Podcast
Questions and Answers
What are the key principles of information security that are critical for safeguarding data?
What are the key principles of information security that are critical for safeguarding data?
Confidentiality, Integrity, and Availability.
Explain the importance of risk assessment in information security management.
Explain the importance of risk assessment in information security management.
Risk assessment identifies vulnerabilities and threats, allowing organizations to prioritize their security measures.
What role does encryption play in ensuring information security?
What role does encryption play in ensuring information security?
Encryption transforms data into a coded format, preventing unauthorized access during storage and transmission.
Describe how security policies contribute to organizational information security.
Describe how security policies contribute to organizational information security.
Signup and view all the answers
What is the significance of user awareness training in information security?
What is the significance of user awareness training in information security?
Signup and view all the answers
How do firewalls contribute to network security?
How do firewalls contribute to network security?
Signup and view all the answers
What is the purpose of incident response planning in information security?
What is the purpose of incident response planning in information security?
Signup and view all the answers
Explain the difference between a vulnerability and an exploit in the context of information security.
Explain the difference between a vulnerability and an exploit in the context of information security.
Signup and view all the answers
What is multi-factor authentication, and why is it important?
What is multi-factor authentication, and why is it important?
Signup and view all the answers
In what ways can companies mitigate insider threats within their organization?
In what ways can companies mitigate insider threats within their organization?
Signup and view all the answers
Study Notes
Chapter 12: Information Security Maintenance
- Information security maintenance is crucial and ongoing
- Change is inevitable, so programs must adapt
- Organizations must avoid complacency after improving their security profiles
- Changes that may occur include the acquisition of new assets, new vulnerabilities, changes in business priorities, and partnerships
- A lack of adaptation can lead to re-engineering efforts, which are more time-consuming and expensive.
Learning Objectives
- Discuss the need for ongoing maintenance of the information security program
- List recommended security management models
- Define a full maintenance program model
- Identify key factors for external and internal environment monitoring
Learning Objectives (cont'd)
- Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance
- Explain how to build readiness and review procedures into information security maintenance
- Define digital forensics and describe the management of the digital forensics function
- Describe the process of acquiring, analyzing, and maintaining potential evidentiary material
Introduction
- Organizations should avoid overconfidence after improving their information security profile.
- Organizational changes might include acquiring new assets, new vulnerabilities, shifting business priorities and/or dissolving/forming partnerships
- Failure to adapt can make reengineering the security profile necessary, which is more costly.
Security Management Maintenance Models
- A management model is essential for managing and operating an ongoing security program.
- Models (frameworks) structure tasks of managing a particular set of business functions or activities.
NIST SP 800-100 Information Security Handbook
- NIST SP 800-100 provides managerial guidance for establishing and implementing an information security program.
- It outlines 13 areas of information security management.
- Each task requires specific monitoring activities.
- Ongoing monitoring is crucial.
- Not all issues are negative.
NIST SP 800-100 Information Security Handbook (cont'd)
- Information security governance requires agencies to monitor program status for proper support of agency mission, ensure current policies and procedures are aligned with technology, and make sure controls meet intended purposes.
- A system development life cycle (SDLC) is needed for the overall process of developing, implementing, and retiring information systems.
NIST SP 800-100 Information Security Handbook (cont'd)
- Awareness and training programs are critical to tracking activities, assessing program status, and ensuring evolution.
- Capital planning and investment control is used to facilitate and control expenditure of agency funds.
- Select-control-evaluate investment life cycle is essential.
Figure 12-1: Select-Control-Evaluate Investment Life Cycle
- The cycle includes selecting IT investments, controlling their management, and evaluating their effectiveness.
NIST SP 800-100 Information Security Handbook (cont'd)
- Interconnecting systems can expose organizations to heightened risk but also offers increased efficiency, centralized data access, and functionality when properly managed.
- Performance measures and metrics support decision-making in a six-phase iterative process.
Figure 12-3: Information Security Metrics Development Process
- This process involves stakeholders, goals and objectives, goal/objective redefinition, policy updates, program result, and program implementation. Metrics development and selection focus on efficiency and effectiveness, including service delivery, program performance, and value management measurement.
NIST SP 800-100 Information Security Handbook (cont'd)
- Security planning is among the most important responsibilities in security management and should focus on recovery procedures.
