Chapter 1. Security and Risk Management

This chapter covers the following topics:

Security terms: Concepts discussed include confidentiality, integrity, and availability (CIA); default stance; defense in depth; job rotation; and separation of duties.

Security governance principles: Concepts discussed include security function alignment, organizational processes, security roles and responsibilities, control frameworks, due care, and due diligence.

Compliance: Concepts discussed include legislative and regulatory compliance and privacy requirements compliance.

Legal and regulatory issues: Concepts discussed include computer crime concepts, major legal systems, licensing and intellectual property, import/export controls, trans-border data flow, privacy, and data breaches.

Professional ethics: Ethics discussed include (ISC)² Code of Ethics, Computer Ethics Institute, Internet Architecture Board, and organizational ethics.

Security documentation: Documentation types include policies, standards, baselines, guidelines, and procedures.

Business continuity: Concepts discussed include business continuity and disaster recovery concepts, project scope and plan, and business impact analysis.

Personnel security policies: Policies discussed include employment candidate screening; employment agreement and policies; employment termination policies; vendor, consultant, and contractor controls; compliance; and privacy.

Risk management concepts: Concepts discussed include vulnerability, threat, threat agent, risk, exposure, countermeasure, risk management policy, risk management team, risk analysis team, risk assessment, implementation, access control categories, access control types, control assessment, monitoring, measurement, reporting and continuous improvement, and risk frameworks.

Threat modeling: Concepts discussed include identifying threats, potential attacks, and remediation technologies and processes.

Security risks in acquisitions: Concepts discussed include hardware, software, and services; third-party governance; minimum security requirements; and minimum service-level requirements.

Security education, training, and awareness: Concepts discussed include levels required and periodic review.

Information security governance involves the principles, frameworks, and methods that establish criteria for protecting information assets, including security awareness. Risk management allows organizations to identify, measure, and control organizational risks. Threat modeling allows organizations to identify threats and potential attacks and implement appropriate mitigations against these threats and attacks. These facets ensure that security controls that are implemented are in balance with the operations of the organization. Each organization must develop a well-rounded, customized security program that addresses the needs of the organization while ensuring that the organization exercises due care and due diligence in its security plan. Acquisitions present special risks that management must understand prior to completing acquisitions.

Security professionals must take a lead role in their organization’s security program and act as risk advisors to management. In addition, security professionals must ensure that they understand current security issues and risks, governmental and industry regulations, and security controls that can be implemented. Professional ethics for security personnel must also be understood. Security is an ever-evolving, continuous process, and security professionals must be watchful.

Business continuity and disaster recovery ensures that the organization can recover from any attack or disaster that affects operations. Using the results from the risks assessment, security professionals should ensure that the appropriate business continuity and disaster recovery plans are created, tested, and revised at appropriate intervals.

In this chapter, you will learn how to use the information security governance and risk management components to assess risks, implement controls for identified risks, monitor control effectiveness, and perform future risk assessments.

Most security issues result in a violation of at least one facet of the CIA triad. Understanding these three security principles will help security professionals ensure that the security controls and mechanisms implemented protect at least one of these principles.

Every security control that is put into place by an organization fulfills at least one of the security principles of the CIA triad. Understanding how to circumvent these security principles is just as important as understanding how to provide them.

A balanced security approach should be implemented to ensure that all three facets are considered when security controls are implemented. When implementing any control, you should identify the facet that the control addresses. For example, RAID addresses data availability, file hashes address data integrity, and encryption addresses data confidentiality. A balanced approach ensures that no facet of the CIA triad is ignored.

The opposite of confidentiality is disclosure. Encryption is probably the most popular example of a control that provides confidentiality.

The opposite of integrity is corruption. An access control list (ACL) is an example of a control that helps provide integrity. Hashing is another control that helps provide file integrity.

Availability is the opposite of destruction or isolation. Fault-tolerant technologies, such as RAID or redundant sites, are examples of controls that help improve availability.

Today few organizations implement either of these stances to its fullest. In most organizations, you see some mixture of the two. Although the core stance should guide the organization, organizations often find that this mixture is necessary to ensure that data is still protected while providing access to a variety of users. For example, a public website might grant an allow-by-default stance, whereas a SQL database might have a deny-by-default stance.

Figure 1-1 shows an example of the defense-in-depth concept.

Security governance assigns rights and uses an accountability framework to ensure appropriate decision making. It must ensure that the framework used is aligned with the business strategy. Security governance gives directions, establishes standards and principles, and prioritizes investments. It is the responsibility of the organization’s board of directors and executive management.

The IT Governance Institute (ITGI) issued the Board Briefing on IT Governance, 2nd edition, which is available from the Information Systems Audit and Control Association’s (ISACA’s) website at www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Board-Briefing-on-IT-Governance-2nd-Edition.aspx. It provides the following definition for IT governance:

IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.

According to this publication, IT governance covers strategic alignment, value delivery, risk management, resource management, and performance measurement. It includes checklists and tools to help an organization’s board of directors and executive management ensure IT governance.

Security governance principles include security function alignment with the strategy, goals, mission, and objectives of the organization; organizational processes; security roles and responsibilities; control frameworks; due care; and due diligence.

While it may be desirable to state 100% data security as an organizational goal, such a goal is unrealistic in today’s world because new threats and vulnerabilities are being discovered every day. For this reason, it is important that an organization’s security program be open-ended and preemptive. Open-ended refers to the fact that the security analysis and program are always being reviewed. Preemptive means that the organization is proactive and not just reactive as security events occur.

A strategy is a plan of action or a policy designed to achieve a major or overall aim. Goals are the desired results from the security plan. A security management team must address all areas of security, including protecting personnel, physical assets, and data, when designing the organization’s security strategy and goals. The strategy and goals should change over time as the organization grows and changes and the world changes, too. Years ago, organizations did not need to worry about their data being stolen over the Internet. But today, the Internet is one of the most popular mediums used to illegally obtain confidential organizational data.

The appropriate policies, procedures, standards, and guidelines must be implemented to ensure that organizational risk is kept within acceptable levels. Security professionals will advise management on organizational risks. Organizational risk is also affected by government regulations, which may force an organization to implement certain measures that they had not planned. Weighing the risks to the organization and choosing whether to implement security controls is ultimately the job of senior management.

Security management ensures that risks are identified and adequate controls are implemented to mitigate the risks, all within the context of supporting the organizational mission and objectives.

At that point, other business cases for individual security projects will need to be developed. For example, if management wants the security management team to ensure that the organization’s internal network is protected from attacks, the security management team may draft a business case that explains the devices that need to be implemented to meet this goal. This business case may include firewalls, intrusion detection systems (IDSs), ACLs, and other devices, and it should detail how the devices will provide protection.

Security metrics provide information on both short- and long-term trends. By collecting these metrics and comparing them on a day-to-day basis, a security professional can determine the daily workload. When the metrics are compared over a longer period of time, the trends that occur can help to shape future security projects and budgets. Procedures should state who will collect the metrics, which metrics will be collected, when the metrics will be collected, and what the thresholds are that will trigger corrective actions. Security professionals should consult with the information security governance frameworks listed later in this chapter, particularly ISO/IEC 27004 and NIST 800-55, for help in establishing metrics guidelines and procedures.

Although the security team should analyze metrics on a daily basis, periodic analysis of the metrics by a third party can ensure the integrity and effectiveness of the security metrics by verifying the results of the internal team. Data from the third party should be used to improve the security program and security metrics process.

Security professionals should also understand what personnel resources are needed to support any security function. This may include, but is not limited to, data owners, systems administrators, network administrators, IT technicians, software developers, law enforcement, and accounting officers. The size of the organization will influence the availability of resources to any organizational security function. Security professionals should work to build relationships with all personnel resources to ensure a successful security program.

Security professionals should bring several considerations to the attention of management to ensure that organizational security does not suffer as a result of an acquisition or a merger. The other organization may have new data and technology types that may need more protection than is currently provided. For example, the acquired organization may allow personnel to bring their own devices and use them on the network. While a knee-jerk reaction may be to just implement the same policy as in the current organization, security professionals should assess why the personal devices are allowed and how ingrained this capability is in the organization’s culture.

Another acquisition or merger consideration for security professionals is that the staff at the other organization may not have the appropriate security awareness training. If training has not been given, it may be imperative that security awareness training be deployed as soon as possible to the staff of the acquired company.

When acquisitions or mergers occur, usually a percentage of personnel are not retained. Security professionals should understand any threats from former personnel and any new threats that may arise due to the acquisition or merger. Security professionals must understand these threats so they can develop plans to mitigate the threats.

As part of a merger or acquisition, technology is usually integrated. This integration can present vulnerabilities that the organization would not have otherwise faced. For example, if an acquired company maintains a legacy system because personnel need it, the acquiring organization may need to take measures to protect the legacy system or to deploy a new system that will replace it.

Finally, with an acquisition or a merger, new laws, regulations, and standards may need to be implemented across the entire new organization. Relationships with business partners, vendors, and other entities also need to be reviewed. Security professionals must ensure that they properly advise management about any security issues that may arise.

A divestiture, which is the opposite of an acquisition, occurs when part of an organization is sold off or separated from the original organization. A divestiture impacts personnel because usually a portion of the personnel goes with the divestiture.

As with acquisitions, with divestitures, security professionals should bring certain considerations to the attention of management to ensure that organizational security does not suffer. Data leakage may occur as a result of exiting personnel. Personnel who have been laid off as a result of the divestiture are of particular worry. Tied to this is the fact that the exiting personnel have access rights to organizational assets. These access rights must be removed at the appropriate time, and protocols and ports that are no longer needed should be removed or closed.

