Chapter 16 - Security Governance and Compliance.pdf

Full Transcript

Chapter 16
Security Governance and Compliance

THE COMPTIA SECURITY+ EXAM OBJECTIVES COVERED IN THIS
CHAPTER INCLUDE:
Domain 1.0: General Security Concepts
1.3. Explain the importance of change management processes and the impact
to security.
Business processes impacting security operation (Approval process,
Ownership, Stakeholders, Impact analysis, Test results, Backout plan,
Maintenance window, Standard operating procedure)
Technical implications (Allow lists/deny lists, Restricted activities,
Downtime, Service restart, Application restart, Legacy applications,
Dependencies)
Documentation (Updating diagrams, Updating policies/procedures)
Version control
Domain 2.0: Threats, Vulnerabilities, and Mitigations
2.5. Explain the purpose of mitigation techniques used to secure the
enterprise.
Least privilege
Domain 5.0: Security Program Management and Oversight
5.1. Summarize elements of effective security governance.
Guidelines
Policies (Acceptable use policy (AUP), Information security policies,
Business continuity, Disaster recovery, Incident response, Software
development lifecycle (SDLC), Change management)
Standards (Password, Access control, Physical security, Encryption)
Procedures (Change management, Onboarding/offboarding, Playbooks)
External considerations (Regulatory, Legal, Industry, Local/regional,
National, Global)
Monitoring and revision
Types of governance structures (Boards, Committees, Government
entities, Centralized/decentralized)
5.3. Explain the processes associated with third-party risk assessment and
management.
 Vendor assessment (Penetration testing, Right-to-audit clause, Evidence of
internal audits, Independent assessments, Supply chain analysis)
Vendor selection (Due diligence, Conflict of interest)
Agreement types (Service-level agreement (SLA), Memorandum of
agreement (MOA), Memorandum of understanding (MOU), Master service
agreement (MSA), Work order (WO)/Statement of Work (SOW), Non-
disclosure agreement (NDA), Business partners agreement (BPA))
Vendor monitoring
Questionnaires
Rules of engagement
5.4. Summarize elements of effective security compliance.
Compliance reporting (Internal, External)
Consequences of non-compliance (Fines, Sanctions, Reputational damage,
Loss of license, Contractual impacts)
Compliance monitoring (Due diligence/care, Attestation and
acknowledgement, Internal and external, Automation)
5.6. Given a scenario, implement security awareness practices.
Phishing (Campaigns, Recognizing a phishing attempt, Responding to
reported suspicious messages)
Anomalous behavior recognition (Risky, Unexpected, Unintentional)
User guidance and training (Policy/handbooks, Situational awareness,
Insider threat, Password management, Removable media and cables,
Social engineering, Operational security, Hybrid/remote work
environments)
Reporting and monitoring (Initial, Recurring)
Development
Execution

Governance structures ensure that organizations achieve their strategic objectives while
complying with their obligations. Policy serves as one of the primary governance tools
for any cybersecurity program, setting out the principles and rules that guide the
execution of security efforts throughout the enterprise. Often, organizations base these
policies on best practice frameworks developed by industry groups, such as the National
Institute of Standards and Technology (NIST) or the International Organization for
Standardization (ISO). In many cases, organizational policies are also influenced and
directed by external compliance obligations that regulators impose on the organization.
In this chapter, you will learn about good governance practices and the important
elements of the cybersecurity policy framework.
Security Governance
Governance programs are the sets of procedures and controls put in place to allow an
organization to effectively direct its work. Without governance, running a large
organization would be virtually impossible. Imagine if thousands of employees
throughout the organization each had to make their own determinations about which
work was most important, who should carry out each function, and how the
organization would conduct its work. The organization would quickly find itself in a
state of unmanageable chaos. Governance efforts function at all layers of an organization
to coordinate the development and execution of strategic plans. This ensures that every
aspect of an organization's work aligns with the organization's strategy and goals.

Corporate Governance
At the highest levels of the organization, corporate governance programs ensure that the
organization sets an appropriate strategic direction, develops a plan to implement that
strategy, and then executes its strategic plan. This is done through a hierarchical model,
such as the one shown in Figure 16.1, which is the common governance model for
publicly traded corporations.
This approach is designed for use in an environment where the owners are so numerous
or unengaged that they are unable to carry out day-to-day oversight of the company.
This is the situation where a publicly traded company typically finds itself. The owners
of that company's stock own the corporation, but they may number in the thousands or
millions and their membership may change on a daily basis. It would quickly cripple a
public corporation if all of its shareholders were required to vote on every action taken
by the company. To alleviate this burden, the shareholders of the company conduct
regular meetings where they elect a group of individuals to direct the actions of the
corporation on their behalf. This group, known as the board of directors, has ultimate
authority over the organization as the owners' representatives.
These directors are typically drawn from the major shareholders and have expertise in
corporate governance, perhaps having served as senior corporate executives themselves.
Although some members of the board may also be employed as senior leaders within the
organization, it is considered a best practice in corporate governance for a majority of
the members of the board to be independent directors, meaning that they have no
significant relationship with the company other than their board membership. In fact,
the major stock exchanges each have requirements about the number of independent
directors that a corporation must have to qualify for listing on the exchange.

FIGURE 16.1 Typical corporate governance model
Boards typically meet on a fairly infrequent basis, perhaps monthly or quarterly, so it is
not practical for a board to dictate the day-to-day operations of the company. Instead,
they hire a chief executive officer (CEO) who manages the company's operations. The
CEO is hired by the board, may be dismissed by the board, and has their performance
reviews and compensation determined by the board.
Of course, the CEO also can't control every single function of the organization, so they
must hire a team of executives, managers, and individual contributors to perform this
work. Once again, the flow of governance cascades downward. The shareholder owners
of the company delegate authority to run the organization to their elected board of
directors. The board then hires and manages the CEO, who then hires and manages
other senior executives, who hire and manage middle managers, who hire and manage
teams of individual contributors. The size of the management hierarchy depends on the
size of the organization and is intended to preserve a reasonable number of direct
subordinates for each manager.

The governance model described here is the one used for publicly
traded companies. Nonprofit organizations follow a similar model, with the major
difference being that the board members are either elected by the membership of
the organization or elected in a “self-perpetuating” model, where current board
members vote to elect new board members. Privately owned organizations may
follow many different governance models. For example, the sole owner of a
corporation may also serve as the CEO or carry out the functions of a board on their
own. Alternatively, multiple owners of a corporation may each appoint a number of
board members proportional to their ownership stake. There are many possible
variations on this model, but the key point is that the owners control the
organization either directly or through a board that they control.

Governance, Risk, and Compliance Programs
Organizations carry out the work of governance through the creation and
implementation of a governance, risk, and compliance (GRC) program. GRC programs
integrate three related tasks:
Governance of the organization, as discussed in this chapter
Risk management, as discussed in Chapter 17, “Risk Management and Privacy”
Compliance, as discussed later in this chapter

Information Security Governance
Information security governance is a natural extension of corporate governance. The
board delegates operational authority to the CEO, who then delegates specific areas of
authority to subordinate executives. For example, the CEO might delegate financial
authority to the chief financial officer (CFO) and operational authority to the chief
operations officer (COO). Similarly, the CEO delegates information security
responsibility to the chief information security officer (CISO) or other responsible
executive.
This hierarchical approach to governance helps ensure that information security
governance efforts are integrated into corporate governance efforts, ensuring that the
organization's information security program supports broader organizational goals and
objectives. The CISO and CEO must work together to ensure the proper alignment of the
information security program with corporate governance.
The CISO then works with other peers on the senior management team to design and
implement an information security governance framework that guides the activity of the
information security function and ensures alignment with the organization's
information security strategy. This governance framework may take many different
forms. It normally involves the establishment of a management structure for the
cybersecurity team that aligns with management approaches used elsewhere in the
organization.
The information security governance framework should also include the mechanisms
that the security team will use to enforce security requirements across the organization.
This is particularly important because the CISO does not exercise operational control
over the entire organization but needs management leverage to ensure the organization
meets its cybersecurity requirements. This is normally done through the creation of
policies that apply to the entire organization, as discussed later in this chapter.
The lines of authority for the cybersecurity function flow through the defined corporate
governance mechanisms of the organization. The CISO and other security leaders
should use existing reporting and communications channels when available and
establish new channels when necessary. They should also include escalation procedures
in the event that the cybersecurity team requires management assistance getting
traction in other areas of the organization.

