DHS IT Security EBK Response
From ScribbleWiki: Security Catalyst Community
This project is to provide guidance and feedback to the DHS relating to their Information Technology (IT) Security Essential Body of Knowledge (EBK)[1] draft.
Please provide guidance related to the following sections.
Introduction
- <Don C. Weber> In sections 1.1, 1.5, and the Review Cycle sections there are references to "academia, industry, and government" experts who provided guidance for this document. Knowing who contributed to this document would help substantiate that the guidance came from industry-respected sources.
IT Security Competency Areas
- <Don C. Weber> I believe that a competency area for "Security Researcher" should be added here. After reading through each, Security Researcher does not really fit directly into Procurement, System and Application Security, or Risk Management. Or does it?
- <Ron W> What's your definition of "Security Researcher?" How does it relate to intelligence?
- <Don C. Weber> This document is not related to the "intelligence" community. See Section 1.4 "EBK is a resource that can be used by organizations for workforce development and planning..." To address the definition question I have added a draft description to the Security Research section below.
- <Ron W> Two other areas missing: Policy and Vulnerability Management. I believe it's because those areas are components of many other areas. Their importance may require they be brought forward into their own areas.
2.1 Data Security
- <Don C. Weber> In 2.1.1 add "Mediate interdepartmental processes and procedures involving data transfer and distribution."
- <Don C. Weber> In 2.1.1 there needs to be a statement about physical security of data. Although it can be implied, I think there needs to be stronger wording to ensure that the management of data security is not centered around technology. Not sure of what to say though.
- <Don C. Weber> In 2.1.2 add "Establish methods to locate, protect, and securely remove protected data in electronic and hardcopy forms."
- <Don C. Weber> In 2.1.3 add "Perform training specifically designed to enable end-users to securely interact with, protect, and dispose of protected data in electronic and hardcopy forms."
2.2 Digital Forensics
- <Ron W> In 2.2.1 add, "Maintain currency on forensic tools and processes," "Collaborate with Incident Management, IT and Security Operations teams on forensic processes," and "Maintain all documentation associated with forensic processes as well as the results of forensic investigations."
- <Don C. Weber> In 2.2.3 add, "Safely investigate the functions of software to include security and attack tools, viruses, worms, spyware, bots, and other types of malware."
- <Ron W> In 2.2.4 add, "Ensure the effectiveness of forensic processes used by digital forensic examiners and implement changes as required" and "Review all documentation associated with forensic processes or results for accuracy, applicability, and completeness."
2.3 Enterprise Continuity
2.4 Incident Management
- <Don C. Weber> In 2.4.3 add "Coordinate, integrate, and lead team responses with internal and external groups according to applicable policies and procedures."
- <Don C. Weber> In 2.4.4 add "Analyze open and closed source software that can be utilized as security or attack tools, for performance and identifying behaviors."
2.5 IT Security Training and Awareness
<Rebecca Herold> Change line 464 to “2.5 Information Security Training and Awareness”
<Rebecca Herold NOTE> Organizations possess information in many forms beyond digital forms, which “IT” implies. “IT” will indicate to many readers that the training and awareness is only for IT issues. Information on printed paper, and also information discussed in public must also be protected. Include all types of information, as well as the IT issues, by changing “IT” to “Information.”
<Rebecca Herold> Change line 465 to, “Refers to the principles, practices, and methods required to raise employee and contracted staff awareness about basic”
<Rebecca Herold NOTE> Anyone who is accessing an organization’s network and computer systems, and/or accessing personally identifiable information (PII) should receive training and ongoing awareness messages.
<Rebecca Herold> Change line 466 to, “information security, and to train individuals with information security responsibilities to increase their”
<Rebecca Herold NOTE> All personnel that have access to network and computer systems and PII should receive information security training, even if they do not have an explicit information security role. Such personnel all have a responsibility to protect their network, computer and PII access capabilities.