Security professionals should also consider where the different security assets and controls will end up. If security assets are part of the divestiture, steps should be taken to ensure that replacements are implemented prior to the divestiture, if needed. In addition, policies and procedures should be reviewed to ensure that they reflect the new organization’s needs.

Whether an organization is going through an acquisition, a merger, or a divestiture, it is vital that security professionals be proactive to protect the organization.

Senior officials, including the board of directors and senior management, must perform their duties with the care that ordinary, prudent people would exercise in similar circumstances. This is known as the prudent-man rule. Due care and due diligence, discussed later in this chapter, also affect members of the board of directors and high-level management.

The chief executive officer (CEO) is the highest managing officer in any organization and reports directly to the shareholders. The CEO must ensure that an organization grows and prospers.

The chief financial officer (CFO) is the officer responsible for all financial aspects of an organization. Although structurally the CFO might report directly to the CEO, the CFO must also provide financial data for the shareholders and government entities.

The chief information officer (CIO) is the officer responsible for all information systems and technology used in the organization and reports directly to the CEO or CFO. The CIO usually drives the effort to protect company assets, including any organizational security program.

The chief privacy officer (CPO) is the officer responsible for private information and usually reports directly to the CIO. As a newer position, this role is still considered optional but is becoming increasingly popular, especially in organizations that handle lots of private information, including medical institutions, insurance companies, and financial institutions.

The chief security officer (CSO) is the officer who leads any security effort and reports directly to the CEO. Although this role is considered optional, this role must solely be focused on security matters. Its independence from all other roles must be maintained to ensure that the organization’s security is always the focus of the CSO. This role implements and manages all aspects of security, including risk analysis, security policies and procedures, incident handling, security awareness training, and emerging technologies.

Security professionals should ensure that all risks are communicated to executive management and the board of directors, if necessary. Executive management should maintain a balance between acceptable risk and business operations. While executive management is not concerned with the details of any security implementations, the costs or benefits of any security implementation and any residual risk after such implementation will be vital in ensuring their buy-in to the implementation.

Business unit managers provide departmental information to ensure that appropriate controls are in place for departmental data. Often business unit managers are classified as the data owner for all departmental data. Some business unit managers have security duties. For example, the business operations department manager would be best suited to oversee the security policy development.

The data owner role is usually filled by an individual who understands the data best through membership in a particular business unit. Each business unit should have a data owner. For example, a human resources department employee better understands the human resources data than an accounting department employee.

ISO/IEC 27000 Series

Zachman framework

TOGAF

DoDAF

MODAF

SABSA

CobiT

NIST

COSO

ITIL

Six Sigma

CMMI

CRAMM

Top-down versus bottom-up approach

Security program life cycle

The 27000 Series includes a list of standards, each of which addresses a particular aspect of ISMS. These standards are either published or in development. The following standards are included as part of the ISO/IEC 27000 Series at the time of this writing:

27000: Published overview of ISMS and vocabulary

27001: Published ISMS requirements

27002: Published code of practice for information security controls

27003: Published ISMS implementation guidelines

27004: Published ISMS measurement guidelines

27005: Published information security risk management guidelines

27006: Published requirements for bodies providing audit and certification of ISMS

27007: Published ISMS auditing guidelines

27008: Published auditor of ISMS guidelines

27010: Published information security management for inter-sector and inter-organizational communications guidelines

27011: Published telecommunications organizations information security management guidelines

27013: Published integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 guidance

27014: Published information security governance guidelines

27015: Published financial services information security management guidelines

27016: Published ISMS organizational economics guidelines

27017: In-development cloud computing services information security control guidelines based on ISO/IEC 27002

27018: Published code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

27019: Published energy industry process control system ISMS guidelines based on ISO/IEC 27002

27021: Published competence requirements for information security management systems professionals

27023: Published mapping the revised editions of ISO/IEC 27001 and ISO/IEC 27002

27031: Published information and communication technology readiness for business continuity guidelines

27032: Published cybersecurity guidelines

27033-1: Published network security overview and concepts

27033-2: Published network security design and implementation guidelines

27033-3: Published network security threats, design techniques, and control issues guidelines

27033-4: Published securing communications between networks using security gateways

27033-5: Published securing communications across networks using virtual private networks (VPNs)

27033-6: In-development securing wireless IP network access

27034-1: Published application security overview and concepts

27034-2: In-development application security organization normative framework guidelines

27034-3: In-development application security management process guidelines

27034-4: In-development application security validation guidelines

27034-5: In-development application security protocols and controls data structure guidelines

27034-6: In-development security guidance for specific applications

27034-7: In-development guidance for application security assurance prediction

27035: Published information security incident management guidelines

27035-1: In-development information security incident management principles

27035-2: In-development information security incident response readiness guidelines

27035-3: In-development computer security incident response team (CSIRT) operations guidelines

27036-1: Published information security for supplier relationships overview and concepts

27036-2: Published information security for supplier relationships common requirements guidelines

27036-3: Published information and communication technology (ICT) supply chain security guidelines

27036-4: In-development guidelines for security of Cloud services

27037: Published digital evidence identification, collection, acquisition, and preservation guidelines

27038: Published information security digital redaction specification

27039: Published IDS selection, deployment, and operations guidelines

27040: Published storage security guidelines

27041: Published guidance on assuring suitability and adequacy of incident investigative method

27042: Published digital evidence analysis and interpretation guidelines

27043: Published incident investigation principles and processes

27044: In-development security information and event management (SIEM) guidelines

27050: In-development electronic discovery (eDiscovery) guidelines

27799: Published information security in health organizations guidelines

These standards are developed by the ISO/IEC bodies, but certification or conformity assessment is provided by third parties.

Meeting stakeholder needs

Covering the enterprise end-to-end

Applying a single integrated framework

Enabling a holistic approach

Separating governance from management

These five principles drive control objectives categorized into seven enablers:

Principles, policies, and frameworks

Processes

Organizational structures

Culture, ethics, and behavior

Information

Services, infrastructure, and applications

People, skills, and competencies

Table 1-2 lists the NIST SP 800-53 control families.

NIST 800-55 is an information security metrics framework that provides guidance on developing performance measuring procedures with a U.S. government viewpoint.

Table 1-3 lists the five ITIL version 3 core publications and the 26 processes within them.

Figures 1-3 and 1-4 show both of the Six Sigma methodologies.

1. Identify and value assets.

2. Identify threats and vulnerabilities and calculate risks.

3. Identify and prioritize countermeasures.

1. Plan and Organize: Includes performing risk assessment, establishing management and steering committee, evaluating business drivers, and obtaining management approval.

2. Implement: Includes identifying and managing assets, managing risk, managing identity and access control, training on security and awareness, implementing solutions, assigning roles, and establishing goals.

3. Operate and Maintain: Includes performing audits, carrying out tasks, and managing SLAs.

4. Monitor and Evaluate: Includes reviewing auditing and logs, evaluating security goals, and developing improvement plans for integration into the Plan and Organize step (step 1).

Figure 1-5 shows a diagram of the security program life cycle.

Due care is all about action. Organizations must institute the appropriate protections and procedures for all organizational assets, especially intellectual property. In due care, failure to meet minimum standards and practices is considered negligent. If an organization does not take actions that a prudent person would have taken under similar circumstances, the organization is negligent.

Due diligence is all about gathering information. Organizations must institute the appropriate procedures to determine any risks to organizational assets. Due diligence then provides the information necessary to ensure that the organization practices due care. Without adequate due diligence, due care cannot occur.

Due diligence includes employee background checks, business partner credit checks, system security assessments, risk assessments, penetration tests, and disaster recovery planning and testing. NIST SP 800-53, discussed earlier in this chapter, in the “Control Frameworks” section, provides guidance for implementing security controls that will help with due diligence.

Both due care and due diligence have bearing on the security governance and risk management process. As you can see, due diligence and due care have a dependent relationship. When due diligence occurs, organizations will recognize areas of risk. Examples include an organization determining that regular personnel do not understand basic security issues, that printed documentation is not being discarded appropriately, and that employees are accessing files to which they should not have access. When due care occurs, organizations take the areas of identified risk and implement plans to protect against the risks. For the identified due diligence examples, due care examples to implement include providing personnel security awareness training, putting procedures into place for proper destruction of printed documentation, and implementing appropriate access controls for all files.

All security professionals must understand security and privacy standards, guidelines, regulations, and laws. Usually these are industry specific, meaning that the standards, guidelines, regulations, and laws are based on the type of business the organization is involved in. A great example is the healthcare industry. Due to the Health Insurance Portability and Accountability Act (HIPAA), healthcare organizations must follow regulations regarding how to collect, use, store, and protect PII. Often consideration must be given to local, regional, state, federal, and international governments and bodies.

Organizations and the security professionals that they employ must determine which rules they must comply with. An organization should adopt the most strict rules to which it must comply. If rules conflict with each other, organizations must take the time to determine which rule should take precedence. This decision could be based on data type, industry type, data collection method, data usage, or individual residence of those on whom they collect PII.

Any discussion of compliance would be incomplete without a discussion of a risk management approach referred to as governance, risk management, and compliance (GRC). Governance covers core organizational activities, authority within the organization, organizational accountability, and performance measurement. Risk management identifies, analyzes, evaluates, and monitors risk. Compliance ensures that organizational activities comply with established rules. Each of the three separate objectives accepts input from and supplies input to the other objectives. The GRC relationship is shown in Figure 1-6.

As part of the discussion of compliance, security professionals must understand legislative and regulatory compliance and privacy requirements.

The United States and European Union both have established laws and regulations that affect organizations that do business within their area of governance. While security professionals should strive to understand laws and regulations, security professionals may not have the level of knowledge and background to fully interpret these laws and regulations to protect their organization. In these cases, security professionals should work with legal representation regarding legislative or regulatory compliance.