Types of Governance Structures
The governance model described in this chapter is the one most commonly used in for-
profit businesses, but many organizations have their own unique approaches to security
governance. These approaches fit into two major categories:
Centralized governance models use a top-down approach where a central authority
creates policies and standards, which are then enforced throughout the organization.
Decentralized governance models use a bottom-up approach, where individual
business units are delegated the authority to achieve cybersecurity objectives and
then may do so in the manner they see fit.

Exam Note

Be able to tell the difference between centralized and decentralized governance
models. These topics come directly from the SY0-701 exam objectives!
In addition to using a formal board of directors, governance structures may incorporate
a variety of internal committees consisting of subject matter experts (SMEs) and
managers. Government entities, such as regulatory agencies, may also play a role in the
governance of some organizations. For example, banks may be regulated by the U.S.
Treasury Department or similar agencies in other countries.

Understanding Policy Documents
An organization's information security policy framework contains a series of
documents designed to describe the organization's cybersecurity program. The scope
and complexity of these documents vary widely, depending on the nature of the
organization and its information resources. These frameworks generally include four
types of document:
Policies
Standards
Procedures
Guidelines

In the remainder of this section, you'll learn the differences between each of these
document types. However, keep in mind that the definitions of these categories vary
significantly from organization to organization and it is very common to find the lines
between them blurred. Though at first glance that may seem incorrect, it's a natural
occurrence as security theory meets the real world. As long as the documents are
achieving their desired purpose, there's no harm and no foul.
As you prepare the documents in your policy framework, you should not only take into
account your organization's business objectives but also consider external
considerations that may impact your policies. These include:
Regulatory and legal requirements that mandate the use of certain controls
Industry-specific considerations that may alter your approach to information
security
Jurisdiction-specific considerations based on global, national, and/or local/regional
issues in the areas where you operate

Policies
Policies are high-level statements of management intent. Compliance with policies is
mandatory. An information security policy will generally contain broad statements
about cybersecurity objectives, including the following:
A statement of the importance of cybersecurity to the organization
Requirements that all staff and contractors take measures to protect the
confidentiality, integrity, and availability of information and information systems
 Statement on the ownership of information created and/or possessed by the
organization
Designation of the CISO or other individual as the executive responsible for
cybersecurity issues
Delegation of authority granting the CISO the ability to create standards,
procedures, and guidelines that implement the policy

In many organizations, the process to create a policy is laborious and requires very high-
level approval, often from the CEO. Keeping policy statements at a high level provides
the CISO with the flexibility to adapt and change specific security requirements with
changes in the business and technology environments. For example, the five-page
information security policy at the University of Notre Dame simply states:
The Information Governance Committee will create handling standards for each
Highly Sensitive data element. Data stewards may create standards for other data
elements under their stewardship. These information handling standards will
specify controls to manage risks to University information and related assets based
on their classification. All individuals at the University are responsible for
complying with these controls.
By way of contrast, the federal government's Centers for Medicare & Medicaid Services
(CMS) has a 95-page information security policy. This mammoth document contains
incredibly detailed requirements, such as:
A record of all requests for monitoring must be maintained by the CMS CIO along
with any other summary results or documentation produced during the period of
monitoring. The record must also reflect the scope of the monitoring by
documenting search terms and techniques. All information collected from
monitoring must be controlled and protected with distribution limited to the
individuals identified in the request for monitoring and other individuals
specifically designated by the CMS Administrator or CMS CIO as having a specific
need to know such information.
The CMS document even goes so far as to include a complex chart describing the many
cybersecurity roles held by individuals throughout the agency. An excerpt from that
chart appears in Figure 16.2.
 FIGURE 16.2 Excerpt from CMS roles and responsibilities chart
Source: Centers for Medicare and Medicaid Services Information Systems Security and Privacy
Policy, May 21, 2019. (www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-
Technology/InformationSecurity/Downloads/CMS-IS2P2.pdf)

This approach may meet the needs of CMS, but it is hard to imagine the long-term
maintenance of that document. Lengthy security policies often quickly become outdated
as necessary changes to individual requirements accumulate and become neglected
because staff are weary of continually publishing new versions of the policy.
Organizations commonly include the following documents in their information security
policy library:
Information security policy that provides high-level authority and guidance for the
security program
Incident response policy that describes how the organization will respond to security
incidents
Acceptable use policy (AUP) that provides network and system users with clear
direction on permissible uses of information resources
Business continuity and disaster recovery policies that outline the procedures and
strategies to ensure that essential business functions continue to operate during and
after a disaster, and that data and assets are recovered and protected
Software development life cycle (SDLC) policy that establishes the processes and
standards for developing and maintaining software, ensuring that security is
considered and integrated at every stage of development
Change management and change control policies that describe how the
 organization will review, approve, and implement proposed changes to information
systems in a manner that manages both cybersecurity and operational risk

Exam Note

The policies listed here are specifically mentioned in the SY0-701 exam objectives.
Be sure that you're familiar with the nature and purpose of policies related to
information security, incident response, acceptable use, business continuity,
disaster recovery, SDLC, and change management as you prepare for the exam.

Standards
Standards provide mandatory requirements describing how an organization will carry
out its information security policies. These may include the specific configuration
settings used for a common operating system, the controls that must be put in place for
highly sensitive information, or any other security objective. Standards are typically
approved at a lower organizational level than policies and, therefore, may change more
regularly.
For example, the University of California at Berkeley maintains a detailed document
titled the Minimum Security Standards for Electronic Information, available at
https://security.berkeley.edu/minimum-security-standards-electronic-information.
This document divides information into four data protection levels (DPLs) and then
describes what controls are required, optional, and not required for data at different
levels, using a detailed matrix. An excerpt from this matrix appears in Figure 16.3.

FIGURE 16.3 Excerpt from UC Berkeley Minimum Security Standards for
Electronic Information
Source: University of California at Berkeley Minimum Security Standards for Electronic Information
The standard then provides detailed descriptions for each of these requirements with
definitions of the terms used in the requirements. For example, requirement 3.1 in
Figure 16.3 simply reads “Secure configurations.” Later in the document, UC Berkeley
expands this to read “Resource Custodians must utilize well-managed security
configurations for hardware, software, and operating systems based on industry
standards.” It goes on to define “well-managed” as including the following:
Devices must have secure configurations in place prior to deployment.
Any deviations from defined security configurations must be approved through a
change management process and documented. A process must exist to annually
review deviations from the defined security configurations for continued relevance.
A process must exist to regularly check configurations of devices and alert the
Resource Custodian of any changes.

