Operations Security
Refer: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-55r1.pdf
Read the NIST documents that I provided and Chapter 12 in your text. Select one of the following types of breaches:
1. A SQL Injection was performed by a hacker, resulting in the loss of PII data.
2. You have discovered a covert leak (exfiltration) of sensitive data to China.
3. Malicious code or malware was reported on multiple users' systems.
4. Remote access for an internal user was compromised - resulting in the loss of PII data.
5. Wireless access. You discovered an "evil twin" access point that resulted in many of your users connecting to the hacker's access point while working with sensitive data.
6. Compromised passwords. You discovered that an attacker used rainbow tables to attack your domain's password file in an offline attack. Assume that all of your users' passwords are compromised.
7. A DoS or DDoS was performed against your system, resulting in the loss of 3 hours of downtime and lost revenue.
Your submission should include three paragraphs and a cover page and references for the following:
Paragraph 1: IRT Team. What would the IRT team look like for this incident (who would be on the team to be able to effectively handle the event)? Justify your choices.
Paragraph 2: Approach. Address HOW you would respond. What logs or tools would you use to identify/analyze the incident? What would alert you to the incident? What tools would you use to contain/recover from the incident?
Paragraph 3: Metrics. How would you measure your team's response effectiveness? What measurements/metrics would you track?
Copyright © 2015 Jones & Bartlett Learning, LLC, an Ascend Learning Company
All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the copyright owner.
Security Policies and Implementation Issues, Second Edition is an independent publication and has not been authorized, sponsored, or otherwise approved by the owners of the trademarks or service marks referenced in this product. The screenshots in this product are for educational and instructive purposes only. All trademarks displayed are the trademarks of the parties noted therein. Such use of trademarks is not an endorsement by said parties of Jones & Bartlett Learning, its products, or its services, nor should such use be deemed an endorsement by Jones & Bartlett Learning of said third party’s products or services.
Microsoft, Internet Explorer, Windows, Microsoft Office, Microsoft Security Development Lifecycle, and Microsoft Baseline Security Analyzer are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. (ISC)2, CISSP, ISSAP, ISSMP, ISSEP, CSSLP, CCFP, CAP, SSCP, and CBK are registered and service marks of (ISC)2, Inc.
This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the service of a competent professional person should be sought.
Production Credits
Chief Executive Officer: Ty Field
President: James Homer
Chief Product Officer: Eduardo Moura
SVP, Curriculum Solutions: Christopher Will
Director of Sales, Curriculum Solutions: Randi Roger
Author: vLab Solutions, LLC, David Kim, President
Editorial Management: High Stakes Writing, LLC, Lawrence J. Goodrich, President
Copy Editor, High Stakes Writing: Ruth Walker
Product Manager, Custom and Curriculum Solutions: Rainna Erikson
Associate Director of Production: Julie Bolduc
Composition: Gamut+Hue, LLC
Rights & Photo Research Manager: Lauren Miller
Manufacturing and Inventory Control Supervisor: Amy Bacus
Senior Marketing Manager: Andrea DeFronzo
Cover Design: Scott Moden
Cover Image: © HunThomas/ShutterStock, Inc.
Chapter Opener Image: © Rodolfo Clix/Dreamstime.com
Printing and Binding: Edwards Brothers Malloy
Cover Printing: Edwards Brothers Malloy
ISBN: 978-1-284-05599-3
Library of Congress Cataloging-in-Publication Data not available at time of printing
Printed in the United States of America 18 17 16 15 14 10 9 8 7 6 5 4 3 2 1
Contents
Preface
Acknowledgments
PART ONE The Need for IT Security Policy Frameworks
CHAPTER 1 Information Systems Security Policy Management
What Is Information Systems Security?
Information Systems Security Management Life Cycle
What Is Information Assurance?
Confidentiality
Integrity
Nonrepudiation
What Is Governance?
Why Is Governance Important?
What Are Information Systems Security Policies?
Where Do Information Systems Security Policies Fit Within an Organization?
