August 2018

Article

A business impact assessment (BIA) identifies an organization’s most critical resources and the threats against those resources. The BIA is one of four phases of the business continuity planning (BCP) process. The assessment evaluates each threat in terms of the probability of an event occurring and the impact of the event should it occur. The outputs of the BIA provide quantitative measures that help to prioritize the allocation of business continuity resources.

Business impact assessments are an important component of an effective security program. If you are preparing for the CISSP, Security+, CySA+, or another security certification exam, you will need to understand the role of the business impact assessment in the business continuity planning process. You need to make sure you understand the quantitative formulas associated with the BIA process and the concepts of asset value, exposure factor, annualized rate of occurrence, single loss expectancy, and annualized loss expectancy.

Quantitative versus Qualitative Analysis

There are two types of analysis used in making business impact assessments. Quantitative decision-making is based on data that can be measured or counted and is driven by the use of numbers and calculations. The results of a quantitative analysis are often in the form of dollar values. Qualitative decision-making is based on data that is descriptive in nature, answering questions such as “What would be the potential impact of an employee theft of data?” It is frequently based at least in part on the opinions of members of the security team and other subject matter experts on topics like reputation, investor/customer confidence, or workforce stability. The results of a qualitative analysis are often in the form of categories of prioritization such as high, medium, and low.

Determining Asset Value and Exposure Factor

Determining the value of the organization’s assets is fundamental to establishing the business priorities of the BCP and is typically the first step in the quantitative portion of the business impact assessment. In determining value, the BCP team creates a list of the organization’s assets and then assigns an asset value (AV) to each one.

In addition to the asset value list, the BCP team also compiles a list of risks to the organization. This list should be as comprehensive as possible and include both natural and man-made events. A few examples include earthquakes, violent storms, fire, power failures, and theft.

The exposure factor (EF) is a measure of the potential damage that a specific risk poses to a specific asset. EF is expressed as a percentage of the asset’s value. For example, the theft of a laptop might have an EF of 100% because the laptop would be a complete loss, while a hurricane making a direct hit on the building might have an EF of 60% if the BCP team concludes that a hurricane would destroy only 60% of the building.

Computing the Single Loss Expectancy

The single loss expectancy (SLE) is the financial loss that is expected each time a risk is realized. The SLE is calculated using the following formula:

SLE = AV × EF

Continuing with the previous examples, if a laptop’s AV is $1,500 and its EF from theft is 100%, then:

SLE = $1,500 × 100% = $1,500

Likewise, if the facility’s AV is $1,000,000 and its EF from a hurricane is 60%, then:

SLE = $1,000,000 × 60% = $600,000

Computing the Annualized Loss Expectancy

A likelihood assessment evaluates the probability of risks being realized. Some events are more likely than others to occur. Earthquakes, for example, are rare in New England but rather common in Southern California. For each of the events that have been identified as potential risks to the organization, the BCP team makes a determination as to how likely it is that the risk will be realized.

The likelihood is generally stated in terms of an annualized rate of occurrence (ARO) reflecting how many times an organization expects to experience the event each year. Best practices for determining the ARO for an event include referencing historical data, the experience of the BCP team members and others in the organization, and advice from outside experts.

The annualized loss expectancy (ALE) is the financial loss that an organization expects to suffer as the result of realized risks harming assets over the course of one year. The ALE is calculated using the ARO, which tells us the likelihood of an event impacting an asset, and the SLE, which tells us what the loss will be if the event occurs. The ALE formula itself is simple:

ALE = SLE × ARO

As an example, consider that a magnitude 4 earthquake impacting a facility in New York has been given an SLE of $450,000 and an ARO of 2% (that is, 0.02 occurrences per year):

ALE = $450,000 × 2% = $9,000

Having made the ALE calculation, the BCP team now has a quantifiable dollar value to assign to the risk of an earthquake impacting the facility. The ALE can be used to understand risk and help set priorities for the protection of assets.

Understanding the business impact assessment is an important component of your preparation for a variety of security certification programs. If you’re interested in earning your next security certification, sign up for the free CertMike study groups for the CISSP, Security+, SSCP, or CySA+ exam.
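The SLE and ALE formulas above, carried through a small risk register and used to rank risks by expected annual loss, as an added example (not code from the original article). The register reuses the article’s laptop, hurricane and earthquake figures; the laptop and hurricane AROs, and the representation of the earthquake’s $450,000 SLE as AV = $450,000 with EF = 100%, are assumptions made here.

```python
from dataclasses import dataclass
from decimal import Decimal


def pct(text: str) -> Decimal:
    """Convert the article's percentage notation ('60%') to a fraction (0.60)."""
    return Decimal(text.strip().rstrip("%")) / Decimal(100)


@dataclass(frozen=True)
class Risk:
    """One asset/threat pairing from the BIA risk list."""
    asset: str
    threat: str
    av: Decimal   # asset value in dollars
    ef: Decimal   # exposure factor as a fraction of AV (1.00 = complete loss)
    aro: Decimal  # annualized rate of occurrence (expected events per year)


def sle(risk: Risk) -> Decimal:
    """Single loss expectancy: SLE = AV x EF (loss each time the risk is realized)."""
    return risk.av * risk.ef


def ale(risk: Risk) -> Decimal:
    """Annualized loss expectancy: ALE = SLE x ARO (expected loss per year)."""
    return sle(risk) * risk.aro


def prioritize(risks):
    """Rank risks by ALE, highest first: where BCP resources buy the most risk reduction."""
    return sorted(risks, key=ale, reverse=True)


# Constructed register. AV and EF follow the article; AROs for theft and hurricane
# are assumed, and the earthquake row reproduces the article's SLE of $450,000 via EF = 100%.
RISK_REGISTER = [
    Risk("laptop", "theft", Decimal("1500"), pct("100%"), Decimal("3")),
    Risk("headquarters building", "hurricane", Decimal("1000000"), pct("60%"), Decimal("0.05")),
    Risk("New York facility", "magnitude 4 earthquake", Decimal("450000"), pct("100%"), pct("2%")),
]

if __name__ == "__main__":
    print(f"{'asset':24} {'threat':24} {'SLE':>12} {'ALE':>10}")
    for r in prioritize(RISK_REGISTER):
        print(f"{r.asset:24} {r.threat:24} ${sle(r):>11,.2f} ${ale(r):>9,.2f}")
```

Note that ARO is a rate, not a probability: an event expected three times a year has ARO = 3, so the laptop row contributes three SLEs per year.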

The security policy framework is the unifying structure that ties together an organization’s security documentation. Ensuring security is a multi-layered process that extends throughout a business, agency or institution. Accordingly, an organization’s security policy framework encompasses the vision of its senior leadership, the laws and regulations that apply to its operations, and all of the specific guidance necessary to successfully achieve the security goals.

By giving structure to the variety of documents necessary for security, the framework helps to ensure that all of the important elements of a security process are in place, and that there is a vehicle for communicating these elements across the organization. There is a general hierarchy of documentation that organizations follow when establishing security policy frameworks. The different levels of the hierarchy address specific types of communication needs and focus on a category of information and issues.

[Figure: The security documentation hierarchy]

At the top of the hierarchy are security policies, followed by standards, guidelines and procedures. If you are preparing for the CISSP, Security+, CySA+, or another security certification exam, you will need to have an understanding of the security policy framework. You should be able to explain each level in the hierarchy, the types of information communicated at that level, and the importance of that type of communication to providing comprehensive security. One important distinction to be made is that compliance with policies, standards, and procedures is mandatory, while guidelines are optional.

Security Policies

Security policies are high-level documents that describe an organization’s security goals. They provide an overview of security needs, discussing the scope of the security that is needed and the resources required to provide that security.

There are three types of security policy: organizational security policies, issue-specific security policies, and system-specific security policies.

Every organization should have an organizational (or master) security policy. This policy is a strategic plan that presents the value of security to the organization and discusses the importance of security in all of the various activities within the organization. Features of an organizational security policy include defining roles, audit requirements, enforcement procedures, compliance requirements, and acceptable risk levels.

An issue-specific security policy focuses on a function or service within the organization that has distinct security requirements. Examples of issue-specific policies include an email policy, a media disposal policy, or a physical security policy.

A system-specific security policy is concerned with specific systems or types of system. It describes the hardware and software approved for that system and how that system is to be protected.

In addition to the three focused types of security policy, there are three broad categories of policy: regulatory, advisory, and informative. As its name implies, a regulatory policy discusses compliance issues for any regulatory frameworks that might apply to an organization, such as the Sarbanes-Oxley Act (SOX) of 2002 for finance firms, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 for healthcare organizations, or any number of state and federal regulations that guide the way an organization manages security. An advisory policy is used to communicate an organization’s internally driven standards for behaviors and activities. It presents the security ideals of the organization’s leadership and the consequences of security violations. An informative policy is designed to enlighten employees about a specific security topic. Informative policies frequently provide background information in support of other security policies without any prescriptive actions or requirements.

Adherence to policies is mandatory.

Security Standards

Standards occupy the layer below policies in the hierarchy. They add specificity to the guidance, defining the instructions or methods that are necessary to achieve the objectives articulated in the security policies. Where policies are considered strategic documents, standards are tactical documents which provide a course of action. Compliance with standards is mandatory.

Baselines are related to standards and are sometimes considered an additional layer in the hierarchy. Baselines specify minimum levels of security that all systems must meet. They are often system-specific and frequently refer to an industry or government standard. Common standards include the Trusted Computer System Evaluation Criteria (TCSEC), the Information Technology Security Evaluation Criteria (ITSEC), and the NIST (National Institute of Standards and Technology) standards.

Security Guidelines

Guidelines are recommendations and practical guidance to help staff implement standards and baselines. Guidelines target all levels of staff, including both security professionals and general users. They are intentionally flexible and are designed to be customized for new equipment and emerging situations. Guidelines are considered suggested actions, and compliance is therefore optional.

Security Procedures

Procedures make up the bottom layer of the documentation hierarchy. They are the most detailed and prescriptive of all the documentation. Procedures provide step-by-step instructions which guide staff in exactly how to correctly implement specific security controls. Procedures are very specific to the system or function they relate to and range from administrative duties to advanced hardware configuration. Examples of procedures include detailed instructions for configuring a router, installing antivirus software, or sending an encrypted email. Compliance with security procedures is mandatory.

Understanding the security policy framework is an important component of your preparation for a variety of security certification programs. If you’re interested in earning your next security certification, sign up for the free CertMike study groups for the CISSP, Security+, SSCP, or CySA+ exam.

Preparing for your next security certification exam? After trying your hand at this practice test question, join the FREE CertMike Study Group for the CISSP, Security+, CySA+, or SSCP certification to receive new questions each week. You'll also receive free access to my customized study strategies.

Randy wishes to segment his organization's network to enforce isolation between different classes of users. Users are scattered around the building and Randy must support each of these network segments anywhere within the facility. Which one of the following technologies will best meet Randy's needs?

A. VLANs
B. Physical segmentation
C. VPNs
D. WAFs

Correct Answer: A

Virtual LANs (VLANs) provide the segmentation Randy desires at the logical level, allowing them to appear anywhere in the building. Physical segmentation is likely too costly and inflexible for these requirements. Virtual private networks (VPNs) are unwieldy and unnecessary in a fixed office environment. Web application firewalls (WAFs) do not provide the required segmentation functionality.

Would you like to receive free practice test questions on a weekly basis? Sign up for the free CertMike study groups for the CISSP, Security+, SSCP, or CySA+ exam.