Sample/practice exam 1 January 2018, questions and answers PDF

Title Sample/practice exam 1 January 2018, questions and answers
Course IT Risk Management
Institution Charles Sturt University
Pages 15


SAMPLE EXAMINATION QUESTIONS FOR PART B

1. Describe the CNSS security model. What are its three dimensions?

CNSS Security Model: Committee on National Security Systems, formerly known as the National Security Telecommunications and Information Systems Security Committee (NSTISSC). CNSS presents a comprehensive model of InfoSec known as the McCumber Cube. The McCumber Cube serves as the standard for understanding many aspects of InfoSec in three dimensions: information characteristics, information location and security control categories. If you expand the relationships among the three dimensions represented by the axes in the figure, you end up with a 3x3x3 cube with 27 cells. Each cell represents an area of intersection among these three dimensions which must be addressed to secure information. When using this model, you must ensure each of the 27 cells is properly addressed by each of the three dimensions. For example, the cell representing the intersection of the technology, integrity and storage criteria could include controls or safeguards addressing the use of technology to protect the integrity of information while in storage. The main purpose of the model is to identify gaps in the coverage of an InfoSec program. The weakness of this model emerges when it is viewed from a single perspective, leaving out the concerns of the broader IT environment (a holistic view). In practice, good risk reduction requires the creation and control of all three dimensions to reflect the balancing act that each organisation faces.

Three dimensions:
1. Policy
   i. Computer security (confidentiality)
   ii. Data security (integrity)
   iii. Network security (availability)
   iv. Storage
   v. Processing
   vi. Transmission
2. Education
   i. Computer security (confidentiality)
   ii. Data security (integrity)
   iii. Network security (availability)
   iv. Storage
   v. Processing
   vi. Transmission
3. Technology
   i. Computer security (confidentiality)
   ii. Data security (integrity)
   iii. Network security (availability)
   iv. Storage
   v. Processing
   vi. Transmission
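To show how the cube is used for its stated purpose, finding coverage gaps, here is an added example (not part of the original exam notes) that enumerates the 27 cells and reports the ones no control addresses. The axis labels follow the answer above; the control inventory is constructed sample data, not a real organisation's control set.

```python
"""Coverage check for the 27 cells of the McCumber Cube.

Added example, not from the original exam notes. The three axes are the
ones the answer names; the control inventory is constructed sample data.
"""
from itertools import product

CHARACTERISTICS = ("confidentiality", "integrity", "availability")
LOCATIONS = ("storage", "processing", "transmission")
CATEGORIES = ("policy", "education", "technology")
AXES = (CHARACTERISTICS, LOCATIONS, CATEGORIES)

# Every (characteristic, location, category) triple: 3 x 3 x 3 = 27 cells.
ALL_CELLS = frozenset(product(*AXES))


def cell_of(control):
    """Map a control record to its cube cell; reject values off the axes."""
    cell = (control["characteristic"], control["location"], control["category"])
    if cell not in ALL_CELLS:
        raise ValueError(f"{control['name']!r} maps to unknown cell {cell}")
    return cell


def coverage_gaps(controls):
    """Cells that no control addresses: the gaps the model is meant to expose."""
    covered = {cell_of(c) for c in controls}
    return sorted(ALL_CELLS - covered)


def coverage_by_axis(controls, axis):
    """Fraction of the 9 cells covered for each value on one axis (0, 1 or 2)."""
    covered = {cell_of(c) for c in controls}
    report = {}
    for value in AXES[axis]:
        slab = [cell for cell in ALL_CELLS if cell[axis] == value]
        report[value] = sum(cell in covered for cell in slab) / len(slab)
    return report


# Constructed inventory: technology-heavy, with two policies in the same cell
# (coverage is counted per cell, so they fill one cell, not two).
SAMPLE_CONTROLS = [
    {"name": "full-disk encryption", "characteristic": "confidentiality",
     "location": "storage", "category": "technology"},
    {"name": "TLS on all links", "characteristic": "confidentiality",
     "location": "transmission", "category": "technology"},
    {"name": "signed backup checksums", "characteristic": "integrity",
     "location": "storage", "category": "technology"},
    {"name": "server failover cluster", "characteristic": "availability",
     "location": "processing", "category": "technology"},
    {"name": "data classification policy", "characteristic": "confidentiality",
     "location": "storage", "category": "policy"},
    {"name": "password policy", "characteristic": "confidentiality",
     "location": "storage", "category": "policy"},
    {"name": "secure email handling training", "characteristic": "confidentiality",
     "location": "transmission", "category": "education"},
]

if __name__ == "__main__":
    for cell in coverage_gaps(SAMPLE_CONTROLS):
        print("gap:", *cell)
    print(coverage_by_axis(SAMPLE_CONTROLS, 2))
```

Run as a script it lists the 21 uncovered cells and shows that policy and education each cover only one cell of nine, which is the single-perspective weakness the answer describes.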


Above those three dimensions there is a policy; the framework is called ‘Management of Information Security’, and it sits under the roof of ‘Information Security’ and ‘Governance’.

2. Discuss the different stages and objectives in the Security Systems Development Life Cycle (SecSDLC).

A formal approach to designing information security programs that follows the methodology of a traditional information systems development life cycle (SDLC), including a recursive set of phases such as investigation, analysis, logical design, physical design, implementation, and maintenance and change. SecSDLC uses a traditional waterfall model and consists of six phases:

• Investigation
It begins with the directive from upper management specifying the process, outcomes, and goals of the project, as well as its budget and other constraints. Frequently, this phase begins with the affirmation or creation of the security policies on which the security program of the organisation is or will be founded. Teams of managers, employees or consultants are involved to investigate the problems, define the scope, specify goals and objectives, and identify any additional constraints not covered in the enterprise security policy. Prior to carrying out the next step, a feasibility analysis must be conducted to determine whether the organisation has the resources and commitment to conduct a successful security analysis and design.

• Analysis
During this phase, the team studies the documents from the investigation phase. The team that was assembled during the investigation phase conducts a preliminary analysis of existing security policies or programs along with documented current threats and associated controls. This phase also includes an analysis of relevant legal issues that could affect the design of the security solution. Increasingly, privacy laws are a major consideration when making decisions about information systems that manage personal information, as is state legislation in relation to computer-related activities. The risk management task also begins in this stage. Risk management is the process of identifying, assessing and evaluating the levels of risk an organisation faces, specifically the threats to the organisation’s security and to the information stored and processed by the organisation. The next task in the analysis phase is to assess the relative risk for each of the information assets via a process called risk assessment or risk analysis, both of which are risk management components. Risk management helps to identify the vulnerabilities in an organisation to assure the confidentiality, integrity and availability of all components in the organisation’s information systems.

• Design
The design phase continues with the formulation of the controls and safeguards used to protect information from attacks by threats. The terms control and safeguard are often used interchangeably. There are three categories of controls: managerial controls, operational controls, and technical controls. Managerial controls cover security processes that are designed by the strategic planners and executed by the security administration of the organization. They set the direction and scope of the security process and provide detailed instructions for its conduct. Managerial controls address the design and implementation of the security planning process and security program management. They also address risk management and security controls reviews. Management controls further describe the necessity and scope of legal compliance and the maintenance of the entire security systems life cycle. Operational controls deal with the operational functionality of security in the organization. They cover management functions and lower-level planning, such as disaster recovery and incident response planning (IRP). In addition, these controls address personnel security, physical security, and the protection of production inputs and outputs. Operational controls also provide structure to the development of education, training, and awareness programs for users, administrators, and management. Finally, they address hardware and software systems maintenance and the integrity of data. Technical controls address technical approaches used to implement security in the organization. Operational controls address specific operational issues, such as control development and integration into business functions, while technical controls must be selected, acquired (made or bought), and integrated into the organization’s IT structure. Technical controls include logical access controls, such as those used for identification, authentication, authorization, and accountability. Incident response, disaster recovery, business continuity, and crisis management are all components of Contingency Planning (CP).

o Logical design
In the logical design phase, team members create and develop the blueprint for security, and they examine and implement key policies that influence later decisions. At this stage, critical contingency plans for incident response are developed. Next, a feasibility analysis determines whether the project should continue in-house or should be outsourced.

o Physical design
Team members evaluate the technology needed to support the security blueprint, generate alternative solutions, and agree on a final design. The security blueprint may be revisited to keep it synchronized with the changes needed when the physical design is completed. Criteria for determining the definition of successful solutions are also prepared during this phase, as are designs for physically securing the technological solutions. At the end of this phase, a feasibility study should determine the readiness of the organization for the proposed project, and then the champion and users should be presented with the design. At that point, the interested parties have a chance to approve (or not approve) the project before implementation begins.

• Implementation
The SecSDLC implementation phase is similar to the corresponding phase of the traditional SDLC. Security solutions are acquired (made or bought), tested, implemented, and retested. Personnel issues are evaluated and specific training and education programs are conducted.


Perhaps the most important element of the implementation phase is the management of the project plan. Project management, as described in Chapter 5, is the process that underlies all phases of the SecSDLC. The execution of the project plan proceeds in three steps:
1. Planning the project
2. Supervising the tasks and action steps within the project plan
3. Wrapping up the project plan

Many of the same skills needed to manage and implement security are needed to design it. Members of the development team fill the following roles:
o Champion—A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization
o Team Leader—A project manager (perhaps a departmental line manager or staff unit manager) who understands project management, personnel management, and InfoSec technical requirements
o Security Policy Developers—Individuals who understand the organizational culture, existing policies, and requirements for developing and implementing successful policies
o Risk Assessment Specialists—Individuals who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used
o Security Professionals—Dedicated, trained, and well-educated specialists in all aspects of InfoSec from both technical and nontechnical standpoints
o Systems Administrators—Individuals with the primary responsibility for administering the systems that house the information used by the organization
o End Users—The individuals whom the new system will most directly affect; ideally, a disparate group of users from various departments and levels, and with varying degrees of technical knowledge, to assist the team in applying realistic controls in ways that do not disrupt the essential business activities they seek to safeguard

When implementing InfoSec in an organization, many human resource issues must be addressed. First, the entire organization must decide how to position and name the security function within the organization. Second, the InfoSec community of interest must plan for the proper staffing (or adjustments to the staffing plan) for the InfoSec function. Third, the IT community of interest must understand how InfoSec affects every role in the IT function and adjust job descriptions and documented practices accordingly. Finally, the general management community of interest must work with the InfoSec professionals to integrate solid InfoSec concepts into the personnel management practices of the organization as a whole. Senior management is the key component and vital force driving the successful implementation of an InfoSec program.

Roles involved in InfoSec:
o Chief information officer (CIO)—The senior technology officer responsible for aligning the strategic efforts of the organization and integrating them into action plans for the information systems or data-processing division of the organization
o Chief security officer (CSO)—This job title may be used in lieu of “CISO”; however, when it is used to refer to a role that is superior to the CISO, the CSO is responsible for the protection of all physical and information resources within the organization
o Chief information security officer (CISO)—The individual responsible for the assessment, management, and implementation of information-protection activities in the organization
o Security managers—The individuals accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO and resolving issues identified by technicians
o Security technicians—Technically qualified individuals who are tasked with configuring firewalls and intrusion detection systems (commonly referred to as IDSs), implementing security software, diagnosing and troubleshooting problems, and coordinating with systems and network administrators to ensure that security technology is properly implemented


o Data owners—Individuals who control, and are therefore responsible for, the security and use of a particular set of information; data owners may rely on custodians for the practical aspects of protecting their information, specifying which users are authorized to access it, but they are ultimately responsible for it
o Data custodians—Individuals who work directly with data owners and are responsible for storage, maintenance, and protection of the information
o Data users—Internal and external stakeholders (customers, suppliers, and employees) who interact with the information in support of their organization’s planning and operations

• Maintenance
InfoSec systems need constant monitoring, testing, modifying, updating, and repairing. Traditional application systems that are developed within the framework of the SDLC are not designed to anticipate a vicious attack that requires some degree of application reconstruction as a normal course of operation. Once the InfoSec program is implemented, it must be operated, properly managed, and kept up to date by means of established procedures. If the program is not adjusting adequately to the changes in the internal or external environment, it may be necessary to begin the cycle again. The CISO determines whether the InfoSec group can adapt adequately and maintain the InfoSec profile of the organization. Therefore, for maintenance, the steps include investigation, analysis, design, and implementation. Whereas a systems management model is designed to manage and operate systems, a maintenance model is intended to complement a systems management model and focus those ongoing maintenance efforts that are needed to keep systems usable and secure. The model consists of five subject areas or domains, as described in the following sections.

External Monitoring
The objective of external monitoring within the maintenance model shown in Figure 3-12 is to provide early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks, thereby enabling the creation of an effective and timely defense.

Internal Monitoring
The primary objective of internal monitoring is to maintain an informed awareness of the state of all the organization’s networks, information systems, and InfoSec defenses. This status must be communicated and documented, especially the status of the parts of information systems that are connected to the external network.

Planning and Risk Assessment
The primary objective of planning and risk assessment is to keep a wary eye on the entire InfoSec program. This is achieved in part by identifying and planning ongoing InfoSec activities that further reduce risk. Also, the risk assessment group identifies and documents risks introduced by both IT projects and InfoSec projects. Furthermore, it identifies and documents risks that may be latent in the present environment.

Vulnerability Assessment and Remediation
The primary objective of vulnerability assessment and remediation is the identification of specific, documented vulnerabilities and their timely remediation. This is accomplished by:
o Using documented vulnerability assessment procedures to safely collect intelligence about networks (internal and public-facing), platforms (servers, desktops, and process control), dial-in modems, and wireless network systems
o Documenting background information and providing tested remediation procedures for the reported vulnerabilities
o Tracking, communicating, and reporting to management the itemized facts about the discovered vulnerabilities and the success or failure of the organization to remediate them

Readiness and Review
The primary objectives of readiness and review are to keep the InfoSec program functioning as designed and, it is hoped, continuously improve it over time. This objective includes continually assessing the current state of the program and comparing it against a desired state. The result is a plan to move from the current state to the desired state. This current state could be the level of performance, results, and/or quality (quality assurance) of the program, as defined by the organization. Quality may mean different things to different people, but it is generally considered a descriptive characteristic or feature of value or worth. In many cases, quality is independent of cost.


3. What is a disaster recovery plan and why is it important to the organization?

Disaster recovery (DR): An organisation’s set of planning and preparation efforts for detecting, reacting to, and recovering from a disaster.
Disaster Recovery Plan: the documented product of disaster recovery planning; a plan that shows the organisation’s intended efforts in the event of a disaster.
Disaster Recovery Planning: the actions taken by senior management to develop and implement the DR policy, plan and recovery teams.


Why is DRP important to the organization: risk management for the overall organisation. In the event of a disaster, continued operations of the company are heavily dependent on the ability to replicate the organisational IT systems and data. In order to do so, a seamless disaster recovery plan is vital.

4. Describe two approaches used to categorize access control methodologies. List the types of controls found in each.

Access control is built on several key principles, including the following:
Least privilege: Users can access the minimum amount of information for the minimum amount of time necessary to perform their required duties.
Need to know: For example, a manager who needs to change a specific employee’s pay rate is granted access to read and update that data but is restricted from accessing pay data for other employees.
Separation of duties: For example, in accounts payable situations, one person may set up a vendor, another may request payment to the vendor, and a third person may authorize the payment.

Approach one: One approach depicts the controls by their inherent characteristics and classifies each control as one of the following:
• Directive—Employs administrative controls such as policy and training designed to proscribe certain user behaviour in the organization
• Deterrent—Discourages or deters an incipient incident; an example would be signs that indicate video monitoring
• Preventative—Helps an organization avoid an incident; an example would be the requirement for strong authentication in access controls
• Detective—Detects or identifies an incident or threat when it occurs—for example, anti-malware software
• Corrective—Remedies a circumstance or mitigates damage done during an incident—for example, changes to a firewall to block the reoccurrence of a diagnosed attack
• Recovery—Restores operating conditions back to normal—for example, data backup and recovery software
• Compensating—Resolves shortcomings, such as requiring the use of encryption for transmission of classified data over unsecured networks

Approach two: A second approach, described in the NIST Special Publication series, categorizes controls based on their operational impact on the organization:
• Management—Controls that cover security processes designed by strategic planners, integrated into the organization’s management practices, and routinely used by security administrators to design, implement, and monitor other control systems
• Operational (or Administrative)—Controls that deal with the operational functions of security that have been integrated into the repeatable processes of the organization
• Technical—Controls that support the tactical portion of a security program and that have been implemented as reactive mechanisms to deal with the immediate needs of the organization as it responds to the realities of the technical environment
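The three access-control principles from the start of this answer, as an added example (not code from the original notes) built around the answer's own pay-rate and accounts-payable scenarios; the reporting lines, the time-bound grant and the three-step vendor workflow are constructed assumptions.

```python
"""Checks for least privilege, need to know and separation of duties.

Added example, not from the original notes. The reporting lines, the
pay-data request and the accounts-payable (AP) workflow are constructed
sample data built around the answer's pay-rate and vendor examples.
"""

# Need to know: employee -> manager. Constructed org chart.
REPORTS_TO = {"alice": "mgr_bob", "carol": "mgr_bob", "dave": "mgr_erin"}
PAY_ACTIONS = ("read", "update")


def pay_data_allowed(actor, employee, action, now=0, grants=None):
    """Least privilege and need to know for the pay-rate example.

    A manager may read/update pay data only for direct reports; everyone
    may read (never update) their own record; any other access needs an
    explicit grant {(actor, employee): expiry}, honoured only while
    now < expiry, so elevated access lasts the minimum time necessary.
    """
    if action not in PAY_ACTIONS:
        return False                      # undefined verbs are denied
    if REPORTS_TO.get(employee) == actor:
        return True                       # manager of this employee
    if actor == employee:
        return action == "read"           # self-service is read-only
    expiry = (grants or {}).get((actor, employee))
    return expiry is not None and now < expiry


# Separation of duties: three AP steps, in order, by three different people.
AP_STEPS = ("setup_vendor", "request_payment", "authorize_payment")


class SeparationOfDutiesError(Exception):
    """Raised when one person would perform two AP steps for a vendor."""


class AccountsPayable:
    def __init__(self):
        self._done = {}                   # vendor -> {step: actor}

    def perform(self, vendor, step, actor):
        """Record a step; refuse out-of-order steps and repeat actors."""
        steps = self._done.setdefault(vendor, {})
        if len(steps) == len(AP_STEPS):
            raise ValueError(f"{vendor}: payment already authorized")
        expected = AP_STEPS[len(steps)]
        if step != expected:
            raise ValueError(f"{vendor}: expected {expected!r}, got {step!r}")
        if actor in steps.values():
            raise SeparationOfDutiesError(
                f"{actor} already acted on {vendor}: {steps}")
        steps[step] = actor               # commit only after every check
        return dict(steps)

    def is_complete(self, vendor):
        return len(self._done.get(vendor, {})) == len(AP_STEPS)
```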

5. List and describe the three types of information security (InfoSec) policies.

I.

II.

III.

E...

