Originates from BS7799 ISO/EIC 27000 Series International standard on how to develop and maintain an ISMS developed by ISO

and IEC Model for the development of enterprise architectures

Zachman framework TOGAF

Model and methodology for the development of enterprise architectures US Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals Architecture framework used mainly in military support missions developed by British Ministry of Defense Model and Methodology for the development of IS enterprise architectures Set of control objectives for IT Management developed by ISACA Set of Controls to protect US Federal systems developed by NIST Set of internal corporate controls to help reduce the risk of financial fraud Processes to allow for IT service management Business Management strategy that can be used to carry out process improvement Organizational development for process improvement

DoDAF

MODAF

Security Frameworks
Security Concepts Relationships

SABSA

CobiT

SP 800-53

COSO ITIL Six Sigma

Confidentiality

Fundamental Principles of Security Security Definitions

Integrity Availability Balanced Security

Capability Maturity Model Integration

CISSP Information Security Governance and Risk Management

Control Types
All three categories controls should provide concept Defense-In-Depth Categories Administrative Control - "Soft" control, management oriented Technical Control - "Logical" control, software and hardware components Physical Control - items put in place to protect facility, personnel and resources Functionality Deterrent - intended to discourage attacker Preventive - intended to avoid incident from occurring Corrective - fixes components or systems after an incident has occurred Recovery - intended to bring the environment back to regular operations Detective - helps identify an incident's activities and potentially intruder Compensating - controls that provide an alternative measure of control Risk Management Team Common Categories

Security Management

Process of identifying and accessing risk, reducing it to an acceptable level, and implementing mechanisms to maintain that level Physical Damage Human Interaction Equipment malfunction Internal and External attacks Misuse of data Loss of data Application error Should be subset of overall IS Policy Information Risk Management Policy Establishes commitment of management Provides foundation and direction for risk management processes and procedures Overall goal is to ensure that company is protected in cost-effective manner. Assessment - method of identifying vulnerabilities and threats and assessing impacts to determine where to place correct controls and safeguards Results of assessment are analyzed. Risk analysis provides cost/benefit comparison Analysis used to ensure that security is cost-effective, timely, relevant and responsive to threats Includes individuals from many or all departments Risk Analysis Team Should include individuals that understand processes that are part of their departments Cost to acquire or develop an asset Cost to maintain and protect an asset Value of the asset to owners and users Value of an asset to adversaries Identify Cost Value of Information and Assets Price others are willing to pay for the asset Cost of replacement in case of loss Cost of operations affected by loss Liability issues How useful asset for organization Loss Potential - what company would loose if threat agent would exploit vulnerability Loss Delayed - loss well after vulnerability is exploited System Characterization Threat Identification Vulnerability Identification Control Analysis NIST 800-30 (Risk Management guide for Information technology systems) Likelihood Determination Impact analysis Risk Determination Control Recommendations Results documentation Goal is to keep assessment small and assessment processes simple FRAP (Facilitated Risk Analysis Process) Qualitative methodology Focus on systems that need risk assessment the most Methodologies for Risk Assessment Risk Management Used where people manage and direct risk evaluations within their company OCTAVE (Operationally Critical Threat, Asset, and VUlnerability Evaluation) Stresses self-directed team approach Useful to assess all the systems, applications and business processes within the organization. International standard on how risk management should be carried out ISO/IEC 27005 Deal with IT and softer risk issues (people, documentation, trainings, personnel security) Method of identifying function, their functional failures and assessing causes of failure and failure causes through structured process. Failure modes and effect analysis (FMEA) Used in product development and operational environments Goal is to identify what is most likely to fail and either fix the flaws or implement controls to reduce impact of failure Assigns monetary and numeric values to all elements of risk analysis Each element is quantified and entered into equation to determine total and residual risk Single Loss Expectancy (SLE) - Company potential loss amount if specific threat where to take place Exposure Factor - percentage of loss a realized threat could have on a certain asset Once in 10 years = 0.1 Terms to remember Quantitative approach Annualized rate of occurrence(ARO) value that represents the estimated frequency of a specific threat taking place within 12 months time-frame Once in 5 years = 0.5 Once a year = 1 Twice a year = 2 Annual Loss Expectancy (ALE) - shows a company sensible amount to spend on implementing control Risk Analysis approaches Complex calculations Process is laborious without automation tools Cons Detailed information requires better preparations Standards are not available. Assigns rating to the risk, not monetary or numeric values Opinion-based or scenario-based method Qualitative approach Cons Results as assessments are subjectives and opinion-based Eliminates opportunity to see cost/benefit values Hard to develop security budget Standards are not available Delphi technique - group decision method used to ensure that each member gives an honest opinion of what result of a particular threat. Process is anonymous (ALE before control) - (ALE after control implemented) - (annual cost of control) = value of control to the company SLE=Asset Value x Exposure Factor Asset Value (150,000) x Exposure Factor (25%) = 37,500 Procedures Guidelines Baselines Refer to a point in time that is used as comparison for future changes Used to define minimum level of protection required May be not technology-oriented, but should be enforced within organization as well Recommended actions and operational guides for users, IT staff, operational staff and others when a specific standard does not apply Detailed step-by-step tasks that should be performed to achieve a certain goal. Considered as the lowest level in the documentation chain Closest to computers and users Spell out how the policy, standards, and guidelines will actually be implemented in an operating environment Should be detailed enough to be both understandable and useful to a diverse group of individuals Standards Mandatory activities, actions and rules Support policies and reenforce in direction Provide means to ensure that specific technologies, applications, parameters and procedures are implemented in a uniform manner across organization Types of Policies Policies, Standards, Baselines, Guidelines, Procedures Policies Organizational Security Policy - How security program will be set up, lays out goals, assigns responsibilities, shows the strategic and tactical value of security, outlines enforcement of policy.

