Week 4 Discussion Post

AJ2020
risk3e_ppt_ch09.pptx

CHAPTER 9

Identifying and Analyzing Risk Mitigation Security Controls

Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.

Learning Objective(s) and Key Concepts

Learning Objective(s)

Identify risk mitigation security controls and develop a risk mitigation plan.

Key Concepts

In-place and planned controls

Families of controls defined by NIST

Procedural, technical, and physical controls

In-Place Controls

Installed in an operational system

Replace in-place controls that don’t meet goals

Three primary objectives of controls:

Prevent

Recover

Detect

Planned Controls

Those that have been approved but not yet installed

Identify planned controls before approving others

Vulnerabilities that planned controls mitigate still exist

Evaluate effectiveness of a planned control through research

Control Categories

Controls can be categorized using either of the following methods:

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations

Implementation method—Three implementation methods are used to categorize controls:

Procedural controls

Technical controls

Physical controls

NIST Control Families

Access Control (AC)

Audit and Accountability (AU)

Awareness and Training (AT)

Configuration Management (CM)

Contingency Planning (CP)

Identification and Authentication (IA)

Incident Response (IR)

Maintenance (MA)

Media Protection (MP)

Personnel Security (PS)

NIST Control Families (Cont.)

Physical and Environment Protection (PE)

Planning (PL)

Program Management (PM)

Risk Assessment (RA)

Assessment, Authorization, and Monitoring (CA)

System and Communications Protection (SC)

System and Information Integrity (SI)

System and Services Acquisition (SA)

Personally Identifiable Information Processing and Transparency (PT)

Supply Chain Risk Management (SR)

Procedural Control Examples

Policies and procedures

Security plans

Insurance and bonding

Background and financial checks

Procedural Control Examples (Cont.)

Data loss prevention program

Education, training, and awareness

Rules of behavior

Software testing

Policies and Procedures

Written documents that provide guidelines and rules for an organization

Policy: A high-level document that provides overall direction without details

Procedure: Provides the detailed steps needed to implement a policy

Policy examples:

Acceptable use policy (AUP)

Vulnerability scanning policy

Removable media policy

Procedure examples:

AUP procedure

Vulnerability scanning procedures

Removable media enforcement

Security Plans

Business continuity plan (BCP)

Helps an organization prepare for different types of emergencies

Disaster recovery plan (DRP)

Provides the details for recovering one or more systems after a disaster

Backup plan

Identifies data valuable to the organization and specifies storage and retention requirements

Incident response plan

Documents how an organization should respond to a security incident

Insurance and Bonding

Insurance policies specify shared responsibilities between the insurance company and the customer

Fire and flood

Business interruption

Errors and omissions

Bonding covers losses caused by

Theft

Fraud

Dishonesty

Background and Financial Checks

Initiation – Existing architecture and security systems are documented and a risk assessment is conducted

Acquisition and Development – A more complete risk assessment is completed and a baseline security level is established

Implementation and Testing – The new system is installed and unit and integration tests are conducted

Operation and Maintenance – Longest phase; systems are continuously monitored, incidents are addressed and a business continuity plan is created

Sunset or Disposal – Old systems must be removed without exposing the organization to additional risk during the migration to a new system

Background checks

Commonly include police and FBI checks, which will identify any criminal behavior

Financial checks

A person with a poor credit rating may be viewed suspiciously

Internet resources

Google and Facebook may expose problematic behavior

Data Loss Prevention Program

Loss of confidentiality

Occurs when unauthorized entities view a company's data

Loss due to corruption

Can occur in many ways; maintain reliable backups to mitigate it

Education, Training, and Awareness

Controls aren’t effective if employees don’t know what they are or how to implement them

Awareness programs are generic and apply to all personnel

Logon or welcome banners

Emails

Posters

Training can be generic for all personnel or specialized and targeted at specific groups

Rules of Behavior

Document that lets users know what they can and cannot do with systems

Users must read and/or sign the document to indicate they understand the rules

Common elements in a rules of behavior document:

Privacy

List of restricted activities

Email usage

Protection of credentials

Consequences or penalties for noncompliance

Software Testing

Organizations that develop software should have a policy that mandates software testing

Goal is to reduce the number of undiscovered bugs in the software

Types of software testing include data range and reasonableness checks

Technical Control Examples

Logon identifier

Session time-out

System logs and audit trails

Data range and reasonableness checks

Firewalls and routers

Encryption

Public key infrastructure
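Data range and reasonableness checks are named above both as a type of software testing and as a technical control. The following is an added example, not from the slides or the textbook, showing the difference between the two: range checks bound a single field, reasonableness checks test whether fields agree with each other. The order fields, limits and sample records are assumptions constructed for the illustration.

```python
from datetime import date
from typing import Dict, List

# Constructed example: a range check bounds one field on its own; a
# reasonableness check tests whether fields are consistent with each other.
# The order fields and limits below are assumptions made for illustration.

RANGE_LIMITS = {
    "quantity": (1, 1000),          # units per order line
    "unit_price": (0.01, 50000.0),  # currency units
    "discount_pct": (0, 40),        # percent
}

def range_checks(order: Dict) -> List[str]:
    """Return one finding per field that is missing or outside its range."""
    findings = []
    for field, (low, high) in RANGE_LIMITS.items():
        value = order.get(field)
        if value is None:
            findings.append(f"{field}: missing")
        elif not low <= value <= high:
            findings.append(f"{field}: {value} outside [{low}, {high}]")
    return findings

def reasonableness_checks(order: Dict) -> List[str]:
    """Return one finding per cross-field relationship that does not hold."""
    findings = []
    # The stated total must equal quantity * price less the discount.
    expected = round(order["quantity"] * order["unit_price"]
                     * (1 - order["discount_pct"] / 100), 2)
    if abs(order["total"] - expected) > 0.005:
        findings.append(f"total: {order['total']} but expected {expected}")
    # A shipment cannot leave before the order was placed.
    if order["ship_date"] < order["order_date"]:
        findings.append("ship_date: precedes order_date")
    return findings

def validate_order(order: Dict) -> List[str]:
    """Range checks run first; only a range-valid record is tested for reasonableness."""
    findings = range_checks(order)
    return findings if findings else reasonableness_checks(order)

# Constructed sample records: one valid, one with an inconsistent total and
# a ship date earlier than the order date.
GOOD = {"quantity": 3, "unit_price": 19.99, "discount_pct": 10, "total": 53.97,
        "order_date": date(2020, 10, 1), "ship_date": date(2020, 10, 3)}
BAD = {"quantity": 3, "unit_price": 19.99, "discount_pct": 10, "total": 5.97,
       "order_date": date(2020, 10, 1), "ship_date": date(2020, 9, 28)}
```

Running the range checks first keeps the reasonableness arithmetic from operating on values that are already known to be invalid.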

Firewalls and Routers

Control traffic by allowing some traffic and blocking other traffic

Router provides basic filtering of traffic based on:

Internet protocol (IP) addresses

Ports

Some protocols

Encryption

Changes plaintext data into ciphered data

Example: "password" in plaintext may look like this in encrypted form: MFIGs3x/$6o0D

Data can be encrypted at rest or when transferred

Encryption algorithms are designed to make unauthorized decryption so difficult and time-consuming that attempting it is not worthwhile

Encryption is classified as either:

Symmetric

Asymmetric

Public Key Infrastructure (PKI)

Some elements of a PKI

Certificate authority

Issues and manages certificates; can be public, such as VeriSign, or private

Certificates

Used for identification and to aid in encryption

Public and private keys

Data encrypted with one key can be decrypted only with the matching key

Web of trust

Ensures that the binding between a public key and its owner is authentic

Public Key Infrastructure (Cont.)

Physical Control Examples

Locked doors, guards, CCTV

Fire detection and suppression

Water detection

Temperature and humidity detection

Electrical grounding and circuit breakers

Temperature and Humidity Detection

Best Practices for Risk Mitigation Security Controls

Ensure the control is effective

Review controls in all areas

Review NIST SP 800-53 families

Redo a risk assessment if a control has changed

Summary

In-place and planned controls

Families of controls defined by NIST

Procedural, technical, and physical controls

10/9/2020