<Rebecca Herold> Change line 468 to “responsibilities and teach them about information security policies and related requirements, along with the supporting information security processes and procedures so duties are”
<Rebecca Herold NOTE> It is important for all personnel to know the information security policies and understand that they are requirements and not optional.
<Rebecca Herold> Change line 470 to “information security concepts to the workforce on an ongoing basis in order to keep personnel aware of security issues and as a result positively change user behavior to better protect information assets.”
<Rebecca Herold NOTE> Awareness communications must be an ongoing process. Personnel must continually be reminded of the security threats, vulnerabilities and resulting risks related to the information they handle and the computers and networks they use. These communications must be provided in many different ways to be best understood and applied by the three types of learners: visual, auditory, and kinesthetic.
<Rebecca Herold> Change line 472 to “Identify business requirements and establish the enterprise-wide policy for the information security”
<Rebecca Herold> Change line 474 to “Acquire and manage the necessary resources, including financial resources, to support the information”
<Rebecca Herold> Change line 476 to “Set operational performance measures for training, awareness and delivery and ensure that they are met”
<Rebecca Herold> Change line 477 to, “Ensure the organization complies with information security awareness and training”
<Rebecca Herold> Change line 482 to, “Define the goals and objectives of the information security awareness and training program”
<Rebecca Herold> Change line 484 to, “accuracy of the security training and awareness program”
<Rebecca Herold> Change line 485 to, “Establish a tracking and reporting strategy for information security training and awareness”
<Rebecca Herold> Change line 496 to, “Communicate the management commitment and importance of the information security awareness”
<Rebecca Herold> Change line 499 to, “Assess and evaluate the information security awareness and training program for compliance with”
<Rebecca Herold> Change line 500 to, “corporate policy and applicable laws, regulations and contractual requirements and measure performance of the program against objectives”
<Rebecca Herold NOTE> There are many laws and regulations that require information security awareness and training. It is also increasingly common for business partner contracts to include information security awareness and training requirements.
<Rebecca Herold> Change line 501 to, “Review the information security awareness and training program materials then recommend and implement”
<Rebecca Herold> Change lines 503 and 504 to, “Audit the awareness and training program to ensure that it meets not only the organization’s stakeholder needs, but that it is effective and covers all current information security issues and legal requirements.”
<Rebecca Herold> Change lines 505 and 506 to, “Ensure that all personnel that use the information systems and/or have access to PII are receiving the appropriate level and type of training”
<Rebecca Herold NOTE> Personnel outside the information security area also need targeted training. For example, call center staff need training to know how to properly confirm the identity of callers and to identify social engineering attempts; marketers need training to know what they can and cannot do with regard to sharing and using customer PII; and so on.
<Rebecca Herold> Change Section 3.5 to, “Refers to the principles, practices, and methods required to raise employee awareness about basic information security, and to train individuals with access to information systems and to sensitive information such as PII to increase their information security knowledge, skills and abilities. Training activities are designed to instruct workers about their security responsibilities and teach them about information security processes and procedures so duties are performed effectively, efficiently and securely within related environments. Awareness activities present essential information security concepts to the workforce on an ongoing basis in order to change user behavior.
• Awareness
• End User Security Training
• IT Security Awareness Program
• Information Security Awareness Program
• Instructor Led Training (ILT)
• Computer Based Training (CBT)
• Curriculum
• Learning Objectives
• IT Security Training Program
• Information Security Training Program
• Role-Based Training
• Training
• Instructional Systems Design (ISD)
• Web Based Training (WBT)
• Learning Management System (LMS)
• Needs Assessment
• Visual Learners
• Auditory Learners
• Kinesthetic Learners”
2.6 IT Systems Operations and Maintenance
<Andy Willingham> In the description (lines 509 - 511) add "or passing through it" between "residing on it" and "during the operations...."
<Andy Willingham> Add "and maintain" to line 518 so it reads "Establish and maintain communications between the security administration team and other security related personnel (e.g., technical support, incident management)"
<Andy Willingham> Add to 2.6.2 Design "Develop a plan to measure the effectiveness of security controls, processes, policies, and procedures."
