CISSP Study Notes: Security Governance through Principles and Policies

Chapter 1 Security Governance through Principles and Policies

1.1 Understand and apply confidentiality, integrity and availability

The main goals of security are the CIA triad: Confidentiality, Integrity and Availability. How much weight each principle carries depends mainly on the organization's security goals and on the degree of threat it faces.

1.1.1 Confidentiality

  • Confidentiality: providing a high level of assurance that data, objects or resources are not disclosed to unauthorized subjects
  • Attacks on confidentiality: capturing network traffic, stealing password files, social engineering, port scanning, shoulder surfing, eavesdropping, sniffing attacks, human error
  • Countermeasures that contribute to confidentiality: encryption, network traffic padding, strict access controls, rigorous authentication procedures, data classification, and extensive personnel training
  • Confidentiality and integrity depend on each other

1.1.2 Integrity

  • Integrity: objects must retain their correctness and may be intentionally modified only by authorized subjects
  • Violations of integrity: viruses, logic bombs, unauthorized access, coding and application errors, malicious modifications, intentional replacement, system backdoors, human error
  • Measures to protect integrity: strict access controls, rigorous authentication, intrusion detection systems, encryption, hash total verification, interface restrictions, input/function checks, and extensive personnel training
  • Integrity relies on confidentiality. Without confidentiality, integrity cannot be maintained.
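The two bullets above mention hash checks as an integrity measure and state that integrity relies on confidentiality. The following added example (not part of the study notes) shows both points on a constructed record: an unkeyed SHA-256 digest catches an accidental change, but anyone who can rewrite the record can also rewrite the digest, so it proves nothing on its own; an HMAC ties the check to a secret key, so the integrity guarantee only holds while that key stays confidential. The record contents, key values and function names are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record for the demonstration (not from the study notes).
RECORD = b"transfer:from=acct-100;to=acct-200;amount=50.00"


def plain_digest(data: bytes) -> str:
    """Unkeyed integrity value (SHA-256). Anyone holding the data can recompute it."""
    return hashlib.sha256(data).hexdigest()


def keyed_digest(key: bytes, data: bytes) -> str:
    """Keyed integrity value (HMAC-SHA256). Recomputing it requires the secret key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_plain(data: bytes, digest: str) -> bool:
    # compare_digest avoids leaking how many characters matched through timing.
    return hmac.compare_digest(plain_digest(data), digest)


def verify_keyed(key: bytes, data: bytes, digest: str) -> bool:
    return hmac.compare_digest(keyed_digest(key, data), digest)


def demo() -> dict:
    """Run the four checks and report which ones catch the modification."""
    key = secrets.token_bytes(32)  # secret shared only by the writer and the verifier
    stored_sha = plain_digest(RECORD)
    stored_mac = keyed_digest(key, RECORD)

    # The same record with its amount altered (constructed modification).
    modified = RECORD.replace(b"amount=50.00", b"amount=5000.00")

    return {
        # Case 1: the data changed but the stored check values did not.
        # Both mechanisms report a mismatch.
        "plain_detects_change": not verify_plain(modified, stored_sha),
        "keyed_detects_change": not verify_keyed(key, modified, stored_mac),
        # Case 2: whoever changed the data also replaced the stored check value.
        # The unkeyed digest verifies again, because it depends on nothing secret.
        "plain_after_recompute": verify_plain(modified, plain_digest(modified)),
        # A keyed digest recomputed with any key other than the real one fails,
        # so the integrity guarantee rests on keeping the key confidential.
        "keyed_without_key": verify_keyed(
            key, modified, keyed_digest(b"constructed-wrong-key", modified)
        ),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

In practice the stored digest of a plain hash must itself be protected (for example kept on read-only media or signed), which is exactly the confidentiality/integrity dependency the note describes; the HMAC variant moves that protection onto a single key.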

1.1.3 Availability

  • Availability: Authorized subjects are granted timely and uninterrupted access to the object
  • Threats to availability: equipment failures, software errors, environmental problems, DoS attacks, object corruption, and communication interruptions
  • Availability relies on integrity and confidentiality. Availability cannot be maintained without integrity and confidentiality.

1.1.4 Other security concepts

  1. Identification
    • A subject claims an identity; identification is the first step toward accountability
    • Authentication: the process of verifying or testing that a claimed identity is valid. Authentication requires the subject to provide additional information that corresponds exactly to the claimed identity.
  2. Authorization
    • Ensures that the requested activity or object access is permitted given the rights and privileges assigned to the authenticated identity. Authorization is determined using an access control model such as DAC, MAC or RBAC.
  3. Auditing
    • Auditing is the process of detecting unauthorized or abnormal activities on a system. Logs provide an audit trail for reconstructing the history of events, intrusions and system failures. Auditing provides evidence for prosecution and produces problem reports and analysis reports.
    • Auditing is usually a native feature of operating systems and most applications and services, so configuring the system to record information about specific types of events is straightforward.
  4. Accountability
    • An organization's security policy can be properly enforced only if accountability is maintained
    • For accountability to be viable, you must be able to support your security measures in a court of law
  5. Non-repudiation
    • Non-repudiation ensures that the subject of an activity or event cannot deny that it happened
    • Identification, authentication, authorization, accountability and auditing together make non-repudiation possible; it is established through digital certificates, session identifiers, transaction logs and many other transport and access control mechanisms

1.1.5 Protection mechanism

Many controls protect confidentiality, integrity, and availability through the use of protection mechanisms

  • Layering
    • Layering is the simple use of multiple controls in series, also known as defense in depth. Controls are arranged serially rather than in parallel, so a request must pass each one in turn.
    • Layering also includes the idea that a network is composed of multiple independent entities; all of the systems that make up a single line of defense work together to build that defense.
  • Abstraction
    • Used to improve efficiency by placing similar elements into groups, categories or roles. Abstraction is applied when classifying objects or assigning roles to subjects.
    • Abstraction allows security controls to be assigned to groups of objects organized by security type or function, which simplifies security measures.
  • Data hiding
    • Prevents a subject from discovering or accessing data by placing it in a storage space that is inaccessible or invisible to the subject
    • Examples of data hiding: keeping a database inaccessible to unauthorized visitors; restricting a subject with a lower classification level from accessing data at a higher level; preventing an application from directly accessing the hardware.

1.2 Apply security governance principles

  • Security governance is the collection of practices that support, define and guide an organization's security-related efforts
  • The common goal of security governance is to safeguard business processes while striving for growth and resiliency
  • Security governance also carries compliance requirements. It is the implementation of security solutions and management methods, and security is managed and controlled by the organization as a whole, not only by the IT department.

1.2.1 Alignment of security function strategy, goals, mission and vision

  • A security management plan ensures that security policies are appropriately created, implemented and enforced
  • The best approach to security planning is top-down. Senior management initiates and defines the organization's security policy, which sets the direction for lower-level personnel. Middle management is responsible for fleshing out the policy into standards, baselines, guidelines and procedures. Operations managers and security professionals implement the configuration requirements specified in the security management documentation, and users comply with the security policies the organization establishes.
  • Preparing a security management plan includes: defining security roles; specifying how security will be managed, who is responsible for it, and how its effectiveness will be tested; developing security policies; performing risk assessment; and educating employees about security. The security management planning team develops three plans:
  • Strategic plan: a fairly stable long-term plan that defines the organization's goals. Long-term goals and vision are discussed in the strategic plan, which also includes a risk assessment.
  • Tactical plan: a medium-term plan that provides the details for achieving the goals set out in the strategic plan, including project plans, acquisition plans, hiring plans, budget plans, maintenance plans, support plans and system development plans
  • Operational Plan: A highly detailed plan based on strategic and tactical plans that clearly describes how to accomplish the organization's goals, including: training plans, system deployment plans, and product design plans

1.2.2 Organizational process

  • Security governance needs to address all aspects of the organization, including organizational processes such as acquisitions, divestitures and governance committees

Change control / change management

  • Changes in the security environment may introduce loopholes, overlaps, missing objects and oversights that lead to vulnerability. In the face of change, the only way to maintain security is to manage change in the system.
  • The purpose of change management is to ensure that no change can reduce or compromise security, and that any change can be rolled back to a previous secure state.
  • Parallel run is an example of a change management process: the old and new systems run side by side to ensure that the new system supports all the business functionality the old system provides.

Data classification

  • The main purpose of classification: assign labels to data according to its importance and sensitivity, so that the data protection process is standardized and tiered.
  • Government/military classification: Top Secret, Secret, Confidential, Sensitive But Unclassified, Unclassified
  • Commercial/private sector classification: Confidential, Private, Sensitive, Public
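The two classification schemes above, the data-hiding rule in 1.1.5 (a subject at a lower level must not read higher-level data) and the audit trail in 1.1.4 come together in the following added example, which is not from the study notes. A small mediator orders the labels of one scheme, grants a read only when the subject's clearance is at least the object's label, fails closed on a label it does not recognise, and writes every decision to an audit list so an auditor can pull out the refusals. The subject names, object names and the `ReadMediator` class are assumptions made for the demonstration.

```python
from dataclasses import dataclass, field

# Classification schemes as listed in the notes, ordered from least to most sensitive.
GOVERNMENT = ["Unclassified", "Sensitive But Unclassified", "Confidential", "Secret", "Top Secret"]
COMMERCIAL = ["Public", "Sensitive", "Private", "Confidential"]


@dataclass
class ReadMediator:
    """Decides read access by comparing labels and records every decision."""
    scheme: list
    audit_log: list = field(default_factory=list)

    def rank(self, label: str) -> int:
        """Position of a label in this scheme; higher means more sensitive."""
        if label not in self.scheme:
            raise ValueError(f"unknown label {label!r} for this scheme")
        return self.scheme.index(label)

    def can_read(self, subject: str, clearance: str, obj: str, label: str) -> bool:
        """Allow the read only when the clearance dominates the object's label."""
        try:
            allowed = self.rank(clearance) >= self.rank(label)
            reason = "clearance dominates label" if allowed else "clearance below label"
        except ValueError as exc:
            allowed, reason = False, str(exc)  # fail closed on an unknown label
        # Every decision, allowed or not, becomes an audit-trail entry.
        self.audit_log.append({
            "subject": subject, "object": obj, "clearance": clearance,
            "label": label, "allowed": allowed, "reason": reason,
        })
        return allowed


def denied_events(mediator: ReadMediator) -> list:
    """The audit trail filtered to refused accesses, the entries an auditor reviews first."""
    return [e for e in mediator.audit_log if not e["allowed"]]


def demo() -> dict:
    """Exercise both schemes with constructed subjects and objects."""
    gov = ReadMediator(GOVERNMENT)
    gov.can_read("analyst", "Secret", "ops-plan.doc", "Confidential")   # allowed
    gov.can_read("analyst", "Secret", "ops-plan.doc", "Secret")         # allowed
    gov.can_read("analyst", "Secret", "budget.xls", "Top Secret")       # denied: label above clearance
    gov.can_read("contractor", "Public", "memo.txt", "Unclassified")    # denied: "Public" is not a government label

    com = ReadMediator(COMMERCIAL)
    com.can_read("intern", "Public", "price-list.pdf", "Public")        # allowed
    com.can_read("intern", "Public", "payroll.csv", "Private")          # denied

    return {
        "government_denied": len(denied_events(gov)),
        "commercial_denied": len(denied_events(com)),
        "total_events": len(gov.audit_log) + len(com.audit_log),
        "unknown_label_reason": gov.audit_log[3]["reason"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Mixing labels from the two schemes is a realistic configuration mistake; refusing the access and logging the reason, rather than guessing an ordering, keeps the mediator from silently granting more than the classification intended.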

1.2.3 Security roles and responsibilities

  • Senior manager: the person ultimately responsible for maintaining the organization's security and most concerned with protecting its assets. Senior managers are responsible for the overall success or failure of the security solution and must exercise due care and due diligence in establishing security in the organization.
  • Security professional: responsible for protecting security, including writing and implementing security policies. Security professionals are implementers, not decision makers; decisions are made by senior management.
  • Data owner: the person assigned responsibility for classifying information so that it can be protected within the security solution
  • Data custodian: the user responsible for implementing the security policies and protection tasks specified by upper management. These tasks include completing and testing data backups, confirming data integrity, deploying security solutions, and managing data storage according to classification
  • User: anyone who is granted access to the secured system
  • Auditor: responsible for testing and verifying that security policies are correctly implemented and that the derived security solutions are adequate, and for producing compliance and effectiveness reports, which senior management reviews

1.2.4 Control architecture

  • A security program must begin with planning the program, then planning for standards and compliance, and finally actual program development and design
  • Control Objectives for Information and Related Technologies (COBIT): a documented set of IT security best practices

1.2.5 Due care and due diligence

  • Due care: using reasonable care to protect the organization's interests and developing a formalized security structure
  • Due diligence: continually practicing and maintaining the due care activities and applying the security structure to the organization's IT infrastructure
  • Executives must exercise due care and due diligence to reduce their culpability and liability in the event of a loss

1.3 Develop and document security policies, standards, guidelines and procedures

Maintaining security is an important part of business development

1.3.1 Security policy

  • The security policy is the highest level of security documentation; many organizations use several types of security policies to define or outline their overall security strategy.
  • Regulatory policy: security measures required so that people comply with laws and regulations
  • Advisory policy: discusses acceptable behaviors and activities and defines the consequences of violations; this policy explains senior management's expectations for security and compliance within the organization.
  • Informative policy: designed to provide information or knowledge about a specific subject

1.3.2 Security standards, baselines and guidelines

  • Standards define mandatory requirements for the unified use of hardware, software, technology, and security control methods. Standards are tactical documents that define the steps and methods to achieve the goals and overall direction specified by the security policy.

Origin blog.csdn.net/Runnymmede/article/details/133364226