Information security Governance and Riskmanagement
Help!
|
|
|
||||||
|---|---|---|---|---|---|---|---|---|
| Fundamental Principle of Security | Objectives: -Availability -Integrity -Confidentiality |
🗑
|
||||||
| Availabilty | Reliability and timely access to data/resources to authorized users. |
🗑
|
||||||
| Integrity | Assurance of accuracy and reliability of systems/information & prevention of unauthorized access. |
🗑
|
||||||
| Confidentiality | Ensures necessary level of secrecy is enforced at each level of data processing & prevents unauthorized disclosure |
🗑
|
||||||
| Shoulder surfing | Viewing information in unauthorized manner by looking over the shoulder of someone else |
🗑
|
||||||
| Social Engineering | Gaining unauthorized access by tricking someone in divulging sensitive information |
🗑
|
||||||
| Vulnerability | Lack of countermeasure or weakness in a countermeasure |
🗑
|
||||||
| Threat | Potential danger associated with the exploitation of a vulnerability |
🗑
|
||||||
| Threat agent | Entity that takes advantage of a vulnerability |
🗑
|
||||||
| Risk | Likelihood of a threat agent exploiting a vulnerability and the corresponding business impact |
🗑
|
||||||
| Exposure | Instance of being exposed to losses |
🗑
|
||||||
| Control or countermeasure | Safeguard that is put in place to reduce a risk |
🗑
|
||||||
| Control Types | 1. Administrative / Management 2. Technical / Logical 3. Physical / Operational All the above controls are preventive in nature |
🗑
|
||||||
| Functionalities of control types | Preventive-avoid an incdnt frm ocurin{Deterrent-to discrge a potntial attker} [Corrective-fixes compnts aftr an incdnt occurd] (Detective-ident incdnts activity/potential intruder) Recovery-brng bak 2 reglr oprtn Compensating-ctrls tat giv altrnt msre |
🗑
|
||||||
| Defense in depth | Implementation of multiple control types & functionalities so that successful penetration and compromise is difficult to attain |
🗑
|
||||||
| Security through obscurity | Placing door key under doormat |
🗑
|
||||||
| British standard 7799 ( BS 7799 ) | - Developed by UK in 1995 published by British standards Institution. - Part 1 control objectives and range of controls to meet those objectives - Part 2 Outlines how security program (ISMS) can be implemented and maintained |
🗑
|
||||||
| BS 7799 coverage | 1.IS policy for org 2.Creation IS infrastructure 3.Asset classification & control 4.Personal security 5.Physical & envi security 6.Communication and ops mgmnt 7.Access ctrl 8.Syst dev n maintenance 9.Business continuity mgmnt 10.Compliance |
🗑
|
||||||
| ISO/IEC 27000 Origin | ISO & IEC worked together on top of BS7799 launchin a global standard as ISO\IEC 27000. International standard on how to develop and maintain ISMS. |
🗑
|
||||||
| ISO/IEC 27000 | Overview and vocabulary |
🗑
|
||||||
| ISO/IEC 27001 | ISMS requirements |
🗑
|
||||||
| ISO/IEC 27002 | Code of practice for ISM |
🗑
|
||||||
| ISO/IEC 27003 | Guideline for ISMS implementation |
🗑
|
||||||
| ISO/IEC 27004 | Guideline for ISM measurement and metrics framework |
🗑
|
||||||
| ISO/IEC 27005 | Guideline for IS risk management |
🗑
|
||||||
| ISO/IEC 27006 | Guidelines for bodies providing audit and certification of ISMS |
🗑
|
||||||
| ISO/IEC 27011 | ISM guidelines for telecommunications industry |
🗑
|
||||||
| ISO/IEC 27031 | Guideline for IT business continuity |
🗑
|
||||||
| ISO/IEC 27033-1 | Guideline for network security |
🗑
|
||||||
| ISO/IEC 27799 | Guideline for ISM in health industry |
🗑
|
||||||
| ISO/IEC 27007 | Guideline for ISMS auditing |
🗑
|
||||||
| ISO/IEC 27013 | Guideline for integrated implementation of of ISO/IEC 27000-1 and ISO/IEC 27001 |
🗑
|
||||||
| ISO/IEC 27014 | Guideline for IS governance |
