© 2011 by Taylor & Francis Group, LLC
Chapter 3
Overseeing Compliance of Security Operations
Keith D. Willett
Contents
Introduction ......................................................................................................132
Chapter Objectives .......................................................................................133
Key Areas of Knowledge ...........................................................................133
The Cyber Domain .......................................................................................133
Business Perspective .................................................................................134
Risk Posture, Security Posture, and Risk Exposure ........................................135
Security Core Principles ................................................................................136
Compliance Perspectives ...................................................................................137
Security Compliance Management Program .................................................137
Governance ..............................................................................................139
Adjudication ............................................................................................139
Planning...................................................................................................139
Development ...........................................................................................139
Implementation and Deployment ............................................................140
Enforcement ............................................................................................140
Discovery .................................................................................................140
Analysis ....................................................................................................141
Reporting .................................................................................................141
Correction ................................................................................................141
Legislation Management ...............................................................................142
Official (ISC)²® Guide to the ISSMP® CBK®
Legislation Awareness ...............................................................................142
A View of the HIPAA Final Security Rule ................................................142
A View of Sarbanes-Oxley ........................................................................144
Litigation Management ................................................................................145
Enterprise Security Standard .............................................................................145
Enterprise Security Framework .....................................................................148
Enterprise Use of ESF ..............................................................................148
A View of NIST SP 800-53 as an ESS and ESF ............................................150
ESF as a Common Alignment Structure ...................................................152
People ...............................................................................................................152
People and Compliance ................................................................................154
Enterprise Role of Policies, Standards, Procedures, and Practice ....................154
Security Policies ............................................................................................154
Policy Structure and Content ...................................................................155
Security Policy General Practices ..............................................................156
Access Policy ............................................................................................157
Wireless Policy .........................................................................................161
Portable Media Policy ...............................................................................162
Software Management Policy ...................................................................164
Media Disposal Policy ..............................................................................165
Contracts and Business Agreement Policy ................................................165
Incident Response Policy ..........................................................................169
Digital Policy Management ...........................................................................170
Security Standards ........................................................................................171
Security Management Standards...............................................................173
Security Procedures .......................................................................................173
Security Guidelines .......................................................................................174
Security Practice ...........................................................................................174
Compliance Document Dissemination .........................................................174
Metrics .........................................................................................................175
Existence Metrics .....................................................................................175
Eectiveness Metrics ................................................................................176
Eciency Metrics .....................................................................................176
Process ..............................................................................................................176
Conguration Management ..........................................................................177
Library Management ................................................................................177
Patch Management...................................................................................178
Patch Management, Risk Posture, and Security Posture ............................179
Change Control .......................................................................................180
Records Management ...................................................................................183
Records ....................................................................................................183
Records Management Process ...................................................................184
Physical and Virtual Records ....................................................................189
Vulnerability Management ............................................................................189
Advisory Services ......................................................................................189
Vulnerability Testing ................................................................................190
Vulnerability Management Metrics ..........................................................192
Outsourcing .................................................................................................193
Outsourcing Misconceptions ...................................................................193
Managing Outsourcing ............................................................................194
Outsourcing Performance Standards ........................................................195
Outsourcing and Compliance ..................................................................195
Outsourcing Best Practices .......................................................................196
Managed Security Service Providers .........................................................198
Incident Management ...................................................................................198
Types of Incident Management and Anomaly Types .................................199
Prepare .....................................................................................................199
Prevent .....................................................................................................202
Protect .....................................................................................................203