Both the U.S. government and the European Union have enacted laws, regulations, and directives on the collection, handling, storage, and transmission of PII, with the goal of protecting the disclosure of this data to unauthorized entities.

Security professionals are responsible for ensuring that management understands the requirements and the possible repercussions of noncompliance. Staying up to date on the latest developments regarding PII is vital.

Because of these computer crime issues, it is important that security professionals understand the following computer crime concepts:

Computer-assisted crime

Computer-targeted crime

Incidental computer crime

Computer prevalence crime

Hackers versus crackers

In the security world, the terms white hat, gray hat, and black hat are more easily understood and less often confused than the terms hackers and crackers. A white hat does not have any malicious intent. A black hat has malicious intent. A gray hat is considered somewhere in the middle of the two. A gray hat will break into a system, notify the administrator of the security hole, and offer to fix the security issues for a fee.

Fake or rogue antivirus software is often installed on computers because of scare tactics used on the victims. Pop-up boxes tell the user that a virus infection has occurred. By clicking the button in the pop-up box, the victim can purchase and install the antivirus software but unknowingly infect the computer with malware. Web browsers today deploy mechanisms that allow users to block pop-up messages. However, this has the drawback of sometimes preventing wanted pop-ups. Simply configuring an exception for the valid pop-up sites is better than disabling a pop-up blocker completely.

Ransomware is a special category of software that attempts to extort money out of possible victims. One category of ransomware encrypts the user’s data until a payment is made to the attacker. Another category reports to the user that his or her computer has been used for illegal activities and that a fine must be paid to prevent prosecution. But in this case, the “fine” is paid to the attacker, posing as a government official or law enforcement agency. In many cases, malware continues to operate in the background even after the ransomware has been removed. This malware often is used to commit further financial fraud on the victim.

Scareware is a category of software that locks up a computer and warns the user that a violation of federal or international law has occurred. As part of this attack, the banner or browser redirects the user to a child pornography website. The attacker claims to be recording the user and his or her actions. The victim must pay a fine to have control of the computer returned. The line between scareware and ransomware is so fine that it is often hard to distinguish between the two.

These are only a few examples of computer attacks, and attackers are coming up with new methods every day. It is a security professional’s duty to stay aware of the newest trends in this area. If a new method of attack is discovered, security professionals should take measures to communicate with users regarding the new attack as soon as possible. In addition, security professionals should ensure that security awareness training is updated to include any new attack methods. End-user education is one of the best ways to mitigate these attacks.

These systems include the following:

Civil code law

Common law

Criminal law

Civil/tort law

Administrative/regulatory law

Customary law

Religious law

Mixed law

Today, common law uses a jury-based system, which can be waived so the case is decided by a judge. But the prosecution must provide guilt beyond a reasonable doubt. Common law is divided into three systems: criminal law, civil/tort law, and administrative/regulatory law.

In civil law, the liable party has caused injury to the victim. Civil laws include economic damages, liability, negligence, intentional damage, property damage, personal damage, nuisance, and dignitary torts.

In the United States, civil law allows senior officials of an organization to be held liable for any civil wrongdoing by the organization. So if an organization is negligent, the senior officials can be pursued by any parties that were wronged.

The intellectual property covered by this type of law includes the following:

Patent

Trade secret

Trademark

Copyright

Software piracy and licensing issues

Digital rights management (DRM)

This section explains these types of intellectual properties and the internal protection of these properties.

Patent litigation is common in today’s world. You commonly see technology companies, such as Apple, Microsoft, Hewlett-Packard, and Google, filing lawsuits regarding infringement on patents (often against each other). For this reason, many companies involve a legal team in patent research before developing new technologies. Being the first to be issued a patent is crucial in today’s highly competitive market.

Any product that is produced that is currently undergoing the patent application process will usually be identified with the Patent Pending seal, shown in Figure 1-7.

Most organizations that have trade secrets attempt to protect these secrets using non-disclosure agreements (NDAs). These NDAs must be signed by any entity that has access to information that is part of the trade secret. Anyone who signs an NDA will suffer legal consequences if the organization is able to prove that the signer violated it.

Most trademarks are marked with one of the designations shown in Figure 1-8.

If the trademark is not registered, an organization should use a capital TM. If the trademark is registered, an organization should use a capital R that is encircled.

In 1996, the World Intellectual Property Organization (WIPO) standardized the treatment of digital copyrights. Copyright management information (CMI) is licensing and ownership information that is added to any digital work. In this standardization, WIPO stipulated that CMI included in copyrighted material cannot be altered.

The symbol shown in Figure 1-9 denotes a work that is copyrighted.

Freeware: Software available free of charge, including all rights to copy, distribute, and modify the software.

Shareware: Software that is shared for a limited time. After a certain amount of time (the trial period), the software requires that the user purchase the software to access all the software’s features. This is also referred to as trialware.

Commercial software: Software that is licensed by a commercial entity for purchase in a wholesale or retail market.

Software piracy is the unauthorized reproduction or distribution of copyrighted software. Although software piracy is a worldwide issue, it is much more prevalent in Asia, Europe, Latin America, and Africa/Middle East. Part of the problem with software piracy stems from the cross-jurisdictional issues that arise. Obtaining the cooperation of foreign law enforcement agencies and government is often difficult or impossible. Combine this with the availability of the hardware needed to create pirated software and the speed with which it can be made, and you have a problem that will only increase over the coming years.

Security professionals and the organizations they work with must ensure that the organization takes measures to ensure that employees understand the implications of installing pirated software. In addition, large organizations might need to utilize an enterprise software inventory application that will provide administrators with a report on the software that is installed.

First-generation DRM software controls copying. Second-generation DRM controls executing, viewing, copying, printing, and altering works or devices.

The U.S. Digital Millennium Copyright Act (DMCA) of 1998 imposes criminal penalties on those who make available technologies whose primary purpose is to circumvent content protection technologies. DRM includes restrictive license agreements and encryption. DRM protects computer games and other software, documents, ebooks, films, music, and television.

In most enterprise implementations, the primary concern is the DRM control of documents by using open, edit, print, or copy access restrictions that are granted on a permanent or temporary basis. Solutions can be deployed that store the protected data in a central or decentralized model. Encryption is used in the DRM implementation to protect the data both at rest and in transit.

Any organization that engages in export and import activities with entities based in other countries should ensure that legal counsel is involved in the process so that all laws and regulations are followed. In addition, the organization should implement the appropriate controls to ensure that personnel do not inadvertently violate any import and exports laws, regulations, or internal corporate policies.

As part of the security measures that organizations must take to protect privacy, personally identifiable information (PII) must be understood, identified, and protected. Organizations must also understand the privacy laws that governments have adopted. Finally, organizations must ensure that they comply with all laws and regulations regarding privacy.

Keep in mind that different countries and levels of government can have different qualifiers for identifying PII. Security professionals must ensure that they understand international, national, state, and local regulations and laws regarding PII. As the theft of this data becomes even more prevalent, you can expect more laws to be enacted that will affect your job.

A complex listing of PII is shown in Figure 1-10.

This section discusses many of the laws that will affect a security professional. For testing purposes, you need not worry about all the details of the law. You simply need to understand the law’s name(s), purpose, and the industry it affects (if applicable).

Sarbanes-Oxley (SOX) Act

The Public Company Accounting Reform and Investor Protection Act of 2002, more commonly known as the Sarbanes-Oxley (SOX) Act, affects any organization that is publicly traded in the United States. It controls the accounting methods and financial reporting for the organizations and stipulates penalties and even jail time for executive officers.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA, also known as the Kennedy-Kassebaum Act, affects all healthcare facilities, health insurance companies, and healthcare clearing houses. It is enforced by the Office of Civil Rights of the Department of Health and Human Services. It provides standards and procedures for storing, using, and transmitting medical information and healthcare data. HIPAA overrides state laws unless the state laws are stricter.

Gramm-Leach-Bliley Act (GLBA) of 1999

The Gramm-Leach-Bliley Act (GLBA) of 1999 affects all financial institutions, including banks, loan companies, insurance companies, investment companies, and credit card providers. It provides guidelines for securing all financial information and prohibits sharing financial information with third parties. This act directly affects the security of PII.

Computer Fraud and Abuse Act (CFAA)

The Computer Fraud and Abuse Act (CFAA) of 1986 affects any entities that might engage in hacking of “protected computers” as defined in the Act. It was amended in 1989, 1994, 1996; in 2001 by the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act; in 2002; and in 2008 by the Identity Theft Enforcement and Restitution Act. A “protected computer” is a computer used exclusively by a financial institution or the U.S. government or used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States. Due to the interstate nature of most Internet communication, any ordinary computer has come under the jurisdiction of the law, including cellphones. The law includes several definitions of hacking, including knowingly accessing a computer without authorization, intentionally accessing a computer to obtain financial records, U.S. government information, or protected computer information, and transmitting fraudulent commerce communication with the intent to extort.

Federal Privacy Act of 1974

The Federal Privacy Act of 1974 affects any computer that contains records used by a federal agency. It provides guidelines on collection, maintenance, use, and dissemination of PII about individuals that is maintained in systems of records by federal agencies on collecting, maintaining, using, and distributing PII.

Federal Intelligence Surveillance Act (FISA) of 1978

The Federal Intelligence Surveillance Act (FISA) of 1978 affects law enforcement and intelligence agencies. It was the first act to give procedures for the physical and electronic surveillance and collection of “foreign intelligence information” between “foreign powers” and “agents of foreign powers” and only applied to traffic within the United States. It was amended by the USA PATRIOT Act of 2001 and the FISA Amendments Act of 2008.

