134 ◾ Official (ISC)
2
® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
new domain has and will continue to aect the way we live, work, buy, communi-
cate, express ourselves, socialize, make friends, form contracts and agreements, and
perform transactions, e.g., banking deposits, transfers, and bill paying. e cyber
domain provides a tremendous amount of benets, as well as introduces new risks.
ese risks include technical failures of the infrastructure and systems we use to
operate within the cyber domain as well as from those people looking to exploit this
new domain for their own gain … both legitimately and illegitimately.
Many businesses now both dene and use the cyber domain to interact with ven-
dors, suppliers, partners, employees, and customers. Continued operation within the
cyber domain is critical for business to survive and thrive. erefore, examining threats,
vulnerabilities, and risks to the cyber domain in business terms is good business prac-
tice. Moreover, identifying, enumerating, articulating, and addressing cyber domain
risk is not only good business practice, but may be a legislative compliance mandate.
A key dierentiating characteristic of the cyber domain from the other domains
is physical proximity. Traversing land, sea, air, and space requires a physical pres-
ence; the cyber domain is virtual, and access to an end point across the globe is but
a few keystrokes away. Safeguarding assets in the other domains was largely accom-
plished via physical safeguards (e.g., nondisclosure of location, lock and key, barbed
wire, safes, trusted personnel to transport the asset, and armed guards). Moreover,
wealth took the form of physical assets like jewels, currency, or gold. Now, bits on
a hard drive represent wealth and access to wealth is via remote means and faceless
transactions (e.g., automated teller machines, banking by phone, direct deposit of
paychecks, and on-line bill paying). While the cyber domain provides many conve-
niences, it also presents a new domain for crime, espionage, terrorism, and warfare.
e focus of the material in this chapter is on legislative mandates governing the
protection of data (bits on a hard drive) and enterprise guidance for implementa-
tion and enforcement of legislative compliance in the form of policies, standards,
and procedures. Additionally, this chapter will address the complement to legislative
compliance, which is good business practice, to optimize the interests of stakeholders.
Business Perspective
e business perspective boils down to two aspects: cost and revenue. e cyber
domain either contributes to revenue or helps to manage costs. If you cannot express
cyber activity in these terms, then step back and seriously question the validity of
that cyber activity. Another way to look at this is business need drives investments in
technology. Moreover, business risk drives investment in security.
Likewise, security boils down to the same two aspects of cost and revenue.
Either security contributes to revenue or helps manage costs:
◾ Revenue
− Revenue generation
− Revenue stream protection
Overseeing Compliance of Security Operations ◾ 135
© 2011 by Taylor & Francis Group, LLC
◾ Cost
− Cost maintenance
− Cost reduction
◾ Cost avoidance
Security may contribute directly to revenue generation by oering security
services or mechanisms for a fee. Security may protect revenue streams, e.g.,
security mechanisms protecting an e-commerce site that accepts customer
orders. Security may contribute to cost maintenance, i.e., ensuring costs do not
go up, e.g., security mechanisms protecting cyber devices that would otherwise
require manual labor and increase in payroll. Security may contribute to cost
reduction by replacing manual labor with automated services; security may also
reduce costs by adding protective measures that reduce insurance premiums (e.g.,
sprinkler systems). Security also contributes to cost avoidance. is is the main
area for compliance management, e.g., adherence to external legislative mandates
avoids nes and potential jail time for ocers.
Risk Posture, Security Posture, and Risk Exposure
Risk posture is an intentionally assumed position on dealing with potential negative
impact; the risk posture is a formal declaration of how to address risk: accept, ignore,
share, transfer, or mitigate. Formally declaring a risk posture requires awareness
prior to preparation. is implies a that change in awareness results in changes to
the risk posture. For example, awareness of a newly discovered vulnerability in the
operating system (OS) that runs your enterprise desktops increases the risk exposure
of the organization. You must then review your risk posture in light of this new
awareness. e risk posture must change to reect how to address this new vulner-
ability, e.g., mitigate the risk by installing an OS patch. Installing the OS patch
modies the security posture to return the risk exposure to an acceptable level.
e security posture is an intentionally assumed position to protect against danger
or loss. e implementation of security services and security mechanisms make up
the security posture. Risk posture establishes the acceptable level of dealing with
potential negative impact, including that risk which is acceptable. Security posture
is the safeguards that mitigate risk to reduce risk exposure to an acceptable level.
e bottom line for security is the same as any other business function: revenue
and cost management. Security should contribute directly to one or more of the
following: revenue generation, revenue preservation, cost reduction, and cost avoid-
ance in terms of stakeholder currency, i.e., optimize stakeholder value. Stakeholder
currency is not always literal money; at times, stakeholder currency may be lives
(e.g., the military commander) or votes (e.g., the politician). In any instance, money
is still a factor, but it may not be the primary factor in decision making.
