Where can a security administrator go to find information on established security frameworks?

Wiki User

∙ 10y ago


Best Answer

Governance framework: in order to effectively implement security governance, the Corporate Governance Task Force (CGTF) recommends that organizations follow an established framework, such as the IDEAL framework, which is described in the document "Information Security Governance: Call to Action" and defines the responsibilities.


1. How can a security framework assist in the design and implementation of a security infrastructure?

Designing a working plan for securing the organization's information assets begins by creating or validating an existing security blueprint for the implementation of needed security controls to protect the information assets. A framework is the outline from which a more detailed blueprint evolves. The blueprint is the basis for the design, selection, and implementation of all subsequent security policies, education and training programs, and technologies. The blueprint provides scalable, upgradeable, and comprehensive security for the coming years. The blueprint is used to plan the tasks to be accomplished and the order in which


Who in the organization should plan for it?

In order to effectively implement security governance, the Corporate Governance Task Force (CGTF) recommends that organizations follow an established framework, such as the IDEAL framework from the Carnegie Mellon University Software Engineering Institute. This framework, which is described in the document “Information Security Governance: Call to Action,” defines the responsibilities of (1) the board of directors or trustees, (2) the senior organizational executive (i.e., CEO), (3) executive team members, (4) senior managers, and (5) all employees and users. This important document can be found at the Information Systems Audit and Control Association (ISACA) Web site at www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=34997.

2. Where can a security administrator find information on established security frameworks?

A security administrator can look to ISO 17799/BS 7799 (Information Technology: Code of Practice for Information Security Management), the NIST security models (SP 800-12, 800-14, 800-18, 800-26, and 800-30), and the VISA International Security Model; these are just a few of the established security frameworks available.

3. What is the ISO 27000 series of standards? Which individual standards make up the series?

AWS Well-Architected Framework: Security Pillar

The security pillar encompasses the ability to protect data, systems, and assets to take advantage of cloud technologies to improve your security.

Table of Contents

  • Best Practices
  • Identity and Access Management
  • Infrastructure Protection
  • Data Protection
  • Incident Response
  • What is a framework in security?
  • What benefit can a private, for-profit agency derive from best practices designed for federal agencies?
  • What is the ISO 27000 series of standards? Which individual standards make up the series?
  • Who is ultimately responsible for managing a technology, and who is responsible for enforcing policy that affects the use of a technology?

The security pillar provides an overview of design principles, best practices, and questions. You can find prescriptive guidance on implementation in the Security Pillar whitepaper.

  • Implement a strong identity foundation: Implement the principle of least privilege and enforce separation of duties with appropriate authorization for each interaction with your AWS resources. Centralize identity management, and aim to eliminate reliance on long-term static credentials.

  • Enable traceability: Monitor, alert, and audit actions and changes to your environment in real time. Integrate log and metric collection with systems to automatically investigate and take action.

  • Apply security at all layers: Apply a defense in depth approach with multiple security controls. Apply to all layers (for example, edge of network, VPC, load balancing, every instance and compute service, operating system, application, and code).

  • Automate security best practices: Automated software-based security mechanisms improve your ability to securely scale more rapidly and cost-effectively. Create secure architectures, including the implementation of controls that are defined and managed as code in version-controlled templates.

  • Protect data in transit and at rest: Classify your data into sensitivity levels and use mechanisms, such as encryption, tokenization, and access control where appropriate.

  • Keep people away from data: Use mechanisms and tools to reduce or eliminate the need for direct access or manual processing of data. This reduces the risk of mishandling or modification and human error when handling sensitive data.

  • Prepare for security events: Prepare for an incident by having incident management and investigation policy and processes that align to your organizational requirements. Run incident response simulations and use tools with automation to increase your speed for detection, investigation, and recovery.

  Definition

    There are six best practice areas for security in the cloud:

    • Security
    • Identity and Access Management
    • Detection
    • Infrastructure Protection
    • Data Protection
    • Incident Response

    Before you architect any workload, you need to put in place practices that influence security. You will want to control who can do what. In addition, you want to be able to identify security incidents, protect your systems and services, and maintain the confidentiality and integrity of data through data protection. You should have a well-defined and practiced process for responding to security incidents. These tools and techniques are important because they support objectives such as preventing financial loss or complying with regulatory obligations.

    The AWS Shared Responsibility Model enables organizations that adopt the cloud to achieve their security and compliance goals. Because AWS physically secures the infrastructure that supports our cloud services, as an AWS customer you can focus on using services to accomplish your goals. The AWS Cloud also provides greater access to security data and an automated approach to responding to security events.

    Best Practices

    Security

    To operate your workload securely, you must apply overarching best practices to every area of security. Take requirements and processes that you have defined in operational excellence at an organizational and workload level, and apply them to all areas.

    Staying up to date with AWS and industry recommendations and threat intelligence helps you evolve your threat model and control objectives. Automating security processes, testing, and validation allow you to scale your security operations.

    In AWS, segregating different workloads by account, based on their function and compliance or data sensitivity requirements, is a recommended approach.

    Identity and Access Management

    Identity and access management are key parts of an information security program, ensuring that only authorized and authenticated users and components are able to access your resources, and only in a manner that you intend. For example, you should define principals (that is, accounts, users, roles, and services that can perform actions in your account), build out policies aligned with these principals, and implement strong credential management. These privilege-management elements form the core of authentication and authorization.

    In AWS, privilege management is primarily supported by the AWS Identity and Access Management (IAM) service, which allows you to control user and programmatic access to AWS services and resources. You should apply granular policies, which assign permissions to a user, group, role, or resource. You also have the ability to require strong password practices, such as complexity level, avoiding re-use, and enforcing multi-factor authentication (MFA). You can use federation with your existing directory service. For workloads that require systems to have access to AWS, IAM enables secure access through roles, instance profiles, identity federation, and temporary credentials.

    Credentials must not be shared between any user or system. User access should be granted using a least-privilege approach with best practices including password requirements and MFA enforced. Programmatic access including API calls to AWS services should be performed using temporary and limited-privilege credentials such as those issued by the AWS Security Token Service.

    AWS provides resources that can help you with Identity and access management. To help learn best practices, explore our hands-on labs on managing credentials & authentication, controlling human access, and controlling programmatic access.
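    The least-privilege rule above is easy to state and easy to violate in a policy document. The following is an added example (not AWS code) of the check a security administrator would run over identity policies before attaching them: a small linter that flags wildcard actions, an unconditioned `Resource: "*"`, full-administrator statements, and privilege-escalating IAM/STS actions. The sample policy is constructed for the example, and the severity labels and the escalation action list are this example's own conventions rather than an AWS taxonomy.

```python
"""Least-privilege linter for IAM identity policies.

Added example, not AWS code: the sample policy is constructed, and the severity
labels and the escalation action list are this example's own conventions.
"""
import json
from typing import Any

# Actions that let a principal grant itself more access. Compared
# case-insensitively because IAM action names are case-insensitive.
PRIVILEGE_ESCALATION_ACTIONS = {a.lower() for a in (
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:AttachGroupPolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy", "iam:PutGroupPolicy",
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:UpdateAssumeRolePolicy", "iam:AddUserToGroup", "sts:AssumeRole",
)}
SEVERITY_ORDER = ["NONE", "MEDIUM", "HIGH", "CRITICAL"]


def _as_list(value: Any) -> list:
    """IAM accepts a string or a list for Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_action(action: str) -> bool:
    # "*" is every action; "s3:*" is every action in a service.
    return action == "*" or action.endswith(":*")


def lint_policy(policy: dict) -> list:
    """Return one finding per problem as {"sid", "severity", "issue"}."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        conditioned = bool(stmt.get("Condition"))

        def flag(severity: str, issue: str, sid: str = sid) -> None:
            findings.append({"sid": sid, "severity": severity, "issue": issue})

        # NotAction / NotResource grant everything *except* what is listed.
        if "NotAction" in stmt or "NotResource" in stmt:
            flag("HIGH", "NotAction/NotResource allows everything not listed")

        wild_actions = [a for a in actions if _is_wildcard_action(a)]
        if "*" in actions and "*" in resources:
            flag("CRITICAL", "Action '*' on Resource '*' is full administrator access")
        elif wild_actions:
            flag("HIGH", f"wildcard actions {wild_actions}")
        elif "*" in resources and not conditioned:
            flag("MEDIUM", "Resource '*' with no Condition to scope it")

        escalators = [a for a in actions if a.lower() in PRIVILEGE_ESCALATION_ACTIONS]
        if escalators and not conditioned:
            flag("HIGH", f"unconditioned privilege-escalation actions {escalators}")
    return findings


def worst_severity(findings: list) -> str:
    """Highest severity present, or 'NONE' for a clean policy."""
    return max((f["severity"] for f in findings), key=SEVERITY_ORDER.index, default="NONE")


# Constructed sample policy for the example (not from any real account).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOwnBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-app-data",
                      "arn:aws:s3:::example-app-data/*"]},
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "PassAnyRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "*"},
        {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    results = lint_policy(SAMPLE_POLICY)
    print(json.dumps(results, indent=2))
    print("worst:", worst_severity(results))
```

    Run it in CI over every policy in the repository and fail the pipeline on HIGH or CRITICAL; it complements rather than replaces IAM Access Analyzer policy validation, which checks considerably more than this. The `ReadOwnBucket` statement produces no findings because it names both the actions and the resources it needs, which is the shape every statement should have.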

    Detection

    You can use detective controls to identify a potential security threat or incident. They are an essential part of governance frameworks and can be used to support a quality process, a legal or compliance obligation, and for threat identification and response efforts. There are different types of detective controls. For example, conducting an inventory of assets and their detailed attributes promotes more effective decision making (and lifecycle controls) to help establish operational baselines. You can also use internal auditing, an examination of controls related to information systems, to ensure that practices meet policies and requirements and that you have set the correct automated alerting notifications based on defined conditions. These controls are important reactive factors that can help your organization identify and understand the scope of anomalous activity.

    In AWS, you can implement detective controls by processing logs, events, and monitoring that allows for auditing, automated analysis, and alarming. AWS CloudTrail records AWS API calls, Amazon CloudWatch provides monitoring of metrics with alarming, and AWS Config provides configuration history. Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads. Service-level logs are also available; for example, Amazon Simple Storage Service (Amazon S3) can log access requests to a bucket.

    Log management is important to a Well-Architected workload for reasons ranging from security or forensics to regulatory or legal requirements. It is critical that you analyze logs and respond to them so that you can identify potential security incidents. AWS provides functionality that makes log management easier to implement by giving you the ability to define a data-retention lifecycle or define where data will be preserved, archived, or eventually deleted. This makes predictable and reliable data handling simpler and more cost effective.
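    Analysing CloudTrail logs in practice means running a small number of high-signal rules over every delivered file. The following is an added example, not AWS code: the records are constructed (the shape follows CloudTrail's delivered JSON, with real field names such as `userIdentity`, `eventSource` and `additionalEventData.MFAUsed`), and the rule set is this example's own, modelled on events that are commonly alerted on (root account use, console logins without MFA, IAM policy changes, trail tampering, and security groups opened to 0.0.0.0/0). Account number, principals and IP addresses are made up.

```python
"""Detective controls over CloudTrail: a few high-signal rules run across a
delivered log file. Added example, not AWS code: the records are constructed
and the rule set is this example's own, modelled on commonly monitored events
(root use, console login without MFA, IAM policy changes, trail tampering and
security groups opened to the world)."""
import json

IAM_POLICY_CHANGE_EVENTS = {
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy", "PutUserPolicy",
    "PutRolePolicy", "PutGroupPolicy", "CreatePolicy", "CreatePolicyVersion",
    "SetDefaultPolicyVersion", "DeletePolicy", "DeletePolicyVersion",
}
TRAIL_TAMPERING_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def parse_cloudtrail(text: str) -> list:
    """CloudTrail delivers a JSON object whose 'Records' array holds the events."""
    return json.loads(text).get("Records", [])


def _opens_to_world(record: dict) -> bool:
    """True when an ingress rule in the request allows 0.0.0.0/0 or ::/0."""
    perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        for key, field in (("ipRanges", "cidrIp"), ("ipv6Ranges", "cidrIpv6")):
            if any(r.get(field) in ANYWHERE for r in perm.get(key, {}).get("items", [])):
                return True
    return False


def evaluate(record: dict) -> list:
    """Return the names of every rule the record triggers."""
    rules = []
    identity = record.get("userIdentity", {})
    name, source = record.get("eventName"), record.get("eventSource")
    # Root should never do day-to-day work. Service-invoked root activity and
    # AwsServiceEvents are excluded to keep the rule quiet when nobody is at fault.
    if (identity.get("type") == "Root" and "invokedBy" not in identity
            and record.get("eventType") != "AwsServiceEvent"):
        rules.append("root_account_usage")
    if (name == "ConsoleLogin"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and record.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        rules.append("console_login_without_mfa")
    if source == "iam.amazonaws.com" and name in IAM_POLICY_CHANGE_EVENTS:
        rules.append("iam_policy_change")
    if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING_EVENTS:
        rules.append("cloudtrail_tampering")
    if name == "AuthorizeSecurityGroupIngress" and _opens_to_world(record):
        rules.append("security_group_open_to_world")
    return rules


def detect(records: list) -> list:
    """One alert per (record, rule), carrying the fields an analyst needs first."""
    return [{"rule": rule, "time": rec.get("eventTime"), "eventName": rec.get("eventName"),
             "principal": rec.get("userIdentity", {}).get("arn"),
             "sourceIp": rec.get("sourceIPAddress")}
            for rec in records for rule in evaluate(rec)]


# Constructed sample log; the shape follows CloudTrail's delivered files.
ACCT = "111122223333"
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-05-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCT}:root"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T08:10:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/bob"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-01T08:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/bob"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-05-01T08:20:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/bob"},
     "requestParameters": {"name": "management-events"}},
    {"eventTime": "2024-05-01T08:25:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCT}:assumed-role/app/i-0abc"}},
]})

if __name__ == "__main__":
    for alert in detect(parse_cloudtrail(SAMPLE_LOG)):
        print(json.dumps(alert))
```

    In production the same conditions would normally live as CloudWatch Logs metric filters with alarms, or be covered by GuardDuty findings; keeping a plain-Python copy of the rules is still worthwhile because it lets you replay historical trail files pulled from S3 during an investigation and unit-test every rule against known-good and known-bad records. Note that the single root console login fires two rules, which is intended: root use and a login without MFA are separate findings with separate owners.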

    Infrastructure Protection

    Infrastructure protection encompasses control methodologies, such as defense in depth, necessary to meet best practices and organizational or regulatory obligations. Use of these methodologies is critical for successful, ongoing operations in either the cloud or on-premises.

    In AWS, you can implement stateful and stateless packet inspection, either by using AWS-native technologies or by using partner products and services available through the AWS Marketplace. You should use Amazon Virtual Private Cloud (Amazon VPC) to create a private, secured, and scalable environment in which you can define your topology—including gateways, routing tables, and public and private subnets.

    Multiple layers of defense are advisable in any type of environment. In the case of infrastructure protection, many of the concepts and methods are valid across cloud and on-premises models. Enforcing boundary protection, monitoring points of ingress and egress, and comprehensive logging, monitoring, and alerting are all essential to an effective information security plan.

    AWS customers are able to tailor, or harden, the configuration of an Amazon Elastic Compute Cloud (Amazon EC2), Amazon EC2 Container Service (Amazon ECS) container, or AWS Elastic Beanstalk instance, and persist this configuration to an immutable Amazon Machine Image (AMI). Then, whether triggered by Auto Scaling or launched manually, all new virtual servers (instances) launched with this AMI receive the hardened configuration.

    Data Protection

    Before architecting any system, foundational practices that influence security should be in place. For example, data classification provides a way to categorize organizational data based on levels of sensitivity, and encryption protects data by way of rendering it unintelligible to unauthorized access. These tools and techniques are important because they support objectives such as preventing financial loss or complying with regulatory obligations.

    In AWS, the following practices facilitate protection of data:

    • As an AWS customer you maintain full control over your data.

    • AWS makes it easier for you to encrypt your data and manage keys, including regular key rotation, which can be easily automated by AWS or maintained by you.

    • Detailed logging that contains important content, such as file access and changes, is available.

    • AWS has designed storage systems for exceptional resiliency. For example, Amazon S3 Standard, S3 Standard–IA, S3 One Zone-IA, and Amazon Glacier are all designed to provide 99.999999999% durability of objects over a given year. This durability level corresponds to an average annual expected loss of 0.000000001% of objects.

    • Versioning, which can be part of a larger data lifecycle management process, can protect against accidental overwrites, deletes, and similar harm.

    • AWS never initiates the movement of data between Regions. Content placed in a Region will remain in that Region unless you explicitly enable a feature or leverage a service that provides that functionality.

    AWS provides multiple means for encrypting data at rest and in transit. We build features into our services that make it easier to encrypt your data. For example, we have implemented server-side encryption (SSE) for Amazon S3 to make it easier for you to store your data in an encrypted form. You can also arrange for the entire HTTPS encryption and decryption process (generally known as SSL termination) to be handled by Elastic Load Balancing (ELB).
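    Encryption in transit and at rest is only a control when something refuses requests that skip it. The following is an added example, not AWS code: a bucket policy in the common "deny if not TLS, deny if not SSE-KMS" pattern, together with a small evaluator that shows which constructed requests it stops. The bucket name is made up, and the evaluator is a deliberately simplified model of IAM policy evaluation (Deny statements only; the Bool, StringNotEquals and Null operators; glob wildcards in Action and Resource), so it illustrates the policy rather than reproducing the service.

```python
"""Guardrail bucket policy for data in transit and at rest, with a small
evaluator that shows which requests it stops.

Added example, not AWS code: the bucket name is made up, the policy is the
common "deny if not TLS / deny if not SSE-KMS" pattern, and the evaluator is a
simplified model of IAM evaluation (Deny statements only; the Bool,
StringNotEquals and Null operators; glob wildcards in Action and Resource)."""
from fnmatch import fnmatchcase
from typing import Optional

BUCKET = "example-app-data"  # assumed bucket name
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"

GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Any S3 call over plain HTTP is refused, for the bucket and its objects.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        # Uploads that ask for any encryption other than SSE-KMS are refused.
        {"Sid": "DenyWrongEncryption", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{BUCKET_ARN}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        # Uploads that send no encryption header at all are refused too.
        {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{BUCKET_ARN}/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_matches(condition: dict, context: dict) -> bool:
    """All operators and all keys must match; values within one key are OR-ed."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            expected = [str(e).lower() for e in _as_list(expected)]
            present = key in context
            actual = str(context.get(key)).lower() if present else None
            if operator == "Bool":
                ok = present and actual in expected
            elif operator == "StringNotEquals":
                # Modelled conservatively: a missing key does not match, which
                # is why the policy carries the separate Null statement.
                ok = present and actual not in expected
            elif operator == "Null":
                ok = (not present) if expected == ["true"] else present
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True


def is_denied(policy: dict, action: str, resource: str, context: dict) -> Optional[str]:
    """Return the Sid of the first Deny statement that matches, else None."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return stmt.get("Sid")
    return None


OBJECT = f"{BUCKET_ARN}/reports/q1.csv"
# Constructed requests: (label, action, resource, request context keys).
SAMPLE_REQUESTS = [
    ("plain-http read", "s3:GetObject", OBJECT, {"aws:SecureTransport": "false"}),
    ("tls read", "s3:GetObject", OBJECT, {"aws:SecureTransport": "true"}),
    ("tls put, sse-s3", "s3:PutObject", OBJECT,
     {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "AES256"}),
    ("tls put, no sse header", "s3:PutObject", OBJECT, {"aws:SecureTransport": "true"}),
    ("tls put, sse-kms", "s3:PutObject", OBJECT,
     {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "aws:kms"}),
    ("plain-http list", "s3:ListBucket", BUCKET_ARN, {"aws:SecureTransport": "false"}),
]


def evaluate_all(policy: dict = GUARDRAIL_POLICY) -> dict:
    """Map each sample request label to the Sid that denies it (None if allowed through)."""
    return {label: is_denied(policy, action, res, ctx)
            for label, action, res, ctx in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, sid in evaluate_all().items():
        print(f"{label:24s} -> {'DENIED by ' + sid if sid else 'not denied'}")
```

    An explicit Deny wins over any Allow in IAM evaluation, so these statements hold even for an identity whose own policy grants broad `s3:*` access. Since January 2023 S3 encrypts new objects with SSE-S3 by default, so the header checks matter mainly when the requirement is a KMS key you control and can audit; the TLS deny matters regardless. Before relying on a policy like this, exercise it against the real evaluation rules (the IAM policy simulator or a throwaway bucket), because the evaluator here models only the operators the policy uses.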

    Incident Response

    Even with extremely mature preventive and detective controls, your organization should still put processes in place to respond to and mitigate the potential impact of security incidents. The architecture of your workload strongly affects the ability of your teams to operate effectively during an incident, to isolate or contain systems, and to restore operations to a known good state. Putting in place the tools and access ahead of a security incident, then routinely practicing incident response through game days, will help you ensure that your architecture can accommodate timely investigation and recovery.

    In AWS, the following practices facilitate effective incident response:

    • Detailed logging is available that contains important content, such as file access and changes.

    • Events can be automatically processed and trigger tools that automate responses through the use of AWS APIs.

    • You can pre-provision tooling and a “clean room” using AWS CloudFormation. This allows you to carry out forensics in a safe, isolated environment.

    Ensure that you have a way to quickly grant access for your security team, and automate the isolation of instances as well as the capturing of data and state for forensics.
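    The isolation and capture steps above are worth scripting before an incident rather than during one. The following is an added example, not AWS code: a containment routine that records an instance's state, snapshots its volumes for forensics, swaps its security groups for a pre-provisioned quarantine group with no rules, blocks API termination and tags it for the case. It calls real boto3 EC2 client methods (`describe_instances`, `create_snapshot`, `modify_instance_attribute`, `create_tags`), but the client is injected so the same function runs against `boto3.client("ec2")` in production and against the in-memory fake below for an offline dry run. Instance, volume, security group and case identifiers are made up.

```python
"""Automated first response for a compromised EC2 instance: record its state,
snapshot its volumes for forensics, swap its security groups for a
pre-provisioned quarantine group, block API termination and tag it.

Added example, not AWS code. The boto3 calls are real, the client is injected
so the routine can be dry-run against the in-memory FakeEC2 below, and every
identifier is made up."""
from datetime import datetime, timezone
from typing import Any


def isolate_instance(ec2: Any, instance_id: str, quarantine_sg: str, case_id: str) -> dict:
    """Contain one instance and return the evidence record for the case file.

    Assumes quarantine_sg already exists with no inbound or outbound rules.
    Order matters: capture state first, then contain, so that a failure in a
    later step never costs evidence.
    """
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    instance = resp["Reservations"][0]["Instances"][0]
    original_sgs = [sg["GroupId"] for sg in instance.get("SecurityGroups", [])]
    volumes = [m["Ebs"]["VolumeId"] for m in instance.get("BlockDeviceMappings", [])
               if "Ebs" in m]
    record = {"case": case_id, "instance": instance_id,
              "started": datetime.now(timezone.utc).isoformat(),
              "original_security_groups": original_sgs, "snapshots": {}}

    # 1. Evidence before containment: snapshot every attached EBS volume.
    for vol in volumes:
        snap = ec2.create_snapshot(
            VolumeId=vol, Description=f"{case_id} forensic copy of {vol}",
            TagSpecifications=[{"ResourceType": "snapshot",
                                "Tags": [{"Key": "Case", "Value": case_id}]}])
        record["snapshots"][vol] = snap["SnapshotId"]

    # 2. Containment: the Groups list *replaces* the instance's security groups.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    # 3. Preserve the host: nobody terminates it while the case is open.
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  DisableApiTermination={"Value": True})
    # 4. Make the state visible to operators and to detective controls.
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "Quarantine", "Value": case_id},
        {"Key": "OriginalSecurityGroups", "Value": ",".join(original_sgs)}])
    record["finished"] = datetime.now(timezone.utc).isoformat()
    return record


class FakeEC2:
    """In-memory stand-in that mimics the response shapes of the boto3 calls used above."""

    def __init__(self, instances: dict):
        self.instances = instances  # instance_id -> description dict
        self.snapshots: list = []
        self.tags: dict = {}

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instances[i] for i in InstanceIds]}]}

    def create_snapshot(self, VolumeId, Description="", TagSpecifications=None):
        snap_id = f"snap-{len(self.snapshots):017x}"
        self.snapshots.append({"SnapshotId": snap_id, "VolumeId": VolumeId})
        return {"SnapshotId": snap_id}

    def modify_instance_attribute(self, InstanceId, Groups=None, DisableApiTermination=None):
        inst = self.instances[InstanceId]
        if Groups is not None:
            inst["SecurityGroups"] = [{"GroupId": g} for g in Groups]
        if DisableApiTermination is not None:
            inst["DisableApiTermination"] = DisableApiTermination["Value"]

    def create_tags(self, Resources, Tags):
        for r in Resources:
            self.tags.setdefault(r, {}).update({t["Key"]: t["Value"] for t in Tags})


def demo_client() -> FakeEC2:
    """Constructed dry-run data: one web instance with two volumes."""
    return FakeEC2({"i-0a1b2c3d4e5f67890": {
        "InstanceId": "i-0a1b2c3d4e5f67890",
        "SecurityGroups": [{"GroupId": "sg-web"}, {"GroupId": "sg-ssh"}],
        "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-root"}},
                                {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-data"}}]}})


if __name__ == "__main__":
    ec2 = demo_client()
    print(isolate_instance(ec2, "i-0a1b2c3d4e5f67890", "sg-quarantine", "IR-2024-017"))
    # For a real account: import boto3; isolate_instance(boto3.client("ec2"), ...)
```

    The responder role that runs this needs only the four EC2 permissions the function calls, which is the kind of pre-provisioned, narrowly scoped access the paragraph above is asking for. Security groups are stateful, so do not assume the group swap dropped a connection that was already established: confirm in VPC Flow Logs, and add a subnet network ACL deny or stop the instance if the attacker's session is still live. Memory is not captured here; if volatile evidence matters, acquire it before the instance is stopped.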

    What is a framework in security?

    An IT security framework is a series of documented processes that define policies and procedures around the implementation and ongoing management of information security controls. These frameworks are a blueprint for managing risk and reducing vulnerabilities.

    What benefit can a private, for-profit agency derive from best practices designed for federal agencies?

    It can be advised of widely accepted standards, practices, and policies, and modify them to suit its individual needs.

    What Web resources can aid an organization in developing best practices as part of a security framework?

    What is the ISO 27000 series of standards? Which individual standards make up the series?

    The ISO/IEC 27000 family of standards, commonly called the ISO 27000 series, is a set of best practices for improving an organization's information security policies and procedures, giving it a framework to address risks and capitalise on opportunities as it moves into the future. Its core members are ISO/IEC 27000 (overview and vocabulary), ISO/IEC 27001 (requirements for an information security management system, and the standard an organization is certified against), ISO/IEC 27002 (code of practice for information security controls) and ISO/IEC 27005 (information security risk management).

    Who is ultimately responsible for managing a technology, and who is responsible for enforcing policy that affects the use of a technology?

    Policy has the ultimate responsibility for managing technology. System administrators and users are responsible for enforcing policy. Based on NIST Special Publication 800-14, there are three types of information security policies: program (enterprise) policy, issue-specific policy, and system-specific policy.

    What type of policy would be needed to guide use of the Web?

    An issue-specific security policy (ISSP) would be needed to guide use of the Web, e-mail, and office equipment for personal use.

    What is contingency planning? How is it different from routine management planning?

    What are the differences between a policy, a standard, and a practice? Where would each be used?

    Policy: written instructions that describe proper behavior. Standard: a detailed statement of what must be done to comply with policy. Practice: examples of actions that would comply with policy.