Discussion post

ch01.pptx

Chapter 1 Security Governance Through Principles and Policies

Understand and Apply Concepts of Confidentiality, Integrity, and Availability

CIA Triad

AAA Services

Protection Mechanisms

Overview

CIA Triad

Confidentiality

Integrity

Availability

Confidentiality

Sensitivity

Discretion

Criticality

Concealment

Secrecy

Privacy

Seclusion

Isolation

Integrity 1/3

Preventing unauthorized subjects from making modifications

Preventing authorized subjects from making unauthorized modifications

Maintaining the internal and external consistency of objects

Integrity 2/3

Accuracy: Being correct and precise

Truthfulness: Being a true reflection of reality

Authenticity: Being authentic or genuine

Validity: Being factually or logically sound

Nonrepudiation: Not being able to deny having performed an action or activity or being able to verify the origin of a communication or event

Integrity 3/3

Accountability: Being responsible or obligated for actions and results

Responsibility: Being in charge or having control over something or someone

Completeness: Having all needed and necessary components or parts

Comprehensiveness: Being complete in scope; the full inclusion of all needed elements

Availability

Usability: The state of being easy to use or learn or being able to be understood and controlled by a subject

Accessibility: The assurance that the widest range of subjects can interact with a resource regardless of their capabilities or limitations

Timeliness: Being prompt, on time, within a reasonable time frame, or providing low latency response

AAA Services

Identification

Authentication

Authorization

Auditing

Accounting/Accountability

Protection Mechanisms

Layering/Defense in Depth

Abstraction

Data Hiding

Security through obscurity

Encryption

Evaluate and Apply Security Governance Principles

Alignment of Security Function

Security Management Plans

Organizational Processes

Change Control/Management

Data Classification

Organizational Roles and Responsibilities

Security Control Frameworks

Due Care and Due Diligence

Overview

Alignment of Security Function

Alignment to Strategy, Goals, Mission, and Objectives

Security Policy

Based on business case

Top-Down Approach

Senior Management Approval

Security Management:

InfoSec team, CISO, CSP, ISO

Security Management Plans

Strategic

Tactical

Operational

Organizational Processes

Security governance

Acquisitions and divestitures risks:

Inappropriate information disclosure

Data loss

Downtime

Failure to achieve sufficient return on investment (ROI)

Change Control/Management 1/2

Implement changes in a monitored and orderly manner. Changes are always controlled.

A formalized testing process is included to verify that a change produces expected results.

All changes can be reversed (also known as backout or rollback plans/procedures).

Users are informed of changes before they occur to prevent loss of productivity.

Change Control/Management 2/2

The effects of changes are systematically analyzed to determine whether security or business processes are negatively affected.

The negative impact of changes on capabilities, functionality, and performance is minimized.

Changes are reviewed and approved by a change approval board (CAB).

Data Classification 1/2

Determines: effort, money, and resources

Government/military vs. commercial/private sector

Declassification

Data Classification 2/2

1. Identify the custodian, define responsibilities.

2. Specify the evaluation criteria.

3. Classify and label each resource.

4. Document any exceptions.

5. Select the security controls for each level.

6. Specify declassification and external transfer.

7. Create an enterprise-wide awareness program.

Organizational Roles and Responsibilities

Senior Manager

Security Professional

Data Owner

Data Custodian

User

Auditor

Security Control Frameworks

COBIT (see next slide)

Used to plan the IT security of an organization and as a guideline for auditors

Information Systems Audit and Control Association (ISACA)

Open Source Security Testing Methodology Manual (OSSTMM)

ISO/IEC 27001 and 27002

Information Technology Infrastructure Library (ITIL)

Control Objectives for Information and Related Technologies (COBIT)

Principle 1: Meeting Stakeholder Needs

Principle 2: Covering the Enterprise End-to-End

Principle 3: Applying a Single, Integrated Framework

Principle 4: Enabling a Holistic Approach

Principle 5: Separating Governance From Management

Due Care and Due Diligence

Due care is using reasonable care to protect the interests of an organization.

Due diligence is practicing the activities that maintain the due care effort.

Develop, Document, and Implement

Security Policy, Standards, Procedures, and Guidelines

Security Policies

Security Standards, Baselines, and Guidelines

Security Procedures

Overview

Security Policies

Defines the scope of security needed by the organization

Organizational, issue-specific, system-specific

Regulatory, advisory, informative

Security Standards, Baselines, and Guidelines

Standards define compulsory requirements

Baselines define a minimum level of security

Guidelines offer recommendations on how standards and baselines are implemented

Security Procedures

Standard operating procedure (SOP)

A detailed, step-by-step how-to

To ensure the integrity of business processes

Understand and Apply Threat Modeling Concepts and Methodologies

Threat Modeling

Identifying Threats

Threat Categorization Schemes

Determining and Diagramming Potential Attacks

Performing Reduction Analysis

Prioritization and Response

Overview

Threat Modeling

Microsoft’s Security Development Lifecycle (SDL)

“Secure by Design, Secure by Default, Secure in Deployment and Communication” (also known as SD3+C)

Proactive vs. reactive approach

Identifying Threats

Focused on Assets

Focused on Attackers

Focused on Software

Threat Categorization Schemes

STRIDE

Process for Attack Simulation and Threat Analysis (PASTA)

Trike

Visual, Agile, and Simple Threat (VAST)

STRIDE

Spoofing

Tampering

Repudiation

Information disclosure

Denial of service

Elevation of privilege

PASTA 1/2

Stage I: Definition of the Objectives (DO) for the Analysis of Risks

Stage II: Definition of the Technical Scope (DTS)

Stage III: Application Decomposition and Analysis (ADA)

Stage IV: Threat Analysis (TA)

Stage V: Weakness and Vulnerability Analysis (WVA)

Stage VI: Attack Modeling and Simulation (AMS)

Stage VII: Risk Analysis and Management (RAM)

PASTA 2/2

Determining and Diagramming Potential Attacks

Diagram the infrastructure

Identify data flow

Identify privilege boundaries

Identify attacks for each diagrammed element

Diagramming to Reveal Threat Concerns

Performing Reduction Analysis

Decomposing

Trust boundaries

Data flow paths

Input points

Privileged operations

Details about security stance and approach

Prioritization and Response

Probability × Damage Potential ranking

High/medium/low rating

DREAD system

Damage potential

Reproducibility

Exploitability

Affected users

Discoverability
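The two prioritization methods on this slide, a Probability × Damage Potential ranking and the DREAD score with a High/Medium/Low rating, are easier to compare when run over the same threat list. The Python below is an added example, not part of the slide deck or its author's material. The threat list is constructed, the 1-10 scale for each DREAD factor, the mapping of Reproducibility/Exploitability/Discoverability onto "probability" and of Damage potential/Affected users onto "damage", and the 7.0/4.0 rating cut-offs are all assumptions chosen to illustrate the idea.

```python
"""Threat prioritization: DREAD scoring plus a Probability x Damage Potential ranking.

Added example; the threats, scales, factor mapping and thresholds are assumptions.
"""
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class Threat:
    name: str
    stride: str            # STRIDE category the threat falls under
    damage: int            # D: Damage potential, rated 1-10 (assumed scale)
    reproducibility: int   # R: Reproducibility, 1-10
    exploitability: int    # E: Exploitability, 1-10
    affected_users: int    # A: Affected users, 1-10
    discoverability: int   # D: Discoverability, 1-10

    def __post_init__(self):
        # Reject ratings outside the assumed 1-10 scale so a typo cannot skew the ranking.
        for f in fields(self):
            if f.type is int:
                value = getattr(self, f.name)
                if not 1 <= value <= 10:
                    raise ValueError(f"{f.name} must be 1-10, got {value}")


def dread_score(t: Threat) -> float:
    """DREAD score: the mean of the five factors, so the result is also on the 1-10 scale."""
    return (t.damage + t.reproducibility + t.exploitability
            + t.affected_users + t.discoverability) / 5


def probability_x_damage(t: Threat) -> float:
    """Probability x Damage Potential ranking (assumed mapping of the DREAD factors).

    Probability is taken as the mean of the three 'how likely is it to happen'
    factors, damage as the mean of the two 'how bad is it' factors; the product
    therefore lies between 1 and 100.
    """
    probability = (t.reproducibility + t.exploitability + t.discoverability) / 3
    damage = (t.damage + t.affected_users) / 2
    return probability * damage


def rate(score: float, high: float = 7.0, medium: float = 4.0) -> str:
    """High/Medium/Low rating of a 1-10 DREAD score; the cut-offs are assumptions."""
    if score >= high:
        return "High"
    if score >= medium:
        return "Medium"
    return "Low"


def prioritize(threats):
    """Return one row per threat, highest DREAD score first.

    Ties on the DREAD score are broken by the Probability x Damage value, so a
    threat that is both likelier and more damaging is handled before one that
    merely scores the same on average.
    """
    rows = []
    for t in threats:
        d = dread_score(t)
        rows.append({
            "name": t.name,
            "stride": t.stride,
            "dread": d,
            "prob_x_damage": probability_x_damage(t),
            "rating": rate(d),
        })
    rows.sort(key=lambda r: (r["dread"], r["prob_x_damage"]), reverse=True)
    return rows


# Constructed sample threat list for a hypothetical web application (not from the deck).
SAMPLE_THREATS = [
    Threat("Predictable session token", "Spoofing", 8, 9, 7, 8, 6),
    Threat("Audit log has no integrity protection", "Repudiation", 5, 10, 4, 5, 3),
    Threat("Verbose error page leaks stack trace", "Information disclosure", 3, 10, 9, 2, 9),
    Threat("Unauthenticated admin endpoint", "Elevation of privilege", 10, 10, 10, 10, 5),
    Threat("Unbounded upload size", "Denial of service", 6, 8, 8, 7, 4),
]


if __name__ == "__main__":
    print(f"{'Threat':40} {'STRIDE':24} {'DREAD':>6} {'PxD':>7} Rating")
    for r in prioritize(SAMPLE_THREATS):
        print(f"{r['name']:40} {r['stride']:24} {r['dread']:6.1f} "
              f"{r['prob_x_damage']:7.1f} {r['rating']}")
```

Running the block prints the ranked table; the two 6.6-scored threats show why the tie-break matters, since the upload DoS has a much higher Probability × Damage value than the stack-trace leak even though their DREAD averages are identical.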

Apply Risk-Based Management Concepts to the Supply Chain

Resilient integrated security

Cost of ownership

Outsourcing

Integrated security assessments

Monitoring and management

On-site assessment

Document exchange and review

Process/policy review

Third-party audit (AICPA SOC1 and SOC2)

Conclusion

Read the Exam Essentials

Review the Chapter

Perform the Written Labs

Answer the Review Questions