Overseeing Compliance of Security Operations ◾  169
© 2011 by Taylor & Francis Group, LLC
PII may result in a lawsuit against the owner and custodian of the data. The data owner may be your organization and the business agreement may be with a custodian of the data. The custodian may take possession of the data for processing (e.g., medical billing outsourcer).
To limit liability for your organization, you want to show due diligence for the protection of your data by having business agreements that state responsibilities on the part of data custodians. A business agreement may include the following sections:
Denition of Terms
Permitted Uses and Disclosures
Nondisclosure
Safeguards and Reporting
Mitigation and Enforcement
Your legal department will have final say on the structure and content of the business agreement. The sections above are exemplary to spark discussion between you as the security professional and the legal department to ensure that the business agreement conveys the intent to secure your organization’s data.
Define all terms for a common understanding. Explicitly state the permitted business use of data and the permitted disclosure of data. For example, an outsourcer for human resource (HR) services may need to share employee information with a subcontractor who processes payroll. The HR services company will have to share employee information with the payroll company, so it makes no sense to prohibit them from sharing the data with anyone. Likewise, provide specifics for nondisclosure, even if it’s a simple statement that anything not explicitly listed as permissible disclosure is prohibited.
The safeguard section does not have to enumerate specifics, but simply state expectations that the data custodian will provide appropriate administrative, physical, and technical safeguards to prevent unauthorized disclosure according to X, where X may be an industry standard or legislative compliance requirement. The reporting section of the business agreement may require the data custodian to report security incidents, their effect, and the outcome of the incident and subsequent investigation. Additionally, the reporting section may require the data custodian to report within X days any unauthorized disclosure of your organization’s data.
The mitigation section addresses the need for security practices that minimize risk to your organization’s data. The enforcement section gives you the right to examine the custodian for compliance with the business agreement. Other business agreement sections may be necessary according to circumstances.
Incident Response Policy
An incident response policy will establish the need for preparation and planning
to monitor for, detect, categorize, and respond to incidents. In addition to the
170 ◾ Official (ISC)² Guide to the ISSMP® CBK®
standard policy sections, the incident response policy will include details for initial
reporting, triage, escalation, mitigation and containment, investigation (e.g., root
cause analysis), restoration, and ongoing reporting.
A single incident response policy makes more sense than multiple incident response policies. There will be a lot of information in common among all incidents. The single incident response policy may address multiple types of incidents, including the following:
Denial of service
Malicious code
Unauthorized access
Inappropriate use
Forensics
Some organizations are only concerned with maintaining effective operations, and the focus of incident response is to restore operations and also to minimize the potential of incident recurrence. Other organizations may wish to pursue prosecution in the event of an attack, disgruntled employee, or corporate espionage. Successful prosecution will include forensic activities that establish and preserve the chain of evidence. If this is the case for your organization, ensure that the incident response policy includes the need to engage qualified cyber forensics expertise. If seeking prosecution, in order to preserve the potential to submit valid evidence for legal proceedings, specific preparations are necessary prior to touching the affected system. The cyber forensics experts will be aware of these preparations.
The section on Incident Response provides more details on incident response activities that implement and enforce the incident response policy.
Digital Policy Management
Digital policy management consists of the following:
Digital policy infrastructure
Digital policy manager
Policy repository
Digital policy client
Policy decision point (PDP)
Policy enforcement point (PEP)
The discussion of security policies to this point has referred to documents. Digital policy management (DPM) is the automated enforcement of policy on the network. A digital policy infrastructure is the collection of policy managers, policy clients, PDPs, and PEPs. The DPM administrator translates written policy into digital policy and reflects that written policy in parameters within the digital policy
manager. Digital policy takes the form of being either rule based or role based and
uses attributes associated with users and objects to make decisions based on policy
(e.g., authorization decisions).
The digital policy manager provides direction to the digital policy clients that are distributed throughout the enterprise network. For example, the DPM administrator may enter in parameters to a firewall policy manager that reflect the enterprise policy on Internet traffic. That policy manager then disseminates the digital policy to all firewalls containing the digital policy client throughout the enterprise to ensure consistent and expedient enforcement of the Internet access policy.
Policy enforcement points (PEPs) enforce policy decisions made by the policy decision points (PDPs), i.e., PDPs decide yes or no and the PEP enforces that decision and informs the user. The PEP is a software process running on the system attempting to be accessed. When a user tries to access a file, database, application, or service on the system, the PEP passes the user attributes on to the PDP. The PDP compares the user attributes to the permissions described in the digital policy repository and makes an authorization decision, yes or no, for access. The PDP passes the decision to the PEP, which in turn informs the user.
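The PEP-to-PDP exchange just described, as an added Python illustration that is not code from the guide: the PEP on the accessed system forwards the user's attributes to a PDP, which evaluates them against a policy repository holding both role-based and rule-based entries and returns a permit or deny decision, defaulting to deny when nothing matches. The rule format, attribute names, and the sample payroll policy are constructed assumptions for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One digital policy entry: role-based and/or rule-based criteria."""
    resource: str                   # object being accessed (file, database, service)
    action: str                     # e.g. "read" or "write"
    roles: frozenset = frozenset()  # role based: holding any listed role suffices
    conditions: dict = field(default_factory=dict)  # rule based: attribute -> allowed values


# Constructed policy repository (an assumption for this example), as a DPM
# administrator might translate a written policy: payroll records may be read
# by HR or payroll staff from managed devices, and written only by payroll
# staff from managed devices during business hours.
POLICY_REPOSITORY = [
    Rule("payroll_db", "read", frozenset({"hr", "payroll"}),
         {"device_managed": {True}}),
    Rule("payroll_db", "write", frozenset({"payroll"}),
         {"device_managed": {True}, "business_hours": {True}}),
]


class PolicyDecisionPoint:
    """PDP: compares user attributes with the repository and answers yes/no."""
    def __init__(self, repository):
        self.repository = repository

    def decide(self, attributes, resource, action):
        for rule in self.repository:
            if (rule.resource, rule.action) != (resource, action):
                continue
            # Role based: the user must hold at least one permitted role
            if rule.roles and not rule.roles & set(attributes.get("roles", ())):
                continue
            # Rule based: every attribute condition must hold (missing attribute fails)
            if all(attributes.get(k) in v for k, v in rule.conditions.items()):
                return True
        return False  # default deny when no entry matches


class PolicyEnforcementPoint:
    """PEP on the accessed system: forwards attributes, enforces the decision."""
    def __init__(self, pdp):
        self.pdp = pdp
        self.audit_log = []  # decisions recorded for the compliance view the chapter describes

    def request(self, user, attributes, resource, action):
        allowed = self.pdp.decide(attributes, resource, action)
        self.audit_log.append((user, resource, action, "PERMIT" if allowed else "DENY"))
        return allowed  # the PEP then informs the user of the PDP's decision
```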
A security compliance management program establishes the association of compliance drivers with enterprise policy. Digital policy management is a technical implementation and enforcement of enterprise policy. Capturing these relationships within the ESF will show a clear association of compliance requirements and the implementation of services and mechanisms to enforce those compliance requirements.
Security Standards
Security standards are a description of uniformity to minimize enterprise risk in balance with fulfilling the enterprise mission. Standards may reflect a choice of technologies (e.g., a firewall standard may provide a choice of two vendors and two products); additionally, a standard may reflect how to implement a particular technology (e.g., configure the operating system in this manner, or set up packet filtering in the firewall in this manner). Categories of security standards include the following:
Hardware
  Computers
    Servers
    Desktop PCs
  Infrastructure
    Routers
    Switches
    Network interface cards (NICs)
    Cables
  Storage media
    CDs, DVDs, tapes, floppy disks, hard drives
Software
  Operating system
  Applications
    Word processing, spreadsheet, presentation software
Configuration
  Hardware
  Software
  Security mechanisms
    Firewall, antivirus, antispam, antispyware, intrusion detection system (IDS), intrusion prevention system (IPS)
Standardized server configurations enable easy setup and integration into the data center. Standard desktop configurations enable easy purchase, setup, and installation of desktops for new employees. A standard desktop environment enables the creation of software images with standard software applications. There is no need to test the applications because they are known to work efficiently within the standard desktop configuration.
Standards will address how to approach homogeneous versus heterogeneous environments. A homogeneous environment uses all of the same type of hardware and software, typically all from the same vendor; a heterogeneous environment will vary hardware and software among different vendors. Benefits to a homogeneous environment are volume purchase agreements, site licensing, help desk efficiency, the ability to provide standard configurations, and ease of creating a standard desktop image. A major drawback of a homogeneous environment is once an attacker learns to exploit one vulnerability, he or she may exploit the same vulnerability elsewhere in the enterprise. A heterogeneous environment purchases the same functionality from multiple vendors, e.g., the firewall used for Internet connectivity may vary from the firewall used to separate business units, or routers from different vendors handle local area networks (LANs) versus wide area networks (WANs). This increases the expenses to manage multiple vendor equipment and applications, but does provide an increase in security.
Defense-in-depth is the use of multiple security devices from the edge of the network to the core; defense-in-breadth is the use of multiple types of security devices within each layer. A heterogeneous environment supports the concept of defense-in-breadth. Another example is the use of multiple anti-malware applications because the anti-malware signature files may vary among vendors, and the use of multiple anti-malware applications filters a wider variety of malware. Note: Defense-in-breadth also includes extending security beyond the enterprise to vendors, partners, contractors, etc.
Security Management Standards
Many times people are in violent agreement because they are saying the same thing in different words and do not understand each other. One method of overcoming this is to introduce a common language. Speaking of security concepts and characteristics can get quite confusing and frustrating when debates start over the definition of risk or the exact nuance of vulnerability. There is emerging work by NIST that provides standards for articulating security concepts and characteristics. This work includes Common Vulnerabilities and Exposures (CVE) for common identification of vulnerabilities, Common Configuration Enumeration (CCE) to define secure configurations, Common Platform Enumeration (CPE) for a structured information technology naming scheme, Common Vulnerability Scoring System (CVSS) for scoring all CVE vulnerabilities, eXtensible Configuration Checklist Description Format (XCCDF) for specifying a language to write security checklists, and Open Vulnerability and Assessment Language (OVAL) to provide an industry standard for security content across all security tools.
The National Vulnerability Database (NVD) is “the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance” (http://nvd.nist.gov/, last accessed March 2009). The SCAP project within NVD has more details on CVE, CCE, CPE, CVSS, XCCDF, and OVAL.
Awareness of such standards will help you decide what aspects of security monitoring, analysis, and reporting may take place automatically versus manually. The ability to elicit configuration details from information technology may provide a real-time feed into a view of the enterprise security posture and the enterprise risk posture, and the details may support many audit efforts.
Security Procedures
Security procedures are a specified sequence of actions to achieve a desired end of effective and efficient management of business risk. Security procedures describe a disciplined, repeatable manner in which to use the security standards to implement and enforce security policy. Some security procedures are explicitly for information technology professionals and security professionals. Other security procedures are for other enterprise personnel. Security procedures may include the following:
Installing new PCs using the standard desktop image that includes operating system configurations and applications explicitly for security purposes
Discarding old PCs, hard drives, and other media
Backups; type and frequency