This approach provides a document hierarchy that is easy to navigate for the reader and
provides access to increasing levels of detail as needed. Notice also that many of the
requirement lines in Figure 16.3 provide links to guidelines. Clicking those links leads to
advice to organizations subject to this policy that begins with this text:
UC Berkeley security policy mandates compliance with Minimum Security
Standard for Electronic Information for devices handling covered data. The
recommendations below are provided as optional guidance.
This is a perfect example of three elements of the information security policy framework
working together. Policy sets out the high-level objectives of the security program and
requires compliance with standards, which include details of required security controls.
Guidelines provide advice to organizations seeking to comply with the policy and
standards.
In some cases, organizations may operate in industries that have commonly accepted
standards that the organization either must follow or chooses to follow as a best
practice. Failure to follow industry best practices may be seen as negligence and can
cause legal liability for the organization. Many of these industry standards are expressed
in the standard frameworks discussed later in this chapter.
As you prepare your organization's standards, you should pay particular attention to
four types of standards:
Password standards set forth requirements for password length, complexity, reuse,
and similar issues.
Access control standards describe the account life cycle from provisioning through
active use and decommissioning. This policy should include specific requirements
for personnel who are employees of the organization as well as third-party
contractors. It should also include requirements for credentials used by devices,
service accounts, and administrator/root accounts.
Physical security standards establish the guidelines for securing the physical
premises and assets of the organization. This includes security measures like access
control systems, surveillance cameras, security personnel, and policies regarding
 visitor access, protection of sensitive areas, and handling of physical security
breaches.
Encryption standards specify the requirements for encrypting data both in transit
and at rest. This includes the selection of encryption algorithms, key management
practices, and the conditions under which data must be encrypted to protect the
confidentiality and integrity of information.

Exam Note

The standards listed here are specifically mentioned in the SY0-701 exam
objectives. Be sure that you're familiar with the nature and purpose of standards
related to passwords, access control, physical security, and encryption as you
prepare for the exam.

Procedures
Procedures are detailed, step-by-step processes that individuals and organizations must
follow in specific circumstances. Similar to checklists, procedures ensure a consistent
process for achieving a security objective. Organizations may create procedures for
building new systems, releasing code to production environments, responding to
security incidents, and many other tasks. Compliance with procedures is mandatory.
For example, Visa publishes a document titled What to Do if Compromised
(https://usa.visa.com/dam/VCOM/download/merchants/cisp-what-to-do-if-
compromised.pdf) that lays out a mandatory process that merchants suspecting a credit
card compromise must follow. Although the document doesn't contain the word
procedure in the title, the introduction clearly states that the document “establishes
procedures and timelines for reporting and responding to a suspected or confirmed
Compromise Event.” The document provides requirements covering the following areas
of incident response:
Notify Visa of the incident within three days
Provide Visa with an initial investigation report
Provide notice to other relevant parties
Provide exposed payment account data to Visa
Conduct PCI forensic investigation
Conduct independent investigation
Preserve evidence

Each of these sections provides detailed information on how Visa expects merchants to
handle incident response activities. For example, the forensic investigation section
describes the use of Payment Card Industry Forensic Investigators (PFIs) and reads as
follows:
 Upon discovery of an account data compromise, or receipt of an independent
forensic investigation notification, an entity must:
Engage a PFI (or sign a contract) within five (5) business days.
Provide Visa with the initial forensic (i.e., preliminary) report within ten (10)
business days from when the PFI is engaged (or the contract is signed).
Provide Visa with a final forensic report within ten (10) business days of the
completion of the review.

There's not much room for interpretation in this type of language. Visa is laying out a
clear and mandatory procedure describing what actions the merchant must take, the
type of investigator they should hire, and the timeline for completing different
milestones.
Organizations commonly include the following procedures in their policy frameworks:
Change management procedures that describe how the organization will perform
change management activities that comply with the organization's change
management policy, including the possible use of version control and other tools
Onboarding and offboarding procedures that describe how the organization will
add new user accounts as employees join the organization and how those accounts
will be removed when no longer needed
Playbooks that describe the actions that the organization's incident response team
will take when specific types of incidents occur

Of course, cybersecurity teams may decide to include many other types of procedures in
their frameworks, as dictated by the organization's operational needs.

Exam Note

The procedures listed here are specifically mentioned in the SY0-701 exam
objectives. Be sure that you're familiar with the nature and purpose of procedures
related to change management, onboarding, offboarding, and playbooks as you
prepare for the exam.

Guidelines
Guidelines provide best practices and recommendations related to a given concept,
technology, or task. Compliance with guidelines is not mandatory, and guidelines are
offered in the spirit of providing helpful advice. That said, the “optionality” of guidelines
may vary significantly depending on the organization's culture.
In April 2016, the chief information officer (CIO) of the state of Washington published a
25-page document providing guidelines on the use of electronic signatures by state
agencies. The document is not designed to be obligatory but, rather, offers advice to
agencies seeking to adopt electronic signature technology. The document begins with a
purpose section that outlines three goals of the guideline:
1. Help agencies determine if and to what extent their agency will implement and rely
on electronic records and electronic signatures.
2. Provide agencies with information they can use to establish policy or rule governing
their use and acceptance of digital signatures.
3. Provide direction to agencies for sharing of their policies with the Office of the Chief
Information Officer (OCIO) pursuant to state law.

The first two stated objectives align completely with the guideline functions. Phrases like
“help agencies determine” and “provide agencies with information” are common in
guideline documents. There is nothing mandatory about them, and in fact, the
guidelines explicitly state that Washington state law “does not mandate that any state
agency accept or require electronic signatures or records.”
The third objective might seem a little strange to include in a guideline. Phrases like
“provide direction” are more commonly found in policies and procedures. Browsing
through the document, the text relating to this objective is only a single paragraph
within a 25-page document:
The Office of the Chief Information Officer maintains a page on the OCIO.wa.gov
website listing links to individual agency electronic signature and record
submission policies. As agencies publish their policies, the link and agency contact
information should be emailed to the OCIO Policy Mailbox. The information will
be added to the page within 5 working days. Agencies are responsible for notifying
the OCIO if the information changes.
Reading this paragraph, the text does appear to clearly outline a mandatory procedure
and would not be appropriate in a guideline document that fits within the strict
definition of the term. However, it is likely that the committee drafting this document
thought it would be much more convenient to the reader to include this explanatory text
in the related guideline rather than drafting a separate procedure document for a fairly
mundane and simple task.

The full Washington state document, Electronic Signature
Guidelines, is available for download from the Washington State CIO's website at
https://ocio.wa.gov/sites/default/files/Electronic_Signature_Guidelines_FINAL.pdf

Exceptions and Compensating Controls
When adopting new security policies, standards, and procedures, organizations should
also provide a mechanism for exceptions to those rules. Inevitably, unforeseen
circumstances will arise that require a deviation from the requirements. The policy
framework should lay out the specific requirements for receiving an exception and the
individual or committee with the authority to approve exceptions.
The state of Washington uses an exception process that requires the requestor
document the following information:
Standard/requirement that requires an exception
Reason for noncompliance with the requirement
Business and/or technical justification for the exception
Scope and duration of the exception
Risks associated with the exception
Description of any supplemental controls that mitigate the risks associated with the
exception
Plan for achieving compliance
Identification of any unmitigated risks

Many exception processes require the use of compensating controls to mitigate the risk
associated with exceptions to security standards. The Payment Card Industry Data
Security Standard (PCI DSS) includes one of the most formal compensating control
processes in use today. It sets out five criteria that must be met for a compensating
control to be satisfactory:
1. The control must meet the intent and rigor of the original requirement.
2. The control must provide a similar level of defense as the original requirement, such
that the compensating control sufficiently offsets the risk that the original PCI DSS
requirement was designed to defend against.
3. The control must be “above and beyond” other PCI DSS requirements.
4. The control must address the additional risk imposed by not adhering to the PCI
DSS requirement.
5. The control must address the requirement currently and in the future.

