
Framework, Policies, Controls and Procedures


CHAPTER 11
Security Framework
An information security framework is a series of documented processes that are used to define
policies and procedures around the implementation and ongoing management of information
security controls in an enterprise environment.
These frameworks are essentially a "blueprint" for building an information security program that
manages risk and reduces vulnerabilities. Information security professionals use them to define
and prioritize the tasks required to build security into an organization.
Frameworks are often customized to solve specific information security problems, just like
building blueprints are customized to meet their required specifications and use. There are
frameworks that were developed for specific industries as well as different regulatory
compliance goals. 

CYBERSECURITY ANALYSIS - UCC


NIST SP 800 Series
The U.S. National Institute of Standards and Technology has been building an extensive
collection of information security standards and best practices documentation. The NIST Special
Publication 800 series was first published in 1990 and has grown to provide advice on just about
every aspect of information security.
Although not itself an information security framework, NIST SP 800-53 is a control catalogue that
other frameworks have evolved from or map to. U.S. federal agencies use NIST SP 800-53 to meet
the minimum security requirements of Federal Information Processing Standard (FIPS) 200.
Even though it was written for government agencies, the NIST catalogue can be applied in any
other industry and should not be overlooked by companies looking to build an information
security program.
At the time of writing, NIST SP 800-171 applies to contractors that store or process Controlled
Unclassified Information (CUI) on their own systems; DoD contractors, for example, are required to
meet it under DFARS clause 252.204-7012.

NIST SP 800-53
SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations) was in
its fourth revision when this material was written; Revision 5, published in September 2020, is the
current edition. It outlines the controls agencies must put in place to meet the minimum security
requirements of FIPS 200.
Revision 4 organizes its controls into 18 families (for example Access Control, Audit and
Accountability, Configuration Management and Incident Response), covering the management,
operational and technical controls prescribed for an information system to protect the
confidentiality, integrity and availability (C.I.A.) of the system and its information.
Government auditors use 800-53 to verify that agencies are compliant with government-oriented
regulations.

NIST Cybersecurity Framework
(Slide figure: an example of the NIST Cybersecurity Framework core, whose five functions are
Identify, Protect, Detect, Respond and Recover.)
ISO 27000 Series
The ISO 27000 series was developed by the International Organization for Standardization (ISO)
together with the International Electrotechnical Commission (IEC), which is why the standards are
formally numbered ISO/IEC 27000, 27001 and so on. It provides a very broad information security
framework that can be applied to organizations of all types and sizes. It can be thought of as the
information security equivalent of the ISO 9000 quality standards for manufacturing, and even
includes a similar certification process. It is broken up into sub-standards based on their content.
For example, ISO/IEC 27000 provides the overview and vocabulary, ISO/IEC 27001 defines the
requirements for an information security management system (ISMS), against which an
organization can be certified, and ISO/IEC 27002, which evolved from the British standard BS 7799
(via ISO/IEC 17799), is the code of practice describing the controls an information security
program should consider.
There are many more standards and best-practice documents in the ISO 27000 series. ISO 27799,
for example, applies ISO/IEC 27002 to health informatics, which can be useful for organizations
that must comply with HIPAA.

COBIT
The COBIT framework is published by the IT Governance Institute and the Information Systems Audit
and Control Association (ISACA). The goal of the framework is to provide a common language for
business executives to communicate with each other about goals, objectives and results. The original
version, published in 1996, focused largely on auditing. The latest version, published in 2013,
emphasizes the value that information governance can provide to a business' success. It also
provides quite a bit of advice about enterprise risk management.
This framework started out primarily focused on reducing technical risks in organizations, but has
evolved recently with COBIT 5 to also include alignment of IT with business-strategic goals. It is the
most commonly used framework to achieve compliance with Sarbanes-Oxley rules.
COBIT 5 is based on five key principles for governance and management of enterprise IT:
   Principle 1: Meeting Stakeholder Needs
   Principle 2: Covering the Enterprise End-to-End
   Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
 Principle 5: Separating Governance From Management

COBIT
COBIT enables clear policy development and good practice for IT control throughout an
organization. It emphasizes regulatory compliance, helps organizations increase the value they
obtain from IT, supports alignment of IT with the business, and simplifies implementation of the
enterprise's IT governance and control framework.

Other Frameworks
(Slide figures: the TOGAF model and the ITIL service lifecycle.)
ISO 27001
SABSA (Sherwood Applied Business Security Architecture)
TOGAF (The Open Group Architecture Framework)
ITIL (IT Infrastructure Library)
Policy Documents
Policies
Standards
Procedures
Guidelines

These four document types differ in their level of permanence and obligation, and in their intent:
policies are high-level, mandatory statements of management's position that change rarely;
standards are mandatory, specific requirements that support a policy (for example, which
encryption algorithms or configuration settings must be used); procedures are mandatory
step-by-step instructions for carrying out a task; and guidelines are recommended practices that
are not mandatory.
Policies and Procedures
Policies and procedures are critical governance tools in every enterprise. Where policies dictate
the rules, procedures explain how those rules are applied in practice. Taken together, policies and
procedures set expectations for behaviors and activities and provide the mechanisms to enforce
those expectations.
Senior management needs to define the scope of security, identify what must be protected and
decide to what extent. Senior management must also determine what is expected of employees
and what the consequences of noncompliance will be.
Given the importance and relative "permanence" of policy and procedure documents, they
should be carefully and conscientiously crafted so that they withstand both time and scrutiny.
The goal of a policies-and-procedures definition program is to provide the tools and guidance
necessary to construct these governing documents.

Policy Library
Information security policy
Acceptable use policy
Data ownership policy
Data classification policy
Data retention policy
Account management policy
Password policy
Security policies
In business, a security policy is a document that states in writing how a company plans to
protect its physical and information technology (IT) assets.
A security policy is often considered a "living document", meaning that it is never finished but
is continuously updated as technology and employee requirements change.
A company's security policy may include an acceptable use policy, a description of how the
company plans to educate its employees about protecting the company's assets, an explanation
of how security measures will be carried out and enforced, and a procedure for evaluating the
effectiveness of the security policy so that necessary corrections are made.

Data Classification
Data classification is the process of organizing data into categories for its most effective and
efficient use. 
A well-planned data classification system makes essential data easy to find and retrieve. This can
be of particular importance for risk management, legal discovery, and compliance.
Written procedures and guidelines for data classification should define the categories and
criteria the organization will use to classify data, and specify the roles and responsibilities of
employees regarding data stewardship. Once a data classification scheme has been created, the
organization should address security standards that specify appropriate handling practices for
each category and storage standards that define the data's lifecycle requirements.
The rationale for assigning classification levels to different types of data is that it lets an
organization gauge how much funding and other resources should go toward protecting each
category.

Sensitivity and Criticality
Commercial business classification (highest to lowest): Confidential, Private, Sensitive, Public
Military and government classification (highest to lowest): Top Secret, Secret, Confidential,
Sensitive but Unclassified, Unclassified

Controls
Controls are the countermeasures an organization implements to reduce the risk that a threat
exploits a vulnerability.
Central to information security is the concept of controls, which may be categorized by their
function (preventive, detective, corrective, deterrent, recovery and compensating) and by their
plane of application (physical, administrative or technical).
Physical controls include doors, secure facilities, fire extinguishers, flood protection, and air
conditioning.
Administrative controls are the organization’s policies, procedures, and guidelines intended to
facilitate information security.
Technical controls are the various technical measures, such as firewalls, authentication systems,
intrusion detection systems, and file encryption, among others.

Controls
Preventive Controls
Preventive controls are the first controls met by the adversary. Preventive controls try to prevent security violations
and enforce access control. Like other controls, preventive controls may be physical, administrative, or technical:
doors, security procedures, and authentication requirements are examples of physical, administrative, and technical
preventive controls, respectively.
Detective Controls
Detective controls are in place to detect security violations and alert the defenders. They come into play when
preventive controls have failed or have been circumvented, and they are no less crucial than preventive controls.
Detective controls include cryptographic checksums, file integrity checkers, audit trails and logs, and similar mechanisms.
Corrective Controls
Corrective controls try to correct the situation after a security violation has occurred. Although a violation occurred,
not all is lost, so it makes sense to try and fix the situation. Corrective controls vary widely, depending on the area
being targeted, and they may be technical or administrative in nature.

Controls
Deterrent Controls
Deterrent controls are intended to discourage potential attackers and send the message that it is better not to
attack, but even if you decide to attack we are able to defend ourselves. Examples of deterrent controls include
notices of monitoring and logging as well as the visible practice of sound information security management.
Recovery Controls
Recovery controls are somewhat like corrective controls, but they are applied in more serious situations to
recover from security violations and restore information and information processing resources. Recovery
controls may include disaster recovery and business continuity mechanisms, backup systems and data,
emergency key management arrangements, and similar controls.
Compensating Controls
Compensating controls are alternative arrangements that stand in for other controls when the original
controls have failed or cannot be used. When a second set of controls addresses the same threats that are
addressed by another set of controls, the second set are compensating controls.

Handling Risks
Risk Avoidance
◦ Terminating the activity that causes the risk, or choosing an alternative that is not as risky

Risk Transfer
◦ Passing the risk on to a third party, such as an insurance company

Risk Mitigation
◦ Reducing the risk, by implementing controls, to a level the organization has defined as acceptable

Risk Acceptance
◦ Understanding and accepting the level of risk, as well as the cost of the damage that can occur

Quantitative Risk Analysis
Quantitative analysis assigns monetary values to the components of risk. Let's analyze the example
of a hard drive failure to see how it works.

First describe the threat, vulnerability and risk:

Threat: hard drive failure
Vulnerability: backups done rarely
Risk: loss of data

The asset is the data. The value of the asset (AV) is assessed first: $100,000, for example.

Next comes the single loss expectancy (SLE), the potential loss, in monetary terms, each time the
threat occurs. It is calculated as SLE = AV x EF, where EF is the exposure factor: the fraction of the
asset's value that is lost when the threat occurs, expressed as a percentage. With EF estimated at
0.3 (30%), SLE is $30,000 in our example.

Quantitative Risk Analysis
Let's continue the case. The annualized rate of occurrence (ARO) is the estimated frequency with
which the threat occurs in one year. ARO is used to calculate the annualized loss expectancy
(ALE): ALE = SLE x ARO. With ARO estimated at 0.5 (once every two years), ALE is $15,000
($30,000 x 0.5).

As we can see, risk combines the impact on the business if the vulnerability is exploited with the
probability that it will be.

Countermeasures
Let's discuss the types of countermeasures (also called controls) that are implemented to reduce risk.
There are three types of countermeasures:

Administrative (e.g., security awareness training, which should not be forgotten, because people are
the weakest point in the security chain)

Technical (e.g., a firewall)

Physical (e.g., locks)

Countermeasures are implemented to reduce risk. The risk that exists when no countermeasure is
implemented is the total risk. Once a countermeasure is implemented, some risk is still left, because
perfect security does not exist; this is the residual risk.
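The SLE and ALE calculation from the hard-drive example above, carried through to residual risk and to choosing between countermeasures, as an added example (not code from the original slides). The $100,000 / 0.3 / 0.5 figures are the page's own; the candidate safeguards, their costs and the cost/benefit formula (value of a safeguard = ALE before - ALE after - annual cost of the safeguard) are assumptions introduced for this example, not something the page states.

```python
"""Quantitative risk analysis: SLE, ALE, residual risk and safeguard value (added example).

Reproduces the hard-drive-failure numbers from the text (AV $100,000, EF 0.3,
ARO 0.5) and extends them to compare candidate countermeasures. The
countermeasure figures and the cost/benefit formula
    value = ALE_before - ALE_after - annual_cost
are assumptions for this example; the page itself gives only SLE and ALE.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0..1)
    aro: float              # annualized rate of occurrence (events per year)

    def __post_init__(self) -> None:
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must lie between 0 and 1")

    @property
    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF (rounded to cents)."""
        return round(self.asset_value * self.exposure_factor, 2)

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO (rounded to cents)."""
        return round(self.sle * self.aro, 2)


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    exposure_factor_after: float  # EF once the control is in place
    aro_after: float              # ARO once the control is in place


def residual_risk(risk: Risk, safeguard: Safeguard) -> Risk:
    """The risk that remains after the safeguard: same asset, reduced EF and/or ARO."""
    return Risk(risk.asset_value, safeguard.exposure_factor_after, safeguard.aro_after)


def safeguard_value(risk: Risk, safeguard: Safeguard) -> float:
    """Annual benefit of the safeguard net of its cost; negative means it is not worth buying."""
    return round(risk.ale - residual_risk(risk, safeguard).ale - safeguard.annual_cost, 2)


def rank_safeguards(risk: Risk, candidates: list) -> list:
    """Order (name, net value) pairs by net annual value, best first."""
    scored = [(s.name, safeguard_value(risk, s)) for s in candidates]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Total risk from the text: data worth $100,000, 30% lost per failure, one failure every two years.
HARD_DRIVE_FAILURE = Risk(asset_value=100_000, exposure_factor=0.3, aro=0.5)

# Constructed countermeasure options (costs and residual EF/ARO are assumptions, not from the page).
CANDIDATES = [
    Safeguard("nightly backups", annual_cost=4_000, exposure_factor_after=0.05, aro_after=0.5),
    Safeguard("RAID mirroring", annual_cost=2_500, exposure_factor_after=0.3, aro_after=0.1),
    Safeguard("gold-plated SAN", annual_cost=20_000, exposure_factor_after=0.01, aro_after=0.05),
]

if __name__ == "__main__":
    print(f"SLE = {HARD_DRIVE_FAILURE.sle:,.2f}  ALE = {HARD_DRIVE_FAILURE.ale:,.2f}")
    for name, value in rank_safeguards(HARD_DRIVE_FAILURE, CANDIDATES):
        print(f"{name:18s} net annual value = {value:>10,.2f}")
```

Note what the ranking shows: the most expensive option drives residual risk almost to zero yet has a negative net value, so the rational choice under the risk-handling options above is to mitigate with a cheaper control and accept the remaining residual risk, not to buy the strongest control available.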

Data Ownership
Data ownership is primarily a data governance process that establishes an organization's legal
ownership of its enterprise-wide data. The data owner has the ability to create, edit, modify,
share and restrict access to the data.
Data ownership also defines the data owner's ability to assign, share or surrender all of these
privileges to a third party.
This concept is generally implemented in medium to large enterprises with huge repositories of
centralized or distributed data. The data owner claims possession of and copyright in such data
to ensure its control and its ability to take legal action if that ownership is illegitimately
breached by an internal or external entity.

Data Retention
Data retention, also called records retention, is the continued storage of an organization's data for
compliance or business reasons.
An organization may retain data for several reasons. One is to comply with state and federal
regulations. Another is to give the organization the ability to recover business-critical data in the
event of a site-wide data loss, such as a fire or flood. Minimum records retention requirements vary
by state and by data type, but typically they range from three years to permanent.
To ensure that all necessary data is stored properly, an organization's IT administrators can work
with the legal team and departmental business owners to create a data retention policy. Such a
policy is simply a set of guidelines that describes which data will be archived and how long it will
be kept.
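A retention policy of the kind just described, expressed as code so it can be applied consistently on every disposal run, as an added example (not from the original slides). The retention schedule, record types and records are constructed for the example; the "legal hold" flag covers the legal-discovery case raised under Data Classification, where a record that would otherwise be disposable must be frozen.

```python
"""Data retention policy as code (added example).

Evaluates a retention schedule against records and decides, for a given
date, whether each record must be retained, may be disposed of, or is
frozen by a legal hold. The schedule, record types and records below are
constructed for the example; real periods come from regulators and the
business owners the text mentions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

PERMANENT: Optional[int] = None  # a retention period of None means "keep forever"

# Constructed schedule: record type -> minimum retention in years after the trigger date.
RETENTION_SCHEDULE: Dict[str, Optional[int]] = {
    "invoice": 7,
    "employee_file": 7,
    "access_log": 3,
    "board_minutes": PERMANENT,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    record_type: str
    trigger_date: date        # e.g. invoice date, or an employee's departure date
    legal_hold: bool = False  # set by legal when the record is subject to discovery


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 February to 28 February in non-leap target years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expiry(record: Record) -> Optional[date]:
    """Last day the record must be kept, or None if it is retained permanently."""
    if record.record_type not in RETENTION_SCHEDULE:
        # Unknown types are an error, not "dispose": silently discarding data is the worse failure.
        raise KeyError(f"no retention rule for record type {record.record_type!r}")
    years = RETENTION_SCHEDULE[record.record_type]
    return None if years is PERMANENT else add_years(record.trigger_date, years)


def disposition(record: Record, today: date) -> str:
    """A legal hold beats everything; then retain until expiry (inclusive); then dispose."""
    if record.legal_hold:
        return "hold"
    expiry = retention_expiry(record)
    if expiry is None or today <= expiry:
        return "retain"
    return "dispose"


def review(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Group record ids by disposition so the disposal run can be audited before it executes."""
    out: Dict[str, List[str]] = {"hold": [], "retain": [], "dispose": []}
    for rec in records:
        out[disposition(rec, today)].append(rec.record_id)
    return out


# Constructed records.
RECORDS = [
    Record("INV-001", "invoice", date(2015, 3, 31)),
    Record("INV-002", "invoice", date(2020, 1, 15)),
    Record("LOG-2019", "access_log", date(2019, 12, 31), legal_hold=True),
    Record("LOG-2020", "access_log", date(2020, 12, 31)),
    Record("LOG-LEAP", "access_log", date(2020, 2, 29)),  # exercises the leap-day clamp
    Record("MIN-1998", "board_minutes", date(1998, 6, 1)),
]


def review_as_of(iso_day: str, records: Optional[List[Record]] = None) -> Dict[str, List[str]]:
    """Convenience wrapper: run the review for an ISO date string against RECORDS by default."""
    return review(RECORDS if records is None else records, date.fromisoformat(iso_day))


if __name__ == "__main__":
    for action, ids in review_as_of("2024-06-01").items():
        print(f"{action:8s} {ids}")
```

The review is deliberately split from the disposal itself: the "dispose" list is what a records manager signs off on, and anything under legal hold never reaches it regardless of age.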

Acceptable Use Policy
An acceptable use policy (AUP) is a document stipulating the constraints and practices that a user must agree to
in order to be granted access to a corporate network or the Internet.
Many businesses and educational institutions require that employees or students sign an acceptable use policy
before being granted a network ID. When you sign up with an Internet service provider (ISP), you will usually be
presented with an AUP, which states that you agree to adhere to stipulations such as:

Not using the service as part of violating any law
Not attempting to break the security of any computer network or user
Not posting commercial messages to Usenet groups without prior permission
Not attempting to send junk e-mail or spam to anyone who does not want to receive it
Not attempting to mail-bomb a site with mass amounts of e-mail in order to flood its server

Users also typically agree to report any attempt to break into their accounts.

Other Policies
Account Management Policy

Password Policy

What goes in these policies? How are they crafted to become a policy?

Good Policy vs. Bad Policy
(Slide figures: an example of a good policy and examples of bad policies.)
Laws and Regulations
HIPAA (Health Insurance Portability and Accountability Act)
PCI DSS (Payment Card Industry Data Security Standard)
GLBA (Gramm-Leach-Bliley Act)
SOX (Sarbanes-Oxley Act)
FERPA (Family Educational Rights and Privacy Act)
Breach notification laws
Procedures
Procedures are the step-by-step, detailed tasks that should be performed to achieve a certain goal.
Continuous monitoring procedures
NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations,
describes how to develop a continuous monitoring strategy and implement a continuous monitoring program that provides
visibility into organizational assets, awareness of threats and vulnerabilities, and visibility into the effectiveness of
deployed security controls. It provides ongoing assurance that planned and implemented security controls are aligned with
organizational risk tolerance, as well as the information needed to respond to risk in a timely manner should observations
indicate that the security controls are inadequate.
Continuous monitoring can reveal actionable intelligence such as a threat or a vulnerability, so there should be a
pre-established process in place to deal with it. The remediation plan describes the steps the organization takes whenever
its security posture worsens.
Evidence production procedures
Computer investigations require different procedures than regular investigations because the investigator's timeframe is
compressed. Computer information is also intangible and often requires extra care to ensure that the data is retained in its
original form (for example by working from a forensic copy whose cryptographic hash matches the original and keeping a
documented chain of custody).
After law enforcement has been informed of a computer crime, evidentiary rules must be addressed:
1. Identify what type of system is to be seized.
2. Identify the search and seizure team members.
3. Determine the risk of the suspect destroying the evidence.
Patching
Patching is a subset of configuration management. Software patches are updates released by vendors that either fix
functional issues or close security holes in operating systems, applications and the firmware that runs on network devices.
The patch management lifecycle includes these steps:
1. Determine the priority of the patches and schedule them for deployment.
2. Test the patches prior to deployment to ensure that they work properly and do not cause system or security issues.
3. Install the patches in the live environment.
4. After the patches are deployed, verify that they work properly.

Compensating Controls Development
Developing controls that address vulnerabilities is an ongoing process that occurs every time a
new vulnerability is discovered.

The type of control you choose largely depends on the following:

The likelihood that the vulnerability will be exploited
The sensitivity of the resource at risk
The cost of implementing the control versus the cost of the vulnerability being exploited

Control-Testing Procedures

Exception management procedures

Remediation Plans

Maturity Models
CMMI

NIACAP

ISO/IEC 27001

ISO/IEC 27002

Standards
Guidelines
Guidelines provide best practices and recommendations.

Compliance is not mandatory, unlike the other policy framework documents.


Exceptions
Exceptions to policy should require a formal process.

Exceptions often require compensating controls.


Compensating Controls
Must meet the intent and rigor of the original requirement
Should provide a similar level of defense
Must be “above and beyond” other requirements
