What is GRC
An integrated collection of capabilities that organizations use to achieve objectives, address uncertainty, and act with integrity. It is integrated with the entire business.
Governance
The means by which an organization is directed and controlled (who we are and how we operate).
Risk
Taking measures to limit the chances of bad outcomes; the center of GRC in practice
People, processes, and technology
GRC involves this, and it takes input from this to ensure companies are protected from risk
Control risk
Develop treatment & response plans for each risk
Compliance
Act of ensuring a standard or set of guidelines is being followed, provides direction when starting GRC
Risk (as a concept)
Likelihood that a loss will occur; loss occurs when a threat exposes a vulnerability
Threat
Any activity that represents a possible danger, external or internal, natural or manmade, intentional or accidental
Vulnerability
A weakness in a system
Loss
Results in a compromise to business functions or assets, tangible or intangible
Tangible loss
Easy to quantify, physical, and has direct financial impact
Intangible loss
Harder to represent, non-physical; an example is a hit to reputation
Tangible Asset
Physical assets that are present in person
Intangible asset
Assets that are digital but still worth protecting
Principle of proportionality
Amount spent on controls should be proportional to the value of the risk
Residual Risk
Risk after risk management is applied
Inherent risk
Full risk of a vulnerability
Contingent risk
Low likelihood, high impact
Significant risk
High likelihood, high impact
Minor risk
Low likelihood, low impact
High incidence risk
High likelihood, low impact
Risk formula
Probability * impact
Unintentional threats
Environmental threats, human error threats, accidental threats, failures
Intentional threats
Greed, Anger, Desire to damage, individuals or organizations with malicious intent
Threat-vulnerability pair
Occurs when a threat exploits a vulnerability, the vulnerability provides a path for the threat
Exploit
The act of taking advantage of a vulnerability
Hubs of vulnerabilities and exploits
Blogs/forums, CVE list, reverse engineering, dark web
NIST
Creates publications and sets standards about topics and technologies
CISA
Gives guidance to companies to help with their security
HIPAA
Passed in 1996 as federal law, creates national standards to protect patient health info.
HIPAA covered entity
Health plans, healthcare clearinghouses, healthcare providers
HIPAA business associate
Any person/org using or disclosing individually identifiable health info to perform or provide functions, activities, or services for a covered entity. Can include anyone that interacts with covered entities.
HHS Office of Civil Rights
Responsible for enforcement of HIPAA and imposes penalties on non-compliant companies
PCI-DSS
Set of standards that any company dealing with credit cards must abide by. Levels based on how many transactions are processed yearly
PCI-DSS Level 1
Applies to companies doing 6 million or more transactions yearly, required to have an internal audit resulting in a report on compliance, as well as submitting a PCI scan quarterly
PCI-DSS Levels 2-3
Must complete a self-assessment once a year and are also subject to a quarterly PCI scan from an approved vendor
PCI-DSS Level 4
Self-assessment and possibly a quarterly scan; fewer than 20,000 transactions yearly.
Six principles of PCI-DSS
Build and maintain secure network
Protect cardholder data
Maintain vulnerability management program
Implement strong access control measures
Regularly monitor networks
Maintain an infosec policy
SOX
Passed to protect public from fraudulent or erroneous practices by corporations and other business entities
SOX cyber application
Keep data safe from insider threats, cyber attacks, and security breaches
SOX data security framework
Ensure financial data security
Prevent malicious tampering of financial data
Track data breach attempts and remediation efforts
Keep logs available for auditors and demonstrate compliance in 90-day cycles
GDPR
Designed to harmonize data privacy laws across EU countries
Personal data
Any info allowing a living person to be directly or indirectly identified
Data controller
Maintains control over provided data; can update, modify, or delete data.