- Risk management includes identifying, analyzing, and managing risks to ensure an ongoing process and effort.
Figure 12-4: Information Security Metrics Program Implementation Process
- The figure illustrates a process for data collection, analysis, identifying corrective actions, and obtaining and applying resources.
Figure 12-5: The NIST Seven Step Contingency Planning Process
- The seven steps include developing a contingency planning process, identifying critical IT resources and performing business impact analysis, identifying preventive controls, developing recovery strategies, developing a plan, testing, training, and exercising, and maintaining the plan.
Figure 12-6: Risk Management in the System Security Life Cycle
- Diagrams the process of risk management within the system security life cycle by incorporating various NIST standards.
NIST SP 800-100 Information Security Handbook (cont'd)
- Security assessments & certifications are necessary components of a security program.
- Regular audits of security controls are essential.
- Security services and product acquisition, incident response procedures, and configuration management are important aspects.
Figure 12-7: The Information Security Services Life Cycle
- Shows a six-phase iterative process for the information security services life cycle.
Figure 12-8: The Incident Response Life Cycle
- Shows a three-step process for incident response: preparation (planning), detection and analysis, and containment, eradication, and recovery.
The Security Maintenance Model
- The model directs organizational effort toward maintaining systems based on five subject areas: External monitoring, internal monitoring, planning and risk assessment, vulnerability assessment and remediation, and readiness and review.
Figure 12-10: The Maintenance Model
- A visual representation of the relationships between external and internal monitoring, planning, risk assessment, vulnerability assessments and remediation, and readiness and review aspects of security maintenance.
Monitoring the External Environment
- Aim to gain early awareness of threats.
- Collect and contextualize intelligence from data sources for organizational decision-makers
Figure 12-11: External Monitoring
- Illustrates how external monitoring collects threat data from various sources (vendors, CERTs, and public internet sites) and integrates it into an organizational database.
Monitoring the External Environment (cont'd)
- Data sources provide threat and vulnerability data.
- Transforming raw intelligence into usable information is critical.
- External intelligence comes from various sources, such as vendors, CERTs, and public networks.
- Data analysis should occur within the context of the organization’s security environment.
Monitoring the External Environment (cont'd)
- The monitoring process involves monitoring, escalation, and incident response activities.
- Monitoring results (warnings) should be delivered in specific warning bulletins, summarized periodically, and consist of detailed intelligence on high-risk warnings.
Monitoring the External Environment (cont'd)
- Data collection and management processes should use appropriate formats and integrate raw intelligence, relative risk impact, and communication for timely decision-making.
Figure 12-12: Data Flow Diagrams for External Data Collection
- Illustrates the flow diagram between external monitoring and internal monitoring aspects of security systems
Monitoring the Internal Environment
- Maintains awareness of networks, systems, and security defenses
- Internal monitoring includes tasks like inventorying network devices, managing IT infrastructure and applications, leading the IT governance process, and performing real-time monitoring.
Figure 12-13: Internal Monitoring
- Illustrates how internal threats are identified and threats are collected into organizational databases to be used to identify and implement responses to various threats.
Monitoring the Internal Environment (cont'd)
- Network characterization and inventory are crucial for organizations
- Once characteristics are identified, there needs to be an automated (or manual) method to retrieve and integrate disparate facts concerning the network's components.
- Intruders or threats and their detection needs to be monitored and logged and analyzed
Monitoring the Internal Environment (cont'd)
- Intrusion detection (IDS) systems yield valuable raw intelligence, enabling the identification of current or imminent vulnerabilities.
- Log files provide insight into threat-related information.
- Traffic analysis allows for analyzing attack signatures of unsuccessful attacks, identifying potential vulnerabilities in security efforts
- Difference analysis contrasts the current network state with earlier known states. Unexpected differences indicate potential trouble.
Planning and Risk Assessment
- The primary goal of planning and risk assessment is maintaining oversight of the entire security program. A key part of this is planning activities to help reduce risk
Planning and Risk Assessment (cont'd)
- Risk assessment involves evaluating organizational processes, and security procedures. Organizations should have a formal information security program review and formal project identification, selection, planning, and management processes to introduce risk assessment for all IT projects.
Figure 12-14: Planning and Risk Assessment
- Illustrates how the security team assesses its own program, evaluates risks from IT projects, and assesses operational risks while feeding data into an organizational database, used for risk assessment, program review, and threat identification.