Electronic Communications Privacy Act (ECPA) of 1986

The Electronic Communications Privacy Act (ECPA) of 1986 affects law enforcement and intelligence agencies. It extended government restrictions on wiretaps from telephone calls to include transmissions of electronic data by computer and prohibited access to stored electronic communications. It was amended by the Communications Assistance to Law Enforcement Act (CALEA) of 1994, the USA PATRIOT Act of 2001, and the FISA Amendments Act of 2008.

Computer Security Act of 1987

The Computer Security Act of 1987 was superseded by the Federal Information Security Management Act (FISMA) of 2002. This Act was the first law written to require a formal computer security plan. It was written to protect and defend any of the sensitive information in the federal government systems and provide security for that information. It also placed requirements on government agencies to train employees and identify sensitive systems.

United States Federal Sentencing Guidelines of 1991

The United States Federal Sentencing Guidelines of 1991 affects individuals and organizations convicted of felonies and serious (Class A) misdemeanors. It provides guidelines to prevent sentencing disparities that existed across the United States.

Communications Assistance for Law Enforcement Act (CALEA) of 1994

The Communications Assistance for Law Enforcement Act (CALEA) of 1994 affects law enforcement and intelligence agencies. It requires telecommunications carriers and manufacturers of telecommunications equipment to modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities. This allows federal agencies to monitor all telephone, broadband Internet, and Voice over IP (VoIP) traffic in real time.

Personal Information Protection and Electronic Documents Act (PIPEDA)

The Personal Information Protection and Electronic Documents Act (PIPEDA) affects how private sector organizations collect, use, and disclose personal information in the course of commercial business in Canada. The Act was written to address European Union (EU) concerns over the security of PII in Canada. The law requires organizations to obtain consent when they collect, use, or disclose personal information and to have personal information policies that are clear, understandable, and readily available.

Basel II

Basel II affects financial institutions. It addresses minimum capital requirements, supervisory review, and market discipline. Its main purpose is to protect against risks the banks and other financial institutions face.

Federal Information Security Management Act (FISMA) of 2002

The Federal Information Security Management Act (FISMA) of 2002 affects every federal agency. It requires the federal agencies to develop, document, and implement an agency-wide information security program.

Economic Espionage Act of 1996

The Economic Espionage Act of 1996 covers a multitude of issues because of the way the Act was structured. But for the purposes of the CISSP exam, this Act affects companies that have trade secrets and any individuals who plan to use encryption technology for criminal activities. A trade secret does not need to be tangible to be protected by this Act. Per this law, theft of a trade secret is now a federal crime, and the United States Sentencing Commission must provide specific information in its reports regarding encryption or scrambling technology that is used illegally.

USA PATRIOT Act

The USA PATRIOT Act of 2001 affects law enforcement and intelligence agencies in the United States. Its purpose is to enhance the investigatory tools that law enforcement can use, including email communications, telephone records, Internet communications, medical records, and financial records. When this law was enacted, it amended several other laws, including FISA and the ECPA of 1986.

Although the USA PATRIOT Act does not restrict private citizen use of investigatory tools, exceptions include if the private citizen is acting as a government agent (even if not formally employed), if the private citizen conducts a search that would require law enforcement to have a warrant, if the government is aware of the private citizen’s search, or if the private citizen is performing a search to help the government.

Health Care and Education Reconciliation Act of 2010

The Health Care and Education Reconciliation Act of 2010 affects healthcare and educational organizations. For the CISSP exam, this Act increased some of the security measures that must be taken to protect healthcare information.

Employee Privacy Issues and Expectation of Privacy

Employee privacy issues must be addressed by all organizations to ensure that the organization is protected. However, organizations must give employees the proper notice of any monitoring that might be used. Organizations must also ensure that the monitoring of employees is applied in a consistent manner. Many organizations implement a no-expectation-of-privacy policy that the employee must sign after receiving the appropriate training. Keep in mind that this policy should specifically describe any unacceptable behavior. Companies should also keep in mind that some actions are protected by the Fourth Amendment. Security professionals and senior management should consult with legal counsel when designing and implementing any monitoring solution.

European Union

The EU has implemented several laws and regulations that affect security and privacy. The EU Principles on Privacy include strict laws to protect private data. The EU’s Data Protection Directive provides direction on how to follow the laws set forth in the principles. The EU then created the Safe Harbor Privacy Principles to help guide U.S. organizations in compliance with the EU Principles on Privacy. Some of the guidelines include the following:

Data should be collected in accordance with the law.

Information collected about an individual cannot be shared with other organizations unless given explicit permission by the individual.

Information transferred to other organizations can only be transferred if the sharing organization has adequate security in place.

Data should be used only for the purpose for which it was collected.

Data should be used only for a reasonable period of time.

The EU Electronic Security Directive defines electronic signature principles. In this directive, a signature must be uniquely linked to the signer and to the data to which it relates so that any subsequent data change is detectable. The signature must be capable of identifying the signer.

The four mandatory canons for the Code of Ethics are as follows:

Protect society, the common good, necessary public trust and confidence, and the infrastructure.

Act honorably, honestly, justly, responsibly, and legally.

Provide diligent and competent service to principals.

Advance and protect the profession.

Any certificate holders are required to report any actions by other certificate holders that they feel are in violation of the Code. If a certificate holder is reported, a peer review committee will investigate the actions and make a decision as to the certificate holder’s standing.

Certification is a privilege that must be earned and maintained. Certificate holders are expected to complete certain educational requirements to prove their continued competence in all aspects of security. They are also expected to promote the understanding and acceptance of prudent information security measures.

Do not use a computer for harm.

Do not interfere with the computer work of other people.

Do not snoop around in the computer files of other people.

Do not use a computer to steal.

Do not use a computer to lie.

Do not install and use licensed software unless you have paid for it.

Do not use another person’s computer unless you have permission or have paid the appropriate compensation for said usage.

Do not appropriate another person’s intellectual output.

Consider the consequences of the program you are writing or the system you are designing.

Always use a computer in ways that ensure consideration and respect of other people and their property.

Request for Comments (RFC) 1087, called Ethics and the Internet, is the specific IAB document that outlines unethical Internet behavior. Refer to http://tools.ietf.org/html/rfc1087 for more information.

Several laws in the United States can affect the development and adoption of an organizational ethics program. If an organization adopts an ethics program, the liability of the organization is often limited, even when the employees are guilty of wrongdoing, provided the organization ensures that personnel have been instructed on the organization’s ethics.

Because management is the most critical link in the computer security chain, management approval must be obtained as part of the first step in forming and adopting an information security policy. Senior management must complete the following steps prior to the development of any organizational security policy:

Define the scope of the security program.

Identify all the assets that need protection.

Determine the level of protection that each asset needs.

Determine personnel responsibilities.

Develop consequences for noncompliance with the security policy.

By fully endorsing an organizational security policy, senior management accepts the ownership of an organization’s security. High-level polices are statements that indicate senior management’s intention to support security.

After senior management approval has been obtained, the first step in establishing an information security program is to adopt an organizational information security statement. The organization’s security policy comes from this organizational information security statement. The security planning process must define how security will be managed, who will be responsible for setting up and monitoring compliance, how security measures will be tested for effectiveness, who is involved in establishing the security policy, and where the security policy is defined.

Security professionals must understand how information security documents work together to form a comprehensive security plan. Information security governance documents include:

Policies

Standards

Baselines

Guidelines

Procedures

Policies are broad and provide the foundation for development of standards, baselines, guidelines, and procedures, all of which provide the security structure. Administrative, technical, and physical access controls fill in the security and structure complete the security program.

The policy levels used in information security are organizational security policies, system-specific security policies, and issue-specific security policies. The policy categories used in information security are regulatory security policies, advisory security policies, and informative security policies. The policies are divided as shown in Figure 1-11.

Define overall goals of security policy.

Define overall steps and importance of security.

Define security framework to meet business goals.

State management approval of policy, including support of security goals and principles.

Define all relevant terms.

Define security roles and responsibilities.

Address all relevant laws and regulations.

Identify major functional areas.

Define compliance requirements and noncompliance consequences.

An organizational security policy must be supported by all stakeholders and should have high visibility for all personnel and be discussed regularly. In addition, it should be reviewed on a regular basis and revised based on the findings of the regular review. Each version of the policy should be maintained and documented with each new release.

Advisory security policies provide instruction on acceptable and unacceptable activities. In most cases, this policy is considered to be strongly suggested, not compulsory. This type of policy usually gives examples of possible consequences if users engage in unacceptable activities.

Informative security policies provide information on certain topics and act as an educational tool.

Capturing a baseline at the appropriate point in time is also important. Baselines should be captured when a system is properly configured and fully updated. When updates occur, new baselines should be captured and compared to the previous baselines. At that time, adopting new baselines based on the most recent data might be necessary.

As a result, security professionals must understand the basic concepts involved in business continuity and disaster recovery planning, including the following:

Disruptions

Disasters

— Technological

— Human-caused

— Natural

Disaster Recovery and the Disaster Recovery Plan (DRP)

Continuity Planning and the Business Continuity Plan (BCP)

Business Impact Analysis (BIA)

Contingency Plan

Availability

Reliability

Recoverability

Fault Tolerance

Non-disasters are temporary interruptions that occur due to malfunction or failure. Non-disasters might or might not require public notification and are much easier to recover from than disasters or catastrophes.

A disaster is a suddenly occurring event that has a long-term negative impact on life. Disasters require that the organization publicly acknowledge the event and provide the public with information on how the organization will recover. Disasters require more effort for recovery than non-disasters but less than catastrophes.

A catastrophe is a disaster that has a much wider and much longer impact. In most cases, a disaster is considered a catastrophe if facilities are destroyed, thereby resulting in the need for the rebuilding of the facilities and the use of a temporary offsite facility.

