CISSP Week 2

The 4 Steps In Risk Analysis

1. Risk Identification
   • Determine risks, identify hazards
   • Who or what can be harmed and how?
2. Risk Assessment
3. Implement policies and controls
4. Monitor systems and practices involved
5. Promote awareness

Stage 1 of the 4 Stages of a Security Plan Life Cycle (Plan and Organize)

Plan & Organize
• Establish management commitment
• Establish oversight committees
• Management steering & oversight
• Assess business drivers / goals
• Create a threat profile for the organization
• Conduct a risk assessment
• Develop security architecture at an organizational, application, network and component level
• Identify solutions per architecture level
• Obtain management approval to move forward

Stage 2 of the 4 Stages of the Security Plan Life Cycle (Implement)

Implement
• Assign roles & responsibilities
• Develop and implement security policies, procedures, standards, baselines & guidelines
• Identify sensitive data (at rest and in transit)
• Implement safeguards/programs
• Implement solutions (per program)
• Develop auditing and monitoring solutions per program (for compliance purposes)
• Change control procedures
• Incident response
• Establish goals and metrics per program

Stage 3 of the 4 Stages of the Security Plan Life Cycle (Operate and Maintain)

Operate & Maintain
• Follow procedures to ensure that all baselines are met in each implemented program
• Carry out internal and external audits
• Carry out tasks outlined per program
• Manage service level agreements per program

Stage 4 of the 4 Stages of the Security Plan Life Cycle (Monitor and Evaluate)

Monitor & Evaluate
• Review logs, audit results, and SLAs per program
• Assess goal accomplishments per program
• Quarterly Steering Committee meetings
• Recommend changes for improvement

Roles of the Security Administrator

• Assist data owners in determining what type of access an employee should have
• Security administration ensures access control is implemented and monitored
• Data owner is often the senior executive or head of department
• Held responsible for data protection and assigning security classifications
• Can be found negligent if not following due care

3 Types of Security Controls (Administrative, Technical, Physical)

1. Administrative Controls:
• Developing and publishing of policies, standards, procedures and guidelines
• Risk management
• Screening of personnel
• Security awareness training
• Implementing change control procedures

2. Technical Controls (Logical Controls):
• Primarily for automated or electronic systems
• Configuration of security devices & infrastructure
• Implement and maintain access control mechanisms
• Password and resource management
• Identification and authentication methods
• Security devices & infrastructure

3. Physical Controls:
• Tangible mechanisms (ex. a fence, a lock, a door)
• Controlling individual access into the facility and different departments
• Locking systems and removing unnecessary drives (Floppy/CD-ROM, USB)
• Protecting the perimeter of the facility
• Monitor for intrusion
• Environmental controls

Explain Security Through Obscurity

Improper understanding of risks can lead to bad security practices

Security Through Obscurity
• This leads to simple and sloppy mistakes and a false sense of security
• Lack of understanding typically leads to believing your opponent (attacker) is less intelligent than you
• Relying on security through confusion or obscurity
• Example: Leaving a spare house key in your mailbox
• Example: Changing the web server default port to 8080
• Example: Renaming a directory

Security Through Obscurity can be used as a layer of security, but not as a strategy!

The Three Areas of Security Planning

• Operational: short-term goals
• Tactical: mid-term goals
• Strategic: long-term goals

6 Principles of the COBIT Security Framework

• COBIT was derived from the COSO framework, developed by the Committee of Sponsoring Organizations in 1985 to deal with fraudulent financial reporting
• Released in 1996; there is now a COBIT 2019
• COBIT presents six principles for a governance system:
  1. Meet stakeholder needs
  2. Holistic approach
  3. Dynamic governance system
  4. Distinct governance from management
  5. Tailored to enterprise needs
  6. End-to-end governance system

The 5 Areas of the COSO Security Framework

There are 5 COSO Areas
• The Committee of Sponsoring Organizations of the Treadway Commission (COSO)

1. Control Environment
• Management philosophy & operating style
• Company culture toward fraud and ethics

2. Risk Assessment
• Establish risk level
• Manage change

3. Control Activities
• Policies, procedures & practices to mitigate risk

4. Information and Communication
• Organizational structure to ensure information is provided to the right levels of management

5. Monitoring
• Detect and respond to control deficiencies

COSO vs COBIT

• COBIT is a model for IT (Information Technology) governance
• COSO is a model for corporate governance
• COSO deals more with the strategic level
• COBIT deals more with the operational level
• COBIT & COSO identify what is to be achieved, not how to achieve it
