IAS Midterm - Reviewer PDF
AISAT College - Dasmariñas
This document appears to be a reviewer for a midterm exam, focusing on topics like risk management and information security governance. The text includes different principles related to these areas, such as risk prioritization, communication, and roles of stakeholders.
MODULE 6

Risk Management – a basic understanding: literally speaking, risk management is the process of minimizing or mitigating risk. It starts with the identification and evaluation of risk, followed by the optimal use of resources to monitor and minimize the same.
- Ideally in risk management, a risk prioritization process is followed in which those risks that pose the threat of great loss and have a high probability of occurrence are dealt with first.
- According to the cycle there are four steps in the process of risk management. The first step is the assessment of risk, followed by evaluation and management of the same. The last step is measuring the impact.
- Risk identification can start at the base or at the surface level; in the former case the source of the problem is identified. We then have two things to deal with: the source and the problem.

Risk Source – the source can be either internal or external to the system.
External Sources – are beyond control, whereas internal sources can be controlled to a certain extent. Examples of external sources are the amount of rainfall, the weather over an airport, etc.
Problem – a problem at the surface level could be the threat of an accident and casualty at the plant, a fire incident, etc.

Principles of Risk Management – various organizations have laid down principles for risk management. There are risk management principles by the International Organization for Standardization (ISO) and by the Project Management Body of Knowledge (PMBOK).
- PMBOK has laid down 10 principles. This article carries an amalgamation of both PMBOK and ISO principles. The various principles are:
1. Organizational Context – every organization is affected to varying degrees by various factors in its environment (political, social, legal, technological, societal, etc.).
2. Involvement of Stakeholders – the risk management process should involve the stakeholders at each and every step of decision making. They should remain aware of even the smallest decision made.
3. Organizational Objectives – when dealing with a risk it is important to keep the organizational objectives in mind. The risk management process should explicitly address the uncertainty.
4. Reporting – in risk management, communication is the key. The authenticity of the information has to be ascertained. Decisions should be made on the best available information, and there should be transparency and visibility regarding the same.
5. Roles and Responsibility – risk management has to be transparent and inclusive. It should take into account the human factors and ensure that everyone knows their role at each stage of the risk management process.
6. Support Structure – support structure underlines the importance of the risk management team. The team members have to be dynamic, diligent and responsive to change.
7. Early Warning Indicators – keep track of early signs of a risk translating into an active problem. This is achieved through continual communication by one and all at each level.
8. Review Cycle – keep evaluating inputs at each step of the risk management process: identify, assess, respond and review. The observations are markedly different in each cycle.
9. Supportive Culture – brainstorm and enable a culture of questioning and discussing. This will motivate people to participate more.
10. Continual Improvement – be capable of improving and enhancing your risk management strategies and tactics. Use your learnings to assess the way you look at and manage ongoing risk.

MODULE 7

A. Information Security Governance – information security governance (GSI) is the system by which the information security activities of a particular organization are directed and controlled. GSI, like IT governance (GTI), represents an unfolding of organizational governance and, although there are several possible models in general, GSI and GTI have a certain overlap, depending on their respective objectives and scope.

Take a Risk-Based Approach
- Decisions related to information security must be made on the basis of risk. The information security risk management approach must be integrated with the corporate risk management model.

Establish the Direction of Investment Decisions
- Identifying the right investment is an open-ended research topic and a headache for those responsible for conducting the GSI strategy. An investment strategy for information security should be established based on the results and objectives of the business.

Ensure Compliance with Internal and External Requirements
- Information security must comply with relevant laws and regulations. A consistent, risk-based security program is the first step for an organization to seek compliance with new laws and regulations without the uncertainties that the General Data Protection Regulation (GDPR) provokes in organizations that do not have a consistent security program.

Promote a Positive Security Environment
- Human behavior is a key component for us to maintain the appropriate level of information security.

Perform Analysis
- Top management should critically analyze information security performance against its business impact. It is not enough to assess the effectiveness and efficiency of the controls implemented.

Information Security Policy, Standards and Practices – Part of information security management is determining how security will be maintained in the organization. Management defines information security policies to describe how the organization wants to protect its information assets.

Information Security Policies – information security policies are high-level plans that describe the goals of the procedures. Policies are not guidelines or standards, nor are they procedures or controls.

How Policies Should Be Developed – before policy documents can be written, the overall goal of the policy must be determined. In any case, the first step is to determine what is being protected and why it is being protected.
Policies can be written to affect:
1. Hardware
2. Software
3. Access
4. People
5. Connections
6. Network
7. Telecommunications
8. Enforcement

Identify what is to be Protected
- Remember that computers are the tools for processing the company's intellectual property, that the disks store that property, and that the networks allow that information to flow through the various business processes.
The following is an example of what can be inventoried:
1. Hardware
2. Software
3. Network Equipment
4. Diagnostic Equipment
5. Documentation
6. Information Assets
7. Preprinted Forms
8. Human Resource assets

Identify from whom it is being Protected
- Defining access is an exercise in understanding how each system and network component is accessed.
Some considerations for data access are:
1. Authorized and unauthorized access to resources and information
2. Unintended or unauthorized disclosure of information
3. Enforcement procedures
4. Bugs and errors

Setting Standards
- When creating policies for an established organization, there is an existing process for maintaining the security of the assets.

Creating Baselines
- Baselines are used to create a minimum level of security necessary to meet policy requirements. Baselines can be configurations, architectures, or procedures that might or might not reflect the business process, and that can be adapted to meet those requirements.

Guidelines
- Standards and baselines describe specific products, configurations, or other mechanisms to secure the systems.

Setting and Implementing Procedures – the last step before implementation is creating the procedures. Procedures describe exactly how to use the standards and guidelines to implement the countermeasures that support the policy.
- Procedures are written to support the implementation of the policies.
Some types of procedures might be common amongst networked systems, including:
1. Auditing – these procedures can include what to audit, how to maintain audit logs, and the goals of what is being audited.
2. Administrative – these procedures can be used to have a separation of duties among the people charged with operating and monitoring the systems.
3. Access Control – these procedures are an extension of administrative procedures that tell administrators how to configure authentication and other access control features of the various components.
4. Configuration – these procedures cover the firewalls, routers, switches and operating systems.
5. Incident Response – these procedures cover everything from detection to how to respond to the incident.
6. Physical and Environmental – these procedures cover not only the air conditioning and other environmental controls in rooms where servers and other equipment are stored, but also shielding of Ethernet cables to prevent them from being tapped.

Implementing Security Education, Training & Awareness Programs
Step 1: Define your Network Security Education Goals
- Before you begin contacting cybersecurity experts and lining up presenters to give seminars at your company's offices, start by defining the exact goals you want your security education program to meet.
Step 2: Assess Your Audience
- Not all employees have the same level of knowledge when it comes to cybersecurity. When creating your security education, training, and awareness program, it's important to assess the overall knowledge level of your employees before shoving them into a "one-size-fits-all" network security lesson.
Step 3: Develop SETA Program Topics Based on Critical Issues
- After identifying the biggest cybersecurity knowledge gaps in your organization, you can start to create lesson topics designed to address those gaps.
Step 4: Consider How You'll Distribute Security Education to Current and Future Employees
- How you choose to distribute cybersecurity training to your employees may depend on the size of your company. If your business is operating out of a single set of offices, simply putting an "all hands on deck" meeting on the books and knocking out some security education there might be enough. Larger organizations might need to establish a more comprehensive security education, training and awareness program that utilizes online training modules to efficiently distribute learning content to people throughout the organization.

D. Continuity Strategies
How to create an effective business continuity plan
- A business continuity plan outlines procedures and instructions an organization must follow in the face of disaster, whether fire, flood or cyberattack. Here's how to create one that gives your business the best chance of surviving such an event. We rarely get advance notice that a disaster is ready to strike. Even with some lead time, though, multiple things can go wrong; every incident is unique and unfolds in unexpected ways.
What is business continuity?
- Business continuity (BC) refers to maintaining business functions or quickly resuming them in the event of a major disruption, whether caused by a fire, flood or malicious attack by cybercriminals. A business continuity plan outlines procedures and instructions an organization must follow in the face of such disasters; it covers business processes, assets, human resources, business partners and more.
Anatomy of a business continuity plan
- If your organization doesn't have a BC plan in place, start by assessing your business processes, determining which areas are vulnerable, and the potential losses if those processes go down for a day, a few days or a week. This is essentially a business impact analysis (BIA).
- Next, develop a plan. This involves six general steps:
1. Identify the scope of the plan.
2. Identify key business areas.
3. Identify critical functions.
4. Identify dependencies between various business areas and functions.
5. Determine acceptable downtime for each critical function.
6. Create a plan to maintain operations.
- One common business continuity planning tool is a checklist that includes supplies and equipment, the location of data backups and backup sites, where the plan is available and who should have it, and contact information for emergency responders, key personnel and backup site providers.
The importance of testing your business continuity plan
- Testing a plan is the only way to truly know it will work, says O'Donnell. "Obviously, a real incident is a true test and the best way to understand if something works. However, a controlled testing strategy is much more comfortable and provides an opportunity to identify gaps and improve."
Review and improve your business continuity plan
- Much effort goes into creating and initially testing a BC plan. Once that job is complete, some organizations let the plan sit while other, more critical tasks get attention. When this happens, plans go stale and are of no use when needed.
- Technology evolves, and people come and go, so the plan needs to be updated, too. Bring key personnel together at least annually to review the plan and discuss any areas that must be modified.
How to ensure business continuity plan support and awareness
- One way to ensure your plan is not successful is to adopt a casual attitude toward its importance. Every business continuity plan must be supported from the top down. That means senior management must be represented when creating and updating the plan; no one can delegate that responsibility to subordinates.

MODULE 8

Security Technology: Firewalls and VPNs
- The text begins with the topic of access control. This chapter uses what may be a familiar meaning: allowing, restricting, and denying access to resources. Before we begin, there is a distinction between authorization and access you need to understand. Authorization is permission, and access is means. Authorization means we allow someone to do something. Access means someone can get at an asset. Other than that, a bit more vocabulary will help you understand the first terms in the chapter:
Owner - A person responsible for the integrity and security of an asset. This may be a management role instead of a technical role.
Custodian - A person who maintains the security of a system, perhaps by adding and removing access by user accounts. (This role is also called an administrator.)
End User - A person who uses the asset, such as reading a file, opening a web page, or printing some data from a database, but who is not allowed to change access rights to the asset. This concept is also called a subject in some texts. Subjects (users or processes acting for users) perform operations on objects (assets).
Supplicant - the text also uses this word as a synonym for "requester"; it is not used in common discussion unless you are a rather pedantic member of the attendant mathematical priesthood.

- The text tells us that users must first identify themselves to a system, but identification is pointless without authentication. Identification is simply entering a user name.
Authentication is one of three key elements to security:
Authentication - confirmation of identity
Authorization - granting permissions that are linked to the user's account
Accounting, Accountability, Auditing - tracking what the user does
- Most security is based on one or more of three types of things: something you have (like a key or an ID card), something you know (like a PIN or a password), or something you are (like a fingerprint).
- When a person logs in from a standard workstation in a normal environment, one level of protection, like an ID and password pair, may be secure enough. For a situation that is more vulnerable, like logging in from a remote location through a public data network, two levels may be required, such as a user name and password pair along with a one-time password from a security device (that may require a PIN as well).

The text introduces three access control methods. You should know something about each of them:
Mandatory Access Control (MAC) - the most restrictive model; the owner defines a security policy, the custodian implements it, and the end users cannot change it; this may be implemented by setting a security level for each asset and granting authorization to users by assigning them to a level.
Nondiscretionary controls come in two types:
o Role Based Access Control (RBAC) - access is granted to roles (groups) defined on the systems; end users are assigned to roles so they can access the assets needed for their jobs; the text uses Windows Server 2008 as an example of a system that can use this model.
o Task Based Access Control (TBAC) - may be the most complex model; rules can change which role a user is assigned to, based on the task the user is performing, changing the level of access the user has.
Discretionary Access Control (DAC) - the least restrictive model; subjects (end users) can own objects and have total control over them (like a SharePoint web server system); end users must set and maintain security for their assets, which most people will do badly; processes run by end users inherit their permission levels.

- The text abruptly jumps to the topic of firewalls, which we are told may be classified three different ways:
by their processing type
by their evolutionary generation
by the way they are implemented (structure).

Firewalls by Processing type:
1. Packet-filtering firewalls
- Traffic on a network is broken into packets, smaller message units. Each packet must hold at least two addresses: that of the sender and that of the recipient. A packet-filtering firewall will hold a database of rules that tell it what to do with packets. Often the rules are based on the addresses mentioned above and the protocol (network rules) the packet is being sent under. The text's example rule table has three rules:
The first rule says if the packet is from any address on the 172.16.0.0 network (172.16.x.x) and is being sent to any address on the 10.10.0.0 network (10.10.x.x), using any protocol (Any), drop the packet (Deny). The x characters are used as wildcards on some firewalls, as the text mentions later. Other firewalls might use zeros or a CIDR prefix length instead, so you need to know the syntax for the firewall you are configuring.
The second rule says if the packet is from any address on the 192.168.0.0 network (192.168.x.x) and is being sent to the specific address 10.10.10.25, using the HTTP protocol (HTTP is hypertext transfer protocol), let that packet through (Allow). This tells me that 10.10.10.25 is the address of a web server on that network, because HTTP is for web pages.
The third rule says if the source address is specifically 192.168.0.1 and the destination address is specifically 10.10.10.10, and the protocol is FTP (FTP is file transfer protocol), then let the packet through (Allow).
Packet filtering firewalls come in three types:
Static - a system administrator sets the rules for the firewall.
Dynamic - the firewall sets some rules for itself, such as dropping packets from an address that is sending many bad packets.
Stateful - packets sent by an attacker are often sent to a port that the attacker has guessed is open; a stateful inspection firewall keeps a state table of the connections that have already been negotiated and denies packets sent to any port unless they belong to one of those connections; this kind of checking puts more processing overhead on the firewall.

The 7 Layers of the OSI Model
Physical Layer - The lowest layer of the OSI model is concerned with electrically or optically transmitting raw unstructured data bits across the network from the physical layer of the sending device to the physical layer of the receiving device. It can include specifications such as voltages, pin layout, cabling, and radio frequencies. At the physical layer, one might find "physical" resources such as network hubs, cabling, repeaters, network adapters or modems.
Data Link Layer - At the data link layer, directly connected nodes are used to perform node-to-node data transfer where data is packaged into frames. The data link layer also corrects errors that may have occurred at the physical layer. The data link layer encompasses two sub-layers of its own. The first, media access control (MAC), provides flow control and multiplexing for device transmissions over a network. The second, the logical link control (LLC), provides flow and error control over the physical medium as well as identifying line protocols.
Network Layer - The network layer is responsible for receiving frames from the data link layer and delivering them to their intended destinations based on the addresses contained inside the frame. The network layer finds the destination by using logical addresses, such as IP (Internet Protocol). At this layer, routers are a crucial component used to quite literally route information where it needs to go between networks.
Transport Layer - The transport layer manages the delivery and error checking of data packets. It regulates the size, sequencing, and ultimately the transfer of data between systems and hosts. One of the most common examples of the transport layer is TCP, the Transmission Control Protocol.
Session Layer - The session layer controls the conversations between different computers. A session or connection between machines is set up, managed, and terminated at layer 5. Session layer services also include authentication and reconnections.
Presentation Layer - The presentation layer formats or translates data for the application layer based on the syntax or semantics that the application accepts. Because of this, it is at times also called the syntax layer. This layer can also handle the encryption and decryption required by the application layer.
Application Layer - At this layer, both the end user and the application layer interact directly with the software application. This layer sees network services provided to end-user applications such as a web browser or Office 365. The application layer identifies communication partners and resource availability, and synchronizes communication.

3. Circuit gateways - According to our text, this firewall lives on the transport layer, which is associated with guaranteed delivery of packets. Other than that, the explanation in the text is very unclear. The explanation at the PCStats web site is clearer. It explains that the function of the circuit gateway is less analytical than the proxy server, but that it does serve as an intermediary as well, making sure that only requested data is returned to the requester. It will not examine the data for content.
4. MAC layer firewalls - The MAC sublayer of the ISO OSI data link layer is concerned with MAC addresses, the hard-coded addresses that are generally burned into network cards when they are manufactured. This kind of firewall will check the MAC address of a requester to determine whether the device being used to make the connection is authorized to access the data in question. This would be useful in situations where devices are placed in lobbies for customers who are allowed to browse a catalog, but not allowed to place orders that would affect inventory.
5. Hybrids - the fifth processing firewall type combines features of the other four.

Firewalls by Generation type
First generation - static packet filtering
Second generation - application level
Third generation - stateful inspection
Fourth generation - dynamic packet filtering
Fifth generation - examines packets at several layers

Firewalls by Structure
Commercial appliances - run on a custom operating system, on a dedicated device
Commercial systems - a software solution that runs on a computer that may or may not be dedicated
Small Office - Home Office appliances - the device may actually be a cable modem or DSL modem, may also include router and WAP services, and may include intrusion protection
Residential (consumer) software - typically a combination of anti-virus, firewall and intrusion detection software; should be run on all devices that connect to a home network
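The three access control models in Module 8 (MAC, the nondiscretionary RBAC, and DAC) differ mainly in who is allowed to change the decision data. The following Python is an added example, not code from the textbook or from the reviewer who wrote these notes: it implements each model as a small decision function over constructed subjects and objects. The security levels, role names and object names are made up for illustration; the MAC check follows the Bell-LaPadula rules (no read up, no write down), which the text does not name but which is the usual way a level-based MAC is implemented.

```python
"""Toy decision functions for the three access control models in the reading.
Added example, not from the textbook. Subjects, objects, levels and roles are
constructed here for illustration."""
from dataclasses import dataclass, field

# MAC lattice: the owner defines the levels, the custodian assigns labels.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

# RBAC: permissions attach to roles, never directly to users (hypothetical roles).
ROLE_PERMISSIONS = {
    "clerk": {("ledger", "read")},
    "accountant": {("ledger", "read"), ("ledger", "write")},
    "custodian": {("ledger", "read"), ("ledger", "write"), ("ledger", "relabel")},
}


@dataclass
class Subject:
    name: str
    clearance: str = "unclassified"          # MAC attribute
    roles: frozenset = frozenset()            # RBAC attribute


@dataclass
class Obj:
    name: str
    classification: str = "unclassified"     # MAC label; end users cannot change it
    owner: str = ""                           # DAC: the owning subject
    acl: dict = field(default_factory=dict)  # DAC: subject name -> set of allowed ops


def mac_allows(subject: Subject, obj: Obj, op: str) -> bool:
    """Bell-LaPadula style: read needs clearance >= label (no read up),
    write needs clearance <= label (no write down)."""
    s, o = LEVELS[subject.clearance], LEVELS[obj.classification]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    return False


def mac_relabel(actor: Subject, obj: Obj, new_label: str) -> None:
    """Only the custodian role may change a label; an end user gets PermissionError."""
    if "custodian" not in actor.roles:
        raise PermissionError(f"{actor.name} may not relabel {obj.name}")
    obj.classification = new_label


def rbac_allows(subject: Subject, obj: Obj, op: str) -> bool:
    """Allowed if any of the subject's roles carries (object, op)."""
    return any((obj.name, op) in ROLE_PERMISSIONS.get(r, set()) for r in subject.roles)


def dac_allows(subject: Subject, obj: Obj, op: str) -> bool:
    """The owner has total control; anyone else needs an ACL entry."""
    return subject.name == obj.owner or op in obj.acl.get(subject.name, set())


def dac_grant(granter: Subject, obj: Obj, grantee: str, op: str) -> None:
    """Under DAC only the owner edits the ACL (the part the text says most users do badly)."""
    if granter.name != obj.owner:
        raise PermissionError(f"{granter.name} does not own {obj.name}")
    obj.acl.setdefault(grantee, set()).add(op)


def demo() -> dict:
    """Run the three models over constructed subjects/objects and return the decisions."""
    alice = Subject("alice", clearance="secret", roles=frozenset({"accountant"}))
    bob = Subject("bob", clearance="confidential", roles=frozenset({"clerk"}))
    payroll = Obj("payroll", classification="secret")
    memo = Obj("memo", classification="confidential")
    ledger = Obj("ledger")
    notes = Obj("notes", owner="bob")

    out = {
        "mac_bob_reads_payroll": mac_allows(bob, payroll, "read"),      # no read up
        "mac_alice_reads_payroll": mac_allows(alice, payroll, "read"),
        "mac_alice_writes_memo": mac_allows(alice, memo, "write"),      # no write down
        "rbac_bob_writes_ledger": rbac_allows(bob, ledger, "write"),
        "rbac_alice_writes_ledger": rbac_allows(alice, ledger, "write"),
        "dac_alice_reads_notes_before": dac_allows(alice, notes, "read"),
    }
    dac_grant(bob, notes, "alice", "read")                              # the owner grants
    out["dac_alice_reads_notes_after"] = dac_allows(alice, notes, "read")
    try:
        dac_grant(alice, notes, "carol", "read")                        # a non-owner cannot
        out["dac_nonowner_grant_blocked"] = False
    except PermissionError:
        out["dac_nonowner_grant_blocked"] = True
    try:
        mac_relabel(bob, payroll, "unclassified")                       # an end user cannot relabel
        out["mac_enduser_relabel_blocked"] = False
    except PermissionError:
        out["mac_enduser_relabel_blocked"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to notice is where the authority sits: in MAC the end user can neither read above their clearance nor relabel the asset; in RBAC the user's own identity never appears in the permission table, only their roles do; in DAC the owner alone decides, which is exactly why the text warns that most people will manage it badly.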
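The OSI layers section and the "firewalls by processing type" list are easier to connect when you see the headers a firewall actually reads: a MAC layer firewall only looks at the layer-2 source address, while a packet filter reads the layer-3 addresses and the layer-4 ports. The following Python is an added example (not from the textbook or the review notes) that builds a constructed Ethernet II / IPv4 / TCP frame, peels it layer by layer, verifies the IPv4 header checksum, and applies a MAC-address allowlist the way the text describes for lobby kiosks. The MAC and IP addresses, ports and allowlist are made up.

```python
"""Dissect a constructed Ethernet/IPv4/TCP frame by OSI layer (2, 3, 4).
Added example, not from the textbook; the frame bytes are constructed
here, not captured from a network."""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
IP_FMT = "!BBHHHBBH4s4s"      # 20-byte IPv4 header without options
TCP_FMT = "!HHIIBBHHH"        # 20-byte TCP header without options


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum; returns 0 when a stored checksum verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags=0x02, payload=b"") -> bytes:
    """Encapsulate: TCP segment inside an IPv4 packet inside an Ethernet II frame."""
    tcp = struct.pack(TCP_FMT, sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip_fields = [0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, PROTO_TCP, 0,
                 socket.inet_aton(src_ip), socket.inet_aton(dst_ip)]
    ip_fields[7] = ipv4_checksum(struct.pack(IP_FMT, *ip_fields))   # fill in header checksum
    ip = struct.pack(IP_FMT, *ip_fields)
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def dissect(frame: bytes) -> dict:
    """Peel the layers in order; stop early when a layer is not what we expect."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"l2": {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}}
    if ethertype != ETHERTYPE_IPV4 or len(frame) < 34:
        return out
    pkt = frame[14:]
    vihl, _tos, total_len, _id, _ff, ttl, proto, _csum, s, d = struct.unpack(IP_FMT, pkt[:20])
    ihl = (vihl & 0x0F) * 4                        # header length in bytes (options possible)
    out["l3"] = {"src_ip": socket.inet_ntoa(s), "dst_ip": socket.inet_ntoa(d), "ttl": ttl,
                 "proto": proto, "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0}
    if proto != PROTO_TCP or len(pkt) < ihl + 20:
        return out
    seg = pkt[ihl:total_len]
    sport, dport, seq, _ack, off, flags, _win, _csum, _urg = struct.unpack(TCP_FMT, seg[:20])
    out["l4"] = {"src_port": sport, "dst_port": dport, "seq": seq,
                 "syn": bool(flags & 0x02), "ack": bool(flags & 0x10),
                 "payload": seg[(off >> 4) * 4:]}
    return out


def mac_layer_filter(frame: bytes, allowed_macs: set) -> str:
    """What a MAC layer firewall does: decide on the layer-2 source address alone."""
    return "allow" if dissect(frame)["l2"]["src_mac"] in allowed_macs else "deny"


if __name__ == "__main__":
    frame = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                        "192.168.0.1", "10.10.10.25", 51000, 80)
    print(dissect(frame))
    print(mac_layer_filter(frame, {"02:00:00:00:00:01"}))
```

Two practical caveats the text leaves implicit: a MAC layer firewall trusts a value the sender chooses (MAC addresses are trivially spoofed on most NICs, so the lobby kiosk check is a convenience, not a security boundary), and a filter must honour the IHL field rather than assume a 20-byte header, or an attacker can push the transport header past where the filter looks.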
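The three packet-filtering rules in Module 8 and the static versus stateful distinction are worth running rather than just reading. The following Python is an added example, not the textbook's rule table or code: the rules are written in the "172.16.x.x" wildcard style the text mentions and converted to CIDR, packets are constructed in-line, and the implicit default deny at the end of the table is an assumption (the text's table shows no default row). The HTTP and FTP rules are taken to mean TCP to the standard control ports 80 and 21.

```python
"""First-match packet filtering over the reading's three rules, plus a
stateful variant that tracks negotiated TCP connections. Added example,
not the textbook's code; rules and packets are constructed here."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The text names protocols, not ports; these are the standard control ports.
PROTO_PORTS = {"http": ("tcp", 80), "ftp": ("tcp", 21)}


def wildcard_to_cidr(addr: str) -> str:
    """'172.16.x.x' -> '172.16.0.0/16'; a plain host address becomes a /32."""
    octets = addr.split(".")
    wild = sum(1 for o in octets if o.lower() == "x")
    if wild and any(o.lower() != "x" for o in octets[4 - wild:]):
        raise ValueError(f"wildcards must be trailing: {addr}")
    fixed = ".".join("0" if o.lower() == "x" else o for o in octets)
    return f"{fixed}/{32 - 8 * wild}"


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str        # "any", "http" or "ftp"
    action: str       # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


RULES = [
    Rule("172.16.x.x", "10.10.x.x", "any", "deny"),          # rule 1 in the text
    Rule("192.168.x.x", "10.10.10.25", "http", "allow"),     # rule 2: web server
    Rule("192.168.0.1", "10.10.10.10", "ftp", "allow"),      # rule 3: one host to FTP
]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if ip_address(pkt.src) not in ip_network(wildcard_to_cidr(rule.src)):
        return False
    if ip_address(pkt.dst) not in ip_network(wildcard_to_cidr(rule.dst)):
        return False
    if rule.proto == "any":
        return True
    l4, port = PROTO_PORTS[rule.proto]
    return pkt.proto == l4 and pkt.dport == port


def static_filter(pkt: Packet, rules=RULES, default="deny") -> str:
    """Stateless: the first matching rule decides; nothing matched -> default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


class StatefulFilter:
    """Only a SYN (without ACK) that the static rules allow may open a connection;
    later packets of that flow, in either direction, pass on the state table alone."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.table = set()

    def decide(self, pkt: Packet) -> str:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if flow in self.table or reverse in self.table:
            return "allow"
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return "deny"                       # not a connection opener and no state for it
        if static_filter(pkt, self.rules) == "allow":
            self.table.add(flow)
            return "allow"
        return "deny"


def demo() -> dict:
    fw = StatefulFilter()
    syn = Packet("192.168.0.5", "10.10.10.25", "tcp", 51000, 80, syn=True)
    synack = Packet("10.10.10.25", "192.168.0.5", "tcp", 80, 51000, syn=True, ack=True)
    probe = Packet("192.168.0.9", "10.10.10.25", "tcp", 40000, 80, ack=True)  # bare ACK to a guessed port
    blocked = Packet("172.16.5.5", "10.10.10.25", "tcp", 40001, 80, syn=True)
    return {
        "static_syn": static_filter(syn),
        "static_synack": static_filter(synack),      # no rule covers server -> client
        "static_probe": static_filter(probe),        # rule 2 matches regardless of state
        "static_blocked": static_filter(blocked),    # rule 1 wins by first match
        "stateful_syn": fw.decide(syn),
        "stateful_synack": fw.decide(synack),        # reply of a negotiated connection
        "stateful_probe": fw.decide(probe),
        "cidr_rule1": wildcard_to_cidr("172.16.x.x"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two things the text describes but does not demonstrate: the stateless filter needs a mirror rule before the web server's SYN/ACK can get back to the client, while the stateful filter allows it from the state table, and the same stateful filter drops a bare ACK aimed at the web port that the stateless one would pass. Rule 3 also illustrates a limit of plain filtering: it covers only FTP's control connection on port 21, and an active-mode data connection (opened by the server from port 20 back to the client) would need either an extra rule or an FTP-aware helper on the firewall.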