Governance, Risks, and Compliance
Control Categories:
Managerial: Control that address sec design, implementation and sec policies.
Operational: Control implemented by people: guards, phishing awarness campaign.
Technical: Control implemented using systems: firewall, OS control, IPS.
Control Types:
Preventive: Prevents access to. Security guards, door lock, firewall.
Detective: Cannot prevent but detect. Motion detector, IDS.
Corrective: Designed to mitigate damage. Backup to mitigate ransomeware, IPS to block IPs.
Deterrent: Discourages attacker. Warning signs, login banner.
Compensating: Doesn't prevent an attack. Hot site, backup power system, re-image or restore from backup.
Physical: Fences, lock, mantraps.
Security Regulation and Standards
Complaince: Meeting standards of laws, policies, and regulations. Industry specific. Pentalties for not coping.
GDPR:
General Data Protection Regulation.
Europian Union regulation for data protection and privacy for individuals in the EU. Name, address, photo, email, bank details, etc.
Controls export of personal data. User can decide where their data go.
Individial right to be forgotten from site.
PCI DSS:
Payment Card Industry Data Security Standards.
Standard for protecting credit cards.
Protects cardholder details. Build, maintains and reguarly monitors secure infrastructure.
Security Frameworks
Centre for Internet Security (CIS):
Critical Security Controls (CSC)
Categorized for different organization sizes. Designed for IT professionals - includes implmentation.
NIST RMF:
Risk Management Framework (RMF)
Mandetory for US Federal agencies and oranizations which handle federal data.
NIST CSF:
Cybersecurity Framework (CSF)
Framework core: Indentify, Protect, Detect, Respond, Recover.
ISO/IEC Frameworks:
International Organization for Standardization (ISO). International Electrotechnical Commision.
ISO/IEC 27001: Standard for Information Security Management Systems (ISMS)
ISO/IEC 27002: Code of practice for Information Security Controls.
ISO/IEC 27701: Privacy Information Management System (PIMS).
ISO 31000: International Standards for risk management practices.
SSAE SOC Type I/II:
The American Institute of Certified Public Accountants (AICPA) auditing standard Statement on Standards for Attestation Engagements number 18 (SSAE 18).
SOC 2 - Trust Service Criteria (security controls). Firewalls, intrusion detection, and MFA.
Type I audit: Tests controls in place at a particular point of time.
Type II audit: Tests controls over a period of 6 consecutive months.
Cloud Security Alliance:
Security in cloud computing.
Cloud Control Matrix (CCM)
Controls are mapped to standards, best practices and regulations.
Secure Configuration
Default configs are not secure. Manufacturer's hardening guide is the key.
Web server hardening: Huge potential of data leaks, server access.
Info leakage: banner grabbing.
Permissions: should not be run from priviliged account and have minimum permissions.
Configure SSL: Managing and installing certs.
Log files: to monitor access and error logs.
OS Hardening: Varity of OS need updates, sec patches.
User account should be secured with password policies.
Implementation of network access and sec.
Monitoring and securing using AV, Anti-malware.
Application Server: Programming langs, runtime libraries, etc.
b/w webserver and DB. Also called middleware.
Unnecessary services should be dissabled.
Security Patching.
File permissions should be limited. Access from other devices should be limited.
Network Infrastructure devices: Switches, routers, firewalls, IPS, etc.
Purporse-built OS: embedded OS.
Don't use default config, use manufacturer's guide to harden sec.
Constantly check for updates from manufaacturer's.
Personal Security
Acceptable Use Policy (AUP): Detailed documentations, Rule of Behaviours.
Covers topic regarding internet use, telephone, computer, mobiles.
Used by organization to limit legal liability.
Business Policies:
Job Rotation: Keep moving people b/w responsibilities.
Mandatory Vacation: Rotate others thorugh job, to identify fraud.
Seperation of Duties: Split knowledge. Ex: two people know parts of PIN. Also known as Dual Control.
Clean Desk Policy: When you leave nothing should be on the desk. Limits the exposure of sensitive informations.