Planning and Risk Assessment (cont'd)
- Periodic reviews of information security programs coupled with planning for program enhancements.
- IT needs of the organization and their impact on the security program should be examined with periodic reviews as part of the annual budget cycle.
- Large projects can be subdivided into smaller projects to achieve more manageable impacts and easier change management.
- Security risk assessments are crucial to drive security program improvements and are essential to determine the projects and processes with organization-wide risk impact.
Vulnerability Assessment and Remediation
- The primary goal is to pinpoint and effectively remediate documented vulnerabilities.
- Various assessment procedures, documenting background information and procedures for resolving identified vulnerabilities, tracking their status, and reporting to their owner are essential aspects.
Figure 12-15: Vulnerability Assessment and Remediation
- Shows the flow of data regarding risk, threats, attack, and vulnerabilities from external and internal environments, helping to make the information useful to the organization regarding vulnerability assessments and remediation needs.
Vulnerability Assessment and Remediation (cont'd)
- Determining vulnerabilities and documenting them, combined with remediation, is critical. The five stages of vulnerability assessment procedures are: planning, scheduling, notification, target selection, test selection, scanning, analysis, and records. Penetration testing (pen tests) can be used to simulate malicious external attacks, but can be done via black-box or white-box techniques, identifying areas of weakness.
Vulnerability Assessment and Remediation (cont'd)
- Internet, Intranet, wireless, and modem vulnerability assessments are all important and involve finding and documenting vulnerabilities in their respective environments.
Vulnerability Assessment and Remediation (cont'd)
- Vulnerability documentation is needed that details information related to vulnerabilities and information assets. Effective documentation is key to effective remediation efforts.
- Remediating vulnerabilities involves repairing the flaw, understanding possible risks, and, if appropriate, accepting some risks.
Readiness and Review
- The main goal of readiness and review is to ensure the information security program is continuously functioning as intended and improving.
- This is achieved via:
- Policy review
- Program review
- Rehearsals
Figure 12-16: Readiness and Review
- Illustrates the process of policy review and the security team maintaining the systems' readiness, leading to rehearsals and war games to ensure security program effectiveness.
Digital Forensics
- Digital forensics investigates attacks and their causes for a variety of possible reasons, including legal or policy-based reasons, by collecting and examining digital data. They preserve data, identify crucial factors, extract data, and interpret data in the context of the investigation.
Digital Forensics (cont'd)
- Digital forensics serves two purposes: investigating incidents of digital malfeasance, and performing root-cause analysis of security incidents.
- Two approaches are used to maintain security: patch and proceed, and pursue and prosecute.
The Digital Forensics Team
- Most organizations lack permanent digital forensics teams.
- Information security group personnel should be trained to manage the forensics process to avoid contaminating evidence
Affidavits and Search Warrants
- An affidavit is sworn testimony by the investigating officer, specifying the facts and place needing investigation, that warrants warrant examination. Once approved by legal authority, it becomes a legitimate search warrant.
Digital Forensics Methodology
- All investigations follow the methodology of identifying relevant items, acquiring the evidence without alteration, ensuring the evidence's authenticity, analyzing the data without modification, and reporting findings.
Figure 12-17: The Digital Forensics Process
- A flow diagram of the steps in a digital forensics process that follows collecting and analyzing evidence, and producing a report for disposition.
Evidentiary Procedures
- Strong procedures for handling potential evidentiary material are necessary to minimize legal challenges.
- Organizations should provide guidance on roles, affidavit/search warrant requirements, methodology, and final report format for investigations.
Summary
- Information security program maintenance is crucial and requires ongoing effort.
- Security management models are vital in planning for ongoing operations.
- It's necessary to monitor both external and internal environments.
- Planning and risk assessment are essential aspects of security maintenance.
Summary (cont'd)
- Understanding the relationships between various aspects, such as vulnerability assessment and remediation within the information security maintenance process, plus digital forensics are vital aspects of ongoing security efforts.
Studying That Suits You
Use AI to generate personalized quizzes and flashcards to suit your learning preferences.
Related Documents
Description
This quiz covers Chapter 12 on Information Security Maintenance, emphasizing the ongoing need to adapt security programs. It explores recommended management models, key factors for monitoring environments, and the importance of planning and assessment in maintaining robust security practices.