For example, an organization might find that it needs to run an outdated version of an
operating system on a specific machine because the software necessary to run the
business will only function on that operating system version. Most security policies
would prohibit using the outdated operating system because it might be susceptible to
security vulnerabilities. The organization could choose to run this system on an isolated
network with either very little or no access to other systems as a compensating control.
The general idea is that a compensating control finds alternative means to achieve an
objective when the organization cannot meet the original control requirement. Although
PCI DSS offers a very formal process for compensating controls, the use of
compensating controls is a common strategy in many different organizations, even those
not subject to PCI DSS. Compensating controls balance the fact that it simply isn't
possible to implement every required security control in every circumstance with the
desire to manage risk to the greatest feasible degree.
In many cases, organizations adopt compensating controls to address a temporary
exception to a security requirement. In those cases, the organization should also develop
remediation plans designed to bring the organization back into compliance with the
letter and intent of the original control.

Monitoring and Revision
Policy monitoring is an ongoing process that involves regularly evaluating the
implementation and efficacy of an organization's information security policies. Through
the use of tools like security information and event management (SIEM) systems, as
well as by conducting periodic audits and assessments, organizations can assess how
well policies are being adhered to and whether they continue to align with current
security needs, regulatory requirements, and technological changes. Effective
monitoring also includes gathering feedback from staff members who are integral to
policy implementation.
When inconsistencies or areas for improvement are identified, policy revision becomes
necessary. This involves updating policies to address any shortcomings and adapting to
new challenges or requirements. It is important that revised policies are promptly
communicated to all relevant personnel and, if necessary, that training is provided to
ensure effective compliance. Regular monitoring and timely revision are crucial for
maintaining an adaptive and robust security posture.

Change Management
Deploying systems in a secure state is important. However, it's also essential to ensure
that systems retain that same level of security. Change management helps reduce
unanticipated outages caused by unauthorized changes.
The primary goal of change management is to ensure that changes do not cause outages.
Change management processes ensure that appropriate personnel review and approve
changes before implementation and ensure that personnel test and document the
changes.
Changes often create unintended side effects that can cause outages. For example, an
administrator can change one system to resolve a problem but unknowingly cause a
problem in other systems. Consider Figure 16.4. The web server is accessible from the
Internet and accesses the database on the internal network. Administrators have
configured appropriate ports on Firewall 1 to allow Internet traffic to the web server and
appropriate ports on Firewall 2 to allow the web server to access the database server.
 FIGURE 16.4 Web server and database server
A well-meaning firewall administrator may see an unrecognized open port on Firewall 2
and decide to close it in the interest of security. Unfortunately, the web server needs this
port open to communicate with the database server, so when the port is closed the web
server will begin having problems. The help desk is soon flooded with requests to fix the
web server, and people begin troubleshooting it. They ask the web server programmers
for help, and after some troubleshooting, the developers realize that the database server
isn't answering queries. They then call in the database administrators to troubleshoot
the database server. After a bunch of hooting, hollering, blamestorming, and finger-
pointing, someone realizes that a needed port on Firewall 2 is closed. They open the port
and resolve the problem—at least until this well-meaning firewall administrator closes it
again or starts tinkering with Firewall 1.

Organizations constantly seek the best balance between security and
usability. There are instances when an organization makes conscious decisions to
improve the performance or usability of a system by weakening security. However,
change management helps ensure that an organization takes the time to evaluate
the risk of weakening security and compare it to the benefits of increased usability.

Unauthorized changes directly affect the A in the CIA triad—availability. However,
change management processes allow various IT experts to review proposed changes for
unintended side effects before implementing the changes. These processes also give
administrators time to check their work in controlled environments before
implementing changes in production environments.
Additionally, some changes can weaken or reduce security. Imagine an organization isn't
using an effective access control model to grant access to users. Administrators may not
be able to keep up with the requests for additional access. Frustrated administrators
may decide to add a group of users to an Administrators group within the network.
Users will now have all the access they need, improving their ability to use the network,
and they will no longer bother the administrators with access requests. However,
granting administrator access in this way directly violates the least privilege principle
and significantly weakens security.

Change Management Processes and Controls
A change management process ensures that personnel can perform a security impact
analysis. Experts evaluate changes to identify any security impacts before personnel
deploy the changes in a production environment.
Change management controls provide a process to control, document, track, and audit
all system changes. This includes changes to any aspect of a system, including hardware
and software configuration. Organizations implement change management processes
through the life cycle of any system.

Standard Operating Procedures for Changes
Common tasks within a change management process are as follows:
1. Request the change. Once personnel identify desired changes, they request the
change. Some organizations use internal websites, allowing personnel to submit
change requests via a web page. The website automatically logs the request in a
database, which allows personnel to track the changes. It also allows anyone to see
the status of a change request.
2. Review the change. Experts within the organization review the change. Personnel
reviewing a change are typically from several different areas within the organization.
These should be identified through a complete impact analysis performed in
consultation with the owners of the change and the various stakeholders in the
change. In some cases, stakeholders may quickly complete the review and approve or
reject the change. In other cases, the change may require approval at a formal
change review board or change advisory board (CAB) after extensive testing. Board
members are the personnel that review the change request.
3. Approve/reject the change. Based on the review, these experts then approve or
reject the change. They also record the response in the change management
documentation. For example, if the organization uses an internal website, someone
will document the results in the website's database. In some cases, the change review
board might require the creation of a rollback or backout plan. This ensures that
personnel can return the system to its original condition if the change results in a
failure.
4. Test the change. Once the change is approved, it should be tested, preferably on a
nonproduction server. Testing helps verify that the change doesn't cause an
unanticipated problem. Test results should be included in the change
documentation.
5. Schedule and implement the change. The change is scheduled so that it can be
implemented with the least impact on the system and the system's customers. This
may require scheduling the change during off-duty or nonpeak hours. Testing should
discover any problems, but it's still possible that the change causes unforeseen
problems. Because of this, it's important to have a backout plan. This allows
 personnel to undo the change and return the system to its previous state if
necessary.

Exam Note

Changes should be performed at a scheduled and coordinated time to avoid
undesirable or unexpected impacts on operations. Many organizations use
scheduled maintenance windows to coordinate changes to information systems.
These windows are preplanned and announced times when all non-emergency
changes will take place and often occur on evenings and weekends.

6. Document the change. The last step is the documentation of the change to ensure
that all interested parties are aware of it. This step often requires a change in the
configuration management documentation. If an unrelated disaster requires
administrators to rebuild the system, the change management documentation
provides them with information on the change. This ensures that they can return the
system to the state it was in before the change.

There may be instances when an emergency change is required. For example, if an
attack or malware infection takes one or more systems down, an administrator may
need to make changes to a system or network to contain the incident. In this situation,
the administrator still needs to document the changes. This ensures that the change
review board can review the change for potential problems. Additionally, documenting
the emergency change ensures that the affected system will include the new
configuration if it needs to be rebuilt.
When the change management process is enforced, it creates documentation for all
changes to a system. This provides a trail of information if personnel need to reverse the
change. If personnel have to implement the same change on other systems, the
documentation also provides a road map or procedure to follow.

Technical Impact of Changes

The technical impacts of a change may be far-reaching. As organizations consider
the potential for a change to disrupt other processes, they should consider all of
those potential impacts. It's very important to involve a diverse set of technical
stakeholders in this analysis because most organizations have a complex technical
environment that no single person understands completely.
Some of the issues you should consider are:
Whether the change will require any modifications to security controls, such as
firewall rules, allow lists, or deny lists
Whether any other business or technical activities need to be restricted during
 or after the change
Whether the change will cause downtime for critical systems
Whether the change will require restarting any services or applications
Whether the change involves any legacy applications that lack vendor support
Whether all possible dependencies have been identified and documented

Version Control
Version control ensures that developers and users have access to the latest versions of
software and that changes are carefully managed throughout the release process. A
labeling or numbering system differentiates between different software sets and
configurations across multiple machines or at different points in time on a single
machine. For example, the first version of an application may be labeled as 1.0. The first
minor update would be labeled as 1.1, and the first major update would be 2.0. This
helps keep track of changes over time to deployed software.
Although most established software developers recognize the importance of versioning
and revision control with applications, many new web developers don't recognize its
importance. These web developers have learned some excellent skills they use to create
awesome websites but don't always recognize the importance of underlying principles
such as version control. If they don't control changes through some type of version
control system, they can implement a change that effectively breaks the website.

