Term
|
Definition
Service Level Agreement
centralized Agreement
describes an IT service, documents service level targets, and specifies the responsibilities of the IT service provider and the customer
|
|
|
Term
|
Definition
Service-level Requirements
Often precedes an SLA
requirements for a service from a client viewpoint. Evolves into a draft SLA. |
|
|
Term
What is the standard that covers supply chain management? |
|
Definition
NIST Special Publication 800-161
Supply Chain Risk Management Practices for Federal Information Systems and Organizations |
|
|
Term
What are the threat modeling concepts? |
|
Definition
Visual representations based on Data Flow Diagrams
- PASTA
- TRIKE
Visual representations based on Flow Diagrams
- VAST |
|
|
Term
What is the Threat Modeling Process? |
|
Definition
5 step process
1. Identify security objectives
2. Survey the application/system
3. Decompose it
4. Identify threats
5. Identify vulnerabilities |
|
|
Term
|
Definition
- Confidentiality
- Integrity
- Availability |
|
|
Term
|
Definition
Oversight and guidance from senior leadership
Policy, standards, baselines, guidelines, and procedures are included
|
|
|
Term
What terms describe the time horizons of planning? |
|
Definition
- Strategic - longer (5 years)
- Tactical - mid/short (6 months to 1 year)
- Operational - shortest (days to weeks) |
|
|
Term
|
Definition
Risk Management Framework
NIST SP 800-37R1 |
|
|
Term
|
Definition
1. Categorize Information System
2. Select security controls
3. Implement security controls
4. Assess security controls
5. Authorize information system
6. Monitor security controls |
|
|
Term
|
Definition
- Operationally Critical Threat, Asset, and Vulnerability Evaluation
- qualitative methodology
- people, hardware, software, information, and systems
- self-directed & easily modified
|
|
|
Term
|
Definition
- a risk management framework
- Factor Analysis of Information Risk
- designed to address security practice weakness
- allows organizations to speak the same language about risk and talk about risk in a consistent manner |
|
|
Term
|
Definition
Threat Agent Risk Assessment (created by Intel)
- distills an immense number of possible information security attacks into a digest
- predictive framework to prioritize areas of concern |
|
|
Term
|
Definition
The process of identifying, evaluating, and preventing or reducing risk |
|
|
Term
|
Definition
The process by which risk management is achieved and includes analyzing an environment for risks, assessing the cost of various countermeasures for each risk, and creating a cost/benefit report for safeguards to present to upper management |
|
|
Term
What are the risk learning levels? |
|
Definition
- Awareness
- Training
- Education |
|
|
Term
|
Definition
Single Loss Expectancy (SLE)
an element of quantitative risk analysis
the cost associated with a single realized risk against a specific asset
SLE = asset value (AV) * exposure factor (EF)
|
|
|
Term
|
Definition
Exposure Factor (EF)
quantitative risk
percentage of loss that an organization would experience if a specific asset were violated by a realized risk |
|
|
Term
|
Definition
Annualized Loss Expectancy
quantitative risk
the possible yearly cost of all instances of a specific realized threat against a specific asset
ALE = Single Loss Expectancy (SLE) * Annualized Rate of occurrence (ARO)
or ALE = SLE * ARO
|
|
|
Term
|
Definition
Annualized Rate of Occurrence (ARO)
quantitative risk
The expected frequency with which a specific threat or risk will occur within a single year
enables you to calculate risk and take proper precautions |
|
|
Term
How do you evaluate a safeguard? |
|
Definition
ALE for the asset if safeguard is implemented
(ALE 1) - (ALE 2) - ACS
ALE before safeguard - ALE after safeguard - Annual Cost of Safeguard = value of the safeguard to the company |
|
|
Term
What are the options for handling risk? |
|
Definition
- reduce risk or risk mitigation
- assign risk, or transfer risk
- accept risk |
|
|
Term
|
Definition
The amount of risk an organization would face if no safeguards were implemented
total risk = threats * vulnerabilities * asset value |
|
|
Term
|
Definition
The risk that management has chosen to accept rather than mitigate.
