
Chapter 1 Security Governance Through Principles and Policies

Covers Domains 1 and 3.

Security 101

Why is security important?
Security helps to ensure that an organization is able to continue to exist and operate in spite of any attempts to steal its data or compromise its physical or logical elements. Security should be viewed as an element of business management rather than an IT concern. Security is the business management tool that ensures the reliable and protected operation of IT/IS. Security exists to support the objectives, mission, and goals of the organization.

How can an organization control its security?
Generally, a security framework should be adopted that provides a starting point for how to implement security.
1. Initiation 2. Fine-tuning through evaluation.
Three types of security evaluation: risk assessment, vulnerability assessment, and penetration testing.

What are the features of security?
1. Security should be cost-effective. Thus, you should select security controls that provide the greatest protection for the lowest resource cost.

2. Security should be legally defensible. The laws of your jurisdiction are the backstop of organizational security. When intruders' activities are illegal, prosecution in court may be the only available response for compensation or closure.

3. Deployed technology changes over time, through its users, and through adversaries discovering flaws and developing exploits. The defenses that were sufficient yesterday may not be sufficient tomorrow. As new vulnerabilities are discovered, as new means of attack are crafted, and as new exploits are built, we have to respond by reassessing our security infrastructure and responding appropriately.

Understand and Apply Security Concepts

The CIA Triad

Confidentiality
Confidentiality protections prevent disclosure while protecting authorized access.
Many unauthorized disclosures of sensitive information are the result of human error, oversight, or ineptitude.
Confidentiality violations can result from the actions of an end user or a system administrator. They can also occur because of an oversight in a security policy or a misconfigured security control.
Numerous countermeasures can help ensure confidentiality against possible threats. These include encryption, network traffic padding, strict access control, rigorous authentication procedures, data classification, and extensive personnel training.

Organizations should evaluate the nuances of confidentiality they wish to enforce. Tools and technology that implement one form of confidentiality might not support or allow other forms.

Integrity
Integrity is the concept of protecting the reliability and correctness of data. Integrity protection prevents unauthorized alterations of data.

Numerous attacks focus on the violation of integrity. These include viruses, logic bombs, unauthorized access, errors in coding and applications, malicious modification, intentional replacement, and system backdoors.

Availability
Availability means authorized subjects are granted timely and uninterrupted access to objects. Often, availability protection controls support sufficient bandwidth and timeliness of processing as deemed necessary by the organization or situation.

Availability includes efficient uninterrupted access to objects and prevention of denial-of-service (DoS) attacks.

There are numerous threats to availability. These include device failure, software errors, and environmental issues (heat, static electricity, flooding, power loss, and so on).

DAD, Overprotection, Authenticity, Non-repudiation, and AAA Services

The DAD triad consists of three pillars: disclosure, alteration, and denial. It is the opposite of the CIA triad. The DAD triad represents the failures of security protections in the CIA triad.

Overprotecting confidentiality or overprotecting integrity can result in a restriction of availability. Overproviding availability can result in a loss of confidentiality and integrity.

Authenticity is related to verifying that data is from a claimed origin and it did not change in transit or storage.

Nonrepudiation ensures that the subject of an activity or who caused an event cannot deny that the event occurred.

AAA services are a core security mechanism of all security environments. AAA stands for authentication, authorization, and accounting (or sometimes auditing). It consists of five elements: identification, authentication, authorization, auditing, and accounting.

Protection Mechanisms

Some common examples of protection mechanisms are defense in depth, abstraction, data hiding, and using encryption.

Defense in depth, also known as layering, is the use of multiple controls in a series. No one control can protect against all possible threats. When security solutions are designed in layers, a single failed control should not result in exposure of systems or data.

Using layers in a series rather than in parallel is important.

Serial configurations are very narrow but very deep.
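As an added illustration (not from the notes, and not from any particular product), the following Python models three constructed controls and shows why composing them in series rather than in parallel matters: in series every control must allow a request, so one failed control still leaves the others in the path; in parallel a request is admitted as soon as any single control allows it. The residual-risk function uses constructed, independent per-control miss rates.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Request:
    """A constructed request as seen by the layered controls."""
    src_ip: str
    authenticated: bool
    payload: str


# Three constructed controls; each returns True when it allows the request.
def network_acl(r: Request) -> bool:
    return r.src_ip.startswith("10.")            # only the internal range


def auth_check(r: Request) -> bool:
    return r.authenticated                       # session must be authenticated


def input_filter(r: Request) -> bool:
    return ";" not in r.payload and "<" not in r.payload   # crude payload screen


CONTROLS: List[Callable[[Request], bool]] = [network_acl, auth_check, input_filter]


def series_allows(r: Request) -> bool:
    """Defense in depth (serial layering): every control must allow the request."""
    return all(control(r) for control in CONTROLS)


def parallel_allows(r: Request) -> bool:
    """Parallel arrangement: the request gets through if any one control allows it."""
    return any(control(r) for control in CONTROLS)


def residual_miss_rate(miss_rates: Iterable[float], serial: bool) -> float:
    """Probability that an attack evades the whole arrangement.

    In series the attack must slip past every control (product of misses);
    in parallel it only has to slip past one (1 - product of catches).
    """
    rates = list(miss_rates)
    if serial:
        p = 1.0
        for m in rates:
            p *= m
        return p
    caught_by_all = 1.0
    for m in rates:
        caught_by_all *= (1.0 - m)
    return 1.0 - caught_by_all


# Constructed samples: one clean request, one from inside the network but
# unauthenticated and carrying a shell-metacharacter payload.
CLEAN = Request("10.0.0.8", True, "name=alice")
SUSPECT = Request("10.0.0.7", False, "name=x; cat /etc/passwd")
```

With three controls that each miss 10% of attacks, the serial arrangement leaves a 0.1% residual, while the parallel one leaves 27.1%, which is the "narrow but deep" property the notes describe.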

Abstraction is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.

Data hiding prevents data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject.

Encryption is the science of hiding the meaning or intent of a communication from unintended recipients.

Security Boundaries

Due diligence is establishing a plan, policy, and process to protect the interests of an organization.

Due care is practicing the individual activities that maintain the due diligence effort.

Written Lab

  1. Discuss and describe the CIA Triad.

    The CIA Triad consists of three components: confidentiality, integrity, and availability. Confidentiality is the principle of keeping sensitive information away from unauthorized subjects. Integrity is the principle that objects retain their veracity and are intentionally modified only by authorized subjects. Availability is the principle that authorized subjects are granted timely and uninterrupted access to objects.

  2. What are the requirements to hold a person accountable for the actions of their user account?

    The requirements of accountability are identification, authentication, authorization, and auditing. Each of these components needs to be legally supportable to truly hold someone accountable for their actions.

  3. Name the six primary security roles as defined by (ISC)2 for CISSP.

    Senior manager, security professional (IT/security staff), asset owner, custodian, user, auditor.

  4. What are the four components of a complete organizational security policy and their basic purpose?

    The four components of an organizational security policy are policies, standards, guidelines, and procedures. Policies are broad security statements. Standards are definitions of hardware and software security compliance. Guidelines are used when there is not an appropriate procedure. Procedures are detailed step-by-step instructions for performing work tasks in a secure manner.