
Chapter 1

Security Governance Through Principles and Policies

Understand and Apply Concepts of Confidentiality, Integrity, and Availability

• CIA Triad
• AAA Services
• Protection Mechanisms

overview
CIA Triad
• Confidentiality
• Integrity
• Availability
Confidentiality
• Sensitivity
• Discretion
• Criticality
• Concealment
• Secrecy
• Privacy
• Seclusion
• Isolation
Integrity 1/3
• Preventing unauthorized subjects from making modifications
• Preventing authorized subjects from making unauthorized modifications
• Maintaining the internal and external consistency of objects
Integrity 2/3
• Accuracy: Being correct and precise
• Truthfulness: Being a true reflection of reality
• Authenticity: Being authentic or genuine
• Validity: Being factually or logically sound
• Nonrepudiation: Not being able to deny having performed an action or activity, or being able to verify the origin of a communication or event
Integrity 3/3
• Accountability: Being responsible or obligated for actions and results
• Responsibility: Being in charge or having control over something or someone
• Completeness: Having all needed and necessary components or parts
• Comprehensiveness: Being complete in scope; the full inclusion of all needed elements
Availability
• Usability: The state of being easy to use or learn, or being able to be understood and controlled by a subject
• Accessibility: The assurance that the widest range of subjects can interact with a resource regardless of their capabilities or limitations
• Timeliness: Being prompt, on time, within a reasonable time frame, or providing a low-latency response
AAA Services
• Identification
• Authentication
• Authorization
• Auditing
• Accounting/
Accountability
Protection Mechanisms
• Layering/Defense in Depth
• Abstraction
• Data Hiding
• Security through obscurity
• Encryption
Evaluate and Apply Security Governance Principles
• Alignment of Security Function
• Security Management Plans
• Organizational Processes
• Change Control/Management
• Data Classification
• Organizational Roles and Responsibilities
• Security Control Frameworks
• Due Care and Due Diligence
overview
Alignment of Security Function
• Alignment to Strategy, Goals, Mission, and Objectives
• Security Policy
• Based on business case
• Top-Down Approach
• Senior Management Approval
• Security Management:
• InfoSec team, CISO, CSP, ISO
Security Management Plans

• Strategic
• Tactical
• Operational
Organizational Processes
• Security governance
• Acquisitions and divestitures risks:
• Inappropriate information disclosure
• Data loss
• Downtime
• Failure to achieve sufficient return on investment (ROI)
Change Control/Management 1/2
• Implement changes in a monitored and orderly manner. Changes are always controlled.
• A formalized testing process is included to verify that a change produces expected results.
• All changes can be reversed (also known as backout or rollback plans/procedures).
• Users are informed of changes before they occur to prevent loss of productivity.
Change Control/Management 2/2
• The effects of changes are systematically analyzed to determine whether security or business processes are negatively affected.
• The negative impact of changes on capabilities, functionality, and performance is minimized.
• Changes are reviewed and approved by a change approval board (CAB).
Data Classification 1/2
• Determines: effort, money, and resources
• Government/military vs. commercial/private sector
• Declassification
Data Classification 2/2
1. Identify the custodian, define responsibilities.
2. Specify the evaluation criteria.
3. Classify and label each resource.
4. Document any exceptions.
5. Select the security controls for each level.
6. Specify declassification and external transfer.
7. Create an enterprise-wide awareness program.
Organizational Roles and Responsibilities
• Senior Manager
• Security Professional
• Data Owner
• Data Custodian
• User
• Auditor
Security Control Frameworks
• COBIT (see next slide)
• Used to plan the IT security of an organization and as a guideline for auditors
• Information Systems Audit and Control Association (ISACA)
• Open Source Security Testing Methodology Manual (OSSTMM)
• ISO/IEC 27001 and 27002
• Information Technology Infrastructure Library (ITIL)
Control Objectives for Information and Related Technologies (COBIT)
• Principle 1: Meeting Stakeholder Needs
• Principle 2: Covering the Enterprise End-to-End
• Principle 3: Applying a Single, Integrated Framework
• Principle 4: Enabling a Holistic Approach
• Principle 5: Separating Governance From Management
Due Care and Due Diligence
• Due care is using reasonable care to protect the interests of an organization.
• Due diligence is practicing the activities that maintain the due care effort.
Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines
• Security Policies
• Security Standards, Baselines, and Guidelines
• Security Procedures
overview
Security Policies
• Defines the scope of security needed by the organization
• Organizational, issue-specific, system-specific
• Regulatory, advisory, informative
Security Standards, Baselines, and Guidelines
• Standards define compulsory requirements
• Baselines define a minimum level of security
• Guidelines offer recommendations on how standards and baselines are implemented
Security Procedures
• Standard operating procedure (SOP)
• A detailed, step-by-step how-to
• To ensure the integrity of business processes
Understand and Apply Threat Modeling Concepts and Methodologies
• Threat Modeling
• Identifying Threats
• Threat Categorization Schemes
• Determining and Diagramming Potential Attacks
• Performing Reduction Analysis
• Prioritization and Response
overview
Threat Modeling
• Microsoft’s Security Development Lifecycle (SDL)
• “Secure by Design, Secure by Default, Secure in Deployment and Communication” (also known as SD3+C)
• Proactive vs. reactive approach
Identifying Threats
• Focused on Assets
• Focused on Attackers
• Focused on Software
Threat Categorization Schemes
• STRIDE
• Process for Attack Simulation and Threat Analysis (PASTA)
• Trike
• Visual, Agile, and Simple Threat (VAST)
STRIDE
• Spoofing
• Tampering
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege
PASTA 1/2
• Stage I: Definition of the Objectives (DO) for the Analysis of Risks
• Stage II: Definition of the Technical Scope (DTS)
• Stage III: Application Decomposition and Analysis (ADA)
• Stage IV: Threat Analysis (TA)
• Stage V: Weakness and Vulnerability Analysis (WVA)
• Stage VI: Attack Modeling and Simulation (AMS)
• Stage VII: Risk Analysis and Management (RAM)
PASTA 2/2
Determining and Diagramming Potential Attacks
• Diagram the infrastructure
• Identify data flow
• Identify privilege boundaries
• Identify attacks for each diagrammed element
Diagramming to Reveal Threat Concerns
Performing Reduction Analysis
• Decomposing
• Trust boundaries
• Data flow paths
• Input points
• Privileged operations
• Details about security stance and approach
Prioritization and Response
• Probability × Damage Potential ranking
• High/medium/low rating
• DREAD system
– Damage potential
– Reproducibility
– Exploitability
– Affected users
– Discoverability
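The three threat-modeling slides above (attacks per diagrammed element, reduction analysis over trust boundaries and data flows, and DREAD or Probability × Damage Potential prioritization) fit together in one short script. This is an added example, not code from the slides or from Microsoft's SDL tooling: the data-flow diagram, the DREAD ratings and the High/Medium/Low thresholds are constructed for illustration, and the STRIDE-per-element mapping (which STRIDE categories usually apply to an external entity, process, data store or data flow) is the common SDL convention, assumed here and meant to be adapted to your own model.

```python
"""Added example (not from the original slides): enumerate STRIDE threat
candidates for each element of a small data-flow diagram, flag the flows that
cross a trust boundary (reduction analysis), and rank threats with DREAD or
Probability x Damage Potential. The DFD, ratings and thresholds are constructed."""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: categories typically relevant to each DFD element type.
# Assumption: the common Microsoft SDL convention; adjust for your own model.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                        # one of the APPLICABLE keys
    crosses_trust_boundary: bool = False


def enumerate_threats(elements):
    """One (element name, STRIDE category) candidate per applicable letter."""
    return [(e.name, STRIDE[letter])
            for e in elements
            for letter in APPLICABLE[e.kind]]


def boundary_crossings(elements):
    """Reduction-analysis helper: data flows that cross a trust boundary are
    the input points that deserve the closest review."""
    return [e.name for e in elements
            if e.kind == "data_flow" and e.crosses_trust_boundary]


def dread_score(damage, reproducibility, exploitability,
                affected_users, discoverability):
    """Mean of the five DREAD factors, each rated 1..10."""
    factors = (damage, reproducibility, exploitability,
               affected_users, discoverability)
    if any(not 1 <= f <= 10 for f in factors):
        raise ValueError("each DREAD factor must be rated 1..10")
    return sum(factors) / len(factors)


def probability_damage(probability, damage_potential):
    """Simpler alternative: Probability x Damage Potential, each rated 1..10."""
    if not (1 <= probability <= 10 and 1 <= damage_potential <= 10):
        raise ValueError("probability and damage potential must be 1..10")
    return probability * damage_potential


def rate(score):
    """Bucket a DREAD score (1..10) into High/Medium/Low; thresholds constructed."""
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def prioritize(scored):
    """scored: [(threat label, DREAD factor tuple)] -> [(label, score, rating)]
    ordered from the highest score to the lowest."""
    ranked = []
    for label, factors in scored:
        score = dread_score(*factors)
        ranked.append((label, score, rate(score)))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed sample DFD: a browser talking to a web application that keeps
# sessions in a database; only the browser-to-app flow crosses the trust boundary.
SAMPLE_DFD = [
    Element("Browser", "external_entity"),
    Element("Web app", "process"),
    Element("Session DB", "data_store"),
    Element("Browser->Web app", "data_flow", crosses_trust_boundary=True),
    Element("Web app->Session DB", "data_flow"),
]

# Constructed DREAD ratings for four of the enumerated candidates.
SAMPLE_SCORES = [
    ("Web app: Elevation of privilege", (9, 7, 6, 8, 5)),
    ("Browser->Web app: Information disclosure", (6, 8, 7, 9, 8)),
    ("Session DB: Tampering", (5, 4, 3, 4, 4)),
    ("Browser: Repudiation", (2, 3, 2, 3, 5)),
]

if __name__ == "__main__":
    print(f"{len(enumerate_threats(SAMPLE_DFD))} STRIDE candidates to review")
    print("Boundary-crossing flows:", boundary_crossings(SAMPLE_DFD))
    for label, score, rating in prioritize(SAMPLE_SCORES):
        print(f"{score:4.1f} {rating:6} {label}")
```

The enumeration deliberately over-generates: every candidate is a question to answer during analysis, not a confirmed threat, and the DREAD mean or the probability × damage product is only the ordering in which to answer them. Which thresholds separate High from Medium is an organizational choice; the values above are placeholders.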
Apply Risk-Based Management Concepts to the Supply Chain
• Resilient integrated security
• Cost of ownership
• Outsourcing
• Integrated security assessments
• Monitoring and management
– On-site assessment
– Document exchange and review
– Process/policy review
– Third-party audit (AICPA SOC1 and SOC2)
Conclusion
• Read the Exam Essentials
• Review the Chapter
• Perform the Written Labs
• Answer the Review Questions