Why Information Systems Security Policies Are Important
Policies That Support Operational Success
Challenges of Running a Business Without Policies
Dangers of Not Implementing Policies
Dangers of Implementing the Wrong Policies
When Do You Need Information Systems Security Policies?
Business Process Reengineering (BPR)
Continuous Improvement
Making Changes in Response to Problems
Why Enforcing and Winning Acceptance for Policies Is Challenging
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 1 ASSESSMENT
CHAPTER 2 Business Drivers for Information Security Policies
Why Are Business Drivers Important?
Maintaining Compliance
Compliance Requires Proper Security Controls
Security Controls Must Include Information Security Policies
Relationship Between Security Controls and Information Security Policy
Mitigating Risk Exposure
Educate Employees and Drive Security Awareness
Prevent Loss of Intellectual Property
Protect Digital Assets
Secure Privacy of Data
Lower Risk Exposure
Minimizing Liability of the Organization
Separation Between Employer and Employee
Acceptable Use Policies
Confidentiality Agreement and Nondisclosure Agreement
Business Liability Insurance Policies
Implementing Policies to Drive Operational Consistency
Forcing Repeatable Business Processes Across the Entire Organization
Differences Between Mitigating and Compensating Controls
Policies Help Prevent Operational Deviation
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 2 ASSESSMENT
ENDNOTES
CHAPTER 3 U.S. Compliance Laws and Information Security Policy Requirements
U.S. Compliance Laws
What Are U.S. Compliance Laws?
Why Did U.S. Compliance Laws Come About?
Whom Do the Laws Protect?
Which Laws Require Proper Security Controls to Be Included in Policies?
Which Laws Require Proper Security Controls for Handling Privacy Data?
Aligning Security Policies and Controls with Regulations
Industry Leading Practices and Self-Regulation
Some Important Industry Standards
Payment Card Industry Data Security Standard (PCI DSS)
Statement on Standards for Attestation Engagements No. 16 (SSAE16)
Information Technology Infrastructure Library (ITIL)
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 3 ASSESSMENT
ENDNOTES
CHAPTER 4 Business Challenges Within the Seven Domains of IT Responsibility
The Seven Domains of a Typical IT Infrastructure
User Domain
Workstation Domain
LAN Domain
LAN-to-WAN Domain
WAN Domain
Remote Access Domain
System/Application Domain
Information Security Business Challenges and Security Policies That Mitigate Risk Within the Seven Domains
User Domain
Workstation Domain
LAN Domain
LAN-to-WAN Domain
WAN Domain
Remote Access Domain
System/Application Domain
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 4 ASSESSMENT
CHAPTER 5 Information Security Policy Implementation Issues
Human Nature in the Workplace
Basic Elements of Motivation
Personality Types of Employees
Leadership, Values, and Ethics
Organizational Structure
Flat Organizations
Hierarchical Organizations
The Challenge of User Apathy
The Importance of Executive Management Support
Selling Information Security Policies to an Executive
Before, During, and After Policy Implementation
The Role of Human Resources Policies
Relationship Between HR and Security Policies
Lack of Support
Policy Roles, Responsibilities, and Accountability
Change Model
Responsibilities During Change
Roles and Accountabilities
When Policy Fulfillment Is Not Part of Job Descriptions
Impact on Entrepreneurial Productivity and Efficiency
Applying Security Policies to an Entrepreneurial Business
Tying Security Policy to Performance and Accountability
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 5 ASSESSMENT
ENDNOTE
PART TWO Types of Policies and Appropriate Frameworks
CHAPTER 6 IT Security Policy Frameworks
What Is an IT Policy Framework?
What Is a Program Framework Policy or Charter?
Industry-Standard Policy Frameworks
What Is a Policy?
What Are Standards?
What Are Procedures?
What Are Guidelines?