total risk - controls gap = residual risk |
|
|
Term
|
Definition
The difference between total risk and residual risk
The amount of risk that is reduced by implementing safeguards |
|
|
Term
What are the types of risk controls? |
|
Definition
- Preventative
- Detective
- Corrective
- Deterrent
- Recovery
- Directive
- Compensating |
|
|
Term
How are security controls implemented? |
|
Definition
- Administrative
- Logical
- Physical |
|
|
Term
What is a security framework? |
|
Definition
- Acts as a reference point
- Provides a common language for communication (culture)
- Allows us to share information and create relevance (also culture) |
|
|
Term
|
Definition
- Information Security governance best practices within an organization
- Control Objectives for Information and Related Technologies
- 4 Domains:
-- Plan and Organize
-- Acquire and Implement
-- Deliver and Support
-- Monitor and Evaluate |
|
|
Term
What are the standard good practices for information security? |
|
Definition
- Security Management
- Critical business applications
- Computer installations
- Networks
- Systems Development
-- Systems Development Life Cycle (SDLC)
-- Software Development Life Cycle (also SDLC) |
|
|
Term
What are the major ISO standards in risk management? |
|
Definition
- ISO 27001 Information Security
- ISO 27002 Code of practice
- ISO 15408 Terminology |
|
|
Term
|
Definition
- Motive
- Opportunity
- Means |
|
|
Term
|
Definition
- a framework that can be used to develop the following architecture types
-- Business architecture
-- Data architecture
-- Applications architecture
-- Technology architecture |
|
|
Term
|
Definition
Failure modes and effects analysis (FMEA)
- a method for determining failure, identifying functional failures, and assessing the causes of failure and their effects through a structured process
- The application of this process to a chronic failure enables one to determine where exactly the failure is most likely to occur |
|
|
Term
|
Definition
Maximum Tolerable Outage (MTO)
Maximum Tolerable Downtime (MTD)
- maximum length of time a business function can be inoperable without causing irreparable harm to the business |
|
|
Term
|
Definition
Business Continuity Planning (BCP)
- quick, calm and efficient response in the event of an emergency
|
|
|
Term
|
Definition
Recovery Time Objective (RTO)
- The amount of time you think you can feasibly recover the function in the event of disruption |
|
|
Term
|
Definition
Business Impact Assessment (BIA)
- Identifies the resources that are critical to an organization's ongoing viability and the threats posed to those resources
- Also assesses the likelihood that each threat will actually occur and the impact those occurrences will have on the business |
|
|
Term
What are the sub-tasks in continuity planning? |
|
Definition
- Strategy development
- Provisions and process
- Plan approval
- Plan implementation
- Training and education
p112 |
|
|
Term
|
Definition
Business Impact Assessment (BIA)
1. Gather requirements / information
2. Vulnerability Assessment(s)
3. Analysis
-- Quantitative (ALE = SLE * ARO)
-- Qualitative
4. Communicate findings (consider audience) |
|
|
Term
What are some countermeasures for Confidentiality |
|
Definition
- Encryption
- Traffic Padding
- Strict Access Controls/Authentication
- Data Classification
- Awareness Training |
|
|
Term
What are some countermeasures for Integrity? |
|
Definition
- Strict access controls / authentication
- IDS - encryption
- hashing
- interface restrictions / controls
- input / function checks (validation) |
|
|
Term
What are some countermeasures for Availability? |
|
Definition
- Strict access controls / authentication
- continuous monitoring
- firewalls & routers to prevent DoS / DDoS attacks
- redundant system design
- periodic testing of backup systems |
|
|
Term
|
Definition
Capabilities Maturity Model
Level 1 - Initial
Level 2 - Managed
Level 3 - Defined
Level 4 - Quantitatively Managed
Level 5 - Optimizing
|
|
|
Term
|
Definition
Sherwood Applied Business Security Architecture.
