What is the objective of the external monitoring domain of the maintenance model?

The Security Maintenance Model

A maintenance model is intended to complement the chosen management model and focus organizational effort on maintenance.

  • External monitoring: The objective of the external monitoring domain in the maintenance model is to provide early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks so that an effective and timely defense can be mounted.
  • Internal monitoring: The objective of the internal monitoring domain is an informed awareness of the state of the organization's networks, information systems, and information security defenses. The security team documents and communicates this awareness, particularly when it concerns system components that face the external network. Internal monitoring is accomplished by:
    • Building and maintaining an inventory of network devices and channels, IT infrastructure and applications, and information security infrastructure elements
    • Active participation in, or leadership of, the IT governance process within the organization to integrate the inevitable changes found in all network, IT, and information security programs
    • Real-time monitoring of IT activity using intrusion detection systems to detect and initiate responses to specific actions or trends of events that introduce risk to the organization's assets
    • Periodic monitoring of the internal state of the organization's networks and systems
  • Planning and risk assessment: The primary objective of the planning and risk assessment domain is to keep an eye on the entire information security program. This is accomplished by:
    • Establishing a formal information security program review
    • Instituting formal project identification, selection, planning, and management processes
    • Coordinating with IT for risk assessment and review for all IT projects
  • Vulnerability assessment and remediation: The primary objectives of the vulnerability assessment and remediation domain are to identify specific, documented vulnerabilities and remediate them in a timely fashion. This is accomplished by:
    • Using vulnerability assessment procedures that are documented to safely collect intelligence about network, platforms, dial-in modems, and wireless network systems
    • Documenting background information and providing tested remediation procedures for the reported vulnerabilities
    • Tracking, communicating, reporting, and escalating to management the itemized facts about the discovered vulnerabilities and the success or failure of the organization to remediate them


CSS 111 - Introduction to Information System Security

Chapter 12, Information Security Maintenance

Objectives:

This lesson discusses maintaining a security program. Objectives important to this lesson:

  1. Ongoing maintenance
  2. Management models
  3. Monitoring the environment

Concepts:

Chapter 12

Chapter 12 closes the book, and discusses maintaining your IT security system and program once they are installed. The author points out that protection must be dynamic and fluid because threats, exploits, and risks are always changing and new ones are always emerging.

On page 511, the text has a list of seven events that may require a reaction or a change in a security program:

  • adding or removing assets
  • discovery of new vulnerabilities
  • changes in priorities
  • changes in partnerships (the text shows this as two bullets)
  • loss of skilled personnel
  • new personnel

The point in the text is that any or all of these events may occur while you are standing up your security program, which should lead you to start a cycle of reexamination and improvement. The text should point out that these events take place constantly, so staff who work in IT security should be watching for them. When these and other changes take place, IT security staff should take the actions that are required, whether those actions are to make improvements or to rebuild entire solutions.

The text spends the next twenty-four pages discussing the application of a security management model from NIST. Refer to the thirteen-point list on page 575 (in the chapter review) to see an overview of this model. It is probably never used in its entirety.

Many organizations are very compartmented, and the interests of the security division may be addressed by mandated interactions between it and other departments, rather than by direct oversight. For instance, it seems very appropriate that the head of the security division should be involved in information security governance, security planning, and risk management. It seems less likely that such a person would be involved in system development, except for systems the security staff own or use. Security awareness and training? Sure. Capital planning and investment control? Not really, except to make proposals for spending in the security division. I think the author may have inserted this section on managing security simply because he had not used it yet in this book. It is useful background about things a company might do, but it does not fit in the chapter as well as we might like. Be aware that several of these concerns may fall under other organizational banners, for reasons that have to do with organizational structure, money and staffing, or both.

On page 536, the author returns to the topic of the chapter. He presents a list of five subject areas that all fit in the larger concept of security maintenance. Then the headings on the sections that follow make it difficult to know which pages are about which subject area.

  • external monitoring (page 536) - We must watch for attacks that originate outside our organization, but this topic covers more than that; we must develop a network of sources to learn about possible threats, agents, vulnerabilities, and so on. The text recommends:
    • vendor sites, announcements, and patches
    • CERT (Computer Emergency Response Team), which sounds like one source, but nations, states, and organizations can each have their own CERT that can be a source of news, warnings, and remedial procedures
    • blog sites, public information and reference sites, trusted information sites
  • internal monitoring (page 541) - We should keep an inventory of our assets, monitor what they are used for, and monitor their performance. This subject area includes inventories, baselines, and intrusion detection and prevention.
  • planning and risk assessment (page 544) - We need to audit new projects and installed systems to make recommendations or requirements for making them more secure. We might have security policies in place, for example, that call for an audit of each new server to determine whether it meets our company's standards for secure operation. This subject area includes determining risks whenever our environment changes.
  • vulnerability assessment and remediation (page 550) - This subject area includes determining vulnerabilities, recommending or requiring remediation, and penetration testing to measure the effectiveness of our safeguards. This subject area and the previous one may be grouped together.
  • readiness and review (page 562) - We can consider this subject area the quality improvement aspect of our security program. It includes reviews of the entire program, reviews of policies, and practice exercises to test our ability to use our solutions. We might practice the same scenarios used in penetration testing, but in this area we can tell the staff who are meant to react what they should be doing, to test new and old methods, and to look for areas to improve.
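The internal monitoring area above rests on two things: an inventory (the baseline of what the security team believes is deployed) and periodic monitoring that is compared against it. The following is an added example, not code from the textbook or from the course, showing that comparison in Python. The asset records, the "scanner output" and the severity rules are all constructed for the demonstration; a real program would load the inventory from its asset database and the current state from a scanner export. Deviations on components that face the external network are rated higher, in line with the text's emphasis on those components.

```python
"""Internal monitoring: compare a current network scan against the approved
asset inventory (the baseline) and report deviations.

Hypothetical example; all sample data below is constructed for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    ip: str
    services: frozenset          # (port, name) pairs observed listening
    external_facing: bool = False


# Constructed baseline: what the inventory says should be on the network.
BASELINE = {
    a.ip: a for a in [
        Asset("web01", "203.0.113.10", frozenset({(443, "https")}), external_facing=True),
        Asset("db01", "10.0.1.20", frozenset({(5432, "postgres")})),
        Asset("fs01", "10.0.1.30", frozenset({(445, "smb")})),
    ]
}

# Constructed result of a periodic scan, as a scanner export might produce it.
CURRENT_SCAN = [
    Asset("web01", "203.0.113.10", frozenset({(443, "https"), (22, "ssh")}), external_facing=True),
    Asset("db01", "10.0.1.20", frozenset({(5432, "postgres")})),
    Asset("unknown", "10.0.1.77", frozenset({(3389, "rdp")})),
]


def compare_inventory(baseline, scan):
    """Return findings as (severity, message) tuples, highest severity first.

    Three kinds of deviation are reported: a host the inventory does not
    list, a listening service the inventory does not expect (rated 'high'
    when the host faces the external network), and an inventoried host or
    service that the scan no longer sees.
    """
    findings = []
    seen = set()
    for asset in scan:
        seen.add(asset.ip)
        known = baseline.get(asset.ip)
        if known is None:
            findings.append(("high", f"unlisted host {asset.ip} ({asset.host}) "
                                     f"with services {sorted(asset.services)}"))
            continue
        severity = "high" if known.external_facing else "medium"
        for port, name in sorted(asset.services - known.services):
            findings.append((severity, f"{known.host} ({asset.ip}): unexpected service {name}/{port}"))
        for port, name in sorted(known.services - asset.services):
            findings.append(("low", f"{known.host} ({asset.ip}): expected service {name}/{port} not responding"))
    for ip, known in baseline.items():
        if ip not in seen:
            findings.append(("medium", f"inventoried host {known.host} ({ip}) not found in scan"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])   # sort is stable


if __name__ == "__main__":
    for severity, message in compare_inventory(BASELINE, CURRENT_SCAN):
        print(f"[{severity:6}] {message}")
```

Run as a script it lists the new SSH listener on the external-facing web server, the unlisted host offering RDP, and the file server that did not answer. The point of keeping the output as structured findings rather than printed text is that the same records can feed the tracking and escalation step described under vulnerability assessment and remediation.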

The chapter concludes with a discussion of forensics, gathering and preserving evidence when there is suspected wrongdoing.

A forensic investigation is typically one that concerns a crime. This section is about computer forensics, investigations into crimes that involve computers and other information system equipment. The text discusses five aspects of an investigation:

  • secure the scene and determine what items are evidence - The team mentioned in the text may be called an Incident Response Team, a Forensics Response Team, a Digital Forensics Team, or another title that means the same thing. They are responsible for taking possession of devices that might hold any data that might contain evidence of the crime being investigated.
  • acquire and preserve the evidence - This aspect is closely related to the first, in that the response team may have to take images of data in RAM that would be lost if not recorded before the power is turned off.
  • establish (and maintain) the chain of custody - There must be a continuous documentation of who has had access to seized devices and data, who has done what with it, and who it is turned over to at each change in custody.
  • examine for evidence - Although the other discussions have used the word "evidence" several times, this one brings up the point that not everything you find is actually evidence. At this stage, only things that indicate or prove a crime was committed can be considered as evidence that will be presented in court.
  • report to proper authority - The proper authority will always include the people you work for, and may include police or court officers, depending on the type of investigation.
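The second and third aspects above (preserve the evidence, maintain the chain of custody) are usually tied together in practice by a cryptographic hash: the image is hashed when it is acquired, and every hand-off records the hash again so the receiver can show the item is unchanged. The following is an added example, not code from the textbook or the course, of that record-keeping in Python. The "image" is a constructed byte string standing in for a disk or memory image, and the names, item id and purposes are made up; a real log would hash the image file on disk and be kept somewhere the examiners cannot alter.

```python
"""Evidence preservation and chain of custody, in miniature.

Hypothetical example. EVIDENCE_IMAGE is a constructed stand-in for a disk or
memory image; real acquisitions hash the image file.
"""
import hashlib
from datetime import datetime, timezone


def fingerprint(data: bytes) -> str:
    """SHA-256 of the image, recorded at acquisition. Any later change to the
    image changes this value, which is how integrity is demonstrated."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """One seized item and the ordered list of everyone who has held it."""

    def __init__(self, item_id: str, description: str, image: bytes, acquired_by: str):
        self.item_id = item_id
        self.description = description
        self.acquisition_hash = fingerprint(image)
        self.entries = []
        self._record(acquired_by, acquired_by, "acquired and imaged", image)

    def _record(self, holder_from, holder_to, purpose, image, when=None):
        when = when or datetime.now(timezone.utc)
        self.entries.append({
            "when": when.isoformat(),
            "from": holder_from,
            "to": holder_to,
            "purpose": purpose,
            "hash": fingerprint(image),   # re-hashed at every hand-off
        })

    def transfer(self, holder_from, holder_to, purpose, image, when=None):
        """Record a hand-off. Refuses if the giver is not the current holder,
        because that is exactly the gap in custody a court will ask about."""
        current = self.entries[-1]["to"]
        if current != holder_from:
            raise ValueError(f"custody break: {holder_from} is not the current holder ({current})")
        self._record(holder_from, holder_to, purpose, image, when)

    def current_holder(self) -> str:
        return self.entries[-1]["to"]

    def verify(self) -> bool:
        """True only if every hand-off hash equals the acquisition hash."""
        return all(e["hash"] == self.acquisition_hash for e in self.entries)


# Constructed sample image bytes.
EVIDENCE_IMAGE = b"constructed sample disk image bytes\x00\x01\x02"


def demo():
    """Walk an item through three hand-offs, then simulate a modified image
    being returned. Returns (intact_before, intact_after, holder, entries)."""
    log = CustodyLog("EXH-001", "laptop SSD image (constructed sample)",
                     EVIDENCE_IMAGE, "first responder")
    log.transfer("first responder", "evidence locker", "storage pending exam", EVIDENCE_IMAGE)
    log.transfer("evidence locker", "examiner", "forensic examination", EVIDENCE_IMAGE)
    intact_before = log.verify()
    # The examiner hands back something that is not byte-for-byte the image:
    # the log records it and verify() now fails.
    log.transfer("examiner", "evidence locker", "return after exam", EVIDENCE_IMAGE + b"!")
    return intact_before, log.verify(), log.current_holder(), len(log.entries)


if __name__ == "__main__":
    print(demo())   # (True, False, 'evidence locker', 4)
```

The examiner works on a copy and the original image stays in the locker, which is why the returned item should always hash to the acquisition value; a mismatch, as in the last step of the demo, is itself something to report to the proper authority rather than quietly fix.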

Assignment 1: Chapter 12 Review Questions

  1. Answer the following review questions for chapter 12, which start on page 575: 3, 8, 9, 15, and 20.
  2. Turn in your answers on Blackboard or an email to me, saved in a doc or docx file.


What is the main objective of external monitoring?

The objective of the external monitoring domain within the maintenance model is to provide early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks that the organization needs in order to mount an effective and timely defense.

What are the primary objectives of the internal monitoring domain?

The primary goal of the internal monitoring domain is an informed awareness of the state of the organization's networks, information systems, and information security defenses. This awareness must be communicated and documented, especially for components that are exposed to the external network.

What are the five domains of the general information security maintenance model?

The five domains of the security maintenance model are external monitoring, planning and risk assessment, internal monitoring, readiness and review, and vulnerability assessment and remediation.

What is the primary objective of the readiness and review domain of the maintenance model?

The primary goal of the readiness and review domain is to keep the information security program functioning as designed and to keep it continuously improving over time.