2.7 Network Security and Telecommunications
<James Costello> 2.7.1 Modify "Establish a network security and telecommunications performance measurement program" to "Establish a network security and telecommunications performance measurement and monitoring program" to reflect the need for ongoing monitoring of security rather than just the gathering of statistics.
<James Costello> Add "Develop a risk-based assessment methodology to identify critical infrastructure and utilize this methodology" - similar to NERC Standard CIP-002-1
<James Costello> Add "Develop change management policy, process and procedure for network infrastructure in line with enterprise policy and security goals"
<James Costello> 2.7.2 Add "Develop network security and telecommunications monitoring and alerting processes and procedures"
<James Costello> Add "Develop electronic security perimeters for identified critical infrastructure." - similar to NERC Standard CIP-005-1
<James Costello> 2.7.3 Question the appropriateness of "Determine whether or not antivirus systems are in place and operating correctly" as a part of Network Security and Telecommunications, and whether it would not be more appropriate for section 2.6.3 in IT Systems Operations and Maintenance. Changing this to indicate network-related systems would allow it to also stay in this section.
<James Costello> If "Determine whether or not antivirus systems are in place and operating correctly" is to remain in this section, change antivirus to antimalware to reflect the changing nature of threats.
<James Costello> Add "Follow process and procedure of network change management policy"
<James Costello> Add "Implement electronic security perimeters for identified critical infrastructure"
<James Costello> 2.7.4 Add "Perform policy, process, and procedure review to ensure that each is effectively utilized and appropriate (e.g. Are logs and other monitoring data being reviewed in a timely manner to allow for applicable responses?)"
2.8 Personnel Security
2.9 Physical and Environmental Security
2.10 Procurement
2.11 Regulatory and Standards Compliance
- <Ron W> Section 2.11.1:
- Add, "Identify and stay current on all external laws, regulations, standards, and best practices applicable to the organization."
- Add, "Monitor all compliance gaps that are a regulatory risk"
- Lines 778 & 779: Delete the first bullet. It's not specific to compliance. It's
- Line 781: Third bullet. Shouldn't budget be an activity for all functions?
- Line 786 add, "in coordination with the Security Awareness function."
- Line 789, add to the end, "and maintain compliance with laws, regulations, and policies."
- <Ron W> Section 2.11.2:
- Add, "Design a methodology to determine and monitor compliance gaps"
- Lines 807 & 808: What is this trying to say?
- <Ron W> Section 2.11.3:
- Add, "Maintain a list of all external laws, regulations, and standards requiring compliance"
2.12 Risk Management
- <Don C. Weber> Description - "to identifying and assessing risks to personnel, data, and information technology assets and to manage"
- <Ron W> Section 2.12.1,
- Add, "Coordinate with other organizational risk management programs"
- Add, "Manage the risk assessment process to capture threats and vulnerabilities associated with specific information systems or assets"
- Add, "Direct the risk exception process for accepted residual risk" [may be redundant with line 833]
- Line 834, shouldn't this be in section 2.12.4?
- <Ron W> Section 2.12.2,
- Add, "Create the facility to capture all risks and risk mitigation plans"
- <Ron W> Section 2.12.3,
- Add, "Use the facility designed to capture the risks, risk mitigation plans, and risk exceptions"
2.13 Strategic Management
- <Ron W> In 2.13.1 add "Manage the Enterprise Information Security Architecture (EISA) function and process"
- <Ron W> In 2.13.2 add "Establish the Enterprise Information Security Architecture program to create the appropriate security infrastructure for the organization"
2.14 System and Application Security
- <Ron W> I recommend changing SDLC to SLC: System Life Cycle. SDLC refers only to a project and does not reflect the entire life of a system. SDLC tends to ignore ongoing maintenance and management.