Provides a framework for developing risk-driven enterprise information security and information assurance architectures. It also aids in delivering security infrastructure solutions that support critical business initiatives. |
|
|
Term
|
Definition
- Change control for data
- no unauthorized modification without knowledge and consent of data owner
1. preventing unauthorized subjects from making modifications
2. preventing authorized subjects from making unauthorized modifications
3. maintaining consistency of objects so that they are true and accurate
- Related concepts
-- Accuracy
-- Authenticity
-- Validity
-- Nonrepudiation - user cannot deny having performed an action |
|
|
Term
|
Definition
- Keeping good data away from bad actors
- data must be protected in a network, data must be protected at rest, in use, and on the wire
- Related concepts
-- Sensitivity
-- Discretion
-- Criticality
-- Concealment
-- Isolation
|
|
|
Term
|
Definition
- Authorized subjects can access objects in a timely manner without interruption
- Related concepts
-- Usability
-- Accessibility
-- Timeliness
|
|
|
Term
|
Definition
- Responsible for data classification |
|
|
Term
|
Definition
- Responsible for implementing the protections called out by the security policy at the behest/direction of the data owner.
- Performs all activities necessary to provide CIA protection. |
|
|
Term
|
Definition
- Any person who has access to a secured system |
|
|
Term
|
Definition
Anything within the organization that has value and should be afforded CIA protections |
|
|
Term
|
Definition
Dollar value assigned to an asset |
|
|
Term
|
Definition
A potential occurrence that may cause an undesirable outcome vis-a-vis an asset |
|
|
Term
|
Definition
weakness that can be exploited |
|
|
Term
|
Definition
degree to which you are susceptible to asset loss due to a threat |
|
|
Term
|
Definition
- The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset
- Risk = threat * vulnerability |
|
|
Term
|
Definition
The exploitation of a vulnerability by a threat agent (bad actor) |
|
|
Term
|
Definition
- A countermeasure being bypassed or rendered ineffective |
|
|
Term
Quantitative Risk Analysis |
|
Definition
1. Exposure Factor (EF) - % of loss experienced IF a specific asset were attacked
2. Single Loss Expectancy (SLE) - the cost associated with a single realized risk against a single asset
3. Annualized Rate of Occurrence (ARO) - frequency at which a specific risk will be realized over a single year
4. Annualized Loss Expectancy (ALE) - potential yearly cost of all instances of specified threat
5. Asset Value (AV) - dollar amount the asset is worth to the organization
|
|
|
Term
|
Definition
- Identification
- Authentication
- Authorization
- Auditing
- Accountability |
|
|
Term
|
Definition
- Mean Time Between Failures (MTBF) |
|
|
Term
|
Definition
- Mean Time To Restore/Repair
- How long it will take to get a failed product running again
|
|
|
Term
|
Definition
- Recovery Point Objective (RPO)
- The maximum acceptable amount of data loss measured in time.
|
|
|
Term
|
Definition
- Recovery Time Objective (RTO)
- The maximum tolerable amount of time needed to bring all critical systems back online. |
|
|
Term
|
Definition
- Work Recovery Time (WRT)
- The maximum tolerable amount of time that is needed to verify the system and/or data integrity
- Systems are restored after a crisis. WRT is the amount of time necessary to verify things are working correctly. |
|
|
Term
|
Definition
- Maximum Tolerable Downtime (MTD)
- The total amount of time that a business process can be disrupted without causing any unacceptable consequences. |
|
|
Term
|
Definition
- Used for efficiency
- Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.
- Simplifies security by enabling you to assign security controls to a group of objects collected by type or function |
|
|
Term
Civilian Data Classification Levels |
|
Definition
- Confidential
- Private
- Sensitive
- Public |
|
|
Term
Government Data Classification Levels |
|
Definition
- Top Secret (Exceptionally Grave Damage)
- Secret (Serious Damage)
- Confidential (Damage)
- Unclassified (No Damage)
|
|
|
Term
What are the security roles and responsibilities? |
|
Definition
- Senior Manager - Management (Ultimately responsible)
- Security Professional - Information Security Team
- Data Owner - Classifies Data
- Data Custodian - Takes care of Day-to-day activities
- User - End User
- Auditor - Responsible for reviewing the data |
|
|
Term
|
Definition
- Threat model developed by Microsoft
- Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Escalation of privilege |
|
|
Term
|
Definition
- Threat Model
- Designed to provide a flexible rating solution that is based on the answers of 5 main questions
- Damage potential (How severe the damage is likely to be if the threat is realized)
- Reproducibility (How complicated it is for the attacker to reproduce the exploit)
- Exploitability (How hard it is to perform the attack)
- Affected users (How many users are likely to be affected)
- Discoverability (How hard it is for an attacker to discover the weakness)
|
|
|
Term
|
Definition
- Process for Attack Simulation and Threat Analysis (PASTA)
- Threat modeling. Risk centric approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected.
