ISC - CPA Exam


459 Terms

1

NIST

-National Institute of Standards and Technology

-Established in 1901 to promote research capabilities

-Improved in 1995 to include cybersecurity

2

Three Standardized Frameworks from NIST

1) NIST Cybersecurity Framework (CSF)

2) NIST Privacy Framework

3) NIST SP 800-53 - Security and Privacy Controls

3

NIST Cybersecurity Framework Components

a) Framework Core

b) Framework Implementation Tiers

c) Framework Profile

4

a) Framework Core

-IDENTIFY: keep record of assets, system users, all systems

-PROTECT: deploy safeguards, regular updates, backups

-DETECT: detect active cyber security attacks, monitor network

-RESPOND: contain cybersecurity event, react, notify affected parties

-RECOVER: support restoration, restore files

*5 functions, 23 categories, 108 subcategories

5

b) Implementation Tiers

-benchmark identifying the degree to which information security practices are integrated throughout an organization

-Tier 1: partial

-Tier 2: risk-informed

-Tier 3: repeatable

-Tier 4: adaptive

6

Tier 1 - partial

-ad hoc, no formal process

-inconsistent actions

7

Tier 2 - risk-informed

-growing company, management approves cybersecurity efforts

-cybersecurity is isolated from risk management

-awareness, but no consistent response to risk

8

Tier 3 - repeatable

-formal, documented policies

-cybersecurity integrated into planning and regularly communicated

9

Tier 4 - adaptive

-responsive to evolving threats

-organization-wide

10

c) Framework Profiles

-measure cybersecurity risk and how to minimize risk

-current profile: current state of organizational risk management

-target profile: desired future state of organizational risk management

*gap analysis: differences between current and desired state

11

2. NIST Privacy Framework

-framework on data protection

-developed to be industry agnostic

-overlap with NIST Cybersecurity Framework

12

Components of NIST Privacy Framework

-Identify: privacy risks related to data processing

-Govern: governance structure (new)

-Control: management structure (new)

-Communicate: dialogue around privacy risks (new)

-Protect: safeguards

-Detect: discovering privacy risks

-Respond: reacting to privacy breach

-Recover: continuing business after privacy breach

13

Privacy Framework Tiers

identical to NIST CSF Tiers

-Tier 1: partial

-Tier 2: risk-informed

-Tier 3: repeatable

-Tier 4: adaptive

Based On:

-RM Process

-RM Program Integration

-External Participation

-Workforce

14

SP 800-53

-NIST Security and Privacy Controls

-applicable to all information systems but STANDARD for federal information security systems

-stricter standards and less cost-effective

-well defined security and privacy requirements

-use of trustworthy information system components

15

SP 800-53: 20 Control Families (be familiar)

-AC: access control

-AT: awareness and training

-AU: audit and accountability

-CA: assessment, authorization, monitoring

-CM: configuration management

-CP: contingency planning

-IA: identification and authentication

-IR: incident response

-MA: maintenance

-MP: media protection

-PE: physical and environmental protection

-PL: planning

-PM: program management

-PS: personnel security

-PT: PII processing and transparency

-RA: risk assessment

-SA: system and services acquisition

-SC: system and communications protection

-SI: system and information integrity

-SR: supply chain risk management

16

SP 800-53: Control Implementation Approaches

-Common Control: Implemented at the organizational level

-System Specific Control: implemented at information system level

-Hybrid Control: combination of entity and system level controls

17

SP 800-53: Intended Audience

individuals with:

-security and privacy assessment and monitoring responsibilities

(auditors, inspectors general, system evaluators, control assessors, independent verifiers and validators, analysts)

-logistical or disposition related responsibilities

-system development responsibilities

18

SP 800-53 - Purpose and Applicability toward other security and privacy requirements

-Office of Management and Budget (OMB) Circular A-130: controls over federal information systems

-Federal Information Security Modernization Act (FISMA): minimum controls over federal info and information systems

19

S1 M2 - Privacy and Data Security Standards

20

Data Breach Consequences

-business disruptions

-reputation harm

-financial loss

-data loss

-legal and regulatory implications

21

Cost of a Data Breach

average cost of $4 million

-detection and escalation expenses: forensic and investigative efforts

-notification: cost to notify consumers and regulators

-post-breach response: paying fines, implementing credit monitoring, ongoing communication to consumers