Addresses laws, regulations, liability issues and how they are to be satisfied Provides scope and direction for all future security activities within the organization. Describe level of risk senior management is willing to accept Referred to as master security policies, and located at highest level of policies. Called Functional Policy Acceptable use policy Issue-specific Policy - addresses specific security issues that management feels need more detailed explanation and attention to make sure a comprehensive structure is built and all employees understand how they are to comply with these issues. Risk Management policy Vulnerability management policy Examples Data protection policy Email use policy Security Policy - overall general statement produced by senior management that dictates what role security plays within the organization Access control policy System-specific Policy - presents management decisions that are specific to the actual computers, networks, applications. Policies should be technology/solution independent Should outline goals and mission, but not tie company to specific ways of accomplishing them Regulatory - ensures company is following standards set by specific industry regulations. Very Detailed and specific to a type of industry Used in Financial, healthcare, public utilities, government-regulated industries Outlines ramifications in case of non compliance Example is policy on how to handle financial information Not enforceable policy, rather teaching about specific issues relevant to the company Informative - informs employees of certain topics. Example is policy explaining how to interact with partners, company goals and mission Controls Information Classification Commercial Sensitivity levels Military Sensitivity levels

Top Secret Secret Confidential Sensitive but unclassified Unclassified Confidential Private Sensitive Public Strict and granular access control for all levels of sensitive data and programs Encryption of data while stored and while in transmission Auditing and monitoring Separation of duties Periodic reviews Backup and recovery procedures Change control procedures Physical security protection Information flow channels Proper disposal actions Marking, labeling, handling procedures

Board of directors Executive Management Chief Information Officer Chief Privacy Officer Chief Security Officer Security Steering Committee Audit Committee Data Owner Data Custodian System Owner Roles Security administrator Security Analyst Application owner Supervisor Change Control Analyst Data Analyst Process Owner Solution provider User Product Line Manager Auditor

Security Governance Framework that allows for the security goals of an organization to be set and expressed by senior management, communicated throughout the different levels of the organization, grant power to the entities needed to implement and enforce security. Metrics ISO/IEC 27004:2009 - for ISO 27001 certified organizations NIST 800-55 for government organizations

Advisory - advises employees as to which types of behaviors and activities should and should not take place within organization.

Identify Threats and Vulnerabilities

Identification of vulnerabilities and threats leads to better understanding loss

Risk Assessment and Analysis

ALE = ARO x SLE

Control Selection

Total Risk - Risk company faces without implementing safeguard Residual Risk - Risk which is left after implementing safeguard Transfer Risk - purchase an insurance and transfer risk to insurance company Avoid Risk - company decides to terminate activity that is introducing risk Handling Risk Mitigate Risk - reduce risk through controls to an acceptable levels Accept Risk - company does not implement controls of handles risk at all.