1. Security and Risk Management


1. CIA Triad

1.1. Information Security Triad

1.1.1. Confidentiality: need to know

1.1.2. Integrity: information is correct and not modified by unauthorized parties

1.1.3. Availability: always up and running

1.2. Three opposites

1.2.1. Destruction

1.2.2. Alteration

1.2.3. Disclosure

2. Security Governance Principles

2.1. Alignment of Security Function to Strategy, Goals, Mission, and Objectives

2.1.1. Security and Risk Management Relationships

2.1.1.1. Assess risk and determine needs

2.1.1.2. Monitor and evaluate

2.1.1.3. Promote awareness

2.1.1.4. Implement policies and controls

2.1.2. Budget

2.1.3. Metrics

2.1.4. Resources

2.1.4.1. System/Network Administrators

2.1.4.2. Policy/Compliance Officers

2.1.4.3. Legal Counsel

2.1.4.4. Quality Assurance Testers

2.1.4.5. Budget Officers

2.1.4.6. Business Analysts

2.1.4.7. Enterprise Architects

2.1.4.8. Software Developers

2.2. Organizational Processes

2.2.1. Acquisitions and Mergers

2.2.2. Divestitures and Spinoffs

2.2.3. Governance Committees

2.3. Security Roles and Responsibilities

2.3.1. Responsibilities of the Information Security Officer

2.3.1.1. Ensuring that the security policies, procedures, baselines, standards, and guidelines are written to address the information security needs of the organization

2.3.1.2. Implementing and operating computer incident response teams (CIRTs)

2.3.1.3. Providing the leadership for the information security awareness program

2.3.1.4. Communicating risks to executive management

2.3.1.5. Ensuring that the information presented to executive management is based upon a real business need and that the facts are represented clearly

2.3.1.6. Staying abreast of emerging regulatory developments to enable a timely response

2.3.1.7. Maintaining the appropriate balance between acceptable risk and ensuring that business operations are meeting the mission of the organization

2.3.2. Security Officer Reporting Models

2.3.2.1. Reporting to the CEO

2.3.2.2. Reporting to the Information Technology (IT) Department

2.3.2.3. Reporting to the Administrative Services Department

2.3.2.4. Reporting to the Insurance and Risk Management Department

2.3.2.5. Reporting to the Internal Audit Department

2.3.2.6. Reporting to the Legal Department

2.4. Control Frameworks

2.4.1. Consistent

2.4.2. Measurable

2.4.3. Standardized

2.4.4. Comprehensive

2.4.5. Modular

2.5. Control Frameworks examples

2.5.1. COSO

2.5.2. ISO27000

2.5.3. ITIL

2.5.4. COBIT

2.6. Due care

2.6.1. The care a “reasonable person” with the same training and experience would exercise under given circumstances

2.6.2. An injured party cannot prove negligence

2.7. Due Diligence

2.7.1. An act of management in furtherance of due care

2.7.2. The actions taken to ensure that policies are being properly applied

3. Compliance

3.1. Legislative and Regulatory Compliance

3.1.1. Governance, Risk Management, and Compliance (GRC)

3.2. Privacy Requirements Compliance

3.2.1. European Union member nations - Data Protection Directive (DPD) 95/46/EC

3.2.2. Australia - Privacy Act

3.2.3. Argentina - Personal Data Protection Law

3.2.4. Canada - Personal Information Protection and Electronic Documents Act (PIPEDA)

3.2.5. United States - Health Insurance Portability and Accountability Act (HIPAA)

3.2.6. United States - Gramm-Leach-Bliley Act (GLBA)

3.2.7. Payment Card Industry (PCI) - PCI Data Security Standard (PCI DSS)

4. Understand Legal and Regulatory Issues that Pertain to Information Security in a Global Context

4.1. Computer Crimes

4.2. Licensing and Intellectual Property

4.2.1. Industrial property

4.2.2. Copyright

4.3. Import/Export Controls

4.3.1. The Wassenaar Arrangement (AR)

4.4. Privacy

4.4.1. The rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information

4.4.2. Personally Identifiable Information (PII)

4.4.3. Organization for Economic Cooperation and Development (OECD) Guidelines

4.4.3.1. Collection Limitation

4.4.3.2. Data Quality

4.4.3.3. Purpose Specification

4.4.3.4. Use Limitation

4.4.3.5. Security Safeguards

4.4.3.6. Openness

4.4.3.7. Individual Participation

4.4.3.8. Data Controller Accountability

4.5. Data Breaches

4.5.1. Incident

4.5.2. Breach

4.5.3. Data disclosure

4.5.4. Vocabulary for Event Recording and Incident Sharing (VERIS)

4.6. Relevant Laws and Regulations

4.6.1. The Privacy Act (Australia: 1988)

4.6.2. Health Insurance Portability and Accountability Act (US:1996)

4.6.3. Sarbanes-Oxley Act (US:2002)

4.6.4. Regulation for Electronic Communication Service (EU:2013)

4.6.5. Privacy and Electronic Communications Regulations (UK: 2013)

5. Understand Professional Ethics

5.1. Ethical Considerations for a CISSP

5.1.1. (ISC)2 Code of Ethics Canons

5.1.1.1. Protect society, the commonwealth, and the infrastructure

5.1.1.2. Act honorably, honestly, justly, responsibly, and legally

5.1.1.3. Provide diligent and competent service to principals

5.1.1.4. Advance and protect the profession

5.2. Ethical Standards

5.2.1. Global responsibility

5.2.2. National

5.2.3. Organizational

5.2.4. Personal

6. Develop and Implement Documented Security Policy, Standards, Procedures, and Guidelines

6.1. Procedures, standards, guidelines, and baselines are components that support the implementation of the security policy.

7. Understand Business Continuity Requirements

7.1. Develop and Document Project Scope and Plan

7.1.1. Project initiation and management

7.1.1.1. Obtain senior management

7.1.1.2. Define a project scope

7.1.1.3. Estimate project resources needed

7.1.1.4. Define timeline and major project deliverables

7.1.2. Risks

7.1.2.1. Financial

7.1.2.2. Reputational

7.1.2.3. Regulatory

7.2. Conduct Business Impact Analysis

7.2.1. Three primary goals

7.2.1.1. Determine Criticality

7.2.1.2. Estimate Maximum Tolerable Downtime (MTD)

7.2.1.3. Evaluate Internal and External Resource Requirements

7.2.2. The BIA Process

7.2.2.1. Gather Information

7.2.2.1.1. Quantitative

7.2.2.1.2. Qualitative

7.2.2.2. Analyze the Information

7.2.2.2.1. Maximum Allowable Downtime (MAD)

7.2.2.2.2. Maximum Tolerable Downtime (MTD)

7.2.2.2.3. Recovery Time Objective (RTO); the RTO must be shorter than the MTD (RTO < MTD)

7.2.2.2.4. Recovery Point Objective (RPO)

7.2.2.3. Perform a Threat Analysis

7.2.2.4. Document Results and Present Recommendations

8. Contribute to Personnel Security Policies

8.1. Employment Candidate Screening

8.1.1. Job Descriptions

8.1.2. Reference checks

8.1.3. Education, licensing, certification and verification

8.1.4. Background investigations

8.2. Employment Agreements and Policies

8.2.1. Code of Conduct

8.2.2. Conflict of Interest

8.2.3. Gift Handling

8.2.4. Ethics Statements

8.2.5. Non-Disclosure

8.2.6. Non-Compete

8.2.7. Acceptable Use

8.2.8. Job rotation

8.2.9. Separation of Duties

8.2.10. Need to Know

8.2.11. Mandatory Vacations

8.3. Employment Termination Processes

8.3.1. Voluntary

8.3.2. Involuntary

8.4. Third party Controls

8.4.1. Vendor

8.4.2. Consultant

8.4.3. Contractor

8.4.4. Non-disclosure agreement

8.5. Privacy

8.5.1. Reasonable Expectation of Privacy (REP)

9. Understand and Apply Risk Management Concepts

9.1. Risk

9.1.1. The probability (likelihood) that a given threat source will exercise a particular vulnerability and the resulting impact should that occur

9.2. Risk Concepts

9.2.1. Threats

9.2.2. Vulnerability

9.2.3. Likelihood

9.2.4. Impact

9.2.5. Countermeasures

9.2.6. Residual risk

9.3. Security and Audit Frameworks and Methodologies

9.3.1. COSO (Committee of Sponsoring Organizations of the Treadway Commission)

9.3.1.1. Control environment

9.3.1.2. Risk assessment

9.3.1.3. Control activities

9.3.1.4. Information and communication

9.3.1.5. Monitoring

9.3.2. ITIL (IT Infrastructure Library)

9.3.2.1. Service Strategy

9.3.2.2. Service Design

9.3.2.3. Service Transition

9.3.2.4. Service Operation

9.3.2.5. Continual Service Improvement

9.3.3. COBIT (Control Objectives for Information and Related Technology)

9.3.3.1. COBIT 5.0

9.3.3.2. Val IT 2.0

9.3.3.3. Risk IT

9.3.3.4. IT Assurance Framework (ITAF)

9.3.3.5. Business Model for Information Security (BMIS)

9.3.4. ISO 27002:2013

9.3.4.1. Information security policy

9.3.4.2. Organization of information security

9.3.4.3. Human resources security

9.3.4.4. Asset management

9.3.4.5. Access control

9.3.4.6. Cryptography

9.3.4.7. Physical and environmental security

9.3.4.8. Operations security

9.3.4.9. Communications and operations management

9.3.4.10. Systems acquisition, development, and maintenance

9.3.4.11. Supplier relationships

9.3.4.12. Information security incident management

9.3.4.13. Information security aspects of business continuity management

9.3.4.14. Compliance

9.4. Qualitative Risk Assessment

9.4.1. Description: Ordinal scales (such as high, medium, and low) must be used to express risk

9.4.2. Phases

9.4.2.1. Approval

9.4.2.2. Form a risk assessment team

9.4.2.3. Analyze data

9.4.2.4. Calculate risk

9.4.2.5. Countermeasure recommendations

9.5. Quantitative Risk Assessment

9.5.1. Description: The hallmark of a quantitative assessment is the numeric nature of the analysis

9.5.2. Phases

9.5.2.1. Management approval

9.5.2.2. Construction of a risk assessment team

9.5.2.3. Review of information currently available within the organization

9.5.3. Components

9.5.3.1. Annualized Loss Expectancy (ALE) = SLE × ARO

9.5.3.2. Single Loss Expectancy (SLE) = Asset Value (in $) × Exposure Factor (loss due to a successful threat exploit, as a %)

9.5.3.3. Annual Rate of Occurrence (ARO)

9.5.4. Goal No countermeasure should be greater in cost than the risk it mitigates, transfers, or avoids.
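The ALE/SLE/ARO components in 9.5.3 and the cost-effectiveness goal in 9.5.4 are easiest to see as one worked calculation. The following Python module is an added example, not part of the mind map or of any CISSP material it summarises; the asset value, exposure factors, occurrence rates and countermeasure costs are constructed sample figures, and the "customer database" asset and the countermeasure are hypothetical.

```python
"""Quantitative risk assessment: SLE, ALE and countermeasure cost-effectiveness.

Added worked example (not from the original outline). All figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One asset/threat pair expressed with the three quantitative inputs the outline lists."""
    asset_value: float      # Asset Value (AV), in dollars
    exposure_factor: float  # Exposure Factor (EF): fraction of AV lost per successful exploit, 0.0 to 1.0
    aro: float              # Annual Rate of Occurrence (ARO): expected events per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. An EF outside [0, 1] is a data-entry error, so it is rejected."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError(f"exposure factor must be between 0 and 1, got {exposure_factor}")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO may exceed 1 (several events a year) or be a fraction (one event every N years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def scenario_ale(scenario: RiskScenario) -> float:
    """Convenience wrapper: ALE for a complete scenario."""
    sle = single_loss_expectancy(scenario.asset_value, scenario.exposure_factor)
    return annualized_loss_expectancy(sle, scenario.aro)


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_safeguard_cost: float) -> float:
    """Annual value of a countermeasure = ALE before - ALE after - annual cost of the countermeasure.

    A positive result means the control costs less than the risk it mitigates, which is the
    selection goal in 9.5.4; a negative result means the control is more expensive than the risk.
    """
    return scenario_ale(before) - scenario_ale(after) - annual_safeguard_cost


def recommend(before: RiskScenario, after: RiskScenario, annual_safeguard_cost: float) -> dict:
    """Return the full calculation so the numbers can be presented alongside the decision."""
    value = safeguard_value(before, after, annual_safeguard_cost)
    return {
        "ale_before": scenario_ale(before),
        "ale_after": scenario_ale(after),
        "annual_cost": annual_safeguard_cost,
        "net_value": value,
        "recommended": value > 0,
    }


# Constructed sample: a hypothetical customer database valued at $500,000. A successful
# compromise is estimated to destroy 25% of that value, on average once every two years.
BASELINE = RiskScenario(asset_value=500_000, exposure_factor=0.25, aro=0.5)
# A hypothetical countermeasure leaves the exposure factor unchanged but cuts the ARO
# to one event every ten years.
WITH_CONTROL = RiskScenario(asset_value=500_000, exposure_factor=0.25, aro=0.1)


def demo() -> tuple:
    """Compare the same control at two constructed annual prices."""
    cheap = recommend(BASELINE, WITH_CONTROL, annual_safeguard_cost=20_000)   # net +30,000: worth buying
    costly = recommend(BASELINE, WITH_CONTROL, annual_safeguard_cost=60_000)  # net -10,000: fails the 9.5.4 goal
    return cheap, costly


if __name__ == "__main__":
    for label, result in zip(("$20k/year control", "$60k/year control"), demo()):
        print(label, result)
```

With these inputs SLE is $125,000 and the baseline ALE is $62,500; the control reduces ALE to $12,500, so a $20,000-a-year control is worth $30,000 a year while the same control at $60,000 a year costs $10,000 more than the risk it removes. The same functions work for any scenario expressed in the outline's terms, including controls that lower the exposure factor instead of the ARO.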

9.6. Identify Threats and Vulnerabilities

9.6.1. Vulnerabilities: An inherent weakness in an information system, security procedures, internal controls, or implementation that could be exploited by a threat source

9.6.2. Threat sources

9.6.2.1. Environmental

9.6.2.2. Human

9.6.2.3. Nature

9.6.2.4. Technical

9.6.2.5. Physical

9.6.2.6. Operational

9.6.3. Likelihood: the chance that something might happen

9.6.4. Impact: Definitions of impact in an organization often include loss of life, monetary loss, loss of market share, system downtime, and others

9.7. Risk Response

9.7.1. Risk Avoidance

9.7.2. Risk Transference

9.7.3. Risk Acceptance

9.7.4. Risk Mitigation

9.8. Risk Assignment

9.8.1. The organization owns the risks that are present during operation of the company

9.9. Risk Frameworks

9.9.1. COSO:2013

9.9.1.1. Internal environment

9.9.1.2. Objective setting

9.9.1.3. Event identification

9.9.1.4. Risk assessment

9.9.1.5. Risk response

9.9.1.6. Control activities

9.9.1.7. Information and communication

9.9.1.8. Monitoring

9.9.2. ISO 27005:2008

9.9.3. AS/NZS and 31000:2009

9.9.4. ISO Guide 73:2009

9.9.5. NIST Special Publications 800-37 and 800-39

9.9.6. ISACA (2009) Risk IT Framework

9.10. Countermeasure Selection

9.10.1. Accountability

9.10.2. Auditability

9.10.3. Whether source is trusted

9.10.4. Cost-effectiveness

9.10.5. Security

9.10.6. Protections for confidentiality, integrity, and availability of assets

9.10.7. If it creates additional issues during operation

9.10.8. If it leaves residual data from its function

9.11. Implementation

9.11.1. Design Considerations for Security Architects

9.11.1.1. What framework(s) should I use as points of reference?

9.11.1.2. What business issues do I need to take into account?

9.11.1.3. Who are my stakeholders?

9.11.1.4. Why am I only addressing this and not that area of the business?

9.11.1.5. How will I be able to integrate this system design into the overall architecture?

9.11.2. Deployment Considerations for Security Practitioners

9.11.2.1. What tool(s) should I use to set up and deploy these systems?

9.11.2.2. Who are the end users of this system going to be?

9.11.2.3. Why am I only being given "x" amount of time to get this done?

9.11.2.4. How will I be able to integrate this system design into my existing network?

9.11.2.5. Where will I manage this from?

9.11.3. Management Considerations for Security Professionals

9.11.3.1. What are the metrics that I have available to manage these systems?

9.11.3.2. Who do I need to partner with to ensure successful operation of the system?

9.11.3.3. Why are we not addressing this or that concern?

9.11.3.4. How will I be able to communicate the appropriate level of information regarding the system to each of my user audiences?

9.11.3.5. Where will I find the time to be able to do this?

9.12. Controls

9.12.1. Directive

9.12.2. Deterrent

9.12.3. Preventive

9.12.4. Compensating

9.12.5. Detective

9.12.6. Corrective

9.12.7. Recovery

9.13. Access control types

9.13.1. Administrative

9.13.2. Physical

9.13.3. Logical / Technical

9.14. Control Assessment

9.14.1. Effectiveness Assessment Methods

9.14.1.1. Vulnerability Assessment

9.14.1.2. Penetration testing

9.14.1.2.1. Strategies

9.14.1.2.2. Categories

9.14.1.2.3. Methodology

9.14.1.3. Application security testing

9.15. Asset Valuation

9.15.1. Types

9.15.1.1. Tangible

9.15.1.2. Intangible

9.16. Continuous Improvement

9.16.1. Plan

9.16.2. Do

9.16.3. Check

9.16.4. Act

10. Understand and Apply Threat Modeling

10.1. Identification of Threats

10.1.1. Potential Attacks

10.1.1.1. Social Engineering: An attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems

10.1.1.2. Pretexting Attacks: The act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information

10.1.1.3. Phishing Attacks: Use e-mail or malicious websites to solicit personal information by posing as a trustworthy organization

10.1.1.4. Baiting Attacks: The attacker leaves a malware-infected CD-ROM or USB flash drive in a location sure to be found, gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use the device

10.1.1.5. Tailgating Attacks: The attacker walks in behind a person who has legitimate access

10.1.2. Perform Reduction Analysis

10.1.2.1. Establish frameworks of trust on an employee/personnel level

10.1.2.2. Identify sensitive information and exposure to social engineering

10.1.2.3. Establish security protocols, policies and procedures for handling sensitive information

10.1.2.4. Train employees in security protocols relevant to their position

10.1.2.5. Perform unannounced, periodic tests of the security framework

10.1.2.6. Review the above steps regularly

10.1.2.7. Use a waste management service

11. Integrate Security Risk Considerations into Acquisitions Strategy and Practice

11.1. Hardware, Software, and Services

11.2. Regular Third-Party Assessment

11.2.1. On-site assessments

11.2.2. Document exchange and review

11.2.3. Process / Policy review

11.2.4. SLA: SLAs define the agreed-upon level of performance and the compensation or penalty between the provider and the customer

11.3. Minimum Security Requirements

11.3.1. Understanding fully what a project will deliver is critical to its success

11.4. Service Level Requirements (SLR)

11.4.1. Contains the requirements for a service from the client viewpoint

12. Establish and Manage Security Education, Training, and Awareness

12.1. Appropriate Levels of Awareness, Training, and Education in the Organization

12.1.1. Security awareness: addresses the "why" of policy

12.1.2. Awareness Activities and Methods

12.1.2.1. Courses

12.1.2.2. Posters

12.1.2.3. Intranet

12.1.2.4. Awareness mentor

12.1.2.5. Reference

12.1.2.6. Business unit walk-throughs

12.1.3. Training topics

12.1.3.1. Corporate security policies

12.1.3.2. Organizational security program

12.1.3.3. Regulatory compliance requirements

12.1.3.4. Social engineering

12.1.3.5. Business continuity / Disaster recovery

12.1.3.6. Security incident response

12.1.3.7. Information labeling and handling

12.1.3.8. Physical security

12.1.3.9. Proper care and handling of security credentials

12.1.3.10. Risk assessment

12.1.4. Job Training and Content Relevancy