Least Privileges: Rights and permisions should be set at bare minimum. Don't allow users to run with administrative privileges.
Background Checks: Pre-employment screening. Verify applicant's claims. Discover criminal activities.
Adverse Action: An action that denies employment based on background checks. Requires extensive documents. Can also include existing users.
Personal Security Procedures:
NDA: Confidential agreement/Legal contract. Prevents the use of confidential confidential information.
Social Media Analysis: Gather data from social media to build personal profile.
On-boardring:
New hires. IT agreements needs to be signed. Includes creating new accounts.
Off-boarding:
Pre-planned. Plans decides what happens to hardware and the data. Account informations are usually deactivated but not always deleted.
User traning:
Gamification. CTFs. Phishing simulation. Computer-based training (CBT) - automated pre-built training, includes videos, audios, O&As for all users to have same experience.
Role-based security awarness training:
Training users before providing access.
Specialized training for each user according to their roles.
Also applied to third-parties.
Detailed documentation for records.
Third-party Risk Management
Vendors: Every organization works with vendors. Payroll, customer, relationship management, travel, raw materials.
Important data is often shared. Risk assessment is imporant.
Contracts of clear undersanding should be used.
Supply Chain: The system involved with creating a product. Involves organizations, people, activities, and recources.
Supply Chain Assessment:
Get a product or service from supplier to customer.
Evaluate coordination between groups.
Indentify areas of improvement.
Assess the IT systems supporting the operation.
Document the business process change.
Business partner: Much closer to data than vendor. May require direct access, therefore larger security concern.
Involves communication over a trusted connection. More difficult to monitor traffic.
Partner risk management should be involved.
Additional security between partners.
Common agreement:
Service Level Agreement (SLA): Minimum terms of service provied. Commonly used between customer and service provider.
Memorandum of Understanding (MOU): Both sides agree on the contents of memorandum. Statements of confidentiality. Informal letter of intent; not signed contract.
Measurement System Analysis (MSA): Used with quality management systems. Access the measurement process. Calculate measurement uncertanity.
Business Partnership Agreement (BPA): When going into business together. Decides owner stakes, financial contracts, decision-making agreement, prepare for contengencies.
Product Support Lifetime:
End of Life (EOL): Manufacturer stops selling product. MAY continue supporting product. Important for security updates and patches.
End of Service Life (EOSL): Manufacturer stops selling products and support is no longer available for the product. No ongoing security patches and updates. May continue on premium prices.
Non-disclosure Agreement (NDA): Confidential agreement between parties. Information in the agreement should not be disclosed.
Unilateral or bilateral (or multilateral) One way NDA or mutual NDA.
Formal contract where signature is usually required.
Managing Data
Data Governance: Rules, processes, and accountability assosiated with an organization's data.
Data Steward: Manages the governance processes. Responsible for data accuracy, privacy, and security. Associate sensitive label to data and ensures complaice with any applicable laws and standards.
Data Classification: Identify data types: Personal, Public, Restricted, etc.
Associate governance controls to be classification levels. Then according to data classification, data steward puts label on it.
Data Retention: Keeps files that change frequently for version control.
Recover from virus infection.
Often legal requirements for data retention. Some data are required to be stored for a longer time like emails.
Credential Policies
Credential Management:
Passwords must not be embedded in the application. Everything should reside on server.
Communication across the network should be encrypted.
Personnel Accounts: An account on a computer associated with a specific person. The computer associate the user with a specific identification number.
Storage and files can be private to that user, even if another person is using that computer.
Privileged access to the OS should be restricted, especially with user account.
Third Party Accounts: Access to external third party systems can come from anywhere. 2FA is must. Audit the security posture of third party. All users should have their own account.
Device Accounts: Access to devices - mobile devices.
Issue device certificate to restrict unknown devices to authenticate.
Require lock screen as a standard.
Manage devices using MDM.
Add additional security - geographical based, associate a device with a user.
Service Accounts: Usedf exclusively by services running on a computer.
No interactive/user access. Web server, db server..
