Cybersecurity: The Essential Body of Knowledge
Chapter 2: A Global Roadmap for Security

At a Glance

Instructor’s Manual Table of Contents
Overview
Chapter Topics
Teaching Tips
Quick Quizzes
Class Discussion Topics
Additional Projects
Additional Resources
Key Terms

Lecture Notes

Overview
This chapter introduces the EBK framework and discusses the logical relationship of the elements of security within it. The roles, competency areas, and functions within the EBK are explored.

Chapter Topics
In this chapter, your students learn about:
Narrowing the Search: More Questions
EBK Competency Areas
Getting Real: Focusing on Implementation
Roles in the EBK
Organization of Roles in the EBK Framework
Common Functions
The Story Continues: It’s Never As Easy As It Seems
The Story Evolves: Learning How to Make Adjustments
Adapting the EBK to the Actual Situation

Teaching Tips

Narrowing the Search: More Questions
1. Explain that the CEO was concerned with ensuring that the EBK would remain a viable model for the organization’s information security program.
2. Explain that the EBK is based on the opinions of subject matter experts and represents a best practice in most security situations.
3. Discuss that the most important task ahead of the study team was to develop a methodology for applying the EBK to the specific needs of the organization.

EBK Competency Areas
1. Explain that there are fourteen competency areas in the EBK, and that each competency area represents a required component of good security practice.
2. Discuss that by using the detailed specification of practices that the EBK provides, a company can model its own tangible security infrastructure.

Fifty-Three Critical Work Functions
1. Explain that the experts who formulated the EBK included the specific behaviors that they deemed necessary to ensure correct security practice within each competency area.
2. Discuss that the standards for these behaviors became the 53 critical work functions (CWF), and that each critical work function encompasses multiple tasks.
3. Explain that each of the competency areas was given a functional definition in section 4.0 of the EBK.
4. Explain that there are four standard types of functional activity: manage, design, implement, and evaluate.

Fourteen Competency Areas
1. Describe the fourteen competency areas:
   a. Data Security—techniques aimed at ensuring the security of electronic data
   b. Digital Forensics—techniques aimed at evidence collection after an adverse event
   c. Enterprise Continuity—techniques aimed at ensuring the continued functioning of the enterprise after an adverse event
   d. Incident Management—techniques specifically aimed at responding to incidents as they occur
   e. IT Security Training and Awareness—techniques aimed at ensuring the competency of the members of the organization
   f. IT Systems Operations and Maintenance—techniques aimed at ensuring the continuous secure functioning of the enterprise
   g. Network Security and Telecommunications—techniques aimed at ensuring the continued secure functioning of all information communications
   h. Personnel Security—techniques aimed at ensuring secure practice by the employees of the organization
   i. Physical and Environmental Security—techniques aimed at ensuring secure physical practice within a secure space
   j. Procurement—techniques aimed at ensuring that purchased goods and services are delivered in a secure state
   k. Regulatory and Standards Compliance—techniques aimed at ensuring that the enterprise does not violate a regulation, standard, or law related to security
   l. Risk Management—techniques for the ongoing assessment and assurance of identified risk
   m. Strategic Security Management—strategic methods for ensuring that the organization maintains a secure infrastructure
   n. System and Application Security—techniques for ensuring that the operating environment of the machine and all of its associated applications remain secure

Teaching Tip
Provide and discuss examples of the fourteen competencies.

Quick Quiz 1
1. What is the competency aimed at ensuring secure practice by the employees of the organization?
   Answer: Personnel Security
2. Which competency area ensures the continuing functioning of the enterprise after an adverse event?
   Answer: Enterprise Continuity
3. True or False: There are 10 competency areas in the EBK.
   Answer: False

Getting Real: Focusing on Implementation
1. Explain that the EBK is role-based rather than based on a static implementation process like ISO 27000.
2. Discuss the issue that the EBK is not a certifiable information security management system (ISMS).
3. Explain that the essence of the implementation was to translate the generic security activities in the EBK into an explicit policy and procedure framework for the various existing roles in the company.

Roles in the EBK
1. Explain that the 10 roles in the EBK represent job functions rather than job titles.
2. Discuss that job titles can vary, but roles are a generic approach to defining jobs in any organization.
3. Explain that the mapping between EBK roles and an organization’s existing job titles is accomplished by examining the tasks associated with the roles.

Organization of Roles in the EBK Framework
1. Explain that the ten roles in the EBK fall into one of three groups: executive, functional, and corollary.
2. Discuss that security is complete if all of the job functions associated with security can be mapped to an EBK role and work requirement, and all role and work requirements in the EBK are satisfied by the mapping.
3. Remind students that the EBK was developed from a broad set of frameworks, including COBIT, the ISO 27000 series, the CISSP body of knowledge, and the many best practices in the NIST 800 series special publications.

Executive Roles
1. Explain that the three executive roles in the EBK, which are typically single positions, are the chief information officer, the information security officer, and the IT security compliance officer.
2. Describe the function of the CIO and explain that, as the executive leader for IT operations, it is probably the easiest role to satisfy.
3. Explain that the information security officer can have many titles, that the most common title is chief information security officer, and that this role is the strategic manager of the IT security operation.
4. Describe the primary responsibility of the IT security compliance officer as ensuring that the IT function has all the necessary security controls in place and that those controls are operating properly.

Functional Roles
1. Describe the responsibilities of the functional roles: the digital forensics professional, IT security engineer, IT systems operations and maintenance professional, and IT security professional.
2. Define the digital forensics professional as a highly specialized role that is expressly oriented toward the collection and analysis of digital evidence.
3. Explain that the IT security engineer is typically the architect of the IT security solution.
4. Explain that the IT security professional role differs from the IT security engineer role in that the professional implements rather than designs.