-loss of revenue

22

HIPAA

-Health Insurance Portability and Accountability Act

-adopt national standards promoting health care privacy and security

-PHI: protected health information

23

HIPAA Covered Entities

-health care providers that transmit PHI electronically

-health plans

-health care clearinghouses (submit health care information to insurance carriers)

-service providers who need access to PHI

24

HIPAA Security Rule

-confidentiality, integrity, and availability of all PHI

-protect against reasonably anticipated threats

-protect against reasonably anticipated impermissible uses or disclosures

-ensure compliance by the covered entity's workforce.

25

HIPAA Safeguards

-administrative safeguards: security management, security training, information access management, contingency plans

-physical safeguards: facility access, workstation security

-technical safeguards: access controls, audit controls, data integrity controls, authentication

26

HITECH

-enacted in 2009 to promote transition from paper to electronic records

-increased penalties for HIPAA violations

-required that patients receive the option to obtain records in electronic form

-added "business associates" as a covered entity

-most significant change: required covered entities to provide notice of a breach to impacted individuals within 60 days of discovery

27

GDPR

-General Data Protection Regulation

-the European Union's general law regarding the privacy of data

-strictest privacy law in the world; imposes steep penalties on violators

28

GDPR Scope Extended

even if not in the EU, GDPR can apply

-data processors based in the EU

-data processors not based in the EU if the processor is offering goods or services to those in the EU or is monitoring the behavior of people in the EU

-data processors not based in EU, but EU law applies

29

GDPR Six Principles

LPDALC

1) Lawfulness, Fairness, Transparency

2) Purpose Limitation (data is for legitimate purposes)

3) Data Minimization (only store what is needed)

4) Accuracy (accurate data, update)

5) Storage Limitation (only store data as long as necessary)

6) Integrity and Confidentiality (data is protected against accidental loss, destruction and damage)

30

Purpose Limitation versus Data Minimization

Purpose Limitation: data must be processed for Specified, Explicit, and Legitimate purposes (SEL)

Data Minimization: data processing must be Relevant, Adequate, and limited to what is Necessary for purpose (RAN)

31

PCI DSS

-Payment Card Industry Data Security Standard

-created for data security for cashless transactions

-created by Payment Card Industry Security Standards Council

32

PCI DSS - 6 Goals

BPVSTP

1) Build and Maintain a Secure Network and Systems

2) Protect Cardholder Data

3) Maintain a Vulnerability Management Program

4) Implement Strong Access Control Measures

5) Regularly Monitor and Test Networks

6) Maintain an Information Security Policy

33

Build and Maintain a Secure Network and Systems - PCI DSS Requirements

1) install and maintain a firewall configuration to protect cardholder data

2) do not use vendor-supplied default passwords

34

Protect Cardholder Data - PCI DSS Requirements

3) protect stored cardholder data

4) encrypt transmission of cardholder data across open, public networks

35

Maintain a Vulnerability Management Program - PCI DSS Requirements

5) protect systems against malware, regularly update anti-virus software

6) develop and maintain secure systems and applications

36

Implement Strong Access Control Measures - PCI DSS Requirements

7) restrict access to cardholder data on a need to know basis

8) identify and authenticate access to system

9) restrict physical access to cardholder data

37

Regularly Monitor and Test Networks - PCI DSS Requirements

10) track and monitor all access to network and cardholder data

11) regularly test security systems and processes

38

Maintain an Information Security Policy - PCI DSS Requirements

12) maintain a policy that addresses information security for all employees

39

Outline of Payment Card Industry

1) customer: makes a purchase

2) retailer/merchant

3) merchant electronic gateway account: retailer submits transaction

4) merchant bank: acquiring bank submits payment request to 3rd party network

5) card network: 3rd party processes payment from issuing bank (customer) to acquiring bank (retailer)

40

S1 M3 - Center for Internet Security (CIS) Part I

41

CIS

-Center for Internet Security

-recommended set of actions, processes, and best practices that can be adopted and implemented by organizations to strengthen cybersecurity defenses