STEPS
Stage I. Definition of the Objectives (DO) for the Analysis of Risks
Stage II. Definition of the Technical Scope (DTS)
Stage III. Application Decomposition and Analysis (ADA)
Stage IV. Threat Analysis (TA)
Stage V. Weakness and Vulnerability Analysis (WVA)
Stage VI. Attack Modeling & Simulation (AMS)
Stage VII. Risk Analysis & Management (RAM) |
|
|
Term
|
Definition
M - Mitigate
A - Accept
A - Avoid
T - Transfer |
|
|
Term
Types of Risk Management Controls |
|
Definition
Technical, Physical or Administrative.
Preventative, Detective, Corrective, Deterrent, Directive, Compensating, Recovery
-----------------------------------------------------------
- Technical or logical - implemented with technology - passwords, permissions
- Physical - elements you can physically touch; door lock, CCTV
- Administrative - written security policies
-----------------------------------------------------------
- Deterrent - Dogs
- Preventative - attempt to prevent incidents before they occur. Firewalls, guard, audit trail
- Detective - IDs security violations after they occur. Reviewing logs, audit trail
- Corrective - modify environment after an incident. Anti-virus, fire extinguisher
- Deterrent - Discourage someone from taking an action. A high fence with lights, strict security policy, proxy server
- Directive - Administrative controls that provide direction or guidance
- Compensating - controls used as alternatives to the recommended controls
- Recovery - controls provide methods to recover from an incident |
|
|
Term
|
Definition
- Risk Management Framework (RMF), NIST SP 800-37
- CSIAAM - Cousin Say I Am Ass Master
1. Categorize information systems
2. Select security control
3. Implement Security Control
4. Assess security control
5. Authorize information system
6. Monitor security controls
|
|
|
Term
|
Definition
- Risk assessment
1. identify your assets
2. evaluate them
3. look at threats and vulnerability
4. potential for loss
5. mitigation strategy
6. implement mitigation strategy
7. test mitigation strategy
8. document mitigation strategy |
|
|
Term
Security Policy Life Cycle |
|
Definition
Develop - Plan and Research - Write - Approve - Authorize
Publish - Communicate - Educate
Adopt - Implement - Monitor - Enforce
Review - feedback - annual |
|
|
Term
|
Definition
- Business Continuity Management |
|
|
Term
|
Definition
- Import/Export of encrypted goods |
|
|
Term
|
Definition
- US Privacy Law, 4th Amendment
- unlawful to search private property without search warrant |
|
|
Term
European Union Privacy Law |
|
Definition
- Law giving directive outlining privacy measures that must be in place for protecting personal data processed by an information system
- Criteria to be met:
1. Consent
2. Contract
3. Legal Obligation
4. Vital interest of the data subject
5. Balance between the interests of the data holder and the interests of the data
|
|
|
Term
|
Definition
- European Union Global Data Protection Regulation (GDPR)
- Law applies to all organizations that collect data from EU residents or process that information on behalf of someone who collects it
a. Breaches should be informed within 72 hours
b. Centralized data protection authorities
c. Individuals will have access to their own data
d. Data portability to facilitate the transfer of personal information between service providers
e. Right to be forgotten - delete information if it's no longer required
|
|
|
Term
|
Definition
- The ability of a system to suffer a fault but continue to operate.
- RAID, multiple power supplies |
|
|
Term
|
Definition
- Having multiple redundant systems that enable zero downtime or degradation for a single failure.
