Is411 Study Guide

Study Guide IS 411 Security Policies and Implementation Issues A perfect policy will not prevent all threats. Key to determining if a business will implement any policy is cost. Policies support the risk assessment to reduce the cost by providing controls and procedures to manage the risk. A good policy includes support for incident handling. Pg 15 Policy may add complexity to a job but that is not important. Unmanageable complexity refers to how complex and realistic the project is. The ability of the organization to support the security policies will be an important topic.Pg 105 Who should review changes to a business process? Policy change control board, minimally you should include people from information security, compliance, audit, HR, leadership from other business units, and Project Managers (PMs). Pg 172 ————————————————- Policy – a document that states how the organization is to perform and conduct business functions and transactions with a desired outcome. Policy is based on a business requirement (such as legal or organizational) ————————————————- ———————————————— Standard – an established and proven norm or method, which can be a procedural standard or a technical standard implemented organization-wide ————————————————- ————————————————- Procedure – a written statement describing the steps required to implement a process. Procedures are technical steps taken to achieve policy go als (how-to document) ————————————————- ————————————————-Guideline – a parameter within which a policy, standard, or procedure is suggested but optionalpg 11-13 Resiliency is a term used in IT to indicate how quickly the IT infrastructure can recover. Pg 279. The Recovery Time Objective (RTO) is the measurement of how quickly individual business processes can be recovered. Recovery Point Objectives (RPOs) is the maximum acceptable level of data loss from the point of the disaster. The RTO and RPO may not be the same value. Pg 287 Policies are the key to repeatable behavior.To achieve repeatable behavior you just measure both consistency and quality. Oversight phases to operational consistency: * Monitor * Measure * Review * Track * Improve pg 40 Find ways to mitigate risk through reward. Reward refers to how management reinforces the value of following policies. An organization should put in place both disciplinary actions for not following policies and recognition for adhering to policies. This could be as simple as noting the level of compliance to policies in the employee’s annual review. Pg 78 Domain | Key policies and controls|User | Acceptable Use Policy (AUP)E-mail policyPrivacy policy – covers physical securitySystem access policy – IDs & passwordsAuthorization – Role Base Access Control (RBAC)Authentication – most important| Workstation| Microsoft system center configuration manager: * Inventory – tracks LAN connections * Discovery – detects software and info installed for compliance * Patch – current patches installed * Help desk – remote access to diagnose, reconfigure, reset IDs * Log – extracts logs to central repository * Security – ensures use rs have limited rights, alerts added administer accounts| LAN| Hub – connects multiple devicesSwitch – can filter trafficRouter – connects LANs or LAN-WANFirewall – filters traffic in and out of LAN, commonly used to filter traffic from public internet WAN to private LANFlat network – has little or no control to limit network trafficSegmented – limits what and how computers are able to talk to each other by using switches, routers, firewalls, etc. | LAN-WAN| Generally, routers and firewalls are used to connect LAN-WAN. Demilitarized Zone (DMZ) provide a public-facing access to the organization, such as public websites. DMZ sits between two layers of firewalls to limit traffic between LAN-WAN| WAN| Unsecure public Internet. Virtual Private Network (VPN) secure and private encrypted tunnel. Firewalls have capability to create and maintain a VPN tunnel.Lower cost, save time for small to medium companies with VPN instead of leased line| Remote A ccess| Enhanced user domainRemote authentication – two factor * Something you know (id/password) * Something you have (secure token) * Something you are (biometric)VPN client communicates with VPN hardware for tunneling, client-to-site VPN:Maintains authentication, confidentiality, integrity and nonrepudiation. | System/Application| Application software is the heart of all business applications. Application transmits the transaction to server. Data Loss Protection (DLP) or Data Leakage Protection (DLP) refers to a program that reduces the likelihood of accidental or malicious loss of data. DLP involves inventory, perimeter (protected at endpoints) and encryption of mobile devices. Pg 67|Motivation – pride (work is important), self-interest (repeat behavior rewarded, most important pg 326), and success (winning, ethical, soft skills). Pg 91 Executive management support is critical in overcoming hindrances. A lack of support makes implementing security policies impossibl e. Listen to executive needs and address in policy. Pg 341 Security policies let your organization set rules to reduce risk to information assets. Pg 22. Three most common security controls are: * Physical – prevent access to device * Administrative – procedural control such as security awareness training * Technical – software such as antivirus, firewalls, and hardware pg 27Information System Security (ISS) is the act of protecting information and the systems that store and process it. Information Assurance (IA) focuses on protecting information during process and use. Security tenets known as the five pillars of the IA model: * Confidentiality * Integrity * Availability * Authentication * Nonrepudiation Policy must be clearly written. Unclear purpose refers to the clarity of value a project brings. In the case of security policies, it’s important to demonstrate how these policies will reduce risk. It’s equally important to demonstrate how the pol icies were derived in a way that keep the business cost and impact low. Pg 104 ———————————————— Head