Information Security (Infosec)

The protection of data resources from unauthorized access, attack, theft or damage

Data may be vulnerable because of the way it’s stored, transferred or processed

• Therefore, the systems used to store, transmit and process data must demonstrate the properties of security, also known as the CIA Triad

CIA (AIC) Triad

Confidentiality

Having specific information that only certain people know

(Ensures that there’s no unauthorized disclosure of data)

Integrity

The data is stored and transferred as intended and any modification is authorized

(Ensures that there’s no unauthorized modification of data)

Availability

The information is accessible to those authorized to view or modify it

(Ensures that there’s no unauthorized withholding of data)

Security Properties

Non-Repudiation

A subject cannot deny doing something, such as creating, modifying, or sending a resource

Cybersecurity Framework (CSF)

A CSF (Cybersecurity Framework) is a list of activities and objectives undertaken to mitigate risks

• CSFs allows an organization to

  • make an objective statement of its current cybersecurity capabilities, identify a target level of capability, and prioritize investments to achieve that target

  • create a structure for internal risk management procedures

  • provide an externally verifiable statement of regulatory compliance

  • save itself from building its security system on a foundation that fails to account for important security concepts and frameworks that correspond to its surroundings

There exist many different frameworks, each of which categorizes cybersecurity activities and controls in slightly different ways

• These frameworks are non-regulatory in the sense that they don’t attempt to address the specific regulations of a specific industry but represent “best practice in IT security governance generally

• Most frameworks are developed for an international audience, while some are focused on a domestic national audience

• Most frameworks are associated with certification programs to show that staff and consultants can apply the methodologies successfully

NIST’s Cybersecurity Framework

NIST’s Five Cybersecurity Framework's Functions

Cybersecurity tasks, as well as information security tasks, can be classified as five functions following the framework developed by the NIST (National Institute of Standard and Technology) (Source: NIST)

Identify

This function aims to develop an organizational understanding of managing cybersecurity risk to systems, people, assets, data and capabilities, as well as understanding the business context, the resources that support critical functions, and the related cybersecurity risks

• This enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs

In short:

• Develop security policies and capabilities

• Evaluate risks, threats, and vulnerabilities

• Recomment security controls to mitigate them

Protect

This function specifies appropriate safeguards to ensure the delivery of critical infrastructure services

• This function supports the ability to limit or contain the impact of a potential cybersecurity event

In short:

• Procure/develop, install, operate, and decommission IT hardware and software assets with security as an embedded requirement of every stage of this operations life cycle

Detect

This function defines the appropriate activities to identify the occurrence of a cybersecurity event

• This function enables timely discovery of cybersecurity events

In short:

• Perform outgoing and proactive monitoring to ensure that controls are effective and capable of protecting against new types of threats

Respond

This function includes appropriate activities to take action regarding a detected cybersecurity incident

• This function supports the ability to contain the impact of a potential cybersecurity incident

In short:

• Identify, analyze, contain and eradicate threats to systems and data security

Recover

This function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident

• This function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident

In short:

• Implement cybersecurity resilience to restore systems and data if other controls are unable to prevent attacks

Common Information Security Competencies

• Participate in risk assessments and testing of security systems and make recommendations

• Specify, source, install, and configure secure devices and software

• Set up and maintain document access control and user privilege profiles

• Monitor audit logs, review user privileges, and document access controls

• Manage security-related incident response and reporting

• Create and test business continuity and disaster recovery plans and procedures

• Participate in security training and education programs

Security Policy

A formalized statement that defines how security will be implemented within an organization

• It describes the means the organization will take to protect the confidentiality, availability, and integrity of sensitive data and resources

Information Security Roles and Responsibilities

Security Roles and Responsibilities

• Internal responsibility for security might be allocated to a dedicated department run by a Director of Security, CSO (Chief Security Officer) or CISO (Chief Information Security Officer)

• Managers may have responsibility for a domain, such as building control, ICT (Information and Communications Technology), or accounting

• Technical specialist staff have the responsibility for implementing, maintaining and monitoring the policy

  • Security might be made a core competency of systems and network administrators, which would go under the job title of an ISSO (Information Systems Security Officer)

• Non-technical staff have the responsibility of complying with policy and with any relevant legislation

• External responsibility for security lies mainly with directors or owners

NIST's National Initiative for Cybersecurity Education (NICE) categorizes job tasks and job roles within the cybersecurity industry (nist.gov/itl/applied-cybersecurity/nice/nice-framework-resource-center)

Information Security Bu

Business Units

Security Operations Center (SOC)

A SOC is a location where security professionals monitor and protect critical information assets across other business functions, such as finance, operations, sales/marketing, etc.

• SOCs can be difficult to establish, maintain, and finance, which is why they’re usually employed by larger corporations, such as a government agency or a healthcare company

DevSecOps (Development, Security and Operations)

DevSecOps extends the boundary to security specialists and personnel, reflecting the principle that security is a primary consideration at every stage of software development and deployment, meaning that security considerations need to be made during requirements and planning phases, and not grafted at the end

• Automates the integration of security at every phase of a software’s development lifecycle, from initial design through integration, testing, deployment, and software delivery (Source: IBM)

Cyber Incident Response Team (CIRT) / Computer Security Incident Response Team (CSIRT) / Computer Emergency Response Team (CERT)

A CIRT, CSIRT or CERT is seen as a single point of contact for the notification of security incidents

• This function might be handled by the SOC or it might be established as an independent business unit

Security Control

Information security and cybersecurity assurance are met by implementing different security controls and cybersecurity frameworks that best suit the situation

Security control is something designed to give a system or data asset the properties of the CIA Triad

• Security controls can also refer to a company’s cybersecurity frameworks, procedures, activities and technologies that are in place

Security Control Categories

Security controls can be divided into three broad categories that illustrates different ways of implementing security control

Technical/Logical Security Control

The security control is implemented either as a hardware, software or firmware system

Operational Security Control

The security control is implemented primarily by people rather than systems

Managerial Security Control

The security control gives oversight of the information system

Security Control Functional Types

Security controls can also be classified in types according to their goal or function

Preventive

The security control’s goal is to eliminate or reduce the likelihood that an attack can succeed

• This security control operates before an attack can take place

  • Examples: ACLs, Firewalls, Filesystem objects, Anti-malware software, SOPs (Standard Operating Procedures), etc.

Detective

The security control’s function is to identify and record any attempted or successful intrusion

• This security control operates during the progress of an attack

  • Example: Activity logs

Corrective

The security control’s function is to reduce the impact of an intrusion even

• This security control is used after an attack

  • Examples: A backup system, a patch management system, etc.

Physical

This security control’s function is to deter and detect access to premises and hardware

• Examples: Security cameras, locks, security guards, etc.

Deterrent

This security control’s goal is to psychologically discourage an attacker from attempting an intrusion

• Example: Warning signs

Compensating

This security control’s function is to serve as a substitute for a principal control while offering the same or better level of protection through a different methodology or technology