- Cluster systems, active/standby |
|
|
Term
|
Definition
- ISO 27002 is a supplementary standard that provides advice on how to implement the security controls listed in Annex A of ISO 27001
- Focus on controls
- Provides a code of practice for use by individuals within an organization
"Information Technology-Security Techniques-Information Security Management Systems- Requirements"
|
|
|
Term
|
Definition
- central framework of the ISO 27000 series
- The Standard contains the implementation requirements for an Information Security Management System (ISMS)
"Information Technology - Security Techniques - Code of Practice for Information Security Management"
1. Policy
2. Organization of Information security
3. Asset Management
4. Human Resources security
5. Physical and environmental security
6. Communications and operations management
7. Access Control
8. Information Systems acquisition, development, and maintenance
9. Information security incident management
10. Business Continuity management
11. Compliance |
|
|
Term
ISO 27000 family of standards |
|
Definition
The ISO/IEC 27001 family of standards, also known as the ISO 27000 series, is a series of best practices to help organizations improve their information security. It does this by setting out ISMS (information security management system) requirements.
|
|
|
Term
|
Definition
- Supply Chain Risk Management practices for federal information systems and organizations |
|
|
Term
|
Definition
Guide for conducting risk assessment |
|
|
Term
|
Definition
Risk Management Framework (RMF) for information systems and organizations
A systems lifecycle approach for security |
|
|
Term
|
Definition
Risk Management Guidelines |
|
|
Term
|
Definition
Risk Assessment Techniques |
|
|
Term
|
Definition
- Information Technology Infrastructure Library (ITIL)
- Shows how controls can be implemented for the service management IT processes. 5 lifecycle phases:
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement (CSI) |
|
|
Term
|
Definition
- Risk Framework
- examines the effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability aspects of the high-level control objectives
- Governance -- Risk -- Compliance |
|
|
Term
|
Definition
- Risk Framework (financial)
- Identifies 5 areas necessary to meet financial reporting and disclosure objectives. These include:
a. Control Environment
b. Risk Assessment
c. Control Activities
d. Information and Communication
e. Monitoring |
|
|
Term
Monitoring and Measuring Risk Process Steps |
|
Definition
1. Seek approval
2. Form a risk assessment team
3. analyze data
4. calculate risk
5. countermeasure recommendations |
|
|
Term
Security control assessment methodology |
|
Definition
In Order
1. Reconnaissance
2. Enumeration
3. Vulnerability Analysis
4. Execution / exploitation
5. Document findings |
|
|
Term
Types of vulnerability Assessments |
|
Definition
a. vulnerability
b. penetration
c. application
d. DoS / DDoS
e. War driving, walking, dialing, etc.
f. Wireless
g. Social Engineering
h. telephone |
|
|
Term
Risk Assessment / analysis |
|
Definition
Step 1 - prepare for assessment
Step 2 - Conduct assessment
a. ID threat source and events
b. ID vulnerabilities and predisposing conditions
c. determine likelihood of occurrence
d. determine magnitude of impact
e. determine risk
Step 3 - communicate results
Step 4 - Maintain assessment
NIST SP 800-30
pg 23 |
|
|
Term
|
Definition
Remaining risk(s) after all countermeasures/controls have been applied |
|
|
Term
|
Definition
(control)
Mechanism applied to minimize risk
minimize = mitigate
|
|
|
Term
|
Definition
What a threat will cost
(quantitative/qualitative) |
|
|
Term
|
Definition
chance something might happen |
|
|
Term
|
Definition
1. Avoid
2. Accept
3. Transfer
4. Mitigate |
|
|
Term
Countermeasure selection and implementation |
|
Definition
- Cost
- Effectiveness
- Appropriateness |
|
|
Term
|
Definition
1. Protect society, the commonwealth, and the infrastructure
2. Act honorably, honestly, justly, responsibly, and legally
3. Provide diligent and competent service to principals
4. Advance and protect the profession
pg 862 |
|
|
Term
|
Definition
- International Traffic in Arms Regulations (ITAR): regulates specifically designed military and defense items--US Munitions List (USML)
- Export Administration Regulations (EAR): commercial use, but military applications--commerce control list (CCL)
- Export Controls to Nuclear proliferation countries
- Encryption submitted to Commerce Dept before export |
|
|
Term
|
Definition