Business Considerations for the Framework
Roles for Policy and Standards Development and Compliance
Information Assurance Considerations
Confidentiality
Integrity
Availability
Information Systems Security Considerations
Unauthorized Access to and Use of the System
Unauthorized Disclosure of the Information
Disruption of the System or Services
Modification of Information
Destruction of Information Resources
Best Practices for IT Security Policy Framework Creation
Case Studies in Policy Framework Development
Private Sector Case Study
Public Sector Case Study
Private Sector Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 6 ASSESSMENT
CHAPTER 7 How to Design, Organize, Implement, and Maintain IT Security Policies
Policies and Standards Design Considerations
Architecture Operating Model
Principles for Policy and Standards Development
The Importance of Transparency with Regard to Customer Data
Types of Controls for Policies and Standards
Document Organization Considerations
Sample Templates
Considerations for Implementing Policies and Standards
Building Consensus on Intent
Reviews and Approvals
Publishing Your Policies and Standards Library
Awareness and Training
Policy Change Control Board
Business Drivers for Policy and Standards Changes
Maintaining Your Policies and Standards Library
Updates and Revisions
Best Practices for Policies and Standards Maintenance
Case Studies and Examples of Designing, Organizing, Implementing, and Maintaining IT Security Policies
Private Sector Case Study
Public Sector Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 7 ASSESSMENT
CHAPTER 8 IT Security Policy Framework Approaches
IT Security Policy Framework Approaches
Risk Management and Compliance Approach
The Physical Domains of IT Responsibility Approach
Roles, Responsibilities, and Accountability for Personnel
The Seven Domains of a Typical IT Infrastructure
Organizational Structure
Organizational Culture
Separation of Duties
Layered Security Approach
Domain of Responsibility and Accountability
Governance and Compliance
IT Security Controls
IT Security Policy Framework
Best Practices for IT Security Policy Framework Approaches
What Is the Difference Between GRC and ERM?
Case Studies and Examples of IT Security Policy Framework Approaches
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 8 ASSESSMENT
ENDNOTE
CHAPTER 9 User Domain Policies
The Weakest Link in the Information Security Chain
Social Engineering
Human Mistakes
Insiders
Seven Types of Users
Employees
Systems Administrators
Security Personnel
Contractors
Vendors
Guests and General Public
Control Partners
Contingent System
Why Govern Users with Policies?
Acceptable Use Policy (AUP)
The Privileged-Level Access Agreement (PAA)
Security Awareness Policy (SAP)
Best Practices for User Domain Policies
Understanding Least Access Privileges and Best Fit Privileges
Case Studies and Examples of User Domain Policies
Government Laptop Compromised
The Collapse of Barings Bank, 1995
Unauthorized Access to Defense Department Systems
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 9 ASSESSMENT
CHAPTER 10 IT Infrastructure Security Policies
Anatomy of an Infrastructure Policy
Format of a Standard
Workstation Domain Policies
LAN Domain Policies
LAN-to-WAN Domain Policies
WAN Domain Policies
Remote Access Domain Policies
System/Application Domain Policies
Telecommunications Policies
Best Practices for IT Infrastructure Security Policies
Case Studies and Examples of IT Infrastructure Security Policies
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 10 ASSESSMENT
CHAPTER 11 Data Classification and Handling Policies and Risk Management Policies
Data Classification Policies
When Is Data Classified or Labeled?
The Need for Data Classification
Legal Classification Schemes
Military Classification Schemes
Business Classification Schemes
Developing a Customized Classification Scheme
Classifying Your Data
Data Handling Policies
The Need for Policy Governing Data at Rest and in Transit
Policies, Standards, and Procedures Covering the Data Life Cycle
Identifying Business Risks Related to Information Systems
Types of Risk
Development and Need for Policies Based on Risk Management
Risk and Control Self-Assessment
Risk Assessment Policies
Risk Exposure
Prioritization of Risk, Threat, and Vulnerabilities
Risk Management Strategies
Vulnerability Assessments
Vulnerability Windows
Patch Management
Quality Assurance Versus Quality Control
Best Practices for Data Classification and Risk Management Policies
Case Studies and Examples of Data Classification and Risk Management Policies
Private Sector Case Study
Public Sector Case Study
Private Sector Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 11 ASSESSMENT
CHAPTER 12 Incident Response Team (IRT) Policies
Incident Response Policy
What Is an Incident?