🗑
|
||||||
| ISO/IEC 27015 | ISM guidelines for finance and insurance |
🗑
|
||||||
| ISO 27000 series methods | It follows plan-do-check-act cycle Plan-establishing objectives & making plans Do-implementation of plan Check-measuring results against objectives Act-correction & improvement to better achieve success |
🗑
|
||||||
| Enterprise Architecture development | 1. Zachman 2. TOGAF-The open group architecture framework Military oriented arch framework 3. DODAF-Department of defense arch framework 4. MODAF-Ministry of defense arch framework |
🗑
|
||||||
| Zachman enterprise architecture | Created by John Zachman in 1980s and is based on classical business architecture that contains rules that governs a ordered set of people |
🗑
|
||||||
| Zachman Framework | Its 2 dimensional & holds 6 basic communication elements. What,How,Where,Where,Who,When & Why intersecting with different view points Planner,Owner,Designer,Builder,Implementer & Worker The Goal is to look the same organization frm different views |
🗑
|
||||||
| TOGAF | Origin from US DOD Framework Design,Implement and Govern TOGAF is a framework that can be used to develope -Business Arch -Data Arch -Application Arch -Technology Arch TOGAF is used to create individual arch through the use of Arch Dev Method(ADM) |
🗑
|
||||||
| DoDAF | When US military purchases tech products and defense sys, enterprise arch framework docs must be created based on DodAF stds to illustrate how they will integrate with the existing syst. It focus is on cmd,ctrl,commun,comp,intel,surveil,reconnaissance |
🗑
|
||||||
| MODAF | Brit std based on DoDAF. Focus To get data in the right format to the right people ASAP. |
🗑
|
||||||
| Choosing right architecture framework | 1. Need to findout who the stakeholders are and what information they need from the architecture. 2. The architecture needs to represent the company in the most useful manner to the people who need to understand it the best. |
🗑
|
||||||
| Enterprise security architecture Eg.SABSA Model | -Subset of Enterp Arch -Reason for dev is to align security efforts with business practices in a standardized and cost effective manner. -Besides security this type of arch allows to achieve interoperability,integration,ease-of-use,stdzn & governance |
🗑
|
||||||
| How do you know if an organization doesnt have an enterprise security architecture | If u get "YES" for most of the below 1.Does security takes place in Silos throughout the Org? 2.Is there continual disconnect btw Sr.Mgmnt & security staff? 3. Are redundant products purchased for diff depts for overlapping needs? 4.Stovepipe solutns? |
🗑
|
||||||
| Successful Enterprises architecture should have ? | Strategic alignment - means business drivers,regulatory and legal requirements are met Process enhancement - while rolling out security thr is high chance for improving productivity Business enablement - Security should help the Org thrive by supp Busin | Security effectiveness - deals with metrics, meeting SLA, ROI, meeting set baselines and providing management a dashboard or scorecard
🗑
|
||||||
| Enterprise vs System architecture | Enterprise Architecture Addresses the system of an organization System Architecture Addresses the structure of software and computers |
🗑
|
||||||
| Security controls developement | Objectives of the controls to be implemented to accomplish the goals of security program and enterprise architecture | CoBiT
NIST 800-53
🗑
|
||||||
| CoBiT Control Objectives for Information and related technology | Is a framework and control objectives developed by ISACA and IT Governance Institute (ITGI). It defines goals to properly manage IT and to ensure it is aligned to business needs | CoBiT was derived from COSO.
