Categories Topics
Acceptable Use
Overview
: An Acceptable Use policy and supporting procedures should be documented that set out the rules and approved processes individuals must follow when handling the organization's assets (e.g. information, software and hardware) and its communication systems.
Access Control
Overview
: Access to systems and applications should be controlled so that it is commensurate with job and security requirements. Access should be consistent with a user's role in the organization and should define the specific access rights authorized on systems, networks and applications. Access controls should also include a formal access authorization process, periodic review of role membership, segregation of duties and monitoring of access.
Account Lockout
Overview
: Accounts used to access systems, applications or devices should be locked out after a defined number of unsuccessful login attempts to reduce the risk of unauthorized access to sensitive systems and data. Accounts should stay locked either for a defined period or until reset through an approved process, and a correct password presented while the account is locked should still be refused. If no lockout threshold is set, an intruder can guess the password an unlimited number of times, including with automated tools (e.g. dictionary attacks). Lockout can itself be abused: an attacker who knows valid user IDs can deliberately lock accounts out, so the threshold, lockout duration and monitoring should be chosen with that denial-of-service risk in mind. Account lockout should complement other access control measures, including longer minimum password lengths, password complexity, password history and monitoring of failed logins.
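The lockout rules described above, worked through in code. This is an added example, not code from the original page; the class and parameter names (LockoutPolicy, AccountLockout, threshold, window_seconds, lockout_seconds) and the sample values are assumptions chosen for illustration. Time is passed in explicitly so the behaviour is deterministic and testable.

```python
"""Account lockout enforcement with a failure threshold, a counting window and a
lockout period (or lockout until administrative reset).

Added example, not code from the original page. The class and parameter names
and the sample values are assumptions chosen for illustration.
"""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    threshold: int = 5            # failed attempts that trigger a lockout
    window_seconds: int = 900     # failures older than this no longer count
    lockout_seconds: int = 1800   # 0 means "locked until an administrator resets it"


@dataclass
class _AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: Optional[float] = None                 # None = not locked, math.inf = until reset


class AccountLockout:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._accounts: Dict[str, _AccountState] = {}

    def _state(self, user: str) -> _AccountState:
        return self._accounts.setdefault(user, _AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        state = self._state(user)
        if state.locked_until is None:
            return False
        if now < state.locked_until:
            return True
        # Lockout period has elapsed: clear the lock and start counting afresh.
        state.locked_until = None
        state.failures.clear()
        return False

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed attempt; return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        state = self._state(user)
        cutoff = now - self.policy.window_seconds
        state.failures = [t for t in state.failures if t > cutoff]   # slide the window
        state.failures.append(now)
        if len(state.failures) >= self.policy.threshold:
            state.locked_until = (now + self.policy.lockout_seconds
                                  if self.policy.lockout_seconds > 0 else math.inf)
            state.failures.clear()
            return True
        return False

    def admin_reset(self, user: str) -> None:
        """Approved reset: clears the lock and the failure history."""
        self._accounts.pop(user, None)

    def login(self, user: str, credentials_valid: bool, now: float) -> str:
        """Returns "ok", "denied" or "locked".

        The lock is checked before the credentials are evaluated, so a correct
        password presented during a lockout is still refused: otherwise an attacker
        could keep guessing and learn the password from the one "ok" response.
        """
        if self.is_locked(user, now):
            return "locked"
        if credentials_valid:
            self._state(user).failures.clear()
            return "ok"
        return "locked" if self.record_failure(user, now) else "denied"
```

The window matters as much as the threshold: three failures spread over an hour are a forgetful user, three in twenty seconds are a tool. A `lockout_seconds` of 0 models the page's "locked until reset by an approved service" case, and `admin_reset` is that approved service.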
Application Security
Overview
: Security needs to be included in the design of every application. Application security is most effective when planned and implemented throughout the application's development lifecycle. This process is often referred to as a Secure Development Lifecycle (SDLC; also written SSDLC or SDL to distinguish it from the general software development lifecycle) and ensures application code is developed securely and meets its security requirements. Application vulnerabilities should be addressed prior to release to production or customer use. Since web applications are often exposed to the public, insecure applications are one of the most common entry points for an attacker into an organization.
Asset Management
Overview
: Organizational assets should be appropriately protected, including asset ownership, inventory, data classification and acceptable use of assets. Assets consist of physical systems, removable media, software, information (such as databases or data files), services and people.
Audit of Information Systems
Overview
: There should be a formal audit plan and assessment process to evaluate the effectiveness of the organization's information security policies and controls. The assessment (or audit) process should be part of the overall security program and should be performed periodically.
Authentication
Overview
: Authentication is the process of verifying the identity of an individual, or of the originator or receiver of information. Authentication requires at least an identity claim (such as a user login ID) plus one or more mechanisms to prove that identity (such as a password, a token, or both).
Authorization
Overview
: Authorization defines what users or identities are allowed to do with a resource after they have been authenticated. Authorization methods include the processes to approve new user membership in a role or to approve access to a system, application or data resource.
Biometric Devices
Overview
: Biometric devices, such as fingerprint scanners, hand geometry readers, retina scanners and facial recognition devices, are used to strengthen physical access controls by identifying users from a physical characteristic. Biometrics are also harder to counterfeit than badges or passwords, though a compromised biometric template cannot be replaced the way a password can.
Business Continuity Plan (BCP)
Overview
: A Business Continuity Plan (BCP) is part of an organization's service continuity program and aims to maintain predictable levels of service in the event of a business disruption. Business continuity planning ensures that business services remain available as needed, and the plan should be tested and updated regularly.
Change Control and Management
Overview
: Change management is the process of managing and controlling changes in the environment so that the confidentiality, integrity and availability of sensitive systems and data are preserved. The change management process should ensure changes to systems or applications are documented, reviewed, tested and approved before implementation in the production environment.
Cloud Computing Security
Overview
: Cloud computing can be described as a shared pool of configurable computing resources (e.g. servers, applications, networks, storage) that is scalable and can be rapidly provisioned and released with minimal management effort or service provider interaction. Although cloud computing offers many advantages, organizations should also understand the associated risks (e.g. responsibility for security being shared with the provider, multi-tenancy, and data location) and implement appropriate security procedures to protect their information.
Configuration Management
Overview
: Configuration management standards for platforms (e.g. UNIX/Windows systems, network devices, databases) should be documented, implemented and maintained, and compliance with them periodically verified, to ensure systems are configured securely and consistently to protect sensitive information.
Data Backup and Restoration
Overview
: Data backup and restoration is the process of ensuring system availability by copying systems, applications and data onto separate media (tape, disk or offsite/cloud storage) so that they can be restored after a disaster, hardware failure or unintended error. Backups should be protected in line with the classification of the data they contain and stored separately from the source systems, and restore procedures should be tested periodically, since an untested backup is not a control.
Data Loss Prevention (DLP)
Overview
: Data Loss Prevention (DLP) is a tool or process used to identify, monitor or restrict sensitive information leaving an organization (i.e. "data leakage") or being accessed by unauthorized parties. Commercial DLP solutions typically inspect content and apply policy to data in motion (e.g. e-mail, internet web proxies and webmail), data in use at endpoints (e.g. copying sensitive data to removable media) and data at rest (e.g. discovery and quarantine of sensitive files on insecure systems). Detection relies on rules such as pattern matching with validation checks, keyword dictionaries and document fingerprints, and tuning those rules against false positives is a large part of operating DLP. The main objective is to ensure information is protected and not stored on insecure systems. DLP should be part of a defense-in-depth strategy, not the only control.
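A content-inspection rule of the kind a DLP product applies to outbound mail, as an added example (not code from the original page or any vendor's product): candidate digit runs that look like payment card numbers are validated with the Luhn check so that order and ticket numbers do not trigger the rule, the hits are masked for the alert, and the message is blocked or redacted. The function names, the blocking threshold and the sample e-mail text are assumptions; the card numbers in the sample are the well-known test numbers, not real accounts.

```python
"""Content inspection for payment card numbers in outbound text, as a DLP rule
would apply it: find digit runs that look like a card number, keep only those
that pass the Luhn check (to cut false positives such as order or ticket
numbers), mask them for the alert, and decide whether to block the message.

Added example, not code from the original page. The function names, the
blocking threshold and the sample e-mail text are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import List

# 13 to 19 digits, optionally separated by single spaces or hyphens, as a whole token.
_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by card issuers; rejects most typos and random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first 6 (issuer) and last 4 digits: enough for an analyst, useless to a thief."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    start: int      # offset of the match in the inspected text
    end: int
    masked: str


def find_card_numbers(text: str) -> List[Finding]:
    findings = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding(m.start(), m.end(), mask(digits)))
    return findings


def should_block(text: str, max_allowed: int = 0) -> bool:
    """Policy decision: block when more card numbers than permitted are present."""
    return len(find_card_numbers(text)) > max_allowed


def redact(text: str) -> str:
    """Quarantine/redaction variant: replace validated card numbers with their masked form."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask(digits) if luhn_ok(digits) else m.group(0)
    return _CANDIDATE.sub(_sub, text)


# Constructed sample of an outbound message (industry test card numbers, not real accounts).
SAMPLE_EMAIL = ("Hi, my card is 4111 1111 1111 1111, order ref 1234567890123456, "
                "backup card 4242-4242-4242-4242, call me on 5551234567.")
```

The Luhn step is the difference between a rule that analysts trust and one they mute: the 16-digit order reference in the sample matches the regex but fails the checksum, so it is neither blocked nor redacted. Real deployments add the other signals the entry mentions (keywords near the match, document fingerprints) on top of this.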
Data Privacy
Overview
: Data privacy addresses the confidentiality of customer or entity data that is processed in a system or application.  There are numerous international, country or state regulations in place to ensure customer privacy is protected.  Organizations may face potential legal and liability concerns if data privacy requirements are not adhered to.  Data privacy should also be an ethical concern.
Database Security
Overview
: Database security is the practice of implementing security controls to protect databases, including the database systems and applications used to store, process or access data. Databases often store the most sensitive information in the organization, so they should be part of a defense-in-depth security program to ensure the confidentiality, integrity and availability of critical data.
Diagnostic Tools (security of)
Overview
: Diagnostic tools include network diagnostic, monitoring and scanning tools used to diagnose or troubleshoot applications, systems or networks in support of the confidentiality, integrity and/or availability of critical applications or systems. Since many diagnostic utilities have powerful functionality that could expose or exploit vulnerabilities on the network or system, they should be carefully controlled and limited to authorized personnel in accordance with their job responsibilities.
Disaster Recovery Plan
Overview
: A Disaster Recovery Plan (DRP) is part of the overall Business Continuity Plan (BCP) and covers the processes to recover the technology that supports business processes and services. Typically each critical business application has a detailed DRP that describes how to fail over and restore applications, databases and data to support the organization's BCP, including how quickly recovery must complete and how much data loss is tolerable.
Electronic Messaging Security
Overview
: Information sent through electronic messaging should be protected. Forms of electronic messaging include, but are not limited to, e-mail, instant messaging and social networking forums.
Encryption
Overview
: Encryption is a form of cryptography used to encode a message so that its meaning is concealed. The message is transformed from plaintext to ciphertext using a mathematical algorithm and a key, and can be read by authorized individuals or systems by transforming the ciphertext back to the original plaintext (decryption). Encryption by itself provides confidentiality only; the wider cryptographic objectives of data integrity, authentication and non-repudiation (i.e. proving who sent a message and that it has not been falsified or altered) require a message authentication code or a digital signature in addition to, or combined with, the encryption (authenticated encryption).
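The confidentiality-versus-integrity point above, shown in code as an added example that is not part of the original page. To stay within the Python standard library the cipher is a teaching construction (a keystream derived from HMAC-SHA256 in counter mode, XORed with the message) rather than a standard algorithm; the function names and the master key are assumptions. The example first decrypts while ignoring the authentication tag, which is what a plain stream cipher gives you, and shows that flipping one ciphertext bit silently changes "$100" into "%100"; then it verifies the tag (encrypt-then-MAC) and the tampering is detected. For real systems use a vetted authenticated-encryption mode such as AES-GCM or ChaCha20-Poly1305 from a maintained library.

```python
"""Confidentiality vs. integrity: a stream cipher alone hides the message but lets an
attacker flip bits in it undetected; adding a MAC (encrypt-then-MAC) detects tampering.

Added example, not code from the original page. The keystream is built from
HMAC-SHA256 in counter mode so the example runs with only the standard library; this is
a teaching construction (assumed names: encrypt, decrypt, decrypt_unauthenticated).
In production use a vetted authenticated-encryption mode (AES-GCM, ChaCha20-Poly1305).
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one master key (HMAC as a KDF)."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudorandom keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(master: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag. A fresh random nonce per message keeps the
    keystream from repeating; the tag covers nonce and ciphertext (encrypt-then-MAC)."""
    enc_key, mac_key = _subkey(master, b"enc"), _subkey(master, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master: bytes, blob: bytes) -> bytes:
    """Verifies the tag in constant time BEFORE touching the ciphertext; raises on tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkey(master, b"enc"), _subkey(master, b"mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was altered or key is wrong")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def decrypt_unauthenticated(master: bytes, blob: bytes) -> bytes:
    """What a decryptor that skips the tag sees: bit flips in the ciphertext land in the
    plaintext at the same positions, so "$100" can be turned into "%100" or any other
    value without knowing the key (malleability)."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return _xor(ciphertext, _keystream(_subkey(master, b"enc"), nonce, len(ciphertext)))
```

Two design choices carry the lesson: separate keys for encryption and authentication (derived from one master key so only one secret has to be managed), and verifying the tag before any decryption so that an altered message is rejected without ever being acted on.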
Exception Management
Overview
: The exception process should ensure that items not compliant with an information security policy or standard are documented, approved and tracked until the security gap is remediated. Exceptions should be rare and time-limited, but may be required when a longer period (e.g. for budget approval or testing) is needed to implement an action plan that brings the item into compliance with policies and standards.
Hard Drive and Removable Media Destruction
Overview
: Hard drives, devices and removable media should be disposed of in accordance with the organization's data classification and handling policy and its asset management policy and standards. Hard drives and removable media can contain sensitive information that must be destroyed or sanitized (e.g. by secure overwriting, degaussing of magnetic media, cryptographic erasure or physical destruction) when the asset is no longer needed, and the disposal should be recorded against the asset inventory.
Incident Management
Overview
: Incident Management is the process of ensuring that information security events, weaknesses and incidents involving information systems and processes are reported, investigated and resolved in a timely manner. Individuals should be made aware of their responsibilities and of the procedures for reporting information security incidents as soon as possible.
Information (Data) Classification, Labeling and Handling
Overview
: Data Classification is the process of classifying information into high level categories based on sensitivity and value to the organization. The higher the level of data classification (e.g. Secret), the higher level of security controls and focus should be in place to protect the sensitive information. Data classification policy and procedures should also be in place that will include how sensitive information will be classified, handled, retained and disposed of.
Information Backup and Restoration
Overview
: Information backup and restoration is the process of ensuring system and application availability by backing up key information onto physical media (including tape) or offsite storage, so that it can be restored after a disaster or unintended error.
Information Security Objectives
Overview
: The primary objectives of information security are the Confidentiality, Integrity and Availability of information. Known together as "CIA", these three should be the critical drivers for every organization's information security program and strategy.
Information Security Policies
Overview
: Information security policies are high-level statements or rules that employees, contractors and third parties must follow to ensure the protection and security of the organization's assets and information. Policies should be approved by management, published, communicated to personnel, enforced, and reviewed at least annually.
Information Security Program
Overview
: An Information Security Program oversees the establishment and maintenance of information security policies, standards and initiatives. In order to meet business objectives, the program establishes security roles and provides oversight of security activities across the organization to meet regulations, reduce risk from threats and enforce policies. The program should also be approved by management, published and communicated appropriately.
Information Security Standards
Overview
: Information security standards are more detailed security requirements and guidelines that will help organizations meet information security policies.
Intrusion Detection System (IDS) - Host or Network
Overview
: Intrusion detection systems (IDS) are devices or software controls that monitor network traffic and/or systems for malicious activity and log and report it. IDS comes in two primary categories: network-based (NIDS) and host-based (HIDS).
Key Management
Overview
: Key management is the practice of protecting cryptographic keys from unauthorized modification or disclosure. It consists of the infrastructure, software, storage and tools used to securely manage cryptographic keys through their entire lifecycle: generation, distribution, storage, use, rotation, revocation and destruction.
Legal, Regulatory and Compliance
Overview
: Over the past number of years, multiple state, federal and international regulations have been passed that require information protections.  Organizations must avoid breaches of such regulations by designing, operating and using information systems in accordance with regulatory, contractual and security standard requirements.
Logging (system, security, application)
Overview
: Records (logs) of system, application and user activity and of information security events should be produced and kept for an agreed period of time. Audit logging should be enabled on systems and devices to record user activity at the application or transaction level. Audit logs are critical for incident response, later investigations, audit trails and troubleshooting, so they should be protected from alteration or deletion (e.g. forwarded to a central log server) and written with synchronized clocks so that events from different sources can be correlated.
Malicious Software Controls
Overview
: Malicious software controls are critical to prevent malicious software (malware) from being installed on systems and to protect sensitive data. The most common control, antivirus (AV) software, should be installed on servers and workstations and is used to scan for and remove malware on systems and removable media. Additional malicious software controls include network proxy or gateway (anti-malware) devices that scan incoming e-mail and internet traffic for malware.
Mobile Device Security
Overview
: Mobile devices, such as cell phones, tablets and PDAs, have become invaluable tools for today's mobile workforce. Mobile devices make it easier to handle e-mail, store documents and remotely access data. With this added flexibility comes an increasing need to implement security measures to protect mobile devices and the data access mechanisms they use.
Network Access Control (NAC)
Overview
: Network Access Control (NAC) is a security control used to authenticate devices before allowing them onto the network. NAC consists of a network and host-based agent solution that admits authorized devices based on a predefined set of conditions each device or endpoint must meet (e.g. machine certificate, NAC agent, antivirus, current patches). Unauthorized devices are denied access or placed in a restricted (quarantine) network.
Network Security
Overview
: Network security ensures that the network and connections between systems and network devices are used to support business purposes.  Network security consists of network access control, monitoring, segregation, vulnerability management and secure device configuration and connectivity, to name a few.
Network Segregation
Overview
: Network segregation is the process to separate larger networks into smaller networks (also called "domains" or "security zones") based on data classification, sensitivity and/or key business functionality and value to the organization. The objective is to reduce the impact of a disruption of service to the organization and to control the data flow to and from those networks in order to protect information resources.
Password Management System
Overview
: Passwords are not to be shared and should be carefully controlled by password management systems to prevent unauthorized access to sensitive information. Password management systems can include a number of mechanisms, such as Active Directory (or LDAP) directories, password vaults and identity and access control solutions. The primary objective is to control password usage, enforce the organization's password policy and ensure that only authorized users or systems authenticate to resources (systems, applications, databases or data).
Password Usage
Overview
: A password is a secret phrase or string used to authenticate, i.e. to prove identity in order to gain access to a resource such as a system, application or data. Passwords are not to be shared and should be carefully controlled to prevent unauthorized access to sensitive information.
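How a system actually checks "identity plus something the user knows", covering both the Authentication and the Password Usage entries, as an added example that is not code from the original page. The server never stores the password itself, only a salted, deliberately slow PBKDF2 hash; comparison is constant-time; and an unknown user ID is run through the same hashing work so response timing does not reveal which IDs exist. The storage format ("pbkdf2_sha256$<iterations>$<salt>$<hash>"), the iteration count and the function names are assumptions for illustration.

```python
"""Proving identity with a password without storing the password: the server keeps a
salted, slow hash and compares in constant time; unknown user IDs are handled so
that response timing does not reveal which IDs exist.

Added example, not code from the original page. The storage format
"pbkdf2_sha256$<iterations>$<salt>$<hash>", the iteration count and the function
names are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Dict

ITERATIONS = 600_000   # assumed default; tune so one verification costs ~100-300 ms on your hardware


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    salt = secrets.token_bytes(16)                   # unique per password: defeats precomputed tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password: str, stored: str) -> bool:
    try:
        algorithm, iterations, salt_b64, hash_b64 = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
        iterations = int(iterations)
    except ValueError:          # malformed record (binascii.Error is a ValueError)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations,
                                    dklen=len(expected))
    return hmac.compare_digest(candidate, expected)   # constant-time: no early-exit leak


# Hash of a random value, verified for unknown user IDs so the work factor is paid either way.
_DUMMY_HASH = hash_password(secrets.token_hex(16), iterations=ITERATIONS)


def authenticate(user_db: Dict[str, str], user_id: str, password: str) -> bool:
    """Identity (user_id) plus something the user knows (password): one-factor authentication."""
    stored = user_db.get(user_id, _DUMMY_HASH)
    ok = verify_password(password, stored)
    return ok and user_id in user_db
```

Storing the iteration count alongside each hash is what lets the work factor be raised later: old records still verify, and can be re-hashed at the user's next successful login. Adding a second factor (a token) would sit on top of this check, not replace it.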
Patch Management
Overview
: Patch management is a component of an effective vulnerability management and configuration management program. The main objective of the patch management process is to ensure systems and devices are free of known vulnerabilities, meet the organization's standards and protect sensitive information. The process should have consistent procedures to ensure timely deployment of patches after vendor release. One of the most common threats to systems and devices is unpatched software, which can be exploited by malicious users to gain unauthorized access to vulnerable systems, applications and eventually sensitive data.
Penetration Testing
Overview
: A Penetration Test (also known as "Pentest") is the process of testing the effectiveness of an organization's security controls by simulating an "attack" from malicious outsiders or insiders. An organization will usually hire an independent company to analyze the organization's networks, applications, systems and procedures to find and exploit vulnerabilities, as a potential attacker would. The weaknesses found and potential impact, along with recommended mitigating controls to prevent such attacks in the future, would then be reported to the organization to improve overall security.
Physical (and Environmental) Security
Overview
: The main objective of Physical and Environmental Security is to protect facilities from environmental damage and unauthorized physical access.
Physical Access Security
Overview
: The objective of Physical Access Security includes mechanisms to detect, prevent and deter unauthorized access to facilities.
Privileged Access
Overview
: Privileged Access is the process of granting administrator or elevated privileges to information resources. Examples of administrator privileges can include access to systems to perform maintenance functions or to provide access to sensitive data or applications. Privileged Access to information resources should be limited using the "least privilege" concept: granting access to only minimum privileges required by the role to meet business and security requirements and no more.
Problem Management
Overview
: Problem Management (PM) is the process of documenting information related to system or application problems and the appropriate workarounds for the incidents they cause. The primary objective is to prevent incidents from recurring and so minimize impact to the business. The PM process should also include the activities required to diagnose the root cause of incidents and determine a resolution. Problem resolutions should be implemented through the change management and release management processes.
Proxy (Internet access)
Overview
: Internet proxy devices are standard controls used to filter, block and log users' internet access to websites. Many proxy vendors provide the capability to restrict websites by category or by specific URL where they are not commensurate with company policies. Such websites also carry a higher likelihood of users downloading malicious content onto company systems, and many proxies have filtering capabilities to block downloads of malicious software.
Remote Access (and Teleworking)
Overview
: Remote Access is the process of accessing an organization's network from a home office or while traveling in order to perform company business. Many organizations allow users to remotely access their networks from a home or remote office to improve their support coverage and to reduce facility or real estate costs (e.g., lower number of desks, phones, building space). The added flexibility and reduced overhead costs increase the need to secure remote access connectivity and home offices and establish Telecommuting policies for rules employees and contractors must follow to protect the organization's data.
Removable Media Security
Overview
: Removable Media Security is the process of controlling the usage of removable media devices (e.g., USB devices, CD/DVD media, backup tapes, etc.). Use of removable media should be controlled on systems to help prevent unauthorized transfer or disclosure of sensitive information and to minimize the propagation of malicious software.
Risk Assessment and Management
Overview
: Risk Assessment (and Management) is the process to periodically review sensitive systems, business services, and applications to ensure they meet the organization's policies and standards. The Risk Assessment process should also include a frequency of review and risk mitigation strategy. Risk Assessments should include a broad range of reviews of the internal organization and third party business services to include: Information Security, Financial, and Business Continuity Risk to name a few. The goal is to reduce and mitigate risk of the organization.
Secure Development Lifecycle (SDLC)
Overview
: See Application Security
Security Awareness and Training
Overview
: Information security awareness is the process of training individuals so that they know and understand security best practices as well as the organization's policies, standards and procedures. The main objective is to increase security awareness in order to protect the organization's information from unauthorized disclosure.
Security Monitoring
Overview
: Information Security Monitoring is the process of continuously assessing and maintaining the effectiveness of security controls and the security posture of the organization. Monitoring includes automated real-time monitoring or audit logging of technical controls as well as manual reviews of management or operational controls.
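The Logging and Security Monitoring entries both say that audit logs exist to be acted on; this added example (not code from the original page) shows the simplest form of that: detection logic run over authentication log lines. It flags a source address that produces many failed logins inside a short window, then flags a later successful login from that same address, which is the sequence an analyst most wants to see before anyone else does. The log lines are constructed in OpenSSH's sshd syslog format using documentation-range addresses; the thresholds and function names are assumptions.

```python
"""Detection logic run over authentication log lines: flag a source address that
produces many failed logins within a short window (password guessing), and flag a
later successful login from that same address (a sign the guessing may have worked).

Added example, not code from the original page. The log lines below are constructed
in OpenSSH's sshd format with documentation-range addresses; the thresholds and
function names are assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

Event = Tuple[datetime, str, str, str]   # (timestamp, result, user, ip)


def parse_line(line: str) -> Optional[Event]:
    m = _LINE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; that is fine for ordering within one log file
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return ts, m.group("result"), m.group("user"), m.group("ip")


def analyze(log_text: str, threshold: int = 5, window_seconds: int = 60) -> List[tuple]:
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)   # ip -> recent failure times
    flagged = set()
    alerts: List[tuple] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, result, user, ip = ev
        if result == "Failed":
            q = failures[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()                                   # slide the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)                               # alert once per source
                alerts.append(("brute_force", ip, len(q)))
        elif ip in flagged:
            alerts.append(("success_after_failures", ip, user))
    return alerts


# Constructed sample log: one guessing run that ends in a success, and one ordinary user.
SAMPLE_LOG = """\
Mar  3 09:14:01 bastion sshd[2210]: Failed password for alice from 203.0.113.5 port 51002 ssh2
Mar  3 09:14:03 bastion sshd[2210]: Failed password for alice from 203.0.113.5 port 51002 ssh2
Mar  3 09:14:05 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51010 ssh2
Mar  3 09:14:09 bastion sshd[2212]: Failed password for bob from 203.0.113.5 port 51020 ssh2
Mar  3 09:14:12 bastion sshd[2213]: Failed password for alice from 203.0.113.5 port 51030 ssh2
Mar  3 09:14:20 bastion sshd[2214]: Accepted password for alice from 203.0.113.5 port 51040 ssh2
Mar  3 09:30:00 bastion sshd[2300]: Failed password for carol from 198.51.100.7 port 40000 ssh2
Mar  3 09:31:00 bastion sshd[2301]: Accepted publickey for carol from 198.51.100.7 port 40001 ssh2
"""
```

Keying the window on the source address rather than the user ID is deliberate: the sample attacker spreads guesses across alice, bob and a non-existent admin account, so a per-user count would stay below the threshold. This is also why the entry above insists on synchronized clocks and tamper-resistant log forwarding: the windowing depends on the timestamps, and an attacker with write access to the local log can simply delete the failures.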
Separation of Development and Production
Overview
: Separation of Development and Production is the practice of separating non-production (to include Development and testing) from Production environments. The objective is to ensure non-production activities do not impact confidentiality, integrity and availability of critical business services and sensitive information.
Separation of Duties
Overview
: Separation of Duties (SOD) is the concept of requiring more than one person to complete a critical activity, so that no single individual can both perform and approve it (e.g. requesting and granting access, or developing and deploying code), in order to prevent fraud or errors.
Session Management
Overview
: Session management is the process of protecting user and system sessions over their whole life: creating them with an unpredictable identifier, expiring them when abandoned or idle, and terminating them when the system is no longer in use. Examples of user sessions include:
  • Workstation sessions - tracking the state of open applications and the user session across log on, log off and browser activity; idle workstations should lock and require re-authentication.
  • Website sessions - requiring the user to log in again when the session expires after a set period of inactivity. Session state is stored on the server side and referenced by a session identifier (session ID) that points to the associated data (e.g. account name, number, etc.); the ID must be random and unguessable and should be re-issued after login so that an identifier obtained before login cannot be reused afterwards.
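A server-side session store implementing the website-session rules listed above, as an added example that is not code from the original page: identifiers from the operating system's CSPRNG, an idle timeout that forces re-login after inactivity, an absolute lifetime that activity does not extend, rotation of the identifier at login, and explicit destruction on logout. The SessionStore class, its parameter names and the timeout values are assumptions for illustration; time is passed in explicitly so the behaviour is deterministic.

```python
"""Server-side session management: unpredictable session identifiers, an idle timeout
that forces re-login after inactivity, an absolute lifetime that is not extended by
activity, identifier rotation at login (so a session ID fixed before login is useless
afterwards) and explicit invalidation on logout.

Added example, not code from the original page. The SessionStore class, its
parameter names and the timeout values are assumptions for illustration.
"""
import secrets
from dataclasses import dataclass, field
from typing import Any, Dict, Optional


@dataclass
class _Session:
    created: float
    last_seen: float
    data: Dict[str, Any] = field(default_factory=dict)   # kept server-side, never in the cookie


class SessionStore:
    def __init__(self, idle_timeout: float = 900, absolute_timeout: float = 8 * 3600) -> None:
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._sessions: Dict[str, _Session] = {}

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG: not guessable

    def create(self, now: float, data: Optional[Dict[str, Any]] = None) -> str:
        sid = self._new_id()
        self._sessions[sid] = _Session(created=now, last_seen=now, data=dict(data or {}))
        return sid

    def get(self, sid: str, now: float) -> Optional[Dict[str, Any]]:
        """Returns the session data, or None if unknown or expired (expired ones are purged)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > self.idle_timeout or now - s.created > self.absolute_timeout:
            self.destroy(sid)
            return None
        s.last_seen = now
        return s.data

    def rotate(self, sid: str, now: float, **updates: Any) -> Optional[str]:
        """Issue a new identifier for a live session, e.g. right after login or a privilege
        change. The old ID stops working; the absolute lifetime is NOT reset."""
        data = self.get(sid, now)
        if data is None:
            return None
        old = self._sessions.pop(sid)
        data.update(updates)
        new_sid = self._new_id()
        self._sessions[new_sid] = _Session(created=old.created, last_seen=now, data=data)
        return new_sid

    def destroy(self, sid: str) -> None:
        """Logout: remove the server-side record so the ID cannot be replayed."""
        self._sessions.pop(sid, None)
```

Two details are easy to get wrong and are covered here: rotation carries the original creation time forward, so a user cannot keep a session alive indefinitely by re-authenticating, and expired records are deleted on access rather than left to be revived.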
Social Engineering (e.g., phishing)
Overview
: Social engineering is the process of tricking a person into divulging sensitive information or taking an action that helps the attacker. Methods include, but are not limited to:
  • Phishing - sending an electronic message that lures unsuspecting users to a fake website mimicking a legitimate one, where they enter sensitive information (e.g. bank login/password, credit card details); phishing is also used to establish a foothold on a corporate user's device, from which the attacker searches for and moves to other target systems inside the network in order to steal data.
  • Malware - persuading users to open malware-laden attachments or links sent in electronic messages.
  • Abuse of weak authentication - social engineers may call in, impersonate a user, and trick help desk or call center employees into resetting or revealing a password, using details gathered elsewhere (e.g. answers to secret questions, social networking profiles, sensitive papers in public trash).
Source Code Protection
Overview
: Source code protection is the practice of securing system files, program and application source code from unauthorized access or modification.
System ID Management
Overview
: A system ID (also known as a service account) is primarily used for automation and for authenticating system or application resources or services. System IDs differ from user IDs in that they are "faceless", but they must still be uniquely identified, tracked and associated with an appropriate responsible individual or information resource.
Third-party Security
Overview
: Vendors, partners, contractors or other third parties must manage and protect information in accordance with the organization's information security policies and standards. 
User ID Management
Overview
: An identity represents who someone is, including the unique characteristics (such as a user ID) that differentiate them from other individuals. User IDs should be appropriately managed as a critical component of the organization's Identity Management (and Access Control) program. Identity Management is the practice of managing identities and their associated roles, authorizations and privileges within the organization.
Vulnerability Management
Overview
: Vulnerability Management is the process to detect, analyze and remediate vulnerabilities on systems, devices, networks and applications in an ongoing manner. Vulnerability Management also includes the process to assess the likelihood of a vulnerability being exploited by external and internal threats and the impact to the organization.