Access can be defined for a specific service account.
Commonly uses usernames and passwords.
Administrator/root accounts: Elevated access to one or more systems. (super user access).
This account should not be used for normal administrations.
Needs to be highly secured.
Scheduled password changes.
Organizational Policies
Change Management: How to make changes? Upgrade softwware, change firewall configuration, modufy switch ports.
Should have clear policies.
Change Control: The formal process of mamageing managing change.
Helps avoid downtime, confusion, and mistakes.
Determine the scope, analyze risks, create plan, get approvals, present propocal to control board, have a backout plan incase change does not work, document the changes.
Asset Management: Indentify and track computing assets, usually an automated process.
Helps responder faster to security problems. Keep an eye on most valuable assets.
Track licenses, amount of licenses in need.
Verify all devices are up to date including digital signatures and malware signatures.
Risk Management Types
Risk Management: Identify assets that could be affected by an attack. Includes hardware, customer data, Intellectual property (IP).
Determine the level of risk - high, medium, low.
Make future security plans.
Risk Assessment:
External threats: outside the organization.
Internal threats: employees, partners, ex-employee.
Legacy Systems: outdated, older technlogies, that may not be supported by the manufacturer.
Multi-party Risk: Breach involving multiple parties. Often trusted business relationship. Events involve many different parties.
Risk Assessment:
Intellectual Property (IP): Theft of ideas, inventions, creative expressions.
Software compliance/licensing: Operational risk with too few license or financial riskl with too many. Legal risk if proper license is not followed.
Risk Management Strategies:
Acceptance: A business decision to take all risk.
XYZ is being attacked by phishers, it decided to rely on its anti-phishing software rather than training users.
Risk-avoidance: Stop participating in high-risk activity.
Stop using outdated technologies.
Transference: Buy some cybersecutiry insurance.
Which will help in financial crisis.
Mitigation: Decrease the risk level.
Investing in cybersecurity software, hardwares
Risk Analysis
Evaluating Risk:
Risk Register: Indentifying and documenting risk associated with every step during builing a project.
Risk matrix/heat map: Viewing the result of risk asessment based on colour based visual chart, where likelihod and consequence of the risk is merged to find overall risk.
Audit Risk Model:
Inherent Risk: Impact + Likelihood. Risk that exists when security controls are NOT places.
Resisual Risk: Inherent risk + controll effectiveness. Risk that exists when security controls are in place.
Risk appetite: The amount of risk an organization is willing to take.
Risk Control Assessment: Controlling risks after creating heat maps.
Find the gap. Often formal audit. Self-assessment in smaller org.
Build and maintain security systems based on the requirements.
Determine if existing controls are compliant or non-compiant.
Risk Awareness: New risks are always emerging. Difficult to manage defence.
Knowledge is the key. Every employee's daily job role.
Maintaining awareness by ongoing group discussion, presenting law enforcement, attenting security conferences and programs.
Regulations that affect risk posture: Requires a minimum level of infosec
HIPPA: Health Insurance Portability and Accountability Act.
Privacy to patient records.
New storage requirements, network sec, protect against threats.
GDPR: General Data Protection Regulation.
EU data protection and privacy.
Personal data must be protected and managed for privacy.
Qualitative Risk Management: Indentify significant risk factors by asking opinions about the significance.
Quantative Risk Assessment:
ARO: Annualized Rate of Occurance - How likely hurricane will hit?
SLE: Single Loss Expectancy
Monetary loss of a single event.
ALE: Annualized Loss Expectancy
ARO * SLE
Business impact can be more than monetory. Qualitative vs quantative.
Disaster Type:
Envoirnmental threats: Tornado, hurricane, earthquake..
Person-made threats: Human intent, negligence, error, riots.
Internal and External
Business Impact Analysis
Recovery:
Recovery Time Objective (RTO): Time to get up and running quickly.
Recovery Point Objective (RPO): Amount of data that is okay to be unavailable.
Mean Time To Repair (MTTR): Time required to fix issue after an outage..
