Summary of Exam Objectives

The key principles of information security are system accountability, multifactor authentication, and least privilege. These principles all help control access to the systems within an organization and keep users accountable. System accountability is the concept of keeping users accountable for their actions by utilizing logging and auditing functions. Their identity is verified via the appropriate authentication method or a combination thereof. There are three commonly used forms of authentication: something you know, something you are, and something you have. The more methods of authentication utilized, the more assurance that the user is really who they claim to be. User access is limited through the concept of least privilege. Least privilege states that a user is granted only enough access to the system as is required to perform their job duties.

Information security specifically addresses the CIA (confidentiality, integrity, and availability) of critical information within an organization. Confidentiality is the protection against unauthorized disclosure of sensitive or private information. Integrity is the protection of information against unauthorized or accidental manipulation. Availability ensures that the information in a data system remains available when the organization needs it. These security goals are pursued through a process called the security life cycle. Security life cycle models start with an analysis of current systems to determine the organization's information security needs. Once the needs have been determined, a security implementation plan is developed and executed. The plan is then tested, and the feedback is fed back into the cycle so that it begins again from the top. Through this model, security becomes a constantly evolving process rather than a one-time effort.

Key definitions were discussed that define the steps of obtaining assurance that a system is secure and ready for use on an operational system. Acceptance means that a system meets all security and functional requirements and can be adopted into an operational environment. Accreditation designates a system as safe to use in an operational environment because all security concerns about the system have been addressed adequately. Certification is the end result of an in-depth evaluation of the system in question to determine if it operates securely. The certification process also details how well the security measures that are in place address security concerns. Assurance defines the levels of confidence an organization has that the security characteristics of a system are complete and will protect the critical information within. Systems with better security controls in place are said to have a higher level of assurance.

The security process should be involved with the development process from the very beginning. Functions such as quality assurance, auditing, and security controls help ensure that a product functions as required and protects the information within the system. All policies, laws, regulations, and contract obligations are taken into account and a certification process determines the validity of both security and functional requirements in the product. When the system is deemed to have met all requirements, it is given an operational test to ensure the system performs as expected.

The separation of duties within an organization limits the effect that any one person within the organization can have on a system or the information in that system. Organizations perform certain processes to meet their mission objectives each day. These processes are segmented into pieces and assigned to different individuals. No single entity controls the process from beginning to end, and thus no single entity has access to all pertinent information within the process. An information leak from any one piece of the process will therefore not give away all of the sensitive information in the process.

Separation of duties also applies to the development and security processes. Developers and security administrators should not be allowed to officially test and evaluate systems or applications that they have a personal interest in. Third parties whose opinions can be considered truly objective should be brought in to test and evaluate the system or product. This eliminates the concern that an individual is in the position to approve his or her own work as secure and functional.

The risk assessment process is used to define the actual security posture of an organization, as opposed to its assumed security posture. It begins by identifying the criticality of all information types within the organization and the risks that exist to those information types. Recommended solutions to mitigate the risks to the information are given within financial, operational, or legal constraints. An organization will rarely be able to eliminate a risk entirely, so it must define an acceptable level of loss for the information. The final product of the risk assessment process is the security plan, which defines a step-by-step process to address the risk to each critical information system within the organization.

Potential vulnerabilities that affect organizations include malicious code, data problems, and access problems. Malicious code consists of viruses, worms, Trojan horses, and logic bombs. These are pieces of code that affect the information on a data system or the access to that data system in a harmful manner. Data problems are those things that cause more information to be known or inferred by an intruder than is intended. Uncontrolled memory spaces within the system can cause leakage of information or the corruption of information within the system. In some instances, an intruder can infer larger strategies or make valid guesses about the overall information in a system based on a large number of smaller and seemingly irrelevant pieces of information that are not controlled. Access problems include back doors to operational systems, covert channels of communication within an operational system, or physical access issues that do not adequately control access to system hardware.

System architecture provides models for operational systems containing multiple levels of classified information. Each system model protects the critical information within the system based on the authority or "need to know" that individuals have on the system. System High mode means that all users on a system have the authority and clearance levels required to view the information in the system, but may not necessarily have the required "need to know." In compartmented mode, all users have the required authority and clearance levels, and also have some "need to know" for the information in the system. In multi-level secure mode, not all users on the system have the approval or the "need to know" for every piece of information in the system.

The change control process is used to protect operational systems from accidental breakdown resulting from a poor configuration change. This process is utilized for both software and hardware systems. Each proposed configuration change goes through an approval process that helps ensure that changes to one system do not break that particular operational system or have a negative impact on other operational systems within the environment. The organization should be able to roll back to the last known configuration that worked. Some methods for controlling configurations include checksums, digital signatures, host-based intrusion detection systems (IDSs), and software configuration management (SCM) applications.
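As an added illustration of the checksum and rollback controls just described (example code, not from the study guide), the following compares a live configuration against an approved baseline and restores the last known good copy of anything that drifted; the file names and contents are constructed. A checksum only detects change, so the baseline store itself must be protected (for instance by the digital signatures the text also names), or a tamperer can update both the file and its recorded checksum.

```python
import hashlib

# Constructed sample: configuration files as approved through change control.
# File names and contents are hypothetical.
APPROVED_CONFIGS = {
    "sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "sudoers": "%admin ALL=(ALL) ALL\n",
}

def checksum(content: str) -> str:
    """SHA-256 of a file's content: the checksum control named in the text."""
    return hashlib.sha256(content.encode()).hexdigest()

def build_baseline(files: dict) -> dict:
    """Record name -> checksum for the approved set; this is the last known good."""
    return {name: checksum(body) for name, body in files.items()}

def detect_drift(baseline: dict, current: dict) -> dict:
    """Report files modified, added or removed outside change control.

    All three lists empty means the live system still matches the baseline.
    """
    report = {"modified": [], "added": [], "removed": []}
    for name, body in current.items():
        if name not in baseline:
            report["added"].append(name)
        elif checksum(body) != baseline[name]:
            report["modified"].append(name)
    report["removed"] = sorted(set(baseline) - set(current))
    return report

def roll_back(last_known_good: dict, current: dict, drift: dict) -> dict:
    """Restore the last known good copy of every drifted file."""
    restored = dict(current)
    for name in drift["modified"] + drift["removed"]:
        restored[name] = last_known_good[name]
    for name in drift["added"]:
        del restored[name]  # unapproved file: remove it
    return restored

if __name__ == "__main__":
    baseline = build_baseline(APPROVED_CONFIGS)
    live = dict(APPROVED_CONFIGS)
    live["sshd_config"] = "PermitRootLogin yes\n"  # unapproved edit
    drift = detect_drift(baseline, live)
    print(drift)  # {'modified': ['sshd_config'], 'added': [], 'removed': []}
    print(roll_back(APPROVED_CONFIGS, live, drift) == APPROVED_CONFIGS)  # True
```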

System security architecture concepts define how to prevent the intentional or unintentional tampering with data within a system or the processes that manipulate the data. Hardware segmentation protects data in one process from interfering with the data in another process. The kernel controls the memory allocated to each process to ensure that memory segments are segregated from each other and are released and cleared when the process completes. The reference monitor within the system controls access to data and objects based on the authority of the entity trying to access them. Security modes such as System High mode control access to various levels of classified information to ensure that only individuals who meet certain access requirements can utilize processes and data within the system. Data protection mechanisms are intended to protect sensitive operations from interference or manipulation by common processes on the system. These mechanisms also ensure that data in one process is hidden and protected from the prying eyes of other processes through the use of data abstraction and data hiding.

Data classification levels help organizations label the information in their systems based on the sensitivity of that information. Top Secret is most often used to designate information that, if leaked or divulged, could cause catastrophic damage to an organization. Secret is the designation used for information that is less sensitive than Top Secret, but still meant for use only within organizational boundaries. The unauthorized disclosure of Secret information would have a serious impact on the organization. Confidential information is usually information of a personal nature whose disclosure would cause some damage to the organization, but not to the degree associated with the Secret or Top Secret levels. Unclassified information is all other information within the organization. Disclosure of this type of information will not greatly impact the organization.
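As an added example (not from the study guide), the following toy reference monitor ties together the classification levels above, the clearance and "need to know" compartments from the security-modes paragraph, and the logging that keeps users accountable. Subjects, objects and compartment names are constructed.

```python
from dataclasses import dataclass

# Classification levels from the text, ordered least to most sensitive.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]

@dataclass(frozen=True)
class Label:
    """A sensitivity label: a level plus the 'need to know' compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Clearance must be at least as high AND cover every compartment.
        # Either condition alone is not enough: a Top Secret user with no
        # compartments is cleared for a Secret document but has no need to know.
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.compartments >= other.compartments)

@dataclass
class Subject:
    name: str
    clearance: Label

@dataclass
class Obj:
    name: str
    classification: Label

def reference_monitor(subject: Subject, obj: Obj, audit_log: list) -> bool:
    """Mediate a read request and log the decision (accountability).

    Access is granted only when the subject's clearance dominates the object's
    label. Every decision, allowed or denied, is appended to audit_log.
    """
    allowed = subject.clearance.dominates(obj.classification)
    verdict = "ALLOW" if allowed else "DENY"
    audit_log.append(f"{subject.name} read {obj.name}: {verdict}")
    return allowed

if __name__ == "__main__":
    # Constructed sample subjects and object (hypothetical names).
    alice = Subject("alice", Label("Secret", frozenset({"PROJECT_A"})))
    bob = Subject("bob", Label("Top Secret"))
    plan = Obj("plan", Label("Secret", frozenset({"PROJECT_A"})))
    log = []
    print(reference_monitor(alice, plan, log))  # True: level and compartment match
    print(reference_monitor(bob, plan, log))    # False: cleared higher, no need to know
    print("\n".join(log))
```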

Employees are the weakest link in the security process. Organizations control exposure to risks associated with employees through the use of policies and practices. Background checks are utilized to verify the information given by potential employees and to uncover past history that could cause problems for the organization. Separation of duties ensures that no single employee has all the information within a process or system. If the employee leaks their piece of the information, the impact to the organization will be less. Employment agreements such as non-compete agreements, NDAs, security policy acknowledgements, and account tracking forms protect the assets of a company and give legal recourse in the event of breach of contract by an employee. Termination policies reiterate these concerns when an employee is leaving an organization and ensure that all access to the organization, both physical access and information system access, is revoked.

Security awareness training ensures that individuals within an organization understand the security policies and practices required during their time at the organization. It begins with the hiring process and is endorsed at the highest levels of management within the organization. Management leads by example and ensures that training on the organizational security policies and practices is given to workers on an annual basis. Random spot checks are practiced to ensure that employees are following the security requirements.

Security management planning defines the mission of the organization and determines priorities for security processes within the organization. Managers determine the risks and threats that apply specifically to their organization and devise a plan to address these concerns in a step-by-step fashion. Costs, benefits, and feasibility of all pieces of the security plan are taken into account and agreement from upper management within the organization is sought to ensure the plan can be implemented and enforced.



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