of information management is the single point of contact responsible for data quality within the enterprise. ————————————————- ————————————————- Data stewards are individuals responsible for data quality with a business unit. ————————————————- ————————————————- Data administrators execute policies and procedures such as backup, versio ning, up/down loading, and database administration. ————————————————- ————————————————-Data security administrators grant access rights and assess threats in IA programs. Pg 188 ————————————————- ————————————————- Information security officer identifies, develops and implements security policies. ————————————————- ———————————————à ¢â‚¬â€- Data owners approves access rights to information. ————————————————- ————————————————- Data manager responsible for procedures how data should be handled and classified. ————————————————- ————————————————-Data custodian individual responsible for day-to-day maintenance, grant access based on data owner, backups, and recover, maintain data center and applications. ————————————————- —————â₠¬â€Ã¢â‚¬â€Ã¢â‚¬â€Ã¢â‚¬â€Ã¢â‚¬â€Ã¢â‚¬â€Ã¢â‚¬â€Ã¢â‚¬â€Ã¢â‚¬â€Ã¢â‚¬â€Ã¢â‚¬â€- Data user end user of an application. ————————————————- ————————————————- Auditor are inter or external individual who assess the design and effectiveness of security policies. Pg 115 Separation of duty principle – responsibilities and privileges should be divided to prevent a person or a small group of collaborating people from inappropriately controlling multiple key aspects of a process and causing harm or loss. Pg 156Internal control principle – information security forms the core of an organization’s information internal control systems. Regulations mandate that internal control systems be in place and operating correctly. Organizations rely on technolo gy to maintain business records. It’s essential that such technology include internal control mechanisms. These maintain the integrity of the information and represent a true picture of the organization’s activities. Pg 155 Lines of defense in the service sector: 1. Business Unit (BU) deals with controlling risk daily, mitigate risk when possible. Develops long and short-term strategies, directly accountable. 2. Enterprise Risk Management (ERM) program, team owns the risk process.Provides guidance to BU, aligns policies with company goals, oversight of risk committees and risk initiatives. 3. Independent auditor assures board and executive management the risk function is designed and working well. Pg 192 Health Insurance Portability and Accountability Act (HIPAA) protects a person’s privacy. HIPAA defines someone’s health record as protected health information (PHI). HIPAA establishes how PHI can be collected, processed and disclosed and provides penaltie s for violations. Health care clearinghouses process and facilitate billing. Pg 50 Executive management is ultimately responsible for ensuring that data is protected.Information systems security organization enforces security policies at a program level. The team is accountable for identifying violations of policies. The front-line manager/supervisor enforces security policies at an employee level. Employees are responsible for understanding their roles and the security policies. They are accountable for following those policies. Employees can still be held liable for violations of the law. Employees can be prosecuted for illegal acts. Sampling of key roles to enforce security policies: * General counsel- enforces legal binding agreements * Executive management- implements enterprise risk management * Human resources- enforces disciplinary actions Information systems security organization- enforces polices at program level * Front-line manager/supervisor- enforces policies at employ ee level pg 366 A Privileged-level Access Agreement (PAA) is designed to heighten the awareness and accountability of those users who have administrative rights. Security Awareness Policy (SAP) laws can outline the frequency and target audience. Acceptable Use Policy (AUP) defines the intended uses of computer and networks. A good AUP should accompany security awareness training. Pg 220 Auditors are feared Contractors comply with the same security policies as any other employee (such as an AUP). There may be additional policy requirements on a contractor such as special non-disclosure agreement and deeper background checks. Pg 215Data Class| Class Description| Recovery Period| Examples| Critical| Data must be recovered immediately| 30 minutes| Website, customer records| Urgent| Data can be recovered later| 48 hrs| e-mail backups| Non-vital| Not vital for daily operations| 30 days| Historical records, archives pg 263| U. S. military classification – nation security information document EO 12356. * Top secret – grave damage to national security * Secret – serious damage to NS * Confidential – cause damage to NS * Sensitive but classified – confidential data under freedom of information act * Unclassified – available to the public A Business Continuity Plan (BCP) policy creates a plan to continue business after a disaster. Elements include key assumptions, accountabilities, frequency of testing and part includes BIA.Business Impact Analysis (BIA) purpose is to determine the impact to an organization in the event that key processes and technology are not available. Assets include critical resources, systems, facilities, personnel, and records. Pg 278 Desired results of the BIA include: * A list of critical processes and dependencies * A work flow of processes that include human req to recover key assets * Analysis of legal and regulatory requirements * A list of critical vendors and support agreements * An estimate of the maximum allowable downtime pg 286 Disaster Recovery Plan (DRP) is the policies and documentation needed for an organization to recover its IT assets after a disaster (part of BCP). Pg 288Governance – requires a strong governance structure in place. This includes formal reporting to the board of directors. Most boards receive formal GLBA reporting through the audit committee. The head of