The causes of disasters are categorized into three main areas according to origin: technological disasters, human-caused disasters, and natural disasters. A disaster is officially over when all business elements have returned to normal function at the original site. The primary concern during any disaster is personnel safety.

Technological Disasters

Technological disasters occur when a device fails. This failure can be the result of device defects, incorrect implementation, incorrect monitoring, or human error. Technological disasters are not usually intentional. If a technological disaster is not recovered from in a timely manner, an organization might suffer a financial collapse.

If a disaster occurs because of a deliberate attack against an organization’s infrastructure, the disaster is considered a human-caused disaster even if the attack is against a specific device or technology. In the past, all technological disasters were actually considered human-caused disasters because technological disasters are usually due to human error or negligence. However, in recent years, experts have started categorizing technological disasters separately from human-caused disasters, although the two are closely related.

Human-Caused Disasters

Human-caused disasters occur through human intent or error. Human-caused disasters include enemy attacks, bombings, sabotage, arson, terrorism, strikes or other job actions, infrastructure failures, personnel unavailability due to emergency evacuation, and mass hysteria. In most cases, human-caused disasters are intentional.

Natural Disasters

Natural disasters occur because of a natural hazard. Natural disasters include flood, tsunami, earthquake, hurricane, tornado, and other such natural events. A fire that is not the result of arson is also considered a natural disaster.

Each organizational function or system will have its own disaster recovery plan (DRP). The DRP for each function or system is created as a direct result of that function or system being identified as part of the business continuity plan (BCP). The DRP is implemented when the emergency occurs and includes the steps to restore functions and systems. The goal of DRP is to minimize or prevent property damage and prevent loss of life. More details on disaster recovery are given later in this chapter.

The BCP considers all aspects that are affected by a disaster, including functions, systems, personnel, and facilities. It lists and prioritizes the services that are needed, particularly the telecommunications and IT functions. More details on continuity planning are given later in this chapter.

Failure of the contingency plan is usually considered a management failure. A contingency plan, along with the BCP and DRP, should be reviewed at least once a year. As with all such plans, version control should be maintained. Copies should be provided to personnel for storage both onsite and offsite to ensure that personnel can access the plan in the event of the destruction of the organization’s main facility.

In regard to availability, most of the unplanned downtime of functions and systems is attributed to hardware failure. Availability places emphasis on technology.

This section covers the personnel components, the project scope, and the business continuity steps that must be completed.

Senior management sets the overall goals of business continuity and disaster recovery. A business continuity coordinator should be named by senior management and leads the BCP committee. The committee develops, implements, and tests the BCP and DRP. The BCP committee should contain a representative from each business unit. At least one member of senior management should be part of this committee. In addition, the organization should ensure that the IT department, legal department, security department, and communications department are represented because of the vital role that these departments play during and after a disaster.

With management direction, the BCP committee must work with business units to ultimately determine the business continuity and disaster recovery priorities. Senior business unit managers are responsible for identifying and prioritizing time-critical systems. After all aspects of the plans have been determined, the BCP committee should be tasked with regularly reviewing the plans to ensure they remain current and viable. Senior management should closely monitor and control all business continuity efforts and publicly praise any successes.

After an organization gets into disaster recovery planning, other teams are involved.

When considering the splitting of the BCP into pieces, an organization might want to split the pieces based on geographic location or facility. However, an enterprise-wide BCP should be developed that ensures compatibility of the individual plans.

The following list summarizes the steps of SP 800-34 R1:

1. Develop contingency planning policy.

2. Conduct business impact analysis (BIA).

3. Identify preventive controls.

4. Create recovery strategies.

5. Develop business continuity plan (BCP).

6. Test, train, and exercise.

7. Maintain the plan.

Figure 1-12 shows a more detailed listing of the tasks included in SP 800-34 R1.

The four main steps of the BIA are as follows:

1. Identify critical processes and resources.

2. Identify outage impacts, and estimate downtime.

3. Identify resource requirements.

4. Identify recovery priorities.

The BIA relies heavily on any vulnerability analysis and risk assessment that is completed. The vulnerability analysis and risk assessment may be performed by the BCP committee or by a separately appointed risk assessment team. The risk assessment process is discussed later in this chapter.

These individuals will gather the data using a variety of techniques, including questionnaires, interviews, and surveys. They might also actually perform a vulnerability analysis and risk assessment or use the results of these tests as input for the BIA.

During the data gathering, the organization’s business processes and functions and the resources upon which these processes and functions depend should be documented. This list should include all business assets, including physical and financial assets that are owned by the organization, and any assets that provide competitive advantage or credibility.

As part of determining how critical an asset is, you need to understand the following terms:

Maximum tolerable downtime (MTD): The maximum amount of time that an organization can tolerate a single resource or function being down. This is also referred to as maximum period time of disruption (MPTD).

Mean time to repair (MTTR): The average time required to repair a single resource or function when a disaster or disruption occurs.

Mean time between failure (MTBF): The estimated amount of time a device will operate before a failure occurs. This amount is calculated by the device vendor. System reliability is increased by a higher MTBF and lower MTTR.

Recovery time objective (RTO): The shortest time period after a disaster or disruptive event within which a resource or function must be restored to avoid unacceptable consequences. RTO assumes that an acceptable period of downtime exists. RTO should be smaller than MTD.

Work recovery time (WRT): The difference between RTO and MTD, which is the remaining time that is left over after the RTO before reaching the maximum tolerable.

Recovery point objective (RPO): The point in time to which the disrupted resource or function must be returned.

Each organization must develop its own documented criticality levels. A good example of organizational resource and function criticality levels include critical, urgent, important, normal, and nonessential. Critical resources are those resources that are most vital to the organization’s operation and should be restored within minutes or hours of the disaster or disruptive event. Urgent resources should be restored in 24 hours but are not considered as important as critical resources. Important resources should be restored in 72 hours but are not considered as important as critical or urgent resources. Normal resources should be restored in 7 days but are not considered as important as critical, urgent, or important resources. Nonessential resources should be restored within 30 days.

Each process, function, and resource must have its criticality level defined to act as an input into the DRP. If critical priority levels are not defined, a DRP might not be operational within the timeframe the organization needs to recover.

The organization must document the resource requirements for every resource that would need to be restored when the disruptive event occurs. This includes device name, operating system or platform version, hardware requirements, and device interrelationships.

Three main levels of recovery priorities should be used: high, medium, and low. The BIA stipulates the recovery priorities but does not provide the recovery solutions. Those are given in the DRP.

Varying levels of fault tolerance can be achieved at most levels of the organization based on how much an organization is willing to spend. However, the backup component often does not provide the same level of service as the primary component. For example, an organization might implement a high-speed T1 connection to the Internet. However, the backup connection to the Internet that is used in the event of the failure of the T1 line might be much slower but at a much lower cost of implementation than the primary T1 connection.

Criminal history checks are allowed under the Fair Credit Reporting Act (FCRA). Employers can request criminal records for most potential employees for the past seven years. If the applicant will be earning more than $75,000 annually, there are no time restrictions on criminal history. Employers need to search state and county criminal records, sex and violent offender records, and prison records. Many companies provide such services for a fee.

Work history should be verified. Former employers should be contacted to confirm dates employed, positions, performance, and reason for leaving. However, security professionals should keep in mind that some companies will only verify the employment term.

Background investigation should research any claim made on the applicant’s application or resume. Verification of the applicant’s claims serves to protect the hiring organization by ensuring that the applicant holds the skills and experience that he or she claims to have. Employees should also be reinvestigated based on their employment level. For example, employees with access to financial data and transactions should undergo periodic credit checks.

Credit history ensures that personnel who are involved in financial transactions for the organization will not be risks for financial fraud. The FCRA and Equal Employment Opportunity Commission (EEOC) provide guidelines that can help human resources personnel in this area. In addition, it is a good idea to involve legal counsel.

Driving records are necessary if the applicant will be operating a motor vehicle as part of his or her job. But often this type of check for other applicants can help reveal lifestyle issues, such as driving under the influence or license suspension, that can cause employment problems later.

Substance-abuse testing will reveal to the employer any drug use. Because a history of drug use can cause productivity and absenteeism, it is always best to perform such testing before offering employment. However, security professionals should ensure that any substance testing is clearly stated as part of the job posting.

Two types of reference checks are performed: work and personal. Work reference checks verify employment history. Personal reference checks contact individuals supplied by the applicant and ask questions regarding the applicant’s capabilities, skills, and personality.

Education and licensing verification is usually fairly easy to complete. Employers can request transcripts from educational institutions. For any licensing or certification, the licensing or certification body can verify the license or certification held.

Social Security number verification and validation can be achieved by contacting the Social Security Administration. Such a check ensures that the Social Security information is accurate. The Social Security Administration will alert you if the Social Security number has been misused, including if the number belongs to a deceased person or a person in a detention facility.

Just as companies exist that can provide criminal history checks, companies have recently started providing services to search federal and international lists of suspected terrorists. Organizations involved in defense, aviation, technology, and biotechnology fields should consider performing such a check for all applicants.

As any security professional knows, the sensitivity of the information that the applicant will have access to should be the biggest determining factor as to which checks to perform. Organizations should never get lax in their pre-employment applicant screening processes.

Code of conduct, conflict of interest, and ethics agreements should also be signed at this time. Also, any non-compete agreements should be verified to ensure that employees do not leave the organization for a competitor. Employees should be given guidelines for periodic performance reviews, compensation, and recognition of achievements.

Security professionals should ensure that personnel are regularly reminded of the no expectation of privacy policy of the organization. In some cases, they may also want to place notification signs in areas where video monitoring occurs.

This section also discusses risk management policy; risk management team; risk analysis team; risk assessment; implementation; access control categories; access control types; control assessment, monitoring, and measurement; reporting and continuous improvement; and risk frameworks.

