Information Security Management Flashcards

1
Q

Implications of the Internet being very new

A

New uses continually developing

No time for Information Security to mature as a discipline.

  • Increased inter-connectivity
    • Increased complexity
    • Increased risk
  • External threats
    • Web sites, external interfaces coded for functionality, not security
    • Continual business requirements to open holes in the perimeter
  • Internal systems become increasingly high-value
    • Increased operational requirements
    • Increased cost of failure
    • Increased threat from internal actors
  • Business requirements don’t take into account security cost and risk
    • Bring Your Own Device
    • Mobile Working
    • Remote Access
2
Q

Current Issue with Information Security

A

Security is seen as a Non-Functional Requirement

  • No drive to resolve security issues
  • Functionality is prioritised over security
  • Security is not given resource
3
Q

What is needed to make security a priority?

A

Pressure is needed to make security a priority

  • Commercial Pressure
  • Customer Pressure
  • Legal Pressure
  • Regulatory Pressure
4
Q

4 questions to start designing information security

A

What are we protecting?

  • Intellectual Property?
    • Pharmaceutical Company
    • Trading House
  • Customer Information?
    • Hospital
    • Bank
    • Government Ministry
  • Something with direct value?
    • Bank

Who are we protecting against?

  • External attackers?
  • Internal attackers?

What capability are we worried about?

  • Nation-State-level?
  • Organised Crime?
  • Individual actors?
  • Hackers?
  • Political activists?
  • Knowledgeable insiders?

Can we afford it?

  • Be reasonable!
5
Q

Possible Approaches to Increase Security

A
  • No remote access. If you need to work, come into the office
  • No Internet at the desktop
  • Highly visible Physical Security measures
  • No BYOD
  • Positive management support and attention for Security issues
  • Disaster Recovery
6
Q

Defense in Depth

A
  • Defend beyond your secure zone
  • Multiple Layers of Security
  • Different Forms of Defense
  • Protection against a weakness in any one layer
  • Each layer can protect against different types of attack
  • Weaken the enemy incrementally
  • Encourage them to attack points of strength
7
Q

Limitations of Defense in Depth

A
  • Increased complexity
  • Usability issues
  • Cost versus reward not guaranteed
  • Customer perception may decline
8
Q

3 requirements (strongly recommended) for information security

A

1. Security Policy

  • Covers basic security requirements
  • Without a policy, you won’t get far
  • Typically fairly short – maybe 20 pages

2. Technical Documentation

  • Gives specifics on how to implement policy in different circumstances
  • Settings on systems
  • Design constraints
  • Processes and procedures that need to be in place

3. An organisation to support all this

  • Security changes rapidly
  • Nobody else cares about Security
9
Q

12 things we need in a Security Organisation

A
  1. Security Engineering
  2. Identity and Access Management
  3. Logging and Monitoring
  4. Security Operations
  5. Security Architects
  6. Application Security
  7. Security Compliance
  8. Risk Management
  9. Physical security
  10. Data Protection
  11. Internal Audit
  12. Audit Response
10
Q

1 Security Engineering

A

1. Security Engineering

  • Firewalls
  • Proxies
  • Secure Email Systems
  • Remote Access Systems
  • Intrusion Detection Systems
  • Problem – creates a set of ‘Super Users’
11
Q

2 Identity and Access Management

A

2. Identity and Access Management

  • Create User Accounts (Joiners)
  • Allocate Privilege
  • Remove User Accounts (Leavers)
  • Data Classification
  • Revalidation of User Accounts
    • Privilege Revalidation
    • Employment Revalidation
    • Continued Business Need Revalidation
  • Problem – shifts the ‘Super User’ issue to IAM
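The three revalidation checks on this card (privilege, employment, continued business need) plus joiner/leaver handling can be run as one reconciliation of the HR roster against an account export. The script below is an added example, not code from the original page; the record shapes, the entitlement-to-department role model, the 90-day review and 60-day idle thresholds and the sample data are all assumptions chosen to illustrate the card.

```python
"""Account revalidation: joiners/movers/leavers plus privilege and business-need review.

Added example. Employee and Account shapes, the ENTITLEMENT_DEPARTMENTS role model,
the thresholds and the sample data are assumptions, not anything the page defines.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Employee:
    emp_id: str
    status: str          # "active" or "left" (hypothetical HR feed)
    department: str


@dataclass
class Account:
    name: str
    owner: Optional[str]       # employee id, or None when nobody owns the account
    entitlements: set
    last_used: date
    last_reviewed: date


# Hypothetical role model: departments with a standing business need for each entitlement.
ENTITLEMENT_DEPARTMENTS = {
    "fw-admin": {"security-eng"},
    "iam-admin": {"iam"},
    "payments-approver": {"finance"},
    "email": {"security-eng", "iam", "finance", "sales"},
}


def revalidate(employees, accounts, today, review_max_days=90, idle_max_days=60):
    """Return (account, finding, detail) tuples; an empty list means every account passed."""
    roster = {e.emp_id: e for e in employees}
    findings = []
    for acct in accounts:
        emp = roster.get(acct.owner) if acct.owner else None
        if emp is None:
            findings.append((acct.name, "orphan", "no owner in HR roster"))
            continue
        if emp.status != "active":
            # Employment revalidation: a leaver's account gets disabled; nothing else matters.
            findings.append((acct.name, "leaver", f"owner {emp.emp_id} has left"))
            continue
        # Privilege and business-need revalidation: each entitlement must fit the owner's department.
        for ent in sorted(acct.entitlements):
            if emp.department not in ENTITLEMENT_DEPARTMENTS.get(ent, set()):
                findings.append((acct.name, "privilege", f"{ent} not justified for {emp.department}"))
        if (today - acct.last_reviewed).days > review_max_days:
            findings.append((acct.name, "review-overdue", f"last reviewed {acct.last_reviewed}"))
        if (today - acct.last_used).days > idle_max_days:
            findings.append((acct.name, "idle", f"last used {acct.last_used}"))
    return findings


# Constructed sample data (not real people or systems).
TODAY = date(2024, 6, 1)
EMPLOYEES = [
    Employee("e1", "active", "security-eng"),
    Employee("e2", "left", "finance"),
    Employee("e3", "active", "sales"),      # a mover: came from IAM, kept iam-admin
]
ACCOUNTS = [
    Account("alice", "e1", {"fw-admin", "email"}, date(2024, 5, 30), date(2024, 4, 1)),
    Account("bob", "e2", {"payments-approver", "email"}, date(2024, 2, 1), date(2024, 1, 1)),
    Account("carol", "e3", {"iam-admin", "email"}, date(2024, 5, 28), date(2024, 1, 15)),
    Account("svc-backup", None, {"fw-admin"}, date(2024, 3, 1), date(2024, 1, 1)),
]


def run_example():
    return revalidate(EMPLOYEES, ACCOUNTS, TODAY)


if __name__ == "__main__":
    for name, kind, detail in run_example():
        print(f"{name}: {kind} ({detail})")
```

The leaver and orphan cases short-circuit deliberately: once an account has no valid active owner, its entitlements are irrelevant and the only correct action is to disable it. The mover case (carol) is what privilege revalidation is for, since the joiner and leaver processes on their own never catch it.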
12
Q

3 Logging and Monitoring

A

3. Logging and Monitoring

  • Log collection – from everything
  • Identify unusual activity
  • Generate alerts
  • Validate alerts
  • Watch the Security Organisation and other Super-Users
  • This becomes a Big Data challenge very quickly
  • Problem – who watches the watchers?
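The middle of this card (identify unusual activity, generate alerts, watch the super-users) is a detection pipeline, and the "who watches the watchers" problem is a rule in it. The following is an added example, not code from the original page; the key=value log format, the privileged-action list, the super-user list, the change window and the sample log lines are all constructed assumptions.

```python
"""Rule-based alerting over constructed key=value log lines.

Added example. The log format, PRIVILEGED_ACTIONS, SUPER_USERS, the change window and
SAMPLE_LOG are assumptions chosen to illustrate the card, not anything the page defines.
"""
from datetime import datetime, timezone

# Hypothetical policy inputs.
PRIVILEGED_ACTIONS = {"rule_change", "privilege_grant", "log_delete"}
SUPER_USERS = {"secops-jane", "iam-bot"}     # the security organisation's own accounts
CHANGE_WINDOW_UTC = (1, 5)                   # privileged changes expected between 01:00 and 04:59 UTC

# Constructed sample log, oldest line first.
SAMPLE_LOG = """\
2024-06-01T02:10:00Z host=fw1 user=secops-jane action=rule_change ticket=CHG-1043
2024-06-01T02:12:00Z host=dc1 user=alice action=login src=10.0.1.5
2024-06-01T09:30:00Z host=dc1 user=alice action=login src=10.0.1.5
2024-06-01T14:05:00Z host=fw1 user=secops-jane action=rule_change
2024-06-01T23:50:00Z host=dc1 user=alice action=login src=203.0.113.9
2024-06-02T03:00:00Z host=siem user=secops-jane action=log_delete ticket=CHG-1050
"""


def parse_line(line):
    """Return the line's fields as a dict; 'ts' becomes a timezone-aware datetime."""
    ts_text, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return fields


def in_change_window(ts):
    start, end = CHANGE_WINDOW_UTC
    return start <= ts.astimezone(timezone.utc).hour < end


def detect(lines):
    """Run the rules over the lines in order; return (rule, user, timestamp) alerts."""
    alerts = []
    known_sources = {}   # user -> source addresses seen so far (a crude per-user baseline)
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user, action, ts = ev["user"], ev["action"], ev["ts"]
        stamp = ts.isoformat()
        if action in PRIVILEGED_ACTIONS:
            if "ticket" not in ev:
                alerts.append(("unticketed-privileged-change", user, stamp))
            if not in_change_window(ts):
                alerts.append(("outside-change-window", user, stamp))
            # Watch the watchers: a super-user deleting logs is escalated even with a ticket,
            # because the team that runs the monitoring must not be able to silence it quietly.
            if user in SUPER_USERS and action == "log_delete":
                alerts.append(("super-user-log-tamper", user, stamp))
        if action == "login":
            seen = known_sources.setdefault(user, set())
            if seen and ev["src"] not in seen:
                alerts.append(("login-from-new-source", user, stamp))
            seen.add(ev["src"])
    return alerts


if __name__ == "__main__":
    for rule, user, stamp in detect(SAMPLE_LOG.splitlines()):
        print(f"{stamp} {rule}: {user}")
```

The baseline here is learned from the first login seen per user, which is a simplification; a real deployment seeds it from a learning period and an asset inventory. The point of the log-tamper rule is separation of duties: its alerts should route to someone outside the team that owns the SIEM.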
13
Q

4 Security Operations

A

4. Security Operations

  • Implement Separation of Duties
    • The team that ‘does things’ has privilege but no wide visibility
  • Run day-to-day security processes
    • Check security software is still running
    • Chase other teams to do their part
  • Respond to alerts
  • Set up User Accounts
  • Set up privileges
  • Incident Management?
  • Problem – SecOps is typically the junior team…
14
Q

5 Security Architects

A

5. Security Architects

  • Ensure all solutions are in line with the Security Policy
    • Design solutions
    • Approve solutions
  • Advice and Guidance to the rest of the organisation
  • Focused on infrastructure, networks, platforms

Problems:

  • Who validates the advice and guidance?
  • Who makes sure the organisation follows the advice?
15
Q

6 Application Security

A

6. Application Security

  • Ensure Application Development is in line with Security Policy
  • Own any in-house security software solutions
  • Advice and guidance to Application Development Teams
16
Q

7 Security Compliance

A

7. Security Compliance

  • Check that all the security requirements are being met
  • Patches
  • Vulnerabilities
  • Least Privilege
  • Guidance from architects
  • Any other requirements from the Policy
  • Problem – Separation of Duties
17
Q

8 Risk Management

A

8. Risk Management

  • Understand all the holes, all the outstanding issues
  • Rate risks
  • Prioritise resolution
  • Communicate risks
  • Ensure that risks are owned and responded to

Problems:

  • How do we rate risks and get people to accept them?
  • What about operational risks?
18
Q

9 Physical Security

A

9. Physical Security

  • Guard the doors!
  • Security monitoring
  • Check that physical security policy is implemented
    • Clear desk
    • Confidential information
    • Hardware / software
  • Secure transportation
    • Hardware
    • Data
  • Executive protection
  • Problem – Trust, Separation of Duties
19
Q

10 Data Protection

A

10. Data Protection

  • Regulatory Requirement
  • Understand rules around PII, SPI
  • Ensure rules are enforced
  • Provide evidence to regulators
20
Q

11 Internal Audit

A

11. Internal Audit

  • Check that everybody is doing everything right
  • Provide evidence to executives
  • Spot problems before they become an external problem
    • Regulators
    • Customer impact
    • Security impact

Problems:

  • Separation of Duties
  • Understanding of the complicated environment
21
Q

12 Regulatory & Audit Response

A

12. Regulatory & Audit Response

  • Understand which other security-related regulations apply
    • Sarbanes-Oxley, J-SOX etc
    • Basel II / III, FSA, FED
    • HIPAA
  • Provide Internal / External Audit with required information
22
Q

Pros and Cons of Security Outsourcing

A

Pros:

  • May give you the skills you lack
  • Contracts give some security
  • Cost known up-front

Cons:

  • No guarantee that the outsourcer will do as asked
    • Regulators hold you accountable regardless of who does the work
  • Anything you don’t include in the contract will cost you a lot of money later
  • Outsourcers are very good at doing what THEY want to do
    • Offshoring
    • Automating
  • Outsourcers have their own problems
    • Attrition
    • Having to do what you couldn’t, for less money than they charge you
  • If you don’t have the skills to do the security work, how can you check?
    • A new team – Security Outsourcer Checking team!
23
Q

Conclusion and Predictions

A
  • This won’t get any easier
  • Security Organisations will get even bigger and better funded
  • Governance and compliance will become even more important
  • Risk Management will gain increasing focus
  • Outsourcing will become increasingly regulated
  • InfoSec Management will develop into a much more professional discipline
  • InfoSec skills will become increasingly sought-after