Documentation
Documentation identifies the current configuration of systems. It identifies who is
responsible for the system and its purpose and lists all changes applied to the baseline.
Years ago, many organizations used simple paper notebooks to record this information
for servers, but today it is much more common to store this information in a formal
configuration management system.
Keeping this documentation current is a crucial step when completing a change. Before
closing out a change management task, be sure that any related documentation,
diagrams, policies, and procedures are updated to reflect the impact of the change.

Personnel Management
An organization's employees require access to information and systems to carry out
their assigned job functions. With this access comes the risk that an employee will,
through intentional or accidental action, become the source of a cybersecurity incident.
Organizations that follow personnel management best practices can reduce the
likelihood and impact of employee-centered security risks.

Least Privilege
The principle of least privilege says that individuals should be granted only the
minimum set of permissions necessary to carry out their job functions. Least privilege is
simple in concept but sometimes challenging to implement in practice. It requires
careful attention to the privileges necessary to perform specific jobs and ongoing
attention to avoid security issues. Privilege creep, one of these issues, occurs when an
employee moves from job to job within the organization, accumulating new privileges,
but never has the privileges associated with past duties revoked.

Separation of Duties
Organizations may implement separation of duties for extremely sensitive job functions.
Separation of duties takes two different tasks that, when combined, have great
sensitivity and creates a rule that no single person may have the privileges required to
perform both tasks.
The most common example of separation of duties comes in the world of accounting.
Individuals working in accounting teams pose a risk to the organization should they
decide to steal funds. They might carry out this theft by creating a new vendor in the
accounting system with the name of a company that they control and then issuing
checks to that vendor through the normal check-writing process.
An organization might manage this risk by recognizing that the ability to create a new
vendor and issue a check is sensitive when used in combination and implement
separation of duties for them. In that situation, no single individual would have the
permission to both create a new vendor and issue a check. An accounting employee
seeking to steal funds in this manner would now need to solicit the collusion of at least
one other employee, reducing the risk of fraudulent activity.
Two-person control is a concept that is similar to separation of duties but with an
important difference: instead of preventing the same person from holding two different
privileges that are sensitive when used together, two-person control requires the
participation of two people to perform a single sensitive action.

Job Rotation and Mandatory Vacations
Organizations also take other measures to reduce the risk of fraudulent activity by a
single employee. Two of these practices focus on uncovering fraudulent actions after
they occur by exposing them to other employees.
Job rotation practices take employees with sensitive roles and move them periodically
to other positions in the organization. The motivating force behind these efforts is that
many types of fraud require ongoing concealment activities. If an individual commits
fraud and is then rotated out of their existing assignment, they may not be able to
continue those concealment activities due to changes in privileges and their replacement
may discover the fraud themselves.
Mandatory vacations serve a similar purpose by forcing employees to take annual
vacations of a week or more consecutive time and revoking their access privileges during
that vacation period.

Clean Desk Space
Clean desk policies are designed to protect the confidentiality of sensitive information
by limiting the amount of paper left exposed on unattended employee desks.
Organizations implementing a clean desk policy require that all papers and other
materials be secured before an employee leaves their desk.

Onboarding and Offboarding
Organizations should have standardized processes for onboarding new employees upon
hire and offboarding employees who are terminated or resign. These processes ensure
that the organization retains control of its assets and handles the granting and
revocation of credentials and privileges in an orderly manner.
New hire processes should also include background checks designed to uncover any
criminal activity or other past behavior that may indicate that a potential employee
poses an undetected risk to the organization.

Nondisclosure Agreements
Nondisclosure agreements (NDAs) require that employees protect any confidential
information that they gain access to in the course of their employment. Organizations
normally ask new employees to sign an NDA upon hire and periodically remind
employees of their responsibilities under the NDA. Offboarding processes often involve
exit interviews that include a final reminder of the employee's responsibility to abide by
the terms of the NDA even after the end of their affiliation with the organization.

Social Media
Organizations may choose to adopt social media policies that constrain the behavior of
employees on social media. Social media analysis performed by the organization may
include assessments of both personal and professional accounts, because that activity
may reflect positively or negatively upon the organization. Organizations should make
their expectations and practices clear in a social media policy.

Third-Party Risk Management
Many risks facing an organization come from third-party organizations with whom the
organization does business. These risks may be the result of a vendor relationship that
arises somewhere along the organization's supply chain, or they may be the result of
other business partnerships.

Vendor Selection
Organizations choosing vendors should take special care to evaluate the vendor
thoroughly during the selection process. This is especially true if the vendor will be
involved in critical business processes or handle sensitive information for the
organization.
Due diligence involves thoroughly vetting potential vendors to ensure that they meet the
organization's standards and requirements. This process should include an evaluation of
the vendor's financial stability, business reputation, quality of products or services, and
compliance with relevant regulations. You should also examine the vendor's security
practices and data handling procedures, especially when they will be dealing with
sensitive or proprietary information.
Another essential aspect of vendor selection is identifying and mitigating conflicts of
interest. A conflict of interest arises when a vendor has a competing interest that could
influence their behavior in a way that is not aligned with the best interests of the
organization. For example, a vendor might have financial ties with a competitor or may
be offering similar products or services. In such cases, the organization must assess the
nature and extent of these conflicts and take the necessary steps to manage them. This
may involve adding clauses in the contract that limit the vendor's engagement with
competitors, or in some cases, it may lead to the decision to not engage with the vendor
at all.

Vendor Assessment
After the initial selection process, organizations should continuously assess the chosen
vendors to ensure they maintain the expected quality, security, and performance levels.
One method to evaluate a vendor's security is through penetration testing, where
authorized simulated attacks are carried out to identify vulnerabilities in the vendor's
systems.
Vendor agreements should include a right-to-audit clause that allows the customer to
conduct or commission audits on the vendor's operations and practices to ensure
compliance with terms and conditions, as well as regulatory requirements.
Furthermore, organizations should request evidence of internal audits conducted by the
vendor. These audits can provide insights into the vendor's internal controls,
compliance, and risk management practices.
Independent assessments are also an essential tool. They may involve bringing in third-
party experts to objectively evaluate the vendor's practices and systems. These
assessments can include certification verifications, such as ISO 27001 or SOC reports.
Supply chain analysis is vital in understanding the risks associated with the vendor's
supply chain. This includes assessing the vendor's suppliers and understanding the
interdependencies and risks that could impact the vendor's ability to deliver products or
services.
Organizations can employ questionnaires to collect information regarding the vendor's
practices and performance regularly. These questionnaires can be tailored to focus on
specific areas of concern, such as security policies, data handling procedures, and
business continuity planning.

Vendor Agreements
Organizations may deploy some standard agreements and practices to manage third-
party vendor risks. Commonly used agreements include the following:
Master service agreements (MSAs) provide an umbrella contract for the work that a
 vendor does with an organization over an extended period of time. The MSA
typically includes detailed security and privacy requirements. Each time the
organization enters into a new project with the vendor, they may then create a work
order (WO) or a statement of work (SOW) that contains project-specific details and
references the MSA.
Service level agreements (SLAs) are written contracts that specify the conditions of
service that will be provided by the vendor and the remedies available to the
customer if the vendor fails to meet the SLA. SLAs commonly cover issues such as
system availability, data durability, and response time.
A memorandum of understanding (MOU) is a letter written to document aspects of
the relationship. MOUs are an informal mechanism that allows the parties to
document their relationship to avoid future misunderstandings. MOUs are
commonly used in cases where an internal service provider is offering a service to a
customer that is in a different business unit of the same company.
A memorandum of agreement (MOA) is a formal document that outlines the terms
and details of an agreement between parties, establishing a mutual understanding of
the roles and responsibilities in fulfilling specific objectives. MOAs are generally
more detailed than MOUs and may include clauses regarding resource allocation,
risk management, and performance metrics.
Business partners agreements (BPAs) exist when two organizations agree to do
business with each other in a partnership. For example, if two companies jointly
develop and market a product, the BPA might specify each partner's responsibilities
and the division of profits.

