11.1003 - Computer and Information Systems Security/Information Assurance (2017)

Plus Technical

Plus I. IDENTIFY
  Plus A. Asset Management
    1. Physical devices and systems within the organization are inventoried
    2. Software platforms and applications within the organization are inventoried
    3. Organizational communication and data flows are mapped
    4. External information systems are catalogued
    5. Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
    6. Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
  Plus B. Business Environment
    1. The organization’s role in the supply chain is identified and communicated
    2. The organization’s place in critical infrastructure and its industry sector is identified and communicated
    3. Priorities for organizational mission, objectives, and activities are established and communicated
    4. Dependencies and critical functions for delivery of critical services are established
    5. Resilience requirements to support delivery of critical services are established
  Plus C. Governance
    1. Organizational information security policy is established
    2. Information security roles & responsibilities are coordinated and aligned with internal roles and external partners
    3. Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
    4. Governance and risk management processes address cybersecurity risks
  Plus D. Risk Assessment
    1. Asset vulnerabilities are identified and documented
    2. Threat and vulnerability information is received from information sharing forums and sources
    3. Threats, both internal and external, are identified and documented
    4. Potential business impacts and likelihoods are identified
    5. Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
    6. Risk responses are identified and prioritized
  Plus E. Risk Management Strategy
    1. Risk management processes are established, managed, and agreed to by organizational stakeholders
    2. Organizational risk tolerance is determined and clearly expressed
    3. The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
Plus II. PROTECT
  Plus A. Access Control
    1. Identities and credentials are managed for authorized devices and users
    2. Physical access to assets is managed and protected
    3. Remote access is managed
    4. Access permissions are managed, incorporating the principles of least privilege and separation of duties
    5. Network integrity is protected, incorporating network segregation where appropriate
  Plus B. Awareness and Training
    1. All users are informed and trained
    2. Privileged users understand roles & responsibilities
    3. Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities
    4. Senior executives understand roles & responsibilities
    5. Physical and information security personnel understand roles & responsibilities
  Plus C. Data Security
    1. Data-at-rest is protected
    2. Data-in-transit is protected
    3. Assets are formally managed throughout removal, transfers, and disposition
    4. Adequate capacity to ensure availability is maintained
    5. Protections against data leaks are implemented
    6. Integrity checking mechanisms are used to verify software, firmware, and information integrity
    7. The development and testing environment(s) are separate from the production environment
  Plus D. Information Protection Processes and Procedures
    1. A baseline configuration of information technology/industrial control systems is created and maintained
    2. A System Development Life Cycle to manage systems is implemented
    3. Configuration change control processes are in place
    4. Backups of information are conducted, maintained, and tested periodically
    5. Policy and regulations regarding the physical operating environment for organizational assets are met
    6. Data is destroyed according to policy
    7. Protection processes are continuously improved
    8. Effectiveness of protection technologies is shared with appropriate parties
    9. Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
    10. Response and recovery plans are tested
    11. Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
    12. A vulnerability management plan is developed and implemented
  Plus E. Maintenance
    1. Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools
    2. Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
  Plus F. Protective Technology
    1. Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
    2. Removable media is protected and its use restricted according to policy
    3. Access to systems and assets is controlled, incorporating the principle of least functionality
    4. Communications and control networks are protected
Plus III. DETECT
  Plus A. Anomalies and Events
    1. A baseline of network operations and expected data flows for users and systems is established and managed
    2. Detected events are analyzed to understand attack targets and methods
    3. Event data are aggregated and correlated from multiple sources and sensors
    4. Impact of events is determined
    5. Incident alert thresholds are established
  Plus B. Security Continuous Monitoring
    1. The network is monitored to detect potential cybersecurity events
    2. The physical environment is monitored to detect potential cybersecurity events
    3. Personnel activity is monitored to detect potential cybersecurity events
    4. Malicious code is detected
    5. Unauthorized mobile code is detected
    6. External service provider activity is monitored to detect potential cybersecurity events
    7. Monitoring for unauthorized personnel, connections, devices, and software is performed
    8. Vulnerability scans are performed
  Plus C. Detection Processes
    1. Roles and responsibilities for detection are well defined to ensure accountability
    2. Detection activities comply with all applicable requirements
    3. Detection processes are tested
    4. Event detection information is communicated to appropriate parties
    5. Detection processes are continuously improved
Plus IV. RESPOND
  Plus A. Response Planning
    1. Response plan is executed during or after an event
  Plus B. Communications
    1. Personnel know their roles and order of operations when a response is needed
    2. Events are reported consistent with established criteria
    3. Information is shared consistent with response plans
    4. Coordination with stakeholders occurs consistent with response plans
    5. Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
  Plus C. Analysis
    1. Notifications from detection systems are investigated 
    2. The impact of the incident is understood
    3. Forensics are performed
    4. Incidents are categorized consistent with response plans
  Plus D. Mitigation
    1. Incidents are contained
    2. Incidents are mitigated
    3. Newly identified vulnerabilities are mitigated or documented as accepted risks
  Plus E. Improvements
    1. Response plans incorporate lessons learned
    2. Response strategies are updated
Plus V. RECOVER
  Plus A. Recovery Planning
    1. Recovery plan is executed during or after an event
  Plus B. Improvements
    1. Recovery plans incorporate lessons learned
    2. Recovery strategies are updated
  Plus C. Communications
    1. Public relations are managed
    2. Reputation after an event is repaired
    3. Recovery activities are communicated to internal stakeholders and executive and management teams

Plus Cluster

Plus I. Cluster: Information Technology
  Plus A. Information Technology Cluster Standards
    Plus 1. Demonstrate effective professional communication skills and practices that enable positive customer relationships
        a. Identify organization's products and services (including own strengths as an agent of the company).
        b. Recognize the importance of all customers to the business.
    Plus 2. Use product or service design processes and guidelines to produce a quality information technology product or service
        a. Test products for reliability.
        b. Initiate predictive maintenance procedures.
        c. Document a Quality Assurance (QA) program (includes creating a plan and evaluating effectiveness of the program).
    3. Demonstrate the use of cross-functional teams in achieving IT project goals.
    4. Demonstrate positive cyber citizenry by applying industry accepted ethical practices and behaviors.
    5. Explain the implications of IT on business development.
    6. Describe trends in emerging and evolving computer technologies and their influence on IT practices.
    7. Perform standard computer backup and restore procedures to protect IT information.
    8. Recognize and analyze potential IT security threats to develop and maintain security requirements.
    9. Describe quality assurance practices and methods employed in producing and providing quality IT products and services.
    10. Describe the use of computer forensics to prevent and solve information technology crimes and security breaches.
    11. Demonstrate knowledge of the hardware components associated with information systems.
    12. Compare key functions and applications of software and determine maintenance strategies for computer systems.

Plus Career Ready Practices

Plus I. Career Ready Practices
  Plus A. Career Ready Skills
    1. Act as a responsible and contributing citizen and employee.
    2. Apply appropriate academic and technical skills.
    3. Attend to personal health and financial well-being.
    4. Communicate clearly, effectively and with reason.
    5. Consider the environmental, social and economic impacts of decisions.
    6. Demonstrate creativity and innovation.
    7. Employ valid and reliable research strategies.
    8. Model integrity, ethical leadership and effective management.
    9. Plan education and career path aligned to personal goals.
    10. Use technology to enhance productivity.
    11. Utilize critical thinking to make sense of problems and persevere in solving them.
    12. Work productively in teams while using cultural/global competence.