- Organization for Economic Cooperation and Development (OECD)
- 8 Core Principles
1. Collection Limitation
2. Data Quality
3. Purpose specification
4. Use limitation
5. Security safeguards
6. Openness
7. Individual participation (Opt in)
8. Data controller accountability |
|
|
Term
|
Definition
- Protects published or unpublished original works
- Author's life plus 50 years
- Rights:
1. Reproduce work in any form
2. Adapt or derive more works from it
3. Make and distribute copies
4. Perform it in public
5. Display or exhibit in public |
|
|
Term
|
Definition
- A set of exclusive rights granted by a sovereign state for a limited time (typically 20 years from the date of application)
- Exclusive rights for a time period |
|
|
Term
|
Definition
- Making "secret" information public |
|
|
Term
|
Definition
an occurrence or event that has a negative outcome |
|
|
Term
|
Definition
Some sort of occurrence or event |
|
|
Term
|
Definition
- Prudent man rule - doing what a reasonable person would do in a given situation
|
|
|
Term
|
Definition
- Oversight, guidance
- The management of Due Care
- Doing the right thing at the right time for the right reason |
|
|
Term
|
Definition
- Payment Card Industry Data Security Standard (PCI DSS)
- Install/Maintain firewall for cardholder data
- Do not use vendor-supplied system passwords
- Protect cardholder data
- Encrypt
- Protect all systems
- Develop and maintain secure systems/applications
- Restrict access
- ID and authenticate access
- Track and monitor access
- Test security |
|
|
Term
Identity Theft and Assumption Act |
|
Definition
- 1998
- Crime to steal identity
- 15 years and $250,000 |
|
|
Term
|
Definition
- Family Educational Rights and Privacy Act (FERPA)
- Specialized privacy bill for schools that receive federal funding
- Privacy rights for parents and 18 y/o students
-- Right to inspect education records
-- Right to request corrections of errors
- Schools may not release information from student records without authorization |
|
|
Term
|
Definition
- 2001
- Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act
- Response to 9/11
- Broadened powers of law enforcement and intelligence agencies
- Wiretapping blanket authorizations
- ISPs may volunteer information; subpoena for user info
- Amended CFAA with more severe penalties
- USA Freedom Act - June 2015
|
|
|
Term
|
Definition
- Gramm-Leach-Bliley Act (GLBA) 1999
- Reduced barriers between banks, insurance companies and credit providers
- Relaxed standards created a new privacy concern
- Defined how - what data will be shared |
|
|
Term
|
Definition
- Children's Online Privacy Protection Act (COPPA) 1998
- Requires web owners to display notice of the types of information they collect and what they do with it
- Parents opportunity to review
- Parents consent for under 13 |
|
|
Term
|
Definition
- Health Information Technology for Economic and Clinical Health Act (HITECH) 2009
- Updated HIPAA privacy and security
- New regulations for business associates
-- Business Associate Agreement (BAA)
- Data breach notification |
|
|
Term
|
Definition
- Health Insurance Portability and Accountability Act (HIPAA) 1996
- Governed health care privacy and security
-- Health maintenance org (HMO)
-- Hospitals, physicians, insurance
- Rights of individual |
|
|
Term
|
Definition
- Extends definition of property to include proprietary economic information
- Theft considered industrial or corporate theft
- 1996 |
|
|
Term
|
Definition
- Communications Assistance for Law Enforcement Act (CALEA) 1994
- Required communications carriers to make wiretaps possible for law enforcement with court orders
|
|
|
Term
|
Definition
- Electronic Communications Privacy Act (ECPA) 1986
- Crime to invade the privacy of an individual
-- Email, voicemail, cell phone conversations |
|
|
Term
Types of Licensing Agreements |
|
Definition
- Contractual licensing agreement - written contract often for high-priced or specialized software
- shrinkwrap license - written on outside of package
- click through - during install required to accept terms
- Cloud service - extreme version of click through |
|
|
Term
Economic Espionage Act of 1996 |
|
Definition
- Protects trade secrets
- stealing trade secrets = $500,000 fine and 15 years in prison with intent to benefit foreign government or agent
-- other circumstances $250,000 and 10 years |
|
|
Term
|
Definition
- Intellectual Property of inventors
-- invention must be new, useful, and not obvious
- Patent trolls |
|
|
Term
|
Definition