Countermeasures or controls come in many categories and types. The categories and types of controls are discussed later in this chapter.

All the aforementioned security concepts work together in a relationship that is demonstrated in Figure 1-13.

A risk management policy must include the overall risk management plan and list the risk management team and must specifically list the risk management team’s objectives, responsibilities and roles, acceptable level of risk, risk identification process, risk and safeguards mapping, safeguard effectiveness, monitoring process and targets, and future risk analysis plans and tasks.

Management must also ensure that the members of the risk management team, particularly the team leader, be given the necessary training and tools for risk management. In larger organizations, the team leader should be able to dedicate the majority of his time to the risk management process.

If the risk analysis team cannot contain members from all departments, the members must interview each department to understand all the threats encountered by that department. During the risk analysis process, the risk analysis team should determine the threat events that could occur, the potential impact of the threats, the frequency of the threats, and the level of confidence in the information gathered.

Identify assets and asset value.

Identify vulnerabilities and threats.

Calculate threat probability and business impact.

Balance threat impact with countermeasure cost.

Prior to starting the risk assessment, management and the risk assessment team must determine which assets and threats to consider. This process determines the size of the project. The risk assessment team must then provide a report to management on the value of the assets considered. Management can then review and finalize the asset list, adding and removing assets as it sees fit, and then determine the budget of the risk assessment project.

If a risk assessment is not supported and directed by senior management, it will not be successful. Management must define the risk assessment’s purpose and scope and allocate the personnel, time, and monetary resources for the project.

According to NIST SP 800-30, common information-gathering techniques used in risk analysis include automated risk assessment tools, questionnaires, interviews, and policy document reviews. Keep in mind that multiple sources should be used to determine the risks to a single asset. NIST SP 800-30 identifies the following steps in the risk assessment process:

1. Identify the assets and their value.

2. Identify threats.

3. Identify vulnerabilities.

4. Determine likelihood.

5. Identify impact.

6. Determine risk as a combination of likelihood and impact.

Figure 1-14 shows the risk assessment process according to NIST SP 800-30.

Security professionals may also want to review two other NIST publications: SP 800-39 and SP 800-66r1. SP 800-39 provides guidance for an integrated, organization-wide program for managing information security risk to organizational operations, organizational assets, individuals, other organizations, and the nation resulting from the operation and use of federal information systems. SP 800-66r1 is written specifically to address risks for organizations that must comply with the HIPAA Security Rule. All NIST documents can be accessed at the NIST website: http://csrc.nist.gov.

Value to owner

Work required to develop or obtain the asset

Costs to maintain the asset

Damage that would result if the asset were lost

Cost that competitors would pay for asset

Penalties that would result if asset was lost

After determining the value of the assets, you should determine the vulnerabilities and threats to each asset.

Human: Includes both malicious and non-malicious insiders and outsiders, terrorists, spies, and terminated personnel

Natural: Includes floods, fires, tornadoes, hurricanes, earthquakes, or other natural disaster or weather event

Technical: Includes hardware and software failure, malicious code, and new technologies

Physical: Includes CCTV issues, perimeter measures failure, and biometric failure

Environmental: Includes power and other utility failure, traffic issues, biological warfare, and hazardous material issues (such as spillage)

Operational: Includes any process or procedure that can affect CIA

When the vulnerabilities and threats have been identified, the loss potential for each must be determined. This loss potential is determined by using the likelihood of the event combined with the impact that such an event would cause. An event with a high likelihood and a high impact would be given more importance than an event with a low likelihood and a low impact. Different types of risk analysis, including quantitative risk analysis and qualitative risk analysis, should be used to ensure that the data that is obtained is maximized.

Quantitative Risk Analysis

A quantitative risk analysis assigns monetary and numeric values to all facets of the risk analysis process, including asset value, threat frequency, vulnerability severity, impact, safeguard costs, and so on. Equations are used to determine total and residual risks. The most common equations are for single loss expectancy (SLE) and annual loss expectancy (ALE).

The SLE is the monetary impact of each threat occurrence. To determine the SLE, you must know the asset value (AV) and the exposure factor (EF). The EF is the percent value or functionality of an asset that will be lost when a threat event occurs. The calculation for obtaining the SLE is as follows:

SLE = AV × EF

For example, an organization has a web server farm with an AV of $20,000. If the risk assessment has determined that a power failure is a threat agent for the web server farm and the exposure factor for a power failure is 25%, the SLE for this event equals $5,000.

The ALE is the expected risk factor of an annual threat event. To determine the ALE, you must know the SLE and the annualized rate of occurrence (ARO). The ARO is the estimate of how often a given threat might occur annually. The calculation for obtaining the ALE is as follows:

ALE = SLE × ARO

Using the previously mentioned example, if the risk assessment has determined that the ARO for the power failure of the web server farm is 50%, the ALE for this event equals $2,500. Security professionals should keep in mind that this calculation can be adjusted for different geographical locations. For example, a DNS server located in a small town may have a higher risk of power outage than one in a large city.

Using the ALE, the organization can decide whether to implement controls or not. If the annual cost of the control to protect the web server farm is more than the ALE, the organization could easily choose to accept the risk by not implementing the control. If the annual cost of the control to protect the web server farm is less than the ALE, the organization should consider implementing the control.

Keep in mind that even though quantitative risk analysis uses numeric value, a purely quantitative analysis cannot be achieved because some level of subjectivity is always part of the data. In our example, how does the organization know that damage from the power failure will be 25% of the asset? This type of estimate should be based on historical data, industry experience, and expert opinion.

An advantage of quantitative over qualitative risk analysis is that quantitative uses less guesswork than qualitative. Disadvantages of quantitative risk analysis include the difficulty of the equations, the time and effort needed to complete the analysis, and the level of data that must be gathered for the analysis.

Qualitative Risk Analysis

Qualitative risk analysis does not assign monetary and numeric values to all facets of the risk analysis process. Qualitative risk analysis techniques include intuition, experience, and best practice techniques, such as brainstorming, focus groups, surveys, questionnaires, meetings, interviews, and Delphi. Although all of these techniques can be used, most organizations will determine the best technique(s) based on the threats to be assessed. Experience and education on the threats are needed.

Each member of the group who has been chosen to participate in the qualitative risk analysis uses his experience to rank the likelihood of each threat and the damage that might result. After each group member ranks the threat possibility, loss potential, and safeguard advantage, data is combined in a report to present to management. All levels of staff should be represented as part of the qualitative risk analysis, but it is vital that some participants in this process have some expertise in risk analysis.

Advantages of qualitative over quantitative risk analysis include qualitative prioritizes the risks and identifies areas for immediate improvement in addressing the threats. Disadvantages of qualitative risk analysis include all results are subjective and a dollar value is not provided for cost-benefit analysis or for budget help.

Most risk analysis includes some hybrid use of both quantitative and qualitative risk analyses. Most organizations favor using quantitative risk analysis for tangible assets and qualitative risk analysis for intangible assets.

(ALE before safeguard) – (ALE after safeguard) – (Annual cost of safeguard) = Safeguard value

To complete this equation, you have to know the revised ALE after the safeguard is implemented. Implementing a safeguard can improve the ARO but will not completely do away with it. In the example mentioned earlier in the “Quantitative Risk Analysis” section, the ALE for the event is $2,500. Let’s assume that implementing the safeguard reduces the ARO to 10%, so the ALE after the safeguard is calculated as: $5,000 × 10% or $500. You could then calculate the safeguard value for a control that costs $1,000 as follows:

$2,500 – $500 – $1,000 = $1,000

Knowing the corrected ARO after the safeguard is implemented is necessary for determining the safeguard value. A legal liability exists if the cost of the safeguard is less than the estimated loss that would occur if the threat is exploited.

Maintenance costs of safeguards are not often fully considered during this process. Organizations should fully research the costs of maintaining safeguards. New staff or extensive staff training often must occur to properly maintain a new safeguard. In addition, the cost of the labor involved must be determined. So the cost of a safeguard must include the actual cost to implement plus any training costs, testing costs, labor costs, and so on. Some of these costs might be hard to identify but a thorough risk analysis will account for these costs.

Residual risk = Total risk – Countermeasures

This equation is considered to be more conceptual than for actual calculation.

Risk avoidance: Terminating the activity that causes a risk or choosing an alternative that is not as risky

Risk transfer: Passing the risk on to a third party, including insurance companies

Risk mitigation: Defining the acceptable risk level the organization can tolerate and reducing the risk to that level

Risk acceptance: Understanding and accepting the level of risk as well as the cost of damages that can occur

All organizational personnel should be involved in the deployment of countermeasures and controls for risk management. Each individual involved in the implementation will have a unique perspective on the risks of that individual’s position. Documentation and communication across all areas will ensure that each individual business unit’s risk management implementation is as complete as possible.

Compensative

Corrective

Detective

Deterrent

Directive

Preventive

Recovery

Any access control that you implement will fit into one or more access control category.

Administrative (management) controls

Logical (technical) controls

Physical controls

In any organization where defense in depth is a priority, access control requires the use of all three types of access controls. Even if you implement the strictest physical and administrative controls, you cannot fully protect the environment without logical controls.

Security awareness training is a very important administrative control. Its purpose is to improve the organization’s attitude about safeguarding data. The benefits of security awareness training include reduction in the number and severity of errors and omissions, better understanding of information value, and better administrator recognition of unauthorized intrusion attempts. A cost-effective way to ensure that employees take security awareness seriously is to create an award or recognition program.

Table 1-4 lists many administrative controls and includes in which access control categories the controls fit.

Security professionals should help develop organization policies and procedures to ensure that personnel understand what is expected and how to properly carry out their duties. Applicant evaluation prior to employment is also important to protect the organization. Personnel security, evaluation, and clearances ensure that personnel are given access only to those resources or areas required by their specific roles within the organization. Monitoring and logs ensure that security professionals have a way to analyze behavior. User access should be managed, including user access approval, unique user IDs, periodic reviews of user access, user password processes, and access modification and revocation procedures.

