164 ◾ Official (ISC)
2
® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
competitive marketplace. e desire to save millions of dollars on research and
development and to accelerate time to market by years if not decades is a strong
motivation to compromise competitor security. e use of personally owned devices
makes theft of information easy.
Again, you as a security professional have a dicult balance of restricting
behavior to protect stakeholder interests, but empowering employees to use the best
tools available for the greatest level of productivity.
Software Management Policy
e software management policy covers software procurement, tracking, and
audits. e purchase of software includes two components: the physical media
and the number of licenses. e physical media may be used many times; however,
each installation receives a unique license. Good software procurement ensures
that the organization receives the appropriate number of licenses and optimizes
software costs including initial purchase and ongoing maintenance fees. A large
organization often enters into multiple separate agreements for the purchase of the
same software. is leads to multiple contracts, multiple purchase orders, and a
premium fee for separate purchase and maintenance agreements. Consolidating all
these into a single contract optimizes costs.
e procurement process also ensures the appropriate purchase of server licenses
as well as client licenses that connect to the server. e number of client licenses
may be for installations or for simultaneous connections. is calculation can be a
bit tricky, but it is necessary to optimize costs to the organization.
Have your legal department review software license agreements to ensure that you
and your organization understand the implications of accepting the license. Inad vert-
ently agreeing to a software vendor’s right to monitor or audit software use or install
spyware may impose unacceptable risk to the organization. If the license agreement is
too restrictive on your organization or too liberal to the vendor, you may attempt to get
the vendor to modify its license agreement with you, or you can nd a new vendor.
Tracking software installations is necessary to ensure that all installations are
indeed being used and that software licenses are not exceeded. If a user receives a
new PC and needs software moved from the old PC to the new one, the software
is installed on the new PC and the use of the seat license is recorded. e soft-
ware should also be uninstalled from the old PC and the seat license returned to
the license pool; otherwise, the organization is paying for a license that is no longer
in use. Software tracking should maintain records of the location of the physical
media as well as the licenses.
Software auditing provides a validation of the software packages installed.
e data from a software audit shows what software packages are installed and if
the software is approved software that is provided by the organization, or if it is
unapproved software that was inadvertently or illegally installed by the end user.
Overseeing Compliance of Security Operations ◾ 165
© 2011 by Taylor & Francis Group, LLC
Additionally, the software audit will validate the number of licenses currently in
use as well as the versions of software in use. Older versions may contain vulner-
abilities taken care of by patches or later releases.
Media Disposal Policy
Planning for the disposal of media via policy, standards, and procedures is more
about the data on the media than the media asset itself. e purpose of the media
disposal policy is twofold: rst, to ensure that any sensitive data is not disclosed
during or after disposing of the media; and second, to ensure that the data may
indeed be discarded and that it is not primary data necessary to retain under legisla-
tive compliance requirements.
Media disposal addresses how to discard old, outdated, or broken media that
store data. A standard delete process only removes a pointer and does not remove
the actual information from the media. Even reformatting a disk may leave ghost
images of previous data that may be recovered. e media disposal policy should
address all media, but especially media that stores sensitive information. Sensitive
information includes any information whose unauthorized disclosure may cause
harm to the enterprise, its ocers, or its stakeholders. is includes proprietary
information as well as information that may be protected under litigation, e.g.,
personal health information (PHI).
Consider the use of an authorized service to handle the disposal of media. e
service understands the procedures and the appropriate steps to take to degauss (the
process of eliminating a magnetic eld), reformat, or physically destroy the media.
e disposal process should be formal and include the assignment of roles, respon-
sibilities, and accountability handling media disposal. is means that employees
do not take it upon themselves to dispose of media, but rather transfer the media
to the in-house personnel responsible for media disposal and document the trans-
fer. e media disposal personnel then document the media handling from receipt
through actual disposal.
If your organization does business with third parties that store your sensitive
data, business agreements should include provisions for secure handling and appro-
priate disposal of the storage media.
Contracts and Business Agreement Policy
A contract is a meeting of the minds for the exchange of promises to perform or
refrain from performing some act. e result of a contractual agreement may be
a product or service. e contract may also specify certain characteristics that the
product or service must possess. ese characteristics may include an operational
feature or operational performance parameters. e following are examples of con-
tracts and agreements:
166 ◾ Official (ISC)
2
® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
◾ Service Level Agreements (SLAs)
◾ Contractor agreements
◾ Business partner agreements
◾ Vendor agreements
◾ Managed Security Service Providers
e Contracts and Business Agreement Policy species certain attributes that
must appear within any contract or business agreement. e motivation behind
these attributes may be good business practice or to comply with a legislative direc-
tive. e HIPAA FSR is one law that species the need for business agreements to
address the protection of PHI.
Service Level Agreements
An SLA is an agreement between a service provider and a service consumer, or
between service providers. e SLA records common understanding about the ser-
vices provided and the performance parameters within which to provide the services.