- a recognized sign, device, slogan or logo used to identify a company or its products
- Not similar to another trademark
- Not descriptive of the goods and services that you will offer
- Register with US Patent and Trademark Office (USPTO)
- 10 years, renew 10 years |
|
|
Term
Digital Millennium Copyright Act |
|
Definition
- Digital Millennium Copyright Act (DMCA) 1998
- Complies with terms of 2 World Intellectual Property Organization (WIPO) treaties
- Prohibits attempts to circumvent copyright protection mechanisms (e.g. CD, DVD)
- Limits ISP liabilities
- Exempts caching, search engines, storage on network by individual user
- Backup copies are allowed
- Spells out application to streaming services |
|
|
Term
National Cybersecurity Protection Act |
|
Definition
- 2014
- DHS charged to stand up National Cybersecurity and Communications Integration Center
- Interface between federal agencies and civilian organizations for sharing cyber security risks, incidents, analysis and warnings |
|
|
Term
Cybersecurity Enhancement Act |
|
Definition
- 2014
- NIST responsible for cybersecurity standards
-- Produces 800 series special publications
-- NIST SP 800-53 Security and privacy controls for federal information systems and organizations
-- NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
-- NIST Cybersecurity Framework (CSF) voluntary risk based framework
|
|
|
Term
|
Definition
- Confusing name... identical acronym
- Federal Information Systems MODERNIZATION Act (FISMA) [vice management]
- Centralized federal cybersecurity with DHS
-- Except Defense-related and ODNI |
|
|
Term
|
Definition
- Confusing name... identical acronym
- Federal Information Systems MANAGEMENT Act (FISMA) [vice modernization]
- Federal agencies implement information security program
- Requires government to include contractors
- Replaced Computer Security Act of 1987 and Government Information Security Reform Act of 2000
- NIST responsible for FISMA guidelines
-- Periodic assessment of risk, testing, and evaluation
-- Risk addressed through lifecycle of information systems
-- Training, continuity of operations
|
|
|
Term
National Information Infrastructure Protection Act of 1996 |
|
Definition
- Another amendment to CFAA
- Broadens to include computer systems used in international commerce
- Extends protections to portions of infrastructure: railroads, pipelines, electric grid
- Any act that causes damage treated as a felony |
|
|
Term
|
Definition
- Computer Abuse Amendments Act of 1994
- Makes Illegal:
-- Creation of malicious code that damages computer systems
-- Modified CFAA to cover any computer used in interstate commerce
-- Allows imprisonment of offenders, regardless of intent
-- Legal authorities for victims to pursue civil action |
|
|
Term
|
Definition
- Computer Fraud and Abuse Act (CFAA)
- Makes it a crime to:
-- Access classified or financial information without authorization or in excess of authorization
-- Access federal computer without authorization
-- Use a federal computer to perpetrate fraud
-- Cause malicious damage to federal computer
-- Modify medical records when it slows treatment
-- Traffic in passwords across state lines
-- $5,000 in damages |
|
|
Term
|
Definition
- Criminal law
- Civil law
- Administrative Law |
|
|
Term
Personnel Security Policies and Procedures |
|
Definition
- Candidate screening and hiring
- Employment agreements and policies
- Onboarding and termination processes
- Vendor, consulting, and contractor agreements and controls
- Compliance policy requirements
- Privacy policy requirements
Job rotation, separation of duties, need to know, least privilege, NDA |
|
|
Term
|
Definition
- Business Continuity
1. Develop and document scope and plan
- Senior management support, scope, resources, timeline
2. Business Impact Analysis (BIA)
- Determine impact of disrupting event
- Criticality, estimated downtime (MTD)
- Evaluate external and internal resources |
|
|
Term
|
Definition
Any passive data within the system: documents, physical paper, database, tables, text files, etc. |
|
|
Term
|
Definition
- an active entity on a data system |
|
|
Term
|
Definition
- Real evidence: tangible or physical objects
- Direct evidence: testimony provided by witnesses
- Circumstantial evidence
- Hearsay evidence constitutes second-hand evidence
- Secondary evidence consists of copies of original documents... computer logs might be this |
|
|
Term
|
Definition
4 Step Process
1. Project scope and planning
2. Business Impact Assessment (BIA)
3. Continuity Planning
4. Approval and implementation |
|
|