-supported by the SANS Institute

42

CIS Controls Version 8

-18 controls and 153 subcategories known as safeguards

-controls used to be organized by who manages a device

-controls are now task-focused and organized by activities

43

CIS Controls - Design Principles

AMOFF

-Align: controls should map to other cybersecurity standards (NIST, COBIT, HIPAA, NIST 800-53, SOC2)

-Measurable: controls are simple and measurable

-Offense Informs Defense: controls are drafted based on cybersecurity attacker behavior

-Focus: prioritize the most critical problems

-Feasible: controls are practical

44

CIS Implementation Group - IG1

-limited cybersecurity defense mechanisms in place

-cybersecurity expertise is limited

-data is not sensitive (no PII or PHI)

*similar to NIST Tier 1 (Partial) or NIST Tier 2 (Risk-Informed)

45

CIS Implementation Group - IG2

-IT staff who support multiple departments

-sensitive client data

*similar to NIST Tier 3 (Repeatable)

46

CIS Implementation Group - IG3

-security experts in all domains within cybersecurity

-penetration testing, risk management, application security

-sensitive data and likely subject to regulatory oversight

-an attack on these organizations can cause significant damage

*similar to NIST Tier 4 (Adaptive)

47

CIS Control 1: Inventory and Control of Enterprise Assets

*companies must know the totality of IT assets

-use of an IT inventory list

-understanding which devices contain sensitive information

-potential for external devices to connect to a company's network

48

CIS Control 2: Inventory and Control of Software Assets

*track and actively manage software applications

-ensure only authorized software is installed

-software inventory list

-most current software patches are installed

-software reaching end of life is renewed or transitioned out

49

CIS Control 3: Data Protection

*securely manage the entire life cycle of data

-identify, handle, classify, retain, and dispose of data

-classification categories: "internal," "public," "sensitive," "confidential"

-access control lists, access logging mechanisms, data disposal plans

-encryption

50

CIS Control 4: Secure Configuration of Enterprise Assets and Software

*many applications are sold with default configuration settings that present vulnerabilities

-publicly available security standards (CIS Benchmarks or NIST National Checklist Program Repository) can be used for asset reconfiguration

-remove unnecessary software

-change default passwords

-security tools such as firewalls, intrusion detection, data loss prevention (DLP), mobile device management (MDM)

51

CIS Control 5: Account Management

*use processes and tools to assign and manage authorization

-accounts should be inventoried and tracked

-credentials are treated as highly sensitive information

-single sign-on (SSO): one password to sign into all applications

-multifactor authentication (MFA)

52

CIS Control 6: Access Control Management

*processes and tools to create, assign, manage, and revoke access credentials/privileges

-expands on control 5

-"least privilege" and "need to know"

-policies for granting access and revoking access based on job duties and responsibilities

-role-based access control, separation of duties

-policies for granting and revoking access at hiring and termination

53

CIS Control 7: Continuous Vulnerability Management

*continuously identifying and tracking vulnerabilities within infrastructure

-keep current on threats and vulnerabilities in order to defend against them

-assess based on likelihood of exploitation

-classification schemes such as Common Vulnerability Scoring System (CVSS) or Common Vulnerabilities and Exposures (CVE)

54

CIS Control 8: Audit Log Management

*establish an enterprise log management process so that organizations can be alerted and recover from an attack in real time

-system logs: provide a list of events such as start and end times, points of restoration, and system crashes

-audit logs: tied to a specific user, recording when a person logs in or out, accesses a file, or opens an application

55

CIS Control 9: Email and Web Browser Protections

*detect and protect against cybercrime attempted through email and web browsers

-phishing scams and business email compromise

-only updated versions of email clients should be used

-URL filtering and blocking done through domain name system (DNS)

56

S1 M4 - Center for Internet Security (CIS) Part II

57

CIS Control 10: Malware Defenses

*preventing the installation and propagation of malware onto company assets and network

-malware forms: viruses, worms, spyware, adware, keyloggers, ransomware

-software auto-run and auto-play should be DISABLED

-close unneeded network ports

-malware actors use "living off the land" (LotL), which means using the organization's own tools against it

