Let's get started: Securing the Infrastructure:
• Framework for Governance
• Risk Management
• The Security Program
• Data Protection
• System and Data Management
• Security Awareness Training
• User Provisioning
• Monitoring and Enforcement
• Incident Response
NIST:
• NIST 800-12 NIST Handbook: Intro to Computer Security
• NIST 800-13 Telecomm Security Guidelines for Telecomm
• NIST 800-14 Generally Accepted Principles and Practices
• NIST 800-18 AUP / Rules of Behavior
• NIST 800-30 Risk Management/Assessments
• NIST 800-34 Contingency Planning
• NIST 800-37 Risk Management Framework
• NIST 800-40 Creating a Patch and Vulnerability Management Program
• NIST 800-41 Guidelines on Firewalls and Firewall Policy
• NIST 800-44 Guidelines on Securing Public Web Servers
• NIST 800-45 Guidelines on Electronic Mail Security
• NIST 800-47 Security Guide for Interconnecting IT Systems
• NIST 800-48 Guide to Securing Legacy IEEE 802.11 Wireless
• NIST 800-50 Building an IT Security Awareness Program
• NIST 800-53 Security and Privacy Controls for Federal IS
• NIST 800-54 Border Gateway Protocol Security
• NIST 800-55 Security Metrics for IS
• NIST 800-57 Recommendation for Key Management
• NIST 800-60 Guide for Mapping Types of Information
• NIST 800-61 Computer Security Incident Handling
• NIST 800-63 Electronic Authentication
• NIST 800-64 Security Considerations in the SDLC
• NIST 800-66 Healthcare privacy issues
• NIST 800-82 Guide to Industrial Control Systems (ICS)
• NIST 800-83 Guide to Malware Incident Prevention and Handling
• NIST 800-86 Guide to Integrating Forensic Techniques into IR
• NIST 800-88 Media Sanitization
• NIST 800-94 IDS/IPS
• NIST 800-115 IS Security Testing and Assessment
• NIST 800-119 Guidelines for Secure Deployment of IPv6
• NIST 800-122 Protecting PII
• NIST 800-137 Information Security Continuous Monitoring
• NIST 800-145 Cloud Computing
ISO:
• ISO 7498: OSI Model
• ISO 27000: ISMS - Overview and Vocabulary
• ISO 27001: ISMS - Requirements
• ISO 27002: Code of practice
• ISO 27003: ISMS implementation
• ISO 27004: Measurement and metrics framework
• ISO 27005: Risk management
• ISO 27006: Certification body requirements
• ISO 27007: ISMS - Auditing
• ISO 27008: Information Security Controls
• ISO 27011: ISMS guideline for telecom organizations
• ISO 27014: Governance of information security
• ISO 27017: Use of cloud services
• ISO 27018: Cloud privacy protection overview
• ISO 27031: Communications technology readiness for business continuity (BC)
• ISO 27032: Cyber Security Resilience
• ISO 27034: Security of applications
• ISO 27035: Security incident management
• ISO 27037: Covers identifying, gathering, and preserving digital evidence (DE)
• ISO 27799: Directives on protecting personal health information
• ISO 31000: Risk Management Framework
• ISO 22301: BCM - Business continuity
• ISO 15408: Common Criteria
• ISO 28000: Supply Chain Management
• ISO 42010: Systems and Software Engineering Architecture
• ISO 14443: Smart card standardization
Protect Sensitive Information: Some information may require special care and handling in your application to protect users. Identify any information that is sensitive, and apply appropriate controls to ensure it remains private. A good place to start is to always consider all personally identifiable information (PII) sensitive, as it can be used to establish a person's identity and might be used to cause them substantial harm, embarrassment, inconvenience, or unfairness. Refer to privacy guidelines for your country, municipality, or organization for specific lists of PII you may be legally required to protect. A typical list is provided here.
• User name
• Email address
• Home address
• Phone number
• Social Security number (even if it's just the last 4 digits)
• Driver's license or state ID number
• Passport number
• Alien registration number
• Financial account number
• Biometric identifiers
• Citizenship or immigration status
• Medical information
• Ethnic or religious association
• Sexual orientation
• Account passwords
• Date of birth
• Criminal history
• Mother's maiden name
Frameworks:
• Zachman Framework - not specific to security architecture
• Sherwood Applied Business Security Architecture (SABSA) Framework - chain of traceability
• IT Infrastructure Library (ITIL) - service strategy, service design, service transition, service operations, and continuous service improvement. Processes to allow for IT service management, developed by the United Kingdom's Office of Government Commerce
• TOGAF: Model and methodology for the development of enterprise architectures, developed by The Open Group
• Six Sigma: Business management strategy that can be used to carry out process improvement
• Capability Maturity Model Integration (CMMI): Organizational development for process improvement, developed by Carnegie Mellon
Data Discovery Approaches:
• Big data: A way of analyzing very large data sets to extract information
• Real-time analytics: Looking for patterns of usage
• Agile analytics: Freeform adaptive analysis that focuses on a single problem and doesn't analyze all of the data
• Business intelligence: Analyzing data and presenting useful information to help decision-makers

Data Discovery Techniques:
• Metadata: Information about the file (owner, size, create date, etc.)
• Labels: Labels assigned to data by the owner
• Content analysis: Analyzing data content, looking for keywords

Multi-factor Authentication (MFA): Use multiple factors to authenticate. These factors are based on:
• What they know (password, PIN)
• What they have (token, card, YubiKey)
• What they are (biometrics)
One-time passwords fall under MFA and are highly encouraged for first-time logins. Step-up authentication is also used for MFA when accessing a high-risk transaction or when violations have occurred in the transaction:
• Challenge questions
• Out-of-band authentication (SMS, text, phone call, etc.)
• Dynamic knowledge-based authentication
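The MFA and step-up rules above, as an added worked example (not from the original notes): authenticators are mapped to the three factor categories, MFA only counts when two different categories are present, and step-up is demanded for high-risk transactions, violations, or first logins without a one-time password. The authenticator names, risk scale and violation threshold are assumptions for illustration.

```python
"""Factor-category check and step-up decision for MFA (added example)."""
from dataclasses import dataclass

# Authenticator type -> factor category (constructed mapping, assumed names).
FACTOR_CATEGORY = {
    "password": "know", "pin": "know", "challenge_question": "know",
    "totp": "have", "sms_otp": "have", "hardware_key": "have", "smart_card": "have",
    "fingerprint": "are", "face": "are",
}
ONE_TIME_PASSWORD_TYPES = ("totp", "sms_otp")


@dataclass
class Session:
    factors_presented: list
    first_login: bool = False
    violations: int = 0  # failed attempts or policy violations in this transaction


def distinct_categories(factors):
    """Set of distinct factor categories presented; unknown types are ignored."""
    return {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}


def is_mfa(factors):
    """True only when two *different* categories were presented.

    Password + PIN are both 'know' and therefore do not make MFA.
    """
    return len(distinct_categories(factors)) >= 2


def requires_step_up(session, transaction_risk, max_violations=0):
    """Decide whether step-up authentication must be demanded.

    transaction_risk is 'low', 'medium' or 'high' (assumed scale). Assumed
    policy: first logins must include a one-time password; high-risk
    transactions or violations above the threshold require a second factor
    category unless the session already has one.
    """
    if transaction_risk not in ("low", "medium", "high"):
        raise ValueError(f"unknown risk level: {transaction_risk}")
    otp_used = any(f in ONE_TIME_PASSWORD_TYPES for f in session.factors_presented)
    if session.first_login and not otp_used:
        return True
    if transaction_risk == "high" or session.violations > max_violations:
        return not is_mfa(session.factors_presented)
    return False
```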
Data Collection Limitations:
• Collect data only by legal and fair means.
• Collect data with the knowledge and approval of the subject.
• Do not use personal data for other purposes.
• Collection of personal data should be relevant to the purpose.
• Collected data is to be accurate and kept up to date.
• Do not disclose personal data to other parties without the permission of the subject.
• Secure personal data against intentional or unintentional access, use, disclosure, destruction, and modification.
Note: The following are some of the important privacy-related practices and rules across the world that provide frameworks and limitations relating to personal data.
• General Data Protection Regulation (European Union)
• Data Protection Directive (EU)
• Data Protection Act 1998 (U.K.)
• Data Protection Act, 2012 (Ghana)
• Data protection (privacy) laws in Russia
• Personal Data Protection Act 2012 (Singapore)
• Privacy Act (Canada)
The goals of Incident Handling and Response Planning:
• Detect compromises as quickly and efficiently as possible.
• Respond to incidents as quickly as possible.
• Identify the cause as effectively as possible.
Data Classification Scheme:
• Identify the custodian
• Specify evaluation criteria
• Classify and label each resource
• Document any exceptions
• Select security controls
• Specify the procedures for declassifying
• Create an enterprise awareness program