Although auditing and monitoring are logical controls and are often listed together, they are actually two different controls. Auditing is a one-time or periodic event to evaluate security. Monitoring is an ongoing activity that examines either the system or users.

Table 1-5 lists many logical controls and includes in which access control categories the controls fit.

Network access, remote access, application access, and computer or device access all fit into this category.

Table 1-6 lists many physical controls and includes in which access control categories the controls fit.

When controlling physical entry into a building, security professionals should ensure that the appropriate policies are in place for visitor control, including visitor logs, visitor escort, and limitation of visitors’ access to sensitive areas.

Security controls should be monitored to ensure that they are always performing in the way expected. As part of this monitoring, security professionals should review all logs. In addition, performance reports should be run and compared with the performance baselines for all security devices and controls. This allows security professionals to anticipate some issues and resolve them before they become critical. The performance measurements that are taken should be retained over time. New baselines need to be captured if significant events or changes occur. For example, if you add 200 new users who will need authentication, you need to capture new authentication baselines to ensure that authentication can still occur in a timely manner. In addition, if you change an authentication setting, such as implementing an account lockout policy, you should monitor the effect that the setting has on performance and security.

Quality improvement commonly uses a four-step quality model, known as Deming’s Plan–Do–Check–Act cycle . These are the steps in this cycle:

1. Plan: Identify an area for improvement and make a formal plan to implement it.

2. Do: Implement the plan on a small scale.

3. Check: Analyze the results of the implementation to determine whether it made a difference.

4. Act: If the implementation made a positive change, implement it on a wider scale. Continuously analyze the results.

Other similar guidelines include Six Sigma, Lean, and Total Quality Management. No matter which of these an organization uses, the result should be a continuous cycle of improvement organization-wide.

Threat modeling can be carried out using three different perspectives:

Application-centric threat modeling: This perspective involves using application architecture diagrams to analyze threats.

Asset-centric threat modeling: This perspective involves identifying the assets of an organization and classifying them according to data sensitivity and their intrinsic value to a potential attacker, in order to prioritize risk levels. This method uses attack trees, attack graphs, or displaying patterns to determine how an asset can be attacked.

Attacker-centric threat modeling: This perspective involves profiling an attacker’s characteristics, skills, and motivation to exploit vulnerabilities. Attacker profiles are then used to understand the type of attacker who would be most likely to execute specific types of exploits and implement a mitigation strategy accordingly. Tree diagrams are often used.

No matter which threat modeling method you decide to use, the basic steps in the threat modeling process are as follows:

1. Identify assets.

2. Identify threat agents and possible attacks.

3. Research existing countermeasures in use by the organization.

4. Identify any vulnerabilities that can be exploited.

5. Prioritize the identified risks.

6. Identify countermeasures to reduce the organization’s risk.

Security professionals should analyze all the threats to identify all the actors who pose significant threats to the organization. Examples of the threat actors include both internal and external actors, such as the following:

Internal actors

Reckless employee

Untrained employee

Partner

Disgruntled employee

Internal spy

Government spy

Vendor

Thief

External actors

Anarchist

Competitor

Corrupt government official

Data miner

Government cyber warrior

Irrational individual

Legal adversary

Mobster

Activist

Terrorist

Vandal

These actors can be subdivided into two categories: non-hostile and hostile. Of the actors listed above, three are usually considered non-hostile: reckless employee, untrained employee, and partner. All the other actors should be considered hostile.

An organization needs to analyze each of these threat actors according to set criteria. The organization should give each threat actor a ranking to help determine which ones should be analyzed. Examples of some of the most commonly used criteria include the following:

Skill level: None, minimal, operational, adept

Resources: Individual, team, organization, government

Visibility: Overt, covert, clandestine, don’t care

Objective: Copy, destroy, injure, take, don’t care

Outcome: Acquisition/theft, business advantage, damage, embarrassment, technical advantage

Based on these criteria, the organization must then determine which of the actors it wants to analyze. For example, the organization may choose to analyze all hostile actors who have a skill level of adept and resources of organization or government. Then the list is consolidated to include only the threat actors that fit all these criteria.

Next, the organization must determine what it really cares about protecting. Often this determination is made using some sort of business impact analysis. Once the vital assets are determined, the organization should then select the scenarios that could have a catastrophic impact on the organization by using the objective and outcome values from the threat actor analysis and the asset value and business impact information from the impact analysis.

Once all the scenarios are determined, the organization should develop an attack tree for each potential attack. The attack tree should include all the steps and/or conditions that must occur for the attack to be successful. The organization then needs to map security controls to the attack trees.

To determine what security controls can be used, an organization needs to look at industry standards, including NIST SP 800-53 (discussed earlier in this chapter). Finally, the controls need to be mapped back to the attack tree to ensure that controls are implemented at as many levels of the attack as possible.

Some of these acquisitions have built-in security mechanisms. However, these security mechanisms are not enough to fully protect the acquisitions. In addition, any security mechanisms need to be regularly updated and perhaps even replaced with more recent, stronger security mechanisms.

Security professionals should be involved in any hardware, software, and service acquisition to ensure that security is an integral part of the decision. If no security advocate is part of the acquisition process, acquisitions are often made that actually put the organization at risk.

As part of the related security considerations, security professionals should develop baseline requirements for acquisitions, train personnel to adapt to security changes with new acquisitions, use common security terms and definitions for acquisitions, and develop a strategy to ensure that acquisitions are minimized.

A member of high-level management usually manages this process so that the third party is given access as needed. As part of this analysis, the third party might need to perform an onsite assessment, a document exchange, or a process/policy review.

For each different acquisition type, it may be necessary to define separate security policies. For example, mobile devices that are not used may need to be locked in a file cabinet or safe. Keys for company vehicles should not be kept out in the open where they are easy to obtain. Computers that are located in a high-traffic area may need some sort of mechanism that locks the device to the desk. The security controls vary just as much as the acquisition types.

Loss of connectivity to the DNS server must be restored within a 30-minute period.

Loss of connectivity to Internet service must be restored in a 5-hour period.

Loss of connectivity of a host machine must be restored in an 8-hour period.

Before an SLA can be written and signed, organizations must negotiate the service-level requirements. If an organization does not have carefully documented requirements, it cannot be sure that the SLA from the vendor will fulfill its needs. Requirements that need to be documented include the following:

Description of service

Hours of service needed

Service interruption process

Availability requirements

Maintenance requirements and allowed downtime

Workload expected

Performance expected

Security professionals need to work with business unit managers when services must be obtained from a third party to ensure that the service-level requirements are documented.

Security awareness training should be developed based on the audience. In addition, trainers must understand the corporate culture and how it will affect security. The audiences you need to consider when designing training include high-level management, middle management, technical personnel, and regular staff.

For high-level management, the security awareness training must provide a clear understanding of potential risks and threats, effects of security issues on organizational reputation and financial standing, and any applicable laws and regulations that pertain to the organization’s security program. Middle management training should discuss policies, standards, baselines, guidelines, and procedures, particularly how these components map to the individual departments. Also, middle management must understand their responsibilities regarding security. Technical staff should receive technical training on configuring and maintaining security controls, including how to recognize an attack when it occurs. In addition, technical staff should be encouraged to pursue industry certifications and higher education degrees. Regular staff need to understand their responsibilities regarding security so that they perform their day-to-day tasks in a secure manner. With regular staff, providing real-world examples to emphasize proper security procedures is effective.

Personnel should sign a document that indicates they have completed the training and understand all the topics. Although the initial training should occur when personnel is hired, security awareness training should be considered a continuous process, with future training sessions occurring annually at a minimum.

administrative control

administrative law

ALE

annualized loss expectancy

annualized rate of occurrence

ARO

availability

Basel II

baseline

business case

CALEA

CFAA

CIA triad

civil code law

civil/tort law

common law

Communications Assistance for Law Enforcement Act (CALEA) of 1994

compensative control

Computer Fraud and Abuse Act (CFAA) of 1986

computer prevalence crime

Computer Security Act of 1987

computer-assisted crime

computer-targeted crime

confidentiality

copyright

corrective control

countermeasure

criminal law

customary law

data breach

default stance

defense in depth

detective control

deterrent control

digital rights management

directive control

disaster

disruption

DRM

due care

due diligence

Economic Espionage Act of 1996

ECPA

EF

Electronic Communications Privacy Act (ECPA) of 1986

exposure

exposure factor

fault tolerance

Federal Information Security Management Act (FISMA) of 2002

Federal Intelligence Surveillance Act (FISA) of 1978

Federal Privacy Act of 1974

FISA

FISMA

GLBA

Gramm-Leach-Bliley Act (GLBA) of 1999

guideline

Health Care and Education Reconciliation Act of 2010

Health Insurance Portability and Accountability Act (HIPAA)

incidental computer crime

integrity

issue-specific security policy

job rotation

Kennedy-Kassebaum Act

logical control

management control

human-caused disasters

human-caused threats

mean time between failure (MTBF)

mean time to repair (MTTR)

mixed law

MTBF

MTD

MTTR

organizational security policy

patent

Personal Information Protection and Electronic Documents Act (PIPEDA)

personally identifiable information (PII)

physical control

PII

PIPEDA

preventive control

procedure

qualitative risk analysis

recovery control

recovery point objective

recovery time objective

regulatory law

regulatory security policy

reliability

religious law

residual risk

risk

risk acceptance

risk avoidance

risk management

risk mitigation

risk transfer

RPO

RTO

safeguard

Sarbanes-Oxley (SOX) Act

separation of duties

software piracy

SOX Act

standard

system threats

system-specific security policy

tactical plans (or goals)

tangible assets

technological disasters

threat

threat agent

TOGAF

tort law

total risk

trade secret

trademark

United States Federal Sentencing Guidelines of 1991

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001

USA PATRIOT Act

vulnerability

a. integrity

b. availability

c. confidentiality

d. authorization

2. Which of the following controls is an administrative control?

a. security policy

b. CCTV

c. data backups

d. locks

3. What is a vulnerability?

a. the entity that carries out a threat

b. the exposure of an organizational asset to losses

c. an absence or a weakness of a countermeasure that is in place

d. a control that reduces risk

4. Which framework uses the six communication questions (What, Where, When, Why, Who, and How) that intersect with six layers (operational, component, physical, logical, conceptual, and contextual)?