58

CIS Control 11: Data Recovery

*establishes data backup, testing, and restoration

-automated backup process

-off-site storage for backups

-encryption of backup data

59

CIS Control 12: Network Infrastructure Management

*establishes procedures and tools for managing and securing a company's network infrastructure and preventing attackers from exploiting vulnerable access points

-physical and virtual devices: firewalls, gateways, routers, switches, and wireless access points

-network architecture should have documentation and diagrams

-sanity checks to ensure hardware and software work flawlessly

60

CIS Control 13: Network Monitoring and Defense

*processes for monitoring and defending a company's network infrastructure against internal and external security threats

-two common ways networks can be attacked include Denial of Service (DoS) and Ransomware

-tools such as security information and event management (SIEM) help centralize and assist in log analysis

-security or network operations center (SOC or NOC)

61

CIS Control 14: Security Awareness and Skills Training

*establishing security awareness and training programs

-regular training on unusual behavior, social engineering tactics, best practices, risks, and organizational processes

62

CIS Control 15: Service Provider Management

*develop processes to evaluate third-party service providers that have access to sensitive data or manage a company's IT functions

-standards include the Shared Assessments Program for the finance industry and the Higher Education Community Vendor Assessment Toolkit (HECVAT)

-system and organization controls (SOC) audit reports

63

CIS Control 16: Application Software Security

*safeguards that manage the entire life cycle of software that is acquired, hosted, or developed in house

-software development life cycles have shortened and become more complex

-introduce security early in the software development lifecycle (SDLC)

-vulnerabilities include: buffer overflows, cross-site scripting, SQL injection, and race conditions

64

CIS Control 17: Incident Response Management

*establish an incident response management program to detect, respond, and prepare for potential cybersecurity attacks

-program should include designation of key contacts, establishment of an incident response team, and development of communication plans

65

CIS Control 18: Penetration Testing

*test the sophistication of the cybersecurity defense system by simulating actual attacks to find and exploit weaknesses

-goes beyond identifying weaknesses (control 7)

-"red team" exercises focus on tactics, techniques, and procedures (TTPs) to see how an organization fares against certain attackers

-begins with an observation of environment followed by a scan to locate vulnerabilities

66

S1 M5 - COBIT 2019 Framework

67

Control Objectives for Information and Related Technologies (COBIT)

-developed by the Information Systems Audit and Control Association (ISACA) in 1996

-originally developed as a set of standards for auditors that unified unrelated standards

-NOW USED by organizations to implement best practices for IT governance and management

68

COBIT 2019 Overview

used existing COBIT 5 and added:

1) 6 Governance System Principles (VHDDTE)

2) 3 Governance Framework Principles (CFA)

3) Core Model (1 Governance and 4 Management Objectives)

4) 7 Components of Governance Systems (POPICPS)

5) 11 Design Factors

6) Other Focus Areas

69

1) Six Principles for a Governance System

Very Healthy Dieters Do Try Everything

1) provide shareholder VALUE: balance risk and return

2) HOLISTIC approach: IT can comprise diverse components

3) DYNAMIC Governance System: flexible and changing

4) governance DISTINCT From management

5) TAILORED to enterprise needs: no "one size fits all" governance system

6) END-TO-END governance system: considering more than just the IT function

70

2) Three Principles for a Governance Framework

C - based on CONCEPTUAL MODEL: identify key components and the relationship between components

F - open and FLEXIBLE: able to change; add relevant content, remove irrelevant content that conflicts with COBIT

A - ALIGNED to major standards: framework aligns with other regulations, framework and standards

71

3) COBIT Core Model - 1 Governance Objective

EDM: Evaluate, Direct, and Monitor

-evaluate strategic objectives, direct management, monitor if objectives are met

72

EDM Important Components

-risk optimization

-stakeholder engagement

73

3) COBIT Core Model - 4 Management Objectives

APO: Align, Plan, and Organize

-align IT's overall strategy, plan how to use technology, organize the resources for most effective use