CoBiT has four Domains
Plan and organize
Acquire and Implement
Deliver and support
Monitor and evaluate
🗑
|
||||||
| NIST 800-53 National Institute of standards and technology | NIST s one of the developed standard is Special Publication 800-53.This outlines the controls that agencies need to put in place to be compliant with Federal Information Security Act 2002 |
🗑
|
||||||
| CoBiT vs SP 800-53 | IS auditors in use commercial sector follow CoBiT for their checklist approach to evaluate Org s compliancy with business oriented regulations | Government auditors use SP 800-53 as their "Checklist" approach for ensuring that government agencies are compliant with government oriented regulations
🗑
|
||||||
| COSO Committee of sponsoring organization | COSO Framework Control Environment Risk Assessment Control activities Information and communication Monitoring | CoBiT - IT governance
COSO - corporate governance
🗑
|
||||||
| Sarbanes Oxley Act (SOX) 2002 | US federal law that could send executives to jail if its was discovered that their company was submitting fraudulent accounting findings to the Security Exchange Commission | For a company to be SOX compliant it has to follow COSO model.
Companies commonly implement ISO/IEC 27000 standards and CoBiT to help construct and maintain COSO structure
🗑
|
||||||
| Process Management development | ITIL, Six sigma and CMMI It allows Organization to construct and improve business, IT and security processes in a structured and controlled manner |
🗑
|
||||||
| ITIL | Information Technology Information Library. Its a de facto standard for best practices for IT service management | It focuses more towards internal SLA between the IT department and the "Custromers" it serves
🗑
|
||||||
| Six sigma | It is a process improvement methodology. Was developed by Motorolo with the goal of identifying and removing defects from mgmt process. The maturity of the process is described by sigma rating which indicates the the % of defects that process contains |
🗑
|
||||||
| Total quality management | Its goal is to improve process quality by using statistical methods of measuring operations efficiency and reducing variation, defects and waste |
🗑
|
||||||
| CMMI Capability maturity model | Used in Org to help layout a pathway of how incremental improvement can take place. The crux of CMMI is to develop structured steps that can be followed so an Org can evolve from one level to another and constantly improve processes & security posture | The only way we can improve is
Where we are starting from
Where we need to go and
the steps we need to take in between
🗑
|
||||||
| Blueprint | It will layout the security solutions,processes and components the organization uses to match its business and security needs |
🗑
|
||||||
| Information Security Governance flow | Description (Two storey) - ISO/IEC 27000 Architecture (Foundation,walls) - Security Architecture framework Blueprints ( Doors,window types) Control Objectives (wiring,construction material) |
🗑
|
||||||
| Information Risk Management | Process of identifying and assessing risk and reducing it to an acceptable level and implementing mechanisms to maintain that level |
🗑
|
||||||
| Risk assessment | Tool for risk management,is a method of identifying vulnerabilities and threats and assessing the possible impact to determine where to implement security controls |
🗑
|
||||||
| Risk analysis | goals -Identify assets and their value for Organization -Identify vulnerabilities and threats -Quantify the probability and impact of these potential threats -Provide an economic balance between the impact of the threat and cost of the counter measure | Used to ensure security is cost effective,relevant,timely and responsive to threats
🗑
|
||||||
| Loss potential | Value that the company looses when threat agent exploits a vulnerability |
🗑
|
||||||
| Delayed loss | Delayed loss may include company's reputation, loss of market share etc |
🗑
|
||||||
| Risk assessment methodologies | 1. NIST's SP 800-30 2. FRAP - Facilitated risk analysis process 3. OCTAVE - Operational critical threat asset and vulnerability evaluation 4. AS/NZS 4360 5. ISO/IEC 27005 6. CRAMM - Central computing and telecom Agency Risk Analysis and Mgmnt method |
🗑
|
||||||