Incident Classification
The Response Team Charter
Incident Response Team Members
Responsibilities During an Incident
Users on the Front Line
System Administrators
Information Security Personnel
Management
Support Services
Other Key Roles
Business Impact Analysis (BIA) Policies
Component Priority
Component Reliance
Impact Report
Development and Need for Policies Based on the BIA
Procedures for Incident Response
Discovering an Incident
Reporting an Incident
Containing and Minimizing the Damage
Cleaning Up After the Incident
Documenting the Incident and Actions
Analyzing the Incident and Response
Creating Mitigation to Prevent Future Incidents
Handling the Media and Deciding What to Disclose
Business Continuity Planning Policies
Dealing with Loss of Systems, Applications, or Data Availability
Response and Recovery Time Objectives
Policies Based on the BIA
Best Practices for Incident Response Policies
Disaster Recovery Plan Policies
Disaster Declaration Policy
Assessment of the Disaster’s Severity and of Potential Downtime
Case Studies and Examples of Incident Response Policies
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 12 ASSESSMENT
PART THREE Implementing and Maintaining an IT Security Policy Framework
CHAPTER 13 IT Security Policy Implementations
Simplified Implementation Process
Target State
Distributed Infrastructure
Outdated Technology
Lack of Standardization Throughout the IT Infrastructure
Executive Buy-in, Cost, and Impact
Executive Management Sponsorship
Overcoming Nontechnical Hindrances
Policy Language
Employee Awareness and Training
Organizational and Individual Acceptance
Motivation
Developing an Organization-Wide Security Awareness Policy
Conducting Security Awareness Training Sessions
Human Resources Ownership of New Employee Orientation
Review of Acceptable Use Policies (AUPs)
Information Dissemination—How to Educate Employees
Hard Copy Dissemination
Posting Policies on the Intranet
Using E-mail
Brown Bag Lunches and Learning Sessions
Policy Implementation Issues
Governance and Monitoring
Best Practices for IT Security Policy Implementations
Case Studies and Examples of IT Security Policy Implementations
Private Sector Case Study
Public Sector Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 13 ASSESSMENT
CHAPTER 14 IT Security Policy Enforcement
Organizational Support for IT Security Policy Enforcement
Executive Management Sponsorship
Governance Versus Management
Organizational Structure
The Hierarchical Organizational Approach to Security Policy Implementation
Front-Line Managers’ and Supervisors’ Responsibility and Accountability
Grass-Roots Employees
An Organization’s Right to Monitor User Actions and Traffic
Compliance Law: Requirement or Risk Management?
What Is Law and What Is Policy?
What Security Controls Work to Enforce Protection of Privacy Data?
What Automated Security Controls Can Be Implemented Through Policy?
What Manual Security Controls Assist with Enforcement?
Legal Implications of IT Security Policy Enforcement
Who Is Ultimately Accountable for Risk, Threats, and Vulnerabilities?
Where Must IT Security Policy Enforcement Come From?