Organizations will need to select the agreement type(s) most appropriate for their
specific circumstances.

Exam Note

For the exam, be sure you know the differences between the various agreement
types, including SLA, MOA, MOU, MSA, NDA, WO/SOW, and BPA.

Vendor Monitoring
Effective vendor monitoring is crucial for managing and mitigating third-party risks. It
involves the continuous observation and analysis of a vendor's performance and
compliance to ensure that they adhere to the contractual obligations and meet the
organization's expectations.
One of the critical aspects of vendor monitoring is establishing rules of engagement.
These rules define the boundaries within which the vendor should operate. They
normally include setting clear communication protocols, defining responsibilities, and
establishing processes for issue resolution. By setting these rules, organizations can
ensure that both parties are on the same page regarding expectations and obligations,
which can help in preventing misunderstandings and disputes.
Performance monitoring is a central component of vendor monitoring. Organizations
should establish key performance indicators (KPIs) that quantitatively measure the
vendor's performance. Regularly monitoring these metrics allows organizations to
ensure that vendors are meeting the agreed-upon standards.
In addition, security monitoring should be performed to ensure that the vendor
maintains adequate security practices. This involves monitoring the vendor's security
posture, checking for any data breaches or security incidents, and ensuring that they are
in compliance with relevant security standards and regulations.
Compliance monitoring is also essential, particularly for vendors handling sensitive data
or operating in highly regulated industries. Organizations should ensure that vendors
are in compliance with legal and regulatory requirements and that they have the
necessary certifications and accreditations.
Financial monitoring involves evaluating the vendor's financial health to ensure they
remain a viable partner. This is particularly important for long-term contracts where the
organization might be dependent on the vendor's services for an extended period.
In cases where issues are identified through monitoring, organizations should have a
process in place for addressing these issues with the vendor. This may include formal
meetings, corrective action plans, and in extreme cases, considering termination of the
contract.

Winding Down Vendor Relationships
All things come to an end, and third-party relationships are no exception. Organizations
should take steps to ensure that they have an orderly transition when a vendor
relationship ends or the vendor is discontinuing a product or service on which the
organization depends. This should include specific steps that both parties will follow to
have an orderly transition when the vendor announces a product's end of life (EOL) or a
service's end of service life (EOSL). These same steps may be followed if the
organization chooses to stop using the product or service on its own.

Exam Note

We discussed nondisclosure agreements (NDAs) earlier in this chapter in the
context of employee relationships, but employees are not the only individuals with
access to sensitive information about your organization. Vendor agreements should
also include NDA terms, and organizations should ensure that vendors ask their
own employees to sign NDAs if they will have access to your sensitive information.

Complying with Laws and Regulations
Legislators and regulators around the world take an interest in cybersecurity due to the
potential impact of cybersecurity shortcomings on individuals, government, and society.
Whereas the European Union (EU) has a broad-ranging data protection regulation,
cybersecurity analysts in the United States are forced to deal with a patchwork of
security regulations covering different industries and information categories.

Common Compliance Requirements
Some of the major information security regulations facing organizations include the
following:
The Health Insurance Portability and Accountability Act (HIPAA) includes security
and privacy rules that affect health-care providers, health insurers, and health
information clearinghouses in the United States.
The Payment Card Industry Data Security Standard (PCI DSS) provides detailed
rules about the storage, processing, and transmission of credit and debit card
information. PCI DSS is not a law but rather a contractual obligation that applies to
credit card merchants and service providers worldwide.
The Gramm–Leach–Bliley Act (GLBA) covers U.S. financial institutions, broadly
defined. It requires that those institutions have a formal security program and
designate an individual as having overall responsibility for that program.
The Sarbanes–Oxley (SOX) Act applies to the financial records of U.S. publicly
traded companies and requires that those companies have a strong degree of
assurance for the IT systems that store and process those records.
The General Data Protection Regulation (GDPR) implements security and privacy
requirements for the personal information of European Union residents worldwide.
The Family Educational Rights and Privacy Act (FERPA) requires that U.S.
educational institutions implement security and privacy controls for student
educational records.
Various data breach notification laws describe the requirements that individual
states place on organizations that suffer data breaches regarding notification of
individuals affected by the breach.

Remember that this is only a brief listing of security regulations. There are many other
laws and obligations that apply to specific industries and data types. You should always
consult your organization's legal counsel and subject matter experts when designing a
compliance strategy for your organization. You'll need to understand the various
national, territory, and state laws that apply to your operations, and the advice of a well-
versed attorney is crucial when interpreting and applying cybersecurity regulations to
your specific business and technical environment.

Compliance Reporting
Organizations need to engage in both internal and external compliance reporting to
ensure that they meet the regulatory requirements and maintain transparency within
the organization and with external stakeholders. Internal compliance reporting is a vital
component in maintaining an organization's security posture and ensuring adherence to
various laws and regulations. Internal reporting typically involves regular reports to the
management or the board, highlighting the state of compliance, identifying gaps, and
providing recommendations for improvement. These reports are essential for decision-
makers within the organization to understand the compliance landscape, allocate
resources effectively, and ensure that compliance objectives align with the organization's
strategic goals.
External compliance reporting, on the other hand, is mandated by regulatory bodies or
as a part of contractual obligations. It involves providing necessary documentation and
evidence to external entities to demonstrate that the organization is in compliance with
relevant laws and regulations. For instance, organizations handling credit card data
might need to submit compliance reports to the Payment Card Industry Security
Standards Council (PCI SSC), and those under GDPR must be ready to provide
compliance evidence to data protection authorities. External compliance reporting is
crucial for maintaining good standing with regulatory authorities, avoiding penalties,
and building trust with customers and partners by demonstrating a commitment to
security and privacy.

Consequences of Noncompliance
Failure to comply with laws and regulations can have severe consequences for
organizations, ranging from financial penalties to reputational damage and loss of
business.
One of the most immediate impacts of noncompliance is the imposition of fines and
sanctions. Regulatory bodies have the authority to levy significant fines on organizations
that fail to comply with the required standards. For instance, under the GDPR,
companies can be fined up to 4 percent of their annual global turnover, or €20 million,
whichever is higher, for serious infringements.
Additionally, noncompliance can lead to nonfinancial sanctions, which may include
restrictions on business operations. In some cases, regulatory authorities might suspend
or revoke licenses that are critical to the organization's operations. For example, a
financial institution that fails to comply with anti-money-laundering regulations could
lose its banking license, which is essential for its core business activities.
Reputational damage is another critical consequence of noncompliance. When news of
noncompliance, especially involving data breaches or privacy violations, becomes
public, it can severely tarnish the image of the organization. Customers and partners
may lose trust in the organization's ability to safeguard their information and might
choose to take their business elsewhere.
Loss of business and contractual impacts are also significant consequences.
Noncompliance can lead to the termination of contracts, especially when compliance
with specific standards is a prerequisite for engaging in business relationships. This can
result in lost revenue and additional costs associated with finding and establishing
relationships with new partners.
In some cases, noncompliance can also lead to legal action. Individuals or entities
affected by an organization's noncompliance may sue for damages. This not only leads
to potential monetary losses but also consumes time and resources, as the organization
has to deal with legal proceedings.
Given the potential severity of these consequences, it is essential for organizations to
invest in compliance management and ensure that they are aware of and adhere to all
relevant laws and regulations. Regular audits, training, and effective communication
channels are critical components in maintaining compliance and mitigating the risks
associated with noncompliance.