| NIST risk management methodology | SP 800-30 It focuses mainly on computer sys and IT security issues. It does not cover large Org threat types like natural disaster, success planning, environmental issue |
🗑
|
||||||
| FRAP | Risk assessment method Facilitated risk analysis process. It focus only on the system that really need assessing to reduce cost and time obligation | Developed by Thomas Peltier. Doesn't provide ALE values. The criticalities are determined by team member experience
🗑
|
||||||
| OCTAVE | Risk assessment method Operational.Created by Carnegie Mellon University's software engineering institute. | Relies on the idea that people working in these environment best understand what is needed and what kind of risk they are facing
🗑
|
||||||
| FRAP vs OCTAVE | FRAP - would be used to assess an application or system OCTAVE - would be used to assess all systems, applications and business process within an Org |
🗑
|
||||||
| ISO/IEC 27005 | International standard for how risk management should be carried out based on ISMS |
🗑
|
||||||
| FMEA | Failure mode effect analysis. It is a method for determining functions, identifying function failures and assessing the cause of failure and their failure effects through a structured process. | It is not useful in discovering complex failure modes that may be involved in multiple systems or subsystems
🗑
|
||||||
| Fault tree analysis | Useful approach in identifying failures that can take place in more complex system. First an undesired effect is taken as the root or top event of the tree logic. Then each situation that has the potential to cause that failure is added to the tree. | Common failures explored through fault tree analysis
1. False alarm
2. Insufficient error handling
3. Sequencing or order
4. Incorrect timing outputs
5. Valid but not expected outputs
🗑
|
||||||
| CRAMM Central computing and telecommunications agency risk analysis and management method | Its not a unique methodology but it has everything in an automated format (Automated tools sold by SIEMENS) | Automated tools contain
Questionnaires, asset dependency modelling, assessment formula and compliancy reporting.
🗑
|
||||||
| Risk assessment approaches | 1. Quantitative - is used to assign monetary and numeric values to all elements 2. Qualitative - It is more of opinion or scenario based and uses rating system to relay the risk levels criticality. | Qualitative techniques - Judgement, best practice, intuition and experience. Examples qualitative technique to gather data is delphi, brainstorming, storyboarding, focusgroups, surveys,questions, checklist, 1to1 meeting and interviews
🗑
|
||||||
| SLE Vs ALE | Equations used in quantitative risk analysis. SLE = Asset value x Exposure factor ALE = SLE x ARO | SLE - single loss expectency
ALE = Annual loss expectency
ARO = Annualized rate of occurance
🗑
|
||||||
| Uncertainity in Risk analysis | Lack of confidence in an estimate. Capturing the degree of uncertainity is important as it helps management decisions |
🗑
|
||||||
| Delphi Technique | Part of qualitative analysis. Its a group decision method used to ensure that each member gives an honest opinion of what he thinks the result of a particular threat will be. |
🗑
|
||||||
| Cost/benefit analysis | Its used in protection mechanism to check cost effectiveness of a control measure. | Cost Benefit
Value of safegaurd=(ALE before safegaurd)-(ALE after safegaurd)-(safegaurd value)
🗑
|
||||||
| Residual risk | The risk that a company faces if it chooses not to have a safegaurd | {Total risk = Threat x vulnerability x asset value}
[Residual risk = (Threat x vulnerability x asset value) x control gap]
Residual risk = Total risk - countermeasures
🗑
|
||||||
| Risk handling | Transfer it, avoid it, reduce/mitigate it or accept it |
🗑
|
||||||
| Policy functionality types / Policy categories | Requlatory - this type of policy ensures that the Org is following stds set by industry regulations. Advisory - This type of policy strongly advices employees as to which types of behaviors/activities should and shouldn't take place in an Org. | 3. Informative - this type of policy informs employees of certain topics. Its not an enforceable policy rather it teaches individuals about specific issues relevant to the company.
