CompTIA CASP+ CAS-004 – Chapter 01 – Understanding Risk Management Part 2
- Integrating Diverse Industries
There are a lot of cases today where companies are integrating business models that are significantly different from one another, so we have the integration of diverse industries. In some cases these organizations are entering new fields or going into new geographic areas. That means different cultures and different regulatory requirements. It can open up a lot of new business opportunities, but it can also introduce a number of security weaknesses, and those are the considerations we need to take into account when diverse industries are integrated. One of the challenges is going to be with respect to rules. Most organizations have the goal of standardization, and that is a good goal.
But forcing an unfamiliar set of rules on one part of the business may end up causing user resistance and morale problems. One business unit's long-standing culture may be to trust users to manage their own computers and to have local admin rights, while the other unit is opposed to giving users that kind of control and is much more restrictive. You have to realize that it may not always be possible to make rules that are standard across an entire business, and you shouldn't try to unless you have fully considered the possible benefits and drawbacks. The benefits need to be balanced against any resistance that might be met and any productivity losses that may occur. It might be necessary to have a few different rules simply because of localized issues.
Senior management working alongside security professionals can best make those calls. Policies may be a little easier to standardize than rules and regulations because policies are less likely to prescribe specific solutions. Policies often use fairly loosely defined language, and that language provides the flexibility for each department to define exactly what is and is not confidential. But policies are still something we need to review in detail when an acquisition or merger occurs, because we want to make sure they are still relevant, that they still provide the proper safeguards, and that they are not overly burdensome to any one unit within the organization.
Regulations are a little different, because they are often established by government entities such as the FCC, DHS, and DOT to make sure that certain aspects of an industry are regulated. If a company in a heavily regulated industry combines with one from a less heavily regulated industry, there are obviously going to be major differences in the level of regulation that applies to each business unit. That is a situation we accept as normal, and we don't treat it as a lack of standardization, because the business units are simply under different regulatory requirements.
Export controls are rules and regulations that govern the shipment or transmission of items from one country to another, and that includes the disclosure or transfer of data to persons outside the country. Both the United States and the European Union have laws and regulations governing those exports. The concerns arise for three primary reasons: one, the characteristics of the item itself; two, the destination of the item; and three, the suspected end use of the item.
Export controls exist to protect national security, to implement foreign policy, and to allow countries to maintain a military and economic edge over one another. The Office for Export Controls Compliance (OECC) mentioned in the course is Northwestern University's own compliance office, which universities use to work out which controls apply to them; at the federal level in the United States, export controls are administered by the Commerce Department's Bureau of Industry and Security (the Export Administration Regulations) and the State Department's Directorate of Defense Trade Controls (the International Traffic in Arms Regulations). There are legal requirements as well.
Legal compliance is a big part of every organization's security initiative, so we need to make sure we are ensuring legal compliance. To do that, organizations have to understand the laws that apply to their particular industries. Some industries, such as financial services, health care, and industrial production, have a lot of federal, state, and local laws to consider, so those are things to be aware of depending on your industry.
- Common Regulations
Let's talk briefly about some of these common regulations. You don't have to memorize these laws and regulations, but you do need to be generally familiar with how they affect organizations, because you're going to have to assess scenarios on the CASP+ exam. The first one is SOX, the Sarbanes-Oxley Act of 2002, officially called the Public Company Accounting Reform and Investor Protection Act. It affects any organization that is publicly traded in the US, and it regulates accounting methods and financial reporting. HIPAA, the Health Insurance Portability and Accountability Act, is one most people are familiar with. It affects all healthcare facilities, health insurance companies, and healthcare clearinghouses, and it provides standards and procedures for the storage, use, and transmission of medical information and healthcare data. HIPAA overrides state laws.
The only exception is where the state laws are stricter. The Gramm-Leach-Bliley Act, or GLBA, from 1999 affects all financial institutions, including banks, loan companies, insurance companies, investment companies, and credit card providers. It provides guidelines for securing financial information, and it restricts the sharing of customers' financial information with third parties, which affects the security of PII, personally identifiable information.
The Computer Fraud and Abuse Act, CFAA, dates back to 1986. It essentially affects any entity that may engage in hacking of protected computers as defined in the act. It has been amended several times; the USA PATRIOT Act of 2001 was one of those amendments (it expanded the CFAA rather than replacing it). A protected computer is a computer used exclusively by a financial institution or the US government, or one that is used in or affects interstate or foreign commerce, which in practice covers most Internet-connected systems. Then there is the Federal Privacy Act of 1974.
Any computer that contains records used by a federal agency is affected by that act. It provides guidelines on how to collect, maintain, use, and disseminate PII about individuals that is maintained in a system of records by federal agencies. The Computer Security Act of 1987 was superseded by the Federal Information Security Management Act, FISMA, of 2002. The Computer Security Act was the first law to require a formal security plan.
It was written to protect sensitive information in federal government systems and to provide security for that information. You also have the Personal Information Protection and Electronic Documents Act, PIPEDA, which affects how private sector organizations collect, use, and disclose personal information in the course of commercial business.
That one is Canadian, and it was written partly to address European Union concerns about the security of PII in Canada. Basel II affects financial institutions and addresses minimum capital requirements, supervisory review, and market discipline; its main purpose is to protect against the risks that banks and other financial institutions face. The Payment Card Industry Data Security Standard, PCI DSS, applies to any organization that handles cardholder data for the major card brands. The version current when this course was recorded was 3.2; PCI DSS 4.0 was published in March 2022 and the 3.2.1 revision was retired in March 2024, so check which version applies to you. FISMA, mentioned above, is not on the slide. Then we have the USA PATRIOT Act, which affects law enforcement and intelligence agencies. Its purpose was to enhance the investigative tools available to them, covering email communications, telephone records, Internet communications, medical records, and financial records, and it amended many earlier laws. Some believe it went too far in places, but regardless, it's out there. The Health Care and Education Reconciliation Act of 2010 affects healthcare and educational organizations. As I said, you don't need to know all the details of these regulations, but you do want to know which businesses are affected by them in order to answer scenario questions on the exam correctly.
- Geographic Differences
Another thing that plays a large role in making a merger or demerger as seamless as possible is geographic differences, in addition to any language barriers that may exist. In a lot of cases different technologies are available in different parts of the world. An enterprise may have company-wide policies that require certain technologies to protect data, but the hardware and software needed to support those technologies may be unavailable in other countries or regions, for example parts of Africa or the Middle East. So it might be necessary to make adjustments and exceptions to policies.
If that is not acceptable, then the organization may have to find other ways to achieve the long-term goal, such as not allowing certain types of data to be sent to a location where the needed technologies are not available. Another issue is that countries may have different legal or regulatory requirements. One country may have significant requirements with respect to, say, data archival or data security, while another has nearly none of those requirements.
So the decision again becomes one of how much standardization across countries makes sense, and in some of those scenarios the cost of standardization exceeds the benefits derived. Data sovereignty is the concept that data stored in digital format is subject to the laws of the country in which the data is physically located.
That concept is affected by the differing privacy laws and regulations issued by nations and their governing bodies, and it is further complicated by the deployment of cloud solutions, where the laws of multiple countries may apply to the same data. Another factor is the type of data being stored: different types of data are regulated differently, and healthcare data and consumer data, for instance, have completely different laws regulating their transport and storage. So you have to have some flexibility, and changes to policies, or exceptions to them, are often going to be necessary.
- Data Sovereignty
A bit more on the concept of data sovereignty. We already said it is the principle that data stored in digital format is subject to the laws of the country in which the data is located, so the laws and regulations of several countries may apply. It is increasingly difficult to follow the simple rule of locating the data in the same country as the customer, and in many cases different regulations apply, so we have to consider who has jurisdiction.
The questions that have to be answered when designing governance policy for data sovereignty are these: Where is the data stored? Who has access to the data? Where is the data backed up? And how is the data encrypted? Just remember that the responsibility to meet data regulations falls on both the organization that owns the data and the vendor providing the data storage service, if any.
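The four governance questions above (where stored, who has access, where backed up, how encrypted) are exactly what a residency check over a cloud inventory answers. The following is an added example, not part of the course material: the region-to-jurisdiction map, the per-classification rules, the `principal@JURISDICTION` naming convention and the inventory itself are all assumptions constructed for the illustration. Backups are checked against the same rule as the primary copy, since a replica in another country is subject to that country's law just as much as the original.

```python
"""Data-sovereignty check over a constructed cloud storage inventory (added example)."""
from dataclasses import dataclass

# Assumed mapping of cloud regions to the jurisdiction whose law governs them.
REGION_JURISDICTION = {
    "eu-west-1": "EU", "eu-central-1": "EU",
    "us-east-1": "US", "us-west-2": "US",
    "ca-central-1": "CA",
}

# Assumed residency policy per data classification: jurisdictions allowed for
# the primary copy, backups and accessing principals, and whether a
# customer-held encryption key is mandatory.
RULES = {
    "health-eu":   {"allowed": {"EU"},             "customer_key": True},
    "consumer-ca": {"allowed": {"CA"},             "customer_key": False},
    "internal":    {"allowed": {"EU", "US", "CA"}, "customer_key": False},
}

@dataclass
class DataStore:
    name: str
    classification: str
    region: str                   # where the primary copy lives
    backup_regions: list[str]     # where backups / replicas live
    encryption: str               # "none", "provider-key" or "customer-key"
    access_principals: list[str]  # assumed convention: user@JURISDICTION

def jurisdiction(region: str):
    return REGION_JURISDICTION.get(region)

def check_store(store: DataStore, rules=RULES) -> list[str]:
    """Return the sovereignty findings for one store; an empty list means compliant."""
    findings = []
    rule = rules.get(store.classification)
    if rule is None:
        return [f"{store.name}: unknown classification '{store.classification}'"]
    allowed = rule["allowed"]
    # 1. Where is the data stored?
    j = jurisdiction(store.region)
    if j is None:
        findings.append(f"{store.name}: region {store.region} has no mapped jurisdiction")
    elif j not in allowed:
        findings.append(f"{store.name}: primary copy in {j} ({store.region}), allowed {sorted(allowed)}")
    # 2. Where is the data backed up? Replicas carry the same obligation.
    for r in store.backup_regions:
        bj = jurisdiction(r)
        if bj is None or bj not in allowed:
            findings.append(f"{store.name}: backup in {bj or 'unknown'} ({r}) outside allowed jurisdictions")
    # 3. How is the data encrypted?
    if store.encryption == "none":
        findings.append(f"{store.name}: not encrypted at rest")
    elif rule["customer_key"] and store.encryption != "customer-key":
        findings.append(f"{store.name}: requires customer-held key, has {store.encryption}")
    # 4. Who has access? A principal located in another jurisdiction is a transfer.
    for p in store.access_principals:
        pj = p.rsplit("@", 1)[-1]
        if pj not in allowed:
            findings.append(f"{store.name}: access granted to {p} from {pj}")
    return findings

def audit(inventory: list[DataStore]) -> dict[str, list[str]]:
    """Run check_store over every entry and key the findings by store name."""
    return {s.name: check_store(s) for s in inventory}

# Constructed inventory for the example.
INVENTORY = [
    DataStore("ehr-records", "health-eu", "eu-west-1", ["eu-central-1"], "customer-key", ["clinician@EU"]),
    DataStore("ehr-archive", "health-eu", "eu-west-1", ["us-east-1"], "provider-key", ["dba@US"]),
    DataStore("loyalty-db", "consumer-ca", "ca-central-1", ["ca-central-1"], "provider-key", ["analyst@CA"]),
    DataStore("wiki", "internal", "us-west-2", [], "none", ["staff@US"]),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

In this inventory `ehr-records` passes, `ehr-archive` fails on three counts (a backup in the US, a provider-managed key where a customer-held key is required, and a US-based administrator with read access), and `wiki` fails only because it is unencrypted. Feeding the check real region metadata from a cloud API is the obvious next step; the point of the structure is that each of the four governance questions maps to one explicit rule.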
- Internal and External Influences
Security policies, just like IT infrastructures, aren't created in a vacuum. We have to balance security, performance, and usability. That is difficult enough without competing constituencies, but in reality there are both internal and external forces that have to be considered and reconciled. The first is competitors. Enterprises always need to look at what their competitors are doing when it comes to security. Not every company's security will be unique, but one concern everybody shares is protecting the company's reputation. Almost every day we see news stories about companies that have had their digital information compromised and their reputation tarnished by a security breach. Touting the security of a company's network has almost become a business differentiator, so it is extremely important to understand the experiences of other companies and to identify what others are doing.
Auditors and audit findings are another important influence. Accountability is impossible without a record of the activity that is happening and a review of that activity, so we want the level and amount of auditing to reflect the company's security policy. Audits can be self-audits, meaning internal, or they can be performed by a third party. Self-audits carry the danger of subjectivity: regardless of how the audit tests are performed, there can be some question about their independence.
Regardless of whether you use internal or external audits, the results are useless unless they are incorporated into an update of the current policies and procedures. Most organizations perform internal audits periodically throughout the year and external audits annually. Many organizations operate in a regulated environment; banking and healthcare are just two industry examples. Regulation introduces another influence on security. In many industries a third party helps ensure that an organization complies with industry standards, government standards, and regulations. That third party carries out a thorough analysis of the organization's operations and any other areas the regulation dictates, and then reports its findings to the certifying or regulating organization.
The contract with the third party should stipulate that findings and results are communicated to the organization first and then only to the regulating organization. That needs to be managed by upper management so that only the appropriate level of access is given. We also need process and policy review, which focuses on a single process or policy within the organization to ensure that it follows the regulations. These reviews are meant to uncover deficiencies that need to be addressed, and they are not a one-time thing but an ongoing process. The frequency can be determined by industry standards or regulations, but at a minimum such reviews should be done about every six months. Then we have internal and external client requirements, another factor in determining the security measures to be deployed. When we talk about customers here, we mean users who need to interact with the network in some way.
Internal customers are those who operate within the local area network. External customers are people outside the network who still have to interact with it: uploading data to a web server, making a VPN connection, downloading data, and so on. The sensitivity of the operations they perform and of the data they handle helps determine the security measures that need to be deployed. In most cases, top-level management brings the least security knowledge to the discussion.
These managers nevertheless hold a disproportionate amount of influence on the security decisions that are made. Their decisions are driven by business needs; they are not fascinated by the latest security technologies, and in some cases they are not especially concerned with security at all.
They think about security when there is a breach or an emergency. Their job is to divide up the budget in the way that is most beneficial to the company's bottom line. It is our job as IT security professionals to make the case for security measures and show how they bring value to the company. That means demonstrating that the money saved by preventing data breaches and losses exceeds the money spent on a particular security measure.
- De-perimeterization
At one time, security professionals approached security by hardening the edges of the network, that is, its entry and exit points. New ways of working have changed where those edges are. In addition, the interior of most enterprise networks is now divided into smaller segments with controls placed between them. The introduction of wireless networks, portable network devices, virtualization, and cloud service providers has rendered the network boundary and the attack surface increasingly porous, full of holes.
The evolution of security architecture has led to increased capabilities, the same amount of security risk, and a higher total cost of ownership, but with a smaller corporate data center, at least on average. So the game has changed, and it has changed because of de-perimeterization: the constant shifting of network boundaries. There are various concepts and changes that security professionals need to understand in this area.
- Understand Changes in Network Boundaries
Let's talk about some of those developments and changes. The first is telecommuting, which is on the rise for a number of reasons. It saves money spent on fuel, it saves commuting time, it is beneficial to the environment, and it has a number of other advantages. Despite all that, it wasn't widely embraced until the technology existed to support it securely. Now telecommuters can connect over secure VPN connections, which lets them access resources and work as if they were sitting in the office. It has multiple effects on security, though. We put different technologies in place, for instance network access control (NAC), to ensure that computers that are not under the direct control of the IT department can still be scanned for malware and remediated before they are allowed access to the LAN.
Cloud solutions can move the perimeter of the network as well, depending on how they are implemented. A private cloud hosted on premises doesn't change the perimeter of the network, but hybrid, community, and public clouds extend that perimeter, and that increases the challenges. The threats presented by the introduction of mobile devices to an organization's network include smartphones and tablets holding company data, devices missing security patches, the use of location services, and insecure data storage, and we have to keep all of that in mind.
The most common type of corporate information stored on a mobile device is still corporate email and company contact information. But in many cases these devices also hold customer data, network login credentials, and corporate data accessed through business applications, so all of that becomes very important. The increasing use of mobile devices, along with the fact that many of them connect over public networks with little or no security, presents a unique set of challenges. We need to educate users on the risks associated with using mobile devices, and we need to implement the appropriate security measures to guard against them. One of those is mobile device management, or MDM.
MDM refers to software that lets you control a device: remediate it, scan it, update it, and enforce some level of security. BYOD, bring your own device, is a very common challenge in today's networks. There is a lot of pressure from users who want to use their personal smartphones, tablets, and laptops in the work environment, connect over wireless networks, and reach enterprise data regardless of where they are. The effect on security is similar to that of telecommuting, in that we can use technologies like network access control.
These might be necessary because we want to make sure that personal devices, which are not under our control, can be scanned and remediated if required before they are allowed to connect to the network. We also need to keep in mind any governmental regulations and legal requirements and ensure that our mobile device management policies keep these devices in compliance. BYOD initiatives are fine, but many of them fail because they are not restrictive enough, so we want to make sure that they are.
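Both the telecommuting and the BYOD passages describe the same NAC idea: evaluate an endpoint's posture before admitting it, and send anything fixable to a remediation network. The following is an added example and not the course's material or any vendor's NAC logic: the posture fields, the staleness thresholds, the VLAN names and the three sample endpoints are all assumptions. A real NAC agent or 802.1X supplicant would collect the posture values; here they are constructed inline.

```python
"""Pre-admission posture check in the style of a NAC policy (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy thresholds.
MAX_PATCH_AGE = timedelta(days=30)   # OS patches must be no older than 30 days
MAX_AV_DEF_AGE = timedelta(days=7)   # antivirus signatures no older than 7 days

# Assumed VLAN assignment per decision. The quarantine VLAN only reaches
# the patch and antivirus update servers, so a device can fix itself there.
VLAN_FOR = {"allow": "corp", "remediate": "quarantine", "deny": None}

@dataclass
class Posture:
    hostname: str
    managed: bool           # domain-joined / under MDM, i.e. under IT control
    os_patched_on: date     # date of the last successful OS update
    av_running: bool
    av_defs_updated: date
    disk_encrypted: bool
    firewall_on: bool

def evaluate(p: Posture, today: date) -> tuple[str, list[str]]:
    """Return (decision, reasons). Decisions: 'allow', 'remediate' or 'deny'."""
    reasons = []
    if not p.av_running:
        reasons.append("antivirus not running")
    elif today - p.av_defs_updated > MAX_AV_DEF_AGE:
        reasons.append("antivirus definitions stale")
    if today - p.os_patched_on > MAX_PATCH_AGE:
        reasons.append("OS patches stale")
    if not p.firewall_on:
        reasons.append("host firewall disabled")
    # Unmanaged (BYOD) devices must also prove disk encryption: IT cannot
    # remote-wipe them, so a lost device with corporate data is a disclosure.
    if not p.managed and not p.disk_encrypted:
        reasons.append("unmanaged device without disk encryption")
    if not reasons:
        return "allow", []
    # Encryption cannot be fixed from the quarantine VLAN, so that one is a
    # hard deny; everything else is self-remediable and gets quarantine.
    if "unmanaged device without disk encryption" in reasons:
        return "deny", reasons
    return "remediate", reasons

def admit(p: Posture, today: date) -> dict:
    """Combine the decision with the VLAN the switch port should be placed in."""
    decision, reasons = evaluate(p, today)
    return {"host": p.hostname, "decision": decision,
            "vlan": VLAN_FOR[decision], "reasons": reasons}

# Constructed sample endpoints as they might report in on a given day.
TODAY = date(2024, 6, 1)
SAMPLES = [
    Posture("corp-lt-01", True,  date(2024, 5, 20), True, date(2024, 5, 31), True,  True),
    Posture("home-pc",    False, date(2024, 3, 1),  True, date(2024, 5, 31), True,  True),
    Posture("byod-phone", False, date(2024, 5, 25), True, date(2024, 5, 30), False, True),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(admit(s, TODAY))
```

With these samples the managed laptop is admitted to the corporate VLAN, the home PC lands in quarantine solely for stale OS patches, and the unencrypted personal phone is refused. The shape to notice is the split between findings the device can fix from a restricted network and findings it cannot; that split is what decides whether "remediate" is a meaningful state in your NAC design.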
Otherwise we end up going back to update policies and disallow non-company endpoint devices on the corporate network altogether. If we do our due diligence and plan it out, we can gain the advantages of these devices while still maintaining a high level of security. We mentioned outsourcing earlier. Any time data is exchanged with a third party, the connection between the companies becomes part of the perimeter, so the security of that connection is extremely important. Outsourcing increases the importance of measures like ISAs (interconnection security agreements) and contract language that specifically details the security implementation for any process being outsourced. A third party handling sensitive or personal information definitely affects security, and it becomes a liability that many organizations fail to consider as part of the risk assessment but need to. We need an outsourcing agreement that ensures information entrusted to another organization is protected by the proper security measures. A few terms that go along with that are downstream liability, due diligence, and due care.
Downstream liability refers to the liability an organization accrues because of partnerships with other organizations and customers. Take a contracted third party: we have to consider whether it has the appropriate procedures in place to make sure that the organization's firewall has the security updates it needs. If an attacker later breaks into the network through that security hole and steals data and identities, customers can sue the organization, and not necessarily the third party, for negligence.
That is an example of downstream liability. Due diligence and due care are two related terms that deal with liability. Due diligence means the organization understands the security risks it faces and has taken reasonable measures to identify them. Due care means the organization takes all the actions it can reasonably take to prevent security issues or to mitigate the damage if a breach occurs.
So due diligence is about gathering information: we institute the appropriate procedures to determine the risks to organizational assets. Due care is about action: we institute the appropriate protections and procedures for all our assets, especially intellectual property. The two have a dependent relationship. When due diligence is performed, the organization recognizes areas of risk and can then take action on them. That is certainly important as it relates to network perimeters, and especially when dealing with third-party companies.
- Topic B: Policies and Procedures
In this next topic we're going to look at policies and procedures. These are IT governance documents that need to be implemented to make sure organizational assets are protected as well as possible. We will look at how process and policy life cycles are managed and at how to support legal compliance.
- Understanding Policies and Procedures
In a top-down approach, upper-level management initiates, supports, and directs the security program. In a bottom-up approach, staff members develop a security program before they receive any direction or support from management. Top-down approaches are usually more effective than bottom-up ones because they have management support, which is one of the most important components of a security program. Using a top-down approach helps ensure that an organization's policies align with its strategic goals. In the context of organizational security, a policy is a course or principle of action adopted by the organization.
A process is a series of actions taken to achieve a particular task or end, and a procedure is a series of actions conducted in a certain order or manner. These three determine all the major decisions and actions within an organization, and all organizational tasks operate within the boundaries set by policies, processes, and procedures. It helps to understand the relationship between them: policies are written first and guide the creation of processes and procedures; processes give a high-level view of the tasks involved; and procedures are the detailed steps required to complete a process.
- Policy Life Cycle
Policies should be written according to a defined life cycle, and what follows is a common one. First, develop the policy. Second, perform quality control. Third, obtain approval of the policy. Fourth, publish the policy. Once the policy is published, the organization needs to ensure that anyone affected by it is educated on it, so the new policy should be incorporated into the training those personnel receive. Each policy should, at a minimum, be reviewed annually.
If a policy needs to change, some form of version control should be in place to make sure the most current version is the one in use across the enterprise. When a policy is outdated and no longer applicable, it should be archived. Once the policy is written, the processes that go along with it should be written as well. Policies to consider include password policies, data classification, wireless and VPN policies, remote access, and device access policies. Those are the kinds of areas we are trying to define policies for.