Wednesday, August 14, 2013

CCSK Study - Domain 7: Traditional security, Business Continuity, & Disaster Recovery

Notes
  • Traditional Security
    • the measures taken to ensure the safety and material existence of data and personnel against theft, espionage, sabotage, or harm
  • Physical protection is the initial step
    • can render all logical controls ineffective if implemented incorrectly
  • Security programs flow from well-developed series of risk assessments, vulnerability analysis, bcp/dr policies, processes, and procedures
    • reviewed on a regular basis
  •  Cloud service providers need to be tested regularly
    • Use industry-standard guidelines such as TOGAF, SABSA, ITIL, COSO, or COBIT
  • Establishing a physical security function
    • Responsibility should be assigned to a manager
      • Should be high-up (have power / bite)
      • personnel should be trained and constantly evaluated
    • As with general security, adopt a layered approach
      • include both active and passive defence
      • 4D's (detect, deter, delay, deny)
    • Several forms of design
      • Environmental design 
      • Mechanical, electronic, procedural controls
      • detection, response, and recovery procedures
      • personnel identification, authentication, access control
      • policies and procedures, training
      • Many of the above are similar to what you would take in the virtual world... (it is my opinion that too many security systems were designed based on physical parameters and that is why they are somewhat easy to bypass)
  • Evaluating CSP traditional physical security setup
    • There may be limits in what you can do and you should balance how much of this is done with the risk of the data being stored in the environment
    • Location
      • Do an analysis on the location of the primary/secondary data centers
        • Consider things such as seismic zones and flood planes
        • Also consider human factors (political landscape, crime, etc)
    • Documentation Review
      • Review all the documentation that you would have had to do yourself if this project was in house
        • Risk analysis, risk assessments, BCP Plans, DR Plans, Physical and environmental policies, user termination policies, contingency plans and tests, .... (lots more)
        • Essentially, because this company will be handling your data/services/applications you want to make sure their policies match or exceed your own
        • Eg:  Do they do background checks on all employees?, do they have technical documents of their environment? etc (there is a large list in the csa document)
        • Things to check
          • Are they up to date?
          • Are the policies distributed to employees and accessible by them?
          • Do they do training on their policies?
    • Compliance with Security Standards
      • ensure compliance with global security standards (ask for confirmation)
      • Verify the compliance certificate
      • Look for verifiable evidence of resource allocation, such as budget/manpower, to the compliance program
      • verify internal audit
    • Visual Walkthrough
      • If you want to, make sure you know what you are doing.  There is a checklist here of things to look at
  • Security Infrastructure
    • Applies more when selecting a physical infrastructure provider
    • Basically, you are looking for best practices in data center setup and security
    • Checklist in this section (7.1.2) should be considered
  • Human Resource Physical Security
    • purpose is to minimize the risk of the personnel closest to the data disrupting operations and compromising the cloud
    • Consider
      • Roles and responsibilities are clearly defined
      • Background verification and screenings are done
      • Employment agreements (NDA's)
      • Employment terminations
      • Training (security, code of conduct, etc)
  • Assessing CSP Security
    • This section contains various checklists on areas to assess when selecting a CSP
    • I'm not going to list them all out, read the doc
    • Procedures
      • Basically, are their procedures documented and made available for inspection on demand
      • Things like NDAs, background checks, policies for information sharing, etc
    • Security Guard Personnel
      • Verify the instructions given to security personnel on what they should be checking, etc
    • Environmental Security
      • What protections are in place against environmental hazards (protection or detection)?
      • Maintenance plans, humidity controls, physically secure locations, impact of near-by (next-door) disasters in plans, asset control policies, methods for destroying data
  • Business Continuity
    • Provisions should be put in place should a major outage occur 
      • Financial compensation should the SLAs not be met
    • Review the existence of 
      • Emergency Response Team (ERT)
      • Crisis Management Team
      • Incident Response Team
    • Restoration Priorities
      • Discuss, incorporate, and quantify the RPO and RTO
      • Understand the information security controls needed
  • Recommendations
    • There is a lot in this section and I will go over some key points.  This is another section you will want to just read
    • Policy Recommendations
      • "Stringent security practices should prove to be cost effective and quantified by reducing risk to personnel, revenue, reputation, and shareholder value"
      •  Ensure that various policies meet or exceed the tenants current implementations
        • ie: background checks, least privilege, NDAs are enforced, etc
    • Transparency Recommendations
      • Perform an on-site visit (preferably unannounced)
      • Acquire documentation prior to visit in order to be able to conduct a mini-audit
    • Human Resources Recommendations
      • Ensure security team has industry certifications
    • Business Continuity Recommendations
      • Review BCP Plans of the CSP
    • Disaster Recovery Recommendations
      • plans should account for supplier(CSP) failure and have planned for the ability to switch providers
      • full-site, system, disk, and file recovery should be implemented via a user-drive, self-service portal
      • SLA should be properly negotiate
Summary

It is amazing how similar all of these topics are to things you would/should do in your own datacenter or organization.  There are all important points, however, to consider when migrating to the cloud.  As pointed out in the document, one must pay attention to BCP and DR issues.  There have been several notable instances where cloud service providers have "gone down" for hours at a time.  One should either protect against this via a cloud broker type tool that allows for service migration across different providers, or protect against the loss in financial terms via the SLA.

The other main point in this section is around the review of practices and documents provided by the CSP.  One of the key points here is that the CSP should be able to provide most of these documents "on-demand".  It should not come as a surprise to them that you are requesting to see their policies and procedures.  IT can be "expensive" when done properly, but that is only when you are ignoring the risk to the data and services that IT support.  As stated in the document, when done properly, security controls and IT in general can actually mitigate risk and save the company money in the event of unforeseen circumstances. 

The last point to note here is around the policies and procedures of the CSP.  Ultimately, you need to ensure they are following the same or better standards that you are following.  There has been a lot of discussion lately as to whether the cloud is "secure" or not. Some say that it is more secure than traditional IT because CSPs actually put money into the things mentioned in this document.  I think the argument is ultimately flawed.  If an IT organization was not aware of these best practices, chances are, they are not looking for it in their cloud provider... or not able to make sure that the cloud provider is doing what they say they are doing.  I guess what I am trying to say is that bad IT breeds bad IT and the problem is just worse in the cloud than it is in traditional IT that you can control.  IT organizations with strong and mature policies would probably be able to strategically use cloud resources (if they wanted to) knowing that they have processes and policies that work in-house.  They would take those lessons learned, and look for a partner (notice I didn't say CSP) that shares their same values and can provide them service at a reasonable (NOT "cheap") price.

There are quite a few good lists in this section, probably all good exam questions too.  This is going to be a section that I have to come back and review before the test.