information security usually writes this report each quarter. Pg 51 An Incident Response Team (IRT) is specialized group of people whose purpose is to respond to major incidents. The IRT is typically a cross-functional (different skills) team. Pg 297. Common IRT members include: * Information technology SMEs * Information security representative * HR * Legal * PR * Business continuity representative * Data owner * Management * Emergency services (normally outside agency i. e. olice) pg 302 Visa requires its merchants to report security incidents involving cardholder data. Visa classifies incid ents into the following categories: * Malicious code attacks * Denial of service (DOS) * Unauthorized access/theft * Network reconnaissance probe pg 299 Declare an incident, develop a response/procedure to control the incident. Before a response can be formulated, a discussion needs to be made. This involves whether to immediately pursue the attacker or protect the organization. Having a protocol in advance with management can establish priorities and expedite a decision. It is important to have a set of responses prepared in advance.Allowing the attacker to continue provides evidence on the attack. The most common response is to stop the attack as quickly as possible. Pg 309 How do you collect data? A trained specialist collects the information. A chain of custody is established and documented. Digital evidence, take a bit image of machines and calculate a hash value. The hash value is essentially a fingerprint of the image. IRT coordinator maintains evidence log and only copies ar e logged out for review. Pg 311 Why do policies fail? Without cohesive support from all levels of the organization, acceptance and enforcement will fail. Pg 19 Which law allows companies to monitor employees?The Electronic Communication Privacy Act (ECPA) gives employers the right to monitor employees in the ordinary course of business. Pg 356 Policy enforcement can be accomplished through automation or manual controls. Automated controls are cost efficient for large volumes of work that need to be performed consistently. A short list of several common automated controls: * Authentication methods * Authorization methods * Data encryption * Logging events * Data segmentation * Network segmentation pg 361 Microsoft Baseline Security Analyzer (MBSA) is a free download that can query systems for common vulnerabilities. It starts by downloading an up to date XML file. This file includes known vulnerabilities and release patches. Pg 378Business Continuity Plan (BCP) sustain business durin g disaster Continuity of Operations Plan (COOP) support strategic functions during disaster Disaster Recovery Plan (DRP) plan to recover facility at alternate site during disaster Business Recovery Plan (BRP) recover operation immediately following disaster Occupant Emergency Plan (OEP) plan to minimize loss of life or injury and protect property from physical threat pg 292 Extra notes: There are two types of SAS 70 audits: * Type 1 – is basically a design review of controls. * Type II – includes type 1 and the controls are tested to see if they work. Pg 61 Governance, Risk management, and Compliance (GRC) and Enterprise Risk Management (ERM) both to control risk. ERM takes a broad look at risk, while GRC is technology focused.GRC top three best frameworks are ISO 27000 series, COBIT, COSO. Pg 197 Incident severity classification: * Severity 4 – small number of system probes or scans detected. An isolated instance of a virus. Event handled by automated controls. No unauthorized activity detected. * Severity 3 – significant probes or scans. Widespread virus activity. Event requires manual intervention. No unauthorized activity detected. * Severity 2 – DOS detected with limited impact. automated controls failed to prevent event. No unauthorized activity detected. * Severity 1 – successful penetration or DOS attack with significant disruption. Or unauthorized activity detected.Pg 308 To measure the effectiveness include IRT charter goals and analytics. Metrics are: * Number of incidents * Number of repeat incidents (signifies lack of training) * Time to contain per incident (every incident is diff, least important) * Financial impact to the organization (most important to management) Glossary terms Bolt-on refers to adding information security as a distinct layer of control after the fact. Business Impact Analysis (BIA) a formal analysis to determine the impact in the event key processes and technology are not available. Committee of Sponsoring Organizations (COSO) focuses on financial and risk management.Control Objectives for Information and related Technology (COBIT) framework that brings together business and control requirements with technical issues. Detective control is a manual control that identifies a behavior after it has happened. Federal Desktop Core Configuration (FDCC) a standard image mandated in any federal agency. Image locks down the operating system with specific security settings. Firecall-ID a process granting elevated rights temporarily to resolve a problem. Flat network has little or no controls to limit network traffic. Information Technology and Infrastructure Library a framework that contains comprehensive list of concepts, practices and processes for managing IT services. IRT coordinator documents all activities during an incident, official scribe.IRT manager makes all the final calls on how to respond, interface with management. Non-disclosure Agreement (NDA) also known as a confidentiality agreement. Octave is an acronym for Operationally Critical Threat, Asset, and Vulnerability Evaluation. ISS framework consisting of tools, techniques, and methods. Pretexting is when a hacker outlines a story in which the employee is asked to reveal information that weakens the security. Security Content Automation Protocol (SCAP) NIST spec for how security software products measure, evaluate and report compliance. Supervisory Control and Data Acquisition (SCADA) system hardware and software that collects critical data to keep a facility operating.