IT Security Governance
Defines who is authorized to make decisions on cybersecurity risk within an organization. Ensures security strategies are aligned with the organization's business objectives and comply with regulations.
IT Security Management
Defines and implements controls to mitigate risks in an organization.
Data Governance
Determines who is authorized to make decisions about data within an organization.
Data Owner
Ensures compliance with policies and procedures. Assigns proper classification to information assets. Determines criteria for accessing information assets.
Data Controller
Determines the purposes for which, and the way in which, personal data is processed.
Data Processor
Processes personal data on behalf of the data controller.
Data Custodian
Implements the classification and security controls for the data with rules set by the data owner. Technical control of data.
Data Steward
Ensures data is supported for business needs and meets regulatory requirements.
Data Protection Officer
Oversees an organization's data protection strategy.
Master Cybersecurity Policy
Blueprint. Strategic plan for implementing cybersecurity controls.
System-specific Policy
Establishes standards for specific devices or systems, such as approved applications, software, operating systems, configurations, hardware, and hardening countermeasures. Example: Setting Up Your Firewall Policy.
Issue-specific Policy
Developed for certain operational issues, circumstances or conditions. Example: Email and Internet Acceptable Use Policy.
Identification and authentication policy
Who should be permitted access to network resources, and the verification procedures used to confirm their identity.
Password policy
Minimum password requirements, such as the number and type of characters, and how often passwords need to be changed.
Acceptable use policy
Access to and use of network resources. Consequences of policy violations.
Remote access policy
How to remotely connect to an organization's internal network. Explains which information is accessible remotely.
Network maintenance policy
Updating an organization's specified operating systems and end-user applications.
Incident handling policy
How to report and respond to security-related incidents.
Data policy
Measurable rules for processing data. Specifies data storage, classification, handling, and disposal.
Credential policy
Rules for composing credentials, such as the minimum and maximum length of a password.
Organizational policy
How work should be carried out.
Security Awareness Training
Prevents employees from falling victim to social engineering attacks such as phishing scams.
User Access Controls
Restricting access to data on a "need to know" principle: access is given only to those who need it for their job.
IDS/IPS Monitoring
Counters the downloading of unauthorized programs or files.
Tracking and monitoring abnormal employee behavior
Mitigates potential erratic job performance and the security risks that come with it.
Common Good approach
Ethical actions should benefit the entire community
Computer-targeted crime
Computer is the target of criminal activity. Examples: malware attack, hacking, DoS
Computer-assisted crime
Computer is used to commit a crime. Examples: theft, fraud
Computer-incidental crime
Computer provides information incidental to an actual crime. Example: storing illegally downloaded videos
Agencies working against cybercrime
Federal Bureau of Investigation Internet Crime Complaint Center (FBI IC3), InfraGard, Software and Information Industry Association (SIIA)
Statutory Law
Laws enacted by a legislature, enforced with civil and criminal penalties. Example: Computer Fraud and Abuse Act
Administrative Law
Legal framework governing the activities of administrative agencies of government. Examples: Federal Communications Commission (FCC), Federal Trade Commission (FTC)
Common Law
Law developed by decisions that have worked their way through the judicial system. Based on precedents and constitutional foundations
Federal Information Security Management Act (FISMA)
Created in 2002. Covers federal agencies' IT systems
FISMA Requirements for Federal Agencies
Risk assessments, Annual inventory of IT systems, Policies and procedures to reduce risk, Security awareness training, Testing and evaluation of all IT system controls, Incident response procedures, Continuity of operations plan
Gramm-Leach-Bliley Act (GLBA)
Finance industry. Opt-out provisions for individuals. Restricts information sharing with third-party organizations
Sarbanes-Oxley Act (SOX)
Corporate accounting industry. Financial and corporate accounting standards
Payment Card Industry Data Security Standard (PCI DSS)
Credit card industry. Contractual rules to protect cardholder payment data and improve confidentiality of network communications
Cryptography regulations
Certain regulations set by the Bureau of Industry and Security on the import and export of commercial encryption products
Electronic Communications Privacy Act of 1986 (ECPA)
Ensure workplace privacy and protection of electronic communications such as email and telephone
Computer Fraud and Abuse Act of 1986 (CFAA)
Amendment to the Comprehensive Crime Control Act of 1984. Prohibits unauthorized access to computer systems. Criminalizes trafficking in passwords and transmitting programs or code that cause damage
Privacy Act of 1974
Code of fair information practices. Governs the collection, maintenance, use and dissemination of personally identifiable information (PII) of individuals in federal agencies
Freedom of Information Act (FOIA)
Public access to US government records
Family Educational Rights and Privacy Act (FERPA)
Parents must approve the disclosure of a student's education records to other parties. Rights transfer from parent to student at 18 years old or upon entering a postsecondary institution
US Children's Online Privacy Protection Act (COPPA)
Protects the privacy of children under 13 years of age. Requires parental consent before an organization collects and uses a child's information
US Children's Internet Protection Act (CIPA)
Protects children under 17 from offensive Internet content and obscene material
Video Privacy Protection Act (VPPA)
Concerns the sharing of videotape, DVD and video game rental records with other parties. Consent to ongoing disclosure may be given for up to two years
Health Insurance Portability and Accountability Act (HIPAA)
Creation of national standards for safeguards to the storage, maintenance, transmission and access to an individual's health information
California Senate Bill 1386 (SB 1386)
Individuals should be given notice in the event of their personal information being lost or disclosed
Privacy policies
Organizational compliance with laws on privacy and data collection
Privacy impact assessment (PIA)
Process that helps ensure PII is properly handled. Generally involves the following: establish the PIA scope, identify key stakeholders, document how the organization handles PII, review legal and regulatory requirements, document any gaps between the requirements and current practices, review findings with key stakeholders
Convention on Cybercrime
First international treaty on cybercrime. Particularly copyright infringement, computer-related fraud, child pornography and network security
Electronic Privacy Information Center (EPIC)
Nonprofit research center in Washington. Promotes privacy and open government laws and policies
Risk Assessment
Determines the quantitative and qualitative value of risk
Security Policy
Constraints on and expected behaviors of individuals. Specifies how data can be accessed and by whom
Organization of Information Security
Governance model for information security
Asset Management
Inventory and classification scheme of information assets
Human Resources Security
Security procedures relating to employees joining, moving within, and leaving an organization
Physical and Environmental Security
Physical protection of facilities and information
Communications and Operations Management
Management of technical security controls
Information Systems Acquisition, Development and Maintenance
Security as an integral part of an organization's information systems
Access Control
Restriction of access rights to network systems, application functions and data
Information Security Incident Management
Approach to anticipating and responding to security breaches
Business Continuity Management
Protect, maintain, and recover business-critical activities following disruptions
Compliance
Ensuring conformance with information security policies, standards and regulations
Control Objectives
High level requirements
Controls
How to accomplish the control objectives
CIA Triad (security principles)
Confidentiality, Integrity, Availability
States of Data (the states the controls must address)
Data in process, Data at rest / data in storage, Data in transit
Safeguards (countermeasures that implement the objectives)
People, Technology, Policy. Created by the National Institute of Standards and Technology (NIST)
Operate and maintain
Support, administration, maintenance
Protect and defend
Identifies, analyzes, and mitigates threats
Investigate
Investigates cybersecurity events and/or cyber attacks
Collect and operate
Provides specialized denial and deception operations and collects cybersecurity information that can be used to develop intelligence
Analyze
Highly specialized review and evaluation of incoming cybersecurity information
Oversee and govern
Provides leadership, management, direction or development and advocacy
Securely provision
Conceptualizes, designs, procures or builds secure IT systems
Basic controls
For organizations with limited resources
Foundational controls
For organizations with moderate resources
Organizational controls
For organizations with significant resources. Builds on the basic and foundational controls and adds: security awareness training program, application software security, incident response and management, penetration tests and red team exercises
Cloud Controls Matrix
Provided by Cloud Security Alliance (CSA). Maps cloud-specific security controls to leading standards, best practices and regulations. Composed of 197 control objectives in 17 domains. De-facto standard for cloud security assurance and compliance
Statement on Standards for Attestation Engagements (SSAE) 18 Service Organization Control (SOC) 2 Audit
Independent audit of the security, availability, processing integrity, confidentiality and privacy of a system. Reports either that controls are in place at a specific point in time (Type I) or that they operated effectively over a period of at least six months (Type II)
Cybersecurity Maturity Model Certification (CMMC)
Aimed at organizations providing services to the US Department of Defense. Verifies that an organization has adequate cybersecurity practices, starting from basic cyber hygiene. Establishes five certification levels ranging from 'basic cyber hygiene practices' to 'enhanced practices that provide more sophisticated capabilities to detect and respond to APTs'
Cybersecurity Analyst
Manage and configure tools to monitor activities. Investigate cyber events and/or reports. Apply security patches
Cybersecurity Engineer
Create new solutions to solve security issues. Configure firewalls and security tools. Implement security policies
Penetration Tester
Apply tools for vulnerability testing. Perform social engineering tests. Make suggestions for security improvements
Vulnerability Scanners
Assess computers, computer systems, networks, or applications for weaknesses. Can help automate security auditing.
Vulnerabilities
Include the use of default or common passwords, missing patches, open ports, misconfigurations in operating systems and software, and active IP addresses.
Commonly used vulnerability scanners
Include Nessus, Retina, Core Impact, and GFI LanGuard.
Network troubleshooting commands
Ipconfig / ifconfig displays TCP/IP settings. Ping tests network connectivity using ICMP. Arp shows the table of known MAC addresses and their IP addresses. Tracert / traceroute traces a packet's route hop by hop to the destination. Nslookup queries a DNS server. Netstat displays the ports a computer is listening on and its active connections. Nbtstat troubleshoots NetBIOS name resolution problems.
Nmap
Used for security auditing and locating network hosts.
Netcat
Gathers information from TCP/UDP network connections; performs port scanning, monitoring, banner grabbing, and file copying.
Hping
Assembles and analyzes packets for port scanning, path discovery, OS fingerprinting, and firewall testing.
Security Information and Event Management (SIEM)
Aggregates log data from security devices, network devices, servers, and applications. Combines similar events to reduce data load, identifies deviations from the norm, and can be costly to purchase and maintain.
Security Orchestration Automation and Response (SOAR)
Collects data about security threats and responds to low-level events without human intervention. Can be integrated into a SIEM.
Security Test and Evaluation (ST&E)
Involves the examination of protective measures to assess the degree of consistency between system documentation and implementation. Should be repeated periodically and whenever changes are made to the system.
Penetration testing
Simulates attacks from malicious sources to determine the feasibility and consequences of a possible attack.
Network scanning
Involves pinging computers, scanning for listening ports, displaying available resources in the network, and may also detect usernames, groups, and shared resources.
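The scanning and banner grabbing described for Nmap and Netcat above, and in the network scanning entry, reduce to a TCP connect probe: open a connection to each port, classify it from the response (an immediate reset means closed, silence until the timeout means filtered), and read whatever the service says first. The script below is an added example, not code from the original page or from either tool; it stands up a constructed local service with a hypothetical banner on an ephemeral 127.0.0.1 port so it runs offline, then scans it concurrently.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-in for a remote service: a local TCP listener that greets
# clients on connect, the way SSH, SMTP or FTP daemons do. Hypothetical banner.
FAKE_BANNER = b"SSH-2.0-ExampleSSHd_1.0\r\n"


def start_fake_service(banner=FAKE_BANNER):
    """Bind a listener on an ephemeral 127.0.0.1 port and serve the banner in a thread.
    Returns (port, server_socket); close the socket to stop the service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def probe(host, port, timeout=0.5):
    """TCP connect scan of one port, plus a banner grab if it is open.
    Returns (port, state, banner) with state in {"open", "closed", "filtered"}:
    a refused connection (RST) means closed; no answer within the timeout means filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return port, "closed", b""
        except OSError:  # timeout, unreachable network, etc.
            return port, "filtered", b""
        try:
            banner = s.recv(256)  # many services talk first; others stay silent
        except OSError:
            banner = b""
        return port, "open", banner.strip()


def scan(host, ports, workers=32):
    """Probe the given ports concurrently; returns {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p), ports))
    return {p: (state, banner) for p, state, banner in results}


def open_ports(result):
    """Sorted list of ports reported open by scan()."""
    return sorted(p for p, (state, _) in result.items() if state == "open")


if __name__ == "__main__":
    port, srv = start_fake_service()
    res = scan("127.0.0.1", [port])
    for p in open_ports(res):
        print(f"{p}/tcp open  banner={res[p][1].decode(errors='replace')!r}")
    srv.close()
```

A connect scan completes the three-way handshake, so the target's logs will show the connection; Nmap's default SYN scan avoids that by never completing it, which needs raw sockets and privileges. Services that wait for the client to speak first (HTTP, for instance) return an empty banner here and need a protocol-specific probe.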
Password cracking
Tests and detects weak passwords.
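Password cracking, as an audit technique, is a dictionary attack: hash every candidate from a wordlist (with common mangling rules applied) and compare against the stored hashes. The example below is added here and is not code from the original page. It runs the same attack against two constructed credential dumps with made-up users and passwords: unsalted SHA-256, where one hash per candidate covers every account at once, and salted PBKDF2, where the salt forces the work to be repeated per account. The wordlist and mangling rules are a tiny stand-in for real ones.

```python
import hashlib
import os


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed audit target: unsalted SHA-256 hashes. Users and passwords are made up.
UNSALTED_DUMP = {
    "alice": sha256_hex("Password1"),
    "bob":   sha256_hex("winter2023!"),
    "carol": sha256_hex("x7#Qm!9zL@pR4vB"),  # long random secret; should survive
}
PLAINTEXTS = {"alice": "Password1", "bob": "winter2023!", "carol": "x7#Qm!9zL@pR4vB"}

# Tiny stand-in for a real wordlist such as rockyou.txt
WORDLIST = ["password", "welcome", "winter", "summer", "letmein", "qwerty"]


def mangle(word):
    """Apply common mangling rules (case changes, digit/symbol suffixes) to a base word."""
    seen = set()
    for base in (word, word.capitalize(), word.upper()):
        for suffix in ("", "1", "123", "!", "2023", "2023!"):
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def candidates(wordlist):
    for word in wordlist:
        yield from mangle(word)


def crack_unsalted(dump, wordlist):
    """Dictionary attack on unsalted hashes: each candidate is hashed once and
    looked up against every user's hash. Returns (cracked, hash_operations)."""
    by_hash = {}
    for user, h in dump.items():
        by_hash.setdefault(h, []).append(user)  # users sharing a password collide
    cracked, ops = {}, 0
    for cand in candidates(wordlist):
        ops += 1
        for user in by_hash.get(sha256_hex(cand), []):
            cracked[user] = cand
    return cracked, ops


def pbkdf2_hex(password: str, salt: bytes, iterations: int = 1000) -> str:
    # Iteration count kept low so the example runs quickly; real deployments use far more.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_salted_dump(plaintexts):
    """Hash each password with its own random salt, as a sound password store does."""
    dump = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)
        dump[user] = (salt, pbkdf2_hex(pw, salt))
    return dump


def crack_salted(dump, wordlist):
    """Same attack against salted hashes: the salt forces a fresh hash of every
    candidate for every user, so the work grows with the number of accounts."""
    cracked, ops = {}, 0
    for user, (salt, target) in dump.items():
        for cand in candidates(wordlist):
            ops += 1
            if pbkdf2_hex(cand, salt) == target:
                cracked[user] = cand
                break
    return cracked, ops


if __name__ == "__main__":
    found, ops = crack_unsalted(UNSALTED_DUMP, WORDLIST)
    print("unsalted:", found, "hash ops:", ops)
    found, ops = crack_salted(make_salted_dump(PLAINTEXTS), WORDLIST)
    print("salted:  ", found, "hash ops:", ops)
```

Both runs recover the two weak passwords and miss the random one; the difference is the cost. The unsalted attack hashes each of the 108 candidates once regardless of how many accounts are in the dump, while the salted attack has to repeat the candidates for every account, and the slow hash multiplies each operation's cost on top of that. That is the argument for salted, iterated password hashing: it does not save a weak password, but it stops one pass over a wordlist from covering a whole user database.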
Log review
Involves reviewing security logs to identify potential security threats, which could involve filtering software to help discover abnormal activity.
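Log review with filtering, and the SIEM behaviour described earlier (combining similar events to reduce data load, then flagging deviations from the norm), come down to three steps: parse raw lines into structured events, aggregate the similar ones, and apply a detection rule to the aggregate. The script below is an added example, not code from the original page or from any SIEM product. It works on a constructed set of sshd log lines with hosts and IP addresses from the documentation ranges; the five-failures-in-sixty-seconds threshold is a hypothetical tuning choice.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (syslog-style, ISO timestamps). One source brute-forces
# its way in, one user mistypes once, the rest is normal activity.
LOG_LINES = """\
2024-03-01T08:00:01 host1 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
2024-03-01T08:00:03 host1 sshd[101]: Failed password for invalid user test from 203.0.113.5 port 40002 ssh2
2024-03-01T08:00:05 host1 sshd[101]: Failed password for bob from 203.0.113.5 port 40003 ssh2
2024-03-01T08:00:07 host1 sshd[101]: Failed password for bob from 203.0.113.5 port 40004 ssh2
2024-03-01T08:00:09 host1 sshd[101]: Failed password for bob from 203.0.113.5 port 40005 ssh2
2024-03-01T08:00:11 host1 sshd[101]: Accepted password for bob from 203.0.113.5 port 40006 ssh2
2024-03-01T08:05:00 host1 sshd[102]: Failed password for alice from 198.51.100.7 port 50001 ssh2
2024-03-01T08:05:04 host1 sshd[102]: Accepted password for alice from 198.51.100.7 port 50002 ssh2
2024-03-01T09:00:00 host1 cron[200]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-01T09:10:00 host1 sshd[103]: Accepted publickey for carol from 192.0.2.9 port 60001 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+)\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Normalize one raw line into a dict; auth events gain result/user/ip fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
          "proc": m["proc"], "msg": m["msg"]}
    a = AUTH_RE.match(m["msg"])
    if a:
        ev.update(result=a["result"], method=a["method"], user=a["user"], ip=a["ip"])
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def summarize(events):
    """Combine similar events: one counter entry per (result, source IP)."""
    return Counter((ev["result"], ev["ip"]) for ev in events if "result" in ev)


def detect_bruteforce(events, threshold=5, window_s=60):
    """Flag a source that fails `threshold` logins within `window_s` seconds, and
    any successful login from that source at or after the burst."""
    by_ip = defaultdict(list)
    for ev in events:
        if "result" in ev:
            by_ip[ev["ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if e["result"] == "Failed"]
        burst_end = None
        for i in range(threshold - 1, len(fails)):  # sliding window over failures
            if (fails[i] - fails[i - threshold + 1]).total_seconds() <= window_s:
                burst_end = fails[i]
                break
        if burst_end is None:
            continue
        alerts.append({"ip": ip, "rule": "failed_login_burst", "failures": len(fails)})
        for e in evs:
            if e["result"] == "Accepted" and e["ts"] >= burst_end:
                alerts.append({"ip": ip, "rule": "success_after_burst", "user": e["user"]})
                break
    return alerts


if __name__ == "__main__":
    events = parse_log(LOG_LINES)
    for key, n in summarize(events).most_common():
        print(f"{n:3d}  {key[0]:8s} {key[1]}")
    for alert in detect_bruteforce(events):
        print("ALERT", alert)
```

The summary is what a SIEM shows on a dashboard; the alerts are what it escalates. Note that the single failure from 198.51.100.7 followed by success is left alone: the rule keys on rate, not on failure alone, which is what keeps a typo from paging the on-call analyst.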