As a security professional, part of your job is to determine the acceptable risk
posture of the enterprise. ere will always be risk; there is just no way to identify
136 ◾ Official (ISC)
2
® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
100% of vulnerabilities and protect 100% of assets from 100% of threats 100%
of the time. e presence of threats, vulnerabilities, and risk in the enterprise is like
the presence of weeds in a garden. No amount of weed killer or manual eort will
permanently eliminate weeds from a garden. Likewise, we must recognize, social-
ize (manage expectations), and deal with the reality that no amount of safeguards
will permanently eliminate threats, vulnerabilities, and risk.
e point of security operations is to anticipate the risks and prepare the enter-
prise via enterprise policies, standards, procedures, and guidelines; defend against
them using security services and mechanisms; monitor for anomalies; and respond to
anomalies to discern the degree of business risk and how to best deal with that risk.
Security Core Principles
Nine security core principles
*
provide a foundational framework to implement and
run security operations:
1. Condentiality
2. Integrity
3. Availability
4. Possession
5. Utility
6. Authenticity
7. Nonrepudiation
8. Authorized Use
9. Privacy
e traditional information security triad consists of condentiality, integrity,
and availability. Condentiality is the protection against the risk of unauthorized
disclosure; integrity is the protection against unauthorized modication; and avail-
ability is the protection against the risk of denial of service. Don Parker then added
possession, utility, and authenticity. Possession is the protection against the risk of loss
or theft; utility is the protection against the loss of the ability to use for the intended
purpose; and authenticity is the protection against the risk of not conforming to
reality. Nonrepudiation, authorized use, and privacy round out the nine core prin-
ciples. Nonrepudiation is the protection against the risk of deniability; authorized
use is the protection against the risk of unauthorized use of cost incurring services;
and privacy is protection against the risk of disclosing personal information.
e fundamental rationale for compliance activities is traceable to these nine
principles, e.g., protect the privacy of customers, avoid the disclosure of proprietary
data, and avoid the theft or misplacement of valuable assets. We will next examine
the perspectives of compliance, and then present a framework within which to plan
for and implement compliance activities in a disciplined, consistent, and repeatable
*
Originally articulated in Information Assurance Architecture as the nine IA Core Principles.
Overseeing Compliance of Security Operations ◾ 137
© 2011 by Taylor & Francis Group, LLC
manner using an enterprise security standard (ESS) and an enterprise security
framework (ESF). e remainder of the chapter presents compliance in the context
of security operations by decomposing operations into people, process, technology,
and environment and elaborating on security services, mechanisms, and activities
within each of these categories.
Compliance Perspectives
ere are two sides to the compliance coin: one side is legislative mandates (what
you have to do) and the other side is good business practice (what you should do). e
term legislative mandates herein is generic and intended to include the spectrum of
legislation, regulation, directives, instructions, or other compliance requirements
generated outside the enterprise. Good business practice includes those compliance
requirements generated inside the enterprise with the intent of enabling or protect-
ing enterprise people, process, technology, and environment.
Legislative mandates may drive security operations. Likewise, enterprise policy
may drive security operations. e security department also generates policy, stan-
dards, procedures, and guidelines that contribute to the set of internally generated
compliance requirements. Security imposes these compliance requirements on the
enterprise and those connecting to the enterprise technology or otherwise doing
business with the enterprise. Others within the enterprise and doing business with
the enterprise are then subject to comply with these security requirements.
ese internally imposed security compliance requirements may nd root in exter-
nal requirements (e.g., legislation) and internal requirements (Figure3.1). e internal
requirements govern the behavior of both internal security operations and other enter-
prise internal operations; additionally, these internal requirements inuence relation-
ships with partners, vendors, customers, contractors, suppliers, and outsourcers.
Security Compliance Management Program
e enterprise compliance management program (ECMP) considers all compliance
requirements on the enterprise. e enterprise security compliance management
program (ESCMP) is a subset of the ECMP. e following functions apply to both
ECMP and ESCMP:
◾ Governance
◾ Adjudication
◾ Planning
◾ Development
◾ Implementation and Deployment
◾ Enforcement
− Disciplinary Action
138 ◾ Official (ISC)
2
® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
◾ Discovery
◾ Analysis
◾ Reporting
◾ Correction
e ESCMP considers compliance from two perspectives: compliance of
enterprise security guidance and compliance with enterprise security guidance.
Compliance of enterprise security guidance is concerned with authoritative inu-
ences to enterprise security policies, standards, and procedures. Authoritative
inuences include legislation, regulation, instruction, directives, etc. Compliance
with enterprise security guidance is concerned with the production, dissemina-
tion, awareness, understanding, and use of security guidance within the enter-
Enterprise
Enterprise Security Management
Compliance Requirements
Legislation
Regulation
Etc.
Security Compliance Requirements
Enterprise Security Compliance Requirements
Policies Standards Procedures Guidelines
Enterprise Internal Operations
Security Operations Other Operations
Enterprise External Operations
Partners Vendors Customers Contractors
Suppliers Outsourcers Etc.
External Requirements
Internal Requirements
Figure 3.1 Compliance management.
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.