Week 4 Discussion Post
CHAPTER 9
Identifying and Analyzing Risk Mitigation Security Controls
Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.
Learning Objective(s) and Key Concepts
Learning Objective(s)
Identify risk mitigation security controls and develop a risk mitigation plan.
Key Concepts
In-place and planned controls
Families of controls defined by NIST
Procedural, technical, and physical controls
In-Place Controls
Installed in an operational system
Replace in-place controls that don’t meet goals
Three primary objectives of controls:
Prevent
Recover
Detect
Planned Controls
Those that have been approved but not yet installed
Identify planned controls before approving others
Vulnerabilities that planned controls mitigate still exist
Evaluate effectiveness of a planned control through research
Control Categories
Some controls are categorized using either of the following methods:
NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
Implementation method—Three implementation methods are used to categorize controls:
Procedural controls
Technical controls
Physical controls
NIST Control Families
Access Control (AC)
Audit and Accountability (AU)
Awareness and Training (AT)
Configuration Management (CM)
Contingency Planning (CP)
Identification and Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Personnel Security (PS)
NIST Control Families (Cont.)
Physical and Environment Protection (PE)
Planning (PL)
Program Management (PM)
Risk Assessment (RA)
Assessment, Authorization, and Monitoring (CA)
System and Communications Protection (SC)
System and Information Integrity (SI)
System and Services Acquisition (SA)
Personally Identifiable Information Processing and Transparency (PT)
Supply Chain Risk Management (SR)
Procedural Control Examples
Policies and procedures
Security plans
Insurance and bonding
Background and financial checks
Procedural Control Examples (Cont.)
Data loss prevention program
Education, training, and awareness
Rules of behavior
Software testing
Policies and Procedures
Written documents that provide guidelines and rules for an organization
Policy: A high-level document that provides overall direction without details
Procedure: Provides the detailed steps needed to implement a policy
Policy examples:
Acceptable use policy (AUP)
Vulnerability scanning policy
Removable media policy
Procedure examples:
AUP procedure
Vulnerability scanning procedures
Removable media enforcement
Security Plans
Business continuity plan (BCP)
Helps an organization prepare for different types of emergencies
Disaster recovery plan (DRP)
Provides the details for recovering one or more systems after a disaster
Backup plan
Identifies data valuable to the organization and specifies storage and retention requirements
Incident response plan
Documents how an organization should respond to a security incident
Insurance and Bonding
Insurance policies specify shared responsibilities between the insurance company and the customer
Fire and flood
Business interruption
Errors and omissions
Bonding covers against losses by
Theft
Fraud
Dishonesty
Background and Financial Checks
Initiation – Existing architecture and security systems are documented and a risk assessment is conducted
Acquisition and Development – A more complete risk assessment is completed and a baseline security level is established
Implementation and Testing – The new system is installed and unit and integration tests are conducted
Operation and Maintenance – Longest phase; systems are continuously monitored, incidents are addressed and a business continuity plan is created
Sunset or Disposal – Old systems must be removed without exposing the organization to additional risk during the migration to a new system
Background checks: Commonly include police and FBI checks, which will identify any criminal behavior
Financial checks: A person with a poor credit rating may be viewed suspiciously
Internet resources: Google and Facebook may expose problematic behavior
Data Loss Prevention Program
Loss of confidentiality
Occurs when unauthorized entities view a company's data
Loss due to corruption
Can occur in many ways; maintain reliable backups to mitigate it
Education, Training, and Awareness
Controls aren’t effective if employees don’t know what they are or how to implement them
Awareness programs are generic and apply to all personnel
Logon or welcome banners
Emails
Posters
Training can be generic for all personnel or specialized and targeted at specific groups
Rules of Behavior
Document that lets users know what they can and cannot do with systems
Users must read and/or sign the document to indicate they understand the rules
Common elements in a rules of behavior document:
Privacy
List of restricted activities
Email usage
Protection of credentials
Consequences or penalties for noncompliance
Software Testing
Organizations that develop software should have a policy that mandates software testing
Goal is to reduce the number of undiscovered bugs in the software
Types of software testing include data range and reasonableness checks
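The data range and reasonableness checks named here (and listed again under Technical Control Examples), as an added example that is not from the chapter: a range check judges each field against fixed bounds, while a reasonableness check catches values that are individually in range but implausible together. The order fields, bounds and sample records are assumed for illustration.

```python
# Added example (not from the chapter): range checks test each field against fixed
# bounds; reasonableness checks test combinations that are in range but implausible.
from datetime import date

# Constructed bounds; a real system takes these from policy or the data dictionary.
MAX_QUANTITY = 1_000
MAX_UNIT_PRICE = 10_000.00
HIGH_VALUE_ORDER = 5_000.00

def range_errors(order: dict) -> list[str]:
    """Field-by-field bounds: each value is judged on its own."""
    errors = []
    if not 1 <= order["quantity"] <= MAX_QUANTITY:
        errors.append("quantity out of range")
    if not 0.01 <= order["unit_price"] <= MAX_UNIT_PRICE:
        errors.append("unit_price out of range")
    if not 0 <= order["discount_pct"] <= 100:
        errors.append("discount_pct out of range")
    return errors

def reasonableness_errors(order: dict, today: date) -> list[str]:
    """Cross-field and context checks that a pure range check cannot catch."""
    errors = []
    if order["ship_date"] < order["order_date"]:
        errors.append("ship_date before order_date")
    if order["order_date"] > today:
        errors.append("order_date in the future")
    # Every field here passes its range check; the combination is what is suspect.
    if order["discount_pct"] >= 90 and order["quantity"] * order["unit_price"] > HIGH_VALUE_ORDER:
        errors.append("near-total discount on high-value order")
    return errors

def validate_order(order: dict, today: date) -> list[str]:
    """Run both check families; an empty list means the record is accepted."""
    return range_errors(order) + reasonableness_errors(order, today)

# Constructed sample records (field names are assumed for the example).
GOOD_ORDER = {"quantity": 10, "unit_price": 25.0, "discount_pct": 10,
              "order_date": date(2020, 10, 1), "ship_date": date(2020, 10, 3)}
SUSPECT_ORDER = {"quantity": 500, "unit_price": 50.0, "discount_pct": 95,
                 "order_date": date(2020, 10, 5), "ship_date": date(2020, 10, 2)}
```

SUSPECT_ORDER passes every range check and is rejected only by the reasonableness checks, which is the distinction the slide draws.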
Technical Control Examples
Logon identifier
Session time-out
System logs and audit trails
Data range and reasonableness checks
Firewalls and routers
Encryption
Public key infrastructure
Firewalls and Routers
Control traffic by allowing some traffic and blocking other traffic
Router provides basic filtering of traffic based on:
Internet protocol (IP) addresses
Ports
Some protocols
Encryption
Changes plaintext data into ciphered data
Example: the plaintext "password" may look like this in encrypted form: MFIGs3x/$6o0D
Data can be encrypted at rest or when transferred
Encryption algorithms are designed so that decrypting the data without the key is too difficult and time-consuming to be worthwhile
Encryption is classified as either:
Symmetric
Asymmetric
Public Key Infrastructure (PKI)
Some elements of a PKI
Certificate authority
Issues and manages certificates; can be public, such as VeriSign, or private
Certificates
Used for identification and to aid in encryption
Public and private keys
Data encrypted with one key can be decrypted only with the matching key
Web of trust
Ensures that the binding between a public key and its owner is authentic
Public Key Infrastructure (Cont.)
Physical Control Examples
Locked doors, guards, CCTV
Fire detection and suppression
Water detection
Temperature and humidity detection
Electrical grounding and circuit breakers
Temperature and Humidity Detection
Best Practices for Risk Mitigation Security Controls
Ensure the control is effective
Review controls in all areas
Review NIST SP 800-53 families
Redo a risk assessment if a control has changed
Summary
In-place and planned controls
Families of controls defined by NIST
Procedural, technical, and physical controls
10/9/2020