Explain the relationship between frameworks, common policies, controls, and procedures.CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives Version 3.0
Security analysts must be aware of the regulations for the countries and industries in which their organization operates.
- Sarbanes-Oxley Act (SOX/SARBOX): Officially the Public Company Accounting Reform and Investor Protection Act of 2002, Sarbanes-Oxley, affect any publicly traded company in the United States. It regulates accounting methods and financial reporting for the organizations. Failure to comply can result in penalties and even jail time for executive officers.
- Health Insurance Portability and Accountability Act (HIPAA): Also known as the Kennedy-Kassebaum Act, HIPAA regulates all healthcare facilities, insurance companies and others that deal with protected health information (PHI). Enforcement is done by the Office of Civil Rights of the Department of Health and Human Services. It defines standards and procedures for storing, using, and transmitting PHI.
- Gramm-Leach-Bliley Act (GLBA): GLBA affects financial institutions and provides for securing all financial information and prohibits sharing of it to third parties.
- Computer Fraud and Abuse Act (CFAA): The CFAA was enacted in 1986 and affects any entities that engaged in hacking of “protected computers”. It was amended several times including by the USA PATRIOT Act and the Identity Theft Enforcement and Restitution Act. A “protected computer” is defined as a computer used exclusively by a financial institution, the US Government or one that is used in interstate or foreign commerce.
- Federal Privacy Act of 1974: The Federal Privacy Act affects any computer that contains records used by a federal agency. It provides guidelines on the use and dissemination of PII.
- Federal Intelligence Surveillance Act (FISA) of 1978: FISA gives law enforcement and intelligence agencies guidelines for the collection of electronic evidence related to foreign powers and agents.
- Electronic Communications Privacy Act (ECPA) of 1986: ECPA extended wiretap laws to include transmission of electronic data by computer. It has been amended by CALEA, USA PATRIOT ACT, and the FISA Amendments.
- Computer Security Act of 1987: The Computer Security Act of 1987 has been superseded by the Federal Information Security Management Act (FISMA). This was the first law to require a written computer security plan.
- United States Federal Sentencing Guidelines of 1991: These guidelines provide the sentencing for cyber crimes and other felonies.
- Communications Assistance for Law Enforcement Act (CALEA): CALEA requires telecommunications carriers and equipment manufacturers to ensure that they have built-in surveillance capabilities for federal agencies.
- Personal Information Protection and Electronic Documents Act (PIPEDA): A Canadian regulation to protect PII.
- Basel II: Basel II affects financial businesses. It addresses minimum capital requirements, supervisory review and market discipline.
- Federal Information Security Management Act (FISMA) of 2002: FISMA affects all federal agencies and requires them to develop, document and implement an information security program.
- Economic Espionage Act of 1996: Covers the protection of trade secrets.
- USA PATRIOT Act: The USA PATRIOT Act enhances the investigation tools for law enforcement.
- Health Care and Education Reconciliation Act of 2010: This act increased some security measures for PHI.
- Employee Privacy Issues and Expectation of Privacy: This act provided for notification to employees of monitoring done by their employer.
- European Union: The EU has implemented several regulations on security and privacy including the Principles on Privacy, Data Protection Directive and the General Data Protection Regulation.
- Safe Harbor – an entity that conforms to all EU Principles on Privacy
- Data Haven – A country that fails to legally protect personal data.
National Institute of Standards and Technology (NIST)
NIST SP 800-53 is the security controls framework from NIST. It divides the controls into technical operational and management. The control families are as follows:
|Access Control (AC)||Technical|
|Awareness and Training (AT)||Operational|
|Audit and Accountability (AU)||Technical|
|Security Assessment and Authorization (CA)||Management|
|Configuration Management (CM)||Operational|
|Contingency Planning (CP)||Operational|
|Identification and Authentication (IA)||Technical|
|Incident Response (IR)||Operational|
|Media Protection (MP)||Operational|
|Physical and Environmental Protection (PE)||Operational|
|Program Management (PM)||Management|
|Personnel Security (PS)||Operational|
|Risk Assessment (RA)||Management|
|System and Services Acquisition (SA)||Management|
|System and Communication Protection (SC)||Technical|
|System and Information Integrity (SI)||Operational|
NIST Cybersecruity Framework focuses on IT security.
- Framework Core: Presents five cybersecurity functions which are divided into subfunctions.
- Implementation tiers: Tiers are levels of sophistication for organizations to try to reach. They are Partial, Risk Informed, Repeatable, and Adaptive.
- Framework profiles: Profiles are used to compare current state to a target state.
International Organization for Standardization (ISO)
Created the ISO/IEC 27000 series with the International Electrotechnical Commission (IEC).
