governance
a process whereby senior management exerts strategic control over business functions through policies, objectives, delegation of authority, and monitoring
information security governance
a collection of top down activities intended to control the security of the organization, from a strategic perspective to ensure that information security supports the business
ISG processes
personnel management, change management, risk management, incident management, configuration management, & business continuity plan
board of directors role in csec
they are not in charge of cybersecurity management, but in charge of cybersecurity oversight, meaning they set expectations for management
5 principles for effective cybersecurity at the board level
cybersecurity as a strategic risk
legal and disclosure implications
board oversight structure and access to expertise
an enterprise framework for managing cyber risk
cybersecurity measurement and reporting
ISA-ANSI framework
outlines seven steps in establishing cyber team
strategy
the path that you have outlined, communicated, and documented that the organization will follow from where you are (current state) to where you want to be (strategic state)
digital transformation
costs rising greatly; integrates technology to reshape business operations and value delivery
security strategy
security participants, objectives, development, constraints, and resources
security strategy objectives
business alignment, risk appetite alignment, effective risk management, value delivery, resource optimization, and performance measurement
security strategy participants
board of directors, executive management, security leader, security team, and outside experts
NIST CSF
govern, identify, protect, detect, respond, recover
security strategy development
improvements in protective controls, incident visibility, and incident response; reductions in risk and cost; increased resiliency of key business systems
security strategy constraints
resistance to change, normalcy bias, culture, staff capabilities, time, budget and cost, legal and regulatory obligations
risk
the likelihood of a threat source exploiting a vulnerability and the corresponding business impact
risk management
the process of identifying and assessing risk, reducing it to an acceptable level, and ensuring it remains at that level
holistic risk management
tier 1: organization, tier 2: mission/business processes, tier 3: information systems
risk management process
frame, assess, monitor, respond
NIST 800-30
focused on computer systems and IT security
facilitated risk analysis process FRAP
intended to be used to analyze one system, application, or business process at a time
OCTAVE
used to assess all systems, applications, and business processes
failure modes and effect analysis FMEA
used to determine functions and identifying functional failures causes and effects; used in product development and operational environments
single loss expectancy SLE
a monetary value that is assigned to a single harmful event; asset value x exposure factor
exposure factor
the percentage of a loss a threat could have on an asset
annualized loss expectancy
SLE x annualized rate of occurrence (ARO)
annualized rate of occurrence ARO
an estimated frequency of a specific threat taking place within 12-month timeframe
risk responses
transfer, avoid, accept, & mitigate
risk monitoring
the ongoing process of adding new risks, reevaluating old ones, removing moot ones, and assessing the effectiveness of controls at mitigating all risks to acceptable levels
information security program
consists of a collection of activities such as policies, procedures, controls, and practices aimed at safeguarding the CIA of information assets
ISP steps
risk management, policies and procedures, incident response, awareness and training, asset classification, and third-party risk management
security framework
a structured set of guidelines, best practices, and standards designed to help orgs manage and improve their cybersecurity posture; help ensure that orgs implement comprehensive security controls and can comply with regulatory requirements
government regulation examples
GDPR and CCPA
industry specific regulations
HIPAA and PCI DSS
standards and frameworks
NIST 800-53, ISO 27001
SMART
specific, measurable, attainable, relevant, timely
information asset
BLANK
asset classification
public, internal only, restricted, highly confidential
AAA
authentication, authorization, accounting
authentication
knowledge-based authentication
biometric authentication
ownership-based authentication
multi-factor authentication
authorization
access control
access controls
DAC, MAC, RBAC (rule and role), risk BAC
accounting
measures the resources a user consumes during access; can include the amount of system time or the amount of data a user has sent/received
information security control
the procedures, mechanisms, systems, and other measures designed to reduce risk through compliance to policies
information security control classification
detective, deterrent, preventive, corrective, compensating, recovery
detective
this type of control is used to record both wanted and unwanted events
deterrent
this type of control exists to convince someone that they should not perform some unwanted activity
preventive
this type of control is used to prevent the occurrence of an unwanted event
corrective
this type of control is activated after some unwanted event has occurred
compensating
this type of control is enacted because some other direct control cannot be used
recovery
this type of control is used to restore a system or an asset to its pre-incident state
types of information security control
technical controls, administrative controls, and physical controls
attack framework
MITRE ATT&CK
cyber kill chain
data
digital asset and should be treated with asset security
data lifecycle
create, store, use, share, archive, destroy
states of data
data at rest, data in motion, data in use
data loss prevention
a program or set of tools and policies designed to prevent the unauthorized access, sharing, or distribution of sensitive or confidential data within an organization
primary goal of DLP
to protect sensitive information from being leaked, stolen, or exposed to unauthorized individuals within and outside the organization
data destruction
overwriting, encryption, degaussing, and physical destruction
overwriting
replacing the 1s and 0s with a random/fixed pattern of 1s and 0s
encryption
encrypting with a strong key
degaussing
removing or reducing the magnetic field patterns, a strong magnetic force is applied to the media
physical destruction
shredding or exposing to corrosive chemicals
security training and awareness
includes education, training, and awareness
supply chain risk
raw materials, supplier, manufacturer, distributor, retailer, consumer
third-party risk
freelancers/contractors, consultants, outsourced IT technicians, external sales agents/brokers, lawyers, cloud providers, marketing agencies, & payment processors
supply chain risk management
high level enterprise: strategy, implementation, plan & policy
mid level mission & business process: strategies, policies, & implementation plans
low level operational: plans
vendor selection and due diligence TPRM
risk assessment, background checks, certifications and compliance audits
contracts and service level agreements (SLAs) TPRM
clear contract terms, SLAs for security and performance, termination clauses
AAA in TPRM
limit access, monitoring and logging, multi-factor authentication
data protection and privacy TPRM
CIA triad, DLP
incident response and contingency planning TPRM
clear contract terms, data breach notification clauses, business continuity and disaster recovery
exit strategy and offboarding TPRM
access revocation, termination procedures
training and awareness TPRM
security awareness training, policy adherence