BAI: Build, Acquire, and Implement

-build, acquire, and implement IT

DSS: Deliver, Service, and Support

-service requests, problems, continuity

MEA: Monitor, Evaluate, Assess

-continuous monitoring, evaluation, and assessment

74

APO Important Components

Align, Plan, Organize

-managed data

-managed security

-managed risk

75

BAI Important Components

Build, Acquire, Implement

-managed knowledge

-managed change

-managed availability and capacity

-managed solutions and build

76

DSS Important Components

Deliver, Service, Support

-managed problems

-managed continuity

-managed service requests and incidents

77

MEA Important Components

Monitor, Evaluate, Assess

-managed assurance

-managed compliance with external requirements

-managed system of internal control (IC)

78

COBIT 2019: 7 Components to Satisfy Management and Governance Objectives

POP ICPS

1) Processes

2) Organizational Structure

3) Principles, Policies, and Frameworks

4) Information

5) Culture, Ethics, and Behavior

6) People, Skills, and Competencies

7) Services, Infrastructure, and Applications

79

1) Processes - COBIT Governance System

-activities that help achieve IT goals

80

2) Organizational Structure - COBIT Governance System

-decision making entities within organization

81

3) Principles, Policies, and Framework - COBIT Governance System

-guidance for turning desired behavior into practice

82

4) Information - COBIT Governance System

-info needed for governance system to function properly

83

5) Culture, Ethics, Behavior - COBIT Governance System

-factors that influence success of management and governance

84

6) People, Skills, Competencies - COBIT Governance System

-people make sound decisions, corrective actions, complete critical objectives

85

7) Services, Infrastructure, Applications - COBIT Governance System

-governance system tools needed for IT processing

86

COBIT 2019: how to create a tailored enterprise governance system for IT?

-design factors

-focus areas

87

COBIT 2019: 11 Design Factors

1) Enterprise Strategy

2) Enterprise Goals

3) Risk Profile

4) Information and Technology Issues

5) Threat Landscape

6) Compliance Requirements

7) Role of IT

8) Sourcing Model of IT

9) IT Implementation

10) Technology Adoption Strategy

11) Size of Company

88

COBIT Design Factor: Enterprise Strategy

-generally a primary and secondary strategy

-ex. growth/acquisition, innovation/differentiation, cost leadership, client service

89

COBIT Design Factor: Enterprise Goals

-structured based on balanced scorecard

Financial

Customer

Internal (efficiency)

Growth (growth & innovation)

90

COBIT Design Factor: Risk Profile

-current risk exposure for the organization

-risk appetite

91

COBIT Design Factor: Information and Technology

common issues:

-insufficient IT resources

-problems with data quality

-noncompliance with IT regulations

92

COBIT Design Factor: Threat Landscape

-classified as normal or high

-results from geopolitical threats or issues, industry sector, economic issues (out of a company's control)

93

COBIT Design Factor: Compliance Requirements

-classified as low, normal, high

low example: mom and pop coffee shop

normal example: advertising agency (some compliance)

high example: bank (lots of compliance regulations)

94

COBIT Design Factor: Role of IT

IT is categorized as:

-support: not critical for operations

-factory: IT system will have an immediate impact on business operations if it fails

-turnaround: IT system drives innovation but is not required for critical business operations

-strategic: IT system is crucial for both innovation and business operations

95

COBIT Design Factor: Sourcing Model for IT

-IT procurement model the company adopts

-cloud based, built in house, or hybrid

96

COBIT Design Factor: IT Implementation Methods

-Agile Development Method

-DevOps method

-traditional (waterfall) method

-hybrid of these

97

COBIT Design Factor: Technology Adoption Strategy

-First Mover Strategy: adopt emerging technologies (risk takers)

-Follower Strategy: emerging technologies are adopted after they are proven

-Slow Adopter: late to adopt new technologies

98

COBIT Design Factor: Enterprise Size

Large: 250+ employees

Small or Medium: 50-250 full-time employees

99

COBIT Focus Areas

-different types of governance issues, domains, and topics that can be solved by a combination of management and governance objectives

100

COBIT Core Publications

1) COBIT 2019 Framework: Introduction and Methodology

2) COBIT 2019 Framework: Governance and Management Objectives (1 governance, 4 management)

3) COBIT 2019 Design Guide (11 design topics)

4) COBIT 2019 Implementation Guide (continuous improvement)