Chapter 16 Security Governance and Compliance PDF

Summary

This document is about security governance practices and the important elements of the cybersecurity policy framework. It covers concepts such as change management, threats, vulnerabilities, mitigations, security program management, and oversight.

Full Transcript


Chapter 16 Security Governance and Compliance

THE COMPTIA SECURITY+ EXAM OBJECTIVES COVERED IN THIS CHAPTER INCLUDE:

Domain 1.0: General Security Concepts

1.3. Explain the importance of change management processes and the impact to security.
- Business processes impacting security operation (Approval process, Ownership, Stakeholders, Impact analysis, Test results, Backout plan, Maintenance window, Standard operating procedure)
- Technical implications (Allow lists/deny lists, Restricted activities, Downtime, Service restart, Application restart, Legacy applications, Dependencies)
- Documentation (Updating diagrams, Updating policies/procedures)
- Version control

Domain 2.0: Threats, Vulnerabilities, and Mitigations

2.5. Explain the purpose of mitigation techniques used to secure the enterprise.
- Least privilege

Domain 5.0: Security Program Management and Oversight

5.1. Summarize elements of effective security governance.
- Guidelines
- Policies (Acceptable use policy (AUP), Information security policies, Business continuity, Disaster recovery, Incident response, Software development lifecycle (SDLC), Change management)
- Standards (Password, Access control, Physical security, Encryption)
- Procedures (Change management, Onboarding/offboarding, Playbooks)
- External considerations (Regulatory, Legal, Industry, Local/regional, National, Global)
- Monitoring and revision
- Types of governance structures (Boards, Committees, Government entities, Centralized/decentralized)

5.3. Explain the processes associated with third-party risk assessment and management.
- Vendor assessment (Penetration testing, Right-to-audit clause, Evidence of internal audits, Independent assessments, Supply chain analysis)
- Vendor selection (Due diligence, Conflict of interest)
- Agreement types (Service-level agreement (SLA), Memorandum of agreement (MOA), Memorandum of understanding (MOU), Master service agreement (MSA), Work order (WO)/Statement of Work (SOW), Non-disclosure agreement (NDA), Business partners agreement (BPA))
- Vendor monitoring
- Questionnaires
- Rules of engagement

5.4. Summarize elements of effective security compliance.
- Compliance reporting (Internal, External)
- Consequences of non-compliance (Fines, Sanctions, Reputational damage, Loss of license, Contractual impacts)
- Compliance monitoring (Due diligence/care, Attestation and acknowledgement, Internal and external, Automation)

5.6. Given a scenario, implement security awareness practices.
- Phishing (Campaigns, Recognizing a phishing attempt, Responding to reported suspicious messages)
- Anomalous behavior recognition (Risky, Unexpected, Unintentional)
- User guidance and training (Policy/handbooks, Situational awareness, Insider threat, Password management, Removable media and cables, Social engineering, Operational security, Hybrid/remote work environments)
- Reporting and monitoring (Initial, Recurring)
- Development
- Execution

Governance structures ensure that organizations achieve their strategic objectives while complying with their obligations. Policy serves as one of the primary governance tools for any cybersecurity program, setting out the principles and rules that guide the execution of security efforts throughout the enterprise. Often, organizations base these policies on best practice frameworks developed by industry groups, such as the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO).
In many cases, organizational policies are also influenced and directed by external compliance obligations that regulators impose on the organization. In this chapter, you will learn about good governance practices and the important elements of the cybersecurity policy framework.

Security Governance

Governance programs are the sets of procedures and controls put in place to allow an organization to effectively direct its work. Without governance, running a large organization would be virtually impossible. Imagine if thousands of employees throughout the organization each had to make their own determinations about which work was most important, who should carry out each function, and how the organization would conduct its work. The organization would quickly find itself in a state of unmanageable chaos.

Governance efforts function at all layers of an organization to coordinate the development and execution of strategic plans. This ensures that every aspect of an organization's work aligns with the organization's strategy and goals.

Corporate Governance

At the highest levels of the organization, corporate governance programs ensure that the organization sets an appropriate strategic direction, develops a plan to implement that strategy, and then executes its strategic plan. This is done through a hierarchical model, such as the one shown in Figure 16.1, which is the common governance model for publicly traded corporations.

This approach is designed for use in an environment where the owners are so numerous or unengaged that they are unable to carry out day-to-day oversight of the company. This is the situation where a publicly traded company typically finds itself. The owners of that company's stock own the corporation, but they may number in the thousands or millions and their membership may change on a daily basis. It would quickly cripple a public corporation if all of its shareholders were required to vote on every action taken by the company.
To alleviate this burden, the shareholders of the company conduct regular meetings where they elect a group of individuals to direct the actions of the corporation on their behalf. This group, known as the board of directors, has ultimate authority over the organization as the owners' representatives. These directors are typically drawn from the major shareholders and have expertise in corporate governance, perhaps having served as senior corporate executives themselves. Although some members of the board may also be employed as senior leaders within the organization, it is considered a best practice in corporate governance for a majority of the members of the board to be independent directors, meaning that they have no significant relationship with the company other than their board membership. In fact, the major stock exchanges each have requirements about the number of independent directors that a corporation must have to qualify for listing on the exchange.

FIGURE 16.1 Typical corporate governance model

Boards typically meet on a fairly infrequent basis, perhaps monthly or quarterly, so it is not practical for a board to dictate the day-to-day operations of the company. Instead, they hire a chief executive officer (CEO) who manages the company's operations. The CEO is hired by the board, may be dismissed by the board, and has their performance reviews and compensation determined by the board. Of course, the CEO also can't control every single function of the organization, so they must hire a team of executives, managers, and individual contributors to perform this work.

Once again, the flow of governance cascades downward. The shareholder owners of the company delegate authority to run the organization to their elected board of directors. The board then hires and manages the CEO, who then hires and manages other senior executives, who hire and manage middle managers, who hire and manage teams of individual contributors.
The size of the management hierarchy depends on the size of the organization and is intended to preserve a reasonable number of direct subordinates for each manager.

The governance model described here is the one used for publicly traded companies. Nonprofit organizations follow a similar model, with the major difference being that the board members are either elected by the membership of the organization or elected in a “self-perpetuating” model, where current board members vote to elect new board members. Privately owned organizations may follow many different governance models. For example, the sole owner of a corporation may also serve as the CEO or carry out the functions of a board on their own. Alternatively, multiple owners of a corporation may each appoint a number of board members proportional to their ownership stake. There are many possible variations on this model, but the key point is that the owners control the organization either directly or through a board that they control.

Governance, Risk, and Compliance Programs

Organizations carry out the work of governance through the creation and implementation of a governance, risk, and compliance (GRC) program. GRC programs integrate three related tasks:
- Governance of the organization, as discussed in this chapter
- Risk management, as discussed in Chapter 17, “Risk Management and Privacy”
- Compliance, as discussed later in this chapter

Information Security Governance

Information security governance is a natural extension of corporate governance. The board delegates operational authority to the CEO, who then delegates specific areas of authority to subordinate executives. For example, the CEO might delegate financial authority to the chief financial officer (CFO) and operational authority to the chief operations officer (COO). Similarly, the CEO delegates information security responsibility to the chief information security officer (CISO) or other responsible executive.
This hierarchical approach to governance helps ensure that information security governance efforts are integrated into corporate governance efforts, ensuring that the organization's information security program supports broader organizational goals and objectives. The CISO and CEO must work together to ensure the proper alignment of the information security program with corporate governance.

The CISO then works with other peers on the senior management team to design and implement an information security governance framework that guides the activity of the information security function and ensures alignment with the organization's information security strategy. This governance framework may take many different forms. It normally involves the establishment of a management structure for the cybersecurity team that aligns with management approaches used elsewhere in the organization.

The information security governance framework should also include the mechanisms that the security team will use to enforce security requirements across the organization. This is particularly important because the CISO does not exercise operational control over the entire organization but needs management leverage to ensure the organization meets its cybersecurity requirements. This is normally done through the creation of policies that apply to the entire organization, as discussed later in this chapter.

The lines of authority for the cybersecurity function flow through the defined corporate governance mechanisms of the organization. The CISO and other security leaders should use existing reporting and communications channels when available and establish new channels when necessary. They should also include escalation procedures in the event that the cybersecurity team requires management assistance getting traction in other areas of the organization.
Types of Governance Structures

The governance model described in this chapter is the one most commonly used in for-profit businesses, but many organizations have their own unique approaches to security governance. These approaches fit into two major categories:
- Centralized governance models use a top-down approach where a central authority creates policies and standards, which are then enforced throughout the organization.
- Decentralized governance models use a bottom-up approach, where individual business units are delegated the authority to achieve cybersecurity objectives and then may do so in the manner they see fit.

Exam Note
Be able to tell the difference between centralized and decentralized governance models. These topics come directly from the SY0-701 exam objectives!

In addition to using a formal board of directors, governance structures may incorporate a variety of internal committees consisting of subject matter experts (SMEs) and managers. Government entities, such as regulatory agencies, may also play a role in the governance of some organizations. For example, banks may be regulated by the U.S. Treasury Department or similar agencies in other countries.

Understanding Policy Documents

An organization's information security policy framework contains a series of documents designed to describe the organization's cybersecurity program. The scope and complexity of these documents vary widely, depending on the nature of the organization and its information resources. These frameworks generally include four types of document:
- Policies
- Standards
- Procedures
- Guidelines

In the remainder of this section, you'll learn the differences between each of these document types. However, keep in mind that the definitions of these categories vary significantly from organization to organization and it is very common to find the lines between them blurred. Though at first glance that may seem incorrect, it's a natural occurrence as security theory meets the real world.
As long as the documents are achieving their desired purpose, there's no harm and no foul.

As you prepare the documents in your policy framework, you should not only take into account your organization's business objectives but also consider external considerations that may impact your policies. These include:
- Regulatory and legal requirements that mandate the use of certain controls
- Industry-specific considerations that may alter your approach to information security
- Jurisdiction-specific considerations based on global, national, and/or local/regional issues in the areas where you operate

Policies

Policies are high-level statements of management intent. Compliance with policies is mandatory. An information security policy will generally contain broad statements about cybersecurity objectives, including the following:
- A statement of the importance of cybersecurity to the organization
- Requirements that all staff and contractors take measures to protect the confidentiality, integrity, and availability of information and information systems
- Statement on the ownership of information created and/or possessed by the organization
- Designation of the CISO or other individual as the executive responsible for cybersecurity issues
- Delegation of authority granting the CISO the ability to create standards, procedures, and guidelines that implement the policy

In many organizations, the process to create a policy is laborious and requires very high-level approval, often from the CEO. Keeping policy statements at a high level provides the CISO with the flexibility to adapt and change specific security requirements with changes in the business and technology environments. For example, the five-page information security policy at the University of Notre Dame simply states:

The Information Governance Committee will create handling standards for each Highly Sensitive data element. Data stewards may create standards for other data elements under their stewardship.
These information handling standards will specify controls to manage risks to University information and related assets based on their classification. All individuals at the University are responsible for complying with these controls.

By way of contrast, the federal government's Centers for Medicare & Medicaid Services (CMS) has a 95-page information security policy. This mammoth document contains incredibly detailed requirements, such as:

A record of all requests for monitoring must be maintained by the CMS CIO along with any other summary results or documentation produced during the period of monitoring. The record must also reflect the scope of the monitoring by documenting search terms and techniques. All information collected from monitoring must be controlled and protected with distribution limited to the individuals identified in the request for monitoring and other individuals specifically designated by the CMS Administrator or CMS CIO as having a specific need to know such information.

The CMS document even goes so far as to include a complex chart describing the many cybersecurity roles held by individuals throughout the agency. An excerpt from that chart appears in Figure 16.2.

FIGURE 16.2 Excerpt from CMS roles and responsibilities chart
Source: Centers for Medicare and Medicaid Services Information Systems Security and Privacy Policy, May 21, 2019. (www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/CMS-IS2P2.pdf)

This approach may meet the needs of CMS, but it is hard to imagine the long-term maintenance of that document. Lengthy security policies often quickly become outdated as necessary changes to individual requirements accumulate and become neglected because staff are weary of continually publishing new versions of the policy.
Organizations commonly include the following documents in their information security policy library:
- Information security policy that provides high-level authority and guidance for the security program
- Incident response policy that describes how the organization will respond to security incidents
- Acceptable use policy (AUP) that provides network and system users with clear direction on permissible uses of information resources
- Business continuity and disaster recovery policies that outline the procedures and strategies to ensure that essential business functions continue to operate during and after a disaster, and that data and assets are recovered and protected
- Software development life cycle (SDLC) policy that establishes the processes and standards for developing and maintaining software, ensuring that security is considered and integrated at every stage of development
- Change management and change control policies that describe how the organization will review, approve, and implement proposed changes to information systems in a manner that manages both cybersecurity and operational risk

Exam Note
The policies listed here are specifically mentioned in the SY0-701 exam objectives. Be sure that you're familiar with the nature and purpose of policies related to information security, incident response, acceptable use, business continuity, disaster recovery, SDLC, and change management as you prepare for the exam.

Standards

Standards provide mandatory requirements describing how an organization will carry out its information security policies. These may include the specific configuration settings used for a common operating system, the controls that must be put in place for highly sensitive information, or any other security objective. Standards are typically approved at a lower organizational level than policies and, therefore, may change more regularly.
For example, the University of California at Berkeley maintains a detailed document titled the Minimum Security Standards for Electronic Information, available at https://security.berkeley.edu/minimum-security-standards-electronic-information. This document divides information into four data protection levels (DPLs) and then describes what controls are required, optional, and not required for data at different levels, using a detailed matrix. An excerpt from this matrix appears in Figure 16.3.

FIGURE 16.3 Excerpt from UC Berkeley Minimum Security Standards for Electronic Information
Source: University of California at Berkeley Minimum Security Standards for Electronic Information

The standard then provides detailed descriptions for each of these requirements with definitions of the terms used in the requirements. For example, requirement 3.1 in Figure 16.3 simply reads “Secure configurations.” Later in the document, UC Berkeley expands this to read “Resource Custodians must utilize well-managed security configurations for hardware, software, and operating systems based on industry standards.” It goes on to define “well-managed” as including the following:
- Devices must have secure configurations in place prior to deployment.
- Any deviations from defined security configurations must be approved through a change management process and documented.
- A process must exist to annually review deviations from the defined security configurations for continued relevance.
- A process must exist to regularly check configurations of devices and alert the Resource Custodian of any changes.

This approach provides a document hierarchy that is easy to navigate for the reader and provides access to increasing levels of detail as needed. Notice also that many of the requirement lines in Figure 16.3 provide links to guidelines.
Clicking those links leads to advice to organizations subject to this policy that begins with this text:

UC Berkeley security policy mandates compliance with Minimum Security Standard for Electronic Information for devices handling covered data. The recommendations below are provided as optional guidance.

This is a perfect example of three elements of the information security policy framework working together. Policy sets out the high-level objectives of the security program and requires compliance with standards, which include details of required security controls. Guidelines provide advice to organizations seeking to comply with the policy and standards.

In some cases, organizations may operate in industries that have commonly accepted standards that the organization either must follow or chooses to follow as a best practice. Failure to follow industry best practices may be seen as negligence and can cause legal liability for the organization. Many of these industry standards are expressed in the standard frameworks discussed later in this chapter.

As you prepare your organization's standards, you should pay particular attention to four types of standards:
- Password standards set forth requirements for password length, complexity, reuse, and similar issues.
- Access control standards describe the account life cycle from provisioning through active use and decommissioning. This standard should include specific requirements for personnel who are employees of the organization as well as third-party contractors. It should also include requirements for credentials used by devices, service accounts, and administrator/root accounts.
- Physical security standards establish the guidelines for securing the physical premises and assets of the organization. This includes security measures like access control systems, surveillance cameras, security personnel, and policies regarding visitor access, protection of sensitive areas, and handling of physical security breaches.
- Encryption standards specify the requirements for encrypting data both in transit and at rest. This includes the selection of encryption algorithms, key management practices, and the conditions under which data must be encrypted to protect the confidentiality and integrity of information.

Exam Note
The standards listed here are specifically mentioned in the SY0-701 exam objectives. Be sure that you're familiar with the nature and purpose of standards related to passwords, access control, physical security, and encryption as you prepare for the exam.

Procedures

Procedures are detailed, step-by-step processes that individuals and organizations must follow in specific circumstances. Similar to checklists, procedures ensure a consistent process for achieving a security objective. Organizations may create procedures for building new systems, releasing code to production environments, responding to security incidents, and many other tasks. Compliance with procedures is mandatory.

For example, Visa publishes a document titled What to Do if Compromised (https://usa.visa.com/dam/VCOM/download/merchants/cisp-what-to-do-if-compromised.pdf) that lays out a mandatory process that merchants suspecting a credit card compromise must follow. Although the document doesn't contain the word procedure in the title, the introduction clearly states that the document “establishes procedures and timelines for reporting and responding to a suspected or confirmed Compromise Event.” The document provides requirements covering the following areas of incident response:
- Notify Visa of the incident within three days
- Provide Visa with an initial investigation report
- Provide notice to other relevant parties
- Provide exposed payment account data to Visa
- Conduct PCI forensic investigation
- Conduct independent investigation
- Preserve evidence

Each of these sections provides detailed information on how Visa expects merchants to handle incident response activities.
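A written password standard, as described in the Standards section above, only becomes a control when something enforces it. The following is an added example (not code from the book or from any of the organizations it cites) that turns a small password standard into a check: minimum length, a minimum number of character classes, and no reuse of recent passwords, with the history kept as salted PBKDF2 digests rather than plaintext. The numeric values in PasswordStandard and all function names are assumptions chosen for illustration.

```python
"""Password standard enforcement (added example; values are assumptions)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class PasswordStandard:
    """Assumed standard: the numbers below are illustrative, not a recommendation."""
    min_length: int = 14
    min_char_classes: int = 3   # of: lowercase, uppercase, digit, symbol
    history_depth: int = 10     # previous passwords that may not be reused


@dataclass
class AccountHistory:
    """(salt, digest) pairs of earlier passwords, oldest first."""
    entries: list = field(default_factory=list)


def _digest(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so the history itself is not a plaintext password list.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def record_password(history: AccountHistory, password: str) -> None:
    """Store a newly accepted password in the reuse history."""
    salt = os.urandom(16)
    history.entries.append((salt, _digest(password, salt)))


def _char_classes(password: str) -> int:
    classes = 0
    classes += any(c.islower() for c in password)
    classes += any(c.isupper() for c in password)
    classes += any(c.isdigit() for c in password)
    classes += any(not c.isalnum() for c in password)  # anything else counts as a symbol
    return classes


def check_password(candidate: str, standard: PasswordStandard,
                   history: AccountHistory) -> list:
    """Return the list of violated requirements; an empty list means compliant."""
    violations = []
    if len(candidate) < standard.min_length:
        violations.append(f"length < {standard.min_length}")
    if _char_classes(candidate) < standard.min_char_classes:
        violations.append(f"fewer than {standard.min_char_classes} character classes")
    # Only the most recent history_depth entries are subject to the reuse rule.
    for salt, digest in history.entries[-standard.history_depth:]:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            violations.append(f"reused within last {standard.history_depth} passwords")
            break
    return violations


if __name__ == "__main__":
    std = PasswordStandard()
    hist = AccountHistory()
    record_password(hist, "Correct-Horse-Battery-9")
    for pw in ["Correct-Horse-Battery-9", "short1A!", "alllowercaseletters", "Totally-Different-Pass-42"]:
        print(pw, "->", check_password(pw, std, hist) or "compliant")
```

Each requirement in the standard maps to one line of the check, which is what makes the control auditable: when the standard changes (a longer minimum, a deeper history), the PasswordStandard values change and nothing else does.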
For example, the forensic investigation section describes the use of Payment Card Industry Forensic Investigators (PFIs) and reads as follows:

Upon discovery of an account data compromise, or receipt of an independent forensic investigation notification, an entity must:
- Engage a PFI (or sign a contract) within five (5) business days.
- Provide Visa with the initial forensic (i.e., preliminary) report within ten (10) business days from when the PFI is engaged (or the contract is signed).
- Provide Visa with a final forensic report within ten (10) business days of the completion of the review.

There's not much room for interpretation in this type of language. Visa is laying out a clear and mandatory procedure describing what actions the merchant must take, the type of investigator they should hire, and the timeline for completing different milestones.

Organizations commonly include the following procedures in their policy frameworks:
- Change management procedures that describe how the organization will perform change management activities that comply with the organization's change management policy, including the possible use of version control and other tools
- Onboarding and offboarding procedures that describe how the organization will add new user accounts as employees join the organization and how those accounts will be removed when no longer needed
- Playbooks that describe the actions that the organization's incident response team will take when specific types of incidents occur

Of course, cybersecurity teams may decide to include many other types of procedures in their frameworks, as dictated by the organization's operational needs.

Exam Note
The procedures listed here are specifically mentioned in the SY0-701 exam objectives. Be sure that you're familiar with the nature and purpose of procedures related to change management, onboarding, offboarding, and playbooks as you prepare for the exam.
Guidelines

Guidelines provide best practices and recommendations related to a given concept, technology, or task. Compliance with guidelines is not mandatory, and guidelines are offered in the spirit of providing helpful advice. That said, the “optionality” of guidelines may vary significantly depending on the organization's culture.

In April 2016, the chief information officer (CIO) of the state of Washington published a 25-page document providing guidelines on the use of electronic signatures by state agencies. The document is not designed to be obligatory but, rather, offers advice to agencies seeking to adopt electronic signature technology. The document begins with a purpose section that outlines three goals of the guideline:
1. Help agencies determine if and to what extent their agency will implement and rely on electronic records and electronic signatures.
2. Provide agencies with information they can use to establish policy or rule governing their use and acceptance of digital signatures.
3. Provide direction to agencies for sharing of their policies with the Office of the Chief Information Officer (OCIO) pursuant to state law.

The first two stated objectives align completely with the guideline functions. Phrases like “help agencies determine” and “provide agencies with information” are common in guideline documents. There is nothing mandatory about them, and in fact, the guidelines explicitly state that Washington state law “does not mandate that any state agency accept or require electronic signatures or records.” The third objective might seem a little strange to include in a guideline. Phrases like “provide direction” are more commonly found in policies and procedures.
Browsing through the document, the text relating to this objective is only a single paragraph within a 25-page document:

The Office of the Chief Information Officer maintains a page on the OCIO.wa.gov website listing links to individual agency electronic signature and record submission policies. As agencies publish their policies, the link and agency contact information should be emailed to the OCIO Policy Mailbox. The information will be added to the page within 5 working days. Agencies are responsible for notifying the OCIO if the information changes.

Reading this paragraph, the text does appear to clearly outline a mandatory procedure and would not be appropriate in a guideline document that fits within the strict definition of the term. However, it is likely that the committee drafting this document thought it would be much more convenient to the reader to include this explanatory text in the related guideline rather than drafting a separate procedure document for a fairly mundane and simple task.

The full Washington state document, Electronic Signature Guidelines, is available for download from the Washington State CIO's website at https://ocio.wa.gov/sites/default/files/Electronic_Signature_Guidelines_FINAL.pdf.

Exceptions and Compensating Controls

When adopting new security policies, standards, and procedures, organizations should also provide a mechanism for exceptions to those rules. Inevitably, unforeseen circumstances will arise that require a deviation from the requirements. The policy framework should lay out the specific requirements for receiving an exception and the individual or committee with the authority to approve exceptions.
The state of Washington uses an exception process that requires the requestor to document the following information:
- Standard/requirement that requires an exception
- Reason for noncompliance with the requirement
- Business and/or technical justification for the exception
- Scope and duration of the exception
- Risks associated with the exception
- Description of any supplemental controls that mitigate the risks associated with the exception
- Plan for achieving compliance
- Identification of any unmitigated risks

Many exception processes require the use of compensating controls to mitigate the risk associated with exceptions to security standards. The Payment Card Industry Data Security Standard (PCI DSS) includes one of the most formal compensating control processes in use today. It sets out five criteria that must be met for a compensating control to be satisfactory:
1. The control must meet the intent and rigor of the original requirement.
2. The control must provide a similar level of defense as the original requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against.
3. The control must be “above and beyond” other PCI DSS requirements.
4. The control must address the additional risk imposed by not adhering to the PCI DSS requirement.
5. The control must address the requirement currently and in the future.

For example, an organization might find that it needs to run an outdated version of an operating system on a specific machine because the software necessary to run the business will only function on that operating system version. Most security policies would prohibit using the outdated operating system because it might be susceptible to security vulnerabilities. The organization could choose to run this system on an isolated network with either very little or no access to other systems as a compensating control.
The general idea is that a compensating control finds alternative means to achieve an objective when the organization cannot meet the original control requirement. Although PCI DSS offers a very formal process for compensating controls, the use of compensating controls is a common strategy in many different organizations, even those not subject to PCI DSS. Compensating controls balance the fact that it simply isn't possible to implement every required security control in every circumstance with the desire to manage risk to the greatest feasible degree.

In many cases, organizations adopt compensating controls to address a temporary exception to a security requirement. In those cases, the organization should also develop remediation plans designed to bring the organization back into compliance with the letter and intent of the original control.

Monitoring and Revision

Policy monitoring is an ongoing process that involves regularly evaluating the implementation and efficacy of an organization's information security policies. Through the use of tools like security information and event management (SIEM) systems, as well as by conducting periodic audits and assessments, organizations can assess how well policies are being adhered to and whether they continue to align with current security needs, regulatory requirements, and technological changes. Effective monitoring also includes gathering feedback from staff members who are integral to policy implementation.

When inconsistencies or areas for improvement are identified, policy revision becomes necessary. This involves updating policies to address any shortcomings and adapting to new challenges or requirements. It is important that revised policies are promptly communicated to all relevant personnel and, if necessary, that training is provided to ensure effective compliance. Regular monitoring and timely revision are crucial for maintaining an adaptive and robust security posture.
Change Management

Deploying systems in a secure state is important. However, it's also essential to ensure that systems retain that same level of security. Change management helps reduce unanticipated outages caused by unauthorized changes.

The primary goal of change management is to ensure that changes do not cause outages. Change management processes ensure that appropriate personnel review and approve changes before implementation and ensure that personnel test and document the changes.

Changes often create unintended side effects that can cause outages. For example, an administrator can change one system to resolve a problem but unknowingly cause a problem in other systems. Consider Figure 16.4. The web server is accessible from the Internet and accesses the database on the internal network. Administrators have configured appropriate ports on Firewall 1 to allow Internet traffic to the web server and appropriate ports on Firewall 2 to allow the web server to access the database server.

FIGURE 16.4 Web server and database server

A well-meaning firewall administrator may see an unrecognized open port on Firewall 2 and decide to close it in the interest of security. Unfortunately, the web server needs this port open to communicate with the database server, so when the port is closed the web server will begin having problems. The help desk is soon flooded with requests to fix the web server, and people begin troubleshooting it. They ask the web server programmers for help, and after some troubleshooting, the developers realize that the database server isn't answering queries. They then call in the database administrators to troubleshoot the database server. After a bunch of hooting, hollering, blamestorming, and finger-pointing, someone realizes that a needed port on Firewall 2 is closed. They open the port and resolve the problem—at least until this well-meaning firewall administrator closes it again or starts tinkering with Firewall 1.
Organizations constantly seek the best balance between security and usability. There are instances when an organization makes conscious decisions to improve the performance or usability of a system by weakening security. However, change management helps ensure that an organization takes the time to evaluate the risk of weakening security and compare it to the benefits of increased usability.

Unauthorized changes directly affect the A in the CIA triad—availability. However, change management processes allow various IT experts to review proposed changes for unintended side effects before implementing the changes. These processes also give administrators time to check their work in controlled environments before implementing changes in production environments.

Additionally, some changes can weaken or reduce security. Imagine an organization isn't using an effective access control model to grant access to users. Administrators may not be able to keep up with the requests for additional access. Frustrated administrators may decide to add a group of users to an Administrators group within the network. Users will now have all the access they need, improving their ability to use the network, and they will no longer bother the administrators with access requests. However, granting administrator access in this way directly violates the least privilege principle and significantly weakens security.

Change Management Processes and Controls

A change management process ensures that personnel can perform a security impact analysis. Experts evaluate changes to identify any security impacts before personnel deploy the changes in a production environment.

Change management controls provide a process to control, document, track, and audit all system changes. This includes changes to any aspect of a system, including hardware and software configuration. Organizations implement change management processes through the life cycle of any system.
Standard Operating Procedures for Changes

Common tasks within a change management process are as follows:

1. Request the change. Once personnel identify desired changes, they request the change. Some organizations use internal websites, allowing personnel to submit change requests via a web page. The website automatically logs the request in a database, which allows personnel to track the changes. It also allows anyone to see the status of a change request.

2. Review the change. Experts within the organization review the change. Personnel reviewing a change are typically from several different areas within the organization. These should be identified through a complete impact analysis performed in consultation with the owners of the change and the various stakeholders in the change. In some cases, stakeholders may quickly complete the review and approve or reject the change. In other cases, the change may require approval at a formal change review board or change advisory board (CAB) after extensive testing. Board members are the personnel that review the change request.

3. Approve/reject the change. Based on the review, these experts then approve or reject the change. They also record the response in the change management documentation. For example, if the organization uses an internal website, someone will document the results in the website's database. In some cases, the change review board might require the creation of a rollback or backout plan. This ensures that personnel can return the system to its original condition if the change results in a failure.

4. Test the change. Once the change is approved, it should be tested, preferably on a nonproduction server. Testing helps verify that the change doesn't cause an unanticipated problem. Test results should be included in the change documentation.

5. Schedule and implement the change. The change is scheduled so that it can be implemented with the least impact on the system and the system's customers.
This may require scheduling the change during off-duty or nonpeak hours. Testing should discover any problems, but it's still possible that the change causes unforeseen problems. Because of this, it's important to have a backout plan. This allows personnel to undo the change and return the system to its previous state if necessary.

Exam Note

Changes should be performed at a scheduled and coordinated time to avoid undesirable or unexpected impacts on operations. Many organizations use scheduled maintenance windows to coordinate changes to information systems. These windows are preplanned and announced times when all non-emergency changes will take place and often occur on evenings and weekends.

6. Document the change. The last step is the documentation of the change to ensure that all interested parties are aware of it. This step often requires a change in the configuration management documentation. If an unrelated disaster requires administrators to rebuild the system, the change management documentation provides them with information on the change. This ensures that they can return the system to the state it was in before the change.

There may be instances when an emergency change is required. For example, if an attack or malware infection takes one or more systems down, an administrator may need to make changes to a system or network to contain the incident. In this situation, the administrator still needs to document the changes. This ensures that the change review board can review the change for potential problems. Additionally, documenting the emergency change ensures that the affected system will include the new configuration if it needs to be rebuilt.

When the change management process is enforced, it creates documentation for all changes to a system. This provides a trail of information if personnel need to reverse the change. If personnel have to implement the same change on other systems, the documentation also provides a road map or procedure to follow.
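The Figure 16.4 scenario and the impact analysis called for in the review and approval steps above, as an added example that is not part of this chapter: a small Python check that a reviewer, or the change-request intake form itself, can run against the documented dependency inventory before a "close the unrecognized port" change is approved. The hosts, ports, rule set and team names are constructed for illustration, and the inventory is a stand-in for whatever the configuration management system actually holds.

```python
"""Impact analysis for a proposed firewall rule removal (added example).

Models the Figure 16.4 scenario: web01 sits behind Firewall 1 and reaches
db01 through Firewall 2. Before a rule is removed, the change is checked
against the documented dependency inventory, which tells the reviewer
which flows break and which owners must sign off.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    """A documented flow: consumer talks to provider on port/proto.
    `owner` is the stakeholder who must review changes touching it."""
    consumer: str
    provider: str
    port: int
    proto: str
    owner: str


@dataclass(frozen=True)
class Rule:
    """A firewall allow rule as it appears in the running configuration."""
    firewall: str
    src: str   # host name or "any"
    dst: str   # host name or "any"
    port: int
    proto: str


# Constructed inventory, standing in for configuration management records.
DEPENDENCIES = (
    Dependency("internet", "web01", 443, "tcp", "web-team"),
    Dependency("web01", "db01", 5432, "tcp", "database-admins"),
    Dependency("web01", "ldap01", 636, "tcp", "identity-team"),
)

# Constructed running rule set. Port 5431 has no documented consumer.
CURRENT_RULES = (
    Rule("fw1", "any", "web01", 443, "tcp"),
    Rule("fw2", "web01", "db01", 5432, "tcp"),
    Rule("fw2", "web01", "db01", 5431, "tcp"),
    Rule("fw2", "web01", "ldap01", 636, "tcp"),
)


def rule_covers(rule, dep):
    """True if removing `rule` would break the documented dependency `dep`."""
    return (
        rule.port == dep.port
        and rule.proto == dep.proto
        and rule.src in ("any", dep.consumer)
        and rule.dst in ("any", dep.provider)
    )


def impacted_dependencies(rule, deps=DEPENDENCIES):
    return [d for d in deps if rule_covers(rule, d)]


def assess_removal(rule, deps=DEPENDENCIES):
    """Impact analysis for a proposed 'close this port' change.

    Returns what the change request should carry into review: a verdict,
    the documented flows the removal breaks, and the owners who must be
    on the review before approval."""
    hits = impacted_dependencies(rule, deps)
    return {
        "rule": rule,
        "verdict": "needs-review" if hits else "no-documented-impact",
        "breaks": [f"{d.consumer}->{d.provider}:{d.port}/{d.proto}" for d in hits],
        "reviewers": sorted({d.owner for d in hits}),
    }


def undocumented_rules(rules=CURRENT_RULES, deps=DEPENDENCIES):
    """Rules with no documented dependency: the real cleanup candidates.

    'No documented impact' is evidence for the CAB, not proof of no impact;
    the gap may be in the inventory rather than in the rule."""
    return [r for r in rules if not impacted_dependencies(r, deps)]


if __name__ == "__main__":
    for r in CURRENT_RULES:
        a = assess_removal(r)
        print(f"{r.firewall} {r.src}->{r.dst}:{r.port}/{r.proto}: "
              f"{a['verdict']} reviewers={a['reviewers']}")
```

Run against the constructed inventory, the 5432 rule on fw2 comes back as needs-review with database-admins as a required reviewer, which is exactly the conversation the well-meaning administrator skipped, while the stale 5431 rule is the only one with no documented consumer. The inventory is the point of the exercise: if it is not kept current as part of the documentation step, the check degrades to guesswork.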
Technical Impact of Changes

The technical impacts of a change may be far-reaching. As organizations consider the potential for a change to disrupt other processes, they should consider all of those potential impacts. It's very important to involve a diverse set of technical stakeholders in this analysis because most organizations have a complex technical environment that no single person understands completely. Some of the issues you should consider are:

Whether the change will require any modifications to security controls, such as firewall rules, allow lists, or deny lists
Whether any other business or technical activities need to be restricted during or after the change
Whether the change will cause downtime for critical systems
Whether the change will require restarting any services or applications
Whether the change involves any legacy applications that lack vendor support
Whether all possible dependencies have been identified and documented

Version Control

Version control ensures that developers and users have access to the latest versions of software and that changes are carefully managed throughout the release process. A labeling or numbering system differentiates between different software sets and configurations across multiple machines or at different points in time on a single machine. For example, the first version of an application may be labeled as 1.0. The first minor update would be labeled as 1.1, and the first major update would be 2.0. This helps keep track of changes over time to deployed software.

Although most established software developers recognize the importance of versioning and revision control with applications, many new web developers don't recognize its importance. These web developers have learned some excellent skills they use to create awesome websites but don't always recognize the importance of underlying principles such as version control.
If they don't control changes through some type of version control system, they can implement a change that effectively breaks the website.

Documentation

Documentation identifies the current configuration of systems. It identifies who is responsible for the system and its purpose and lists all changes applied to the baseline. Years ago, many organizations used simple paper notebooks to record this information for servers, but today it is much more common to store this information in a formal configuration management system.

Keeping this documentation current is a crucial step when completing a change. Before closing out a change management task, be sure that any related documentation, diagrams, policies, and procedures are updated to reflect the impact of the change.

Personnel Management

An organization's employees require access to information and systems to carry out their assigned job functions. With this access comes the risk that an employee will, through intentional or accidental action, become the source of a cybersecurity incident. Organizations that follow personnel management best practices can reduce the likelihood and impact of employee-centered security risks.

Least Privilege

The principle of least privilege says that individuals should be granted only the minimum set of permissions necessary to carry out their job functions. Least privilege is simple in concept but sometimes challenging to implement in practice. It requires careful attention to the privileges necessary to perform specific jobs and ongoing attention to avoid security issues. Privilege creep, one of these issues, occurs when an employee moves from job to job within the organization, accumulating new privileges, but never has the privileges associated with past duties revoked.

Separation of Duties

Organizations may implement separation of duties for extremely sensitive job functions.
Separation of duties takes two different tasks that, when combined, have great sensitivity and creates a rule that no single person may have the privileges required to perform both tasks.

The most common example of separation of duties comes in the world of accounting. Individuals working in accounting teams pose a risk to the organization should they decide to steal funds. They might carry out this theft by creating a new vendor in the accounting system with the name of a company that they control and then issuing checks to that vendor through the normal check-writing process. An organization might manage this risk by recognizing that the ability to create a new vendor and issue a check is sensitive when used in combination and implement separation of duties for them. In that situation, no single individual would have the permission to both create a new vendor and issue a check. An accounting employee seeking to steal funds in this manner would now need to solicit the collusion of at least one other employee, reducing the risk of fraudulent activity.

Two-person control is a concept that is similar to separation of duties but with an important difference: instead of preventing the same person from holding two different privileges that are sensitive when used together, two-person control requires the participation of two people to perform a single sensitive action.

Job Rotation and Mandatory Vacations

Organizations also take other measures to reduce the risk of fraudulent activity by a single employee. Two of these practices focus on uncovering fraudulent actions after they occur by exposing them to other employees. Job rotation practices take employees with sensitive roles and move them periodically to other positions in the organization. The motivating force behind these efforts is that many types of fraud require ongoing concealment activities.
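The least-privilege and separation-of-duties checks described in the two preceding subsections, as an added example rather than anything from this chapter: a Python entitlement review that flags privilege creep (permissions outside the current role's baseline, traced back to the past role that granted them) and toxic permission pairs held by one person, and also checks that no role baseline grants such a pair by design. Role names, permission names, users and the toxic pair list are constructed for illustration; the vendor/check pair comes from the accounting example in the text, and the password-reset/root pair is my own assumption of what an organization might add.

```python
"""Entitlement review: privilege creep and separation-of-duties checks (added example).

Inputs are constructed. In practice the role baselines come from the access
control model, the permission sets from an IAM or directory export, and the
role history from the HR system of record.
"""

# Least-privilege baseline for each role: the permissions the job needs, nothing more.
ROLE_BASELINE = {
    "ap-clerk":      {"ap.view", "ap.issue_check"},
    "vendor-master": {"ap.view", "ap.create_vendor"},
    "helpdesk":      {"tickets.view", "tickets.update", "ad.reset_password"},
    "server-admin":  {"servers.login", "servers.sudo"},
}

# Permission pairs that no single person may hold together.
TOXIC_COMBINATIONS = [
    ("ap.create_vendor", "ap.issue_check"),    # from the accounting example
    ("ad.reset_password", "servers.sudo"),     # assumption: reset + root = account takeover path
]

# Constructed directory export: current role, previous roles, effective permissions.
USERS = {
    "alice": {"role": "vendor-master", "history": ["ap-clerk"],
              "perms": {"ap.view", "ap.create_vendor", "ap.issue_check"}},
    "bob":   {"role": "ap-clerk", "history": [],
              "perms": {"ap.view", "ap.issue_check"}},
    "carol": {"role": "server-admin", "history": ["helpdesk"],
              "perms": {"servers.login", "servers.sudo",
                        "ad.reset_password", "tickets.view"}},
}


def excess_permissions(user):
    """Privilege creep: permissions beyond the current role's baseline."""
    baseline = ROLE_BASELINE[user["role"]]
    return sorted(user["perms"] - baseline)


def creep_source(user):
    """Map each excess permission to the past role that granted it.

    None means no past role explains it, which is a separate finding:
    the permission was granted outside the role model entirely."""
    sources = {}
    for perm in excess_permissions(user):
        sources[perm] = next(
            (role for role in user["history"] if perm in ROLE_BASELINE[role]),
            None,
        )
    return sources


def sod_violations(perms):
    """Toxic combinations present in one permission set."""
    return [pair for pair in TOXIC_COMBINATIONS
            if pair[0] in perms and pair[1] in perms]


def role_design_conflicts():
    """A role whose own baseline contains a toxic pair defeats separation
    of duties by design, before any user is even assigned to it."""
    return [(role, pair)
            for role, perms in ROLE_BASELINE.items()
            for pair in sod_violations(perms)]


def review(users=USERS):
    """Per-user findings for the access review meeting."""
    return {
        name: {
            "excess": excess_permissions(user),
            "source": creep_source(user),
            "sod": sod_violations(user["perms"]),
        }
        for name, user in users.items()
    }


if __name__ == "__main__":
    for name, finding in review().items():
        print(name, finding)
    print("role design conflicts:", role_design_conflicts())
```

On the constructed data, alice moved from ap-clerk to vendor-master and kept ap.issue_check, so she now holds the exact pair the accounting example warns about; carol kept helpdesk rights after becoming a server admin. bob is clean, and none of the roles themselves bundle a toxic pair, which is what you want to confirm before blaming individual assignments. The useful part of creep_source is the None case: an excess permission that no past role explains was granted ad hoc, the pattern the "just add them to Administrators" story above describes.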
If an individual commits fraud and is then rotated out of their existing assignment, they may not be able to continue those concealment activities due to changes in privileges and their replacement may discover the fraud themselves. Mandatory vacations serve a similar purpose by forcing employees to take annual vacations of a week or more consecutive time and revoking their access privileges during that vacation period.

Clean Desk Space

Clean desk policies are designed to protect the confidentiality of sensitive information by limiting the amount of paper left exposed on unattended employee desks. Organizations implementing a clean desk policy require that all papers and other materials be secured before an employee leaves their desk.

Onboarding and Offboarding

Organizations should have standardized processes for onboarding new employees upon hire and offboarding employees who are terminated or resign. These processes ensure that the organization retains control of its assets and handles the granting and revocation of credentials and privileges in an orderly manner. New hire processes should also include background checks designed to uncover any criminal activity or other past behavior that may indicate that a potential employee poses an undetected risk to the organization.

Nondisclosure Agreements

Nondisclosure agreements (NDAs) require that employees protect any confidential information that they gain access to in the course of their employment. Organizations normally ask new employees to sign an NDA upon hire and periodically remind employees of their responsibilities under the NDA. Offboarding processes often involve exit interviews that include a final reminder of the employee's responsibility to abide by the terms of the NDA even after the end of their affiliation with the organization.

Social Media

Organizations may choose to adopt social media policies that constrain the behavior of employees on social media.
Social media analysis performed by the organization may include assessments of both personal and professional accounts, because that activity may reflect positively or negatively upon the organization. Organizations should make their expectations and practices clear in a social media policy.

Third-Party Risk Management

Many risks facing an organization come from third-party organizations with whom the organization does business. These risks may be the result of a vendor relationship that arises somewhere along the organization's supply chain, or they may be the result of other business partnerships.

Vendor Selection

Organizations choosing vendors should take special care to evaluate the vendor thoroughly during the selection process. This is especially true if the vendor will be involved in critical business processes or handle sensitive information for the organization.

Due diligence involves thoroughly vetting potential vendors to ensure that they meet the organization's standards and requirements. This process should include an evaluation of the vendor's financial stability, business reputation, quality of products or services, and compliance with relevant regulations. You should also examine the vendor's security practices and data handling procedures, especially when they will be dealing with sensitive or proprietary information.

Another essential aspect of vendor selection is identifying and mitigating conflicts of interest. A conflict of interest arises when a vendor has a competing interest that could influence their behavior in a way that is not aligned with the best interests of the organization. For example, a vendor might have financial ties with a competitor or may be offering similar products or services. In such cases, the organization must assess the nature and extent of these conflicts and take the necessary steps to manage them.
This may involve adding clauses in the contract that limit the vendor's engagement with competitors, or in some cases, it may lead to the decision to not engage with the vendor at all.

Vendor Assessment

After the initial selection process, organizations should continuously assess the chosen vendors to ensure they maintain the expected quality, security, and performance levels.

One method to evaluate a vendor's security is through penetration testing, where authorized simulated attacks are carried out to identify vulnerabilities in the vendor's systems. Because the systems belong to the vendor, this testing must be done only with the vendor's written authorization and within scope and rules of engagement agreed in advance, typically in the contract.

Vendor agreements should include a right-to-audit clause that allows the customer to conduct or commission audits on the vendor's operations and practices to ensure compliance with terms and conditions, as well as regulatory requirements. Furthermore, organizations should request evidence of internal audits conducted by the vendor. These audits can provide insights into the vendor's internal controls, compliance, and risk management practices.

Independent assessments are also an essential tool. They may involve bringing in third-party experts to objectively evaluate the vendor's practices and systems. These assessments can include certification verifications, such as ISO 27001 or SOC reports.

Supply chain analysis is vital in understanding the risks associated with the vendor's supply chain. This includes assessing the vendor's suppliers and understanding the interdependencies and risks that could impact the vendor's ability to deliver products or services.

Organizations can employ questionnaires to collect information regarding the vendor's practices and performance regularly. These questionnaires can be tailored to focus on specific areas of concern, such as security policies, data handling procedures, and business continuity planning.

Vendor Agreements

Organizations may deploy some standard agreements and practices to manage third-party vendor risks.
Commonly used agreements include the following:

Master service agreements (MSAs) provide an umbrella contract for the work that a vendor does with an organization over an extended period of time. The MSA typically includes detailed security and privacy requirements. Each time the organization enters into a new project with the vendor, they may then create a work order (WO) or a statement of work (SOW) that contains project-specific details and references the MSA.

Service level agreements (SLAs) are written contracts that specify the conditions of service that will be provided by the vendor and the remedies available to the customer if the vendor fails to meet the SLA. SLAs commonly cover issues such as system availability, data durability, and response time.

A memorandum of understanding (MOU) is a letter written to document aspects of the relationship. MOUs are an informal mechanism that allows the parties to document their relationship to avoid future misunderstandings. MOUs are commonly used in cases where an internal service provider is offering a service to a customer that is in a different business unit of the same company.

A memorandum of agreement (MOA) is a formal document that outlines the terms and details of an agreement between parties, establishing a mutual understanding of the roles and responsibilities in fulfilling specific objectives. MOAs are generally more detailed than MOUs and may include clauses regarding resource allocation, risk management, and performance metrics.

Business partners agreements (BPAs) exist when two organizations agree to do business with each other in a partnership. For example, if two companies jointly develop and market a product, the BPA might specify each partner's responsibilities and the division of profits.

Organizations will need to select the agreement type(s) most appropriate for their specific circumstances.
Exam Note

For the exam, be sure you know the differences between the various agreement types, including SLA, MOA, MOU, MSA, NDA, WO/SOW, and BPA.

Vendor Monitoring

Effective vendor monitoring is crucial for managing and mitigating third-party risks. It involves the continuous observation and analysis of a vendor's performance and compliance to ensure that they adhere to the contractual obligations and meet the organization's expectations.

One of the critical aspects of vendor monitoring is establishing rules of engagement. These rules define the boundaries within which the vendor should operate. They normally include setting clear communication protocols, defining responsibilities, and establishing processes for issue resolution. By setting these rules, organizations can ensure that both parties are on the same page regarding expectations and obligations, which can help in preventing misunderstandings and disputes.

Performance monitoring is a central component of vendor monitoring. Organizations should establish key performance indicators (KPIs) that quantitatively measure the vendor's performance. Regularly monitoring these metrics allows organizations to ensure that vendors are meeting the agreed-upon standards.

In addition, security monitoring should be performed to ensure that the vendor maintains adequate security practices. This involves monitoring the vendor's security posture, checking for any data breaches or security incidents, and ensuring that they are in compliance with relevant security standards and regulations.

Compliance monitoring is also essential, particularly for vendors handling sensitive data or operating in highly regulated industries. Organizations should ensure that vendors are in compliance with legal and regulatory requirements and that they have the necessary certifications and accreditations.

Financial monitoring involves evaluating the vendor's financial health to ensure they remain a viable partner.
This is particularly important for long-term contracts where the organization might be dependent on the vendor's services for an extended period.

In cases where issues are identified through monitoring, organizations should have a process in place for addressing these issues with the vendor. This may include formal meetings, corrective action plans, and in extreme cases, considering termination of the contract.

Winding Down Vendor Relationships

All things come to an end, and third-party relationships are no exception. Organizations should take steps to ensure that they have an orderly transition when a vendor relationship ends or the vendor is discontinuing a product or service on which the organization depends. This should include specific steps that both parties will follow to have an orderly transition when the vendor announces a product's end of life (EOL) or a service's end of service life (EOSL). These same steps may be followed if the organization chooses to stop using the product or service on its own.

Exam Note

We discussed nondisclosure agreements (NDAs) earlier in this chapter in the context of employee relationships, but employees are not the only individuals with access to sensitive information about your organization. Vendor agreements should also include NDA terms, and organizations should ensure that vendors ask their own employees to sign NDAs if they will have access to your sensitive information.

Complying with Laws and Regulations

Legislators and regulators around the world take an interest in cybersecurity due to the potential impact of cybersecurity shortcomings on individuals, government, and society. Whereas the European Union (EU) has a broad-ranging data protection regulation, cybersecurity analysts in the United States are forced to deal with a patchwork of security regulations covering different industries and information categories.
Common Compliance Requirements

Some of the major information security regulations facing organizations include the following:

The Health Insurance Portability and Accountability Act (HIPAA) includes security and privacy rules that affect health care providers, health insurers, and health information clearinghouses in the United States.

The Payment Card Industry Data Security Standard (PCI DSS) provides detailed rules about the storage, processing, and transmission of credit and debit card information. PCI DSS is not a law but rather a contractual obligation that applies to credit card merchants and service providers worldwide.

The Gramm–Leach–Bliley Act (GLBA) covers U.S. financial institutions, broadly defined. It requires that those institutions have a formal security program and designate an individual as having overall responsibility for that program.

The Sarbanes–Oxley (SOX) Act applies to the financial records of U.S. publicly traded companies and requires that those companies have a strong degree of assurance for the IT systems that store and process those records.

The General Data Protection Regulation (GDPR) implements security and privacy requirements for the personal information of European Union residents worldwide.

The Family Educational Rights and Privacy Act (FERPA) requires that U.S. educational institutions implement security and privacy controls for student educational records.

Various data breach notification laws describe the requirements that individual states place on organizations that suffer data breaches regarding notification of individuals affected by the breach.

Remember that this is only a brief listing of security regulations. There are many other laws and obligations that apply to specific industries and data types. You should always consult your organization's legal counsel and subject matter experts when designing a compliance strategy for your organization.
You'll need to understand the various national, territory, and state laws that apply to your operations, and the advice of a well-versed attorney is crucial when interpreting and applying cybersecurity regulations to your specific business and technical environment.

Compliance Reporting

Organizations need to engage in both internal and external compliance reporting to ensure that they meet the regulatory requirements and maintain transparency within the organization and with external stakeholders.

Internal compliance reporting is a vital component in maintaining an organization's security posture and ensuring adherence to various laws and regulations. Internal reporting typically involves regular reports to the management or the board, highlighting the state of compliance, identifying gaps, and providing recommendations for improvement. These reports are essential for decision-makers within the organization to understand the compliance landscape, allocate resources effectively, and ensure that compliance objectives align with the organization's strategic goals.

External compliance reporting, on the other hand, is mandated by regulatory bodies or as a part of contractual obligations. It involves providing necessary documentation and evidence to external entities to demonstrate that the organization is in compliance with relevant laws and regulations. For instance, organizations handling credit card data might need to submit PCI DSS compliance reports, such as a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC), to their acquiring bank or the payment brands (the PCI Security Standards Council publishes the standard but does not receive these reports), and those under GDPR must be ready to provide compliance evidence to data protection authorities. External compliance reporting is crucial for maintaining good standing with regulatory authorities, avoiding penalties, and building trust with customers and partners by demonstrating a commitment to security and privacy.
Consequences of Noncompliance

Failure to comply with laws and regulations can have severe consequences for organizations, ranging from financial penalties to reputational damage and loss of business.

One of the most immediate impacts of noncompliance is the imposition of fines and sanctions. Regulatory bodies have the authority to levy significant fines on organizations that fail to comply with the required standards. For instance, under the GDPR, companies can be fined up to 4 percent of their annual global turnover, or €20 million, whichever is higher, for serious infringements. Additionally, noncompliance can lead to nonfinancial sanctions, which may include restrictions on business operations. In some cases, regulatory authorities might suspend or revoke licenses that are critical to the organization's operations. For example, a financial institution that fails to comply with anti-money-laundering regulations could lose its banking license, which is essential for its core business activities.

Reputational damage is another critical consequence of noncompliance. When news of noncompliance, especially involving data breaches or privacy violations, becomes public, it can severely tarnish the image of the organization. Customers and partners may lose trust in the organization's ability to safeguard their information and might choose to take their business elsewhere.

Loss of business and contractual impacts are also significant consequences. Noncompliance can lead to the termination of contracts, especially when compliance with specific standards is a prerequisite for engaging in business relationships. This can result in lost revenue and additional costs associated with finding and establishing relationships with new partners.

In some cases, noncompliance can also lead to legal action. Individuals or entities affected by an organization's noncompliance may sue for damages.
This not only leads to potential monetary losses but also consumes time and resources, as the organization has to deal with legal proceedings.

Given the potential severity of these consequences, it is essential for organizations to invest in compliance management and ensure that they are aware of and adhere to all relevant laws and regulations. Regular audits, training, and effective communication channels are critical components in maintaining compliance and mitigating the risks associated with noncompliance.

Compliance Monitoring

Effective compliance monitoring is a cornerstone in ensuring that organizations adhere to the various laws, regulations, and contractual obligations. An essential aspect of this monitoring involves due diligence, which is the process of continuously researching and understanding the legal and regulatory requirements that pertain to the organization. It is crucial to stay abreast of evolving laws and ensure that the organization has the necessary policies and controls in place.

Due care, a complementary concept, refers to the ongoing efforts to ensure that the implemented policies and controls are effective and continuously maintained. This means regularly reviewing and updating policies and taking proactive steps to ensure compliance. Part of due care involves attestation and acknowledgment. Acknowledgment means ensuring that employees and business partners state that they are aware of the compliance requirements. Attestation means that they are not only aware of these requirements but have also confirmed that their practices adhere to these policies.

Internal and external monitoring mechanisms play a pivotal role in compliance monitoring. Internal monitoring includes internal audits, reviews, and checks to ensure that the organization follows its policies and meets legal requirements. External monitoring, on the other hand, involves third-party audits and assessments, which provide an unbiased view of the organization's compliance status.
Automation is an invaluable tool in compliance monitoring, especially for larger organizations with complex compliance requirements. Automated compliance solutions can track changes in regulations, monitor for violations, and ensure that policies are consistently applied. This not only saves time and resources but also reduces the risk of human error and helps in generating detailed reports that can be used for further analysis and improvement.

Exam Note

Be ready to summarize the elements of effective security compliance, including compliance reporting, the consequences of noncompliance, and compliance monitoring.

Adopting Standard Frameworks

Developing a cybersecurity program from scratch is a formidable undertaking. Organizations will have a wide variety of control objectives and tools at their disposal to meet those objectives. Teams facing the task of developing a new security program or evaluating an existing program may find it challenging to cover a large amount of ground without a roadmap. Fortunately, several standard security frameworks are available to assist with this task and provide a standardized approach to developing cybersecurity programs.

NIST Cybersecurity Framework

The National Institute of Standards and Technology (NIST) is responsible for developing cybersecurity standards across the U.S. federal government. The guidance and standard documents they produce in this process often have wide applicability across the private sector and are commonly referred to by nongovernmental security analysts due to the fact that they are available in the public domain and are typically of very high quality.

In 2018, NIST released version 1.1 of a Cybersecurity Framework (CSF) designed to assist organizations attempting to meet one or more of the following five objectives:

- Describe their current cybersecurity posture.
- Describe their target state for cybersecurity.
- Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process.
- Assess progress toward the target state.
- Communicate among internal and external stakeholders about cybersecurity risk.

The NIST framework includes three components:

The Framework Core, shown in Figure 16.5, is a set of five security functions that apply across all industries and sectors: identify, protect, detect, respond, and recover. The framework then divides these functions into categories, subcategories, and informative references. Figure 16.6 shows a small excerpt of this matrix in completed form, looking specifically at the Identify (ID) function and the Asset Management category. If you would like to view a fully completed matrix, see the NIST document Framework for Improving Critical Infrastructure Cybersecurity.

The Framework Implementation Tiers assess how an organization is positioned to meet cybersecurity objectives. Table 16.1 shows the framework implementation tiers and their criteria. This approach is an example of a maturity model that describes the current and desired positioning of an organization along a continuum of progress. In the case of the NIST maturity model, organizations are assigned to one of four maturity model tiers.

The Framework Profile describes how a specific organization might approach the security functions covered by the Framework Core. An organization might use a framework profile to describe its current state and then a separate profile to describe its desired future state.
FIGURE 16.5 NIST Cybersecurity Framework Core Structure
Source: Framework for Improving Critical Infrastructure Cybersecurity Version 1.1, National Institute of Standards and Technology (http://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf)

TABLE 16.1 NIST Cybersecurity Framework implementation tiers
Source: Framework for Improving Critical Infrastructure Cybersecurity Version 1.1, National Institute of Standards and Technology

Columns: Tier; Risk management process; Integrated risk management program; External participation.

Tier 1: Partial
Risk management process: Organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner.
Integrated risk management program: There is limited awareness of cybersecurity risk at the organizational level. The organization implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources.
External participation: The organization does not understand its role in the larger ecosystem with respect to either its dependencies or dependents.

Tier 2: Risk Informed
Risk management process: Risk management practices are approved by management but may not be established as organization-wide policy.
Integrated risk management program: There is an awareness of cybersecurity risk at the organizational level, but an organization-wide approach to managing cybersecurity risk has not been established.
External participation: Generally, the organization understands its role in the larger ecosystem with respect to either its own dependencies or dependents, but not both.

Tier 3: Repeatable
Risk management process: The organization's risk management practices are formally approved and expressed as policy.
Integrated risk management program: There is an organization-wide approach to manage cybersecurity risk.
External participation: The organization understands its role, dependencies, and dependents in the larger ecosystem and may contribute to the community's broader understanding of risks.

Tier 4: Adaptive
Risk management process: The organization adapts its cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive indicators.
Integrated risk management program: There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events.
External participation: The organization understands its role, dependencies, and dependents in the larger ecosystem and contributes to the community's broader understanding of risks.

The NIST Cybersecurity Framework provides organizations with a sound approach to developing and evaluating the state of their cybersecurity programs.

At the time this book went to press, NIST was working on the development of their Cybersecurity Framework 2.0. The new framework is expected to be released in 2024. More information is available at www.nist.gov/cyberframework/updating-nist-cybersecurity-framework-journey-csf-20.

NIST Risk Management Framework

In addition to the CSF, NIST publishes a Risk Management Framework (RMF). The RMF is a mandatory standard for federal agencies that provides a formalized process that federal agencies must follow to select, implement, and assess risk-based security and privacy controls. Figure 16.7 provides an overview of the NIST RMF process. More details may be found in NIST SP 800-37, Risk Management Framework for Information Systems and Organizations (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf).

FIGURE 16.6 Asset Management Cybersecurity Framework
Source: Framework for Improving Critical Infrastructure Cybersecurity Version 1.1, National Institute of Standards and Technology (http://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf)

NIST publishes both the NIST CSF and RMF, and it can be a little confusing to keep them straight. The RMF is a formal process for implementing security controls and authorizing system use, whereas the CSF provides a broad structure for cybersecurity controls.
It's important to understand that, although both the CSF and RMF are mandatory for government agencies, only the CSF is commonly used in private industry.

ISO Standards

The International Organization for Standardization (ISO) publishes a series of standards that offer best practices for cybersecurity and privacy. As you prepare for the Security+ exam, you should be familiar with four specific ISO standards: ISO 27001, ISO 27002, ISO 27701, and ISO 31000.

FIGURE 16.7 NIST Risk Management Framework
Source: FISMA Implementation Project Risk Management Framework (RMF) Overview, National Institute of Standards and Technology (http://csrc.nist.gov/projects/risk-management/rmf-overview)

ISO 27001

ISO 27001 is a standard document titled "Information security management systems." This standard includes control objectives covering 14 categories:

- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development, and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance with internal requirements, such as policies, and with external requirements, such as laws

The ISO 27001 standard was once the most commonly used information security standard, but it is declining in popularity outside of highly regulated industries that require ISO compliance. Organizations in those industries may choose to formally adopt ISO 27001 and pursue certification programs, where an external assessor validates their compliance with the standard and certifies them as operating in accordance with ISO 27001.

ISO 27002

The ISO 27002 standard goes beyond control objectives and describes the actual controls that an organization may implement to meet cybersecurity objectives.
ISO designed this supplementary document for organizations that wish to

- Select information security controls
- Implement information security controls
- Develop information security management guidelines

ISO 27701

Whereas ISO 27001 and ISO 27002 focus on cybersecurity controls, ISO 27701 contains standard guidance for managing privacy controls. ISO views this document as an extension to their ISO 27001 and ISO 27002 security standards.

Be careful with the numbering of the ISO standards, particularly ISO 27001 and ISO 27701. They look nearly identical, but it is important to remember that ISO 27001 covers cybersecurity and ISO 27701 covers privacy.

ISO 31000

ISO 31000 provides guidelines for risk management programs. This document is not specific to cybersecurity or privacy but covers risk management in a general way so that it may be applied to any risk.

Benchmarks and Secure Configuration Guides

The NIST and ISO frameworks are high-level descriptions of cybersecurity and risk management best practices. They don't offer practical guidance on actually implementing security controls. However, government agencies, vendors, and industry groups publish a variety of benchmarks and secure configuration guides that help organizations understand how they can securely operate commonly used platforms, including operating systems, web servers, application servers, and network infrastructure devices.

These benchmarks and configuration guides get down into the nitty-gritty details of securely operating commonly used systems. For example, Figure 16.8 shows an excerpt from a security configuration benchmark for Windows Server 2022.

FIGURE 16.8 Windows Server 2022 Security Benchmark Excerpt
Source: Center for Internet Security (CIS) (http://cisecurity.org/cis-benchmarks)

The excerpt shown in Figure 16.8 comes from the Center for Internet Security (CIS), an industry organization that publishes hundreds of benchmarks for commonly used platforms.
To give you a sense of the level of detail involved, Figure 16.8 shows a portion of one page from a document that contains 642 pages detailing appropriate security settings for Windows Server 2022.

Security Awareness and Training

The success of a security program depends on the behavior (both actions and inaction) of many different people. Security training and awareness programs help ensure that employees and other stakeholders are aware of their information security responsibilities and that those responsibilities remain top-of-mind. Information security managers are responsible for establishing, promoting, and maintaining an information security training and awareness program to foster an effective security culture in their organizations.

User Training

Users within your organization should receive regular security training to ensure that they understand the risks associated with your computing environment and their role in minimizing those risks. Strong training programs take advantage of a diversity of training techniques, including the use of computer-based training (CBT).

Role-Based Training

Not every user requires the same level of training. Organizations should use role-based training to make sure that individuals receive the appropriate level of training based on their job responsibilities. For example, a systems administrator should receive detailed and highly technical training, whereas a customer service representative requires less technical training with a greater focus on social engineering and pretexting attacks that they may encounter in their work.

User Guidance and Training

Phishing attacks often target users at all levels of the organization, and every security awareness program should include specific antiphishing campaigns designed to help users recognize suspicious messages and respond to phishing attempts appropriately.
These campaigns often involve the use of phishing simulations, which send users fake phishing messages to test their skills. Users who click on the simulated phishing message are sent to a training program designed to help them better recognize fraudulent messages.

Anomalous behavior recognition is also an important component of security awareness training. Employees should be able to recognize when risky, unexpected, and/or unintentional behavior takes place. The insider threat posed by employees with legitimate access permissions is significant, and other employees may be the first to notice the signs of anomalous behavior that could be a security concern.

Other topics that should be included in end-user security training programs include:

- Security Policies and Handbooks: Provide users with information about where they can find critical security documents.
- Situational Awareness: Update users on the security threats facing the organization and how they can recognize suspicious activity.
- Insider Threats: Remind users that employees, contractors, and other insiders may pose a security risk and that they should be alert for anomalous behavior.
- Password Management: Educate users about your organization's password standards and the importance of not reusing passwords across multiple sites.
- Removable Media and Cables: Inform users of the risks associated with the use of USB drives, external hard drives, and other removable media, as well as unfamiliar cables. Educate them on the policies for using these devices and the importance of scanning for malware before accessing files.
- Social Engineering: Train users to recognize and respond to social engineering attacks. Teach them to be skeptical of unsolicited communications, especially those that create a sense of urgency or require sensitive information.
- Operational Security: Educate users on the importance of protecting sensitive information during day-to-day operations.
  This includes understanding the importance of access controls, not discussing sensitive information in public or unsecured areas, and being vigilant about who has access to sensitive data.
- Hybrid/Remote Work Environments: Instruct users on best practices for securing data and maintaining privacy when working remotely or in hybrid environments. This includes the use of VPNs, secure Wi-Fi networks, ensuring physical security of devices, and understanding the specific policies and procedures that are in place for remote work.

Exam Note

The SY0-701 exam objectives call out specific security awareness practices for phishing, anomalous behavior recognition, user guidance and training, reporting and monitoring, development, and execution. Given a scenario, be ready to implement security awareness best practices.

Training Frequency

You'll also want to think about the frequency of your training efforts. You'll need to balance the time required to conduct training with the benefit from reminding users of their responsibilities. One approach used by many organizations is to conduct initial training whenever an employee joins the organization or assumes new job responsibilities and then use annual refresher trainings to cover the same material and update users on new threats and controls.

Development and Execution

The development of security training programs begins with a thorough assessment of the organization's security landscape and identifying potential risks and threats. Based on this assessment, the team can develop tailored content that addresses the unique challenges of the organization. It's helpful to incorporate real-world examples and interactive elements to keep participants engaged. Aligning the training with the organization's policies and procedures ensures consistency and relevance.

The execution phase should include a variety of training methods, such as workshops, e-learning modules, and simulations, catering to different learning preferences.
An essential aspect of execution is to make training accessible and regular for all employees. Create a schedule that includes initial training for new employees and periodic refreshers to keep knowledge current.

Reporting and Monitoring

Reporting and monitoring are crucial components of security training programs. Administrators should track participation in training programs and assess user knowledge through quizzes and other means. You should also collect feedback from employees to understand their perspectives and make necessary adjustments to the program. It's helpful to provide decision-makers with regular reports that provide both detailed data for technical stakeholders and high-level trends for management. Over time, an analysis of trends in knowledge levels and security incidents is essential for understanding the long-term impact of the training program.

The team responsible for providing security training should review materials on a regular basis to ensure that the content remains relevant. Changes in the security landscape and the organization's business may require updating the material to remain fresh and relevant.

Ongoing Awareness Efforts

In addition to formal training programs, an information security program should include security awareness efforts. These are less formal efforts that are designed to remind employees about the security lessons they've already learned. Unlike security training, awareness efforts don't require a commitment of time to sit down and learn new material. Instead, they use posters, videos, email messages, and similar techniques to keep security top-of-mind for those who've already learned the core lessons. Figure 16.9 shows an example of a security awareness poster developed by the U.S. Department of Energy.

FIGURE 16.9 Security awareness poster
Source: U.S. Department of Energy

Summary

Policies form the basis of every strong information security program.
A solid policy framework consists of policies, standards, procedures, and guidelines that work together to describe the security control environment of an organization. In addition to complying with internally developed policies, organizations often must comply with externally imposed compliance obligations. Security frameworks, such as the NIST Cybersecurity Framework and ISO 27001, provide a common structure for security programs based on accepted industry best practices. Organizations should implement and test security controls to achieve security control objectives that are developed based on the business and technical environment of the organization.

Exam Essentials

Security governance practices ensure that organizations achieve their strategic objectives. Governance programs are the sets of procedures and controls put in place to allow an organization to effectively direct its work. Governance programs may involve the participation of a variety of boards, committees, and government regulators. Centralized governance models use a top-down approach that dictates how subordinate units meet security objectives, whereas decentralized governance models delegate the authority for meeting security objectives as the subordinate units see fit.

Policy frameworks consist of policies, standards, procedures, and guidelines. Policies are high-level statements of management intent for the information security program. Standards describe the detailed implementation requirements for policy. Procedures offer step-by-step instructions for carrying out security activities. Compliance with policies, standards, and procedures is mandatory. Guidelines offer optional advice that complements other elements of the policy framework.

Organizations often adopt a set of security policies covering different areas of their security programs.
Common policies used in security programs include an information security policy, an acceptable use policy, a data ownership policy, a data retention policy, an account management policy, and a password policy. The specific policies adopted by any organization will depend on that organization's culture and business needs.

Policy documents should include exception processes. Exception processes should outline the information required to receive an exception to security policy and the approval authority for each exception. The process should also describe the requirements for compensating controls that mitigate risks associated with approved security policy exceptions.

Change management is crucial to ensuring the availability of systems and applications. The primary goal of change management is to ensure that changes do not cause outages. Change management processes ensure that appropriate personnel review and approve changes before implementation and ensure that personnel test and document the changes. Change review processes should carefully evaluate the potential impact of any change.

Organizations face a variety of security compliance requirements. Merchants and credit card service providers must comply with the Payment Card Industry Data Security Standard (PCI DSS). Organizations handling the personal information of European Union residents must comply with the EU General Data Protection Regulation (GDPR). All organizations should be familiar with the national, territory, and state laws that affect their operations.

Standards frameworks provide an outline for structuring and evaluating cybersecurity programs. Organizations may choose to base their security programs on a framework, such as the NIST Cybersecurity Framework (CSF) or International Organization for Standardization (ISO) standards. U.S. federal government agencies and contractors should also be familiar with the NIST Risk Management Framework (RMF).
These frameworks sometimes include maturity models that allow an organization to assess its progress. Some frameworks also offer certification programs that provide independent assessments of an organization's progress toward adopting a framework.

Security training and awareness ensures that individuals understand their responsibilities. Security training programs impart new knowledge on employees and other stakeholders. They should be tailored to meet the specific requirements of an individual's role in the organization. Security awareness programs seek to remind users of the information they have already learned, keeping their security responsibilities top-of-mind.

Review Questions

1. Joe is authoring a document that explains to system administrators one way in which they might comply with the organization's requirement to encrypt all laptops. What type of document is Joe writing?
A. Policy
B. Guideline
C. Procedure
D. Standard

2. Which one of the following statements is not true about compensating controls under PCI DSS?
A. Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement.
B. Controls must meet the intent of the original requirement.
C. Controls must meet the rigor of the original requirement.
D. Compensating controls must provide a similar level of defense as the original requirement.

3. What law creates privacy obligations for those who handle the personal information of European Union residents?
A. HIPAA
B. FERPA
