team to commit their thoughts to paper.
Risk Assessment Portion of BCP
Essentially recaps the deciosion-making process undertaken during the BIA. It should include a discussion of all the risks considered during the BIA as well as the quantitative and qualitative analyses performed to assess these risks. For quantitative analysis, the actual AV, EF, ARO, SLE and ALE figures should be included. For qualitative analysis, the thought process behind the risk analysis should be provided.
Vital Records Program
The BCP should also outline this for the org. This document states where critical business records will be stored and the procedures for making and storing backup copies of those records. One of the biggest challenges is identifying the vital records in the first place.
Emergency Response Guidelines
Immediate response procedures (security and safety, fire suppression, notification of emergency response)
A list of individuals who should be notified of the incident(executives, BCP team)
Secondary response procedures that first responders should take
The BCP documentation and the plan itself must be living documents. BCP team should not be disbanded after the plan is developed but should still meet periodically to discuss the plan and review results of plan tests. Any time a change is made, good version control must be practiced. BCP components should also be included in job descriptions.
Testing of BCP
Testing is similar to that of the DRP. Should happen once per year, or after any major change.
Types of BCP Testing
Checklist test - copies of plan distributed to diff departments. Functional managers review. Paper based.
Structured walk through (table top) - Representatives from each department go over plan. Talk through the plan, paper based.
Simulation test - going through a disaster scenario. Continues up to the actual relocation to an offsite facility.
Parallel Test - systems moved to alternate site and processing takes place there
Full Interruption test - original site shut down. All processing moved to offsite facility.
Post Incident Review
Occurs after BCP testing. Purpose is how to get better and improve.
ISC2 Code of Ethics
All information security professionals who are certified by (ISC)² recognize that such certification is a privilege that must be both earned and maintained. In support of this principle, all (ISC)² members are required to commit to fully support this Code of Ethics (the "Code"). (ISC)² members who intentionally or knowingly violate any provision of the Code will be subject to action by a peer review panel, which may result in the revocation of certification. (ISC)² members are obligated to follow the ethics complaint procedure upon observing any action by an (ISC)² member that breach the Code. Failure to do so may be considered a breach of the Code pursuant to Canon IV.
There are only four mandatory canons in the Code. By necessity, such high-level guidance is not intended to be a substitute for the ethical judgment of the professional.
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principles.
Advance and protect the profession.
Contains prohibitions against acts such as murder, assault, robbery and arson. Burden of proof is beyond a reasonable doubt.
Civil Law / Tort Law
Designed to provide for an orderly society and govern matters that are not crimes but that require an impartial arbiter to settle between individuals and organizations. Could include contract disputes, real estate transactions, employment matters and estate/probate procedures. Majority of evidence needed for conviction (less than reasonable doubt)
Policies, procedures and regulations that govern the daily operations of an agency. Covers topics like procedures to be used within a federal agency to obtain a telephone to immigration polices that will be used to enforce laws passed by Congress. Administrative Law is published in the Code of Federal Regulations (CFR)
Burden of proof is "more likely than not"
Ex. HIPAA, Basel II, SOX
Intellectual Property Law
Protecting products of the mind. Company must take steps to protect resources covered by these laws or these laws may not protect them.
**Main international org run by the UN is the World Intellectual Property Organization (WIPO)
Licensing is the most prevalent violation, followed by plagiarism, piracy and corporate espionage.
The most important lesson to be learned is knowing when its necessary to call in an attorney.
Computer Fraud and Abuse Act (CFAA)
CCCA was passed in 1984 then amended to the CFAA in 1986. Covers computer crimes that crossed state boundaries to avoid infringing on states rights.
Includes: First to implement penalties for the creators of viruses worms and other types of malicious code. Also includes any computer used exclusively by the US government. Any computer used exclusively by a financial institution. Any computer used by the governement or a financial instatution when the offense impedes the ability of the government or institution to use that system. Any combination of cumputers used to commit an offense when they are not all located in the same state.
