174 ◾ Official (ISC)² Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
Backup storage; legislative requirements for retaining transaction data
Pre-hire procedures; e.g., background and reference check
New hire procedures; e.g., establish unique identity for access control
Security Guidelines
Security guidelines are less formal than procedures, but they convey a general sense of intent and of how to achieve that intent. If the enterprise security department has a particular goal in mind but does not prescribe a specific way of reaching it, leaving the means of achieving the end up to the individual, then capture that intent in a guideline.
Security Practice
Despite all the enterprise policies, standards, procedures, and guidelines, there remains a difference between what the organization prescribes (documents) and what the organization actually does (practice). Evaluating the documents to ensure that the right directives exist to motivate behavior is critically important for good business practice and to show due diligence for an effective security program (remember the need for both legislative and litigation management). Even after evaluating the documents, there still remains the need to evaluate actual behavior to ensure it complies with the documents.
Evaluating behavior means interviews, observations via shoulder surfing (i.e., looking over the shoulder of an employee to verify secure practice), and hands-on verification that security measures exist, are being used, and are being used according to policy. The sections on Vulnerability Management and Penetration Testing provide more detail on evaluating security practice.
Compliance Document Dissemination
Dissemination of these compliance documents is a challenge for many organizations. Factors to consider are the number of people who must receive the documents, the physical location of those people, the duration (effective shelf life) of the documents (i.e., how often they change), and the access to technology of the people who must receive them. Printing and physically mailing the documents is not likely to be a good choice, unless you have a nontechnical workforce without access to computers.
e most cost-eective method is to place the documents on a document server
with a Web interface and provide access information via e-mail. Now that people
know where to get them, they need to know when they need them. An awareness
campaign is one method that will work well for general security information like
preparing people to be aware of social engineering. Other documents may be situa-
tion specic and require more focused communication with managers and require
the managers to engage the appropriate personnel for awareness and training.
For dissemination purposes, consider the usefulness of the following for
your organization:
Compliance resource center
Compliance management system
Record-specic employee access
Note: consider nonrepudiation and the nondeniability principle
Record employee reading and acceptance
A compliance resource center is a single point to store the latest version of all policies, standards, procedures, and guidelines. A compliance management system will help with version control, keep records of old compliance documents, and be able to track who checks out or otherwise downloads compliance documents. This latter capability supports recording specific employee access, which is necessary to prove that employees are indeed aware of a particular policy that all employees may be required to read. Further, the compliance management system may support recording digital signatures to verify employee reading and acceptance of enterprise compliance documents.
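The paragraph above asks a compliance management system to record which employee read and accepted which document, with a digital signature so that the acceptance cannot later be denied (the nonrepudiation principle noted in the list). The following program is an added example, not code from the book or from any compliance product: it binds the employee identifier, the document identifier, a SHA-256 hash of the exact document text shown, and the acceptance time into one record and signs it with an Ed25519 key that only the employee holds. The record structure, field names and sample policy text are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Acceptance is a compliance-management-system record stating that an
// employee read and accepted one specific version of a document.
// (Hypothetical structure constructed for this example.)
type Acceptance struct {
	Employee   string
	DocumentID string
	VersionSHA string // SHA-256 of the exact document text that was shown
	AcceptedAt time.Time
	Signature  []byte
}

// DocumentVersion identifies a policy text by its content hash, so the
// record cannot later be claimed to refer to a different revision.
func DocumentVersion(text string) string {
	sum := sha256.Sum256([]byte(text))
	return hex.EncodeToString(sum[:])
}

// signedPayload is the byte string the employee's key signs. Every field
// that matters for the claim is bound into it, so changing any one of
// them invalidates the signature.
func signedPayload(employee, docID, version string, at time.Time) []byte {
	return []byte(employee + "\n" + docID + "\n" + version + "\n" + at.UTC().Format(time.RFC3339))
}

// RecordAcceptance creates the record and signs it with the employee's
// private key (held only by the employee, e.g. on a smart card), which is
// what gives the record its nonrepudiation property.
func RecordAcceptance(priv ed25519.PrivateKey, employee, docID, text string, at time.Time) Acceptance {
	v := DocumentVersion(text)
	return Acceptance{
		Employee: employee, DocumentID: docID, VersionSHA: v, AcceptedAt: at,
		Signature: ed25519.Sign(priv, signedPayload(employee, docID, v, at)),
	}
}

// VerifyAcceptance checks, with the employee's public key, that the record
// is genuine and refers to exactly the document text supplied.
func VerifyAcceptance(pub ed25519.PublicKey, a Acceptance, text string) bool {
	if DocumentVersion(text) != a.VersionSHA {
		return false // record is for a different revision of the document
	}
	return ed25519.Verify(pub, signedPayload(a.Employee, a.DocumentID, a.VersionSHA, a.AcceptedAt), a.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	policy := "Acceptable Use Policy, revision 3: ..." // constructed sample document
	rec := RecordAcceptance(priv, "E1042", "AUP", policy, time.Now())
	fmt.Println("valid:", VerifyAcceptance(pub, rec, policy))
	fmt.Println("valid against edited text:", VerifyAcceptance(pub, rec, policy+" (edited)"))
}
```

A shared-secret MAC would not serve here: the compliance team would hold the same key as the employee, so the employee could claim the team produced the record. Only a signature under a key the employee alone controls lets the record stand as evidence that this person accepted this revision.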
Metrics
The purpose of metrics is the objective evaluation of value to the organization in terms of business need, and of solution existence, effectiveness, and efficiency. That is, define what we need, discover whether the things we need exist, determine whether they are producing the results we expect, and analyze whether they are producing those results within acceptable performance parameters. Determination of what we need is the baseline of comparison for all other metrics. Defining what we need includes the type of safeguards (determined from a risk assessment/analysis), the depth of safeguards (e.g., perimeter and core safeguards), placement of safeguards (e.g., number and location), and performance parameters (e.g., bandwidth utilization, bandwidth throughput, mean time between failures, and annual downtime allowance).
Existence Metrics
Examine the risks, threat space, asset space, and vulnerability space to determine what safeguards the organization needs. The enterprise risk posture expresses the manner in which to address each risk: accept, ignore (which is really implicit acceptance), share, transfer, or mitigate. The safeguards necessary to implement and enforce the risk posture constitute a to-be security posture. The discovery of security services and mechanisms the organization currently has in place provides an as-is security posture. Comparing as-is to to-be yields the security posture gaps. Establishing safeguard priorities via a business impact analysis (BIA) and assigning
budget and schedule to those priorities is the gap closure plan. An effective gap closure plan is an intelligent allocation of resources to establish an enterprise security posture that balances empowerment to fulfill the mission with risk mitigation, so as to ensure legislative compliance and employee safety and to optimize stakeholder interests.
The gap closure plan will include what to purchase, implement, test, deploy, and operate so that users can perform the tasks that achieve the enterprise mission and fulfill the enterprise vision. Existence metrics compare the as-is posture to the to-be posture. Existence metrics may track how many safeguards are in the budget, how many are ordered, and how many are received, tested, deployed, and in current operation.
Effectiveness Metrics
The fact that the enterprise has a safeguard and has deployed it into the field does not necessarily imply that the safeguard is producing the expected results. The safeguard may be inoperable, or it may not be providing what the end user or operations manager expected it to provide. Moreover, last year's safeguard may have been very effective, but a new threat has since rendered it ineffective. With respect to technology and process, effectiveness metrics track the operational state of the safeguard and whether the safeguard is producing the expected results.
For example, with respect to security training, awareness, and education, effectiveness metrics may track the dissemination, awareness, understanding, and use of security policy, standards, procedures, services, and mechanisms. Dissemination metrics may track how many e-mails went out notifying employees of a new policy or safeguard. Awareness metrics may track how many employees opened the e-mail, on the assumption that if they opened it they are now aware. Follow-up tests, quizzes, or surveys measure employee understanding of the material. Audit logs and transaction logs provide measures of actual use.
Efficiency Metrics
A safeguard should produce a desired result, and it should do so within acceptable operating parameters. Service level agreements (SLAs) reflect these acceptable operating parameters and may include bandwidth utilization, response time, quality of communications, error reporting, notice of performance degradation, and notice of hard failure.
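The three metric families above (existence, effectiveness, efficiency) are easier to keep honest when each is computed from data rather than asserted. The program below is an added example, not from the book: it derives the posture gaps from a to-be list and an as-is map (ordered by BIA priority, as the gap closure plan requires), counts safeguards per pipeline stage for existence metrics, builds the notified/opened/understood awareness funnel from constructed event lines (effectiveness), and counts SLA breaches over constructed response-time samples (efficiency). The stage names, event format and sample values are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Safeguard is an entry in the to-be security posture derived from the risk
// assessment; Priority comes from the BIA (lower number = more critical).
type Safeguard struct {
	Name     string
	Priority int
}

// Stage is how far a budgeted safeguard has progressed toward operation
// (stage names constructed for this example).
type Stage string

const (
	Budgeted    Stage = "budgeted"
	Ordered     Stage = "ordered"
	Received    Stage = "received"
	Tested      Stage = "tested"
	Deployed    Stage = "deployed"
	Operational Stage = "operational"
)

// PostureGaps returns the to-be safeguards that are not yet operational in
// the as-is posture, ordered by BIA priority: the input to the gap closure plan.
func PostureGaps(toBe []Safeguard, asIs map[string]Stage) []Safeguard {
	var gaps []Safeguard
	for _, s := range toBe {
		if asIs[s.Name] != Operational {
			gaps = append(gaps, s)
		}
	}
	sort.Slice(gaps, func(i, j int) bool { return gaps[i].Priority < gaps[j].Priority })
	return gaps
}

// ExistenceMetrics counts safeguards at each stage of the pipeline.
func ExistenceMetrics(asIs map[string]Stage) map[Stage]int {
	m := map[Stage]int{}
	for _, st := range asIs {
		m[st]++
	}
	return m
}

// Funnel is an effectiveness metric for an awareness campaign. Each level
// counts distinct employees, so someone who opened the mail twice counts once.
type Funnel struct {
	Notified, Opened, Understood int
}

// AwarenessFunnel derives the funnel from constructed event lines of the
// form "<event> <employee>" (events: notified, opened, quiz-passed).
// Malformed lines are ignored rather than allowed to inflate a count.
func AwarenessFunnel(events []string) Funnel {
	seen := map[string]map[string]bool{}
	for _, line := range events {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue
		}
		if seen[f[0]] == nil {
			seen[f[0]] = map[string]bool{}
		}
		seen[f[0]][f[1]] = true
	}
	return Funnel{len(seen["notified"]), len(seen["opened"]), len(seen["quiz-passed"])}
}

// SLABreaches is an efficiency metric: how many measured response times
// exceeded the limit agreed in the SLA.
func SLABreaches(samples []time.Duration, limit time.Duration) int {
	n := 0
	for _, d := range samples {
		if d > limit {
			n++
		}
	}
	return n
}

func main() {
	// Constructed sample postures, events and measurements.
	toBe := []Safeguard{{"perimeter firewall", 1}, {"host IDS", 3}, {"log review", 2}}
	asIs := map[string]Stage{"perimeter firewall": Operational, "host IDS": Ordered}
	fmt.Println("gaps by priority:", PostureGaps(toBe, asIs))
	fmt.Println("existence:", ExistenceMetrics(asIs))
	events := []string{"notified E1", "notified E2", "opened E1", "opened E1", "quiz-passed E1"}
	fmt.Println("awareness funnel:", AwarenessFunnel(events))
	samples := []time.Duration{80 * time.Millisecond, 250 * time.Millisecond}
	fmt.Println("SLA breaches:", SLABreaches(samples, 200*time.Millisecond))
}
```

The funnel deliberately counts distinct employees per level; a count of raw open events is the kind of metric that looks good while saying nothing about how many people were actually reached.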
Process
In a given environment, people perform processes using technology to produce results.
Security operations processes subject to compliance or in support of compliance
management include the following:
Conguration Management
Records Management
Vulnerability Testing
Outsourcing
Incident Management
Problem Management
Error and problem control
Prioritization Techniques
Backups
Auditing
Configuration Management
Conguration management (CM) is the process of managing changes in hardware,
software, rmware, and documents throughout the product lifecycle. e purpose
of CM is to enforce discipline around modications and provide the ability to roll
back to previous versions in the event of diculties in implementing the modica-
tion or adverse results stemming from the modication. Conguration manage-
ment consists of a combination of practices that include the following:
Library Management
Patch Management
Change Control
Library Management
A library management system (LMS) provides enterprise resource administration
for a repository of artifacts that include the following:
Software
Source code
User documentation
System documentation
Test data
Project plans
The CM library management system should provide for the storage and retrieval of library artifacts; provide for sharing of artifacts among individuals and groups within the library; provide for the storage and recovery of archive artifacts (e.g., old versions); provide service functions to check artifact status, verify the presence of all built items, and integrate changes to form a new baseline; ensure the creation of products from the baseline library; provide for the storage, update, and
retrieval of CM artifacts; produce CM reports; and support traceability require-
ments throughout the lifecycle.
Critical business decisions may ride on the integrity and accuracy of the library artifacts. An important feature of the CM LMS is to ensure only authorized access and authorized modification to library artifacts within the LMS. Similarly, the LMS should also control the introduction of modified and new artifacts. One function of the LMS is to collect many artifacts that may be aggregated into larger documents or larger software applications. Trust that the low-level artifacts contain the correct details and produce the correct results is therefore very important. Multiple libraries may be necessary to accommodate different types of artifacts, such as financial documentation or software development source code. Multiple libraries may also be necessary to accommodate the diversity of material and to provide different types of security controls.
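The CM and library management passages above ask for three things a small model can make concrete: every modification is checked for authorization, a baseline is formed from the stored revisions, and a bad change can be rolled back to a previous version whose integrity is still verifiable. The program below is an added example, not the book's or any LMS product's code: an in-memory library that hashes each checked-in revision with SHA-256, refuses check-ins and rollbacks from users not on its authorized list, freezes a baseline, and verifies stored bytes against the recorded hash on retrieval so that a tampered or corrupted artifact is detected. The type names, user names and sample artifact are assumptions constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Version is one stored revision of an artifact, identified by a content
// hash so that a tampered artifact no longer matches its recorded hash.
type Version struct {
	Number  int
	Author  string
	SHA256  string
	Content []byte
}

// Library is a minimal CM library management system (hypothetical): a
// repository of artifacts with per-artifact history, an authorization
// check on every modification, and rollback to an earlier revision.
type Library struct {
	authorized map[string]bool      // users allowed to modify artifacts
	history    map[string][]Version // artifact name -> revisions, oldest first
	baseline   map[string]int       // artifact name -> version number in the current baseline
}

var ErrUnauthorized = errors.New("user not authorized to modify library artifacts")
var ErrNoSuchVersion = errors.New("no such version")

func NewLibrary(authorized ...string) *Library {
	l := &Library{authorized: map[string]bool{}, history: map[string][]Version{}, baseline: map[string]int{}}
	for _, u := range authorized {
		l.authorized[u] = true
	}
	return l
}

func hashOf(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// CheckIn stores a new revision of an artifact; only authorized users may do so.
func (l *Library) CheckIn(user, name string, content []byte) (Version, error) {
	if !l.authorized[user] {
		return Version{}, ErrUnauthorized
	}
	v := Version{Number: len(l.history[name]) + 1, Author: user, SHA256: hashOf(content), Content: append([]byte(nil), content...)}
	l.history[name] = append(l.history[name], v)
	return v, nil
}

// Baseline freezes the latest revision of every artifact as the build baseline
// and returns a copy of the resulting name -> version map.
func (l *Library) Baseline() map[string]int {
	for name, revs := range l.history {
		l.baseline[name] = revs[len(revs)-1].Number
	}
	out := map[string]int{}
	for k, v := range l.baseline {
		out[k] = v
	}
	return out
}

// Rollback moves the baseline of one artifact back to an earlier revision,
// e.g. when a modification produced adverse results. Authorized users only.
func (l *Library) Rollback(user, name string, number int) error {
	if !l.authorized[user] {
		return ErrUnauthorized
	}
	if number < 1 || number > len(l.history[name]) {
		return ErrNoSuchVersion
	}
	l.baseline[name] = number
	return nil
}

// BaselineContent returns the content the baseline points at, verifying the
// stored bytes against the recorded hash (detects corruption or tampering).
func (l *Library) BaselineContent(name string) ([]byte, error) {
	n, ok := l.baseline[name]
	if !ok {
		return nil, ErrNoSuchVersion
	}
	v := l.history[name][n-1]
	if hashOf(v.Content) != v.SHA256 {
		return nil, errors.New("artifact content does not match recorded hash")
	}
	return v.Content, nil
}

func main() {
	lib := NewLibrary("alice") // constructed: alice is the only authorized librarian
	lib.CheckIn("alice", "firewall.conf", []byte("allow 443\n"))
	lib.CheckIn("alice", "firewall.conf", []byte("allow 443\nallow 8080\n"))
	fmt.Println("baseline:", lib.Baseline())
	if err := lib.Rollback("alice", "firewall.conf", 1); err != nil {
		fmt.Println(err)
	}
	c, _ := lib.BaselineContent("firewall.conf")
	fmt.Printf("baseline content after rollback: %q\n", c)
	_, err := lib.CheckIn("mallory", "firewall.conf", []byte("allow any\n"))
	fmt.Println("unauthorized check-in:", err)
}
```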
Patch Management
Patch management involves methodically directing the administration of software and hardware updates that are intended to provide additional features, fix bugs, or eliminate vulnerabilities. Patches are modifications to software that fix bugs, correct design flaws, and close security holes. Patches may cause problems as well as fix them, especially when they are applied to operating systems or system utilities upon which other applications depend. A software application (e.g., accounting software) may have been developed to work around a particular operating system (OS) flaw. When the OS flaw is fixed, the application may no longer work, because it expects the flaw that is no longer there. These types of scenarios make unconditional installation of software patches problematic.
Good business practice is to create a test system, install the patch, and test critical applications to ensure they work with the patch installed. If they do not work, this becomes part of the decision process on whether to install the patch. If the patch fixes an egregious security hole but renders key applications unusable, the enterprise must decide what takes precedence, operations or security, which is not always an easy choice. The potential for negative effects from installing patches is the reason patch management is associated with change control.
Patch management software may help in deploying patches within the enter-
prise. Examples of patch management software include the following: WSUS
(Windows), Up2date (Red Hat), aptitude (Debian), yum (CentOS), and Cisco
Trust Agent. Patch management software has four functions:
1. Facilitates patch download to a central location
2. Repository of patches
3. Patch testing
4. Patch database
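The four functions listed above, together with the test-system rule from the previous paragraphs, can be modeled in a few dozen lines. The program below is an added example, not the book's text or the behavior of any of the named products: a patch database that records each downloaded patch with the outcome of an integrity check against the hash the vendor published, stores test results for critical applications on the test system, and only returns "approve" for a patch that verified and passed on every critical application. Any failure is returned as a hold with the failing applications listed, so the operations-versus-security decision goes to change control rather than being made by the tool. The structures, decision labels, patch identifier and sample payload are assumptions constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Patch is one entry in the patch repository (hypothetical structure).
type Patch struct {
	ID           string
	VendorSHA256 string // hash published by the vendor alongside the patch
	Payload      []byte // the downloaded patch file
	Verified     bool   // payload matched the vendor hash at download time
}

// TestResult records whether a critical application still worked on the
// test system after the patch was installed. A rerun after a fix simply
// records a newer result, which supersedes the earlier one.
type TestResult struct {
	PatchID string
	App     string
	Passed  bool
}

// Decision is the change-control outcome for a patch.
type Decision string

const (
	Approve  Decision = "approve for deployment"
	Hold     Decision = "hold: critical application failed, needs change-control decision"
	Reject   Decision = "reject: integrity check failed"
	Untested Decision = "untested: not all critical applications checked on the test system"
	Missing  Decision = "not in repository"
)

// PatchDB is the patch database: the repository plus its test records.
type PatchDB struct {
	patches map[string]*Patch
	results map[string][]TestResult
}

func NewPatchDB() *PatchDB {
	return &PatchDB{patches: map[string]*Patch{}, results: map[string][]TestResult{}}
}

// SHA256Hex is the hash used for the integrity check.
func SHA256Hex(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// Download stores a downloaded payload in the central repository and
// reports whether it matched the vendor-published hash.
func (db *PatchDB) Download(id, vendorSHA string, payload []byte) bool {
	p := &Patch{ID: id, VendorSHA256: vendorSHA, Payload: payload, Verified: SHA256Hex(payload) == vendorSHA}
	db.patches[id] = p
	return p.Verified
}

// RecordTest adds a test-system result for a patch.
func (db *PatchDB) RecordTest(r TestResult) {
	db.results[r.PatchID] = append(db.results[r.PatchID], r)
}

// Decide applies the rule from the text: a patch is a deployment candidate
// only after it has been tested against every critical application, and
// any failure escalates the decision to change control.
func (db *PatchDB) Decide(id string, criticalApps []string) (Decision, []string) {
	p, ok := db.patches[id]
	if !ok {
		return Missing, nil
	}
	if !p.Verified {
		return Reject, nil
	}
	latest := map[string]bool{} // app -> most recent test outcome
	for _, r := range db.results[id] {
		latest[r.App] = r.Passed
	}
	var failed []string
	for _, app := range criticalApps {
		passed, tested := latest[app]
		if !tested {
			return Untested, nil
		}
		if !passed {
			failed = append(failed, app)
		}
	}
	if len(failed) > 0 {
		return Hold, failed
	}
	return Approve, nil
}

func main() {
	db := NewPatchDB()
	payload := []byte("constructed patch bytes") // stand-in for a real patch file
	db.Download("PATCH-EXAMPLE-1", SHA256Hex(payload), payload)
	db.RecordTest(TestResult{"PATCH-EXAMPLE-1", "accounting", true})
	db.RecordTest(TestResult{"PATCH-EXAMPLE-1", "payroll", false})
	d, failed := db.Decide("PATCH-EXAMPLE-1", []string{"accounting", "payroll"})
	fmt.Println(d, failed)
}
```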