Mean Time Before Failures (MTBF): If there is a failure, how long before next failure?
Functional Recovery Plan: Recovery from outage.
Step-by-step guides, contact infos, technical process, recover and test.
Removing single point of failures:
Network configs, facilities, utilities, people, location. Money drives redundancy.
Disaster Recovery Plan (DRP): Detailed plan for resuming operations after a disaster.
Extensive planning prior to disaster about backups, off-site data replication, cloud alternatives, remote site.
Site risk assessment:
All location are a bit different. Recovery plans should consider unique envoirnments - applications, personnel, equipment, work envoirnment.
Privacy and Data Breaches
Information life cycle:
Creation of data internally or receive data from 3rd party.
Distribution - records are sorted and stored.
Use - for business decisions, product creation and services.
Maintenance - of outgoing data retrival and data transfers.
Disposition - Archiving or disposal of data.
Consequences:
Reputation damage, identity theft, fines for lawsuit settlement, Intellectual Property (IP) theft.
Notification:
Internal escalation process - breach is often found by technicans.
External escalation process - know when to ask for external assistance, from security experts.
Public notification and disclosures - delays might lead to criminal investigation.
Privacy impact assessment (PIA):
New business relationship, product updates, website features, service offering almost everything can affect privacy.
Privacy risk needs to be identifies in each initiative.
Advantages: fix privacy issue, avoid breach, shows imporance of privacy to everyone.
Notices:
Terms of service - terms of use, terms and conditions (T&C).
A legal agreement between service provider and user.
Privacy notice, privacy policy. These may be required by the law.
Data Classifications
Labeling Sensitive Data: Not all data has the same level of sensitivity. Different level requires different security and handling. Ex: license tag number v/s health records.
Data Classification:
Proprietary: Data that is property of an organization. May include trade secrets, often data is unique to an organization.
PII: Personal Identifiable Information.
Data used to identify an individual.
Includes name, dob, biometric infos.
PHI: Protected Health Information.
Health insurance associated with an individual. Health status, health care records, payment for health care.
Public / Unclassified: No restrictions on viewing this data.
Private / Classified / Restricted / Internal Use Only:
Restricted access, may require NDA.
Sensitive: IP, PII, PHI
Confidential: Very sensitive, may be approved to view.
Critical: Data that should be available all the time.
Financial Information: Internal Company financial information, customer financial details.
Government data: Open data, transfer b/w govnt entities. May be protected by law.
Customer Data: Data associated with customers. May include user-specific details. Legal handling required.
Enhancing Privacy
Tokenization: Replace sensitive data with non-sensitive data. Common with CC processing. This isn't encryption and no math is involved.
Data Minimization: Minimal Data Collection. HIPPA has a "Minimum Necessary" rule. GDPR - "Personal data shell be adequate, relevant and not excessive in relation to the purposeor purpose for which they are processed."
Some data may not be required and intenal data should be limited.
Anonymization: Make it impossible to identify individual data from a dataset. Allows for data use with privacy concern. Anonymization cannot be reversed.
Data Masking: Data obfuscation. May only be hidden from view. Detail might still be intact in storage. Different techniques are - substituting, shuffling, encrpytion, masking out, etc.
Pseudo-anonymization: Pseudonymization. Replace personal information with pseudonyms. Often used to maintain stastical relationship.
May be reversible.
Random Replacement: A --> B --> C --> D
Consistent Replacement: A --> B, and always will be B.
Data Roles and Responsibilities
Data Responsibility:
Data Owner: Accountable for specific data, often a senior office.
VP of Sales owns customer relationship data.
Treasurer owns financial information.
Data Roles:
Data Controller: Manages the purpose and means by which personal data is procesed,
Data Processor: Processes data on behalf of the data controller. Often a third-party or different group.
Payroll controller and processor:
Payroll department (data controller) defines payroll amounts and timeframes.
Payroll company (data processor) processes payroll and stores employee information.
Additional data roles:
Data custodian/steward: Responsible for data accuracy, privacy, and security.
Last updated