Control Objectives for Information and Related Technology (COBIT)
Divides IT into four domains.
- Plan and Organize (PO)
- Acquire and Implement (AI)
- Deliver and Support (DS)
- Monitor and Evaluate (ME)
COBIT aligns with ITIL, PMI, IOS and TOGAF and is used in the private sector.
COBIT’s security controls development framework has five principles:
- Meeting stakeholder needs
- Covering the enterprise end-to-end
- Applying a single integrated framework
- Enabling a holistic approach
- Separating governance from management
These principles drive the control objects that are seven enablers:
- Principles, policies and frameworks
- Organizational structures
- Culture, ethics and behavior
- Services, infrastructure and applications
- People, skills and competencies
Sherwood Applied Business Security Architecture (SABSA)
SABSA is an enterprise security architecture using the six questions of what, where, when, why, who, and how. These intersect with the layers of operational, component, physical, logical, conceptual and contextual.
The Open Group Architecture Framework (TOGAF)
An enterprise architecture framework. The latest version is TOGAF 9.1. It is based on four interrelated domains:
- Business architecture
- Applications architecture
- Data architecture
- Technical architecture
Information Technology Infrastructure Library (ITIL)
ITIL is a process management standard developed by the US Government’s Office of Management and Budget. It does have a security component, but that is only a part of it.
Password policies rely on some basic terminologies around passwords.
- Standard word passwords: A single word, easy to crack or break.
- Combination passwords: mix of multiple dictionary words with mixed case and numbers.
- Static passwords: Stay the same for each login (opposite of OTP)
- Complex passwords: Forces a mixture of upper, lowercase, numbers and special characters. Hard to crack, but harder to remember and enter correctly.
- Passphrase passwords: A long phrase that is easier to remember and harder to attack.
- Cognitive passwords: Security questions, used to validate who you are.
- One-Time Passwords (OTP): Dynamic passwords used only once.
- Graphical Passwords: Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)
- Numeric passwords: PINs
- Password life: How long a password is valid.
- Password history: How long before a password can be reused.
- Authentication period: How long a user can remain logged in.
- Password complexity: How a password is structured.
- Password length: How many characters a password must have.
Acceptable Use Policy (AUP)
AUPs let users know what is allowed and not allowed and how violations will be handled.
Data Ownership Policy
The data owner is the person that is responsible for the data. Often this is the creator, but the policy could set a department head or other individual. This is often combined with a data classification policy as the owner is often the one that does the classification.
Data Retention Policy
Details how data is stored and how long. Regulatory environments may dictate and type of data that must be stored. This policy often interacts with the data classification policy.
- What are the legal/regulatory requirements and business needs for the data?
- What are the types of data?
- What are the retention periods and destruction needs of the data?
Account Management Policy
It is important to have a policy that determines how new accounts are created, how current ones are maintained and when accounts should be deleted. Some questions to ask:
- Is there a current list of authorized users and is it maintained and approved?
- Are passwords changed at least every 90 days?
- Are inactive user accounts disabled after a period?
Proper management of accounts includes:
- A formal MAC-D procedure for accounts.
- Periodic audits.
- Implement a process for tracking access authorizations.
- Periodic re-screening for sensitive positions.
- Periodically verify the legitimacy of accounts.
Data Classification Policy
Data should be classified based on sensitivity and value to the organization. Assigning value helps evaluate the resources used to protect the data.
Sensitivity and Criticality: Sensitivity measures how freely or not freely data can be handled and by whom. This may be subject to regulation and corporate policies. Criticality is the importance of the data. Part of that determination includes will you be able to recover it in a disaster, how long will it take to recover and what is the effect of this inaccessibility?
Commercial Business Classifications: Generally business classifications are divided into four levels.
- Confidential: examples are trade secrets and intellectual data
- Private: examples are data, medical records salary information
- Sensitive: examples are organizational financial information
- Public: data that would not negatively impact if disclosed
Military and Government Classifications:
- Top Secret: weapon blueprints, spy satellite information, national security information, aliens
- Secret: troop deployment plans, missile placement
- Confidential: patents, trade secrets
- Sensitive but unclassified: medical or personal data
- Unclassified: All other data. Accessible under FOIA.
Controls are countermeasures to vulnerabilities and are divided into categories.
- Compensative: Compensative controls are there to mitigate risks as a substitute for a primary access control. Examples would be requiring two keys owned by different people to open a safety deposit box.
- Corrective: Corrective controls reduce the effect of an attack. Examples include new firewall rules and restoring services using images to a previous state.
- Detective: Detective controls detect an attack and report it. Examples would be IDS and log monitoring.