Respond ...................................................................................................207
Sustain .....................................................................................................211
Violations and Breaches ...........................................................................211
Incident Response ....................................................................................212
Evaluating Incident Response Capabilities ....................................................221
Incident Response Metrics .......................................................................221
Problem Management .................................................................................. 222
Prioritization Techniques ..............................................................................224
Backups ........................................................................................................225
Data ........................................................................................................ 226
System .....................................................................................................227
Cryptographic Key Management .............................................................227
Auditing .......................................................................................................229
Security Audit Process ..............................................................................229
Technology ........................................................................................................231
Inventory Management ................................................................................232
Hardware .................................................................................................232
Software ...................................................................................................233
Conguration Settings .............................................................................235
Virtual Machines ......................................................................................236
Information Inventory .............................................................................237
Inventory Management Good General Practice ........................................237
Access Control ..............................................................................................238
Anti-Malware................................................................................................240
Botnet Awareness .....................................................................................241
Outbound Traffic and Exfiltration ............................................................244
Web Application Firewalls ........................................................................244
Operating Systems ........................................................................................245
System Hardening ....................................................................................245
Environment .....................................................................................................246
Physical Security ...........................................................................................247
HIPAA Physical Safeguard Requirements .................................................247
NIST SP 800-53 Physical and Environmental Protection ........................249
Government Standards .............................................................................249
Managed Security Services ............................................................................250
Local and Distributed ...................................................................................250
Mission Assurance .............................................................................................250
Summary ...........................................................................................................251
Review Questions ..............................................................................................252
References .........................................................................................................256
Introduction
In a given environment, people perform processes using technology to produce results. The results contribute to the fulfillment of objectives, goals, and mission to achieve the overall enterprise vision. There are risks to the people, processes, technology, and environment that interfere with the effective and efficient production of results. Your job as a security professional is to identify those risks and address them in an appropriate manner. One element of risk is compliance—compliance with external legislative and regulatory mandates, as well as enterprise internal compliance with policies, standards, and procedures including those for security.
Policies define appropriate behavior within the organization. Standards are a description of uniformity; they are a specification of commonality to implement and enforce policy. Procedures are a specified sequence of actions to achieve a desired end. Procedures describe a disciplined, repeatable manner for how to use the standards to implement and enforce policy. An enterprise is a unity of activity, e.g., a term to refer to the comprehensive business or business activities of a particular company, or a term to refer to the comprehensive activities of a government unit (e.g., Federal Enterprise). Enterprise risk is the likelihood of potential negative impact to a unity of activity.
As a security professional, you minimize enterprise risk in balance with achieving the enterprise mission by specifying security policies, standards, and procedures. Security policies reflect the compliance requirements externally imposed on the organization (e.g., legislation and regulation) as well as the internal compliance requirements self-imposed as good business practice (e.g., ISO 27001 or NIST SP 800-53). This chapter examines security operations and compliance with topics organized by people, process, technology, and environment, including a perspective of security policies, standards, and procedures to implement and enforce compliance requirements.
Chapter Objectives
Risk exposure is the degree of potential negative impact. Risk posture is an intentionally assumed position to deal with potential negative impact. Security posture is an intentionally assumed position to protect against danger or loss. Legislative mandates increase risk exposure of the enterprise via increasing its liability for noncompliance. The enterprise must decide how to position itself for compliance in balance with operational outcomes, i.e., the enterprise must define its risk posture and then implement safeguards to enforce the risk posture. Similarly, enterprise policy describes appropriate behavior within the enterprise; policy is an internal compliance requirement for enterprise employees and those doing business with the enterprise.
The objectives of this chapter are to present compliance and security operations. This includes a look at external influences on security operations (e.g., legislation, regulation) as well as internal compliance requirements that are part of security operations. Additionally, we will look at compliance from various perspectives to understand what compliance is and to identify the specific compliance goals for your security department. We will look at various examples of compliance in inventory control, auditing, configuration management, penetration testing, and vulnerability testing.
Key Areas of Knowledge
Key areas of knowledge for compliance of security operations are as follows:
Security Compliance Management Program (SCMP)
Legislation management
Litigation management
Enterprise Security Standard (ESS)
Enterprise Security Framework (ESF)
Identication of external compliance requirements
Creation and management of internal compliance requirements
Security policies, standards, and procedures
Monitor for violations
Detection
Incident management; incident response
The Cyber Domain
There is a new domain to life, the cyber domain, i.e., there is land, sea, air, space, and now cyber. The cyber domain that most of us encounter is the Internet. This