Compliance Monitoring
Effective compliance monitoring is a cornerstone in ensuring that organizations adhere
to the various laws, regulations, and contractual obligations. An essential aspect of this
monitoring involves due diligence, which is the process of continuously researching and
understanding the legal and regulatory requirements that pertain to the organization. It
is crucial to stay abreast of evolving laws and ensure that the organization has the
necessary policies and controls in place.
Due care, a complementary concept, refers to the ongoing efforts to ensure that the
implemented policies and controls are effective and continuously maintained. This
means regularly reviewing and updating policies and taking proactive steps to ensure
compliance. Part of due care involves attestation and acknowledgment.
Acknowledgment means ensuring that employees and business partners state that they
are aware of the compliance requirements. Attestation means that they are aware of
these requirements but have also confirmed that their practices adhere to these policies.
Internal and external monitoring mechanisms play a pivotal role in compliance
monitoring. Internal monitoring includes internal audits, reviews, and checks to ensure
that the organization follows its policies and meeting legal requirements. External
monitoring, on the other hand, involves third-party audits and assessments, which
provide an unbiased view of the organization's compliance status.
Automation is an invaluable tool in compliance monitoring, especially for larger
organizations with complex compliance requirements. Automated compliance solutions
can track changes in regulations, monitor for violations, and ensure that policies are
consistently applied. This not only saves time and resources but also reduces the risk of
human error and helps in generating detailed reports that can be used for further
analysis and improvement.

Exam Note

Be ready to summarize the elements of effective security compliance, including
compliance reporting, the consequences of noncompliance, and compliance
monitoring.

Adopting Standard Frameworks
Developing a cybersecurity program from scratch is a formidable undertaking.
Organizations will have a wide variety of control objectives and tools at their disposal to
meet those objectives. Teams facing the task of developing a new security program or
evaluating an existing program may find it challenging to cover a large amount of
ground without a roadmap. Fortunately, several standard security frameworks are
available to assist with this task and provide a standardized approach to developing
cybersecurity programs.

NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) is responsible for
developing cybersecurity standards across the U.S. federal government. The guidance
and standard documents they produce in this process often have wide applicability
across the private sector and are commonly referred to by nongovernmental security
analysts due to the fact that they are available in the public domain and are typically of
very high quality.
In 2018, NIST released version 1.1 of a Cybersecurity Framework (CSF) designed to
assist organizations attempting to meet one or more of the following five objectives:
Describe their current cybersecurity posture.
Describe their target state for cybersecurity.
Identify and prioritize opportunities for improvement within the context of a
continuous and repeatable process.
Assess progress toward the target state.
Communicate among internal and external stakeholders about cybersecurity risk.

The NIST framework includes three components:
The Framework Core, shown in Figure 16.5, is a set of five security functions that
apply across all industries and sectors: identify, protect, detect, respond, and
recover. The framework then divides these functions into categories, subcategories,
and informative references. Figure 16.6 shows a small excerpt of this matrix in
completed form, looking specifically at the Identify (ID) function and the Asset
Management category. If you would like to view a fully completed matrix, see the
NIST document Framework for Improving Critical Infrastructure Cybersecurity.
The Framework Implementation Tiers assess how an organization is positioned to
meet cybersecurity objectives. Table 16.1 shows the framework implementation tiers
and their criteria. This approach is an example of a maturity model that describes
the current and desired positioning of an organization along a continuum of
progress. In the case of the NIST maturity model, organizations are assigned to one
of four maturity model tiers.
Framework profile describes how a specific organization might approach the security
functions covered by the Framework Core. An organization might use a framework
profile to describe its current state and then a separate profile to describe its desired
future state.
 FIGURE 16.5 NIST Cybersecurity Framework Core Structure
Source: Framework for Improving Critical Infrastructure Cybersecurity Version 1.1, National
Institute of Standards and Technology
(http://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf)

TABLE 16.1 NIST Cybersecurity Framework implementation tiers
Source: Framework for Improving Critical Infrastructure Cybersecurity Version 1.1, National Institute of
Standards and Technology

Risk
Integrated risk External
Tier management
management program participation
process
There is limited awareness of
Organizational
cybersecurity risk at the The organization
cybersecurity risk
organizational level. The does not understand
management
organization implements its role in the larger
Tier 1: practices are not
cybersecurity risk management ecosystem with
Partial formalized, and risk
on an irregular, case-by-case respect to either its
is managed in an ad
basis due to varied experience dependencies or
hoc and sometimes
or information gained from dependents.
reactive manner.
outside sources.
Generally, the
Risk management
organization
practices are There is an awareness of
understands its role
approved by cybersecurity risk at the
Tier 2: in the larger
management but organizational level, but an
Risk ecosystem with
may not be organization-wide approach to
Informed respect to either its
established as managing cybersecurity risk has
own dependencies or
organization-wide not been established.
dependents, but not
policy.
both.
 The organization
The organization's understands its role,
risk management dependencies, and
There is an organization-wide dependents in the
Tier 3: practices are
approach to manage larger ecosystem and
Repeatable formally approved
cybersecurity risk. may contribute to the
and expressed as
policy. community's broader
understanding of
risks.
The organization
adapts its The organization
cybersecurity There is an organization-wide understands its role,
practices based on approach to managing dependencies, and
previous and cybersecurity risk that uses dependents in the
Tier 4:
current risk-informed policies, larger ecosystem and
Adaptive
cybersecurity processes, and procedures to contributes to the
activities, including address potential cybersecurity community's broader
lessons learned and events. understanding of
predictive risks.
indicators.
The NIST Cybersecurity Framework provides organizations with a sound approach to
developing and evaluating the state of their cybersecurity programs.

At the time this book went to press, NIST was working on the
development of their Cybersecurity Framework 2.0. The new framework is expected
to be released in 2024. More information is available at
www.nist.gov/cyberframework/updating-nist-cybersecurity-framework-journey-
csf-20.

NIST Risk Management Framework
In addition to the CSF, NIST publishes a Risk Management Framework (RMF). The
RMF is a mandatory standard for federal agencies that provides a formalized process
that federal agencies must follow to select, implement, and assess risk-based security
and privacy controls. Figure 16.7 provides an overview of the NIST RMF process. More
details may be found in NIST SP 800-37, Risk Management Framework for
Information Systems and Organizations
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf)
 FIGURE 16.6 Asset Management Cybersecurity Framework
Source: Framework for Improving Critical Infrastructure Cybersecurity Version 1.1, National
Institute of Standards and Technology
(http://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf)

NIST publishes both the NIST CSF and RMF, and it can be a little
confusing to keep them straight. The RMF is a formal process for implementing
security controls and authorizing system use, whereas the CSF provides a broad
structure for cybersecurity controls. It's important to understand that, although
both the CSF and RMF are mandatory for government agencies, only the CSF is
commonly used in private industry.

ISO Standards
The International Organization for Standardization (ISO) publishes a series of
standards that offer best practices for cybersecurity and privacy. As you prepare for the
Security+ exam, you should be familiar with four specific ISO standards: ISO 27001,
ISO 27002, ISO 27701, and ISO 31000.
 FIGURE 16.7 NIST Risk Management Framework
Source: FISMA Implementation Project Risk Management Framework (RMF) Overview, National
Institute of Standards and Technology http://csrc.nist.gov/projects/risk-management/rmf-
overview

ISO 27001
ISO 27001 is a standard document titled “Information security management systems.”
This standard includes control objectives covering 14 categories:
Information security policies
Organization of information security
Human resource security
Asset management
Access control
 Cryptography
Physical and environmental security
Operations security
Communications security
System acquisition, development, and maintenance
Supplier relationships
Information security incident management
Information security aspects of business continuity management
Compliance with internal requirements, such as policies, and with external
requirements, such as laws

The ISO 27001 standard was once the most commonly used information security
standard, but it is declining in popularity outside of highly regulated industries that
require ISO compliance. Organizations in those industries may choose to formally adopt
ISO 27001 and pursue certification programs, where an external assessor validates their
compliance with the standard and certifies them as operating in accordance with ISO
27001.