🗑
|
||||||
| Standards | refers to mandatory activities/actions or rules |
🗑
|
||||||
| Baselines | Refers to a point in time that is used for future reference |
🗑
|
||||||
| Guidelines | Recommended actions and operational guides to users |
🗑
|
||||||
| Procedures | They're step by step tasks that should be performed to achieve a certain goal |
🗑
|
||||||
| Policy | High level document that outlines senior managements security directives |
🗑
|
||||||
| Policy Types | Organizational, Issue specific and system specific |
🗑
|
||||||
| Information classification levels | 1.Top secret, 2.Secret, 3.Confidential, 4.Private, 5.Sensitive, 6.Sensitive but unclassified, 7.Public, 8.Unclassified |
🗑
|
||||||
| Data classification procedures | 1.Define classification levels, 2.Specify the criteria that will determine how data are classified, 3.Identify data owners who will be responsible for classifying data, 4.Identify data custodian who will be responsible for maintg data and its security lvl | 5.Indicate security ctrls reqd for each classification, 6.Doc any excep in prev classification, 7.indicate process for transfer of custody from data owner, 8.Proced for periodical review, 9.proced for declassifyin data,10.Integrate security awareness prgm
🗑
|
||||||
| Audit committee | Should be appointd by board of directors to help it review nd evaluate the comp's internal operations, internal audit system and the transparency and accuracy of financial reporting so the comp's investors, customers nd creditors have continued confidence |
🗑
|
||||||
| Data owner | Individual responsible for protection and classification of a specific data set |
🗑
|
||||||
| Data Custodian | Individual responsible for implementing and maintaining security controls to meet security requirements outlined by data owner |
🗑
|
||||||
| Separation of duties | Preventive administrative control used to ensure one person cannot carryout a critical task alone |
🗑
|
||||||
| Collusion | Two or more people working together to make fraud. This happens in separation of duties. |
🗑
|
||||||
| Rotation of duties | Detective administrative controls that helps us find the potential fraudulent activities by rotating the responsibilities |
🗑
|
||||||
| Mandatory vacation | Detective administrative controls that helps us find the potential fraudulent activities by sending away a person on leave for a period of time |
🗑
|
||||||
| Security Governance | is a framework that allows for security goals of an org to be set & expressed by Sr.Mgmnt, communicated throughout the diff levels, grant power to entities needed to implement & enforce security & provide a way to verify performance of security activities |
🗑
|
||||||
| Metrics | Measurement activities need to provide quantifiable performance based data that is repeatable, reliable and produces results that are meaningful | ISO 27004:27009 metric system can be followed if needed to be certified by ISO27000 and NIST 800-55 should be followed by governmental oriented companies
🗑
|
||||||
| SABSA What Why How When Where Who | Sherwood Applied Business Security Architecture. Similar to Zachman framework. It is a layered model,with its first layer defining business requirements from a security perspective.Each layer decreases in abstraction and increases in detail. | SABSA is a framework and methodology.It provides a lifecycle model so that the architecture can be constantly monitored and improved.
🗑
|
Review the information in the table. When you are ready to quiz yourself you can hide individual columns or the entire table. Then you can click on the empty cells to reveal the answer. Try to recall what will be displayed before clicking the empty cell.
To hide a column, click on the column name.
To hide the entire table, click on the "Hide All" button.
You may also shuffle the rows of the table by clicking on the "Shuffle" button.
Or sort by any of the columns using the down arrow next to any column heading.
If you know all the data on any row, you can temporarily remove it by tapping the trash can to the right of the row.
To hide a column, click on the column name.
To hide the entire table, click on the "Hide All" button.
You may also shuffle the rows of the table by clicking on the "Shuffle" button.
Or sort by any of the columns using the down arrow next to any column heading.
If you know all the data on any row, you can temporarily remove it by tapping the trash can to the right of the row.
Embed Code - If you would like this activity on your web page, copy the script below and paste it into your web page.
Normal Size Small Size show me how
Normal Size Small Size show me how
Created by:
karthiis4u
Popular Engineering sets