1. Security and Risk management

[rainit2006]

///

[rainit2006]

[rainit2006]

Types of evidence:

• Real Evidence: Tangible and Physical objects, in IT Security: Hard Disks, USB Drives – NOT the data on them.

• Direct Evidence: Testimony from a first hand witness, what they experienced with their 5 senses.

• Circumstantial Evidence: Evidence to support circumstances for a point or other evidence.

• Collaborative Evidence: Supports facts or elements of the case, not a fact on its own, but support other facts.

• Hearsay: Not first and knowledge – normally inadmissible in a case. Computer generated records and with that Log Files were considered hearsay, but case law and updates to the Federal Rule of Evidence have changed that. Rule 803 provides for the admissibility of a record or report that was “made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of a regularly conducted business activity, and if it was the regular practice of that business activity to make the memorandum, report, record or data compilation.”

• Best Evidence Rule The courts prefer the best evidence possible. Evidence should be accurate, complete, relevant, authentic, and convincing.

• Secondary Evidence – This is common in cases involving IT. Logs and documents from the systems are considered secondary evidence.

• Evidence Integrity – It is vital that the evidence’s integrity cannot be questioned. We do this with hashes. Any forensics is done on copies and never the originals. We check hash on both original and copy before and after the forensics.

• Chain of Custody – This is done to prove the integrity of the data; that no tampering was done. Who handled it? When did they handle it? What did they do with it? Where did they handle it?

When Computer file be admissible?

When the computer output is done during regular business hours

[rainit2006]

分類	説明	例
1	Controls (管理・統制)	情報セキュリティ管理・実施方針	ISO 17799/27002, NIST 800-53
2	Control Objectives (管理・統制方針)	管理・統制目標	COBIT, ITIL/ISO 20000, CMM
3	Governance Framework (ガバナンスフレームワーク)	ガバナンス（訳すなら統治）全体のフレームワーク	COSO, OCEG
4	Regulations (規制)	業種ごとの法規制・ガイドラインなど	SOX, HIPAA, GLBA, FISMA, PCI-DSS

業種	法規制・ガイドライン	補足
政府・公共	FISMA (連邦情報セキュリティマネジメント法)	IPA - 情報セキュリティ向上のための米国の取り組み
金融	GLBA (Gramm-Leach-Bliley Act)、US SEC Compliance (US証券取引所)
ヘルスケア・医療	HIPAA (医療保険の携行性と責任に関する法律)、HITECH法 – 個人情報対策
エネルギー・社会インフラ	NERC/CIP (北米電力信頼性評議 / 重要インフラ保護サイバーセキュリティ基準)
クレジットカード関連・流通	PCI DSS (PCI データセキュリティスタンダード)

ISO31000:2009 リスクマネジメント規格

ISO31000は組織体のどのレベル・規模であっても適用可能な「リスクマネジメントの考え方」を示していると言えます。ISO31000はあくまでもリスクマネジメントに関するガイドラインであり、認証を目的としたものではありません。 https://www.newton-consulting.co.jp/bcmnavi/guideline/iso31000_2009.html

GLBA（Graham-Leach-Bliley Act）

すべて金融機関は消費者に対して、個人情報（プライバシー）に関する方針や慣例を伝えなければならないというアメリカの法律のことです。 The Gramm-Leach-Bliley Act (GLBA) contains provisions regulating the privacy of customer financial information.

SOX(Sarbanes-Oxley Act of 2002 )

• Directly related to the accounting scandals in the late 90’s.
• Regulatory compliance mandated standards for financial reporting of publicly traded companies.

