# Compare and Contrast Information Security Roles
[[Principles of Security]]
## Information Security
- CIA Triad
  - Confidentiality
    - Information should only be known to certain people
    - If broken, leads to data disclosure
  - Integrity
    - Data is stored and transferred as intended, and any modification is authorized
    - Hashing
    - If broken, leads to alteration
  - Availability
    - Information is accessible to those authorized to view or modify it
    - If broken, leads to data destruction
- Non-repudiation
  - Subjects cannot deny creating or modifying data
![[CIA Triad.png]]
## Cybersecurity framework
NIST has made one for us; other organizations publish frameworks too.
## Information Security Competencies
- Risk assessments and testing
- Specifying, sourcing, installing, and configuring secure devices and software
- Access control and user privileges
- Auditing logs and events
- Incident reporting and response
- Business continuity and disaster recovery
- Security training and education programs
![[Pasted image 20230626075159.png]]
#review
## Information Security Business Units
- Security Operations Center **(SOC)**
- DevSecOps
  - Development, security, and operations
- Incident response
  - Cyber incident response team **(CIRT)**
  - Computer security incident response team **(CSIRT)**
  - Computer emergency response team **(CERT)**
# Compare and Contrast Security Control and Framework Types
## Security Control Categories
Designed to give a system or data asset the properties of the CIA triangle. Controls can be divided into 3 categories:
- **Technical** -> implemented as a system (hardware, software, or firmware). Could be firewalls, anti-virus, OS access controls.
- **Operational** -> implemented primarily by people. Security guards and training programs
- **Managerial** -> oversight of the information system. For example: risk identification or a tool allowing the evaluation and selection of other security controls
## Security Control Function Types (1)
- Physical
  - Controls such as alarms, gateways, and locks that deter access to premises and hardware
- Deterrent
  - May not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion
- Compensating
  - Substitutes for a principal control
- Preventive
  - Physically or logically restricts unauthorized access
  - Permissions policy, encryption, firewall, barriers, locks
  - Operates before an attack
- Detective
  - May not prevent or deter access, but it will identify and record any attempted or successful intrusion
  - Alarms, monitoring, file verification
  - Operates during an attack
- Corrective
  - Responds to and fixes an incident and may also prevent its reoccurrence
  - Incident response, policies, data backup, patch management
  - Operates after an attack
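Added example (not from these notes): a minimal file-verification check, the detective control listed above, which uses hashing (the integrity mechanism from the CIA section) to identify and record changes against a trusted baseline. Files are modelled as an in-memory `{path: bytes}` mapping with constructed contents so it runs offline; path names are placeholders.

```python
import hashlib


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest; any change to the bytes produces a different digest."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Record the trusted 'as intended' state as path -> digest."""
    return {path: fingerprint(data) for path, data in files.items()}


def verify(baseline: dict, files: dict) -> dict:
    """Detective check: report what changed since the baseline.

    It does not prevent or undo changes; it identifies and records them
    so that a corrective control (restore from backup, investigate) can follow.
    """
    current = build_baseline(files)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


# Constructed sample data (placeholder paths and contents)
TRUSTED = {
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/etc/motd": b"Authorized use only\n",
    "/opt/app/app.cfg": b"log_level = info\n",
}
BASELINE = build_baseline(TRUSTED)


def demo() -> dict:
    """Simulate one edit, one new file and one deletion, then run the check."""
    later = dict(TRUSTED)
    later["/etc/hosts"] += b"10.0.0.5 intranet\n"       # unauthorized modification
    later["/opt/app/extra.cfg"] = b"debug = true\n"     # unexpected new file
    del later["/etc/motd"]                              # file removed
    return verify(BASELINE, later)


if __name__ == "__main__":
    print(demo())
```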
## NIST Cybersecurity Framework
- Free resources
- Importance of frameworks
  - Objective statement of current capabilities
  - Measure progress towards a target capability
  - Verifiable statement for regulatory compliance reporting
- National Institute of Standards and Technology **(NIST)**
  - Cybersecurity Framework **(CSF)**
  - Risk Management Framework **(RMF)**
  - Federal Information Processing Standards **(FIPS)**
  - Special Publications **(SP 800 series)**
## ISO and Cloud Frameworks
- International Organization for Standardization **(ISO)**
  - 21K information security standards
  - 31K enterprise risk management (ERM)
- Cloud Security Alliance
  - Security guidance for cloud service providers (CSPs)
  - Enterprise reference architecture
  - Cloud controls matrix
- Statements on Standards for Attestation Engagements **(SSAE)** Service Organization Control **(SOC)**
  - SOC2 evaluates the service provider
    - Type I report assesses system design
    - Type II report assesses ongoing effectiveness
  - SOC3 public compliance report
## Benchmarks and Secure Configuration Guides
- Center for Internet Security (CIS)
  - The 20 CIS Controls
  - CIS-RAM (Risk Assessment Method)
- OS/network platform/vendor-specific guides and benchmarks
  - Vendor guides and templates
  - CIS benchmarks
  - Department of Defense Cyber Exchange
  - NIST National Checklist Program (NCP)
- Application servers and web server applications
  - Client/server
  - Multi-tier—front-end, middleware (business logic), and back-end (data)
- Open Web Application Security Project **(OWASP)**
  - owasp.org
## Regulations, Standards, and Legislation
#review
![[Pasted image 20230626081453.png]]
SOX -> prevents insider trading at publicly traded companies
FISMA is a beefed-up CSA.
- FISMA governs the security of data processed by federal government agencies
GDPR -> specific to Europe. Regulates how companies collect and track data on users
CCPA -> USA version of GDPR