- <Ron W> Under 2.14.1 add, "Understand the risk posture for the organization" and "Collaborate with IT Project Management to integrate security functions into the project management process"
- <Ron W> In 2.13.3, first bullet add after policies, "standards and best practices"
- Add as a bullet, "Perform the processes and procedures to identify and reduce threats associated with the engineering process"
- Change sixth bullet to, "Reengineer security controls to mitigate threats and vulnerabilities identified during the operations phase"
- <Ron W> In 2.14.4 add, "Assess all project documentation to ensure inclusion and accuracy of security information"
Security Researcher
- <Don C. Weber> Description Draft
- Refers to the knowledge, understanding, and application of software and hardware analysis techniques used for research into the ways that software and hardware respond to normal and anomalous activity generated by users and other technologies, usually with the intent to locate vulnerabilities that can be exploited to adversely affect the confidentiality, integrity, and availability of data interacting with the technologies being researched.
The IT Security Essential Body of Knowledge
3.1 Data Security
- <Don C. Weber> If you have confidentiality don't you have privacy? Is having these in the same sentence redundant?
- <Don C. Weber> Where are the common definitions for all these terms maintained? You cannot list them here and not provide a definition guide. If you do then different people and organizations will have different definitions.
- <Don C. Weber> Add terms: Spyware, Malware, Privacy Statement, Mission Critical Information, Security Banner, Acceptable Use, P2P, Bit Torrent, Obfuscation, covert channel, application firewall, data layer protection, extrusion.
3.2 Digital Forensics
- <Don C. Weber> Add terms: write blocker, log analysis, master boot record, ext2, ext3, NTFS, FAT32, (insert more file systems here)
- <Ron W> Add "Documentation"
3.3 Enterprise Continuity
3.4 Incident Management
3.5 IT Security Training and Awareness
3.6 IT Systems Operations and Maintenance
3.7 Network Security and Telecommunications
- <Don C. Weber> I find it odd that "data encryption techniques" is listed in the description of this area. Data encryption should be addressed in the Data Security area. Albeit secure transport will probably be addressed in the Design and Implementation breakdown, I do not think it is necessary to mention secure transport in the description of this area.
- <Don C. Weber> Although telecommunications does traverse data networks it is not always necessarily the case. You have lumped it into the network area but only work networking into the description. Unless you are only speaking to VOIP which I believe is severely limiting the scope of telecommunications.
- <Don C. Weber> I recommend "defense-in-depth strategies" be changed to "deployment strategies" as defense-in-depth is limiting and open to discussion and controversy.
- <Don C. Weber> 2.7.1 add "Establish a network security and telecommunication change management program that integrates with the organization's enterprise change management structure."
3.8 Personnel Security
3.9 Physical and Environmental Security
3.10 Procurement
3.11 Regulatory and Standards Compliance
- <Ron W> Add to Standards, "Payment Card Industry (PCI), Data Security Standard (DSS)"
3.12 Risk Management
- <Ron W> Add "Residual Risk"
3.13 Strategic Management
3.14 System and Application Security
- <Ron W> Add "Program and Project Management"
Security Researcher
IT Security Roles, Competencies and Functional Perspectives
4.2 Digital Forensics Professional
4.3 Information Security Officer / Chief Security Officer
4.4 IT Security Compliance Professional
4.5 IT Security Engineer
4.6 IT Systems Operations and Maintenance Professional
4.7 IT Security Professional
4.8 Physical Security Professional
4.9 Privacy Professional
<Rebecca Herold> Change line 1173 to, “governance model to assure the appropriate handling of Personally Identifiable Information (PII) as well as any other information that could jeopardize the privacy of customers or employees.”
<Rebecca Herold NOTE> Privacy can be compromised in more ways beyond just mishandling items formally defined as PII. The organization’s privacy professional must understand this and address it appropriately with policies, procedures, training and ongoing awareness.
<Rebecca Herold> Change line 1174 to, “The privacy professional ensures PII and associated personal information is managed securely throughout the information life cycle, from”
<Rebecca Herold> Change line 1179 to, “• Information Security Training and Awareness: Design, Evaluate”