Overseeing Compliance of Security Operations ◾ 249
© 2011 by Taylor & Francis Group, LLC
NIST SP 800-53 Physical and Environmental Protection
NIST SP 800-53 Rev. 3
*
provides 19 physical and environment protection controls:
1. Physical and Environmental Protection Policy and Procedures
2. Physical Access Authorizations
3. Physical Access Control
4. Access Control for Transmission Medium
5. Access Control for Output Devices
6. Monitoring Physical Access
7. Visitor Control
8. Access Records
9. Power Equipment and Power Cabling
10. Emergency Shuto
11. Emergency Power
12. Emergency Lighting
13. Fire Protection
14. Temperature and Humidity Controls
15. Water Damage Protection
16. Delivery and Removal
17. Alternate Work Site
18. Location of Information System Components
19. Information Leakage
ese physical access controls correspond closely with HIPAA, but not exactly.
HIPAA calls for contingency operations under physical safeguards, whereas NIST
SP 800-53 provides an entire control section on contingency planning. Similarly, SP
800-53 provides a separate section on maintenance controls that includes mainte-
nance records. e use of SP 800-53 as a foundation for the ESS and ESF provides
for the planning, implementation, and tracking of a comprehensive security pro-
gram and may trace to various compliance requirements, including HIPAA. Even
though the compliance requirements may call a safeguard something dierent or
categorize it dierently from SP 800-53, there is usually a mapping from SP 800-53
to the legislative compliance requirement. Moreover, if the legislative compliance
requirement contains a safeguard not in SP 800-53, then add that to your ESS and
ESF to customize your situation.
Government Standards
Some government standards will prescribe physical security for sites where top-secret
activities occur. Often, site congurations will be rated for secret activities, top-
*
NIST SP 800-53 Rev. 3, Appendix D.
250 ◾ Official (ISC)
2
® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
secret activities, or beyond. Seek out relevant government standards that may apply
to your particular situation. Or, if your organization is a high visibility target for cor-
porate espionage or organized crime, you may benet from researching government
standards and incorporating them into your own security management program.
e big focus here is on information leakage from paper documents, cyber data, and
conversations in house, on a phone, or on video-conference equipment. e methods
to illicitly obtain information are many and varied; likewise, so are the safeguards.
Managed Security Services
If you use managed security services (MSSs), then you must also consider the envi-
ronment of the outsourcer. Your operations, data, reputation, and survivability now
also depend on ecient and secure outsourcer operations. is means that you
need to understand and inuence their operations to ensure that they represent
your organization’s best interests.
Address MSS physical security requirements in the business partner agreement
and SLAs. Also, provide the ability for you to assess the MSS environment for com-
pliance with the business agreement.
Local and Distributed
If your organization transports data o site, then physical security requirements
apply to physical transportation. is includes the type of media, protection of data
on media, protection of media in transport vehicles, procedures for the driver, and
media checkout/check-in procedures. Be aware that your domestic laws may vary
from foreign laws where you have operations; the use of encryption may be ne in
the United States, but not ne at all in some Eastern countries. is applies to both
businesses operations in the local country as well as organization employees travel-
ing in that country.
Mission Assurance
In a given environment, people perform processes using technology to produce results.
e results are the achievement of the business purpose and the fulllment of the
business mission. e successful execution of a software program may contribute to
the fulllment of the business mission, but successful execution is not the business
mission. Safeguarding the data center may contribute to the business mission, but
a safe data center is not the business mission.
e traditional focus on information assurance (IA) or computer security is
on the technology, i.e., ensuring the software application runs and the data center
is safe. As the material herein shows, technology is certainly important but is far
from the only consideration. Another habitual focus of information assurance and
Overseeing Compliance of Security Operations ◾ 251
© 2011 by Taylor & Francis Group, LLC
security is on information technology, or IA and security for their own sake—a
build it and they will come approach to developing software and purchasing hard-
ware. In other words, if we produce a wonderful solution, surely there is a problem
out there that needs us. e amount of time and money wasted on this misconcep-
tion is huge. Worse, the credibility of IT and security professionals is far less than
it should be for lack of proposing solutions and budgets in terms of business value.
Enterprise operations exist to produce a result, the bottom line of which is to opti-
mize stakeholder interests. Business need drives the need for technology; business
risk drives the need for security. ere is no justication for investment in security
without a corresponding business risk that it addresses. e enterprise mission is
not to be more secure; being more secure ensures the ability to fulll the mission.
