Question

In: Computer Science

 Self-Exercises

 Information Security Strategy

 1. An information security strategic plan can position an organization to mitigate, transfer, accept or avoid information risk related to people, processes and technologies. Describe what should be included in an Information Security Strategic Plan.

 2. Describe the steps in developing an information security strategy.

 3. For a security strategy to be effective it should meet certain conditions, i.e. how the strategy should be. Discuss these conditions.

 4. Strategy and planning requires a thorough understanding of many issues. Discuss five (5) of these issues that need to be considered when developing an information security strategy.

 5. Risk management is an important process in security planning. Explain the steps to manage risks, as part of a security plan [NIST SP 800-53].

 Information Security Management System (ISMS)

 1. An Information Security Management System (ISMS) is a set of policies concerned with information security management or IT related risks. The governing principle behind an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk. Describe the "Plan-Do-Check-Act" (PDCA), or Deming cycle approach in ISMS.

 2. Discuss the critical success factors for an ISMS to be effective.

 3. Discuss three main problems which lead to uncertainty in information security management systems (ISMS).

 4. Discuss the 11 domains of the information security management systems (ISMS).

 Information Security Culture

 1. Information security culture refers to ideas, customs and social behaviors of a group of people, that impacts their security. It describes the kind of behaviors organizations would like to see in their employees, in areas like cybersecurity, physical security and personnel security. Discuss three tips on how to create a cyber security culture at work.


Solutions

Expert Solution

Information Security Strategy

Answer 1:- Following are the components of an Information Security Strategic Plan.

(i). Mission statement

Declaration of the organization's core purpose (generally doesn’t change over time).

Example of what I have used before, “Develop and execute a proactive, company-wide security program based on Company’s strategic business objectives.”

(ii). Vision statement

Aspirational description of what an organization would like to achieve.

Example of what I have seen used, “Incorporate a continuous security mindset into all aspects of our business functions.”

(iii). Introduction

Statement about the business and the environment the security program currently operates in. I have seen the executive leadership team use this section to state its support of the security program and why it is critical for the business.

(iv). Governance

Part of the strategic plan is where the CISO (Chief Information Security Officer) explains how it will be managed, who will audit its processes and how changes will be implemented over time. Remember, this is a long-term plan so ensure you have these procedures documented.

(v). Strategic objectives

Core of a CISO’s (Chief Information Security Officer) strategic plan which will contain the objectives identified during the most recent risk assessment that need to be remediated. This section will include the latest assessment results and should have an ongoing project plan listing the various projects that are in queue; each one should be tracked to a specific immature security control objective.

Answer 2:- Below are the 8 steps to develop an Information Security Strategy.

(i).  Physical Security

List your physical assets.

  • Offices
  • Data centers
  • Storage facilities
  • Printed documents
  • Electronic equipment
  • Data backup media

List the risks to your physical assets.

  • Fire
  • Flood
  • Tornado
  • Theft
  • Damage
  • Corruption
  • Power instability

List the controls to mitigate risk to physical assets.

  • Office access
  • Security (alarm) systems / door locks
  • Access to equipment / data centers
  • Locked printed document storage
  • Fire suppression / control
  • UPS / Surge protection
  • Offsite backup media handling procedures

(ii). Workstation Policy

  • Handling and care of issued personal computers
  • General security (use an antivirus, lock unattended, password usage, patching)
  • System and network activities (don’t share passwords, don’t use illegal software or do anything illegal, use common sense)
  • Removable media
  • Storage of personal files on company-issued personal computers or devices
  • Storage of confidential information on personal computers or devices

(iii). Internet Acceptable Use Policy

  • Acceptable/unacceptable Internet browsing and use
  • Acceptable/unacceptable email use
  • Acceptable/unacceptable usage of social networking
  • Electronic file transfer of confidential information

(iv). Network Infrastructure Security Policy

  • Best practices for secure configuration of routers, switches, access points, firewalls
  • Access to network infrastructure equipment
  • Logging of activity

(v). Network Server Security Policy

  • Securing (use an antivirus, lock unattended, password usage, patching)
  • Backup/restore
  • Access to servers
  • Logging of activity
  • Disabling unused services
  • Network segmentation
  • Internet access to/from servers
  • DMZ usage

(vi). Mobile Device Security Policy

  • (Pretty much repeat the Workstation Policy)
  • Access to production wireless network (or not?)
  • Wireless security standards
  • Usage of public guest wireless

(vii). IoT Device Security Policy

  • What is/is not permitted
  • Access to production wireless network (or not?)

(viii). Remote Access Policy

  • Definition of remote access
  • Who is permitted (employees/vendors)
  • Types of permitted devices/operating systems
  • Methods permitted (SSL VPN, site-to-site VPN, etc.)
  • Remote-side controls

Answer 3:- Conditions for an effective Security Strategy

(i). Removing organizational issues that impact the Information Security Policy.

(ii). Organizing Information Security Policies and Standards into meaningful categories.

(iii). Reviewing draft Policies and Standards with management, users and Legal Counsel.

(iv). Training all personnel in the organization's information security Policies and Standards.

(v). Enforcing the Information Security Policies and Standards.

(vi). Reviewing and modifying Policies and Standards as appropriate, but at least annually.

Answer 4:- Allowing employees to use their own devices to access company data raises data protection issues that a business must answer.

BYOD (bring your own device) has been defined as the use of employee-owned mobile devices such as smartphones and tablets to access business enterprise content or networks.

(i). Unknown Assets on the Network

There are many businesses that don’t have a complete inventory of all of the IT assets that they have tied into their network. This is a massive problem. If you don’t know what all of the assets are on your network, how can you be sure your network is secure?

The easiest fix for this is to conduct a review of all the devices on your network and identify all of the various platforms they run. By doing this, you can know what all of the different access points are on your network and which ones are most in need of security updates.

(ii). Abuse of User Account Privileges

According to data cited by the Harvard Business Review, for the year of 2016, “60% of all attacks were carried out by insiders.” Whether it’s because of honest mistakes (accidentally sending info to the wrong email address or losing a work device), intentional leaks and misuse of account privileges, or identity theft arising from a phishing campaign or other social engineering attack that compromises their user account data, the people inside your business represent one of the biggest security problems you’ll ever face.

Because these threats come from trusted users and systems, they’re also among the hardest to identify and stop.

However, there are ways to minimize your risk in case of an insider attack. For example, if your company uses a policy of least privilege (POLP) when it comes to user access, you can limit the damage that a misused user account can do. In a POLP, every user’s access to the various systems and databases on your network is restricted to just those things that they need to do their jobs.

(iii). Unpatched Security Vulnerabilities

Many businesses are concerned with “zero day” exploits. These exploits are those unknown issues with security in programs and systems that have yet to be used against anyone. However, zero day vulnerabilities aren’t the problem—unpatched known vulnerabilities are the problem.

When a “zero day” exploit is used it can be discovered—becoming a known issue that the software vendor can begin working on. The more often the exploit is used, the more likely it is to get discovered and patched. Also, it takes a lot of effort to independently discover a completely unknown vulnerability in a system.

So, attackers generally prefer to stick to known exploits. In fact, as noted in the CSO article, “The Verizon Data Breach Report 2016 revealed that out of all detected exploits, most came from vulnerabilities dating to 2007. Next was 2011.”

In other words, vulnerabilities that were almost a decade old accounted for most of the breaches in 2016. Let that sink in.

The easiest fix for this problem is to maintain a strict schedule for keeping up with security patches. Also, gradually changing the programs and operating systems on your network to make them the same can simplify this process. For example, if every system is Windows-based or Mac-based (rather than a hodgepodge of Mac, Windows, Linux, etc.), then you only have to keep track of Mac OS or Windows OS security patch schedules and alerts.
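Issues (i) and (iii) above both come down to comparing what is actually on the network with what the inventory and the patch schedule say should be there. The Python below is an added example and is not part of the original answer: the host names, platforms, patch dates and per-platform patch windows are constructed sample data, and the 30/45-day windows are illustrative assumptions rather than any standard.

```python
"""Inventory reconciliation and patch-age check (added example).

Compares hosts seen by a network discovery scan with the asset inventory, then
measures how long each inventoried host has gone without patching against an
assumed per-platform patch window.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Asset:
    hostname: str
    platform: str
    last_patched: Optional[date]   # None when the inventory has no patch record


# Constructed sample data, not taken from any real network.
DISCOVERED = {"web01", "db01", "printer-3f", "laptop-raj", "nas-legacy"}
INVENTORY = {
    "web01": Asset("web01", "linux", date(2024, 6, 1)),
    "db01": Asset("db01", "windows", date(2024, 2, 10)),
    "laptop-raj": Asset("laptop-raj", "macos", date(2024, 6, 20)),
    "app02": Asset("app02", "windows", None),   # inventoried, no patch record
}
# Assumed maximum days between patch cycles per platform (illustrative only).
PATCH_WINDOW_DAYS = {"linux": 30, "windows": 30, "macos": 45}
REVIEW_DATE = date(2024, 6, 30)


def unknown_assets(discovered, inventory):
    """Hosts on the network that the inventory does not know about."""
    return sorted(discovered - set(inventory))


def missing_assets(discovered, inventory):
    """Inventoried hosts that discovery did not see (moved, retired, or hidden)."""
    return sorted(set(inventory) - discovered)


def overdue_patches(inventory, windows, as_of):
    """(hostname, days_overdue) for hosts past their platform's patch window.

    A host with no patch record, or on a platform with no defined window, is
    reported with days_overdue=None: it cannot be shown compliant, so it is a
    finding rather than something to skip silently.
    """
    findings = []
    for asset in inventory.values():
        window = windows.get(asset.platform)
        if window is None or asset.last_patched is None:
            findings.append((asset.hostname, None))
            continue
        age = (as_of - asset.last_patched).days
        if age > window:
            findings.append((asset.hostname, age - window))
    return sorted(findings)


def platform_counts(inventory):
    """Hosts per platform: the spread the answer suggests reducing."""
    counts = {}
    for asset in inventory.values():
        counts[asset.platform] = counts.get(asset.platform, 0) + 1
    return counts


if __name__ == "__main__":
    print("unknown on network:", unknown_assets(DISCOVERED, INVENTORY))
    print("in inventory, not seen:", missing_assets(DISCOVERED, INVENTORY))
    print("overdue patches:", overdue_patches(INVENTORY, PATCH_WINDOW_DAYS, REVIEW_DATE))
    print("platforms:", platform_counts(INVENTORY))
```

The two set differences give the review in both directions: hosts that need to be brought into the inventory, and inventory rows that may be stale. Treating a missing patch record as a finding rather than as "no data" is the choice that matters in practice, because an unrecorded host is exactly the one nobody is tracking updates for.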

(iv). A Lack of Defense in Depth

Eventually, despite all of your best efforts, there will be a day where an attacker succeeds in breaching your network security. However, just how much damage this attacker will be capable of depends on how the network is structured.

The problem is that some businesses have an open network structure where once an attacker is in a trusted system, they have unfettered access to all systems on the network.

If the network is structured with strong segmentation to keep all of its discrete parts separate, then it’s possible to slow down the attacker enough to keep them out of vital systems while your security team works to identify, contain, and eliminate the breach.

(v). Not Enough IT Security Management

Another common issue for many companies is that even when they have all of the best cybersecurity solutions in place, they might not have enough people in place to properly manage those solutions.

When this happens, critical cybersecurity alerts may get missed, and successful attacks may not be eliminated in time to minimize damage.

However, finding a large enough internal IT security team to manage all of your needs can be an expensive and time-consuming process. Qualified professionals are in demand, and they know it.

To build up IT security staff quickly, many businesses use the services of a dedicated partner such as Compuquip Cybersecurity. This allows these businesses to access a full team of experienced cybersecurity professionals for a fraction of the cost of hiring them full-time internally.

Some businesses use these cybersecurity solutions partners to shore up their IT security departments in the short-term while they’re preparing their own internal cybersecurity teams.

Answer 5:- Following are the steps of Information Security Risk Management.

(i). Identification

  • Identify assets: What data, systems, or other assets would be considered your organization’s “crown jewels”? For example, which assets would have the most significant impact on your organization if their confidentiality, integrity or availability were compromised? It’s not hard to see why the confidentiality of data like social security numbers and intellectual property is important. But what about integrity? For example, if a business falls under Sarbanes-Oxley (SOX) regulatory requirements, a minor integrity problem in financial reporting data could result in an enormous cost. Or, if an organization is an online music streaming service and the availability of music files is compromised, then they could lose subscribers.
  • Identify vulnerabilities: What system-level or software vulnerabilities are putting the confidentiality, integrity, and availability of the assets at risk? What weaknesses or deficiencies in organizational processes could result in information being compromised?
  • Identify threats: What are some of the potential causes of assets or information becoming compromised? For example, is your organization’s data center located in a region where environmental threats, like tornadoes and floods, are more prevalent? Are industry peers being actively targeted and hacked by a known crime syndicate, hacktivist group, or government-sponsored entity? Threat modeling is an important activity that helps add context by tying risks to known threats and the different ways those threats can cause risks to become realized via exploiting vulnerabilities.
  • Identify controls: What do you already have in place to protect identified assets? A control directly addresses an identified vulnerability or threat by either completely fixing it (remediation) or lessening the likelihood and/or impact of a risk being realized (mitigation). For example, if you’ve identified a risk of terminated users continuing to have access to a specific application, then a control could be a process that automatically removes users from that application upon their termination. A compensating control is a “safety net” control that indirectly addresses a risk. Continuing with the same example above, a compensating control may be a quarterly access review process. During this review, the application user list is cross-referenced with the company’s user directory and termination lists to find users with unwarranted access and then reactively remove that unauthorized access when it’s found.
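The quarterly access review described under "Identify controls" can be automated as a reconciliation of three lists: the application's users, the directory of active accounts, and the HR termination list. The Python below is an added example and is not part of the original answer; the user names, directory entries and termination dates are constructed sample data, and the rule that a termination only counts once its date has passed is an assumption.

```python
"""Quarterly access review as a compensating control (added example).

Reconciles an application's user list against the company directory of active
accounts and the HR termination list, flagging accounts that should no longer
have access and how long they have had it.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str                       # "terminated" or "not_in_directory"
    days_unwarranted: Optional[int]   # days since termination; None if unknown


# Constructed sample data, not taken from any real system.
APP_USERS = ["alice", "bob", "carol", "dave", "frank", "svc_report"]
DIRECTORY_ACTIVE = {"alice", "carol", "erin", "svc_report"}
TERMINATIONS = {
    "bob": date(2024, 3, 1),
    "dave": date(2024, 5, 20),
    "carol": date(2024, 7, 15),   # future-dated: still active on review day
}
REVIEW_DATE = date(2024, 6, 30)


def review_access(app_users, directory_active, terminations, as_of):
    """Return one Finding per application account that lacks a valid owner.

    Assumption: a termination only takes effect once its date has passed,
    so a future-dated termination is not flagged yet.
    """
    findings = []
    for user in app_users:
        term_date = terminations.get(user)
        if term_date is not None and term_date <= as_of:
            findings.append(Finding(user, "terminated", (as_of - term_date).days))
        elif user not in directory_active:
            # No HR termination record, but no active directory entry either:
            # an orphaned or locally created account that needs an owner or removal.
            findings.append(Finding(user, "not_in_directory", None))
    return findings


def accounts_to_remove(findings):
    """Usernames the review hands to the deprovisioning process."""
    return [f.username for f in findings]


if __name__ == "__main__":
    for f in review_access(APP_USERS, DIRECTORY_ACTIVE, TERMINATIONS, REVIEW_DATE):
        print(f"{f.username:12} {f.reason:18} {f.days_unwarranted}")
```

The `days_unwarranted` figure is the useful output of a compensating control: it measures how long the primary control (automatic removal on termination) has been failing, which is what the review should report upward.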

(ii). Assessment

This is the process of combining the information you’ve gathered about assets, vulnerabilities, and controls to define a risk. There are many frameworks and approaches for this, but you’ll probably use some variation of this equation:

Risk = (threat x vulnerability (exploit likelihood x exploit impact) x asset value) - security controls

Note: this is a very simplified formula analogy. Calculating probabilistic risks is not nearly this straightforward, much to everyone’s dismay.
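To see how the simplified formula behaves on a small risk register, the Python below scores constructed entries with it and ranks them. This is an added example, not part of the original answer; the 1-to-5 rating scales, the way controls are credited as a subtraction on the resulting scale, the acceptance threshold and the sample register are all assumptions.

```python
"""Risk register scored with the simplified formula above (added example).

Assumed scales (not given on the page): threat, exploit likelihood, exploit
impact and asset value are each rated 1..5, so inherent risk ranges 1..625.
'controls' is the reduction credited to controls already in place, on that
same resulting scale. Residual risk is clamped at zero.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class RiskEntry:
    name: str
    threat: int
    exploit_likelihood: int
    exploit_impact: int
    asset_value: int
    controls: int   # credited reduction from existing security controls

    def __post_init__(self):
        for field in ("threat", "exploit_likelihood", "exploit_impact", "asset_value"):
            value = getattr(self, field)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: {field}={value} outside {SCALE_MIN}..{SCALE_MAX}")
        if self.controls < 0:
            raise ValueError(f"{self.name}: controls must be non-negative")


def inherent_risk(e):
    """threat x vulnerability (likelihood x impact) x asset value, before controls."""
    return e.threat * (e.exploit_likelihood * e.exploit_impact) * e.asset_value


def residual_risk(e):
    """Inherent risk minus the credit for existing controls, never below zero."""
    return max(0, inherent_risk(e) - e.controls)


def rank_register(entries):
    """Highest residual risk first, so treatment effort goes to the top rows."""
    return sorted(entries, key=residual_risk, reverse=True)


def is_acceptable(entry, fix_cost, expected_loss, threshold):
    """Risk-acceptance test: the risk must be clearly low (at or under the
    assumed threshold) AND fixing it must cost more than the loss expected
    if it is realized. Both conditions are required."""
    return residual_risk(entry) <= threshold and fix_cost > expected_loss


# Constructed sample register; names and ratings are illustrative only.
REGISTER = [
    RiskEntry("Unpatched web server holding customer PII", 4, 4, 5, 5, controls=50),
    RiskEntry("Legacy OS file server, non-sensitive data", 3, 3, 2, 2, controls=10),
    RiskEntry("Tornado at primary data center", 2, 1, 5, 5, controls=40),
    RiskEntry("Isolated lab VM", 2, 1, 1, 1, controls=5),
]


if __name__ == "__main__":
    for e in rank_register(REGISTER):
        print(f"{residual_risk(e):4d}  {e.name}")
```

The ranking is the point of the exercise: the same formula applied consistently across the register makes the ordering defensible even though the absolute numbers are rough, which is also why the acceptance test compares against a threshold on that scale rather than against a probability.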

(iii). Treatment

Once a risk has been assessed and analyzed, an organization will need to select treatment options:

  • Remediation: Implementing a control that fully or nearly fully fixes the underlying risk.
    Example: You have identified a vulnerability on a server where critical assets are stored, and you apply a patch for that vulnerability.
  • Mitigation: Lessening the likelihood and/or impact of the risk, but not fixing it entirely.
    Example: You have identified a vulnerability on a server where critical assets are stored, but instead of patching the vulnerability, you implement a firewall rule that only allows specific systems to communicate with the vulnerable service on the server.
  • Transference: Transferring the risk to another entity so your organization can recover from incurred costs of the risk being realized.
    Example: You purchase insurance that will cover any losses that would be incurred if vulnerable systems are exploited. (Note: this should be used to supplement risk remediation and mitigation but not replace them altogether.)
  • Risk acceptance: Not fixing the risk. This is appropriate in cases where the risk is clearly low and the time and effort it takes to fix the risk costs more than the costs that would be incurred if the risk were to be realized.
    Example: You have identified a vulnerability on a server but concluded that there is nothing sensitive on that server; it cannot be used as an entry point to access other critical assets, and a successful exploit of the vulnerability is very complex. As a result, you decide you do not need to spend time and resources to fix the vulnerability.
  • Risk avoidance: Removing all exposure to an identified risk
    Example: You have identified servers with operating systems (OS) that are about to reach end-of-life and will no longer receive security patches from the OS creator. These servers process and store both sensitive and non-sensitive data. To avoid the risk of sensitive data being compromised, you quickly migrate that sensitive data to newer, patchable servers. The servers continue to run and process non-sensitive data while a plan is developed to decommission them and migrate non-sensitive data to other servers.

(iv). Communication

Regardless of how a risk is treated, the decision needs to be communicated within the organization. Stakeholders need to understand the costs of treating or not treating a risk and the rationale behind that decision. Responsibility and accountability need to be clearly defined and associated with individuals and teams in the organization to ensure the right people are engaged at the right times in the process.

(v). Rinse and Repeat

This is an ongoing process. If you chose a treatment plan that requires implementing a control, that control needs to be continuously monitored. You’re likely inserting this control into a system that is changing over time. Ports being opened, code being changed, and any number of other factors could cause your control to break down in the months or years following its initial implementation.

