CompTIA CASP+ CAS-004 – Chapter 01 – Understanding Risk Management Part 3
- Process Life Cycle
A process is a collection of related activities that produce a specific service or product. That is, they serve a particular goal for the organization. Change management and risk management are examples of processes. So once the policy is written, then the appropriate processes should be written, and those are based on a life cycle as well. The first step is to analyze the policy. The second step is to design the process based on the policy. Then, when the new process is implemented, all personnel involved in that process should be informed about how the process works.
The process then should be monitored regularly and may be modified as issues arise or as the base policy is updated. We have to keep in mind that these processes are created based on a policy. So if a new policy is adopted, then a new process is needed. If a policy is edited or archived, then the process for the policy should also be edited or retired. And then once everything is documented, we're going to move on to writing procedures. Procedures embody all the detailed actions that personnel are required to follow, and they're the closest to the computers and other devices. Procedures are often going to include a step-by-step list of how policies and processes are implemented.
- Reviewing Policies and Processes
As with many things in the area of information technology, and certainly in the area of security, we have to realize that policies and processes are not stagnant. They need to be reviewed, and they need to be modified as appropriate in the face of organizational change. So any time new business or a business change occurs, new technology, environmental changes, regulatory requirements, any and all of those are going to require us to take a look at the policies and processes to see if there needs to be a change. So let's talk first about new business. New business occurs when an organization either launches a new area of business or purchases a new area of business. And these are changes that are dictated by the nature of your business.
Often they're driven by consumer demands. But as these changes occur, the organization then has to ensure that it understands the change and it understands the implications as they relate to the security posture of the organization. We want to take a proactive stance when it comes to these changes. We don't want to wait for problems and just react to them. We want to anticipate them, and we want to deploy mitigation techniques to help prevent them.
And of course, we as security professionals are going to be an integral part of any project where new business is started or business changes are occurring, because we are the ones that have to make sure the security controls are considered, and we have to make sure that all the risks associated with a new business or business change have been documented, have been analyzed and have been reported to management. Technology changes are driven by new technological developments, and they often force organizations to adopt new technologies. This is another area where the organization has to ensure it understands the changes and understands how and what implications exist for the security posture of the organization.
Again, security professionals are a big part of that, and with the inclusion or usage of any new technology we have to be involved, because we need to make sure that all the risks associated with it are documented, analyzed and reported to management. Sort of the same thing. Environmental changes as well. These are typically divided into two categories: those motivated by the culture in an organization and those motivated by the environment of the industry. So, you know, as with new business or technologies, we kind of have to do the same thing: understand the changes, understand the implications.
Regulatory requirements are any requirements that need to be documented and followed based on laws and regulations. Standards can also be a part of this, but they're not as strictly enforced as laws and regulations. So we have to understand the security implications of those. And then you have emerging risk: any risks that have emerged due to the recent security landscape. In many cases risks aren't identified for new technologies, devices and applications; sometimes they're not identified until after one of them has been deployed.
Now, organizations should be writing policies and procedures to make sure that security professionals are actually doing the appropriate amount of research to ensure that we have addressed these issues. But emerging risk is an area that can be particularly dependent upon technology, and particularly dependent upon patch management. Because vulnerabilities are found after a technology is released, we need to have patch management systems in place to keep everything as up to date as possible.
- Common Business Documents
Security professionals also need to use many common business documents. These help to support the implementation and management of organizational security. It's important to understand these business documents to make sure that all the areas of security risk are addressed and the appropriate policies, procedures and processes are developed. So there are a lot of acronyms here, but essentially for exam purposes you really need to know what each of these is. So the first is Risk Assessment, or RA, and this is just a tool that's used in risk management. It's used to identify vulnerabilities and threats, to assess the impact of those vulnerabilities and threats, and then to determine the type of controls to implement.
Generally speaking, risk assessment analysis has four main steps. Step one is to identify your assets and the value of those assets. Step two would be to identify vulnerabilities and threats. Step three would be to calculate the probability of that threat and the business impact. And then step four would be to balance the impact with the cost of the countermeasure, and we'll be talking more about that at a later time. A Business Impact Analysis, or BIA, is a functional analysis that occurs as a part of business continuity planning and disaster recovery, and that will help us understand the impact of a disaster. The IA, or Interoperability Agreement, is an agreement between two or more organizations that work together and allow information exchange between them. The most common of these would be sister companies that are owned by the same larger organization.
So they may be structured or managed differently, they may share systems, but this is a binding agreement between those two. An Interconnection Security Agreement is between two organizations that own and operate connected IT systems. It documents the technical requirements of that interconnection. A Memorandum of Understanding, or MOU, is an agreement between two or more organizations that details a common line of action. They're often used in cases where the parties either don't have a legal commitment or in situations where the parties can't create a legally enforceable agreement. It's also referred to in some cases as a letter of intent. So this is an understanding that we have between us. Whereas a Service Level Agreement, or SLA, is an agreement about the ability of a support system to respond to problems within a certain time frame. It's an agreement that we will provide a certain level of service. You can have internal SLAs or you can have external ones, and most commonly we think of external SLAs with service providers.
How quickly are you going to respond to failed hardware? How much uptime can we expect from this particular set of resources? An Operating Level Agreement, or OLA, is an internal organization document that just defines the relationships that exist between departments to support business activities. OLAs are often used with SLAs. Probably the best example of that would be an agreement between the IT department and the accounting department, where the IT department says, okay, we're going to be responsible for the backup services of the accounting server, but the day-to-day operations of the accounting server are maintained by accounting personnel. A Nondisclosure Agreement, or NDA, is probably one that we're all familiar with.
It's an agreement between two parties that defines information that's considered confidential and can't be shared outside of those parties. A Business Partnership Agreement, or BPA, would be an agreement between two businesses, two business partners, and it establishes the conditions of that partner relationship. It usually includes the responsibilities of each partner, profit and loss sharing details, resource sharing, data sharing, et cetera. A Master Service Agreement, or MSA, is a contract between two parties, and in this case both parties agree to most of the terms that will govern future transactions or future agreements. It's an ideal type of agreement if an organization is going to have a long-term relationship with a vendor or provider. MSAs usually also include a Statement of Work, or SOW, that's going to outline the specific work to be executed by the vendor for the client. That's going to include work activities, deliverables, timeline, et cetera, for the work to be accomplished.
- Security for Contracts
Another thing that's pretty normal as a part of business is going to be contracts with third parties. And organizations really need to consider various provisions as a part of those contracts. In fact, organizations should really consult with legal counsel just to make sure that the contracts that are executed include all of the appropriate security requirements. And this is set by not only the organization's needs, but also any government regulations and laws. The first consideration would just be the required policies, practices and procedures that are related to handling organizational data.
Secondly, we need to consider training or certification requirements that might be in place for third-party personnel or might be needed for those personnel, background investigations and/or security clearances required, security reviews of third-party devices that are in use, any physical security requirements for third-party personnel, as well as laws and regulations that may affect the contract. So security professionals really need to research the security requirements for contracts. And as we're going to see, these are going to include a number of agreements.
- Contract Requirements
The first of these is the Request for Proposal, or RFP. This is essentially a bidding process document. It would be issued by an organization, and it would give the details of the commodity, the service, the asset that the organization wants to purchase. So then potential suppliers would use the RFP as a sort of guideline for submitting a formal proposal. The Request for Quote, or RFQ, is also known as an Invitation for Bid, and IFB would be the acronym there. That's a bidding process document that invites suppliers to bid on particular products and services. RFQs are often going to include item specifications or the specifications of a particular service, and it's suitable for sourcing products that are standardized or may be produced in repetitive quantities. So things like desktop computers, RAM chips, other devices, et cetera. And then you have the Request for Information, or RFI.
This is another bidding process document that's going to collect written information about the capabilities of different suppliers. An RFI may be used prior to the RFP or RFQ if it's necessary, but it can also be done after that if either of those doesn't obtain enough specification information. And then organizations are going to use other types of agreements with third parties besides these that we've discussed. A lot of these other agreements aren't as formal as the RFP, RFQ and RFI, but they're still important for an organization to address as they relate to any security requirements that are needed, to ensure that the third party is aware of those requirements. It's going to include any types of contracts an organization uses to perform business. So purchase orders, sales agreements, manufacturing agreements, et cetera.
- General Privacy Principles
Now, when you're considering technology and its use today, one of the major concerns is going to be privacy, the privacy of users. And this is going to involve three particular areas: which personal information can be shared and with whom, whether messages can be exchanged confidentially, and whether and how a user can send messages anonymously.
So as a part of the security measures that organizations have to take to protect privacy, we need to understand personally identifiable information, or PII. PII is essentially any piece of data that can be used by itself or along with other information to identify a single person.
Any PII that an organization collects needs to be protected, and it needs to be protected in the strongest manner that is possible. This includes full name, identification numbers, driver's license, Social Security numbers, date of birth, place of birth, financial account numbers like bank accounts and credit card numbers, as well as even digital identities, which can include social media names and tags. It's incredibly important that this information is protected.
- Standard Security Practices
There are a number of different security practices that are going to be a part of the policies that are developed by you as a security professional for the organization. These are all things that we need to certainly be aware of for the purposes of the exam. Now, not every one of these is unique to CASP+. So if you've taken Security+ leading up to this, then these will sound familiar. In fact, I think some of these may even be in the Network+ exam. But it is important to understand these concepts. So we'll start with separation of duties. That's essentially a preventive administrative control to keep in mind as you're designing things like the authentication and authorization policies.
What separation of duties does is it prevents fraud, and it does so by distributing various tasks, along with whatever rights and permissions are necessary to perform those tasks, among different users. So it helps to deter fraud, and it helps to deter collusion, because it would require multiple individuals to actually carry out the fraud against an organization. So for instance, instead of having one person who does both backup and restore procedures, we split those procedures between two administrators. The next is job rotation. Job rotation is probably self-explanatory. From a security perspective, though, it refers to a detective administrative control where you have multiple users that are trained to perform the duties of a position in order to help prevent fraud by any individual employee. Okay, so one person doesn't keep the same job all the time. So the idea is that if you make multiple people familiar with the legitimate functions of a position, well, then the likelihood increases that unusual activities taken by one person would be noticed.
This is often used in conjunction with the next one, which is mandatory vacations. That again is probably self-explanatory. All personnel are required to take time off. And what does that do? Well, it allows other personnel to fill their positions while they're gone. And so it's another type of detective administrative control. It helps the organization to be able to discover unusual activity, or at least increases the opportunity that they might do that. Least privilege is a concept that just requires that a user or process be given only the minimum access level needed in order to perform a particular task. And so there are really easy examples of this. If a user needs to utilize a computer on a daily basis, it doesn't mean we make them an administrator.
If somebody needs read and write permissions to a folder, we don't give them full control. We see that kind of concept all over the place. And all it really requires is that the organization identify exactly what a person's job is and then restrict their privileges to only what is necessary for that job. Closely related to that is the need-to-know principle, and I don't have it on the slide, but need to know just means we're only going to grant you knowledge of those items or those areas of the organization that you need knowledge of. So least privilege is I'm only going to give you the permissions you need, and need to know is I'm going to minimize exactly what you are aware of. Next is incident response. In security for IT departments, security breaches are going to be inevitable. They are going to happen regardless of the protective mechanisms that we put in place.
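Separation of duties and least privilege are easier to reason about when they are written down as an authorization check. The following is an added example, not code from the course: the role catalogue, the permission names and the pairs of conflicting roles are constructed for illustration, and the backup/restore split mirrors the example given above. Every role carries only the permissions its task needs, a user is denied anything no assigned role grants, and assigning a role that the separation-of-duties matrix says must not be combined with one the user already holds is refused.

```python
"""Separation of duties plus least privilege as an authorization check.

Added example (not from the course). Roles, permissions and the conflict
pairs below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed role catalogue: each role carries only the permissions the task
# needs (least privilege); anything not listed here is implicitly denied.
ROLE_PERMISSIONS = {
    "backup_operator": {"backup:run", "backup:verify"},
    "restore_operator": {"restore:run", "restore:verify"},
    "accounting_user": {"ledger:read", "ledger:write"},
    "helpdesk": {"ticket:read", "ticket:write", "user:reset_password"},
}

# Constructed separation-of-duties matrix: pairs of roles that one person must
# never hold together. The backup/restore pair is the course's own example.
SOD_CONFLICTS = {
    frozenset({"backup_operator", "restore_operator"}),
    frozenset({"accounting_user", "restore_operator"}),
}


class SeparationOfDutiesViolation(Exception):
    """Raised when a role assignment would give one person a forbidden combination."""


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def conflicting_roles(existing: set, new_role: str) -> set:
    """Return the roles in `existing` that the SoD matrix forbids alongside `new_role`."""
    return {r for r in existing if frozenset({r, new_role}) in SOD_CONFLICTS}


def assign_role(user: User, role: str) -> None:
    """Grant a role, refusing unknown roles and SoD conflicts (preventive control)."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    clash = conflicting_roles(user.roles, role)
    if clash:
        raise SeparationOfDutiesViolation(
            f"{user.name}: {role} conflicts with {sorted(clash)}"
        )
    user.roles.add(role)


def effective_permissions(user: User) -> set:
    """Union of the permissions carried by the user's roles."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def is_authorized(user: User, permission: str) -> bool:
    """Deny by default: granted only if some assigned role carries the permission."""
    return permission in effective_permissions(user)


def demo() -> dict:
    """Walk through the backup/restore split and return the decisions made."""
    alice = User("alice")
    bob = User("bob")
    assign_role(alice, "backup_operator")
    assign_role(bob, "restore_operator")
    try:
        assign_role(alice, "restore_operator")  # would let one person back up AND restore
        blocked = False
    except SeparationOfDutiesViolation:
        blocked = True
    return {
        "alice_can_backup": is_authorized(alice, "backup:run"),
        "alice_can_restore": is_authorized(alice, "restore:run"),
        "alice_second_role_blocked": blocked,
        "bob_can_reset_passwords": is_authorized(bob, "user:reset_password"),
    }


if __name__ == "__main__":
    print(demo())
```

The check runs at assignment time rather than at access time on purpose: refusing the conflicting role is the preventive control, while the deny-by-default `is_authorized` is what keeps the day-to-day permissions at least privilege.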
The response to the event is equally important. In fact, the response to an event has a great impact on how damaging the event will actually be to the organization. So organizations need to formally define these incident response policies, and they need to be communicated and they need to be followed. So let's discuss the steps that we have in the incident response process. These can vary slightly, but they typically are going to include, first, detecting the incident, just identifying that the incident has actually occurred. Of course, the worst sort of incident is one that actually goes unnoticed. The second would be to respond to the incident, and that would be based on the particular type of incident. Step three is reporting. All incidents should be reported within a time frame that is commensurate with the seriousness of the incident. In many cases this is going to be in response to a list of incident types that's developed in the policy.
And then with each incident type it would include the person to contact when that occurs, as well as the time-sensitive nature of it. And then we have the recovery phase, which includes a reaction that's designed to just make the network or system functional again. Exactly what that means of course depends on the particular scenario. And then the next would be to remediate: eliminate any residual danger, eliminate any damage to the network that might still exist. And then finally, review. So we review each incident, we discover exactly what we can learn from that incident, and then in some cases, if it's called for, we make changes to procedures. Communication is a big part of incident response because it helps the organization to determine if they are adequately responding to these.
So incident response is something that's really important to every organization, to ensure that any type of security incident is detected, contained and investigated, and it really is the beginning of the investigation. Now, in regard to incident response, there's a basic difference that exists between events and incidents. An event is just a change of state. So events can include both negative and positive events. Incident response of course focuses more on the negative events, those that have a negative impact on the organization, whereas an incident is a series of events that negatively impacts the operations and the security of the organization. Events can be detected only if an organization has actually established proper auditing and security mechanisms to be able to monitor activity. If that's not the case, you can have a single negative event occur and go overlooked.
Organizations ought to also document the rules of engagement, authorization and scope for the incident response team. The rules of engagement define what actions are acceptable and what actions are unacceptable if an incident has occurred. The authorization and the scope provide the response team with the authority to actually perform an investigation, and within the allowable scope of any investigation that the team has to undertake. So it's a guideline for the incident response team, to make sure they don't cross the line from enticement into entrapment. Enticement would be when the opportunity for illegal actions is provided. You're luring the attacker, but they still make their own decision, whereas entrapment is you're encouraging them to commit a crime that they may not have actually had the intention of committing.
From incident response, we go to forensics, and I know there's a lot on this slide, but forensics is a more detailed type of investigation. These investigations are going to occur over longer periods of time, and they are typically going to require experts, even third-party experts. So after we've made the decision to investigate a computer crime, then we need to be following standardized procedures. The first would be identification of the actual system that needs to be investigated. Then we have preservation of data. We need to make sure that the data remains in a tangible state so we can actually glean information out of it. Then collection of information, examination, analysis of that information, presentation of it, and then the decision as to what has been done, and we'll go into that a little bit more at a later time.
Some additional practices that are important are going to be employment and termination procedures. In reality, humans, and employees in particular, are going to be responsible for the vast majority of security issues within an organization. So it's vital that the organization implement the appropriate personnel security policies. Screening, hiring, termination policies, all of those are going to be very important. Continuous monitoring needs to be done, but before it can be successful, we have to make sure that baselines of the operational performance levels are captured. An organization can't really recognize abnormal patterns of behavior if it doesn't know what normal is. You can recognize certain things for what they are, but, you know, tracking trends and things like that is not nearly as easy if you don't have security baselines.
Security awareness training for users, security training, and security education. Those are three terms that are often used interchangeably, but they're actually three different things. Awareness training is just kind of reinforcing the fact that valuable resources need to be protected by implementing security measures, just making you aware of what you're doing. Security training, on the other hand, involves teaching people the skills they need to perform their jobs and to do so in a secure manner, whereas security education is more independent; that's more targeted at security professionals who require a particular level of expertise in order to manage security programs. So all are important, but they are not exactly the same thing.
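The point about baselines is concrete enough to show in code. The example below is added here and is not from the course: it captures a baseline of failed logins per hour from a known-normal period, derives a threshold from it, and then flags any hour in new log lines that exceeds that threshold. The baseline counts and the log lines are constructed, the log shape is an assumed syslog-like format rather than any specific product's output, and the mean-plus-three-standard-deviations threshold is an assumed choice.

```python
"""Continuous monitoring against a captured baseline: flag hours whose
failed-login count is outside what the baseline period considered normal.

Added example (not from the course). Baseline numbers and log lines are
constructed; the log format is assumed, and so is the 3-sigma threshold.
"""
import re
import statistics
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed baseline: failed logins per hour captured during a known-normal
# period, one count per observed hour. This is the "what normal looks like".
BASELINE_FAILED_PER_HOUR = [3, 4, 2, 5, 3, 4, 3]

# Constructed log lines to evaluate. The 09:00 hour looks like the baseline;
# the 10:00 hour is a burst of 19 failures against one account from one source.
NEW_LOG_LINES: List[str] = [
    "2024-05-06T09:13:02 sshd[412]: Failed password for bob from 10.0.0.5 port 51122",
    "2024-05-06T09:20:45 sshd[412]: Accepted password for bob from 10.0.0.5 port 51130",
    "2024-05-06T09:31:10 sshd[412]: Failed password for carol from 10.0.0.7 port 51201",
    "2024-05-06T09:44:59 sshd[412]: Failed password for bob from 10.0.0.5 port 51310",
    "2024-05-06T09:58:03 sshd[412]: Failed password for dave from 10.0.0.9 port 51400",
] + [
    f"2024-05-06T10:{m:02d}:00 sshd[412]: Failed password for admin from 203.0.113.4 port {40000 + m}"
    for m in range(19)
]

# Group 1 is the timestamp truncated to the hour; only failed attempts match.
FAILED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} \S+ Failed password for \S+ from \S+"
)


def failed_logins_per_hour(lines: Iterable[str]) -> Dict[str, int]:
    """Count 'Failed password' lines per hour bucket; other lines are ignored."""
    counts: Counter = Counter()
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def baseline_threshold(history: List[int], k: float = 3.0) -> Tuple[float, float, float]:
    """Return (mean, stdev, mean + k*stdev) for the baseline observations."""
    if len(history) < 2:
        raise ValueError("a baseline needs at least two observed hours")
    mean = statistics.mean(history)
    sd = statistics.stdev(history)
    return mean, sd, mean + k * sd


def flag_anomalies(hourly: Dict[str, int], threshold: float) -> Dict[str, int]:
    """Hours whose count exceeds the baseline-derived threshold."""
    return {hour: n for hour, n in hourly.items() if n > threshold}


def monitor(lines: Iterable[str] = NEW_LOG_LINES,
            history: List[int] = BASELINE_FAILED_PER_HOUR) -> Dict[str, int]:
    """Full pass: parse, compare against the baseline, return flagged hours."""
    _, _, threshold = baseline_threshold(history)
    return flag_anomalies(failed_logins_per_hour(lines), threshold)


if __name__ == "__main__":
    mean, sd, thr = baseline_threshold(BASELINE_FAILED_PER_HOUR)
    print(f"baseline mean={mean:.2f} sd={sd:.2f} threshold={thr:.2f}")
    print("flagged:", monitor())
```

With no baseline, the 10:00 burst is just a number; with one, the same parser turns it into a flagged hour, which is the difference the passage is making. The guard on fewer than two baseline observations is there because a standard deviation of a single sample is undefined, and a monitor started with an empty baseline would otherwise crash rather than report that it has nothing to compare against.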
Auditing and reporting is going to ensure that users are held accountable for their actions. But an auditing mechanism can only report on events that it’s actually configured to monitor. So we need to find a balance between auditing important events and activities, as well as ensuring that devices are still going to perform well and at an acceptable level. And so we need to determine what requirements we have and the frequency of those requirements.
And then finally, information classification and life cycle. Data should be classified, and it's classified based on its value to the organization as well as its sensitivity to disclosure. So we typically assign values to data because it allows the organization to determine what resources should be used to protect that data. That's not just monetary resources, but also the technologies that are used. It can include personnel resources, monetary resources, access control, et cetera. So we classify data as it relates to confidentiality, integrity and availability because it helps us then to apply different protective mechanisms.
- Demo – Examining Security Policies
In this demonstration, we're just going to take a look at some of the ways and tools that you have for creating security policies. Some of the information here in this first chapter is a little bit difficult to demonstrate, and so I thought this was a good example. SANS.org is a location where you can obtain a number of different security tools. One of them is in relation to information security policy templates. So you can see here I'm at SANS.org, security resources, policies, but just go to SANS.org, the main page, and you'll find that. Or you can just search Google for security policy templates. The goal here is just to find policy templates and for us to discuss some of them. Now we haven't discussed every single one of these, but you'll find some that we have mentioned in here, and you'll actually find policy templates for just about anything you can think of.
Okay, so password policies, acceptable use, remote access, wireless, application security, server security, et cetera. And as we just expand those, we see the different options that we have. Okay, so for instance, let's just pick one, the Acceptable Use Policy. It takes me to another page where I can just download the policy template as a Word doc or PDF. This is further down on the page, actually. So let me click on Document. We're just going to open this up real quick.
Acceptable Use, as it says there, defines the acceptable use of equipment and computing services, and essentially what the individual employees are responsible for. They have to sign off on this, often as a part of the employee handbook. They may be presented with acceptable-use type messages when they log into the system. And so it's important for them to understand: this is actually what is required of me, this is what I'm supposed to do with company equipment, this is what I'm not supposed to do with company equipment, and this is what I'm responsible for in the area of security. Okay? And there we go. And you can certainly just enable editing here.
You can get rid of this free use disclaimer as soon as we enable editing. So we enable editing, and then we can kind of go down through and see the particulars of this policy. You don't have to use it all; it's a template.
But we can see we would have an overview as to the purposes of this. We're not imposing restrictions contrary to the organization's culture, but we're essentially saying that all of this, internet, intranet, extranet, FTP, storage media, network accounts, it's all the property of the organization, and it's to be used for business purposes. Then the purpose of the policy and the scope of the policy: what does the policy actually include? So the purpose is identifying the goal, the scope is what it includes. And then we get down into the actual policy itself. General use and ownership.
We own all of the equipment. You have the responsibility to promptly report a theft. You may access this information only to the extent that it's authorized and necessary to fulfill your job duties. You need to exercise good judgment regarding the reasonableness of personal use. We may monitor the equipment, systems and network traffic at any time. And then it references an audit policy identifying security and proprietary information. We've even got some password information here. You need a password-protected screen saver. If you're posting from an employee email address to newsgroups, you should have a disclaimer on there. Here's what defines unacceptable use of the system and network activities. We can kind of go through all of those.
Then down here, policy compliance. Here's what you're expected to do, and what happens if you are non-compliant: you may be subject to disciplinary action up to and including termination of employment. Some related policies and procedures, if there need to be any, definitions and terms. And then we notice a very important point, the revision history. So as we're updating these policies, we need to have that go through a formal change control process and update them appropriately, and reference the fact, I should say, that they were updated. Password policies, password construction guidelines. This is another good one that just gives us basically a document that can be edited but then sent around to users to help them try to construct good passwords. And we'll talk about that a little bit more. And I realize some of this is not exactly what we just talked about, but we're talking about security standards and policies, and I think these things are relevant.
So once again, you can see the templates. All of these are very similar. They define the purpose of the template, in this case to provide best practices for the creation of strong passwords. The scope applies to everybody, essentially all employees, including contractors and temp workers. And then here are the guidelines along with some examples. I would posit that those are terrible examples, but okay, it's just a template. We don't want somebody doing "welcome123" or "password123".
They would work, but that's not going to be something we want to do. All right, again, policy compliance, exceptions, non-compliance, if there are any. So SANS.org is a great place for us to go and just obtain some of these templates along with other security best practices. As it says here, there's no cost for using these resources. And so you really want to make use of what is out there. So if you are starting from scratch on a lot of these policies, if your organization hasn't had a great posture towards security, or if you join an organization where that's the case, then this is a great resource for you to utilize.
- Topic C: Risk Mitigation and Control
In this next topic, we’re going to be looking at risk mitigation and control. Security professionals need to help organizations that they work for to put in place the proper mitigation strategies as well as the proper controls.
And in order to do this, we’re going to be using a risk management framework because we want to make sure that risks are properly identified and the appropriate controls are put into place.
- Introduction to Risk Mitigation
So this is a very important part of the security professional's job. We need to understand the different strategies and controls. We need to understand various tasks as well. And these are going to include a number of things, like categorizing data types by impact levels based on the CIA triad, confidentiality, integrity and availability; incorporating stakeholders into those CIA impact level decisions; determining aggregate CIA scores; selecting and implementing controls based on requirements and policies; extreme scenario planning, what happens when the worst happens, and that will also be based on your CIA requirements and organizational policies; conducting system-specific risk analysis; making risk determinations based upon known metrics; and then translating those technical risks into business terms. So in this topic we're going to be looking at a number of these aspects.
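The first few tasks listed here, along with the earlier point that data is classified against confidentiality, integrity and availability so that different protective mechanisms can be applied, can be shown as one small worked example. The code below is added and is not the course's own: the data types, the systems, the stakeholder adjustment and the control tiers are constructed. The roll-up rule it uses is the high-water mark, where each objective takes the highest level among the data types a system holds and the overall level is the highest objective; that is the rule FIPS 199 uses, adopted here as an assumption about what the course means by an aggregate CIA score.

```python
"""Categorize data types by CIA impact level, incorporate stakeholder
adjustments, and roll up to a system-level aggregate that selects a
control tier.

Added example (not from the course). Data types, systems, the adjustment
and the control tiers are constructed; the high-water-mark roll-up is an
assumed interpretation of "aggregate CIA score".
"""
from typing import Dict, Iterable, Tuple

# Ordered impact levels; the position in the tuple is the numeric score.
LEVELS = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed data-type catalogue: provisional (C, I, A) impact levels.
DATA_TYPES: Dict[str, Tuple[str, str, str]] = {
    "public_web_content": ("LOW", "MODERATE", "MODERATE"),
    "employee_directory": ("MODERATE", "LOW", "LOW"),
    "payroll_records": ("HIGH", "HIGH", "MODERATE"),
    "customer_pii": ("HIGH", "MODERATE", "LOW"),
}

# Constructed stakeholder input: (data_type, objective) -> (level, justification).
# Recording the justification is what makes the adjustment auditable later.
STAKEHOLDER_ADJUSTMENTS = {
    ("employee_directory", "availability"):
        ("MODERATE", "help desk relies on it to verify callers during incidents"),
}

# Constructed mapping from the overall level to a named control tier.
CONTROL_TIERS = {
    "LOW": "baseline",
    "MODERATE": "baseline + logging/monitoring",
    "HIGH": "baseline + logging/monitoring + MFA + encryption at rest",
}


def score(level: str) -> int:
    return LEVELS.index(level)


def adjusted_levels(data_type: str) -> Dict[str, str]:
    """Provisional levels for one data type with stakeholder adjustments applied."""
    levels = dict(zip(OBJECTIVES, DATA_TYPES[data_type]))
    for (dt, objective), (level, _justification) in STAKEHOLDER_ADJUSTMENTS.items():
        if dt == data_type:
            levels[objective] = level
    return levels


def aggregate(data_types: Iterable[str]) -> Dict[str, str]:
    """High-water-mark roll-up: per objective, the highest level across data types."""
    agg = {objective: "LOW" for objective in OBJECTIVES}
    for dt in data_types:
        for objective, level in adjusted_levels(dt).items():
            if score(level) > score(agg[objective]):
                agg[objective] = level
    return agg


def overall_level(agg: Dict[str, str]) -> str:
    """The system's single impact level is the highest of its three objectives."""
    return max(agg.values(), key=score)


def categorize_system(data_types: Iterable[str]) -> dict:
    """Aggregate the data types a system holds and pick its control tier."""
    agg = aggregate(list(data_types))
    level = overall_level(agg)
    return {"per_objective": agg, "overall": level, "control_tier": CONTROL_TIERS[level]}


if __name__ == "__main__":
    # Constructed systems: an HR portal holding two data types, and a public site.
    print("hr_portal:", categorize_system(["employee_directory", "payroll_records"]))
    print("public_site:", categorize_system(["public_web_content"]))
```

The reason the roll-up takes a maximum rather than an average is the failure mode the passage is guarding against: a system holding one HIGH-confidentiality data type among several LOW ones still needs HIGH-tier confidentiality controls, and averaging would hide that.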