Mission assurance involves safeguarding the fulllment of a specic task with
which an individual or group is charged and accepts as their main purpose. Mission
assurance is an emerging formal practice to identify key people, process, technol-
ogy, and environment that fulll the mission and then to align security operations
with these key resources. Understanding the mission will help you as a security
manager to prioritize the following: security investments, operations decisions,
budget allocations, hiring decisions, incident response, and overall security man-
agement in the context of the mission. is will help you articulate the business
value of security and provide you with the ability to make intelligent resource allo-
cations for security in terms of business value. Mention of mission assurance here is
to make you aware of the concept and to spark your personal research into current
mission assurance practices.
Summary
At this point, you should be familiar with the following topics covered in this chapter:
◾ e dierences between and the complementary nature of Legislation Man-
age ment and Litigation Management
◾ e use of an ESS as a foundation for all enterprise security planning
◾ e use of an ESF as a common construct for planning, tracking, and assess-
ment documents
◾ External security compliance
◾ Internal security compliance
◾ Manage outsourcing
◾ Software compliance
◾ Incident management and incident response
◾ How to apply the concepts to operational security daily activities
e key take-away from this chapter is the need for a disciplined approach to
compliance management of security operations. is disciplined approach starts
252 ◾ Official (ISC)
2
® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
with identifying an Enterprise Security Standard and developing an Enterprise
Security Framework from that standard. e ESF then becomes the outline within
which to record all security planning activities, development projects, and current
practices. Develop a traceability matrix from the ESF to compliance requirements.
Because the traceability is from the ESF structure, the content within the ESF inher-
its the traceable relationships. is is the best way to track a single activity that may
satisfy multiple compliance requirements. is is also the best way to identify gaps,
which is when an ESF area traces to a compliance requirement and that ESF area
has no current activity, no development activity, and no plan related to that area.
Review Questions
1. Cyber vulnerability testing consists of which of the following activities?
a. War driving and war dialing
b. Network probing and network scanning
c. Penetration testing
d. All of the above
2. Which of the following statements is true?
a. e main benet of using an MSSP is to turn over all responsibilities and
wash your hands of the entire enterprise security burden.
b. MSSP relationships can be more casual because most MSSPs are willing
and capable to take on the enterprise security responsibilities.
c. Operations, monitoring, detection, notication, and resolution may be
outsourced, but the security responsibility is only shared, not abdicated.
d. When using an MSSP, in-house security eorts are no longer necessary.
3. What is the intent of metrics?
a. Objective measurement of the enterprise risk posture
b. Objective evaluation of value to the organization in terms of business need
c. Determine if operations are performing within SLAs
d. Objective measurement of the enterprise security posture
4. An emerging formal practice to identify key people, process, technology, and
environment that fulll the mission and then to align security operations
with these key resources is known as what?
a. Enterprise risk management
b. Enterprise security management
c. Risk management
d. Mission assurance
5. Given the existence of enterprise security guidance, and that enterprise
employees, business partners, vendors, and other covered entities are aware
and understand the policies, standards, procedures, and guidelines, there is a
need to enforce compliance in daily operations. Enforcement requires which
of the following?
Overseeing Compliance of Security Operations ◾ 253
© 2011 by Taylor & Francis Group, LLC
a. Monitoring for noncompliance
b. Detecting and responding to noncompliance
c. Both a and b
d. None of the above
6. Which of the following statements is false about the Enterprise Security
Standard (ESS)?
a. You can develop an ESS from an industry security standard or from secu-
rity legislation or both.
b. e structure of the ESS becomes the foundation for the enterprise
security framework (ESF).
c. To save money, and since the ESS is unique to each organization anyway,
developing the ESS from sta experience, though somewhat arbitrary, is
an acceptable practice.
d. e enterprise security standard (ESS) is a list of all applicable security
controls grouped by families.
7. Which of the following statements is true about incident response?
a. Some potential members of an incident response team are senior manage-
ment, legal, corporate communications, and operations.
b. Incident response team (IRT) and cyber incident response team (CIRT)
are similar phrases for the same organizational function.
c. e news media will print what they want anyway, so it is okay for anyone
on the security team to speak to them about security incident details.
d. All cyber incidents are unique and upon detection are immediately esca-
lated to subject matter experts (SMEs).
8. Which of the following statements is false?
a. In a given environment, people perform processes using technology to
produce results.
b. Security is a support structure of safeguards for cost management and
never contributes to revenue generation.
c. A key dierentiating characteristic of the cyber domain from the other
domains is physical proximity.
d. e complement to legislative compliance is good business practice.
9. What is the purpose of a service level agreement (SLA)?
a. e SLA is only used as a formal agreement between the enterprise and
external service providers to establish services, performance parameters,
and nancial penalties for performance outside of specied parameters.
b. e SLA records common understanding about the services provided and
the performance parameters within which to provide the services.
c. e SLA species performance measurements in terms of thresholds, e.g.,
number of transactions per hour, available bandwidth, and down-time
tolerances.
d. e SLA is a formal agreement that species pay for performance within
operations departments.
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.