Best Practices for IT Security Policy Enforcement
Case Studies and Examples of Successful IT Security Policy Enforcement
Private Sector Case Study
Public Sector Case Study No. 1
Public Sector Case Study No. 2
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 14 ASSESSMENT
CHAPTER 15 IT Policy Compliance and Compliance Technologies
Creating a Baseline Definition for Information Systems Security
Policy-Defining Overall IT Infrastructure Security Definition
Vulnerability Window and Information Security Gap Definition
Tracking, Monitoring, and Reporting IT Security Baseline Definition and Policy Compliance
Automated Systems
Random Audits and Departmental Compliance
Overall Organizational Report Card for Policy Compliance
Automating IT Security Policy Compliance
Automated Policy Distribution
Configuration Management and Change Control Management
Collaboration and Policy Compliance Across Business Areas
Version Control for Policy Implementation Guidelines and Compliance
Compliance Technologies and Solutions
COSO Internal Controls Framework
SCAP
SNMP
WBEM
Digital Signing
Best Practices for IT Security Policy Compliance Monitoring
Case Studies and Examples of Successful IT Security Policy Compliance Monitoring
Private Sector Case Study
Public Sector Case Study
Nonprofit Sector Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 15 ASSESSMENT
APPENDIX A Answer Key
APPENDIX B Standard Acronyms
Glossary of Key Terms
References
Index
To my wife, Lin, and my children
Preface
Purpose of This Book
This book is part of the Information Systems Security & Assurance Series from Jones & Bartlett Learning (www.jblearning.com). Designed for courses and curriculums in IT Security, Cybersecurity, Information Assurance, and Information Systems Security, this series features a comprehensive, consistent treatment of the most current thinking and trends in this critical subject area. These titles deliver fundamental information-security principles packed with real-world applications and examples. Authored by Certified Information Systems Security Professionals (CISSPs), they deliver comprehensive information on all aspects of information security. Reviewed word for word by leading technical experts in the field, these books are not just current, but forward-thinking—putting you in the position to solve the cybersecurity challenges not just of today, but of tomorrow, as well.
Implementing IT security policies and related frameworks for an organization can seem like an overwhelming task, given the vast number of issues and considerations. Security Policies and Implementation Issues demystifies this topic, taking you through a logical sequence of discussions about major concepts and issues related to security policy implementation.
It is a unique book that offers a comprehensive, end-to-end view of information security policies and frameworks, from the raw organizational mechanics of building them to the psychology of implementation. This book presents an effective balance between technical knowledge and soft skills, both of which are necessary for understanding the business context and the psychology of motivating people and leaders. It also introduces you in clear, simple terms to many different concepts of information security such as governance, regulatory mandates, business drivers, legal considerations, and more. If you need to understand how information risk is controlled, or are responsible for oversight of those who do, you will find this book helpful.
Part 1 of this book focuses on why private and public sector organizations need an information technology (IT) security framework consisting of documented policies, standards, procedures, and guidelines. As businesses, organizations, and governments change the way they operate and organize their overall information systems security strategy, one of the most critical security controls is documented IT security policies.
Part 2 defines the major elements of an IT security policy framework. Many organizations, under recent compliance laws, must now define, document, and implement information security policies, standards, procedures, and guidelines. Many organizations and businesses conduct a risk assessment to determine their current risk exposure within their IT infrastructure. Once these security gaps and threats are identified, design and implementation of more-stringent information security policies are put in place. This can provide an excellent starting point for the creation of an IT security policy framework.
Policies are only as effective as the individuals who create them and enforce them within an organization. Part 3 of this book presents how to successfully implement and enforce policies within an organization. Emerging techniques and automation of policy enforcement are also examined.
This book is a valuable resource for students, security officers, auditors, and risk leaders who want to understand what a successful implementation of security policies and frameworks looks like.
Learning Features
The writing style of this book is practical and conversational. Step-by-step examples of information security concepts and procedures are presented throughout the text. Each chapter begins with a statement of learning objectives. Illustrations are used both to clarify the material and to vary the presentation. The text is sprinkled with Notes, Tips, FYIs, Warnings, and sidebars to alert the reader to additional helpful information related to the subject under discussion. Chapter Assessments appear at the end of each chapter, with solutions provided in the back of the book.
Chapter summaries are included in the text to provide a rapid review or preview of the material and to help students understand the relative importance of the concepts presented.
Audience
The material is suitable for undergraduate or graduate computer science majors or information science majors, students at a two-year technical college or community college who have a basic technical background, or readers who have a basic understanding of IT security and want to expand their knowledge.
Acknowledgments
I would like to thank Jones & Bartlett Learning for the opportunity to write this book and be a part of the Information Systems Security & Assurance Series project. I offer my deep appreciation to Lawrence Goodrich and Ruth Walker, who did an excellent job coordinating this book despite many challenges. Their guidance, patience, and support were instrumental to its success.
A special thank you goes to Mike Chapple, whose experience and debate on risk topics was very helpful. His thought-provoking challenges were much appreciated.