Discussion post
Chapter 1 Security Governance Through Principles and Policies
Understand and Apply Concepts of Confidentiality, Integrity, and Availability
CIA Triad
AAA Services
Protection Mechanisms
overview
CIA Triad
Confidentiality
Integrity
Availability
Confidentiality
Sensitivity
Discretion
Criticality
Concealment
Secrecy
Privacy
Seclusion
Isolation
Integrity 1/3
Preventing unauthorized subjects from making modifications
Preventing authorized subjects from making unauthorized modifications
Maintaining the internal and external consistency of objects
Integrity 2/3
Accuracy: Being correct and precise
Truthfulness: Being a true reflection of reality
Authenticity: Being authentic or genuine
Validity: Being factually or logically sound
Nonrepudiation: Not being able to deny having performed an action or activity or being able to verify the origin of a communication or event
Integrity 3/3
Accountability: Being responsible or obligated for actions and results
Responsibility: Being in charge or having control over something or someone
Completeness: Having all needed and necessary components or parts
Comprehensiveness: Being complete in scope; the full inclusion of all needed elements
Availability
Usability: The state of being easy to use or learn or being able to be understood and controlled by a subject
Accessibility: The assurance that the widest range of subjects can interact with a resource regardless of their capabilities or limitations
Timeliness: Being prompt, on time, within a reasonable time frame, or providing low latency response
AAA Services
Identification
Authentication
Authorization
Auditing
Accounting/Accountability
Protection Mechanisms
Layering/Defense in Depth
Abstraction
Data Hiding
Security through obscurity
Encryption
Evaluate and Apply Security Governance Principles
Alignment of Security Function
Security Management Plans
Organizational Processes
Change Control/Management
Data Classification
Organizational Roles and Responsibilities
Security Control Frameworks
Due Care and Due Diligence
overview
Alignment of Security Function
Alignment to Strategy, Goals, Mission, and Objectives
Security Policy
Based on business case
Top-Down Approach
Senior Management Approval
Security Management:
InfoSec team, CISO, CSP, ISO
Security Management Plans
Strategic
Tactical
Operational
Organizational Processes
Security governance
Acquisitions and divestitures risks:
Inappropriate information disclosure
Data loss
Downtime
Failure to achieve sufficient return on investment (ROI)
Change Control/Management 1/2
Implement changes in a monitored and orderly manner. Changes are always controlled.
A formalized testing process is included to verify that a change produces expected results.
All changes can be reversed (also known as backout or rollback plans/procedures).
Users are informed of changes before they occur to prevent loss of productivity.
Change Control/Management 2/2
The effects of changes are systematically analyzed to determine whether security or business processes are negatively affected.
The negative impact of changes on capabilities, functionality, and performance is minimized.
Changes are reviewed and approved by a change approval board (CAB).
Data Classification 1/2
Determines: effort, money, and resources
Government/military vs. commercial/private sector
Declassification
Data Classification 2/2
1. Identify the custodian, define responsibilities.
2. Specify the evaluation criteria.
3. Classify and label each resource.
4. Document any exceptions.
5. Select the security controls for each level.
6. Specify declassification and external transfer.
7. Create an enterprise-wide awareness program.
Organizational Roles and Responsibilities
Senior Manager
Security Professional
Data Owner
Data Custodian
User
Auditor
Security Control Frameworks
COBIT (see next slide)
Used to plan the IT security of an organization and as a guideline for auditors
Information Systems Audit and Control Association (ISACA)
Open Source Security Testing Methodology Manual (OSSTMM)
ISO/IEC 27001 and 27002
Information Technology Infrastructure Library (ITIL)
Control Objectives for Information and Related Technologies (COBIT)
Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From Management
Due Care and Due Diligence
Due care is using reasonable care to protect the interests of an organization.
Due diligence is practicing the activities that maintain the due care effort.
Develop, Document, and Implement
Security Policy, Standards, Procedures, and Guidelines
Security Policies
Security Standards, Baselines, and Guidelines
Security Procedures
overview
Security Policies
Defines the scope of security needed by the organization
Organizational, issue-specific, system-specific
Regulatory, advisory, informative
Security Standards, Baselines, and Guidelines
Standards define compulsory requirements
Baselines define a minimum level of security
Guidelines offer recommendations on how standards and baselines are implemented
Security Procedures
Standard operating procedure (SOP)
A detailed, step-by-step how-to
To ensure the integrity of business processes
Understand and Apply Threat Modeling Concepts and Methodologies
Threat Modeling
Identifying Threats
Threat Categorization Schemes
Determining and Diagramming Potential Attacks
Performing Reduction Analysis
Prioritization and Response
overview
Threat Modeling
Microsoft’s Security Development Lifecycle (SDL)
“Secure by Design, Secure by Default, Secure in Deployment and Communication” (also known as SD3+C)
Proactive vs. reactive approach
Identifying Threats
Focused on Assets
Focused on Attackers
Focused on Software
Threat Categorization Schemes
STRIDE
Process for Attack Simulation and Threat Analysis (PASTA)
Trike
Visual, Agile, and Simple Threat (VAST)
STRIDE
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege
PASTA 1/2
Stage I: Definition of the Objectives (DO) for the Analysis of Risks
Stage II: Definition of the Technical Scope (DTS)
Stage III: Application Decomposition and Analysis (ADA)
Stage IV: Threat Analysis (TA)
Stage V: Weakness and Vulnerability Analysis (WVA)
Stage VI: Attack Modeling and Simulation (AMS)
Stage VII: Risk Analysis and Management (RAM)
PASTA 2/2
Determining and Diagramming Potential Attacks
Diagram the infrastructure
Identify data flow
Identify privilege boundaries
Identify attacks for each diagrammed element
Diagramming to Reveal Threat Concerns
Performing Reduction Analysis
Decomposing
Trust boundaries
Data flow paths
Input points
Privileged operations
Details about security stance and approach
Prioritization and Response
Probability × Damage Potential ranking
High/medium/low rating
DREAD system
Damage potential
Reproducibility
Exploitability
Affected users
Discoverability
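Added worked example (not from the slides or the course material) showing how the two ranking schemes on the Prioritization and Response slide, Probability × Damage Potential and DREAD, turn per-threat ratings into a prioritized list with a High/Medium/Low label. The 1-10 factor scale, the High/Medium/Low thresholds, the mapping of DREAD factors onto probability and damage, and the sample threats are all assumptions for this example.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    stride: str           # STRIDE category the threat falls under
    damage: int           # Damage potential, assumed 1-10 scale
    reproducibility: int  # Reproducibility
    exploitability: int   # Exploitability
    affected_users: int   # Affected users
    discoverability: int  # Discoverability

    def dread_score(self) -> float:
        """DREAD rating: average of the five factors (assumed 1-10 scale)."""
        return (self.damage + self.reproducibility + self.exploitability
                + self.affected_users + self.discoverability) / 5

    def probability_x_damage(self) -> float:
        """Probability × Damage Potential ranking from the slide.
        Assumption: probability = mean of R, E and Discoverability;
        damage potential = mean of Damage potential and Affected users."""
        probability = (self.reproducibility + self.exploitability
                       + self.discoverability) / 3
        damage = (self.damage + self.affected_users) / 2
        return probability * damage

def rating(score: float) -> str:
    """Map a DREAD average to the slide's High/Medium/Low rating.
    Thresholds (>=7 High, >=4 Medium) are an assumption for this example."""
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"

def prioritize(threats):
    """Return (name, stride, dread, prob_x_damage, rating), highest DREAD first."""
    rows = [(t.name, t.stride, t.dread_score(), t.probability_x_damage(),
             rating(t.dread_score())) for t in threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample threats for a hypothetical web application (not real findings).
SAMPLE_THREATS = [
    Threat("Session token forgery", "Spoofing", 9, 7, 6, 9, 5),
    Threat("Unsigned audit log edits", "Repudiation", 4, 3, 4, 2, 3),
    Threat("Verbose stack trace in error page", "Information disclosure", 2, 9, 8, 2, 10),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_THREATS):
        print(row)
```

The two schemes agree on this constructed set, but because the Probability × Damage Potential product is not a plain average, a highly discoverable low-damage threat can rank differently under each, which is why the slide lists both.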
Apply Risk-Based Management Concepts to the Supply Chain
Resilient integrated security
Cost of ownership
Outsourcing
Integrated security assessments
Monitoring and management
On-site assessment
Document exchange and review
Process/policy review
Third-party audit (AICPA SOC1 and SOC2)
Conclusion
Read the Exam Essentials
Review the Chapter
Perform the Written Labs
Answer the Review Questions