Cybersecurity
Learn Fast How to Become an InfoSec Pro
3 Books in 1
Book 1
How to Establish Effective Security Management Functions
Book 2
How to Apply the NIST Risk Management Framework
Book 3
How to Manage Risk, Using the NIST Cybersecurity Framework
John Knowles
All rights reserved.
No part of this book may be reproduced in any form or by any electronic, print or mechanical means, including information storage and retrieval systems, without permission in writing from the publisher.
Copyright 2020 John Knowles
Disclaimer
Professionals should be consulted as needed before undertaking any of the action endorsed herein. Under no circumstances will any legal responsibility or blame be held against the publisher for any reparation, damages, or monetary loss due to the information herein, either directly or indirectly. This declaration is deemed fair and valid by both the American Bar Association and the Committee of Publishers Association and is legally binding throughout the United States. There are no scenarios in which the publisher or the original author of this work can be in any fashion deemed liable for any hardship or damages that may befall the reader or anyone else after undertaking information described herein. The information in the following pages is intended only for informational purposes and should thus be thought of as universal. As befitting its nature, it is presented without assurance regarding its continued validity or interim quality. Trademarks that are mentioned are done without written consent and can in no way be considered an endorsement from the trademark holder.
Introduction
You must have heard about data breaches and information technology incidents in the news, right? Have you wondered how these incidents happen and why people sometimes just don't look after their networks properly? It could be a security flaw in the system, but most of the time the problem can be traced to a lack of security management within the business. Book 1 covers how you can establish and manage security management functions within your organization. We're going to talk about the things you need to know in order to effectively manage all of the aspects of information security within your company or business. Some of the major topics we will cover include establishing a security management function, security roles and responsibilities, risk management, and organizational resilience. By the end of this book you'll understand what goes into managing information security in a business and how critical that role is in protecting data and systems from a variety of potential security risks. Before beginning this book, you should be familiar with basic security concepts and terminology such as confidentiality, integrity, and availability, as well as authentication and authorization concepts.
In Book 2, you will learn the fundamentals of risk management in security, and how to deploy the RMF to efficiently deal with compliance and risk within your business. You will learn how to categorize systems based on impact and criticality, how to select suitable information security controls, and how to deploy them. After that, you will learn how to conduct risk and control assessments. Lastly, you will learn system authorization procedures and how to monitor these controls using continuous assessment and reauthorization methods. By the end of this book, you will be knowledgeable in the NIST RMF and how it can benefit you with both security and compliance.
The Risk Management Framework is a methodology that an organization can use to manage risk associated with its IT assets, such as data and systems. Moreover, the Risk Management Framework, or RMF, can help you comply with governance requirements and help you secure your assets. In the first few chapters, we are going to cover three terms: compliance, security, and risk. We talk about them separately because they are not the same thing, although a lot of people think they are; all three are very important things that you have to be concerned about when you are managing your IT assets. First of all, we're going to talk about compliance, what it is, and why it's important in dealing with governance. We'll also cover security, which we know day to day as how we protect our information assets. Risk is a function of both likelihood and impact when we're talking about a negative event that may affect your assets. We'll talk about risk and how it affects you as well. We'll also talk about compliance versus security. We'll compare these two terms and tell you how they are similar, how they are different, and what they are and what they're not. We'll also talk about how we can be compliant and secure at the same time, and finally, we'll discuss the RMF itself. This will be just an introductory discussion of the RMF, because we're going to talk about the Risk Management Framework throughout this entire book.
In Book 3, we're going to learn what it takes to manage risk in your organization, specifically risk that has to do with information, with information systems, with data, and so on. We're going to take a look at a wide variety of topics. We're going to talk about assets and what they are. We're going to talk about the elements of risk, risk analysis, risk assessments, and managing and monitoring risk. Managing organizational information assets is very important. Risk management starts with our assets: what we have, and what we want to protect. What we're going to discuss first is managing information assets. First of all, we have to figure out what our information assets are. What are they? Therefore we have to identify them. We also have to understand what value an asset has to us. We'll also discuss classifying information assets according to levels of sensitivity, criticality, cost, and dependency. Then we'll discuss information asset and risk ownership. We'll need to know who owns an asset and who owns the risk associated with that asset. Finally, we'll talk about assigning value to these information assets; sometimes this value is expressed in terms of cost with dollars attached, and sometimes in terms of qualitative measurements such as high, moderate, or low.
Book 1
How to Establish Effective Security Management Functions
Chapter 1 Objectives of Security Management
This book is all about security management at its foundation, and it's meant for folks who are coming into the security management field. You might previously have been a technician or a manager in another field, and now you've suddenly been thrust into dealing with security. You're establishing a security management program, so you need to know the fundamentals: how security interacts with everything in the organization and how it helps protect assets. We're going to talk about all of those things throughout the various chapters of this book. So let's go ahead and get started. First, we will cover organizational security management. We'll cover some fundamentals that you need to know as a security manager, and we'll talk about some basics of security theory. We'll also talk about supporting security objectives, looking at goals that all security programs should be striving to achieve. We'll also look at the security management principles themselves, things that a security manager needs to know and needs to have in their toolbox to help them manage a security program that protects assets throughout the organization. We'll also look at security controls: we'll explain what they are, the types of security controls, and the different functions of security controls. First, let's define what security management is. Whether you're a technician, a manager, or an executive, you may have a different view of what security management really is. Therefore, let's go ahead and define it. Security management is essentially a top-down, formalized program.
As technicians, we're used to looking from the bottom up, configuring firewalls and making sure people have the right permissions and so forth, but security management works from the top down. As I said, it's a formalized program, bought into and established by management, and it consists of the policies, processes, and procedures that we use throughout the organization to oversee the protection of assets. When I say assets, we're generally talking about systems and data, but also people, facilities, equipment, reputation, and other intangibles that the company might hold valuable as assets. When we talk about assets, we're talking about protecting all of those things. What purpose does security management really serve for us? What does it do for us in the organization? First, it helps us manage the overall security posture of the organization. It gives us an overarching ability to manage physical security, logical security, personnel security, and so forth. We can manage the security aspects of the facilities, the people, the information systems, and the data, all from one centralized focal point. Security management also helps us develop the organization's security strategy and goals. Security strategy and goals are very important to us because they tell us what direction we're going in as an organization, and what we need to be doing, now and in the future, to help ensure the security of our assets. It also helps ensure that assets are protected: information, data, systems, facilities, people, equipment, and so forth. An overarching security management program helps ensure that those assets are protected by establishing policies, procedures, and so on. An overarching security management program also prevents liability, both criminal and civil, and unfortunately in today's world, liability is a big issue, especially in the security world.
A company or organization could be liable for data breaches or data loss in the event of an attack or a malicious insider; thus security management can help us lower the risk of liability or even prevent it altogether. And finally, a security management program, especially an effective one, demonstrates due diligence and due care on the part of the organization. We'll discuss what due diligence and due care are in some later chapters; for now you need to know that it means we have planned and acted responsibly. Let's talk about the goals of security management. The goals of the security management program are essentially the same goals of security that we have studied every time we've looked at basic security, and they're widely known as the CIA triad: confidentiality, integrity, and availability. Those are the three primary goals that security has, and we're going to discuss all three of those and what they mean to you. First of all, let's look at confidentiality. Confidentiality essentially means that we're restricting access to data, information, and systems. We're restricting that access to only those folks who absolutely need it to do their jobs, and at the same time, we are denying access to folks who don't have a need to access it. In other words, we're keeping them out. Confidentiality can be assured through several different methods: technical, logical, physical, administrative, and so on. Some of those methods might include encryption or permissions on shared folders, for example. Now let's look at integrity. Integrity means that we make sure that while data is at rest, meaning in storage, or in transit, meaning that it's being transmitted over a network, there are no unauthorized changes to the data. In other words, there are no unauthorized modifications to it, whether intentionally by malicious users or actors, or even unintentionally through bad network connections, for example.
We typically ensure integrity through mechanisms such as hashing, MD5 sums, and checksums. What we want to make sure of is that the data we stored or sent comes out on the other end, or is used, exactly the way it was intended to be. There are going to be some changes to data during its use, but we're preventing unauthorized changes to data when we ensure integrity. The third part of our CIA triad is availability. With availability we're basically ensuring that the authorized users we talked about earlier have the access they need to systems and data whenever and however they need it, and in the format they need it. We want to make sure that they have access to it and can use it 24/7. How do we ensure availability? Typically through mechanisms such as data backups and redundant servers, but we'll talk about other ways we can ensure availability as we go through the book.
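As an added illustration of the integrity point above (this is example code written for this edition, not part of the book's own material), the following Python shows the difference between an unkeyed checksum and a keyed hash (HMAC) on a constructed record. Both detect the unintentional bit flip of a bad network link, but only the keyed tag detects a malicious change when the actor also replaces the stored checksum; the record, the key, and the function names are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample "data at rest" and a constructed demo key (not for real use).
RECORD = b"account=4471;balance=1200.00;status=active"
KEY = b"constructed-demo-key-do-not-reuse"


def sha256_digest(data: bytes) -> str:
    """Unkeyed hash: anyone who can write the data can also recompute this."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed hash: recomputing it requires the key, which the writer does not hold."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def store(data: bytes, key: bytes) -> dict:
    """Persist the record together with both integrity values."""
    return {"data": data, "sha256": sha256_digest(data), "tag": hmac_tag(key, data)}


def verify_plain(stored: dict) -> bool:
    """Integrity check using only the unkeyed checksum."""
    return hmac.compare_digest(sha256_digest(stored["data"]), stored["sha256"])


def verify_keyed(stored: dict, key: bytes) -> bool:
    """Integrity check using the keyed tag."""
    return hmac.compare_digest(hmac_tag(key, stored["data"]), stored["tag"])


def corrupt_in_transit(stored: dict) -> dict:
    """Unintentional change: a single bit flip, checksum left untouched."""
    damaged = bytearray(stored["data"])
    damaged[20] ^= 0x01
    return {**stored, "data": bytes(damaged)}


def tamper_and_recompute(stored: dict) -> dict:
    """Intentional change by an actor who can also rewrite the unkeyed checksum."""
    altered = stored["data"].replace(b"1200.00", b"9999.00")
    return {**stored, "data": altered, "sha256": sha256_digest(altered)}


if __name__ == "__main__":
    good = store(RECORD, KEY)
    print("pristine:", verify_plain(good), verify_keyed(good, KEY))
    print("bit flip:", verify_plain(corrupt_in_transit(good)), verify_keyed(corrupt_in_transit(good), KEY))
    print("tampered:", verify_plain(tamper_and_recompute(good)), verify_keyed(tamper_and_recompute(good), KEY))
```

The practical takeaway for a security manager is that a checksum stored beside the data only proves the data was not corrupted; proving it was not altered by someone with write access needs a key (or a signature) that the writer cannot reach.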