Data processors
Act on behalf of the data controller; have no control over the data
GDPR principles
Lawfulness, fairness, transparency
Purpose limitation
Data minimization
Accuracy
Storage limitation
Integrity and confidentiality
Accountability
NIST 800-37
NIST Risk Management Framework for Information Systems & Organizations
NIST 800-30
NIST Guide for Conducting Risk Assessments
NIST 800-53
NIST Security & Privacy Controls for Information Systems & Organizations
NIST RMF Prepare step
Get ready to execute the NIST RMF by establishing context and priorities for managing enterprise-wide security and privacy risk
Goals include communication, prioritizing requirements and resource allocation, recognizing common controls and baselines, and focusing resources on high value assets
Risk context
All facets of how a risk impacts an organization and how to resolve it
NIST RMF categorize stage
Requires a full review of IT systems in use, system characteristics, and impact of an attack on confidentiality, integrity and availability
NIST RMF select stage
Select controls and allocate them to systems, document the controls in a system security plan, and continuously monitor them.
NIST RMF assess stage
Assess the selection based on candidate qualifications and knowledge, develop the assessment plan, assess the controls, report on effectiveness, remediate the findings, and develop a plan of action for more easily remediable findings
NIST RMF authorize stage
Provides organizational accountability
NIST RMF monitoring stage
Provides situational awareness and privacy of the information system and organization
Risk owner
Usually the person who would be most affected if the risk manifested, has to decide what to do about the risk
RMP Scope
Identify the boundary of the plan and be crystal clear about what the objective is in order to avoid scope creep. Identify stakeholders and draft a scope statement.
Cost benefit analysis formula
Loss before recommendation - loss after recommendation - cost of recommendation
Plan of action and milestones
A POAM is a document that tracks progress and assigns responsibility, allowing management to follow up on progress.
Steps of RMF
Prepare → Categorize → Select → Implement → Assess → Authorize → Monitor
Members of risk assessment team
IT department, Auditors, Business Unit leaders, Legal, HR, Management
Administrative controls
Management-oriented; tells you what you are/aren’t allowed to do; enforced, but can’t physically stop you
Administrative controls examples
Employee management, information classification, awareness training
Logical controls
Software or hardware components that prevent/allow access to the network
Physical controls
Prevent things from happening in the real world, things like bollards, fencing, cameras
Preventative controls
Keep undesirable events from happening
Detective controls
Identify undesirable events that are taking place
Corrective controls
Correct undesirable events that have already taken place
Single Loss Expectancy
The estimated impact, in $, of a single event occurring
Annual Rate of Occurrence
Numerical quantification of impact (number of times annually)
Annual Loss Expectancy
Cost quantification of impact over a year
Data collection methods
Surveys, Interviews, Vulnerability testing, pen testing
SLE formula
Asset value × exposure factor (10,000 × 50% = 5,000)
ALE Formula
SLE * ARO
Cost Benefit Analysis
The cost of a countermeasure against losses should not exceed the value of the losses
Value of countermeasure
ALE - cost of countermeasure
Security control
Countermeasure to avoid, detect, counteract, or minimize security risk
Measure
Proof of action to achieve a purpose
Security measure
Precaution against threats
Control
Process that addresses or lowers a risk
In place control
In place in an operational system, supported by associated documentation
Planned controls
Identified in planning documentation, with a specific implementation date
Defense in depth
Don’t depend on a single security mechanism, have multiple mechanisms to fall back on
Assumption of breach
Design your system to be secure even as value rises and breaches are expected to occur
Fail-safe state
If a control fails, it should still deny the attacker access rather than allowing it
Simplicity
If you don’t understand how a control works, then you don’t know if it’s actually secure
Purpose of a risk assessment
Help management quantify risks and identify and evaluate the effectiveness of controls
Policy
A high-level document that provides overall direction without details
Procedure
Provides the detailed steps needed to implement a policy
Audit location
Normally done by an outside, independent party
Assessment location
Normally done by management team internally
FISMA
Requires federal agencies, contractors, and grantees to implement risk-based, cost-effective security controls to protect information systems
GLBA
Federal law requiring financial institutions to explain their information-sharing practices and protect sensitive customer data
FERPA
Protects privacy of student academic records, including education and health data
CIPA
Requires schools to filter internet access to prevent bad content on school devices
COPPA
Protects the information of children under 13 that use the internet
Identity governance
Securing identities for all users, applications, and data
Identity governance and administration
Managing user accounts from beginning to end
Grouping user access into roles that make sense for various jobs
Allowing users to make requests for things they need
Performing reviews of the access that has been granted
Privileged access management
Allow users to check out privileges rather than hold them 24/7, and holding non-user credentials in a “vault”