Computer Abuse Amendments at of 1994
Amendment to the CFAA. It outlawed the creation of any type of malicious code that might cause damage to a computer system. Modigied the CFAA to cover any computer used in interstate commerce rather than just federal interest computer systems. Allowed for the imprisonment of offenders, regardless of whether they actually intended to cause damage. Provided legal authority for the victims of computer crime to pursue civil action to gain injunctive relief and compensation for damages.
Computer Security Act of 1987
Four main purposes:
To give the NIST responsibility for developing standards and guidelines for federal computer systems. To provide for the enactment of such standards and guidelines. To require the establishment of security plans by all operators of federal computer systems that contain sensitive information. To require mandatory periodic training for all people involved in management, use, or operation of federal computer systems that contain sensitive information
Federal Sentencing Guidelines
Released in 1991. Provided punishment guidelines to help federal judges interpret computer crime laws. Included:
The guidelines formalized the prudent man rule, which requires senior executives to take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation
Allowed organizations and executives to minimize punishment for infractions by demonstrating that they used due diligence in the conduct of their information security duties.
Outlined 3 burdens of proof for negligence. First, the person accused of negligence must have a legally recognized obligation. Second, the person must have failed to comply with recognized standards. Third, there must be a casual relationship between the act of negligence and subsequent damages.
Government Information Security Reform Act of 2000
Amendment to the Paperwork Reduction Act. Implements additional info security policies and procedures. 5 basic purposes:
To provide comprehensive framework for establishing and ensuring the effectiveness of controls over information resources that support federal operations and assets.
To recognize the highly networked nature of the federal computing environment, including the need for federal government interoperability and in the implementation of improved security management measures, to assure that opportunities for interoperability are not adversely affected.
To provide effective governement wide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security and law enforcement communities.
To provide for deleopment and maintenance of minimum controls required to protect federla information and information systems
To provide a mechanism for improved oversight of federal agency information sec programs.
Charges NIST with responsibilties for unclassified info prcoessing and NSA for classified info processing.
Also outlines a new category of computer system - Mission critical system. It is mission critical if - It is defined as a national security system by other provisions of law. It is protected by procedures established for clasified information. The loss, misuse, disclosure or unauthorized access to or modification of any info it processes would have a debiltating impact on the mission of an agency.
Federal Information Secuirty Management Act (FISMA)
Passed in 2002. Requires that federal agencies implement an information securiity program that covers the agency's operations. Also requires that government agencies include the activities of contractors in their security management programs. NIST is responsible for developing the FISMA implementation guidelines. Federal agencies and governemnt contractors must develop and maintain substantial documentation of their FISMA compliance activities.
Copyright and the Digital MIllenium Copyright Act (DMCA)
Copyright law guarantees the creators of original works of authorship protection against the unauthorized duplication of their work. This includes literary, musical, dramatici, pantomimes and choriographic, pictorial, graphical and sculptural, motion pictures and other audiovisiula works, sound recordings, architectural works. Computer software is protected under literary works. It only protects the source code.
Digital Millenium Copyright Act prohibits the circumvention of copy protection mechanisms placed in digital media and limits the liability of ISPs for the activites of their users. The DMCA states that providers are not responsible for the transitory activities of their users. Transmission of information over a network would qualify for this exemption.
Words, slogans, and logos used to identify a company and its products or services. Protect from someone stealing another company's look and feel. Corporate brands and operating system logos. TM symbol is used until registration is granted. Once his application is approved, he can use the R with circle symbol.
Trademark Law Treaty Implementation Act protects trademarks internationally.
Protect the intellectual property rights of inventors. Provides 20 years where the inventor is granted exclusive rights to use the invention. Invention must be novel and non-obvious.