- Deterrent: Deterrent controls discourage attackers. Examples include user identification and authentication and security policies.
- Directive: Directive controls specify acceptable practices. They formalize policy to employees. An example is an AUP.
- Preventive: Preventive controls prevent attacks. Examples include IPS, AV and INFOSEC awareness training.
- Recovery: Recovery controls recover systems after an attack. Examples are DR plans, backups, and offsite backups.
Control Selection Based on Criteria
Controls are selected based on the way the vulnerability is to be addressed and the cost to mitigate versus the cost of an attack.
- Risk avoidance: Terminating the activity that causes the risk.
- Risk transfer: Pass the risk to a third party, insurance.
- Risk mitigation: define what acceptable risk the organization can take and reduce it to that level
- Risk acceptance: Understand the risk and accept it as well as potential damage.
Quantitative Risk Analysis
Quantitative Risk Analysis places numeric values on the risks faced.
SLE = AV x EF
ALE = SLE x ARO
- SLE: Single loss expectancy
- ALE: Annual loss expectancy
- AV: Asset Value
- EF: exposure factor
- ARO: annualized rate of occurrence
Qualitative Risk Analysis
Qualitative Risk Analysis does not assign monetary values. Instead a group is chosen to evaluate the risks and the likeliness of them occurring. The data is combined into a single report. The disadvantage is that this method is more subjective.
Countermeasure (Control) Selection
Cost-effectiveness is the most common reason to choose a safeguard. To calculate the cost-benefit analysis you use the equation (ALE before safeguard) – (ALE after safeguard) – (Annual cost of safeguard) = Safeguard Value
Total Risk vs. Residual Risk
Total risk is the risk if no safeguards are in place. Residual risk is the total risk minus the countermeasures.
Organizationally Defined Parameters
Most concepts apply to all organizations, but each environment will have unique situations that dictate unique approaches.
Physical controls include some of the following:
- Fire extinguisher
- Motion Detectors
- Data backups
Logical (Technical) Controls
Logical controls include some of the following:
- Configuration Standards
Administrative (Management) Controls
Management controls include some of the following:
- Personnel procedures
- Security policies
- Separation of duties
- DR Plan
- Background checks
Continuous monitoring requires that an organization know what the normal baseline is. These baselines must be updated when changes are made.
- Identify what type of system to seize
- Identify the search and seizure team members
- Determine the risk of the suspect destroying evidence
Patching procedures should go through a life cycle:
- Determine the priority of patches and schedule deployment.
- Test the patches prior to deployment.
- Install the patches in the live environment.
- Ensure patches are working properly.
Compensating Control Development
Developing compensating controls depends on the likelihood of the vulnerability being exposed, sensitivity of the resource and the cost of implementation vs the cost of an exploit.
Control Testing Procedures
Testing of controls can be manual or automated. Automated checks are preferred. SCAP is a method to enable automatic testing based on standards.
Any exceptions need to be made in a standard way and documented.
- Budget for security testing
- Streamline the testing and re-testing
- Train teams on secure coding
- Give information security the final call on application release
Characteristics of remediation plans:
Verifications and Quality Control
Audits done by a third party help to validate an enterprise’s security team is properly implementing policy and procedures. An audit plan should include the following:
- Minimum of annual audits
- Determine organizational objectives for audits
- Set ground rules before the audit including date and times.
- Choose auditors with security experience
- Involve business unit managers early and often
- Ensure the auditors have experience, not just checklists.
- Make sure the report reflects risk identified by the organization.
- Ensure the audit is performed properly
- The audit should cover all systems, policies and procedures.
The Statement on Standards for Attestation Engagements (SSAE) 16 is a standard for verification of controls and processes. It has multiple types of reports.
|Report Type||What it Reports||Who Gets the Report|
|SOC 1||Internal controls over financial reporting||Auditors and controller|
|SOC 2||Security, availability, confidentiality and privacy controls||Management, regulators|
|SOC 3||Security, availability, confidentiality and privacy controls||Publicly available|
Typically compare configuration settings and patch status with a security baseline checklist to ensure the organization is implementing what it set out to do.
Can be internal external and focus on the effectiveness of the current controls.
Capability Maturity Model Integration (CMMI) is a set of. guidelines for all phases of the software development life cycle.
Certification evaluates the technical system and accreditation is accepting the system security at a management level. One certification is the National Information Assurance Certification and Accreditation Process (NIACAP).
NIACAP has four phases: definition, verification, validation, and post accreditation. There are three types of accreditation: Type, System, and Site.
The ISO/IEC27001:2013 standard is the most popular for organizations to be certified for information security.