Cyber Security Architecture Risk Assessment


May I suggest you download the entire document, as it does not display well on Academia.

This document will help you to baseline your risk position to create a SABSA study and it will help you build any type of cyber security architecture program. Please call me at 804-855-4988 if you need me to walk you through this project.

You can also link this to the Risk Management Framework (RMF) and the Cybersecurity Framework (CSF) process.

Please note that we added the "completed RA" example to this document. The example only shows the RA for
the technical features.

Please remember you can add and subtract any type of system or process when creating your own end-to-end RA matrix process.

Good hunting

Bill
Common Security Architecture and Procedures: product or process description

Technical solutions

Data Loss Prevention (for databases/storage, the network, and endpoints, e.g. Symantec Vontu): A data loss prevention solution is a system designed to detect potential data breach / data exfiltration transmissions and prevent them by monitoring, detecting and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage). In data leakage incidents, sensitive data is disclosed to unauthorized personnel either through malicious intent or by inadvertent mistake. Such sensitive data can take the form of private or company information, intellectual property (IP), financial or patient information, credit-card data, and other information depending on the business and the industry.
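As an added illustration (not part of the original document) of the in-motion inspection a DLP engine performs, the Python below scans constructed sample messages for credit-card numbers. It pairs a loose digit pattern with a Luhn mod-10 check so that an arbitrary 16-digit string such as an order reference is not blocked, and masks all but the last four digits in the verdict so the alert itself does not leak the card number. The sample messages, the BLOCK/ALLOW policy and the masking format are assumptions made for the example.

```python
import re

# Constructed outbound payloads for the example (not from the original document).
# 4242... and 5555...4444 are publicly documented payment-gateway test numbers.
SAMPLE_MESSAGES = [
    "Invoice 4242-4242-4242-4242 attached, please pay by Friday",
    "Order ref 1234567812345678, ship to warehouse B",
    "Call me at 555-0100, nothing sensitive here",
    "Card 5555 5555 5555 4444 exp 12/29 cvv 123",
]

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """True if the digit string passes the Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Candidate card numbers in text that also pass Luhn; separators are stripped first."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan):
    """Keep only the last four digits so the DLP alert does not itself disclose the PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def inspect(messages):
    """Return (verdict, masked_pans) per message: BLOCK when a Luhn-valid PAN is present."""
    results = []
    for msg in messages:
        pans = find_pans(msg)
        results.append(("BLOCK" if pans else "ALLOW", [mask(p) for p in pans]))
    return results
```

The Luhn step is what keeps the false-positive rate tolerable; a real deployment would add issuer prefix (BIN) checks, keyword context and file-type handling, and would inspect decrypted content at the proxy, since an encrypted channel hides the payload from a network sensor.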

Account provisioning tools used locally and across the enterprise: In general, provisioning means "providing" or making something available. Account provisioning is providing user account services such as account creation/deletion and account support services.

Anti-virus software: Antivirus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software (malware). Two techniques are generally used: 1. examining (scanning) files for known malware matching signatures in a definition database; 2. identifying suspicious behaviour from any program that might indicate infection.

Application code security test scanners: Understanding common application security errors, including backdoors, exception handling and failure notification, ID/password and user account handling, information leaks, data tampering, parameter/variable tampering, SQL injection, buffer overflow, client-side handling/mishandling, cross-site scripting, timing, insecure initial defaults and other errors.

Application testing tools: Provide an easy-to-use, consistent and cost-effective way of testing web sites, web servers and intranet applications, and of analysing performance characteristics under various load conditions to find bottlenecks in web applications.

Certificate authority: A certificate authority (CA) is an authority in a network that issues and manages digital certificates, which bind public keys to the identities of their owners for encryption and authentication. As part of a public key infrastructure (PKI), a CA checks with a registration authority (RA) to verify the information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA can then issue the certificate. Depending on the PKI implementation, the certificate includes the owner's public key, the expiration date of the certificate, the owner's name, and other information about the public key owner.

Compliance management tool and process: Process incorporating operational reporting, proper notification and escalation, and keeping track of users and what they are doing, as well as certifying the minimum access rights required for them to perform their job functions; used to ensure compliance with Sarbanes-Oxley and other government regulations.

Configuration management tools: Configuration management (CM) is the detailed recording and updating of information that describes an enterprise's computer systems and networks, including all hardware and software components.

Code Security Analysis (manual and leveraging automated scanning tools): Understanding common application security errors, including backdoors, exception handling and failure notification, ID/password and user account handling, information leaks, data tampering, parameter/variable tampering, SQL injection, buffer overflow, client-side handling/mishandling, cross-site scripting, timing, insecure initial defaults and other errors.

Content filtering (inbound and outbound): The blocking, or "filtering", of undesirable Internet content. Blocking can be based on traffic type or on category, through the use of URL lists catalogued by content (these catalogues are subscription based and updated frequently).

Database Security: Database security concerns the use of a broad range of information security controls to protect databases (potentially including the data, the database applications or stored functions, the database systems, the database servers and the associated network links) against compromises of their confidentiality, integrity and availability. It involves various types or categories of controls, such as technical, procedural/administrative and physical.

Denial of Service protection: A denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means, motives and targets of a DoS attack may vary, it generally comprises the concerted, malevolent efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely.

Encrypted file system: The Encrypting File System (EFS) is a feature of Windows 2000 and newer operating systems that lets any file or folder be stored in encrypted form and decrypted only by an individual user and an authorised recovery agent. EFS is especially useful for mobile computer users, whose computer (and files) are subject to physical theft, and for storing highly sensitive data.

Encrypted storage devices on device and removable media: Data encryption of removable media prevents data visibility in the event of unauthorised access or theft, and is increasingly recognised as the optimal method for protecting data at rest.

Encryption and Key Management (whole disk, file-level, network, database, PGP, MS Certificate Services, and backup tapes): Cryptographic transformation of data (called "plaintext") into a form (called "ciphertext") that conceals the data's original meaning to prevent it from being known or used. Encrypted data is only as well protected as its keys, so key management (generation, distribution, rotation, recovery/escrow and destruction) is part of the control; backup tapes in particular need keys that will still be recoverable when the tapes are restored years later.

Encryption (data at rest): Data encryption, which prevents data visibility in the event of unauthorised access or theft, is commonly used to protect data in motion and is increasingly recognised as the optimal method for protecting data at rest.

Expired account removal: The primary goal of expired account removal is to identify processes that target and manage user accounts that meet certain inactivity thresholds and/or account properties.
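An added example, not from the original document, of the inactivity thresholds and account properties such a process evaluates. Constructed account records are reviewed against assumed thresholds (90 idle days to disable, 180 to delete a disabled account); an account that has never logged in is aged from its creation date so that provisioned-but-unused accounts do not stay enabled indefinitely, and service accounts are routed to owner review instead of automatic removal, since disabling one silently breaks a business process.

```python
from datetime import date

# Constructed account records for illustration (not from the original document).
# last_login is None for accounts that have never been used.
ACCOUNTS = [
    {"user": "alice", "last_login": date(2024, 5, 30), "created": date(2020, 1, 15), "enabled": True, "service": False},
    {"user": "bob", "last_login": None, "created": date(2024, 1, 3), "enabled": True, "service": False},
    {"user": "carol", "last_login": date(2024, 1, 10), "created": date(2019, 6, 1), "enabled": True, "service": False},
    {"user": "svc-backup", "last_login": date(2023, 1, 1), "created": date(2018, 3, 3), "enabled": True, "service": True},
    {"user": "dave", "last_login": date(2023, 2, 1), "created": date(2021, 2, 1), "enabled": False, "service": False},
]
REVIEW_DATE = date(2024, 6, 1)  # assumed date of the scheduled review run


def idle_days(account, today):
    """Days since last use. A never-used account ages from its creation date so a
    provisioned-but-unused account cannot stay enabled forever."""
    reference = account["last_login"] or account["created"]
    return (today - reference).days


def review(accounts, today, disable_after=90, delete_after=180):
    """Return the action due for each account under the inactivity thresholds (in days):
    'disable' an enabled account idle past disable_after, 'delete' a disabled account idle
    past delete_after, 'review' an idle service account (owner sign-off, not auto-removal),
    None when nothing is due."""
    actions = {}
    for a in accounts:
        idle = idle_days(a, today)
        if a["service"]:
            actions[a["user"]] = "review" if idle >= disable_after else None
        elif not a["enabled"]:
            actions[a["user"]] = "delete" if idle >= delete_after else None
        else:
            actions[a["user"]] = "disable" if idle >= disable_after else None
    return actions
```

Disabling before deleting gives a grace period in which a legitimate user can be re-enabled without re-provisioning, and keeps the account's audit trail intact until the deletion threshold passes.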

Email Filtering (e.g., Anti-virus, Anti-Spam, Content Filtering): Email filtering is the processing of email to organize it according to specified criteria. Most often this refers to the automatic processing of incoming messages, but the term also applies to the intervention of human intelligence in addition to anti-spam techniques, and to outgoing emails as well as those being received.

Email encryption: Email encryption is the encryption of email messages to protect the content from being read by entities other than the intended recipients. Email encryption may also include authentication of the sender.

Endpoint Protection (e.g., Anti-Virus, Personal Firewall, and Application Executable Control from vendors such as Symantec and McAfee): Centrally managed antivirus and personal firewall products in corporate environments reduce risk by protecting servers and workstations against attacks that have penetrated other layers of a Defense-in-Depth (DiD) security architecture.

External to internal scanning tools: External scanning devices used to discover Internet-facing devices and applications, identify network security vulnerabilities, measure and manage overall security exposure and risk, and ensure compliance with internal policies and external regulations.

Forensics: A branch of digital forensic science pertaining to evidence found in computers and digital storage media.

Firewalls, Routers, and Load-Balancers: Secure configurations provide high availability (HA), traffic optimisation, resource utilisation, and bandwidth efficiency.

Fraud management: Fraud is any intentional act committed to secure an unfair or unlawful gain. Misconduct refers to violations of law, regulations, internal policies, and expectations of ethical business conduct.

Hard disk encryption for laptops: Hard-drive encryption is a technology that encrypts the data stored on a hard drive with a symmetric cipher such as AES. Data on an encrypted hard drive cannot be read by anyone who does not have access to the appropriate key or password. This item refers to full volume encryption.

Honeypots: A honeypot is a decoy computer system expressly set up to attract and "trap" people who attempt to penetrate other people's computer systems (this includes the hacker, the cracker and the script kiddie). Because it serves no production purpose, any interaction with it is suspicious by definition.

Intrusion detection (host): A host-based intrusion detection system (HIDS) consists of an agent on a host which identifies intrusions by analysing system calls, application logs, file-system modifications (binaries, password files, capability/ACL databases) and other host activities and state.

Intrusion detection (network): Intrusion detection and prevention systems (IDPS) are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it.

Intrusion detection (wireless): Intrusion detection and prevention systems (IDPS) are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it. In the wireless case, sensors monitor 802.11 traffic and can also detect rogue access points and wireless-specific attacks such as deauthentication floods.

Identity management: Identity management involves the following essential areas: management of identities, access control and directory services. Regarding management of identities (accounts and user access),

Identity management (Federated): Identity federation comprises one or more systems that federate user access and allow users to log in by authenticating against one of the systems participating in the federation.

Information Risk Management Framework: IT organization's risk assessment framework that measures the impact of risks according to qualitative and quantitative criteria, using inputs from different areas including, but not limited to, management brainstorming, strategic planning, past audits and other assessments.

Internal pen testing: Provides insight into internal vulnerabilities and remediation requirements.

Identity and Access Control Management (e.g., LDAP, Sun Access Manager, MS Active Directory, Sun Identity Manager, Tivoli Access Manager, and Unix Account Centralization tools such as PowerBroker and other PAM-based tools): Identity management involves the following essential areas: management of identities, access control and directory services. Regarding management of identities (accounts and user access),

Incident Response and Forensic Analysis Support: A branch of digital forensic science pertaining to evidence found in computers and digital storage media.

Intrusion prevention technology: An intrusion prevention system is a security device that exercises access control to protect computers from exploitation. Intrusion prevention technology is considered by some to be an extension of intrusion detection (IDS) technology, but it is actually another form of access control, like an application-layer firewall. The latest next-generation firewalls leverage their existing deep packet inspection engine by sharing this functionality with an intrusion prevention system.

Log Monitoring (e.g., Windows, Unix, Linux, Networking, and Applications leveraging tools such as Kiwi, Snare, ArcSight, and LogLogic): Logging and review is a fundamental security control used for the identification of potential or actual security incidents. Third-party tools may increase efficiency and reduce the overhead of correlating large quantities of data into actionable events.

Logging and Auditing: Logging and review is a fundamental security control used for the identification of potential or actual security incidents.

Network and Host-based Intrusion Detection and Prevention (e.g. external monitoring integration as well as Cisco MARS): External monitoring integration or utilisation of third-party log correlation products may dramatically increase the efficiency and use of NIPS and HIPS log data.

Network intrusion detection: A network intrusion detection system (NIDS) is an independent platform which identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems gain access to network traffic by connecting to a hub, a network switch configured for port mirroring (SPAN), or a network tap.

Operating System and Application Vulnerability and Patch Analysis, Vulnerability Scanning and Penetration Testing Tools (Tripwire, Foundstone, etc.): Operating system and application vulnerability scans are an essential component of a secure environment, identifying missing patches, assuring the timeliness of patch management and verifying the implementation of secure application code.

Operating System Security Configurations (Windows, Unix (HP-UX and AIX), and Linux): Configuration management (CM) is a systems engineering process for establishing and maintaining consistency of a product's performance, functional and physical attributes with its requirements, design and operational information throughout its life.

Password strength enforcement: A strong password is sufficiently long, random, or otherwise producible only by the user who chose it, such that successfully guessing it would take too long. The length of time deemed too long varies with the attacker, the attacker's resources, the ease with which a password can be tried (online guessing against a rate-limited login versus offline cracking of a stolen hash), and the value of the password to the attacker.
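To make the "too long a time" judgement concrete, the added Python below (not part of the original document) estimates the optimistic entropy of a password from the character classes it uses and the expected cracking time under three assumed guess rates: online guessing against a rate-limited login, offline cracking of a slow hash, and offline cracking of a fast unsalted hash. The rates, the 60-bit threshold and the small blocklist are illustrative assumptions; the point of the blocklist is that class-based entropy badly overstates the strength of a password such as "Password1!".

```python
import math

# Assumed guess rates for illustration (orders of magnitude, not measurements).
GUESS_RATES = {
    "online, rate-limited": 10.0,
    "offline, bcrypt cost 12": 1.0e4,
    "offline, unsalted SHA-256": 1.0e10,
}

# Tiny constructed blocklist; production systems use breached-password corpora.
BLOCKLIST = ("password", "welcome", "qwerty", "letmein")


def charset_size(pw):
    """Size of the alphabet implied by the character classes present in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation and space
    return size


def entropy_bits(pw):
    """Upper bound on entropy, assuming every character was drawn uniformly from the
    implied alphabet. Human-chosen passwords are far less random, so this is optimistic."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def expected_guess_seconds(bits, guesses_per_second):
    """Mean time to find the password: half the keyspace at the given rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def guess_time_table(pw):
    """Expected cracking time in years under each assumed guess rate."""
    bits = entropy_bits(pw)
    year = 365.25 * 24 * 3600
    return {name: expected_guess_seconds(bits, rate) / year for name, rate in GUESS_RATES.items()}


def passes_policy(pw, min_bits=60):
    """Reject passwords built on a blocklisted word (case-insensitive substring) or whose
    optimistic entropy is below min_bits. A long lowercase passphrase passes without any
    forced symbol or digit, because length contributes more than character mix."""
    lowered = pw.lower()
    if any(word in lowered for word in BLOCKLIST):
        return False
    return entropy_bits(pw) >= min_bits
```

The table makes the enforcement trade-off visible: the same eight-character password that would survive centuries of online guessing falls in seconds to an offline attack on a fast hash, which is why the stored-hash algorithm (bcrypt, scrypt, Argon2) is part of password policy and not a separate concern.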

Patch management tools: Patch management is an area of systems management that involves acquiring, testing, and installing multiple patches (code changes) to an administered computer system.

Personal firewalls on laptops: A personal firewall (sometimes called a desktop firewall) is a software application used to protect a single Internet-connected computer from intruders. Personal firewall protection is especially useful for users with "always-on" connections such as DSL or cable modem: such hosts keep the same address for long periods, which makes them easy repeat targets for scanning, and a laptop carries the same exposure onto every untrusted network it joins.

PKI architecture: A PKI (public key infrastructure) enables users of a basically insecure public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority.

Proxy for messaging like IronPort: Proxy servers are systems established to act on behalf of other systems, providing a layer of protection and anonymity.

Proxy for user web access control like Blue Coat: The blocking, or "filtering", of undesirable Internet content. Blocking can be based on traffic type or on category, through the use of URL lists catalogued by content (these catalogues are subscription based and updated frequently).

Remote Access Authorization and Authentication (RADIUS, Secured, IPSEC and SSL VPN): Remote access services provide centralized Authentication, Authorization, and Accounting (AAA).

Risk Assessments, methodologies, and compensating controls: IT organization's risk assessment framework that measures the impact of risks according to qualitative and quantitative criteria, using inputs from different areas including, but not limited to, management brainstorming, strategic planning, past audits and other assessments.

Rogue Device Detection: Rogue detection tools implement network scanning to detect unauthorized access to a network infrastructure. Methods include verifying detected devices against an asset inventory and creating the inventory in the first place. Successive scans attempt to discover previously unidentified devices.

Rogue device identification when placed in environment: A set of technologies and solutions built into the network infrastructure enforcing security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from emerging security threats.
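The successive-scan comparison described under Rogue Device Detection, written out as an added example rather than the document's own tooling: two constructed sweep results (MAC address to IP, as an ARP or ping sweep would return them) are diffed against each other and against an assumed asset inventory, separating a genuinely unknown device from a known device that merely changed address or went offline.

```python
# Constructed data for the example (not from the original document):
# the authorised asset inventory keyed by MAC, and two successive sweep results.
INVENTORY = {
    "00:11:22:33:44:01": "fileserver-01",
    "00:11:22:33:44:02": "printer-2f",
    "00:11:22:33:44:03": "laptop-alice",
}

SCAN_T0 = {  # first sweep: MAC -> observed IP
    "00:11:22:33:44:01": "10.0.1.10",
    "00:11:22:33:44:02": "10.0.1.20",
    "00:11:22:33:44:03": "10.0.1.31",
}

SCAN_T1 = {  # second sweep: printer offline, laptop moved IP, one unknown device appeared
    "00:11:22:33:44:01": "10.0.1.10",
    "00:11:22:33:44:03": "10.0.1.35",
    "de:ad:be:ef:00:01": "10.0.1.77",
}


def rogue_devices(scan, inventory):
    """Every MAC seen in the sweep that is absent from the asset inventory."""
    return sorted(mac for mac in scan if mac not in inventory)


def diff_scans(prev, curr, inventory):
    """Classify what changed between two sweeps so only the unknown arrivals page anyone."""
    report = {"new_unknown": [], "new_known": [], "moved": [], "gone": []}
    for mac, ip in curr.items():
        if mac not in prev:
            bucket = "new_known" if mac in inventory else "new_unknown"
            report[bucket].append((mac, ip))
        elif prev[mac] != ip:
            report["moved"].append((mac, prev[mac], ip))
    for mac in prev:
        if mac not in curr:
            report["gone"].append(mac)
    return report
```

Identification by MAC address is a weak control on its own: a MAC is trivially spoofed, so this kind of sweep is a detective check that should sit behind 802.1X/NAC enforcement rather than replace it.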

Security Incident and Event Management (SIEM): Logging and review is a fundamental security control used for the identification of potential or actual security incidents. Third-party tools such as SIEMs may increase efficiency and reduce the overhead of correlating large quantities of data into actionable events.
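An added example (not from the original document) of turning raw log lines into an actionable event, the correlation the Log Monitoring and SIEM entries describe: constructed sshd-style lines are parsed into events, and a sliding window per source address raises an alert when one source fails five times within two minutes, escalating when that same source then succeeds. The log format, thresholds and addresses are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines (not from the original document); RFC 5737 addresses.
LOG_LINES = """\
2024-06-01T10:00:01 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
2024-06-01T10:00:03 sshd[2102]: Failed password for root from 203.0.113.5 port 51001 ssh2
2024-06-01T10:00:04 sshd[2103]: Failed password for root from 203.0.113.5 port 51002 ssh2
2024-06-01T10:00:06 sshd[2104]: Failed password for root from 203.0.113.5 port 51003 ssh2
2024-06-01T10:00:08 sshd[2105]: Failed password for root from 203.0.113.5 port 51004 ssh2
2024-06-01T10:00:09 sshd[2106]: Accepted password for root from 203.0.113.5 port 51005 ssh2
2024-06-01T10:05:00 sshd[2110]: Failed password for alice from 198.51.100.7 port 40000 ssh2
2024-06-01T10:20:00 sshd[2111]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2024-06-01T10:21:00 sshd[2112]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(lines):
    """Normalise each recognised line into an event dict; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "outcome": m["outcome"],
                           "user": m["user"], "ip": m["ip"]})
    return events


def correlate(events, threshold=5, window=timedelta(minutes=2)):
    """Per source IP, keep a sliding window of failure timestamps. Raise 'brute_force' once
    the window holds `threshold` failures, and 'brute_force_success' if the same IP gets an
    Accepted within `window` of that alert: the event an analyst must act on first."""
    alerts = []
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["ip"]].append(ev)
    for ip, evs in by_ip.items():
        fails, alerted_at = [], None
        for ev in evs:
            if ev["outcome"] == "Failed":
                fails = [t for t in fails if ev["ts"] - t <= window] + [ev["ts"]]
                if len(fails) >= threshold and alerted_at is None:
                    alerted_at = ev["ts"]
                    alerts.append({"ip": ip, "type": "brute_force", "at": ev["ts"], "failures": len(fails)})
            elif alerted_at is not None and ev["ts"] - alerted_at <= window:
                alerts.append({"ip": ip, "type": "brute_force_success", "user": ev["user"], "at": ev["ts"]})
    return alerts
```

The second source in the sample (two failures fifteen minutes apart, then a key-based login) produces nothing, which is the point of the window: a rule that counted failures without a time bound would page on every user who mistypes a password twice a day.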

Security Operations Center: A SOC provides fundamental security operations management and serves as the threat management alerting and analysis nerve centre for the company. Large companies generally have an in-house SOC or outsource the function.

Scheduled recertification: Must ensure that the server build has not been corrupted and that new vulnerabilities have not been introduced.

Secure File Transfers (e.g., Sterling, Forum Systems, Ipswitch, sftp, ftps, https, and ftp with PGP): Secure file transfers allow the sending and receiving of non-public data across untrusted, insecure network segments.

Security event manager: A Security Event Manager (SEM) is a computerized tool used on enterprise data networks to centralize the storage and interpretation of logs, or events.

Security segmentation planning: Break the network into common areas of functionality for security. Segmenting a network can most readily be accomplished by setting up virtual LANs; VLANs enable you to create separate networks regardless of the physical location of a user or system. Note that a VLAN only separates broadcast domains: segmentation becomes a security control when traffic between segments is forced through a firewall or ACL. Select a segmentation model from the following: job responsibilities, threat level, risk level, service types, business needs.

Self help password reset: Password self-service provides customers with a fast and secure method to restore user access to business-critical resources. Once the solution is deployed, users may enrol in the service by completing a set of configurable security questions.

Server hardening process: Server hardening is the first line of defense against a possible intrusion. The process ensures that all non-essential services are shut down and a strict access control policy is put in place. All relevant security updates are applied to the system to safeguard against all known vulnerabilities.

Server platform hardening: Server hardening refers to the activities performed to help secure an operating system platform and bring it into compliance with security standards, in an effort to reduce the server's exposed surface and vulnerability to attack.

Server recertification: Servers must be recertified on a scheduled basis to guarantee that they have not drifted from the gold standard builds.

Single sign-on: Single sign-on (SSO) is a property of access control across multiple related but independent software systems. With this property a user logs in once with a single ID to gain access to the connected system or systems without being prompted for different usernames or passwords, or in some configurations is seamlessly signed on at each system. It is typically built on a central directory such as LDAP or Active Directory, with a token-based protocol (Kerberos, SAML or OpenID Connect) carrying the proof of authentication between systems. A simple version of single sign-on can be achieved over IP networks using cookies, but only if the sites share a common DNS parent domain.

Conversely, single sign-off is the property whereby a single action of signing out terminates access to multiple software systems.

As different applications and resources support different authentication mechanisms, single sign-on must internally translate and store credentials for the different mechanisms, derived from the credential used for initial authentication. The single credential also concentrates risk: a compromised SSO account reaches every connected system, so SSO should be paired with multi-factor authentication.

Spam filtering: Email filtering is the processing of email to organize it according to specified criteria. Most often this refers to the automatic processing of incoming messages, but the term also applies to the intervention of human intelligence in addition to anti-spam techniques, and to outgoing emails as well as those being received.

Threat management function: The threat management function is a series of processes utilizing a management framework, multiple security tools, and diversified intelligence sources in order to improve an organization's ability to prevent, identify, react to, and learn from threats to security and business continuity.

Two factor authentication: Two-factor authentication is a security process in which the user provides two means of identification, one of which is typically a physical token, such as a card, and the other of which is typically something memorized, such as a security code. In this context, the two factors involved are spoken of as something you have and something you know. A common example of two-factor authentication is a bank card: the card itself is the physical item and the personal identification number (PIN) is the data that goes with it.
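As an added example (not from the original document) of the something-you-have factor implemented as a time-based one-time password, the Python below implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library, with a one-step clock-skew allowance and a constant-time comparison on the verifier side. RFC6238_SEED is the test secret published in RFC 6238 (so the codes can be checked against the RFC's test vectors); the function names and the enrolment helper are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# The RFC 6238 / RFC 4226 test secret (SHA-1 variant), used here only so outputs
# can be checked against the published test vectors. Never reuse it in production.
RFC6238_SEED = b"12345678901234567890"


def hotp(key, counter, digits=6, algo="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(key, at=None, step=30, digits=6, algo="sha1", t0=0):
    """RFC 6238: HOTP with counter = floor((now - T0) / step), so the code changes every step."""
    now = time.time() if at is None else at
    return hotp(key, int((now - t0) // step), digits, algo)


def verify_totp(key, code, at=None, skew=1, **kw):
    """Accept the code for the current step or up to `skew` steps either side (client clocks drift).
    compare_digest avoids leaking which digits matched. A real verifier must also refuse a code
    that was already accepted in this window, otherwise a sniffed code can be replayed."""
    now = time.time() if at is None else at
    step = kw.get("step", 30)
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(totp(key, now + delta * step, **kw), code):
            return True
    return False


def new_secret(nbytes=20):
    """Enrolment: a fresh random secret, base32-encoded as authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()
```

The skew loop is the usual operational compromise: without it, users whose phone clock is thirty seconds off are locked out; with a large skew, the effective code lifetime grows and so does the replay window, which is why the used-code check in the docstring is not optional.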

UNIX compliance tool like eTrust Access Control provides an independent security
SeOS management system which complements the native
operating system (OS) model and enables a
strong defense-in-depth security practice.

VPN Architecture A virtual private network (VPN) is a private communications


network implemented to communicate confidentially over a
public network.

Vulnerability management Tool to allow both internal and external scanning used to
tools discover web facing devices and applications, identify
network security vulnerabilities, measure and manage
overall security exposure and risk,
ensure compliance with internal policies and external
regulations

Web Proxies and The blocking, or "filtering" of undesirable Internet content.


URL/Content Filtering Blocking content can be based on traffic type or filtered by
(e.g., products from category through the use of URL lists that are cataloged by
WebWasher, and the ICAP content (these catalogs are subscription based and updated
frequently).
protocols)

Wireless Security (e.g., Wireless security is the prevention of unauthorized access


802.1x, Cisco and Aruba or damage to computers using wireless networks. The
Wireless) current standard is WPA2; some hardware cannot support
WPA2 without firmware upgrade or replacement. WPA2
uses an encryption device that encrypts the network with a
256-bit key.

Windows (AD, OU, GPO Active Directory (AD) is Microsoft's trademarked directory
etc service, an integral part of the Windows 2000 architecture.
Like other directory services, such as Novell Directory
Services (NDS), Active Directory is a centralized and
standardized system that automates network management
of user data, security, and distributed resources, and
enables interoperation with other directories. Active
Directory is designed especially for distributed networking
environments.
Advanced Persistent An advanced persistent threats are a set of stealthy and
Threat (APT) continuous computer hacking processes, often orchestrated
by human(s) targeting a specific entity.
Asset Management Suite Asset management, broadly defined, refers to any system
that monitors and maintains things of value to an entity or
group. It may apply to both tangible assets such as
buildings and to intangible assets such as human capital,
intellectual property, and goodwill and financial assets.

Change detection Change detechtion complements Change Management as


an approach to transition individuals, teams, and
organizations to a desired future state

Change management Change management is an approach to transition


individuals, teams, and organizations to a desired future
state
Cloud Computing Cloud computing security or, more simply, cloud security is
Security an evolving sub-domain of computer security, network
security, and, more broadly, information security. It refers to
a broad set of policies, technologies, and controls deployed
to protect data, applications, and the associated
infrastructure of cloud computing.

Control Compliance Suite Control compliance suites utilize a group of security and
vulnerability management technologies such as scanners,
standards/comliance assessments and monitoring in a
centralized interface.
Database Security Database security concerns the use of a broad range of
information security controls to protect databases
(potentially including the data, the database applications or
stored functions, the database systems, the database
servers and the associated network links) against
compromises of their confidentiality, integrity and availability.
It involves various types or categories of controls, such as
technical, procedural/administrative and physical.

Mobile Security Mobile security also refers to the means by which a mobile
device can authenticate users and protect or restrict access
to data stored on the device through the use of passwords,
personal identification numbers (PINs), pattern screen locks
or more advanced forms of authentication such as
fingerprint readers, eye scanners and other forms of
biometric readers.
Multifactor Multi-factor authentication is a security process in which the
Authentication user provides two means of identification, one of which is
typically a physical token, such as a card, and the other of
which is typically something memorized, such as a security
code. In this context, the two factors involved are
sometimes spoken of as something you have and
something you know. A common example of two-factor
authentication is a bank card: the card itself is the physical
item and the personal identification number (PIN) is the data
that goes with it.

Network Access Control Network Access Control (NAC) is an approach to computer


(NAC) security that attempts to unify endpoint security technology
(such as antivirus, host intrusion prevention, and
vulnerability assessment), user or system authentication
and network security enforcement.

Risk/Policy Management IT organization’s risk assessment framework that measures


tool like Archer the impact of risks according to qualitative and quantitative
criteria, using inputs from different areas including, but not
limited to, management brainstorming, strategic planning,
past audits and other assessments.
SIEM Logging and review is a fundamental security control used
for the identification of potential or actual security incidents.
Third-party tools such as SIEMS may increase efficiency
and reduce overhead in correlating large quantities of data
into actionable events.
SSL Certificates Certificates are an important component of Transport Layer
Security (TLS, sometimes called by its older name SSL,
Secure Sockets Layer), where they prevent an attacker from
impersonating a secure website or other server.

User Authentication User authentication is a sub-portion of access management.

User monitoring - User monitoring is a passive monitoring technology that


privileged user records all user interaction with a website or client
interacting with a server or cloud-based application.
Vulnerability assessment Tool to allow both internal and external scanning used to
tool discover web facing devices and applications, identify
network security vulnerabilities, measure and manage
overall security exposure and risk,
ensure compliance with internal policies and external
regulations

Web Content Filtering The blocking, or "filtering" of undesirable Internet content.


Blocking content can be based on traffic type or filtered by
category through the use of URL lists that are cataloged by
content (these catalogs are subscription based and updated
frequently).

Process and
procedures
Audit and Regulatory
Issues (e.g., SOX)

Application and Web (e.g., Web 2.0, SOAP, SOA, Secure Messaging)
Layer Security
Develop Master Unified threat management (UTM) refers to a
Vulnerability and comprehensive security product that includes protection
against multiple threats. A UTM product typically includes a
Compliance Scan/Audit firewall, antivirus software, content filtering and a spam filter
Plans Procedure in a single integrated package

Disaster Recovery
Process
Firewall and IDS-IPS
Management Process
Identity and access ma In computer security, access control includes authentication,
authorization and audit. It also includes measures such as
physical devices, including biometric scans and metal locks,
hidden paths, digital signatures, encryption, social barriers,
and monitoring by humans and automated systems.

Security Incident
Response Center
Vulnerability
Assessment Program
(Scheduled for annual
release)
A framework of security The practice of applying a comprehensive method for
policy and standards describing a current and/or future structure and behavior for
an organization's security processes, information security
systems, personnel and organizational sub-units, so that
they align with the organization's core goals and strategic
direction. Although often associated strictly with information
security technology, it relates more broadly to the security
practice of business optimization in that it addresses
business security architecture, performance management
and security process architecture as well.

Account provisioning process

Asset classification and: Conducting a detailed assessment and inventory of an organization's information infrastructure and information assets to determine an appropriate level of security.

Business continuity management: Planning for disasters, natural and man-made, and recovering from them.

Compliance management process: Complying with any applicable regulatory and legal requirements, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and cryptography export controls.

Defense in-depth processes to include preventive, detective, and response functions fully deployed, integrating all defense in-depth technologies and services

Enterprise authentication management framework: An enterprise authentication management framework is the holistic approach to authentication management across the network and computer platforms. The framework is the strategic approach to authentication management, done in an effort to provide uniform authentication services for an enterprise.

Enterprise Security Logging

External pen testing process: At least once a year, an organization needs to hire an external company to pen test its applications and infrastructure.

Firewall Administration process

Incident response plan and documentation: Defines the processes and procedures needed to react to and manage security incidents.

Information Risk Management Framework: IT organization's risk assessment framework that measures the impact of risks according to qualitative and quantitative criteria, using inputs from different areas including, but not limited to, management brainstorming, strategic planning, past audits and other assessments.

Integrated security management system such as seen in ISO 27001

Internal pen testing process: Penetration testing is the process of attempting to gain access to resources without knowledge of usernames, passwords and other normal means of access. User workstation: has legitimate access to critical assets and connects the internet with the internal network.

Intrusion prevention framework: Intrusion prevention is a preemptive approach to network security used to identify potential threats and respond to them swiftly. An intrusion prevention system (IPS) can include firewalls or anti-virus software.

IT security plan process: The IT security plan is updated to reflect the security requirements and usage roles within the organization. The security plan reflects changes in the IT environment as well as the unique security requirements of specific systems.

Governance monitoring: Must have a tool to define and segment compliance against pertinent audit and compliance tools.

Key performance indicators

Messaging Virus Protection Process

Patch management process: End-to-end, metric-based functionality used to ensure that all system patches related to business infrastructure and functionality are deployed within the SLA timelines established by an organization.

Personnel security: Making security a key component of human resources and business operations. This includes writing security expectations into job responsibilities (IT admins and end users), screening new personnel for criminal histories, using confidentiality agreements when dealing with sensitive information and having a reporting process for security incidents.

Physical and environmental security: Establishing a policy that protects the IT infrastructure, physical plant and employees. This includes controlling building access, having backup power supplies, performing routine equipment maintenance and securing off-site equipment.

Regulatory Support plan such as HIPAA

Risk Acceptance: A formal documentation and acceptance of residual risk with related offsets, including adequate insurance coverage, contractually negotiated liabilities and self-insurance. Management manages risk mitigation through a formal documented process.

Scheduled user account recertification: A process performed on a regular basis to ensure that user accounts with privileged access are recertified by their owners.

Secure remote access with VPN

Security annual self assessment: Fundamental planning tool for properly managing security functions throughout the organization. Usually based on the organization's core security standards.

Security Architecture/Str: Establishes the entire scope and boundaries for all aspects of an organizational information security program.

Security Forensics Investigations

Security lifecycle management process (SLCMP): Defines the specific process by which each phase of a software or infrastructure project incorporates security within the project.

Security Lifecycle Management Process (SLCMP) for project management: NIST strongly recommends that all organizations have a security process that integrates security into all phases of the system development lifecycle (SDLC) process.

Security metrics program: Defines the measurable business processes conducted by the Information Security Team. Used to measure the success of processes and security SLAs.

Security organization: Having a management structure for security, including appointing security coordinators, delegating security management responsibilities and establishing a security incident response process. The data protection function must adhere to IT and compliance governance principles such as ITIL and SOX. Data protection must be integrated into all phases of the project lifecycle.

Security organization cha: Fundamental planning tool for properly managing security functions throughout the organization.

Security policy and standards: Adopting a security process that outlines an organization's expectations for security, which can then demonstrate management's support and commitment to security.

Security self assessments

Security SLA management

Security training/Human firewall: Dynamic process focused on ensuring employees are sensitized to all aspects of risk management and data protection.

Server Antivirus

Server build hardening

Server HIDS

Unified threat management system

Vulnerability assessment program

Workstation Firewall and IDS

Workstation Hard Drive Encryption
Risk assessment matrix columns:

Business and IT product or service name

Security requirement for product or service

Describe business and/or IT security risk of not having this product or service

Risk type: IT, Data, Operational, Strategic, Reputational, Regulatory

Organization tool deployed

Per cent deployed

Vulnerabilities, Exposures and Exploits mitigated by product or service

CIA FIPS 199 Confidentiality, Integrity and Availability Impact Rating of high, medium and low

High, Medium and Low Risk levels if product or service not deployed at Organization (consider other defense in depth tools and procedures)

Likelihood event could happen (L, M, H) given the Organization deployed tool and procedure

Applicable NIST Control

Business impact if risk or vulnerability is exploited

Residual risk given Organization deployed tool or compensating controls

Solution description

Residual Risk Level (L, M, H) based on SOLUTION DESCRIPTION

Risk level

Risk Acceptance or buy new tool or service

Cost to plan, build, deploy, operate (maintain)

Total cost of ownership 1, 3, 5 year trend

Return on investment

Remediate decision = yes or no

Ownership
Common Security Architecture and
Procedures

Data Loss Prevention (for databases/storage,


the network, and endpoints e.g. Symantec
Vontu)

Account provisioning tools used locally and


across the enterprise

Anti virus software


Application code security test scanners

Application testing tools

Certificate authority

Compliance management tool and process


Configuration management tools

Code Security Analysis (manual and


leveraging automated scanning
tools)_x000D_

Content filtering (inbound and outbound)


Data Base Security

Denial of Service protection

Encrypted storage devices on device and


removable media
Encryption and Key Management (whole disk,
file-level, network, database, PGP, MS
Certificate Services, and backup tapes)

Encryption (data at rest)

Expired account removal

Email Filtering (e.g., Anti-virus, Anti-Spam,


Content Filtering)_x000D_
Email encryption

Endpoint Protection (e.g., Anti-Virus,


Personal Firewall, and Application Executable
Control from vendors such as Symantec and
McAfee)_x000D_

External to internal scanning tools

Forensics

Firewalls, Routers, and Load-Balancers

Fraud management
Hard disk encryption for lap tops

Honeypots

Intrusion detection (host)

Intrusion detection (network)


Intrusion detection (wireless)

Identity management
Identity management (Federated)

Information Risk Management Framework.

Internal pen testing


Identity and Access Control Management
(e.g., LDAP, Sun Access Manager, MS Active
Directory, Sun Identity Manager, Tivoli Access
Manager, and Unix Account Centralization
tools such as Power Broker and other PAM-
based tools)_x000D_

Incident Response and Forensic Analysis


Support

Intrusion prevention technology

Log Monitoring (e.g., Windows, Unix, Linux,


Networking, and Applications leveraging
tools such as Kiwi, Snare, Arcsight, and
LogLogic)
Logging and Auditing

Network and Host-based Intrusion Detection


and Prevention (e.g. external monitoring
integration as well as Cisco Mars)

Network intrusion detection

Operating System and Application


Vulnerability and Patch Analysis Vulnerability
Scanning and Penetration Testing Tools
(Tripwire, Foundstone, etc)

Operating System Security Configurations


(Windows, Unix (HPUX and AIX), and Linux)
Password strength enforcement

Patch management tools

Personal firewalls on laptops

PKI architecture
Proxy for messaging like Ironport

Proxy for user web access control like Blue


Coat

Remote Access Authorization and


Authentication (RADIUS, Secured, IPSEC and
SSL VPN)

Risk Assessments, methodologies, and


compensating controls
Rogue Device Detection

Rogue device identification when placed in


environment

Security Incident and Event Management


(SIEM)

Security Operations Center

Scheduled recertification

Secure File Transfers (e.g., Sterling, Forum


Systems, Ipswitch, sftp, ftps, https, and ftp
with PGP)
Security event manager

Security segmentation planning

Self help password reset

Server hardening process

Server platform hardening


Server recertification

Single sign on

Spam filtering
Threat management function

Two factor authentication

UNIX compliance tool like SeOS

VPN Architecture
Vulnerability management tools

Web Proxies and URL/Content Filtering (e.g.,


products from WebWasher, and the ICAP
protocols)

Wireless Security (e.g., 802.1x, Cisco and


Aruba Wireless)

Windows (AD, OU, GPO etc

Advanced Persistent Threat (APT)


Asset Management Suite

Change detection

Change management

Cloud Computing Security

Control Compliance Suite


Database Security

Mobile Security
Multifactor Authentication

Network Access Control (NAC)

Risk/Policy Management tool like Archer

SIEM

SSL Certificates
User Authentication

User monitoring - privileged user

Vulnerability assessment tool

Web Content Filtering


Product or process description

Data loss prevention solution is a system that is designed to


detect potential data breach / data ex-filtration transmissions
and prevent them by monitoring, detecting and blocking
sensitive data while in-use (endpoint actions), in-motion
(network traffic), and at-rest (data storage). In data leakage
incidents, sensitive data is disclosed to unauthorized
personnel either by malicious intent or inadvertent mistake.
Such sensitive data can come in the form of private or
company information, intellectual property (IP), financial or
patient information, credit-card data, and other information
depending on the business and the industry.

In general, provisioning means "providing" or making


something available. Account provisioning is providing user
account services such as account creation/deletion and
account support services.

Antivirus software consists of computer programs that


attempt to identify, thwart and eliminate computer viruses
and other malicious software (malware). Several
techniques are generally used to accomplish this: 1.
Examining (scanning) files to look for known viruses
matching definitions in a virus dictionary 2. Identifying
suspicious behavior from any computer program which
might indicate infection.
Understanding common application security errors—
including backdoors, exception handling and failure
notification, ID/Password and user account handling,
information-leak, data tampering, parameter/variable
tampering, SQL injection, buffer-overflow, client-side
handling/mishandling, crossite scripting, timing, initial
defaults and other errors.

Provides an easy-to-use, consistent and cost-effective way


of testing web sites, web servers, and intranet applications.
To test and analyze the performance characteristics under
various load conditions to find bottlenecks of your web
applications.

A certificate authority (CA) is an authority in a network that


issues and manages security credentials and public keys for
message encryption. As part of a public key infrastructure
(PKI), a CA checks with a registration authority (RA) to
verify information provided by the requestor of a digital
certificate. If the RA verifies the requestor's information, the
CA can then issue a certificate. Depending on the public
key infrastructure implementation, the certificate includes
the owner's public key, the expiration date of the certificate,
the owner's name, and other information about the public
key owner.

Process incorporating operational reporting, proper


notification and escalations, and keeping track of users,
what they are doing, as well as certifying minimum access
rights required to be able to perform their job functions, etc.,
used to ensure compliance of Sarbanes-Oxley and other
governmental regulations.
Configuration management (CM) is the detailed recording
and updating of information that describes an enterprise's
computer systems and networks, including all hardware and
software components

Understanding common application security errors—


including backdoors, exception handling and failure
notification, ID/Password and user account handling,
information-leak, data tampering, parameter/variable
tampering, SQL injection, buffer-overflow, client-side
handling/mishandling, crossite scripting, timing, initial
defaults and other errors.

The blocking, or "filtering" of undesirable Internet content.


Blocking content can be based on traffic type or filtered by
category through the use of URL lists that are cataloged by
content (these catalogs are subscription based and updated
frequently).
Database security concerns the use of a broad range of
information security controls to protect databases
(potentially including the data, the database applications or
stored functions, the database systems, the database
servers and the associated network links) against
compromises of their confidentiality, integrity and availability.
It involves various types or categories of controls, such as
technical, procedural/administrative and physical.

A denial-of-service attack (DoS attack) is an attempt to


make a computer resource unavailable to its intended
users. Although the means to, motives for and targets of a
DoS attack may vary, it generally comprises the concerted,
malevolent efforts of a person or persons to prevent an
Internet site or service from functioning efficiently or at all,
temporarily or indefinitely.

Data encryption of removable media prevents data visibility


in the event of its unauthorised access or theft, is
increasingly recognised as an optimal method for protecting
data at rest.
Cryptographic transformation of data (called "plaintext") into
a form (called "cipher text") that conceals the data's original
meaning to prevent it from being known or used.

Data encryption, which prevents data visibility in the event


of its unauthorised access or theft, is commonly used to
protect Data in Motion and increasingly recognised as an
optimal method for protecting Data at Rest

The primary goal of expired account removal is to identify


processes that target and manage user accounts that meet
certain inactivity thresholds and/or account properties.

Email filtering is the processing of email to organize it


according to specified criteria. Most often this refers to the
automatic processing of incoming messages, but the term
also applies to the intervention of human intelligence in
addition to anti-spam techniques, and to outgoing emails as
well as those being received.
Email encryption is encryption of email messages to protect
the content from being read by other entities than the
intended recipients. Email encryption may also include
authentication.

Antivirus and personal firewall products centrally managed


corporate environments provide reduce risks by improving
security for servers and workstations for attacks that have
penetrated other layers of a Defense-In-Depth (DiD)
security architecture.

External scanning device used to discover web facing


devices and applications, identify network security
vulnerabilities, measure and manage overall security
exposure and risk, ensure compliance with internal policies
and external regulations

A branch of digital forensic science pertaining to evidence


found in computers and digital storage media.

Secure configurations provide High Availability (HA), traffic


optimization, resource utilization, and bandwidth efficiency.

Fraud is any intentional act committed to secure an unfair or


unlawful gain. Misconduct refers to violations of law,
regulations, internal policies, and expectations of ethical
business conduct.
Hard-drive encryption is a technology that encrypts the data
stored on a hard drive using sophisticated mathematical
functions. Data on an encrypted hard drive cannot be read
by anyone who does not have access to the appropriate key
or password. This item will refer to full volume encryption.

A honey pot is a computer system on the Internet that is


expressly set up to attract and "trap" people who attempt to
penetrate other people's computer systems. (This includes
the hacker, cracker, and script kiddy.)

A host-based intrusion detection system (HIDS) consists of


an agent on a host which identifies intrusions by analyzing
system calls, application logs, file-system modifications
(binaries, password files, capability/acl databases) and
other host activities and state.

Intrusion detection and prevention systems (IDPS), are


network security appliances that monitor network and/or
system activities for malicious activity. The main functions of
intrusion prevention systems are to identify malicious
activity, log information about this activity, attempt to
block/stop it, and report it.
Intrusion detection and prevention systems (IDPS), are
network security appliances that monitor network and/or
system activities for malicious activity. The main functions of
intrusion prevention systems are to identify malicious
activity, log information about this activity, attempt to
block/stop it, and report it.

Identity management involves the following essential areas:


management of identities, access control and directory
services. Regarding management of identities (accounts
and user access),
Identity Federation comprises one or more systems that
federate user access and allow users to login based on
authenticating against one of the system participating in the
federation.

IT organization’s risk assessment framework that measures


the impact of risks according to qualitative and quantitative
criteria, using inputs from different areas including, but not
limited to, management brainstorming, strategic planning,
past audits and other assessments.

Provides insight to internal vulnerabilities and remediation


requirements.
Identity management involves the following essential areas:
management of identities, access control and directory
services. Regarding management of identities (accounts
and user access),

A branch of digital forensic science pertaining to evidence


found in computers and digital storage media.

An intrusion prevention system is a security device that


exercises access control to protect computers from
exploitation. Intrusion prevention technology is considered
by some to be an extension of intrusion detection (IDS)
technology but it is actually another form of access control,
like an application layer firewall. The latest Next Generation
Firewalls leverage their existing deep packet inspection
engine by sharing this functionality with an Intrusion-
prevention system

Logging and review is a fundamental security control used


for the identification of potential or actual security incidents.
Third-party tools may increase efficiency and overhead in
correlating large quantities of data into actionable events.
Logging and review is a fundamental security control used
for the identification of potential or actual security incidents.

External monitoring integration or utilization of 3rd-party log


correlations products may dramatically increase the
efficiency and use of NIPS and HIPS log data.

A network intrusion detection system (NIDS) is an


independent platform which identifies intrusions by
examining network traffic and monitors multiple hosts.
Network Intrusion Detection Systems gain access to
network traffic by connecting to a hub, network switch
configured for port mirroring, or network tap.

Operating System and Application Vulnerabililty scans are


an essential component of a secure environment identifying
and assuring the timeliness of patch management and
implementation of secure application code.

Configuration management (CM) is a systems engineering


process for establishing and maintaining consistency of a
product's performance, functional and physical attributes
with its requirements, design and operational information
throughout its life.
A strong password is sufficiently long, random, or otherwise
producible only by the user who chose it, such that
successfully guessing it will require too long a time. The
length of time deemed to be too long will vary with the
attacker, the attacker's resources, the ease with which a
password can be tried, and the value of the password to the
attacker.

Patch management is an area of systems management that


involves acquiring, testing, and installing multiple patches
(code changes) to an administered computer system.

A personal firewall (sometimes called a desktop firewall) is a


software application used to protect a single Internet-
connected computer from intruders. Personal firewall
protection is especially useful for users with "always-on"
connections such as DSL or cable modem. Such
connections use a static IP address that makes them
especially vulnerable to potential hackers.

A PKI (public key infrastructure) enables users of a basically


insecure public network such as the Internet to securely and
privately exchange data and money through the use of a
public and a private cryptographic key pair that is obtained
and shared through a trusted authority
Proxy servers are systems established to act on behalf of
other systems providing a layer of protection and anonymity.

The blocking, or "filtering" of undesirable Internet content.


Blocking content can be based on traffic type or filtered by
category through the use of URL lists that are cataloged by
content (these catalogs are subscription based and updated
frequently).

Remote access services provide centralized Authentication, Authorization, and Accounting (AAA) management for users who co

IT organization’s risk assessment framework that measures


the impact of risks according to qualitative and quantitative
criteria, using inputs from different areas including, but not
limited to, management brainstorming, strategic planning,
past audits and other assessments.
Rogue Detection tools implement network scanning to
detect unauthorized access of a network infrastructure.
Methods include verifying detected devices and creating
asset inventory. Successive scans attempt to discover
previously unidentified devices

A set of technologies and solutions built into the network


infrastructure enforcing security policy compliance on all
devices seeking to access network computing resources,
thereby limiting damage from emerging security threats.

Logging and review is a fundamental security control used


for the identification of potential or actual security incidents.
Third-party tools such as SIEMS may increase efficiency
and reduce overhead in correlating large quantities of data
into actionable events.

A SOC provides fundamental security operations


management and serves as the threat management alerting
and analysis nerve center for company. Large companies
like generally have an in place SOC or outsource the
function.

Must ensure that the server build is not corrupted and that
new vulnerabilities have not been introduced.

Secure file transfers allow the sending and receiving of non-


public data across untrusted insecure network segments.
A Security Event Manager (SEM) is a computerized tool
used on enterprise data networks to centralize the storage
and interpretation of logs, or events

Break the Network into Common Areas of Functionality for


Security. Segmenting a network can most readily be
accomplished by setting up virtual LANs on a network.
VLANs enable you to create separate networks regardless
of the physical location of a user or system. Select a
Segmentation Model from the following Job responsibilities,
Threat level, Risk level, Service types, Business needs

Password Self Service provides customers with a fast and


secure method to restore user access to business-critical
resources. Once the solution is deployed, users may enroll
in the service by completing a set of configurable security
questions.

Server hardening is the first line of defense against a


possible intrusion. The process ensures that all non-
essential services are shut down and a strict access control
policy is put in place. All relevant security updates are
applied to the system to safeguard against all known
vulnerabilities.

Server hardening refers to the activities that are performed


to help secure an operating system platform and bring it into
compliance with security standards in an effort to reduce the
server's exposed surface and vulnerability to attack.
Servers must be recertified on a scheduled basis to
guarantee that the servers have not drifted form the gold
and standard builds.

Single sign-on (SSO) is a property of access control of


multiple related, but independent software systems. With
this property a user logs in with a single ID to gain access to
a connected system or systems without being prompted for
different usernames or passwords, or in some
configurations seamlessly sign on at each system. This is
typically accomplished using the Lightweight Directory
Access Protocol (LDAP) and stored LDAP databases on
servers.[1] A simple version of single sign-on can be
achieved over IP networks using cookies but only if the sites
share a common DNS parent domain.[2]

Conversely, single sign-off is the property whereby a single


action of signing out terminates access to multiple software
systems.

As different applications and resources support different


authentication mechanisms, single sign-on must internally
translate and store credentials for the different mechanisms,
from the credential used for initial authentication.

Email filtering is the processing of email to organize it


according to specified criteria. Most often this refers to the
automatic processing of incoming messages, but the term
also applies to the intervention of human intelligence in
addition to anti-spam techniques, and to outgoing emails as
well as those being received.
Threat management function is a series of processes
utilizing a management framework, multiple security tools,
and diversified intelligence sources in order to create
efficiency in an organizations ability to prevent, identify,
react, and learn from threats to security and business
continuity.

Two-factor authentication is a security process in which the


user provides two means of identification, one of which is
typically a physical token, such as a card, and the other of
which is typically something memorized, such as a security
code. In this context, the two factors involved are
sometimes spoken of as something you have and
something you know. A common example of two-factor
authentication is a bank card: the card itself is the physical
item and the personal identification number (PIN) is the data
that goes with it.

eTrust Access Control provides an independent security


management system which complements the native
operating system (OS) model and enables a
strong defense-in-depth security practice.

A virtual private network (VPN) is a private communications


network implemented to communicate confidentially over a
public network.
Tool to allow both internal and external scanning used to
discover web facing devices and applications, identify
network security vulnerabilities, measure and manage
overall security exposure and risk,
ensure compliance with internal policies and external
regulations

The blocking, or "filtering" of undesirable Internet content.


Blocking content can be based on traffic type or filtered by
category through the use of URL lists that are cataloged by
content (these catalogs are subscription based and updated
frequently).

Wireless security is the prevention of unauthorized access


or damage to computers using wireless networks. The
current standard is WPA2; some hardware cannot support
WPA2 without firmware upgrade or replacement. WPA2
uses an encryption device that encrypts the network with a
256-bit key.

Active Directory (AD) is Microsoft's trademarked directory


service, an integral part of the Windows 2000 architecture.
Like other directory services, such as Novell Directory
Services (NDS), Active Directory is a centralized and
standardized system that automates network management
of user data, security, and distributed resources, and
enables interoperation with other directories. Active
Directory is designed especially for distributed networking
environments.

An advanced persistent threats are a set of stealthy and


continuous computer hacking processes, often orchestrated
by human(s) targeting a specific entity.
Asset management, broadly defined, refers to any system
that monitors and maintains things of value to an entity or
group. It may apply to both tangible assets such as
buildings and to intangible assets such as human capital,
intellectual property, and goodwill and financial assets.

Change detechtion complements Change Management as


an approach to transition individuals, teams, and
organizations to a desired future state

Change management is an approach to transition


individuals, teams, and organizations to a desired future
state

Cloud computing security or, more simply, cloud security is


an evolving sub-domain of computer security, network
security, and, more broadly, information security. It refers to
a broad set of policies, technologies, and controls deployed
to protect data, applications, and the associated
infrastructure of cloud computing.

Control compliance suites utilize a group of security and


vulnerability management technologies such as scanners,
standards/comliance assessments and monitoring in a
centralized interface.
Database security concerns the use of a broad range of
information security controls to protect databases
(potentially including the data, the database applications or
stored functions, the database systems, the database
servers and the associated network links) against
compromises of their confidentiality, integrity and availability.
It involves various types or categories of controls, such as
technical, procedural/administrative and physical.

Mobile security also refers to the means by which a mobile


device can authenticate users and protect or restrict access
to data stored on the device through the use of passwords,
personal identification numbers (PINs), pattern screen locks
or more advanced forms of authentication such as
fingerprint readers, eye scanners and other forms of
biometric readers.
Multi-factor authentication is a security process in which the
user provides two means of identification, one of which is
typically a physical token, such as a card, and the other of
which is typically something memorized, such as a security
code. In this context, the two factors involved are
sometimes spoken of as something you have and
something you know. A common example of two-factor
authentication is a bank card: the card itself is the physical
item and the personal identification number (PIN) is the data
that goes with it.

Network Access Control (NAC) is an approach to computer


security that attempts to unify endpoint security technology
(such as antivirus, host intrusion prevention, and
vulnerability assessment), user or system authentication
and network security enforcement.

IT organization’s risk assessment framework that measures


the impact of risks according to qualitative and quantitative
criteria, using inputs from different areas including, but not
limited to, management brainstorming, strategic planning,
past audits and other assessments.

Logging and review is a fundamental security control used


for the identification of potential or actual security incidents.
Third-party tools such as SIEMS may increase efficiency
and reduce overhead in correlating large quantities of data
into actionable events.

Certificates are an important component of Transport Layer


Security (TLS, sometimes called by its older name SSL,
Secure Sockets Layer), where they prevent an attacker from
impersonating a secure website or other server.
User authentication is a sub-portion of access management.

User monitoring is a passive monitoring technology that records all user interaction with a website, or with a client interacting with a server or cloud-based application.

A tool that allows both internal and external scanning, used to discover web-facing devices and applications, identify network security vulnerabilities, measure and manage overall security exposure and risk, and ensure compliance with internal policies and external regulations.

The blocking, or "filtering", of undesirable Internet content. Blocking can be based on traffic type or filtered by category through the use of URL lists that are cataloged by content (these catalogs are subscription based and updated frequently).

Each row below is read as three fields. Requirement: the business and IT security requirement for the product or service, and the risk of not having it. Risk: the business or IT security risk described. Risk type: one or more of IT, Data, Operational, Strategic, Reputational, Regulatory.

Requirement: Designated DLP solutions detect and prevent unauthorized attempts to copy or send sensitive data, intentionally or unintentionally, mainly by personnel who are authorized to access the sensitive information. In order to classify certain information as sensitive, these solutions use mechanisms such as exact data matching, structured data fingerprinting, statistical methods, rule and regular expression matching, published lexicons, conceptual definitions, and keywords.
Risk: Financial loss, customer loss, employee PII loss, strategy compromised, intellectual capital compromised, easier network enumeration, reputational damage.
Risk type: Data, IT, Reputational, Strategic
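As an added example, not the page's own material or any vendor's engine, here is a minimal classifier in Python that combines three of the detection mechanisms the row names: regular-expression matching, a validity check (Luhn) that removes false positives on card-number candidates, and exact data matching against salted hashes of known sensitive values. The sample text, the salt and the values in the exact-match index are constructed for the example.

```python
"""Added example: a minimal DLP content classifier combining regular-expression
matching, a Luhn validity check, and exact data matching (EDM) against hashed
fingerprints. Sample text and index values are constructed, not real data."""
import hashlib
import re

# Candidate 13-19 digit card numbers, allowing spaces or dashes between groups.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape: 3-2-4 digits with dashes.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def fingerprint(value: str) -> str:
    """Salted SHA-256 of a normalised value; the DLP store keeps hashes, not plaintext."""
    salt = b"example-salt"  # assumption: a per-deployment secret salt
    return hashlib.sha256(salt + value.strip().lower().encode()).hexdigest()


# Exact-data-match index: fingerprints of values that must never leave the
# network (constructed for the example).
EDM_INDEX = {fingerprint(v) for v in ["ACME-PROJECT-ORION", "john.doe@example.com"]}


def classify(text: str) -> list:
    """Return (detector, matched_text) pairs for sensitive content found in text."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # a 16-digit order number that fails Luhn is not a PAN
            findings.append(("PAN", m.group()))
    for m in SSN_RE.finditer(text):
        findings.append(("SSN", m.group()))
    for token in re.findall(r"[\w.@-]+", text):
        if fingerprint(token) in EDM_INDEX:
            findings.append(("EDM", token))
    return findings


if __name__ == "__main__":
    sample = "card 4111 1111 1111 1111 ships to john.doe@example.com, ref ACME-PROJECT-ORION"
    for kind, hit in classify(sample):
        print(kind, hit)
```

The Luhn step is what keeps the regular expression usable: on real traffic a bare 16-digit pattern fires on order numbers and timestamps, while the hashed index lets the engine recognise specific customer records without itself holding them in clear.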

Requirement: User account provisioning is a critical component for enterprises to decrease the administrative burden of account management while also reducing risk. User provisioning software may include one or more of the following processes: change propagation, self-service workflow, consolidated user administration, delegated user administration, and federated change control.
Risk: Excessive account administration overhead, poor permissions management; access control may become unenforceable.
Risk type: Operational, Reputational, Regulatory

Requirement: Anti-virus, anti-malware and anti-spyware protection is a requirement of numerous security management frameworks, best practice models, and regulated compliance audits.
Risk: Multiple forms of malicious software (malware) reaching a vulnerable machine will have the potential to compromise the host and perform their functions (theft, proliferation, monitoring, control) unimpeded.
Risk type: Operational, Regulatory

Requirement: Secure application development should be enhanced by applying security checkpoints and techniques at early stages of development as well as throughout the software development lifecycle. Special emphasis should be applied to the coding phase of development.
Risk: Applications (type dependent) vulnerable to: cross-site scripting, SQL injection, path disclosure, denial of service, arbitrary code execution, memory corruption, cross-site request forgery, data breach (information disclosure), arbitrary, local and remote file inclusion, buffer overflow, code injection, and others.
Risk type: Operational, Reputational, Regulatory

Requirement: Secure application development should be enhanced by applying security checkpoints and techniques at early stages of development as well as throughout the software development lifecycle. Special emphasis should be applied to the coding phase of development.
Risk: Applications (type dependent) vulnerable to: cross-site scripting, SQL injection, path disclosure, denial of service, arbitrary code execution, memory corruption, cross-site request forgery, data breach (information disclosure), arbitrary, local and remote file inclusion, buffer overflow, code injection, and others.
Risk type: Operational, Reputational, Regulatory

Requirement: Certificate authorities (CAs) are a critical component of PKIs and manage the lifecycle of all digital certificates within a PKI. The CA is the party that both the owner of the certificate and the party relying on the certificate trust. Because of this critical dependency, CAs underpin the security not only of the PKI but of all transactions and exchanges protected by the certificates they issue.
Risk: Digital encryption becomes a manual process with the potential for human error, increasing administrative overhead, and a lack of reporting functionality.
Risk type: Operational, Reputational, Regulatory

Requirement: Many industries have specific and multiple compliance requirements in order to maintain competitiveness or perform functions within the law. Compliance management tools streamline the process and assist in maintaining compliance as environments and regulations change.
Risk: Achieving and maintaining compliance can cause high levels of administrative overhead, with potentially large fines and loss of reputation if compliance is lost.
Risk type: Data, Operational, Regulatory

Requirement: Configuration management (CM), when applied over the life cycle of a system, provides visibility and control of its performance, functional and physical attributes. CM verifies that a system performs as intended, and is identified and documented in sufficient detail to support its projected life cycle. The CM process facilitates orderly management of system information and system changes for such beneficial purposes as to revise capability; improve performance, reliability, or maintainability; extend life; reduce cost; reduce risk and liability; or correct defects.
Risk: Lack of automation introduces the risk of human error in creating and maintaining a known secure configuration or coding practice, lack of configuration change auditing, and potential for compliance failure.
Risk type: IT, Operational, Regulatory

Requirement: Secure application development should be enhanced by applying security checkpoints and techniques at early stages of development as well as throughout the software development lifecycle. Special emphasis should be applied to the coding phase of development.
Risk: Applications (type dependent) vulnerable to: cross-site scripting, SQL injection, path disclosure, denial of service, arbitrary code execution, memory corruption, cross-site request forgery, data breach (information disclosure), arbitrary, local and remote file inclusion, buffer overflow, code injection, and others.
Risk type: Operational, Regulatory, Data

Requirement: Content filtering controls can block malware and other content that is or contains hostile, intrusive, or annoying material including adware, spam, computer viruses, worms, trojan horses, and spyware.
Risk: Unauthorized disclosure of information, disruption of computer services, loss of productivity, financial loss due to compromised workstations and servers, reputation loss due to security breach.
Risk type: Operational, Regulatory, Reputational

Requirement: Database security is integral to the design and function of a database. There are three important pieces to database security: physical, user, and network. These pieces work in conjunction with policies, standards, and procedures. Policies are directions that support a goal. Standards describe the minimum that must be done toward a goal. Performance and tasks can also be scored against a standard to verify how well they meet it.
Risk: Unauthorized or unintended activity or misuse by authorized database users, database administrators, or network/systems managers, or by unauthorized users or hackers; malware infections causing incidents such as unauthorized access, leakage or disclosure of personal or proprietary data, deletion of or damage to the data or programs, interruption or denial of authorized access to the database, attacks on other systems, and the unanticipated failure of database services; overloads, performance constraints and capacity issues resulting in the inability of authorized users to use databases as intended; design flaws and programming bugs in databases and the associated programs and systems, creating various security vulnerabilities, data loss/corruption, performance degradation etc.; data corruption and/or loss caused by the entry of
Risk type: IT, Data, Operational, Regulatory

Requirement: A DoS is an attack against availability. "Data availability" is a term used by computer storage service providers (SSPs) to describe products and services that ensure that data continues to be available at a required level of performance in situations ranging from normal through "disastrous". Any loss of data availability can have detrimental effects on an organization.
Risk: Constant risk of DDoS extortion, backscatter, and numerous methods of DoS attack.
Risk type: Data, IT, Reputational

Requirement: The encryption of data at rest should use only strong, current algorithms, for example AES for the data itself and RSA or elliptic-curve keys for protecting the data keys. SHA-256 is a hash function, not an encryption algorithm; it provides integrity checking but no confidentiality. Encrypted data should remain encrypted when access controls such as usernames and passwords fail. Layering encryption at multiple levels (disk, database, application) is recommended.
Risk: Any data stored on devices that are lost or within physical reach of attackers is lost.
Risk type: Data, Operational, Regulatory

Requirement: Key management is the management of cryptographic keys in a cryptosystem. This includes the generation, exchange, storage, use, and replacement of keys. It includes cryptographic protocol design, key servers, user procedures, and other relevant protocols.
Risk: Vulnerability of keys to outside hackers and malicious insiders.
Risk type: Data, Operational, Regulatory

Requirement: The encryption of data at rest should use only strong, current algorithms, for example AES for the data itself and RSA or elliptic-curve keys for protecting the data keys. SHA-256 is a hash function, not an encryption algorithm; it provides integrity checking but no confidentiality. Encrypted data should remain encrypted when access controls such as usernames and passwords fail. Layering encryption at multiple levels is recommended. Data encryption keys should be rotated on a regular basis. Encryption keys should be stored separately from the data. Periodic auditing of sensitive data should be part of policy and should occur on a set schedule. Store the minimum amount of sensitive data possible.
Risk: Because of its nature, data at rest is of increasing concern to businesses, government agencies and other institutions. Mobile devices are often subject to specific security protocols to protect data at rest from unauthorised access when lost or stolen, and there is increasing recognition that database management systems and file servers should also be considered at risk; the longer data is left unused in storage, the more likely it is to be retrieved by unauthorized individuals outside the network.
Risk type: Data, Operational, Regulatory

Requirement: Account security parameters, such as auto-lockout and expiration dates, must be set and centrally managed via group policy or standardized base images.
Risk: Stale accounts can be exploited by internal and external attackers to gain unauthorized access to sensitive company resources.
Risk type: IT, Operational, Regulatory

Requirement: A filtering solution applied to your email system uses a set of rules and protocols to determine which incoming messages are spam, fraudulent, or carry malicious software, and which do not. Email filtering software takes email as input. For its output, it might pass the message through unchanged for delivery to the user's mailbox, redirect the message for delivery elsewhere, or discard it. Some mail filters are able to edit messages during processing.
Risk: Increased risk of social engineering attacks, phishing, spam, malware, trojans, account credential theft, and other attacks.
Risk type: Operational, Reputational, Regulatory, Strategic

Requirement: Email encryption can rely on public-key cryptography, in which each user publishes a public key that others use to encrypt messages to them, while keeping secret a private key used to decrypt such messages and to digitally sign the messages they send.
Risk: Email is prone to disclosure of information. Unless it is encrypted end to end, every mail server that relays a message can read its contents, and with readily available tools so can persons other than the designated recipients.
Risk type: Data, Operational, Regulatory

Requirement: Endpoint clients are kept current with automatic updates and with regulated communications to content providers.
Risk: Anti-malware, anti-spam and anti-virus clients are regulatory requirements of multiple security frameworks. Vulnerable systems have no defense against known threats that have penetrated other layers of defense.
Risk type: Data, Operational, Regulatory

Requirement: Scans are typically the initial phase of a network-based attack or penetration test. Regular scans emulating an external attacker, with remediation of the results, are a best practice for maintaining an effective security posture.
Risk: A successful scan may be followed by a software attack that exploits the discovered weaknesses to gain access to the computer's features and data.
Risk type: Operational, Reputational, Regulatory

Requirement: The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.
Risk: Lack of ability to investigate security incidents, service outages, compliance audits, suspect employee behavior, errors, and other events that may require legal proceedings.
Risk type: Data, Operational, Regulatory

Requirement: Secure configuration and configuration management, auditing capabilities, patch/firmware management.
Risk: Increased risk to data availability and of service outage.
Risk type: Data, IT, Operational, Reputational, Regulatory

Requirement: Understand fraud and misconduct risks that can undermine business objectives; reduce exposure to corporate liability, sanctions, and litigation.
Risk: Increased risk of policy or legal abuse by internal and external parties.
Risk type: Operational, Reputational

Requirement: Require pre-boot authentication and centralized management. Full-disk encryption should use only strong, current algorithms such as AES; RSA or elliptic-curve keys may protect the disk keys. SHA-256 is a hash function and does not by itself encrypt anything. Encrypted data should remain encrypted when access controls such as usernames and passwords fail. Layering encryption at multiple levels is recommended.
Risk: Any data stored on devices that are lost or within physical reach of attackers is lost.
Risk type: Data, Operational, Reputational, Regulatory

Requirement: Production honeypots are placed inside the production network with other production servers by an organization to improve its overall state of security.
Risk: Lack of knowledge of the external attack surface and vulnerabilities.
Risk type: IT, Strategic

Requirement: Provides signature-based, heuristics-based, and protocol analysis of traffic patterns transmitted and received on a host. Centralized management and reporting are required; blocking attacks is optional.
Risk: Applications (type dependent) vulnerable to: cross-site scripting, SQL injection, path disclosure, denial of service, arbitrary code execution, memory corruption, cross-site request forgery, data breach (information disclosure), arbitrary, local and remote file inclusion, buffer overflow, code injection, and others.
Risk type: Data, IT, Operational

Requirement: Provides signature-based, heuristics-based, and protocol analysis of traffic patterns transmitted and received on a host. Centralized management and reporting are required; blocking attacks is optional.
Risk: Applications (type dependent) vulnerable to: cross-site scripting, SQL injection, path disclosure, denial of service, arbitrary code execution, memory corruption, cross-site request forgery, data breach (information disclosure), arbitrary, local and remote file inclusion, buffer overflow, code injection, and others.
Risk type: Data, IT, Operational, Regulatory

Requirement: Provides signature-based, heuristics-based, and protocol analysis of traffic patterns transmitted and received on a host. Centralized management and reporting are required; blocking attacks is optional.
Risk: Applications (type dependent) vulnerable to: cross-site scripting, SQL injection, path disclosure, denial of service, arbitrary code execution, memory corruption, cross-site request forgery, data breach (information disclosure), arbitrary, local and remote file inclusion, buffer overflow, code injection, and others.
Risk type: Data, IT, Operational, Regulatory

Requirement: IdM covers issues such as how users gain an identity, the protection of that identity, and the technologies supporting that protection (e.g., network protocols, digital certificates, passwords, etc.).
Risk: High administrative overhead in account management; lack of audit and compliance visibility regarding authentication, authorization, accounting, roles, and data interchange.
Risk type: IT, Operational, Regulatory

Requirement: FIdM, or the "federation" of identity, describes the technologies, standards and use cases which serve to enable the portability of identity information across otherwise autonomous security domains.
Risk: High administrative overhead in account management; lack of audit and compliance visibility regarding authentication, authorization, accounting, roles, and data interchange.
Risk type: IT, Operational, Regulatory

Requirement: The RMF provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.
Risk: Lack of audit compliance. IT system and risk management become ad hoc and inefficient.
Risk type: IT, Strategic

Requirement: Penetration testing is really a form of QA that looks for flaws in network architecture and design, operating system and application configuration, application design, and even human behavior as it relates to security policies and procedures.
Risk: Lack of knowledge of the external attack surface and vulnerabilities.
Risk type: Regulatory, Reputational

Requirement: IdM covers issues such as how users gain an identity, the protection of that identity, and the technologies supporting that protection (e.g., network protocols, digital certificates, passwords, etc.).
Risk: High administrative overhead in account management; lack of audit and compliance visibility regarding authentication, authorization, accounting, roles, and data interchange.
Risk type: IT, Operational, Regulatory

Requirement: The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.
Risk: Lack of ability to investigate security incidents, service outages, compliance audits, suspect employee behavior, errors, and other events that may require legal proceedings.
Risk type: Data, Operational, Regulatory

Requirement: Network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion
Risk: Network-based attacks and other forms of malicious traffic having penetrated other security devices can compromise vulnerable systems.
Risk type: Data, IT, Operational, Regulatory

Requirement: Servers, applications, network and security devices generate log files. Errors, problems, and other information are constantly logged and saved for analysis. In order to detect problems automatically, and to support security events, outages, forensics, compliance reporting, and other needs, useful logs must be securely stored and reviewed.
Risk: Lack of ability to investigate security incidents, service outages, compliance audits, suspect employee behavior, errors, and other events that may require legal proceedings.
Risk type: Operational, Reputational, Regulatory

Requirement: Servers, applications, network and security devices generate log files. Errors, problems, and other information are constantly logged and saved for analysis. In order to detect problems automatically, and to support security events, outages, forensics, compliance reporting, and other needs, useful logs must be securely stored and reviewed.
Risk: Lack of ability to investigate security incidents, service outages, compliance audits, suspect employee behavior, errors, and other events that may require legal proceedings.
Risk type: IT, Operational, Reputational, Regulatory
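The logging rows above, and the earlier note that a SIEM correlates log volume into actionable events, describe a process rather than show one. As an added example, not code from the page or from any SIEM product, here is one correlation rule in Python run over constructed sshd-style authentication lines: a source address that fails password authentication several times inside a window and then succeeds is flagged as a likely brute force that worked. The log lines, hostnames and addresses are all constructed.

```python
"""Added example (not the page's code): a SIEM-style correlation rule over
authentication logs. N failed logins from one source inside a time window
followed by a success raises an alert. The sshd-style lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log: one brute force that ends in a success, one user who
# simply mistyped a password twice, and one line the rule does not care about.
SAMPLE_LOG = """\
2024-03-01T10:00:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
2024-03-01T10:00:03 bastion sshd[2203]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-03-01T10:00:04 bastion sshd[2205]: Failed password for svc_backup from 203.0.113.7 port 51004 ssh2
2024-03-01T10:00:06 bastion sshd[2207]: Failed password for svc_backup from 203.0.113.7 port 51006 ssh2
2024-03-01T10:00:08 bastion sshd[2209]: Failed password for svc_backup from 203.0.113.7 port 51008 ssh2
2024-03-01T10:00:09 bastion sshd[2211]: Accepted password for svc_backup from 203.0.113.7 port 51010 ssh2
2024-03-01T10:02:00 bastion sshd[2301]: Failed password for alice from 198.51.100.2 port 40000 ssh2
2024-03-01T10:02:05 bastion sshd[2303]: Accepted password for alice from 198.51.100.2 port 40002 ssh2
2024-03-01T10:03:00 bastion sshd[2305]: pam_unix(sshd:session): session opened for user alice
""".splitlines()


def parse(line: str):
    """Return a dict of fields for an auth event, or None for lines the rule ignores."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """Alert when a source has >= threshold failures within window and then succeeds."""
    failures = defaultdict(list)  # source ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        failures[src] = [t for t in failures[src] if ts - t <= window]  # expire old ones
        if ev["result"] == "Failed":
            failures[src].append(ts)
        elif len(failures[src]) >= threshold:
            alerts.append({"src": src, "user": ev["user"],
                           "failures": len(failures[src]), "at": ts.isoformat()})
            failures[src].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print("ALERT possible successful brute force:", alert)
```

The same structure (parse, keep per-entity state, expire by window, emit on the terminal condition) serves for most correlation rules; what changes is the regular expression and the condition, and the threshold and window are tuned per environment.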

Requirement: Response systems integrate an understanding of multiple technologies and individual components of a Defense-in-Depth (DiD) architecture.
Risk: Inefficiency in correlating log data from multiple security products. Difficulty in discerning actionable events.
Risk type: Data, IT, Operational, Regulatory

Requirement: Response systems integrate an understanding of multiple technologies and individual components of a Defense-in-Depth (DiD) architecture.
Risk: Inefficiency in correlating log data from multiple security products. Difficulty in discerning actionable events.
Risk type: IT, Operational, Regulatory

Requirement: Scans are typically the initial phase of a network-based attack or penetration test. Regular scans emulating an external attacker, with remediation of the results, are a best practice for maintaining an effective security posture.
Risk: A successful scan may be followed by a software attack that exploits the discovered weaknesses to gain access to the computer's features and data.
Risk type: Data, Operational, Regulatory

Requirement: Secure OS configurations and baselines provide a practical implementation of hardware and software in computer systems, enabling security and systems engineers to perform real-time repair, enable security features, conduct forensic investigations, and carry out preventive maintenance and improvements.
Risk: Lack of audit compliance. IT system configuration and security management become ad hoc and inefficient.
Risk type: Data, IT, Operational, Regulatory

Requirement: Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.
Risk: Unauthorized disclosure of information, disruption of computer services, loss of productivity, financial loss, legal implications, lack of compliance/auditability.
Risk type: Operational, Regulatory
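An estimator of the kind the row describes, as an added example that is not the page's own material: it bounds the expected guesses from the character pools the password draws on, but collapses the estimate when the password is a blocklisted word with a predictable suffix, which is how password crackers actually order their guesses. The blocklist and the 1e10 guesses-per-second rate are constructed assumptions for illustration.

```python
"""Added example (not the page's code): a guess-count estimator for password
strength. Upper bound from character pools, collapsed for blocklisted stems
with a short suffix. Blocklist and crack rate are constructed assumptions."""
import math
import re

# Constructed blocklist; a real deployment uses a breach corpus of millions.
COMMON = {"password", "123456", "qwerty", "letmein", "welcome"}


def pool_size(pw: str) -> int:
    """Size of the alphabet the password draws from (printable ASCII classes)."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"\d", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation and space
    return size


def guess_bits(pw: str) -> float:
    """log2 of the expected number of guesses; about 0 means 'one of the first guesses'."""
    if not pw:
        return 0.0
    low = pw.lower()
    # "Password123!" -> stem "password"; "123456" is itself a blocklisted stem
    stem = low if low in COMMON else re.sub(r"[^a-z]+$", "", low)
    if stem in COMMON:
        suffix = pw[len(stem):]
        # the attacker iterates the blocklist, then appends every short suffix
        bits = math.log2(len(COMMON))
        if suffix:
            bits += len(suffix) * math.log2(pool_size(suffix))
        return bits
    # generic upper bound; overstates passphrases made of dictionary words
    return len(pw) * math.log2(pool_size(pw))


def crack_seconds(pw: str, guesses_per_second: float = 1e10) -> float:
    """Expected time for an offline attacker at the assumed rate (half the space)."""
    return 2 ** (guess_bits(pw) - 1) / guesses_per_second


if __name__ == "__main__":
    for pw in ["Password123!", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{pw!r}: {guess_bits(pw):.1f} bits, ~{crack_seconds(pw):.3g} s at 1e10 guesses/s")
```

The point the numbers make is the one the row states in words: length and unpredictability dominate, and a password built from a common word plus digits and a symbol scores tens of bits lower than a naive pool-size calculation would suggest.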

Requirement: Patch management is the process of using a strategy and plan of which patches should be applied to which systems at a specified time in order to maintain proper functionality and security posture.
Risk: Exposure to vulnerabilities steadily increases over time as new vulnerabilities are discovered daily.
Risk type: IT, Operational, Regulatory

Requirement: The per-computer scope of personal firewalls is useful to protect machines that are moved across different networks. Unlike network firewalls, many personal firewalls are able to control the network traffic allowed to individual programs on the firewalled computer.
Risk: Personal firewall clients are regulatory requirements of multiple security frameworks. Vulnerable systems have no defense against known threats that have penetrated other layers of defense.
Risk type: Operational, Regulatory

Requirement: The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email. It is required for activities where simple passwords are an inadequate authentication method and more rigorous proof is required to confirm the identity of the parties involved in the communication and to validate the information being transferred.
Risk: Digital encryption becomes a manual process with the potential for human error, increasing administrative overhead, and a lack of reporting functionality.
Risk type: Operational, Reputational, Regulatory, Strategic

Requirement: Content filtering controls, including message filtering, can block malware and other content that is or contains hostile, intrusive, or annoying material including adware, spam, computer viruses, worms, trojan horses, and spyware.
Risk: Unauthorized disclosure of information, disruption of computer services, loss of productivity, financial loss due to compromised workstations and servers, reputation loss due to security breach.
Risk type: Operational, IT, Reputational

Requirement: Content filtering controls can block malware and other content that is or contains hostile, intrusive, or annoying material including adware, spam, computer viruses, worms, trojan horses, and spyware.
Risk: Unauthorized disclosure of information, disruption of computer services, loss of productivity, financial loss due to compromised workstations and servers, reputation loss due to security breach.
Risk type: Operational, IT, Reputational

Requirement: Remote access solutions increase the productivity and flexibility of users who work from home computers or from mobile devices such as laptops while working remotely.
Risk: An attacker may intercept information as it travels between the remote user and your intranet; make an unauthorized remote access connection by successfully impersonating a legitimate remote access user; or gain direct access to information that is stored on computers within the intranet.
Risk type: IT, Operational, Regulatory

Requirement: A structured, disciplined methodology and the implementation of compensating controls allow an organization's security posture to improve to an acceptable state based on its risk appetite.
Risk: Lack of audit compliance. IT system and risk management become ad hoc and inefficient.
Risk type: IT, Strategic

Requirement: Rogue device detection is implemented using different techniques including, but not limited to, site survey, MAC address list checking, noise checking and, eventually, wireless traffic analysis.
Risk: Rogue access points and computer-based threats allowing unauthorized access to and use of company resources, as well as providing a staging ground for more complex attacks.
Risk type: Operational, Reputational, Regulatory

Requirement: Sensors utilize passive and active scans on both wired and wireless networks to identify unauthorized systems and report them to security administrators.
Risk: Rogue access points and computer-based threats allowing unauthorized access to and use of company resources, as well as providing a staging ground for more complex attacks.
Risk type: Operational, Reputational, Regulatory

Requirement: Servers, applications, network and security devices generate log files. Errors, problems, and other information are constantly logged and saved for analysis. In order to detect problems automatically, and to support security events, outages, forensics, compliance reporting, and other needs, useful logs must be securely stored and reviewed.
Risk: Lack of ability to investigate security incidents, service outages, compliance audits, suspect employee behavior, errors, and other events that may require legal proceedings.
Risk type: Operational, Reputational, Regulatory

Requirement: An information security operations center is a location where enterprise information systems (web sites, applications, databases, data centers and servers, networks, desktops and other endpoints) are monitored, assessed, and defended.
Risk: Decreased incident response and disaster recovery efficiency. Business continuity efforts become ad hoc and unorganized.
Risk type: Operational, Regulatory, Strategic

Requirement: Certification in the context of information system security means that a system has been analyzed to determine how well it meets all of the security requirements of the organization.
Risk: Loss of system compliance, lack of secure configuration baselines, reduced ability to examine deviations from standards for hardware, software, firmware, and testing procedures.
Risk type: IT, Data, Regulatory

Requirement: Secure network protocols that provide file access, file transfer, and file management over any reliable data stream across insecure networks (the Internet).
Risk: Data transfer is not trustworthy and all other security mechanisms are potentially bypassed, including but not limited to malware injection, eavesdropping, and data theft.
Risk type: IT, Data, Regulatory, Reputational

Requirement: Servers, applications, network and security devices generate log files. Errors, problems, and other information are constantly logged and saved for analysis. In order to detect problems automatically, and to support security events, outages, forensics, compliance reporting, and other needs, useful logs must be securely stored and reviewed.
Risk: Lack of ability to investigate security incidents, service outages, compliance audits, suspect employee behavior, errors, and other events that may require legal proceedings.
Risk type: IT, Operational, Reputational, Regulatory

Requirement: Network segmentation in computer networking is the act or practice of splitting a computer network into subnetworks, each being a network segment. The advantages of such splitting are primarily boosting performance and improving security, since a compromise in one segment cannot reach hosts in another without crossing an enforcement point.
Risk: Overly permissive accessibility, where nodes and clients can reach systems they have no need to access; reduced performance and speed; lack of redundancy.
Risk type: Operational, Regulatory

Requirement: Self-service password reset (SSPR) is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor and repair their own problem, without calling other employees.
Risk: Reduced efficiency and ability to provide reliable authentication of users.
Risk type: Operational, Data, Regulatory

Requirement: The process of enhancing server security through a variety of means, resulting in a much more secure server operating environment due to the advanced security measures put in place during the server hardening process.
Risk: Server nodes are unnecessarily exposed to multiple vulnerabilities due to open ports, open protocols, unnecessary software, and other variables.
Risk type: IT, Regulatory, Reputational

Requirement: The process of enhancing server security through a variety of means, resulting in a much more secure server operating environment due to the advanced security measures put in place during the server hardening process.
Risk: Server nodes are unnecessarily exposed to multiple vulnerabilities due to open ports, open protocols, unnecessary software, and other variables.
Risk type: Data, IT, Operational, Regulatory

Requirement: Certification in the context of information system security means that a system has been analyzed to determine how well it meets all of the security requirements of the organization.
Risk: Loss of system compliance, lack of secure configuration baselines, reduced ability to examine deviations from standards for hardware, software, firmware, and testing procedures.
Risk type: IT, Data, Operational, Regulatory

Requirement: Single Sign-On enables Company XX to have enterprise-class secure single sign-on (SSO) and flexible identity and access management, so that Company XX can authenticate users and control access to web applications and portals. Across Internet, intranet and cloud applications, it helps enable the secure delivery of essential information and applications to Company XX employees, partners, suppliers and customers via secure single sign-on.
Risk: Access control may require a significant investment of time and resources. Without SSO, Company XX customers cannot smoothly access applications, due to multiple accounts and lack of integration, and user and application compromise becomes more likely.
Risk type: IT, Operational

Requirement: A filtering solution applied to your email system uses a set of rules and protocols to determine which incoming messages are spam, fraudulent, or carry malicious software, and which do not. Email filtering software takes email as input. For its output, it might pass the message through unchanged for delivery to the user's mailbox, redirect the message for delivery elsewhere, or discard it. Some mail filters are able to edit messages during processing.
Risk: Increased risk of social engineering attacks, phishing, spam, malware, trojans, account credential theft, and other attacks.
Risk type: Operational, Reputational, Regulatory

Requirement: Cyber Threat Management is a management program enabling early identification of threats, data-driven situational awareness, accurate decision-making, and timely threat-mitigating actions.
Risk: Lack of audit compliance. IT system and risk management become ad hoc and inefficient.
Risk type: Data, IT, Operational, Regulatory, Reputational, Strategic

Requirement: The use of two-factor authentication to prove one's identity is based on the premise that an unauthorized actor is unlikely to be able to supply both factors required for access. If, in an authentication attempt, at least one of the components is missing or supplied incorrectly, the user's identity is not established with sufficient certainty and access to the asset protected by two-factor authentication remains blocked.
Risk: Unauthorized disclosure of information, disruption of computer services, loss of productivity, financial loss due to compromised workstations and servers, reputation loss due to security breach.
Risk type: Data, Operational, Regulatory

Requirement: SeOS is a host-based access control utility that runs on UNIX and Windows NT. It provides granular control over files and resources on the operating system based on access rules stored in a local database. Internally, SeOS operates by intercepting system calls at the kernel and checking each request against the local SeOS database.
Risk: Compliance tools help build default images with protection in mind; out-of-the-box protection may be improved.
Risk type: Data, Operational, Regulatory

Description: Remote access solutions such as VPN architectures increase the productivity and flexibility of users who work from home computers or from mobile devices such as laptops while working remotely.
Risk if not deployed: An attacker may intercept information as it travels between the remote user and your intranet; make an unauthorized remote access connection by successfully impersonating a legitimate remote access user; or gain direct access to information stored on computers within the intranet.
Risk categories: Data, IT, Operational, Regulatory, Reputational, Strategic
Description: Scans are typically the initial phase of a network-based attack or penetration test. Regular scans emulating an external attacker, with remediation of the results, are a best practice for maintaining an effective security posture.
Risk if not deployed: A successful scan by an attacker can be the precursor of a software attack that probes for security weaknesses in order to gain access to the system's functions and data.
Risk categories: IT, Operational, Reputational, Regulatory

Description: Content filtering controls can block malware and other content that is, or contains, hostile, intrusive, or annoying material, including adware, spam, computer viruses, worms, trojan horses, and spyware.
Risk if not deployed: Unauthorized disclosure of information, disruption of computer services, loss of productivity, financial loss due to compromised workstations and servers, reputation loss due to a security breach.
Risk categories: Operational, IT, Reputational

Description: Wireless security provides access control, authentication, and potentially authorization and accounting for corporate networks.
Risk if not deployed: Risk of unauthorized access, rogue systems, stolen bandwidth, and use of the wireless network as a stepping stone by external attackers.
Risk categories: Operational, Regulatory, Reputational

Description: An Active Directory domain controller authenticates and authorizes all users and computers in a Windows domain network, assigning and enforcing security policies for all computers and installing or updating software.
Risk if not deployed: High administrative overhead for account management; lack of audit and compliance visibility regarding authentication, authorization, accounting, roles, and data interchange.
Risk categories: IT, Operational, Regulatory

Description: APTs usually target organizations and/or nations for business or political motives. APT processes require a high degree of covertness over a long period of time.
Risk if not deployed: Compromised systems and attackers remain undiscovered; loss of control.
Risk categories: Strategic, Regulatory, Reputational

Description: All assets shall be clearly identified, documented, and regularly updated in an asset register; shall have designated owners and custodians listed in the asset register; and shall have their CIA (confidentiality, integrity, and availability) rating established in the asset register. All employees shall use company assets according to the acceptable-use-of-assets procedures, and all assets shall be classified according to the company's asset classification guideline.
Risk if not deployed: Unidentified assets cannot be protected, because the security controls are unaware of their presence. Loss of CIA.
Risk categories: Operational, Strategic, Regulatory

Description: Change management ensures that standardized methods, processes, and procedures are used for all changes; facilitates efficient and prompt handling of all changes; and maintains the proper balance between the need for change and the potential detrimental impact of changes.
Risk if not deployed: Change results and outcomes not achieved, unexpected results, lack of ability to restore services quickly.
Risk categories: Operational, Regulatory

Description: Change management ensures that standardized methods, processes, and procedures are used for all changes; facilitates efficient and prompt handling of all changes; and maintains the proper balance between the need for change and the potential detrimental impact of changes.
Risk if not deployed: Change results and outcomes not achieved, unexpected results, lack of ability to restore services quickly.
Risk categories: Operational, Regulatory

Description: Cloud security architecture is effective only if the correct defensive implementations are in place. An efficient cloud security architecture should recognize the issues that will arise with security management and use deterrent, preventive, detective, and corrective controls.
Risk if not deployed: Insecure cloud computing creates the risk of lack of confidentiality during data transfer, MitM attacks, loss of integrity, and compromised hardware at the cloud service provider.
Risk categories: Operational, Regulatory, Reputational

Description: Provides a more solid framework on which to build an IT governance, risk, and compliance (GRC) program.
Risk if not deployed: Lack of audit compliance; IT system and risk management become ad hoc and inefficient.
Risk categories: Operational, Regulatory

Description: Database security is integral to the design and function of a database. There are three important pieces to database security: physical, user, and network. These pieces work in conjunction with policies, standards, and procedures. Policies are directions that support a goal. Standards describe the minimum that must be done toward a goal; performance and tasks can also be scored against a standard to verify how well they meet it.
Risk if not deployed: Unauthorized or unintended activity or misuse by authorized database users, database administrators, or network/systems managers, or by unauthorized users or hackers; malware infections causing incidents such as unauthorized access, leakage or disclosure of personal or proprietary data, deletion of or damage to the data or programs, interruption or denial of authorized access to the database, attacks on other systems, and the unanticipated failure of database services; overloads, performance constraints, and capacity issues resulting in the inability of authorized users to use databases as intended; design flaws and programming bugs in databases and the associated programs and systems, creating various security vulnerabilities, data loss/corruption, performance degradation, etc.; data corruption and/or loss caused by the entry of
Risk categories: Data, Operational, Regulatory

Description: Mobile security is closely related to mobile device management (MDM), a term that specifically applies to protecting mobile devices in enterprise or business environments from loss or theft, as well as protecting the data on those devices.
Risk if not deployed: All smartphones, being computers, are preferred targets of attack. These attacks exploit weaknesses related to smartphones that can come from means of communication such as Short Message Service (SMS, text messaging), Multimedia Messaging Service (MMS), Wi-Fi networks, Bluetooth, and GSM.
Risk categories: Data, Operational, Regulatory

Description: The use of two-factor authentication to prove one's identity rests on the premise that an unauthorized actor is unlikely to be able to supply both factors required for access. If, in an authentication attempt, at least one of the factors is missing or supplied incorrectly, the user's identity is not established with sufficient certainty and access to the asset protected by two-factor authentication remains blocked.
Risk if not deployed: Unauthorized disclosure of information, disruption of computer services, loss of productivity, financial loss due to compromised workstations and servers, reputation loss due to a security breach.
Risk categories: Operational, Regulatory

Description: Network Access Control is a computer networking solution that uses a set of protocols to define and implement a policy describing how to secure access to network nodes by devices when they first attempt to access the network. NAC may integrate an automatic remediation process.
Risk if not deployed: Risk of unauthorized access, rogue systems, stolen bandwidth, and use of the network as a stepping stone by external attackers.
Risk categories: IT, Operational, Reputational, Regulatory

Description: Risk management tools such as Archer are software that enables an organization to deploy a systematic and methodical approach to identify, assess, decide on, treat, and monitor risks, and to optimize the management of risk consistent with the organization's risk appetite.
Risk if not deployed: Inefficiency in risk management processes.
Risk categories: Operational, Regulatory

Description: Servers, applications, network devices, and security devices generate log files. Errors, problems, and other information are constantly logged and saved for analysis. To detect problems automatically, and to support security events, outage handling, forensics, compliance reporting, and other needs, useful logs must be securely stored (protected from tampering and deletion, with synchronized timestamps) and regularly reviewed.
Risk if not deployed: Lack of ability to investigate security incidents, service outages, compliance audits, suspect employee behavior, errors, and other events that may require legal proceedings.
Risk categories: IT, Operational, Regulatory
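The two halves of that row, secure storage and review, are shown together below on constructed sample lines. This is an added example, not code from the original assessment: records are appended to a SHA-256 hash chain so that a later edit or deletion of any record is detectable, and a review pass over the stored records flags a source with a burst of failed logins and reports whether a success from the same source followed. The simplified syslog-style line format, the threshold and the sample data are assumptions for the example.

```python
"""Added example: tamper-evident log chain plus a brute-force review pass.
Not part of the original assessment; line format and samples are constructed."""
import hashlib
import re
from collections import defaultdict

# Constructed sample records (simplified sshd-style lines).
SAMPLE = [
    "2024-05-01T10:00:01 sshd[811]: Failed password for admin from 203.0.113.7",
    "2024-05-01T10:00:02 sshd[811]: Failed password for admin from 203.0.113.7",
    "2024-05-01T10:00:03 sshd[811]: Failed password for root from 203.0.113.7",
    "2024-05-01T10:00:04 sshd[811]: Failed password for admin from 203.0.113.7",
    "2024-05-01T10:00:05 sshd[811]: Failed password for admin from 203.0.113.7",
    "2024-05-01T10:00:09 sshd[811]: Accepted password for admin from 203.0.113.7",
    "2024-05-01T10:03:00 sshd[812]: Failed password for bob from 198.51.100.9",
]
LINE_RE = re.compile(r"^(\S+) \S+: (Failed|Accepted) password for (\S+) from (\S+)$")
GENESIS = "0" * 64   # previous-hash value for the first record


def chain_append(chain: list, line: str) -> dict:
    """Append a record whose hash covers the line and the previous record's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    digest = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
    rec = {"line": line, "prev": prev, "hash": digest}
    chain.append(rec)
    return rec


def chain_verify(chain: list) -> int:
    """Index of the first broken link (edited or deleted record), or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = hashlib.sha256((prev + "\n" + rec["line"]).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return i
        prev = rec["hash"]
    return -1


def detect_bruteforce(chain: list, threshold: int = 5) -> list:
    """Sources with at least `threshold` failed logins, and whether a later
    success from the same source followed (a likely account compromise)."""
    failures = defaultdict(int)
    success_after = set()
    for rec in chain:
        m = LINE_RE.match(rec["line"])
        if not m:
            continue                      # unparsed lines are kept, not dropped
        _, result, _, src = m.groups()
        if result == "Failed":
            failures[src] += 1
        elif failures[src] >= threshold:
            success_after.add(src)
    return [{"source": s, "failures": n, "success_after": s in success_after}
            for s, n in failures.items() if n >= threshold]


if __name__ == "__main__":
    chain = []
    for line in SAMPLE:
        chain_append(chain, line)
    print("intact:", chain_verify(chain) == -1)
    print(detect_bruteforce(chain))
```

A hash chain on its own only proves that the log is consistent with the last hash the verifier holds; anchoring that head hash somewhere the log host cannot write (a remote collector, a signed daily record) is what makes the detection meaningful after the host itself is compromised.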

Description: The most common use of certificates is for HTTPS-based web sites. A web browser validates that a TLS (Transport Layer Security) web server is authentic, so that the user can be confident that their interaction with the web site has no eavesdroppers and that the web site is who it claims to be. That assurance depends on the client checking the chain to a trusted root, the host name in the certificate, the validity period, and revocation status; a self-signed, expired, or mis-named certificate that the client accepts anyway gives no such assurance.
Risk if not deployed: Risk of lack of domain, organization, and extended validation of the connecting host.
Risk categories: Operational, Regulatory, Reputational
Description: Access control or access management systems provide the essential services of authorization, identification and authentication, access approval, and accountability: authorization specifies what a user can do; identification and authentication ensure that only legitimate users can log on to a system; access approval grants access during operations by associating users with the resources they are allowed to access, based on the authorization policy; and accountability identifies what a user has done.
Risk if not deployed: Unauthorized disclosure of information, disruption of computer services, loss of productivity, financial loss, legal implications, lack of compliance/auditability.
Risk categories: IT, Data, Operational, Regulatory

Description: Monitoring actual user interaction with a website or an application is important to operators to determine whether users are being served quickly and without errors and, if not, which part of a business process is failing.
Risk if not deployed: Without effective privileged user monitoring, these users can cause immense damage without ever being detected. In addition, industry and compliance regulations including PCI DSS, SOX, and others require that privileged users be closely monitored and their activities authorized.
Risk categories: Data, Regulatory

Description: Scans are typically the initial phase of a network-based attack or penetration test. Regular scans emulating an external attacker, with remediation of the results, are a best practice for maintaining an effective security posture.
Risk if not deployed: A successful scan by an attacker can be the precursor of a software attack that probes for security weaknesses in order to gain access to the system's functions and data.
Risk categories: Data, Operational, Reputational, Regulatory

Description: Content filtering controls can block malware and other content that is, or contains, hostile, intrusive, or annoying material, including adware, spam, computer viruses, worms, trojan horses, and spyware.
Risk if not deployed: Unauthorized disclosure of information, disruption of computer services, loss of productivity, financial loss due to compromised workstations and servers, reputation loss due to a security breach.
Risk categories: Operational, IT, Reputational

Risk assessment detail (completed RA for the technical features). Columns, in the order the ratings are given for each row below:
Vulnerabilities, exposures and exploits mitigated by the product or service.
CIA (confidentiality, integrity and availability) rating: high, medium or low.
FIPS 199 impact level if the product or service is not deployed at Company XX: high, medium or low.
Likelihood (L/M/H) that the event could happen given the tool and procedure Company XX has deployed (consider other defense-in-depth tools and procedures).
Business impact if the risk or vulnerability is exploited: high, medium or low.
Residual risk given the deployed tool or compensating controls: high, medium or low (a "?" means not yet rated).
Applicable NIST SP 800-53 control families.

Vulnerabilities mitigated: Infectious malware: virus, trojan, rootkit, backdoor, zombie computer, man-in-the-middle, man-in-the-browser, man-in-the-mobile, clickjacking.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/H/L/H/M
NIST controls: AC, AU, CM, RA, SI, MP

Vulnerabilities mitigated: Data loss, data theft, loss of account management efficiency and of the ability to rapidly remove unneeded privileges, remove stale accounts, and automate access control account settings.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/M/H/H/L
NIST controls: AC, IA, PS

Vulnerabilities mitigated: Viruses, worms, trojan horses, backdoors. Without the control, known (non-zero-day) classes of malware reaching the host cannot be neutralized, and potentially unknown threats (where heuristic detection functions are present) cannot be detected, learned from, or baselined as they enter or leave the host.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/H/H/L
NIST controls: AU, CM, SC
Vulnerabilities mitigated: Inability to identify known application vulnerabilities pre-production, after code changes, and pre-compromise: fraud and e-commerce attacks, cross-site scripting, code injection, security misconfiguration, and many others.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/H/H/H
NIST controls: AC, SA, SC, SI


Vulnerabilities mitigated: Fraud and e-commerce attacks, code injection, cross-site scripting, and many others; inability to identify them.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/M/H/M
NIST controls: CA, AC, CM, RA, SI, SC, PM

Vulnerabilities mitigated: No control of data confidentiality in an unregulated environment (the internet); inability to meet industry and government regulations; no safe harbor from breach notification; no privacy and data assurance or secure data storage.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/H/H/H/L
NIST controls: AC, IA, PS, SC, SI

Vulnerabilities mitigated: Inability to prevent loss of reputation, business, and/or fines due to failed audit requirements.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/L/L/M/L
NIST controls: AT, AU, CM, PL, RA, SA, SI

Vulnerabilities mitigated: Lack of configuration baselines for information systems, network, and other devices, dramatically increasing workload and inefficiency. Configuration management tools can be employed to measure the settings of the installed software and to look for deviations from the standard image configurations used by the organization.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/H/H/L
NIST controls: CM, SC, SI, IR
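The measurement that row describes, reading a host's installed settings and reporting deviations from the standard image, is shown below for one configuration file. This is an added example, not code from the original assessment or from any configuration management product: the baseline is expressed as required keyword/value pairs, the host's file (a constructed sshd_config-style text) is parsed with first-occurrence-wins semantics, and each deviation is reported with whether the offending value was set explicitly or silently inherited from a daemon default. The baseline values, the default table and the sample file are assumptions for the example.

```python
"""Added example: baseline drift check over a constructed config file.
Not part of the original assessment; baseline and sample are assumptions."""
import re

# Assumed standard-image values for the settings the baseline cares about.
BASELINE = {
    "PasswordAuthentication": "no",
    "PermitRootLogin": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
    "LogLevel": "VERBOSE",
}
# Assumed daemon defaults that apply when a keyword is absent. Listing them
# is what lets the check catch a weak setting that is inherited rather than set.
DEFAULTS = {
    "PasswordAuthentication": "yes",
    "PermitRootLogin": "prohibit-password",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
    "LogLevel": "INFO",
}

HOST_CONFIG = """# constructed sample from a drifted host
Port 22
PermitRootLogin yes
X11Forwarding no
MaxAuthTries 10
# PasswordAuthentication left commented out, so the default applies
#PasswordAuthentication no
"""


def parse_config(text: str) -> dict:
    """Keyword/argument pairs; comments stripped; first occurrence wins."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\S+)\s+(.+)$", line)
        if m and m.group(1) not in settings:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def drift(observed: dict, baseline: dict = BASELINE, defaults: dict = DEFAULTS) -> list:
    """Deviations as (key, expected, actual, source); source is 'explicit' when
    the host set the value and 'default' when it was inherited by omission."""
    out = []
    for key, expected in baseline.items():
        if key in observed:
            actual, source = observed[key], "explicit"
        else:
            actual, source = defaults.get(key), "default"
        if actual != expected:
            out.append((key, expected, actual, source))
    return out


if __name__ == "__main__":
    for item in drift(parse_config(HOST_CONFIG)):
        print("%-24s expected %-10s found %-18s (%s)" % item)
```

The `source` field is the part worth keeping in a real tool: an explicit deviation is usually a deliberate local change that needs a change record, while an inherited one is most often a missing line that a baseline push will fix.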

Vulnerabilities mitigated: Fraud and e-commerce attacks, code injection, cross-site scripting, and many others; inability to identify them.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/H/H/H/M
NIST controls: AC, IA, CA, RA, SC, PM

Vulnerabilities mitigated: Applications (type dependent) vulnerable to cross-site scripting, SQL injection, path disclosure, denial of service, arbitrary code execution, memory corruption, cross-site request forgery, data breach (information disclosure), arbitrary/local/remote file inclusion, buffer overflow, code injection, and others.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/M/M/H/L
NIST controls: AC, AU, SC
Vulnerabilities mitigated: Dependent upon the features implemented. Potential reduction of residual risk in all areas.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/H/H/M
NIST controls: AC, AU, CM, IA, SC, SI

Vulnerabilities mitigated: Bandwidth inefficiency; risk of loss of availability due to broadcast storms, distributed DoS, DDoS extortion, reflected spoofing, application-level attacks, and more.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/M/H/H/L
NIST controls: CP, IR, PE, SC, SI

Vulnerabilities mitigated: Loss of data confidentiality for lost devices; inability to meet industry and government regulations; no safe harbor from breach notification; lack of privacy and data assurance or secure data storage.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/M/M/L
NIST controls: CM, SI
Vulnerabilities mitigated: Lack of ability to provide data confidentiality in an unregulated environment (the internet); inability to meet industry and government regulations; no safe harbor from breach notification; lack of privacy and data assurance; reduced or no secure data storage.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/H/H/L
NIST controls: AC, SI

Vulnerabilities mitigated: Lack of ability to provide data confidentiality in an unregulated environment (the internet); inability to meet industry and government regulations; no safe harbor from breach notification; lack of privacy and data assurance; reduced or no secure data storage.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/L/H/M
NIST controls: SC, SI

Vulnerabilities mitigated: Inability to identify and quickly disable inactive user accounts, leaving the Windows network open to potentially serious security breaches that cannot be prevented either internally or externally.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/M/M/H/L
NIST controls: AC, AU

Vulnerabilities mitigated: Email-based social engineering, data loss, data theft, spam, spear-phishing attacks, compromised workstations, and compromised accounts.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/M/L/H/L
NIST controls: AT, SC, SI

Vulnerabilities mitigated: Email-based social engineering, data loss, data theft, spam, spear-phishing attacks, compromised workstations, and compromised accounts.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/M/L/H/M
NIST controls: SC

Vulnerabilities mitigated: Inability to prevent exposure to all known (non-zero-day) classes of malware: malware that reaches the host cannot be neutralized, and potentially unknown threats (where heuristic detection functions are present) cannot be detected, learned from, or baselined as they enter or leave the host.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/H/M/H/L
NIST controls: PL, SA, SC, SI

Vulnerabilities mitigated: Lack of knowledge of the attack surface and of the information publicly available to attackers. An organization needs insight into malicious attack behavior and into the vulnerabilities visible to third parties in order to have the opportunity to remediate before a real attack.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): L/M/M/M/L
NIST controls: AU, RA, SI

Vulnerabilities mitigated: Inability to expose exploited vulnerabilities or to see the cycle of an attack to aid remediation; inability to prevent future attacks; inability to pass audits.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/M/H/H
NIST controls: AC, AU, IR

Vulnerabilities mitigated: Lack of traffic optimization, redundancy, or bandwidth efficiency; DoS attacks, malicious scans, network-based intrusions, and more.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/M/H/H/L
NIST controls: AC, CM, SC
Vulnerabilities mitigated: Inability to achieve higher levels of business integrity through corporate governance, internal control, and transparency. Loss of revenue and reputation.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): not recorded for this row
NIST controls: AU, IA
Vulnerabilities mitigated: Lack of ability to provide data confidentiality in an unregulated environment (the internet); inability to meet industry and government regulations; no safe harbor from breach notification; lack of privacy and data assurance; reduced or no secure data storage.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/H/L/H/L
NIST controls: SC, SI

Vulnerabilities mitigated: Lack of knowledge of the attack surface and of the information publicly available to attackers. An organization needs insight into malicious attack behavior and into the vulnerabilities visible to third parties in order to have the opportunity to remediate before a real attack.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): L/L/L/L/L
NIST controls: PL

Vulnerabilities mitigated: Inability to prevent exposure to all known (non-zero-day) classes of malware: malware that reaches the host cannot be neutralized, and potentially unknown threats (where heuristic detection functions are present) cannot be detected, learned from, or baselined as they enter or leave the host.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/M/M/H/H
NIST controls: CM, IR, PM, SC, SI

Vulnerabilities mitigated: Inability to prevent exposure to all known (non-zero-day) classes of malware: malware that passes through network boundaries cannot be neutralized, and potentially unknown threats (where heuristic detection functions are present) cannot be detected, learned from, or baselined as they enter or leave the network.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/M/M/H/H
NIST controls: CM, IR, PM, SC, SI
Vulnerabilities mitigated: Inability to prevent exposure to all known (non-zero-day) classes of malware: malware that passes through network boundaries cannot be neutralized, and potentially unknown threats (where heuristic detection functions are present) cannot be detected, learned from, or baselined as they enter or leave the network.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/M/M/H/H
NIST controls: CM, IR, PM, SC, SI

Vulnerabilities mitigated: Failure to identify users in order to properly authenticate them and authorize the correct permissions, exposing data, systems, and resources to malicious parties. Identity management systems, products, applications, and platforms manage identifying and ancillary data about entities including individuals, computer-related hardware, and applications. IdM covers issues such as how users gain an identity, the protection of that identity, and the technologies supporting that protection (e.g., network protocols, digital certificates, passwords). Without proper identity management there is no access control.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/M/H/H/H
NIST controls: AC, IA, PL, SC
Vulnerabilities mitigated: Failure to identify users in order to properly authenticate them and authorize the correct permissions, exposing data, systems, and resources to malicious parties. Identity management systems, products, applications, and platforms manage identifying and ancillary data about entities including individuals, computer-related hardware, and applications. IdM covers issues such as how users gain an identity, the protection of that identity, and the technologies supporting that protection (e.g., network protocols, digital certificates, passwords). Without proper identity management there is no access control.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/M/H/H/H
NIST controls: AC, IA, PL, SC

Vulnerabilities mitigated: Increased difficulty and inefficiency in security control selection and specification with respect to effectiveness, efficiency, and the constraints imposed by applicable laws, directives, executive orders, policies, standards, or regulations.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/H/H/H
NIST controls: AT, PL, PM, RA, SA, SI

Vulnerabilities mitigated: Lack of knowledge of the internal attack surface and of the information available internally to malicious trusted parties. An organization needs insight into malicious attack behavior and into the vulnerabilities visible to third parties in order to have the opportunity to remediate before a real attack.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): L/L/M/M/L
NIST controls: CA, RA
Vulnerabilities mitigated: Failure to identify users in order to properly authenticate them and authorize the correct permissions, exposing data, systems, and resources to malicious parties. Identity management systems, products, applications, and platforms manage identifying and ancillary data about entities including individuals, computer-related hardware, and applications. IdM covers issues such as how users gain an identity, the protection of that identity, and the technologies supporting that protection (e.g., network protocols, digital certificates, passwords). Without proper identity management there is no access control.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/M/H/H/H
NIST controls: AC, AU, IA, SC

Vulnerabilities mitigated: Inability to expose exploited vulnerabilities or to see the cycle of an attack to aid remediation; inability to prevent future attacks; inability to pass audits.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/M/H/H
NIST controls: AC, AU, IR

Vulnerabilities mitigated: Malware known (non-zero-day) to the selected vendor can be neutralized, and potentially unknown threats as well where heuristic detection functions are present, before malicious traffic reaches its target/destination.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/M/H/H/H
NIST controls: SC, SI

Vulnerabilities mitigated: Inability to provide proactive management, baselining, or trend analysis, to address issues before they become problems, to assist forensics, or to support outage investigation.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/L/H/H
NIST controls: AC, AU, IR
Vulnerabilities mitigated: Inability to provide proactive management, baselining, or trend analysis, to address issues before they become problems, to assist forensics, or to support outage investigation.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/L/H/H
NIST controls: AC, AU, IR

Vulnerabilities mitigated: Reduced security administrator efficiency; inefficient incident detection and response capabilities, potentially exposing all the vulnerabilities a NIDS would otherwise detect.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/M/H/H
NIST controls: AU, SC, SI

Vulnerabilities mitigated: Inability to prevent exposure to all known (non-zero-day) classes of malware: malware that passes through network boundaries cannot be neutralized, and potentially unknown threats (where heuristic detection functions are present) cannot be detected, learned from, or baselined as they enter or leave the network.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/M/H/H
NIST controls: AU, SC, SI

Vulnerabilities mitigated: Inability to identify known application vulnerabilities pre-production, after code changes, and pre-compromise: fraud and e-commerce attacks, cross-site scripting, code injection, security misconfiguration, and many others.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/H/H/L
NIST controls: CA, CM, RA, SI

Vulnerabilities mitigated: Lack of ability to define and enforce formal policies and procedures that govern asset identification, status monitoring, and auditing; inability to use proactive, preventive, and predictive measures; less accurate analysis of the impact of potential changes to hardware, software, firmware, documentation, testing procedures, etc.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/H/H/H
NIST controls: AC, CM, SC, SI
Vulnerabilities mitigated: Password attacks (dictionary, rainbow table), difficulty enforcing appropriate access for all staff, reduced effectiveness of identity management and access auditing; loss of preservation and protection of personal information entrusted to the organization's care.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/H/H/L
NIST controls: AC, AU, IA, MA, RA

Vulnerabilities mitigated: Lack of knowledge of the attack surface and of the information publicly available to attackers. Servers and workstations can remain unpatched, leaving vulnerabilities unmanaged and exposures increasing over time. An organization needs insight into malicious attack behavior and into the vulnerabilities visible to third parties in order to have the opportunity to remediate before a real attack.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/H/H/L
NIST controls: AC, CM, IA, PL, SI

Vulnerabilities mitigated: Infectious malware: virus, trojan, rootkit, backdoor, zombie computer, man-in-the-middle, man-in-the-browser, man-in-the-mobile, clickjacking.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/M/H/H/L
NIST controls: PL, SA, SC, SI

Vulnerabilities mitigated: Failure to provide data confidentiality in an unregulated environment (the internet) or to meet industry and government regulations; no safe harbor from breach notification; no privacy and data assurance or secure data storage.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/H/H/H/L
NIST controls: AC, IA, PS, SC, SI
Vulnerabilities mitigated: Applications (type dependent) vulnerable to cross-site scripting, SQL injection, path disclosure, denial of service, arbitrary code execution, memory corruption, cross-site request forgery, data breach (information disclosure), arbitrary/local/remote file inclusion, buffer overflow, code injection, and others.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/M/L/H/L
NIST controls: AC, CM, SC, SI


Vulnerabilities mitigated: Applications (type dependent) vulnerable to cross-site scripting, SQL injection, path disclosure, denial of service, arbitrary code execution, memory corruption, cross-site request forgery, data breach (information disclosure), arbitrary/local/remote file inclusion, buffer overflow, code injection, and others.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/M/H/H/H
NIST controls: AC, CM, SC


Vulnerabilities mitigated: Man-in-the-middle (MitM) attacks, loss of data confidentiality, loss of credentials.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/M/H/H/L
NIST controls: AC, IA, SC


Vulnerabilities mitigated: Inefficiency or failure in security control selection and specification that considers effectiveness, efficiency, and the constraints imposed by applicable laws, directives, executive orders, policies, standards, or regulations.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/H/H/H
NIST controls: AT, PL, PM, RA, SA, SI
Vulnerabilities mitigated: Unauthorized system access, poor resource utilization, and stepping-stone entry points for malicious third parties.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/M/M/H/L
NIST controls: AC, CM, IA, SA


Vulnerabilities mitigated: Unauthorized system access, poor resource utilization, and stepping-stone entry points for malicious third parties.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/H/M/H/L
NIST controls: AC, CM, IA, SA

Vulnerabilities mitigated: Lack of data analytics that would provide proactive management, baselining, trend analysis, and the possibility of addressing issues before they become problems, assisting forensics, and supporting outage investigation. Reduced efficiency of incident response and event management.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/L/H/H
NIST controls: AC, AU, IR

Vulnerabilities mitigated: Inability to protect sensitive data; failure to comply with industry rules such as PCI DSS or with government rules such as CESG GPG53.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/H/H/H/? (residual risk not yet rated)
NIST controls: AU, CP, IR, PE, CA

Vulnerabilities mitigated: Inability to define and enforce formal policies and procedures that govern asset identification, status monitoring, and auditing; inability to make better use of proactive, preventive, and predictive measures; reduced accuracy of analysis of the impact of potential changes to hardware, software, firmware, documentation, testing procedures, etc.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/M/H/H
NIST controls: CA, CM, IA, SI

Vulnerabilities mitigated: Man-in-the-middle (MitM) attacks, loss of data confidentiality, loss of credentials.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/H/M/H/L
NIST controls: AU, CM, SC, SI

Vulnerabilities mitigated: Lack of data analytics that would provide proactive management, baselining, trend analysis, and the possibility of addressing issues before they become problems, assisting forensics, and supporting outage investigation. Reduced efficiency of incident response and event management.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/M/L/M/L
NIST controls: AC, AU, SC

Vulnerabilities mitigated: Bandwidth congestion; lack of security through inability to control endpoint access to restricted networks, contain network problems, and control visitor access; loss of the bandwidth utilization control that would assist in containing APTs.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/M/H/H/M
NIST controls: PL, SC

Vulnerabilities mitigated: Inability to expedite problem resolution for users, which increases help desk call volume. Cannot ensure that password problems are resolved only after adequate user authentication, which would reduce the risk of social engineering attacks.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/M/L/M/M
NIST controls: AC, AU

Vulnerabilities mitigated: Increased server attack surface and decreased security posture due to weaknesses such as lack of a local firewall, unnecessary software and services, lack of account management, administrative logins, and more.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/M/H/H/L
NIST controls: AU, CM, PL, RA, SI

Vulnerabilities mitigated: Increased server attack surface and decreased security posture due to weaknesses such as lack of a local firewall, unnecessary software and services, lack of account management, administrative logins, and more.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/M/H/H/L
NIST controls: AU, CM, PL, RA, SI

Vulnerabilities mitigated: Inability to define and enforce formal policies and procedures that govern asset identification, status monitoring, and auditing; inability to make better use of proactive, preventive, and predictive measures; reduced accuracy of analysis of the impact of potential changes to hardware, software, firmware, documentation, testing procedures, etc.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/M/H/H
NIST controls: AU, CM, PL, RA, SI

Vulnerabilities mitigated: Password compromise and application compromise; prevents numerous accounts from being created; enhanced monitoring and filtering.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/M/H/H/H
NIST controls: AC, IA, PL, SC

Vulnerabilities mitigated: Email-based social engineering, spear-phishing, data loss, data theft, compromised workstations, and compromised accounts.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/M/L/M/L
NIST controls: AU, SI, SC

Vulnerabilities mitigated: Inability to use automated intelligence gathering and threat analytics; comprehensive methodologies for real-time monitoring, including advanced techniques such as behavioral modeling; analytics to optimize and generate security intelligence and provide situational awareness; and technology and skilled people leveraging situational awareness to enable rapid decisions and automated or manual actions dictated by policies and procedures. This is vital to APT and IR initiatives.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/H/H/H/H
NIST controls: AU, SA

Vulnerabilities mitigated: Credential guessing and dictionary attacks, identity theft, and other online fraud and access attempts. Systems protected by passwords alone increase the likelihood of giving malicious third parties access to organizational information or resources.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/M/H/L
NIST controls: AC, IA, MA

Vulnerabilities mitigated: Unnecessarily open ports, unused and vulnerable software, lack of automatic patching configurations; operating systems that employ few security mechanisms, with a default build favoring ease of use and functionality over security.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/M/L/M/M
NIST controls: CM, SI

Vulnerabilities mitigated: Man-in-the-middle (MitM) attacks, loss of data confidentiality, loss of credentials.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/M/H/H/L
NIST controls: AC, AU, SC

Vulnerabilities mitigated: Lack of knowledge of the attack surface and of the information publicly available to attackers. Servers and workstations can remain unpatched, leaving vulnerabilities unmanaged and exposures increasing over time. An organization needs insight into malicious attack behavior and into the vulnerabilities visible to third parties in order to have the opportunity to remediate before a real attack.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/H/M/H/L
NIST controls: AU, RA, SI

Vulnerabilities mitigated: Applications (type dependent) vulnerable to cross-site scripting, SQL injection, path disclosure, denial of service, arbitrary code execution, memory corruption, cross-site request forgery, data breach (information disclosure), arbitrary/local/remote file inclusion, buffer overflow, code injection, and others.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/M/H/H/H
NIST controls: AC, CM, SC


Vulnerabilities mitigated: Man-in-the-middle (MitM) attacks, loss of data confidentiality due to eavesdropping, loss of credentials.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/M/M/H/L
NIST controls: AC, AU, CM, SC, SI

Vulnerabilities mitigated: Gaps in antivirus and antimalware deployments, incomplete patching, outdated applications and operating systems, misconfiguration, lack of secure application development practices, and more.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/H/H/H/L
NIST controls: AC, AU, CM, SC, SI

Vulnerabilities mitigated: APTs, lack of rapid incident response, reduced inter-team communication during events, poor efficiency. IR, especially in response to APTs, would involve a CIOC, a well-plan­ned security architecture, a security intelligence lifecycle, and common control frameworks.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/H/M/H/M
NIST controls: AU, PL, RA, SI
Vulnerabilities mitigated: Poor or reduced security posture through lack of accurate inventory assessments regarding patch and account management, security controls, and unidentified system and data custodians.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/H/H/H/? (residual risk not yet rated)
NIST controls: AU, PE, PL

Vulnerabilities mitigated: Increased risk of unexpected results of change, reduced recovery efficiency, and lost lessons learned. Required by multiple audit frameworks.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/M/H/H
NIST controls: AU, CA, CM

Vulnerabilities mitigated: Increased risk of unexpected results of change, reduced recovery efficiency, and lost lessons learned. Required by multiple audit frameworks.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/M/H/L
NIST controls: AU, CM, SA

Vulnerabilities mitigated: Insecure data transfer, insecure software interfaces, insecure stored data, lack of user access control, poor or no data or security separation between multiple tenants on shared systems.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/H/M/H/H
NIST controls: AC, CM, SC

Vulnerabilities mitigated: Inefficient configuration assessment procedures and lack of a unified view of security controls and vulnerabilities; no streamlining of vulnerability and risk management tools or reporting.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/M/L/M/M
NIST controls: AU, CM, SI
Vulnerabilities mitigated: Dependent upon the features implemented. Potential reduction of residual risk in all areas.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/H/H/? (residual risk not yet rated)
NIST controls: AC, AU, CM, IR, MA, SI

Vulnerabilities mitigated: Malware, password cracking, messaging-based attacks, OS vulnerabilities, software vulnerabilities.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/M/H/H/H
NIST controls: AC, CM, SC

Vulnerabilities mitigated: Credential guessing and dictionary attacks, identity theft, and other online fraud and access attempts. Systems protected by passwords alone increase the likelihood of giving malicious third parties access to organizational information or resources.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): M/H/M/H/L
NIST controls: AC, IA, MA

Vulnerabilities mitigated: Inability to prevent unauthorized users, or workstations lacking antivirus, patches, or host intrusion prevention software, from accessing the network and placing other computers at risk of cross-contamination by worms; no policy enforcement; increased difficulty with identity and access management.
Ratings (CIA/FIPS/Likelihood/Impact/Residual): H/M/H/H/L
NIST controls: AC, CM, IA, SC

Inefficiency in risk identification, assessment, treatment and monitoring.
Ratings: L M L M M. Control families (NIST SP 800-53): AU, RA.

Inability to provide proactive management, baselining, trend analysis, or addressing of issues before they become problems; reduced ability to assist forensics or outage investigation.
Ratings: M H L H H. Control families (NIST SP 800-53): AC, AU, IR.

Loss of data confidentiality in an unregulated environment (internet); cannot meet industry and government regulations; no safe harbor from breach notification; lack of privacy and data assurance and of secure data storage.
Ratings: H L L H L. Control families (NIST SP 800-53): AU, SC.
Data loss, data theft, unauthorized access to resources, and lack of use of information; auditing/compliance/reporting/forensic requirements due to lack of trust; no granular control of access for specific users.
Ratings: H M H H L. Control families (NIST SP 800-53): AC, IA, SI.

Misuse of system privileges and regulatory compliance; need to identify unauthorized privilege changes, eliminate excessive rights/permissions, and implement separation of duties and least privilege.
Ratings: M H M H H. Control families (NIST SP 800-53): AC, AU, CM, SI.

Lack of knowledge of the attack surface and of the information publicly available to hackers. Servers and workstations can remain unpatched, causing vulnerabilities to go unmanaged and exposures to increase over time. An organization needs insight into malicious attack behavior and the vulnerabilities exposed to third parties in order to have the opportunity to remediate prior to a true attack.
Ratings: M H H H L. Control families (NIST SP 800-53): CA, CM, RA, SI.

Applications (type dependent) vulnerable to: cross-site scripting, SQL injection, path disclosure, denial-of-service attack, arbitrary code execution, memory corruption, cross-site request forgery, data breach (information disclosure), arbitrary file inclusion, local file inclusion, remote file inclusion, buffer overflow, code injection, others.
Ratings: M M H H L. Control families (NIST SP 800-53): AU, AC.
Business impact if the risk or vulnerability is exploited | Residual risk given RI deployed tool or compensating controls
H | M
H | L
M | L
H | H
H | M
H | M
M | M
M | L
H | M
M | L
M | H
H | L
H | L
M | L
M | M
H | L
H | L
M | L
L | L
M | L
H | M
H | L
H | L
L | L
H | H
H | L
H | M
H | L
H | L
H | M
L | L
H | L
H | M
H | H
H | H
H | L
H | M
H | L
H | L
H | H
H | L
H | L
H | L
H | M
H | L
H | L
H | L
H | M
H | L
H | L
H | H
H | ?
H | M
H | L
M | L
M | L
M | L
H | L
H | L
H | M
H | L
M | L
H | H
H | L
M | M
H | L
H | L
H | L
H | L
H | L
H | M
H | ???
H | H
H | L
H | H
M | M
H | ???
H | L
H | L
H | L
M | M
H | H
H | L
H | L
H | H
H | L
M | L
