(a) How many policy documents does the ISO 27000 standard provide? Briefly describe the content areas covered by each of them. (b) Compare the ISO 27000 series of documents with the NIST documents discussed in Chapter 8. Which areas, if any, are missing from the NIST documents? Identify the strengths and weaknesses of the NIST program compared to the ISO standard.

What is SANS SCORE and why is it useful? Review the security policy documents provided by SANS SCORE and discuss the contents of the relevant documents available under each of the following categories: (a) Server Security (b) Application Security (c) Network Security (d) Incident Handling.

What is the fundamental difference between a security management model and a security architecture model? Explain with an illustrative example.

(a) What are the key principles on which access control is founded? (b) Which two access control methods use a state machine model to enforce security? Compare and contrast the two methods by explaining their similarities and differences.

(a) The ISO 27000 standard provides several policy documents that organizations can reference and utilize for cybersecurity management. The main policy document is ISO/IEC 27001, which outlines the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). This document provides a framework for organizations to manage their information security processes and addresses various areas such as risk assessment, security objectives, asset management, access control, cryptography, and incident management.

In addition to ISO/IEC 27001, the ISO 27000 series includes supporting documents that provide guidance and recommendations for implementing the requirements outlined in ISO/IEC 27001. These documents include ISO/IEC 27002, which provides a code of practice for information security controls, and ISO/IEC 27003, which provides guidelines for implementing an ISMS. Other documents in the series cover specific topics such as risk assessment techniques (ISO/IEC 27005) and metrics for information security (ISO/IEC 27004).

(b) In comparison to the NIST documents discussed in Chapter 8, the ISO 27000 series covers a broader range of topics and provides more detailed guidance on implementing information security controls. While the NIST documents focus primarily on cybersecurity for federal agencies and critical infrastructure, the ISO standard is applicable to organizations of all sizes and industries globally.

One area that may be missing from the NIST documents is the specific guidance on implementing an ISMS, as outlined in ISO/IEC 27001. The ISO standard places a strong emphasis on the establishment of an ISMS and provides detailed requirements for its implementation and maintenance. This could be seen as a strength of the ISO standard, as it provides a more structured approach to managing information security.

However, one strength of the NIST program is its close alignment with U.S. federal regulations and guidelines, such as the Federal Information Security Modernization Act (FISMA) and the Cybersecurity Framework. This alignment can be advantageous for organizations operating within the U.S. federal space, as it ensures compliance with regulatory requirements.

SANS SCORE (Security Consensus Operational Readiness Evaluation) is a tool developed by the SANS Institute that assesses an organization’s security posture based on a set of predefined security policy documents. It provides a baseline for evaluating an organization’s security practices and identifies areas of improvement.

The SANS SCORE platform provides a range of security policy documents categorized into different areas. In terms of server security, the relevant documents typically cover areas such as server hardening, access controls, authentication, and system monitoring. For application security, the documents may address secure coding practices, secure configuration, and secure deployment methodologies. Network security documents may cover topics like firewall configuration, network segmentation, and intrusion detection. Incident handling documents would typically outline procedures for incident detection, response, and recovery.

(a) The key principles on which access control is founded include the concepts of least privilege, separation of duties, and need-to-know. Least privilege ensures that individuals are only given the minimum levels of access necessary to perform their job responsibilities. Separation of duties ensures that no one individual has complete control or unrestricted access to critical systems or data. Need-to-know restricts access only to those who require the information to perform their tasks.

(b) Two access control methods that use a state machine model to enforce security are Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). Both methods use a state machine model to determine access rights from defined rules and conditions; they differ in how access decisions are made.

RBAC assigns permissions based on predefined roles that individuals are assigned to within an organization. Access decisions are made based on whether a role has the necessary permissions to perform a specific action. ABAC, on the other hand, assigns permissions based on the attributes and characteristics of the user, the resource being accessed, and the environment. Access decisions are made by evaluating attributes against a set of defined rules and policies.

In summary, RBAC and ABAC both use state machine models to enforce security, but RBAC is based on predefined roles while ABAC considers multiple attributes to determine access.
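The two decision models described above, together with the separation-of-duties and need-to-know principles from part (a), as an added Python illustration that is not part of the original answer; the roles, permission sets, rules and sample users are constructed for the example:

```python
from dataclasses import dataclass

# RBAC: permissions are attached to roles, and users are assigned roles
# (constructed sample data for the illustration).
ROLE_PERMISSIONS = {
    "clerk":   {("ledger", "read")},
    "auditor": {("ledger", "read"), ("audit_log", "read")},
    "admin":   {("ledger", "read"), ("ledger", "write"), ("audit_log", "read")},
}
# Separation of duties: no single user may hold both roles of any pair listed here.
EXCLUSIVE_ROLE_PAIRS = [frozenset({"clerk", "auditor"})]
USER_ROLES = {"alice": {"clerk"}, "bob": {"auditor"}, "carol": {"admin"}}

def assign_role(user: str, role: str) -> bool:
    """Add a role to a user unless it would violate a separation-of-duties pair."""
    held = USER_ROLES.setdefault(user, set())
    if any(frozenset({role, h}) in EXCLUSIVE_ROLE_PAIRS for h in held):
        return False
    held.add(role)
    return True

def rbac_allows(user: str, resource: str, action: str) -> bool:
    """RBAC decision: some role held by the user must carry (resource, action)."""
    return any((resource, action) in ROLE_PERMISSIONS.get(r, set())
               for r in USER_ROLES.get(user, set()))

# ABAC: rules evaluate attributes of the subject, the resource and the environment.
@dataclass
class Request:
    subject: dict      # e.g. {"department": "finance", "clearance": 2}
    resource: dict     # e.g. {"department": "finance", "classification": 3}
    action: str
    environment: dict  # e.g. {"hour": 14}

def rule_need_to_know(req: Request) -> bool:
    # Need-to-know: only data belonging to the subject's own department.
    return req.subject["department"] == req.resource["department"]

def rule_business_hours(req: Request) -> bool:
    # Environmental attribute: access only during working hours.
    return 8 <= req.environment["hour"] < 18

def rule_write_clearance(req: Request) -> bool:
    # Writes additionally require clearance at or above the data classification.
    return req.action != "write" or req.subject["clearance"] >= req.resource["classification"]

ABAC_RULES = [rule_need_to_know, rule_business_hours, rule_write_clearance]

def abac_allows(req: Request) -> bool:
    """ABAC decision, deny by default: every rule must hold for access to be granted."""
    return all(rule(req) for rule in ABAC_RULES)
```

The RBAC decision never looks at the request context, only at the caller's roles; the ABAC decision ignores roles entirely and would change if any attribute, such as the hour, changes.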
