Thursday, October 19, 2017

Domain 1 Security and Risk Management - Part 1

The first domain of the CISSP holds 12 sections and discusses aspects of risk management concepts, tools, laws and standards around people, process and technology. Here are some short highlights from my notes:

Understand and apply concepts of confidentiality, integrity, and availability 

CIA (Confidentiality / Integrity / Availability) - if I were to put them in my own words, I would say that Confidentiality is the way to assure an asset is kept secret from any unauthorized system and / or person.
  • How to protect: most commonly by the use of encryption; taking data and encrypting it is done by multiple different techniques.
Integrity is the assurance that the asset you have was not handled in any way, shape or form by an unauthorized system and / or person.
  • How to protect: that is more complex, however it can be done by introducing multiple mechanisms, together referred to as AAA (Triple A from the networking world, or the 5 A's from the ISC2 world): Identification, Authentication, Authorization, Audit, Accounting.
Availability is making sure the asset is obtainable (I had to look for another word :-)) when needed.
  • How to protect: at a high level, by assuring service / asset health and stability.

Now, often the CIA is referred to as the CIA triad.

Note: the word asset was mentioned multiple times to make sure we get used to the terminology.
Asset: can be "data / person / company / resource / service..." or anything you can put a value on and that is worth protecting.
Google Definition: a useful or valuable thing, person, or quality.

What is AAA in the CISSP world?

Identification - the process of providing an identity to the next stage, authentication. In the world I am from, identification and authentication are part of the same process, as without one the other can't exist; however, for the sake of the CISSP let's keep an open mind.
Authentication - once you have received the identifier, we need to be able to authenticate and make sure that this is indeed the account; there are different authentication methods like password, PIN code, biometrics (fingerprint)...
Authorization - after we have passed authentication, we need to be able to provide limited access to resources according to our job requirements; providing too much may impact confidentiality and integrity, and providing too little may impact availability.
Audit - auditing is a very important function, and again from my networking world it was part of accounting. The audit function is to provide monitoring and the ability to go back and look at who did what and when; a very important part of troubleshooting and a fundamental part of being able to prove non-repudiation.
Accounting - the ability to prove a subject's identity and track their activities, if needed to be later presented in a court of law.
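To make the five A's concrete, here is a small added example (my own toy code, not from ISC2 or any real IAM product) that walks one access request through identification, authentication, authorization, audit and accounting. The user store, roles and passwords are constructed for the demo.

```python
"""Toy walk-through of the 5 A's: Identification, Authentication, Authorization, Audit, Accounting."""
import hashlib
import hmac
import os
import time

# Constructed identity store: identifier -> salted password hash + role.
# Passwords are never stored in clear; PBKDF2-HMAC-SHA256 is used for the demo.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_store():
    store = {}
    for name, pw, role in [("alice", "correct horse", "admin"), ("bob", "hunter2", "reader")]:
        salt = os.urandom(16)
        store[name] = {"salt": salt, "hash": _hash(pw, salt), "role": role}
    return store

# Authorization data: role -> allowed actions (least privilege: a reader only reads).
PERMISSIONS = {"admin": {"read", "write", "delete"}, "reader": {"read"}}

AUDIT_LOG = []  # Audit trail: who did what, when, and with which outcome

def _audit(subject, action, outcome):
    AUDIT_LOG.append({"ts": time.time(), "subject": subject, "action": action, "outcome": outcome})

def access(store, identifier, password, action):
    # 1. Identification: the subject claims an identity (just a name, nothing proven yet).
    record = store.get(identifier)
    # 2. Authentication: prove the claim. Unknown user and wrong password are logged
    #    the same way so the audit log does not reveal which identifiers exist.
    if record is None or not hmac.compare_digest(_hash(password, record["salt"]), record["hash"]):
        _audit(identifier, action, "AUTH_FAIL")
        return False
    # 3. Authorization: an authenticated subject still only gets what its role allows.
    if action not in PERMISSIONS[record["role"]]:
        _audit(identifier, action, "DENIED")
        return False
    # 4. Audit: successful actions are recorded as well, not only failures.
    _audit(identifier, action, "OK")
    return True

def accounting(subject):
    # 5. Accounting: a per-subject activity summary reconstructed from the audit trail,
    #    i.e. what could later be presented to show who did what.
    return [e["action"] + ":" + e["outcome"] for e in AUDIT_LOG if e["subject"] == subject]
```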

Alignment of security function to business strategy, goals, mission, and objectives  

First, maybe let's define what governance is - according to the Google dictionary it is the action of governing, meaning?! If you own a company, or if you are one of the C-level functions in a company, it would be expected of you to govern and lead the company on the path to success, and part of it would be taking responsibility for providing company policies, goals and mission statements.

Elements to remember related to governance:
  1. Corporate executives must be committed to the security plan - due care!
  2. Corporate executives are to define the mission statement and company policy.
  3. The CISO / CSO should not be subject to company politics and should avoid any possible conflict of interest.
  4. Company executives have the highest responsibility for the company's security, and in case they were careless they may also be subject to personal legal action against them.
  5. The security plan is subject to due diligence; always be responsive to the needed changes.

Organizational processes 

As in life, when you get to a crossroads there is higher risk, as a crossroads increases complexity and involves cars moving on the same road in different directions; introducing proper mechanisms like rules, signs, lights... will reduce the risk. The same is true with organizational changes: when purchasing a new company / systems, or god forbid when laying off personnel, the organization needs to be ready to face the implications:

  • make sure there is a well elaborated and sorted plan
  • make sure all personnel and / or systems are informed and ready for the change
  • prepare a backup / restoration / rollback (you name it) plan
  • make sure you have a way to monitor and measure the change and identify any negative impact

Organizational roles and responsibilities 

Roles and responsibilities are highly important; to do your job well, especially in a large organization, you need to know what your duties are, what is expected from you and how you can assist with the goals of your organization.

Key Roles To Know and remember:

Data Owner - as the name suggests, it is the highest authority for the data, making sure data security is in order; normally this will be a senior manager. The data owner is also responsible for classifying the data security level.

Data Custodian - this is whoever is given the task of practically making sure data security is addressed as classified and according to the guidelines; normally this would be IT / IS.

Auditor - is responsible for monitoring and making sure security policies are being followed and implemented, and issues periodic reports to be reviewed by senior management. In case the auditor discovers and reports issues, senior management must address them.

Senior Manager - has the top responsibility and liability for the organization's security; however, the implementation of security is a function that is delegated to security professionals.

User - any user in the organization has their role in keeping the corporate security policy by following the provided policies and procedures.

Due Care/Due Diligence

Due Care

It is the action of "caring" about the possible harm a system / person might do to an asset!
  • The Data Owner (normally an organization executive) is obligated to due care.
Law: the conduct that a reasonable man or woman will exercise in a particular situation, in looking out for the safety of others. If one uses due care then an injured party cannot prove negligence. This is one of those nebulous standards by which negligence is tested. Each juror has to determine what a "reasonable" man or woman would do. (reference)

Due Diligence

It is an action performed in an iterative and repeatable manner, with steps taken for verifying / monitoring and applying actions in order to preserve company policy and standards.
  • The Data Owner is obligated to make sure due diligence is conducted on a regular basis.
  • Data Custodians normally perform the due diligence in practice.
Google Translate: reasonable steps taken by a person in order to satisfy a legal requirement, especially in buying or selling something.

To be continued...