a. Six Sigma

b. SABSA

c. ITIL

d. ISO/IEC 27000 series

5. Which group of threat agents includes hardware and software failure, malicious code, and new technologies?

a. human

b. natural

c. environmental

d. technical

6. Which term indicates the monetary impact of each threat occurrence?

a. ARO

b. ALE

c. EF

d. SLE

7. What is risk avoidance?

a. risk that is left over after safeguards have been implemented

b. terminating the activity that causes a risk or choosing an alternative that is not as risky

c. passing the risk on to a third party

d. defining the acceptable risk level the organization can tolerate and reducing the risk to that level

8. Which security policies provide instruction on acceptable and unacceptable activities?

a. informative security policies

b. regulatory security policies

c. system-specific security policies

d. advisory security policies

9. Which organization role determines the classification level of the information to protect the data for which he is responsible?

a. data owner

b. data custodian

c. security administrator

d. security analyst

10. Which type of crime occurs when a computer is used as a tool to help commit a crime?

a. computer-assisted crime

b. incidental computer crime

c. computer-targeted crime

d. computer prevalence crime

11. Which access control type reduces the effect of an attack or another undesirable event?

a. compensative control

b. preventive control

c. detective control

d. corrective control

12. What is the first stage of the security program life cycle?

a. Plan and Organize

b. Implement

c. Operate and Maintain

d. Monitor and Evaluate

13. Which of the following frameworks is a two-dimensional model that intersects communication interrogatives (What, Why, Where, and so on) with various viewpoints (Planner, Owner, Designer, and so on)?

a. SABSA

b. Zachman framework

c. TOGAF

d. ITIL

14. Which management officer implements and manages all aspects of security, including risk analysis, security policies and procedures, training, and emerging technologies?

a. CPO

b. CFO

c. CSO

d. CIO

15. Which of the following do organizations have employees sign in order to protect trade secrets?

a. trademark

b. patent

c. DRM

d. NDA

16. Which type of access control type is an acceptable use policy (AUP) most likely considered?

a. corrective

b. detective

c. compensative

d. directive

17. What is the legal term used to describe an organization taking all reasonable measures to prevent security breaches and also taking steps to mitigate damages caused by successful breaches?

a. due care

b. due diligence

c. default stance

d. qualitative risk analysis

18. Which threat modeling perspective profiles malicious characteristics, skills, and motivation to exploit vulnerabilities?

a. application-centric

b. asset-centric

c. attacker-centric

d. hostile-centric

19. Which of the following is NOT a consideration for security professionals during mergers and acquisitions?

a. new data types

b. new technology types

c. cost of the merger or acquisition

d. the other organization’s security awareness training program

20. What is the first step of CRAMM?

a. identify threats and vulnerabilities

b. identify and value assets

c. identify countermeasures

d. prioritize countermeasures

2. a. A security policy is an administrative control. CCTV and locks are physical controls. Data backups are a technical control.

3. c. A vulnerability is an absence or a weakness of a countermeasure that is in place. A threat occurs when a vulnerability is identified or exploited. A threat agent is the entity that carries out a threat. Exposure occurs when an organizational asset is exposed to losses. A countermeasure or safeguard is a control that reduces risk.

4. b. SABSA uses the six communication questions (What, Where, When, Why, Who, and How) that intersect with six layers (operational, component, physical, logical, conceptual, and contextual). Six Sigma is a process improvement standard that includes two project methodologies that were inspired by Deming’s Plan–Do–Check–Act cycle. ITIL is a process management development standard that has five core publications: ITIL Service Strategy, ITIL Service Design, ITIL Service Transition, ITIL Service Operation, and ITIL Continual Service Improvement. The ISO/IEC 27000 Series includes a list of standards, each of which addresses a particular aspect of information security management.

5. d. Technical threat agents include hardware and software failure, malicious code, and new technologies. Human threat agents include both malicious and non-malicious insiders and outsiders, terrorists, spies, and terminated personnel. Natural threat agents include floods, fires, tornadoes, hurricanes, earthquakes, or other natural disaster or weather event. Environmental threat agents include power and other utility failure, traffic issues, biological warfare, and hazardous material issues (such as spillage).

6. d. SLE indicates the monetary impact of each threat occurrence. ARO is the estimate of how often a given threat might occur annually. ALE is the expected risk factor of an annual threat event. EF is the percent value or functionality of an asset that will be lost when a threat event occurs.

7. b. Risk avoidance is terminating the activity that causes a risk or choosing an alternative that is not as risky. Residual risk is risk that is left over after safeguards have been implemented. Risk transfer is passing the risk on to a third party. Risk mitigation is defining the acceptable risk level the organization can tolerate and reducing the risk to that level.

8. d. Advisory security policies provide instruction on acceptable and unacceptable activities. Informative security policies provide information on certain topics and act as an educational tool. Regulatory security policies address specific industry regulations, including mandatory standards. System-specific security policies address security for a specific computer, network, technology, or application.

9. a. The data owner determines the classification level of the information to protect the data for which he or she is responsible. The data custodian implements the information classification and controls after they are determined. The security administrator maintains security devices and software. The security analyst analyzes the security needs of the organizations and develops the internal information security governance documents.

10. a. A computer-assisted crime occurs when a computer is used as a tool to help commit a crime. An incidental computer crime occurs when a computer is involved in a computer crime without being the victim of the attack or the attacker. A computer-targeted crime occurs when a computer is the victim of an attack in which the sole purpose is to harm the computer and its owner. A computer prevalence crime occurs due to the fact that computers are so widely used in today’s world.

11. d. A corrective control reduces the effect of an attack or other undesirable event. A compensative control substitutes for a primary access control and mainly acts as mitigation to risks. A preventive control prevents an attack from occurring. A detective control detects an attack while it is occurring to alert appropriate personnel.

12. a. The four stages of the security program life cycle, in order, are as follows:

1. Plan and Organization

2. Implement

3. Operate and Maintain

4. Monitor and Evaluate

13. b. The Zachman framework is a two-dimensional model that intersects communication interrogatives (What, Why, Where, and so on) with various viewpoints (Planner, Owner, Designer, and so on). It is designed to help optimize communication between the various viewpoints during the creation of the security architecture.

14. c. The chief security officer (CSO) is the officer that leads any security effort and reports directly to the chief executive officer (CEO). The chief privacy officer (CPO) is the officer responsible for private information and usually reports directly to the chief information officer (CIO). The chief financial officer (CFO) is the officer responsible for all financial aspects of an organization. The CFO reports directly to the CEO and must also provide financial data for the shareholders and government entities. The CIO is the officer responsible for all information systems and technology used in the organization and reports directly to the CEO or CFO.

15. d. Most organizations that have trade secrets attempt to protect these secrets using non-disclosure agreements (NDAs). These NDAs must be signed by any entity that has access to information that is part of the trade secret. A trademark is an intellectual property type that ensures that the symbol, sound, or expression that identifies a product or an organization is protected from being used by another. A patent is an intellectual property type that covers an invention described in a patent application and is granted to an individual or company. Digital rights management (DRM) is used by hardware manufacturers, publishers, copyright holders, and individuals to control the use of digital content. This often also involves device controls.

16. d. The most popular directive control is an acceptable use policy (AUP) that lists proper (and often examples of improper) procedures and behaviors that personnel must follow. Corrective controls are in place to reduce the effect of an attack or other undesirable event. Examples of corrective controls include installing fire extinguishers and implementing new firewall rules. Detective controls are in place to detect an attack while it is occurring to alert appropriate personnel. Examples of detective controls include motion detectors, IDSs, or guards. Compensative controls are in place to substitute for a primary access control and mainly act as a mitigation to risks. Examples of compensative controls include requiring two authorized signatures to release sensitive or confidential information and requiring two keys owned by different personnel to open a safety deposit box.

17. a. Due care is a legal term that is used when an organization took all reasonable measures to prevent security breaches and also took steps to mitigate damages caused by successful breaches. Due diligence is a legal term that is used when an organization investigated all vulnerabilities. The default stance is the default security posture used by the organization. An allow-by-default stance permits access to any data unless a need exists to restrict access. A deny-by-default stance is much stricter because it denies any access that is not explicitly permitted. Qualitative risk analysis is a method of analyzing risk whereby intuition, experience, and best practice techniques are used to determine risk.

18. c. Attacker-centric threat modeling profiles an attacker’s characteristics, skills, and motivation to exploit vulnerabilities. Application-centric threat modeling uses application architecture diagrams to analyze threats. Asset-centric threat modeling uses attack trees, attack graphs, or displaying patterns to determine how an asset can be attacked. Hostile describes one of two threat actor categories: non-hostile and hostile.

19. c. A security professional should not be concerned with the cost of a merger or an acquisition. A security professional should only be concerned with issues that affect security and leave financial issues to financial officers.

20. b. CRAMM review includes three steps:

1. Identify and value assets.

2. Identify threats and vulnerabilities and calculate risks.

3. Identify and prioritize countermeasures.