Relies on mistakes such as typo errors made by internet users when inputting a website address into a web browser. ex. typing
Registering, trafficking in, or using an internet domain name with bad faith intent to profit from the goodwill of a trademark belonging to someone else
Guarantees the creators of original works of authorship protection against the unauthorized duplication of their work. Copyright protections lasts for the lifetime of the author plus 70 years or 75 years for corporations. Work does not need to be registered or published to be protected. Protects expression of ideas rather than the ideas themselves.
First sale - can't make copies to sell but can sell the original that was purchased
Fair use - can make a copy for personal use, not sale
Intellectual property that is absolutely critical to their business and significant damage would result if it were disclosed to competitors or the public. Ex. Coke and KFC recipes. Must be reasonably protected. The Economic Espionage Act imposes fines and jail sentences on anyone found guilty of stealing trade secrets from a US corporation.
The basis for privacy rights. Sets the probable cause standard that law enforcement officers must follow when conducting searches or seizures. Also states officers must gain a warrant for search and seizure.
Privacy Act of 1974
Most significant piece of privacy legislation restricting the way the federal government may deal with private information about its citizens.
Electronic Communications Privacy Act of 1986
Broadened the federal wiretap act to apply to any illegal interception of electronic communications. It prohibits the interception or disclosure of electronic communication and defines those situations in which disclosure is legal. Protects the monitoring of email and voicemail communications.
Communications Assistance for Law Enforcement Act (CALEA) of 1994
Amended the Electronic Communications Privacy Act of 1986. Requires all communications carries to make wiretaps possible for law enforcement with an appropriate court order
Economic and Protection of Proprietary Information Act of 1996
Extends the definition of property to include proprietary economic info so that the theft of this information can be considered industrial or corporate espionage.
USA PATRIOT Act of 2001
Provisions of the PATRIOT Act allow authorities to obtain a blanket authorization for a person and then monitor all communications to or from that person under a single warrant. Also, ISPs may provide the government with large range of information.
Software licensing agreements and Uniform Computer Information Transactions Act
Contractual license agreements are written agreements between a software vendor and user. Shrink-wrap agreements are written on software packaging and take effect when a user opens the package. Click-wrap agreements are included in a package but require the user to accept the terms during the software installation process.
The Uniform Computer Information Transactions Act provides a framework for enforcement of these licenses.
First statewide requirement to notify individuals of a breach of their personal information. All but 3 states followed suit. Federal law only requires the notification of individuals when a HIPAA covered entity breaches their PHI
HIPAA (Health Insurance Portability and Accountability Act)
Healthcare clearing houses
EU Data Protection Law
Mandates protection of privacy data. A data controller can hire a third party to process data and in this context, the third party is the data processor. Third parties agree to abide by the seven Safe Harbor principles as a method of ensuring that they are complying with the EU Data Protection law. The US Department of Commerce is responsible for implementing the EU-US Safe Harbor agreement. According to the European Union's Data Protection Directive, third-party organizations that process personal data on behalf of a data controller are known as data processors. The organization that they are contracting with would act in the role of the business or mission owners
Safe Harbor Principles
The seven principles are notice, choice, onward transfer, security, data integrity, access and enforcement.
Are broken into three categories, which cover subjective compensation and values set to deter offenses and create consequences for a violator. The three forms are statutory, compensatory and punitive.
RAID Level 5
Disk striping with parity, requires a minimum of three physical hard disks to operate.
Is a strategic role that helps to develop policies, standards, and guidelines and ensures the security elements are implemented properly.
Is used when evidence might be destroyed. This allows officials to seize evidence before its destruction and without a warrant.
Internet Architecture Board (IAB)
Has developed an ethics-related statement concerning the use of the Internet. As part of this statement, the IAB states that Internet use is a privilege, not a right. Unethical behavior includes: purposely seeking to gain unauthorized access, disrupting Internet use, purposely wasting resources, destroying the integrity of computer-based information, and compromising another person's privacy.
OMB Circular A-130
Was developed to meet information resource management requirements for the federal government. According to this circular, independent audits should be performed every three years.