TABLE 2-3 Description of Standards, Procedures, Guidelines, and Baselines

| Title | Description |
|---|---|
| Standards | Mandatory actions, explicit rules, or controls that are designed to support and conform to a policy. A standard should make a policy more meaningful and effective by including accepted specifications for hardware, software, or behavior. Standards should always point to the policy to which they relate. |
| Procedures | Written steps to execute policies through specific, prescribed actions; this is the "how" in relation to a policy. Procedures tend to be more detailed than policies. They identify the method and state, in a series of steps, exactly how to accomplish an intended task, achieve a desired business or functional outcome, and execute a policy. |
| Guidelines | An outline for a statement of conduct. This is an additional (optional) document in support of policies, standards, and procedures and provides general guidance on what to do in particular circumstances. Guidelines are not requirements to be met but are strongly recommended. |
| Baselines | Platform-specific rules that are accepted across the industry as providing the most effective approach to a specific implementation. |

| Item | Attributes |
|---|---|
| Inherent risk | The risk that naturally occurs because of the nature of the business before controls are applied |
| Control risk | The risk that internal controls will not prevent a material error |
| Detection risk | The risk that misstatements or possibly material errors have occurred and were not detected |

| Class | Function | Example |
|---|---|---|
| Preventive | Prevents problems before they occur | Access control software that uses passwords, tokens, and/or biometrics |
| Detective | Senses and detects problems as they occur | Security logs |
| Corrective | Reduces the impact of threats and minimizes the impact of problems | Backup power supplies |

TABLE 3-3 Performing a Qualitative Assessment

| Asset | Loss of Confidentiality | Loss of Integrity | Loss of Availability |
|---|---|---|---|
| Customer credit card and billing information | High | High | Medium |
| Production documentation | Medium | Medium | Low |
| Advertising and marketing literature | Low | Low | Low |
| HR (employee) records | High | High | Medium |

TABLE 3-6 Separation of Duties

| First Job Role | Combined (Yes/No) | Second Job Role |
|---|---|---|
| Systems analyst | No | Security administrator |
| Application programmer | Yes | Systems analyst |
| Help desk | No | Network administrator |
| Data entry | Yes | Quality assurance |
| Computer operator | No | Systems programmer |
| Database administrator | Yes | Systems analyst |
| Systems administrator | No | Database administrator |
| Security administrator | No | Application programmer |
| Systems programmer | No | Security administrator |

TABLE 3-7 Key Employee Controls

| Terms | Control Usage | Attributes |
|---|---|---|
| Background checks | Hiring practice | Helps match the right person to the right job |
| Required vacations | Uncovers misuse | Serves as a detective control to uncover employee malfeasance |
| Rotation of assignment | Prevents excessive control | Rotate employees to new areas |
| Dual control | Limits control | Aids in separation of duties |
| Non-disclosure agreement (NDA) | Aids in confidentiality | Helps prevent disclosure of sensitive information |
| Security training | Improves performance | Improves performance and gives employees information on how to handle certain situations |
| Segregation of duties (SoD) | Reduces the risk of error and fraud | Reduces the risk of human error or fraud by requiring that higher-risk transactions be performed by two or more people |

TABLE 5-2 Project Organizational Forms

| Form | Description |
|---|---|
| Pure project | Formal authority is held by the project manager. The team may have a dedicated project work area. |
| Influence | The project manager has no real authority, and the functional manager remains in charge. |
| Weak matrix | The project manager has little or no authority and is part of the functional organization. |
| Balanced matrix | The project manager has some functional authority, and management duties are shared with functional managers. |
| Strong matrix | In this more expensive model, the project has members assigned for dedicated tasks. The advantage is that this offers a greater level of authority. |

TABLE 5-4 The NIST SDLC Process (NIST SP 800-34)

| Waterfall Phase | Description |
|---|---|
| Initiation | Benefits and needs are determined at this phase of the SDLC. |
| Development/Acquisition | At this phase, the purpose of the project must be defined. The systems must be designed, developed, constructed, or purchased. |
| Implementation | The system is installed and end users are trained. At this point, the auditor must verify that all required controls in the design function as described. |
| Operation/Maintenance | The system or program performs the work for which it was designed. Patching and maintenance are important at this point. |
| Disposal | At this phase, the system or program is retired and data is destroyed or archived using an approved method. |

| Test Type | Description |
|---|---|
| Alpha test | The first and earliest version of an application, followed by a beta version. Both are considered prereleases. |
| Pilot test | Used as an evaluation to verify functionality of the application. |
| White-box test | A type of test that verifies inner program logic. This testing is typically cost-prohibitive on a large application or system. |
| Black-box test | Integrity-based testing that looks at inputs and outputs. Black-box testing can be used to ensure the integrity of system interfaces. |
| Function test | A type of test that validates a program against a checklist of requirements. |
| Regression test | A type of test that verifies that changes in one part of the application did not affect any other parts of the same application or its interfaces. |
| Parallel test | Parallel tests involve the use of two systems or applications at the same time. The purpose of this testing is to verify a new or changed system or application by feeding data into both and comparing the results. |
| Sociability test | A type of test that verifies that the system can operate in its targeted environment. |

TABLE 5-6 Sample Media Destruction Policy

| Media | Wipe Standard | Description |
|---|---|---|
| Rewritable magnetic media (hard drive, flash drive, and so on) | Drive wiping or degaussing | DOD 5220.22-M seven-pass drive wipe or electric degaussing |
| Optical media (CD-RW, DVD-RW, DVD+RW, CD-R, DVD-R, and so on) | Physical destruction | Physical destruction of the media by shredding or breaking |

| Service | Description |
|---|---|
| Infrastructure as a Service | A form of cloud computing service that provides virtualized computing resources over the Internet. |
| Platform as a Service | A form of cloud computing service in which a platform allows customers to develop, run, and manage applications without the complexity of building and maintaining the infrastructure typically associated with it. |
| Software as a Service | A form of cloud computing service in which a third-party provider hosts applications and makes them available to customers over the Internet. |

TABLE 6-4 Processing Control Techniques

TABLE 6-6 Continuous Audit Techniques

| Technique | Description | Issues and Concerns |
|---|---|---|
| Systems control audit review file and embedded audit modules (SCARF/EAM) | The application must contain embedded audit software to act as a monitoring agent. | Cannot be used to interrupt regular processing |
| Integrated test facilities | Live and dummy data are fed into the system. The results of the dummy data are compared with precalculated results. | Should not be used with test data |
| Continuous and intermittent simulation (CIS) | CIS simulates the transaction run. If data meets certain criteria, the simulator logs the transaction; otherwise, processing continues. | Requires examination of transactions that meet specific criteria |
| Snapshots | This technique tags transactions and then takes snapshots as the data is moved from input to output. | Requires an audit trail |
| Audit hooks | This technique uses embedded hooks that act as red flags if certain conditions are met. | Detects items that meet specific criteria |

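An embedded audit module in the SCARF/EAM and audit-hook style described in the table, written as an added example rather than code from the guide: each transaction is posted normally and the hooks only decide whether to log it, so regular processing is never interrupted. The high-value threshold, the dual-control criterion (borrowed from Table 3-7), and the sample transactions are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Transaction:
    tid: str
    amount: float
    entered_by: str
    approved_by: Optional[str]  # None when nobody else signed off

# Assumed criteria (not from the guide): a high-value threshold, plus the
# dual-control rule of Table 3-7 that higher-risk items need a second person.
HIGH_VALUE_LIMIT = 10_000.0
AuditHook = Callable[[Transaction], Optional[str]]

def hook_high_value(tx: Transaction) -> Optional[str]:
    """Audit hook: red-flag any transaction at or above the high-value limit."""
    if tx.amount >= HIGH_VALUE_LIMIT:
        return f"amount {tx.amount:.2f} >= {HIGH_VALUE_LIMIT:.2f}"
    return None

def hook_dual_control(tx: Transaction) -> Optional[str]:
    """Audit hook: a high-value item must be approved by a different person."""
    if tx.amount >= HIGH_VALUE_LIMIT and tx.approved_by in (None, tx.entered_by):
        return "dual control not satisfied"
    return None

AUDIT_HOOKS: list[AuditHook] = [hook_high_value, hook_dual_control]

def run_with_audit(transactions: list[Transaction]) -> tuple[list[str], list[dict]]:
    """Post every transaction, then let the embedded module examine it.
    The module only records; it never interrupts regular processing (SCARF/EAM)."""
    posted: list[str] = []
    scarf_file: list[dict] = []
    for tx in transactions:
        posted.append(tx.tid)  # stands in for the real business processing
        reasons = [r for hook in AUDIT_HOOKS if (r := hook(tx)) is not None]
        if reasons:  # CIS-style selection: only items meeting criteria are logged
            scarf_file.append({"tid": tx.tid, "reasons": reasons})
    return posted, scarf_file

# Constructed sample transactions so the module runs offline.
SAMPLE = [
    Transaction("T1", 250.00, "alice", "bob"),
    Transaction("T2", 12_500.00, "alice", "bob"),    # high value, dual-controlled
    Transaction("T3", 15_000.00, "carol", "carol"),  # high value, self-approved
    Transaction("T4", 9_999.99, "dave", None),       # below the limit
]
```

Running `run_with_audit(SAMPLE)` posts all four transactions and writes only T2 and T3 to the SCARF file, T3 with both reasons.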
TABLE 7-2 Frameworks and Best Practices

| Name | Overview |
|---|---|
| ITIL | A leading service management standard |
| FitSM | A lightweight service management standard |
| ISO 20000 | One of the first service management standards |
| eTOM | Designed for the telecommunications market |

| Port | Service | Protocol |
|---|---|---|
| 20/21 | FTP | TCP |
| 22 | SSH | TCP |
| 23 | Telnet | TCP |
| 25 | SMTP | TCP |
| 53 | DNS | TCP/UDP |
| 67/68 | DHCP | UDP |
| 80 | HTTP | TCP |
| 110 | POP3 | TCP |
| 143 | IMAP | TCP |
| 161 | SNMP | UDP |

| Equipment | OSI Layer | Description |
|---|---|---|
| Gateway | OSI Layer 4 or higher | Gateways operate at the transport layer and above. Gateways translate each source-layer protocol into the appropriate destination-layer protocol. For example, an application-layer gateway is found at Layer 7. |
| Router | OSI Layer 3 | Routers are used to connect distant sites over a WAN, improve performance by limiting physical broadcast domains, and ease network management by segmenting devices into smaller subnets rather than one large network. |
| Switch | OSI Layer 2 | Switches are hardware based and provide logical segmentation by observing the source and destination physical address of each data frame. Virtual LANs (VLANs) are one function that many switches provide. VLANs separate various ports on a switch, thereby segmenting traffic much as a Layer 3 router would. |
| 802.11 wireless access points | OSI Layer 2 | Wireless access points are found at OSI Layer 2. Devices that combine wireless access with routing are found at OSI Layer 3. |
| Hub | OSI Layer 1 | Hubs connect individual devices and provide physical connectivity so that devices can share data. Hubs amplify and regenerate the electrical signals. They are similar to repeaters except that hubs have multiple ports. |

| Type | Use | Topology | Maximum Length or Distance | Access Standard |
|---|---|---|---|---|
| Copper cable | 10BASE-T (10Mbps); 100BASE-TX (100Mbps); 1000BASE-TX (10Gbps) | Star | 100 meters; 100 meters; 100 meters | Ethernet CSMA/CD |
| Coaxial cable | 10BASE5 (10Mbps); 10BASE2 (10Mbps) | Bus | 500 meters; 185 meters | 802.3 |
| Fiber-optic cable | 10BASE-F (10Mbps); 100BASE-FX (100Mbps); 1000BASE-LX (1000Mbps) | Bus, star, or mesh | Long distances; for example, 10BASE-F can range up to 2,000 m | 802.3 and 802.3ae |
| Wireless LAN | In the 2.4GHz band | Wireless | Varies, depending on the standard | 802.11 |

TABLE 8-5 Attributes of Symmetric and Asymmetric Encryption

| Type of Encryption | Advantages | Disadvantages |
|---|---|---|
| Symmetric | Faster than asymmetric encryption | Key distribution; provides only confidentiality |
| Asymmetric | Easy key exchange; can provide confidentiality and authentication | Slower than symmetric encryption |

TABLE 8-6 Attributes of Symmetric and Asymmetric Encryption and the OSI Reference Model

| TCP/IP | OSI Layer (ISO 7498-1) | Security Control | Security Model (ISO 7498-2) |
|---|---|---|---|
| Application | Application | SSH, PGP, SET | Authentication |
| | Presentation | SSL and TLS | Access control |
| | Session | | Nonrepudiation |
| Transport | Transport | | Data integrity |
| Network | Network | IPsec | Confidentiality |
| | Data link | PPTP, L2TP, WPA2 | Assurance |
| | Physical | | Notarization |

TABLE 8-8 Data Classification Types

| Commercial Business Classifications | Military Classifications |
|---|---|
| Confidential | Top secret |
| Private | Secret |
| Sensitive | Confidential |
| Public | Sensitive |
| | Unclassified |

TABLE 9-2 Best Practices Examples

| Item | Recommendation |
|---|---|
| Logs | Mandatory log monitoring. |
| Patching | Patch all systems and applications. |
| Vulnerability assessment | Establish a process to identify newly discovered security vulnerabilities. |
| Encryption | Enforce encryption for data at rest and data in transit. |
| User accounts | Remove inactive user accounts at least every 90 days. |
| Passwords | Remove default passwords and require unique passwords for all users. |

TABLE 9-3 Common Security Controls for Virtual Systems

| Security Control | Comments |
|---|---|
| Antivirus | Antivirus must be present on the host and all VMs. |
| Authentication | Use strong access control. |
| Encryption | Use encryption for sensitive data in storage or transit. |
| Hardening | All VMs should be hardened so that nonessential services are removed. |
| Physical controls | Controls should be implemented to limit who has access to the data center. |
| Remote access services | Remote access services should be restricted when not needed. When required, use encryption. |
| Resource access | Use administrative accounts only as needed. |

TABLE 9-5 The NIST Four-Stage Pen Test Methodology

| Stage | Description |
|---|---|
| Planning | At this stage, a signed letter of authorization is obtained and the rules of engagement are established. The team must have goals, know the time frame, and know the limits and boundaries. |
| Discovery | This stage is divided into two distinct phases. Passive: information is gathered in a very covert manner; examples include surfing the organization's website to mine valuable information and reviewing job openings to gain a better understanding of the technologies and equipment the organization uses. Active: this phase is split between network scanning and host scanning; as individual networks are enumerated, they are further probed to discover all hosts, determine their open ports, and attempt to pinpoint the OS. Nmap is a popular scanning program. |
| Attack | At this stage, the pen testers attempt to gain access, escalate their privileges, browse the system, and expand their influence. |
| Reporting | In this final stage, documentation is used to compile the final report. This report serves as the basis for corrective action, which can range from nothing more than enforcing existing policies to closing unneeded ports and adding patches and service packs. |