Sections of the SLA include the following:
◾ Service Denition
◾ Warranties and Performance Measurements
◾ Problem Management
◾ Customer Duties
◾ Disaster Recovery
◾ Termination
Performance measurements include time of initial response, time to produce
result, and billing details. Performance measurements also include service availabil-
ity specied as up time (e.g., no less than 99.9%) or down time (no more than X
minutes per year). e SLA should clearly specify penalties for falling below expected
performance and termination given repeated or sustained performance violations.
Problems will occur; this is a given. Preplanning for problem management is
good business practice. Problem management includes notication, evaluation,
escalation, adjudication, resolution, and follow-up action to implement the reso-
lution. e service provider has the duty to provide the service within acceptable
performance; however, this may only be possible if the service consumers fulll
their own duties. Clearly specify these duties to help with problem resolution, i.e.,
the root cause is more clearly identiable to be with the provider or the consumer.
Part of the benet of engaging an outside service is the responsibility of guar-
anteeing that the service resides with the provider. In the event of disaster, the con-
sumer doesn’t care from whom or from where the service is provided so long as the
consumer receives the result within acceptable performance parameters. Specify
Overseeing Compliance of Security Operations ◾ 167
© 2011 by Taylor & Francis Group, LLC
these performance expectations as part of disaster recovery, including acceptable
down time to allow for service swap from one location to another.
As the last paragraph alludes to, the use of an outside service transfers responsi-
bility from the enterprise to a supplier. To be successful at this, the enterprise needs
good Outsourcing Relationship Management (ORM). Outsourcing may include any
activity that is not the core expertise of the organization. For example, Small Tools,
Inc., likely has a core expertise in the manufacturing of handheld tools. eir
expertise is not likely to include information security. Hence, they may outsource
to a managed security service provider.
Managed Security Service Providers
With the complexity of technical security coupled with the increase in cyber threats,
many companies have opted to outsource security to managed security services pro-
viders (MSSPs). MSSPs oer security services that would otherwise be unaordable
to medium and small companies due to cost, or be unattainable due to resource
limitations like qualied security personnel. Many companies view security as a
core need, if not a core capability, and hesitate to turn over so much control to
a vendor. However, the economies of scale make the cost of using an MSSP very
attractive, and the proliferation and sophistication of attackers require highly spe-
cialized personnel, infrastructure, and procedures.
As competent and as trusted as the MSSP may be, good business practice dic-
tates that no company yields complete control of its networks to another orga-
nization. ere is still a need to maintain in-house expertise to ensure that the
organization’s interests are accurately conveyed to the MSSP and that the MSSP
acts accordingly to protect those interests. In-house eorts are still necessary to
produce security policies that govern MSSP activities and performance.
Develop condentiality agreements with the MSSP. e MSSP will have
intimate knowledge of your operations and condential information. Moreover,
your organization should develop incident response policies and procedures that
inuence the specics of the MSSP business agreement. is is still your net-
work and your responsibility. Operations, monitoring, detection, notication,
and resolution may be outsourced, but the security responsibility is only shared,
not abdicated.
e Cumulus Assessment Module (CAM) assists with the evaluation of SLA
fulllment, i.e., it veries that the MSSP lives up to the performance agreements
with your organization. Figure3.2 shows the CAM architecture with inputs of
SLA details, data distribution parameters, and statistical probe measurements, as
well as output of Cumulus Point (CP) balance over time. Every service will have
measurable, quantitative properties such as amount of resource usage, number of
resource accesses, and the length of time it may be used; these quantitative proper-
ties are known as parameters. e service agreement species expected performance
168 ◾ Official (ISC)
2
® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
in terms of these parameters as well as specied acceptable deviations from expecta-
tions; acceptable performance and acceptable performance deviations are described
as the corridor. Deviations outside of the acceptable range (i.e., leaves the corridor)
result in a penalty as determined by the penalty function.
CAM also uses measurements from the operating environment that may include
a full set of measurements over a period of time, statistical probes, or statistically
prepared values. e data distribution parameters describe how to interpret the
measurement data. e CP output describes how the SLA has been fullled.
Contractor Agreements
A contractor is not a direct employee of the organization, but has the same respon-
sibilities as employees, including the need for awareness and compliance with
security-related policies. e policies will make contractors aware of relevant legis-
lation and regulation with which they also must comply. e same policy reposi-
tory should be available to both direct employees and contractors to ensure full
access to all relevant policies at all times.
Business Agreements
Business agreements are appropriate for vendors, suppliers, original equipment man-
ufacturers (OEMs), and contractors. A chain is as strong as its weakest link. is
is a sentiment that HIPAA FSR reects in its requirement for business agreements
that include the safeguarding of personal health information (PHI); PHI is a spe-
cial case of personally identiable information (PII). PII is the general term for data
that may disclose the identity of an individual; PII is the main concern in privacy-
related legislation and regulation. PHI is PII with respect to any medical details,
including billing, treatments, and prescriptions. Unauthorized disclosure of PHI or
SLA
(parameter, corridor,
penalty function)
Data Distribution
Parameters
CAM
CP Balance
Measurements
(Statistical Probes)
Figure 3.2 CAM architecture.
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.