• Intentional violations can result in criminal penalties.

  tips GLBA = protecting consumers' money from bad banks SOX = protecting investors' money from bad corporations

Federal Information Security Management Act （FISMA）

連邦政府機関、および連邦政府機関の民間委託先に適用される法律で、情報や情報システムのセキュリティ強化が義務付けられています。 FISMA specifically applies to government contractors。

EEA（Economic Espionage Act）

営業秘密を保持している者に対し、知的財産の保護を求める法律です。 米国企業から営業秘密を不正に外部に漏えい等させた場合、本法に基づき罰金や懲役刑が課されます。

Federal Sentencing Guideline（連邦量刑ガイドライン）

連邦法上の犯罪に対する量刑裁量の基準を明確化・公平化するために作成されたガイドラインです。 1991年、情報セキュリティ関連の問題に対する”prudent man rule”が本ガイドラインに適用されました。 1991年，针对白领犯罪，规定了senior manager的责任，提倡实现security policies和security programs，due care

電子通信プライバシー法（ECPA：Electronic Communication. Privnacy Act）

Protection of electronic communications against warrantless wiretapping。

CALEA

The Communications Assistance to Law Enforcement Act (CALEA) requires that all communications carriers make wiretaps possible for law enforcement officials who have an appropriate court order.

COPPA

COPPA（Children's Online Privacy Protection Act）とは、2000年4月21日から米国で施行された、子供向けサイトに規制を課すことで子供のインターネット上の安全を守ろうとする法律です。 COPPAでは、商用サイトが、12歳以下(under the age of 13)の子供の個人情報を収集する場合に、次のようなこと(詳細略)を義務づけています。 COPPA requires that websites obtain advance parental consent for the collection of personal information from children under the age of 13.

prudent person rule (思慮深い投資家の原則)

、年金の運用など、他人のために資金の運用を行う受託者に課せられる義務で、「受託者は、専門知識を持った思慮深い投資家であれば、当然そうするように経済状況やリスクなどさまざまな要因を考慮して、思慮深く運用を行わなければならない」というものです。

de facto standard

「事実上の標準」を指す.

Others

• Family Educational Rights and Privacy Act (FERPA): 学生の個人識別情報（PII）と、学生教育記録に保存されている学生に直接関係する情報 を保護する連邦法です。
• GISRA： The Government Information Security Reform Act (GISRA) was the precursor to FISMA and expired in November 2002.
• The export of encryption software to certain countries is regulated under US export control laws.
• The Code of Federal Regulations (CFR) contains the text of all administrative laws promulgated by federal agencies.
• The United States Code contains criminal and civil law.
• Supreme Court rulings contain interpretations of law and are not laws themselves.
• The Fourth Amendment directly prohibits government agents from searching private property without a warrant and probable cause.

[rainit2006]

COBIT

COBITは、ISACA（以前の情報システム監査管理統制）とITガバナンス研究所（ITGI）によって策定されたフレームワーク。 本質的には、COBITは「達成すべきこと」に対応し、ITILは「達成する方法」のフレームワーク。

COBIT specifies 17 enterprise and 17 IT-related goals that take the guesswork out of ensuring we consider all dimensions in our decision-making processes.

A majority of the security compliance auditing practices used today in the industry are based off of COBIT.

COSO

COSOは、コーポレートガバナンスのモデルのひとつ。（金融系） COBITは、COSOフレームワークから派生したもの。COSOの内容をほぼ内包する。 COBITとCOSOの違いは、COBITは、ITの観点から見ている点。

Difference

While CobiT helps a company define risk goals at an operational level, COSO helps a company define organizational risks at a business level. While CobiT is a model for IT governance, COSO is a model for corporate governance. CobiT was derived from the COSO framework

CobiT is a framework that defines goals for the controls used to properly manage IT and ensure that IT maps to business needs. It is broken down into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. Each category drills down into subcategories.