ISO 27002
The ISO 27002 standard goes beyond control objectives and describes the actual
controls that an organization may implement to meet cybersecurity objectives. ISO
designed this supplementary document for organizations that wish to
Select information security controls
Implement information security controls
Develop information security management guidelines

ISO 27701
Whereas ISO 27001 and ISO 27002 focus on cybersecurity controls, ISO 27701 contains
standard guidance for managing privacy controls. ISO views this document as an
extension to their ISO 27001 and ISO 27002 security standards.

Be careful with the numbering of the ISO standards, particularly ISO
27001 and ISO 27701. They look nearly identical, but it is important to remember
that ISO 27001 covers cybersecurity and ISO 27701 covers privacy.

ISO 31000
ISO 31000 provides guidelines for risk management programs. This document is not
specific to cybersecurity or privacy but covers risk management in a general way so that
it may be applied to any risk.

Benchmarks and Secure Configuration Guides
The NIST and ISO frameworks are high-level descriptions of cybersecurity and risk
management best practices. They don't offer practical guidance on actually
implementing security controls. However, government agencies, vendors, and industry
groups publish a variety of benchmarks and secure configuration guides that help
organizations understand how they can securely operate commonly used platforms,
including operating systems, web servers, application servers, and network
infrastructure devices.
These benchmarks and configuration guides get down into the nitty-gritty details of
securely operating commonly used systems. For example, Figure 16.8 shows an excerpt
from a security configuration benchmark for Windows Server 2022.

FIGURE 16.8 Windows Server 2022 Security Benchmark Excerpt
Source: Center for Internet Security (CIS) (http://cisecurity.org/cis-benchmarks)

The excerpt shown in Figure 16.8 comes from the Center for Internet Security (CIS), an
industry organization that publishes hundreds of benchmarks for commonly used
platforms. To give you a sense of the level of detail involved, Figure 16.8 shows a portion
of one page from a document that contains 642 pages detailing appropriate security
settings for Windows Server 2022.
Security Awareness and Training
The success of a security program depends on the behavior (both actions and inaction)
of many different people. Security training and awareness programs help ensure that
employees and other stakeholders are aware of their information security
responsibilities and that those responsibilities remain top-of-mind. Information security
managers are responsible for establishing, promoting, and maintaining an information
security training and awareness program to foster an effective security culture in their
organizations.

User Training
Users within your organization should receive regular security training to ensure that
they understand the risks associated with your computing environment and their role in
minimizing those risks. Strong training programs take advantage of a diversity of
training techniques, including the use of computer-based training (CBT).

Role-Based Training
Not every user requires the same level of training. Organizations should use role-based
training to make sure that individuals receive the appropriate level of training based on
their job responsibilities. For example, a systems administrator should receive detailed
and highly technical training, whereas a customer service representative requires less
technical training with a greater focus on social engineering and pretexting attacks that
they may encounter in their work.

User Guidance and Training
Phishing attacks often target users at all levels of the organization, and every security
awareness program should include specific antiphishing campaigns designed to help
users recognize suspicious messages and respond to phishing attempts appropriately.
These campaigns often involve the use of phishing simulations, which send users fake
phishing messages to test their skills. Users who click on the simulated phishing
message are sent to a training program designed to help them better recognize
fraudulent messages.
Anomalous behavior recognition is also an important component of security awareness
training. Employees should be able to recognize when risky, unexpected, and/or
unintentional behavior takes place. The insider threat posed by employees with
legitimate access permissions is significant, and other employees may be the first to
notice the signs of anomalous behavior that could be a security concern.
Other topics that should be included in end-user security training programs include:
Security Policies and Handbooks Provide users with information about where
they can find critical security documents.
Situational Awareness Update users on the security threats facing the
organization and how they can recognize suspicious activity.
Insider Threats Remind users that employees, contractors, and other insiders
 may pose a security risk and that they should be alert for anomalous behavior.
Password Management Educate users about your organization's password
standards and the importance of not reusing passwords across multiple sites.
Removable Media and Cables Inform users of the risks associated with the use
of USB drives, external hard drives, and other removable media, as well as
unfamiliar cables. Educate them on the policies for using these devices and the
importance of scanning for malware before accessing files.
Social Engineering Train users to recognize and respond to social engineering
attacks. Teach them to be skeptical of unsolicited communications, especially
those that create a sense of urgency or require sensitive information.
Operational Security Educate users on the importance of protecting sensitive
information during day-to-day operations. This includes understanding the
importance of access controls, not discussing sensitive information in public or
unsecured areas, and being vigilant about who has access to sensitive data.
Hybrid/Remote Work Environments Instruct users on best practices for
securing data and maintaining privacy when working remotely or in hybrid
environments. This includes the use of VPNs, secure Wi-Fi networks, ensuring
physical security of devices, and understanding the specific policies and
procedures that are in place for remote work.

Exam Note

The SY0-701 exam objectives call out specific security awareness practices for
phishing, anomalous behavior recognition, user guidance and training, reporting
and monitoring, development, and execution. Given a scenario, be ready to
implement security awareness best practices.

Training Frequency
You'll also want to think about the frequency of your training efforts. You'll need to
balance the time required to conduct training with the benefit from reminding users of
their responsibilities. One approach used by many organizations is to conduct initial
training whenever an employee joins the organization or assumes new job
responsibilities and then use annual refresher trainings to cover the same material and
update users on new threats and controls.

Development and Execution
The development of security training programs begins with a thorough assessment of
the organization's security landscape and identifying potential risks and threats. Based
on this assessment, the team can develop tailored content that addresses the unique
challenges of the organization.
It's helpful to incorporate real-world examples and interactive elements to keep
participants engaged. Aligning the training with the organization's policies and
procedures ensures consistency and relevance.
The execution phase should include a variety of training methods, such as workshops, e-
learning modules, and simulations, catering to different learning preferences. An
essential aspect of execution is to make training accessible and regular for all employees.
Create a schedule that includes initial training for new employees and periodic
refreshers to keep knowledge current.

Reporting and Monitoring
Reporting and monitoring are crucial components of security training programs.
Administrators should track participation in training programs and assess user
knowledge through quizzes and other means. You should also collect feedback from
employees to understand their perspectives and make necessary adjustments to the
program.
It's helpful to provide decision-makers with regular reports that provide both detailed
data for technical stakeholders and high-level trends for management. Over time, an
analysis of trends in knowledge levels and security incidents is essential for
understanding the long-term impact of the training program.
The team responsible for providing security training should review materials on a
regular basis to ensure that the content remains relevant. Changes in the security
landscape and the organization's business may require updating the material to remain
fresh and relevant.

Ongoing Awareness Efforts
In addition to formal training programs, an information security program should
include security awareness efforts. These are less formal efforts that are designed to
remind employees about the security lessons they've already learned. Unlike security
training, awareness efforts don't require a commitment of time to sit down and learn
new material. Instead, they use posters, videos, email messages, and similar techniques
to keep security top-of-mind for those who've already learned the core lessons.
Figure 16.9 shows an example of a security awareness poster developed by the U.S.
Department of Energy.
 FIGURE 16.9 Security awareness poster
Source: U.S. Department of Energy

Summary