Corollary Roles
1. Describe the remaining roles, which support the information security function but do not necessarily execute it directly.
2. Explain that the corollary roles are the physical security professional, privacy professional, and procurement professional.

Common Functions
1. Explain that the roles and competencies are further broken down into functions: manage, design, implement, and evaluate.
2. Define the manage functions as those related to the supervision and administration of the competency area.
3. Explain that the design functions are those that relate to the conceptualization and development of security-related functionality.
4. Describe the implement functions as those that involve the tasks associated with establishing operational security measures.
5. Remind students that the evaluate functions are equivalent to an internal audit of security functionality.

Teaching Tip
Work with students to establish the conceptual boundaries between roles, competencies, and common functions.

Quick Quiz 2
1. True or False: The executive role of the CIO is clearly defined in most organizations.
   Answer: True
2. The EBK defines ____ roles.
   a. 8
   b. 9
   c. 10
   d. 11
   Answer: C
3. The _____ roles are typically single positions.
   Answer: executive
4. The common function _____ group describes functions related to the conceptualization and development of security-related functionality.
   a. manage
   b. design
   c. implement
   d. evaluate
   Answer: B
5. True or False: The privacy professional ensures that personally identifiable information (PII) is kept confidential.
   Answer: True

The Story Continues: It’s Never as Easy as It Seems
1. Explain that even though the material defined for each role in the EBK is very straightforward, it is very difficult to map the operational duties of individuals in an organization to the intentionally generic definitions of the EBK.

Converting Roles, Competencies, and Functions into an Actionable Plan
1. Explain that every organization must undergo a tailoring process to adapt the generic aims of the EBK, or of any generic model, into a set of concrete actions.
2. Explain that the company-wide information security system, which the tailoring process eventually produces, integrates all necessary controls for all relevant recommendations into a single comprehensive solution.
3. Explain that the aim of the tailoring process is to drill down from the framework’s abstract view of the question in order to define an explicit set of behaviors that align with the needs of the particular situation.
4. Explain that each control has to be documented individually in order to put it into practice.

The Importance of Planning
1. Define the management plan as the plan that lays out the behaviors that the organization believes will satisfy the intent of the management functions described in the EBK.
2. Explain that the design and implementation plan defines the behaviors that the organization believes will satisfy the EBK’s recommendations regarding the design and implementation of the common functions that are part of each competency area.
3. Describe how the evaluation plan documents how the company will assure performance, and explain that the evaluation plan is written to ensure the consistent execution of the behaviors specified in the management plan and the design and implementation plan.

Teaching Tip
Discuss with students the importance of tailoring and of the planning process that turns a generic framework into an implementable information security management system.

The Story Evolves: Learning How to Make Adjustments
1. Describe to students how even the most detailed plans cannot encompass all possible implementations.

Adapting the EBK to the Actual Situation
1. Explain that although the EBK was developed using the most authoritative sources available, it was never intended to provide a single monolithic definition of secure practice.
2. Explain that an organization will likely need to add roles and competencies that are not in the basic model.
3. Explain that the EBK expands in two logical dimensions: first by adding roles, and then by adding competencies to each role.

Teaching Tip
Discuss with students the complex process involved in adapting a generic framework to an organization and its processes.

Quick Quiz 3
1. True or False: The tailoring process is a standard mechanism that the organization adopts to transform the general aims of any generic model into a set of concrete actions that will define, in each instance, how the work will be done.
   Answer: True
2. The _____ information security system, which a tailoring process eventually produces, integrates all necessary controls for all relevant recommendations into a single comprehensive solution.
   a. department
   b. master
   c. company-wide
   d. unit
   Answer: C
3. It takes a great deal of exhaustive _____ in order to establish the necessary controls to ensure company-wide security, particularly in a large and complex organization.
   Answer: planning
4. Which plan documents how the company will assure performance?
   Answer: evaluation plan

Class Discussion Topics
1. What are some possible methods for adapting generic frameworks into operational plans?
2. Why is a generic framework like the EBK insufficient to meet all the information security needs of an organization?

Additional Projects
1. Have students look at jobs in the information security field and try to assign those jobs to a role in the EBK.
2. Have students analyze a job description for an information security position and assign the individual job duties to common functions.

Additional Resources
1. CISSP CBK: https://www.isc2.org/cissp/default.aspx
2. Security Process Map: http://technet.microsoft.com/en-us/security/cc451907
3. The 20 Coolest Jobs in Information: http://www.sans.org/20coolestcareers/
4. What is a Chief Security Officer: http://www.csoonline.com/article/221739/what-is-a-chief-security-officer-

Key Terms
Best practice: The commonly accepted best way to perform a task.
Completeness: A state in which all necessary criteria and requirements have been satisfied. In the case of the EBK, it refers to the mapping requirements for competencies.
Design functions: In the EBK, these relate to the design of security-related functionality; they can be technical, architectural, or work-process related.
EBK framework: The overall conceptual model for the EBK.
Evaluate functions: In the EBK, these are equivalent to an internal audit of security functionality to assess the effectiveness of policies, procedures, programs, or controls in achieving security objectives.
Implement functions: In the EBK, these involve tasks associated with the implementation of operational security measures, including programs, policies, and procedures.
Manage functions: In the EBK, these are management activities such as overseeing technical and operational work from the highest levels. These functions keep the security system current with the changing risk and threat environments.
Mapping: Making an explicit and documented connection between two entities.
Terminology: The terms used for a given purpose by a particular field, or in a specific context.