Zachman框架：是一个二维模型，它使用了6个基本的疑问词（什么、如何、哪里、谁、何时、为何）和不同的视知观点（计划人员、所有者、设计人员、建设人员、实施人员和工作人员）二维交叉，它给出了企业的一个整体性理解。

开放群组架构框架（The Open Group Architecture Framework，TOGAF）：它由美国国防部开发并提供了设计、实施和治理企业信息架构的方法。架构允许技术架构设计师从企业的不同视角（业务、数据、应用程序和技术）去理解企业，以确保开发出环境及组件所必需的技术，最终实现业务需求。

舍伍德的商业应用安全架构（Sherwood Applied Business Security Architecture，SABSA）：是一个分层模型，它在第一层从安全的角度定义了业务需求。

COBIT（Control Objectives for Information and related Technology，信息及相关技术的控制目标）：是一组由国际信息系统审计与控制协会（ISACA）和IT治理协会（lTGI）制定的一个治理与管理的框架。

COSO内部控制整合框架：是由反欺诈财务报告全国委员会发起组织委员会（Committee of Sponsoring Organizations，COSO）于1985年开发的，是用来处理财务欺诈活动并汇报。

ISO/IEC 27000系列： ISO和IEC联合开发的关于如何开发和维护信息安全管理体系的国际标准。

ITIL：作为一种以流程为基础、以客户为导向的IT服务管理指导框架，它摆脱了传统IT管理以技术管理为焦点的弊端，实现了从技术管理到流程管理，再到服务管理的转化。

能力成熟度模型集成（Capability Maturity Model Integration，CMMI）：由Carnegie Mellon大学开发，以此作为确定组织流程成熟度的一种方式。

[rainit2006]

NIST outline some self testing techniques:

• War dialing
• Log review
• Password cracking
• Penetrating testing
• Vulnerability testing
• Network mapping

[rainit2006]

Information warfare

味方の情報及び情報システムを防護し、かつ敵のそれを攻撃・攪乱・妨害する敵味方相互の情報活動をいう。

[rainit2006]

• USPTO: The United States Patent and Trademark Office (USPTO) bears responsibility for the registration of trademarks.
• Copyright: Written works, such as website content, are normally protected by copyright law
• Trademarks protect words and images that represent a product or service and would not protect computer software.

[rainit2006]

BCP

• The Service Organizations Control audit program includes business continuity controls in a SOC 2, but not SOC 1, audit.
• Vital record program: バイタルレコードには、災害に遭った時、組織を再建するか継続するために必要な情報が含まれている。それらは、企業の法的・財務的地位を回復し、企業とその従業員、顧客と株主の権利を守るために必要である。
• Everyone in the organization should receive a basic awareness training for the business continuity program. Those with specific roles, such as first responders and senior executives, should also receive detailed, role-specific training.

[rainit2006]

SLA

SLAs do not normally address issues of data confidentiality. Those provisions are normally included in a nondisclosure agreement (NDA).

[rainit2006]

Reduction analysis

In reduction analysis, the security professional breaks the system down into five key elements: trust boundaries, data flow paths, input points, privileged operations, and details about security controls.

[rainit2006]

NISP SP 800 Series

Special Publications in the 800 series present documents of general interest to the computer security community.

• 800-12The NIST Handbook。Intro to Computer Security。
• 800-34: Business Contingency Planning
• 800-64 Security Considerations in the SDLC
• 800-37 Comprehensive set of security Controls Risk Framework
• 800-30 Guide for conducting risk Assessments
• 800-53 Security Control Baselines as list of security Controls
• 800-18 Responsibilities of Information Owner
• 800-122 Guide to Protecting Confidentiality of PII

[rainit2006]

Security and Risk Management

Security terminology and principles

CIA: confidentiality, integrity, and availability.

• A vulnerability is a weakness in a system that allows a threat source to compromise its security.
• A threat is any potential danger that is associated with the exploitation of a vulnerability.
• threat agent
• risk: is the likelihood of a threat source exploiting a vulnerability and the corresponding business impact.
• exposure: an instance(实例) of being exposed to losses.
• A control, or countermeasure

  Protection control types

• Administrative controls （also called “soft control”）
• Technical controls (also called logical controls)
• Physical controls

Control functionalities：

• Preventive Intended to avoid an incident from occurring
• Detective Helps identify an incident’s activities and potentially an intruder • Corrective Fixes components or systems after an incident has occurred
• Deterrent Intended to discourage a potential attacker
• Recovery Intended to bring the environment back to regular operations
• Compensating Controls that provide an alternative measure of control

  Security frameworks, models, standards, and best practices • Computer laws and crimes

  Security Program Development:

  • ISO/IEC 27000 series International standards on how to develop and maintain an ISMS developed by ISO and IEC

  Enterprise Architecture Development:

  Zachman Framework Model:

• for the development of enterprise architectures developed by John Zachman.
• two-dimensional, six basic communication interrogatives, different perspectives, give a holistic understanding of the enterprise.
• The goal of this framework is to be able to look at the same organization from different viewpoints)

TOGAF Model and methodology:

• for the development of enterprise architectures developed by The Open Group
• which has its origins in the U.S. Department of Defense.
• can be used to develop architecture types: Business architecture， Data architecture，Applications architecture，Technology architecture
• Architecture Development Method (ADM)：架构开发方法是TOGAF针对企业架构建设方法的论述，它以一个循环迭代模型为基础将企业架构的建设过程划分为前后衔接的若干步骤，并对每个步骤的输入、输出以及所采用方法都进行了详尽的阐述。

DoDAF: • DoDAF U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals

MODAF: • MODAF Architecture framework used mainly in military support missions developed by the British Ministry of Defence

SABSA （Sherwood Applied Business Security Architecture ）:

• SABSA model Model and methodology for the development of information security enterprise architectures
• similar to the Zachman Framework
• SABSA包括6层，其中安全服务管理架构层纵向贯穿其他5层

For an enterprise security architecture to be successful in its development and implementation, the following items must be understood and followed:

• strategic alignment
• business enablement
• process enhancement
• security effectiveness.

Security Controls Development:

COBIT

• A business framework to allow for IT enterprise management and governance that was developed by Information Systems Audit and Control Association (ISACA)

NIST SP 800-53

• Set of controls to protect U.S. federal systems developed by the National Institute of Standards and Technology
• NIST SP 800-53 uses the following control categories: technical, management, and operational.

COSO IC

• COSO Internal Control-Integrated Framework Set of internal corporate controls to help reduce the risk of financial fraud developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission。
• The COSO IC framework is a model for corporate governance, and COBIT is a model for IT governance. COSO IC deals more at the strategic level, while COBIT focuses more at the operational level.

SOX

• Protect investor's money from bad corporation.
• a U.S. federal law
• SOX is based upon the COSO model, so for a corporation to be compliant with SOX, it has to follow the COSO model

Process Management Development:

• ITIL Processes to allow for IT service management developed by the United Kingdom’s Office of Government Commerce • Six Sigma Business management strategy that can be used to carry out process improvement • Capability Maturity Model Integration (CMMI) Organizational development for process improvement developed by Carnegie Mellon University

Enterprise Architecture Development

Intellectual property

Organisation for Economic Co-operation and Development (OECD) :

• Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

GDPR: The GDPR defines three relevant entities: • Data subject The individual to whom the data pertains • Data controller Any organization that collects data on EU residents • Data processor Any organization that processes data for a data controller Key provisions of the GDPR include • Consent • Right to be informed • Right to restrict processing • Right to be forgotten • Data breaches (report a data breach within 72 hours)

Types of Legal Systems

• Civil (Code) Law System: rule-based law not precedent-based

• Common Law System: Based on previous interpretations of laws.

• Criminal:Based on common law, statutory law, or a combination of both.

• Administrative (regulatory):

• Customary Law System

• Religious Law System

• Mixed Law System

• Trade Secret

• Copyright: the 70 years start counting after the death of the last surviving one.

• Patent: 20 years from the date of approval

Privacy: personally identifiable information (PII)

• Federal Privacy Act of 1974
• FISMA: NIST SP 800-53 is used to help ensure compliance with FISMA.
• HIPAA
• HITECH
• USA PATRIOT Act
• GLBA: financial. protect consumer from bank
• PCI DSS

  Data breaches

  Policies, Standards, Baselines, Guidelines, and Procedures

  Security policy: an overall general statement produced by senior management (or a selected policy board or committee). Types of Policies:

• Regulatory: specific industry regulations (HIPAA, GLBA, SOX, PCI DSS, etc.)
• Advisory: strongly advises employees as to which types of behaviors and activities should and should not take place within the organization.
• Informative: informs employees of certain topics

Standards: refer to mandatory activities, actions, or rules. Standards can give a policy its support and reinforcement in direction.

Baselines: A baseline results in a consistent reference point. also used to define the minimum level of protection required Guidelines: Guideline are recommended actions and operational guides to users, IT staff, operations staff, and others when a specific standard does not apply. Procedure: Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal. ## Risk management NIST SP 800-39 defines three tiers to risk management: - Organizational tier: Concerned with risk to the business as a whole. - Business process tier: Deals with the risk to the major functions of the organization (e.g. the information flows between the organization and its partners or customers.) - Information systems tier: Addresses risk from an information systems perspective. ### Risk Management Process - Frame risk - Assess risk - Respond to risk - Monitor risk ## Threat modeling Threat Modeling Methodologies: Attack Trees: - The terms “attack chain” and “kill chain” are commonly used. - Reduction analysis: 1.to reduce the number of attacks we have to consider. 2. to reduce the threat posed by the attacks. ### Risk analysis has four main goals: • Identify **assets** and their **value** to the organization. • Determine the **likelihood** that a threat exploits a vulnerability. • Determine the business **impact** of these potential threats. • Provide an economic **balance** between the impact of the threat and the cost of the countermeasure. Risk analysis provides a cost/benefit comparison. A risk assessment must be supported and directed by senior management. ### Risk Assessment Team ### Identifying Vulnerabilities and Threats ### Methodologies for Risk Assessment 1. NIST SP 800-30 (1). Prepare for the assessment. (2). Conduct the assessment: a. Identify threat sources and events. b. Identify vulnerabilities and predisposing conditions. c. Determine likelihood of occurrence. d. Determine magnitude of impact. e. Determine risk. (3). Communicate results. (4). Maintain assessment. 2. FRAP (Facilitated Risk Analysis Process) - The crux of this qualitative methodology is to focus only on the systems that really need assessing, to reduce costs and time obligations. - This methodology does not support the idea of calculating exploitation probability numbers or annual loss expectancy values. The criticalities of the risks are determined by the team members’ experience 3. OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) - a team-oriented risk management methodology that employs workshops and is commonly used in the commercial sector. 4. AS/NZS ISO 31000 - While NIST, FRAP, and OCTAVE methodologies focus on IT security threats and information security risks, AS/NZS ISO 31000 takes a much broader approach to risk management. - This risk methodology is more focused on the health of a company from a business point of view, not security. 5. ISO/IEC 27005 ISO/IEC 27005 is an international standard for how risk management should be carried out in the framework of an information security management system (ISMS). 6. Failure Modes and Effect Analysis (FMEA) - determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process. - commonly used in product development and operational environments. - use failure modes (how something can break or fail) and effects analysis (impact of that break or failure). - most useful as a survey method to identify major failure modes in a given system, the method is not as useful in discovering complex failure modes that may be involved in multiple systems or subsystems 7. fault tree analysis - proves to be a more useful approach to identifying failures that can take place within more complex environments and systems. - Fault trees are then labeled with actual numbers pertaining to failure probabilities. 8. CRAMM (Central Computing and Telecommunications Agency Risk Analysis and Management Method) - which was created by the United Kingdom, and its automated tools are sold by Siemens. - It works in three distinct stages: define objectives, assess risks, and identify countermeasures ### Risk Analysis Approaches ## Business continuity and disaster recovery ## Personnel security ## Security governance