ISACA CISM Certification Certified Information Security Manager Courseware Version 4.0

Upload: christian-cascante-caballero

Post on 05-Sep-2015

DESCRIPTION

Guide for the certification

TRANSCRIPT

    ISACA CISM Certification
    Certified Information Security Manager Courseware Version 4.0

    4/17/2015

    CISM
    Firebrand Accelerated Training


    2015 CISM Review Course

    Introduction


    Agenda
    This introduction will address:
    The CISM Certification
    Course format
    Examination format
    Introduction of Attendees
    To set the scene: Recent Incidents


    This is NOT a Death-By-PowerPoint Seminar


    But it IS a Seminar


    CISM
    Certified Information Security Manager
    Designed for personnel that have (or want to have) responsibility for managing an Information Security program
    Tough but very good quality examination
    Requires understanding of the concepts behind a security program, not just the definitions

    CISM Exam Review Course Overview
    The CISM Exam is based on the CISM job practice.
    The ISACA CISM Certification Committee oversees the development of the exam and ensures the currency of its content.
    There are four content areas that the CISM candidate is expected to know.


    CISM Qualifications

    To earn the CISM designation, information security professionals are required to:

    Successfully pass the CISM exam

    Adhere to the ISACA Code of Professional Ethics

    Agree to comply with the CISM continuing education policy

    Submit verified evidence of five (5) years of work experience in the field of information security.


    Daily Format
    Lecture and Sample questions
    Domain structure
    Learning Objectives
    Content
    Sample Questions
    Please note that the information in every domain overlaps with the information in other domains; during the course we will introduce topics that are expanded upon in later domains.


    Domain Structure
    Diagram of the four domains, connected by arrows labelled Mandates, Requires, Deploys, Reports To and Influences:
    Information Security Governance
    Information Risk Management and Compliance
    Information Security Program Development and Management
    Information Security Incident Management


    Course Structure

    Start Time

    Breaks

    Meals

    End of Day

    End of class on last day


    Logistics

    Fire Escapes

    Assembly point

    Mobile phones / pagers


    The Examination


    Description of the Exam
    The exam consists of 200 multiple choice questions that cover the CISM job practice areas.
    Four hours are allotted for completing the exam.
    See the Candidate's Guide to the CISM Exam and Certification.


    Examination Job Content Areas
    The exam items are based on the content in 4 information security areas:
    Information Security Governance 24%
    Information Risk Management and Compliance 33%
    Information Security Program Development and Management 25%
    Information Security Incident Management 18%



    2015 Exam Dates
    The exam will be administered three times in 2015
    The 1st exam date is June 13 (April 21 is the deadline for registration)
    The 2nd exam date is Sept 12
    The 3rd exam date is Dec 12
    Many examination locations worldwide
    Register at www.isaca.org


    Examination Day
    Be on time!!
    The doors are locked when the instructions start, approximately 30 minutes before examination start time.
    Bring the admission ticket (sent out prior to the examination by ISACA) and an acceptable form of original photo identification (passport, photo ID or driver's license).


    Completing the Examination Items

    Bring several #2 pencils and an eraser

    Read each question carefully

    Read ALL answers prior to selecting the BEST answer

    Mark the appropriate answer on the test answer sheet.

    When correcting an answer be sure to thoroughly erase the wrong answer before filling in a new one.

    There is no penalty for guessing. Answer every question.


    Grading the Exam
    Candidate scores are reported as a scaled score based on the conversion of a candidate's raw score on an exam to a common scale.
    ISACA uses and reports scores on a common scale from 200 to 800. A candidate must receive a score of 450 or higher to pass.
    Exam results will be mailed (and emailed) out approximately 8 weeks after the exam date.
    Good Luck!


    Introduction of Classmates

    HIGHLY TECHNICAL ATTACKS


    Stuxnet
    Part of Operation Olympic Games, an operation begun in 2006 to disrupt Iran's nuclear programme
    General James E. Cartwright, head of cyber operations inside the US Strategic Command, developed the Stuxnet plan
    Stage 1: Plant code that extracts maps of the air-gapped networks supporting nuclear labs and reprocessing plants in Iran
    Stage 2: Payload development by NSA's Foreign Affairs Directorate and the IDF's Intelligence Corps Unit 8200
    Code named: The Bug
    Stage 3: Test against P-1 centrifuges
    Stage 4: Plant the worm in Natanz via spies and tricked insiders (engineers, maintenance workers, anyone with physical access to the plant). This was in 2008
    The operation was successful
    ICS were infected and high-speed centrifuges were damaged
    Iranians blamed themselves or suppliers for the observed problems


    Stuxnet
    Reported as 20x more complex than any previous piece of malware
    Array of capabilities
    Manipulated the centrifuges themselves (rotor speed, and in the earliest variant gas pressure) while replaying recorded normal readings so that system operators saw everything as normal
    Did not carry a forged code-signing certificate (the usual trick malware uses to look trusted). It was signed with genuine certificates stolen from legitimate, reputable technology companies (Realtek and JMicron)
    Exploited four Windows zero-day vulnerabilities
    Target specific: it remained dormant until the target configuration was sighted. The target was the P-1 centrifuges. May have put about 1,000 centrifuges at Natanz out of service
    Iran has responded to the attack with an open call to hackers to join the Iranian Revolutionary Guard; it is now claimed to have the 2nd largest online army


    GhostNet
    GhostNet represents a network of compromised computers resident in high-value political, economic, and media locations spread across numerous countries worldwide


    GhostNet

    Infected 986 machines across 93 countries


    GhostNet
    Malware retrieving a sensitive document
    This screen capture of the Wireshark network analysis tool shows an infected computer at the Office of the Dalai Lama uploading a sensitive document to one of the GhostNet control servers.


    GhostNet

    The gh0st RAT interface:


    GhostNet
    gh0st RAT demonstration
    https://www.youtube.com/watch?v=6p7FqSav6Ho


    Technical Social Engineering
    The purpose of social engineering is to transparently install malicious software or to trick you into handing over sensitive information.
    Technical social engineering is a chained exploit: human nature and software vulnerabilities are both exploited.


    Technical Social Engineering


    Operation Aurora
    Targeted 34 companies in the financial, technology and defense sectors
    A level of sophistication not seen before outside the defense industry. Prior to this, publicly reported commercial attacks were mostly SQL-injection or wireless breach based
    Highly sophisticated and coordinated attack against Google's corporate network
    Targeted and stole IP (source code repositories)
    Accessed Gmail accounts of human rights activists


    Operation Aurora
    Used several pieces of malware, levels of encryption, stealth programming and zero-day exploits in IE, Word, Excel and Adobe PDFs
    Attack was obfuscated and avoided common detection methods
    Tailored to target a small number of corporate users by:
    sending a malicious document attached to an email, or
    sending a spoofed email message with a link to a malicious website
    Infected machines will typically have the following components installed:
    %System%\[RANDOM].dll: main file. Runs as a service and has back door capabilities
    %System%\acelpvc.dll: Streams live desktop feed to the attacker
    %System%\VedioDriver.dll: Helper DLL for acelpvc.dll


    Operation Aurora
    Siphoned off live feed and/or data to C&C servers in Illinois, Texas and Taiwan
    One C&C server was hosted by Rackspace
    Designed to occur during a holiday season, when company SOCs and incident response teams would be thinly staffed


    Operation Aurora: Trojan.Hydraq
    Infects Win2K, Win7, Win2003, Win2008, Vista, XP
    Creates 2 files
    Creates a service named RaS followed by four random characters
    Registers the service by creating a registry subkey
    Adds itself to the svchost group list in this registry entry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs
    Opens a backdoor allowing a remote attacker to do a number of things
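The netsvcs persistence described on this slide is easy to audit: compare the svchost group list and each member's ServiceDll against a known-good baseline of the same Windows build. The script below is an added example, not part of the ISACA courseware or of any vendor's Hydraq writeup. The `reg query` output line, the ServiceDll paths, the baseline table and the service name `RaSfkxr` are all constructed for the example; the only indicator taken from the slide is the `RaS` + four random characters naming pattern.

```python
import re

# Constructed sample of the line that
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v netsvcs
# prints for the REG_MULTI_SZ value; reg query separates entries with the
# two characters "\0". A clean list plus one extra member is shown here.
SAMPLE_REG_QUERY_LINE = (
    "    netsvcs    REG_MULTI_SZ    "
    "AppMgmt\\0BITS\\0EventSystem\\0Schedule\\0wuauserv\\0RaSfkxr"
)

# Constructed sample of each service's Parameters\ServiceDll value on the same host.
SAMPLE_SERVICE_DLLS = {
    "AppMgmt": r"C:\Windows\System32\appmgmts.dll",
    "BITS": r"C:\Windows\System32\qmgr.dll",
    "EventSystem": r"C:\Windows\System32\es.dll",
    "Schedule": r"C:\Windows\System32\schedsvc.dll",
    "wuauserv": r"C:\Windows\System32\wuaueng.dll",
    "RaSfkxr": r"C:\Windows\System32\kjhswq.dll",   # randomly named main DLL
}

# Assumed known-good baseline (in practice exported from a clean image of the
# same OS build): every expected netsvcs member and the DLL it should load.
BASELINE = {
    "AppMgmt": "appmgmts.dll",
    "BITS": "qmgr.dll",
    "EventSystem": "es.dll",
    "Schedule": "schedsvc.dll",
    "wuauserv": "wuaueng.dll",
}

# Service name pattern from the slide: "RaS" followed by four random characters.
HYDRAQ_NAME_RE = re.compile(r"^RaS[A-Za-z0-9]{4}$")


def parse_multi_sz(reg_query_line):
    """Return the entries of a REG_MULTI_SZ value as printed by reg query."""
    parts = reg_query_line.split(None, 2)
    if len(parts) < 3 or parts[1] != "REG_MULTI_SZ":
        raise ValueError("not a REG_MULTI_SZ line")
    return [s for s in parts[2].strip().split("\\0") if s]


def find_suspicious_netsvcs(netsvcs, service_dlls, baseline):
    """Flag netsvcs members that are unknown, renamed-pattern, or load a changed DLL.

    Returns {service_name: [reasons]} with only the flagged services.
    """
    findings = {}
    for name in netsvcs:
        reasons = []
        dll_file = service_dlls.get(name, "").rsplit("\\", 1)[-1].lower()
        if name not in baseline:
            reasons.append("not in netsvcs baseline")
        elif dll_file != baseline[name]:
            # Same service name but a different DLL: hijacked legitimate entry.
            reasons.append("ServiceDll changed: expected %s, found %s"
                           % (baseline[name], dll_file))
        if HYDRAQ_NAME_RE.match(name):
            reasons.append("name matches Hydraq pattern RaS????")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    members = parse_multi_sz(SAMPLE_REG_QUERY_LINE)
    for svc, why in find_suspicious_netsvcs(members, SAMPLE_SERVICE_DLLS, BASELINE).items():
        print(svc, "->", "; ".join(why))
```

The baseline comparison is the part that generalises: the `RaS????` name is one campaign's habit, whereas an unexpected netsvcs member or a legitimate member whose ServiceDll now points somewhere else catches the technique regardless of the name chosen.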


    Operation Aurora: Google Case Study
    Initial attack occurred when company executives visited a malicious site
    Via a clicked URL sent by email/IM, or
    Via social networking sites
    Drive-by download
    IE exploited via a zero-day exploit
    Multiple pieces of malware downloaded onto the device, automatically and transparently


    Operation Aurora: Google Case Study
    Shellcode 3x encrypted
    Downloaded encrypted binary code in 2 encrypted .exes from an external node
    Opened a backdoor
    Established an encrypted covert channel masquerading as an SSL connection
    Beachhead into other parts of the corporate network
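A channel that "masquerades as SSL" typically means a custom protocol on TCP/443 that port-based rules wave through. A genuine TLS session opens with a handshake record carrying a ClientHello, and that structure can be checked on the first bytes of each flow. The script below is an added example, not part of the courseware and not a description of Aurora's actual wire format; the three sample flows are constructed byte strings (the "beacon" bytes are invented, not a real signature).

```python
import struct

# Constructed first-bytes samples of three client-to-server flows on TCP/443.
SAMPLE_FLOWS = {
    # Genuine TLS ClientHello: record type 0x16 (handshake), record version 3.1,
    # record length 0x00c8, handshake type 0x01, handshake length 0x0000c4,
    # client_version 3.3 (TLS 1.2), followed by the rest of the hello body.
    "browser": bytes.fromhex("16 03 01 00 c8 01 00 00 c4 03 03") + b"\x00" * 196,
    # Invented binary beacon that only looks like SSL to a rule keyed on the port.
    "beacon": bytes.fromhex("ff ff ff ff ff ff ff ff 00 00 00 0a") + b"A" * 16,
    # Plain HTTP sent to 443.
    "cleartext": b"GET /update.php HTTP/1.1\r\nHost: cdn.example.invalid\r\n\r\n",
}


def looks_like_tls_client_hello(data):
    """Structural check of the first TLS record: type, version and consistent lengths."""
    if len(data) < 11:
        return False
    content_type, major, minor = data[0], data[1], data[2]
    record_len = struct.unpack(">H", data[3:5])[0]
    # Handshake record, SSL 3.0 / TLS 1.0-1.2 record version (TLS 1.3 still uses 3.1 here).
    if content_type != 0x16 or major != 0x03 or minor > 0x03:
        return False
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    # First handshake message must be a ClientHello that exactly fills the record.
    if hs_type != 0x01 or hs_len + 4 != record_len:
        return False
    client_major, client_minor = data[9], data[10]
    return client_major == 0x03 and client_minor <= 0x03


def triage(flows):
    """Label each flow 'tls' or 'not-tls-on-443' for follow-up."""
    return {
        label: ("tls" if looks_like_tls_client_hello(data) else "not-tls-on-443")
        for label, data in flows.items()
    }


if __name__ == "__main__":
    for label, verdict in triage(SAMPLE_FLOWS).items():
        print(label, verdict)
```

The check only exposes a masquerade; an implant that wraps its C&C in real TLS passes it, so in production it is one signal next to certificate inspection, destination reputation and beacon timing rather than a verdict on its own.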


    ICEFOG Advanced Persistent Threat
    A threat actor
    Emerging trend of cyber-mercenary teams of tens to hundreds of operators, available for hire to perform surgical hit-and-run operations
    Going after the supply chain and compromising the target with surgical precision
    Relies on spear phishing emails that attempt to trick a victim into opening a malicious attachment or visiting a malicious website
    Victims were Japanese and South Korean targets
    From China with love


    End of Introduction

    ISACA: Trust in, and value from, information systems


    2015 CISM Review Course
    Chapter 1: Information Security Governance


    Course Agenda

    Priorities for the CISM

    Corporate Governance

    Information Security Strategy

    Information Security Program

    Elements of a Security Program

    Roles and Responsibilities

    Evaluating a Security Program

    Reporting and Compliance

    Ethics


    Examination Content
    The CISM Candidate understands:
    Effective security governance framework
    Building and deploying a security strategy aligned with organizational goals
    Manage risk appropriately
    Responsible management of program resources
    The content area in this chapter will represent approximately 24% of the CISM examination (approximately 48 questions).


    Chapter 1 Learning Objectives
    Align the organization's Information security strategy with business goals and objectives
    Obtain Senior Management commitment
    Provide support for:
    Governance
    Business cases to justify security
    Compliance with legal and regulatory mandates
    Organizational priorities and strategy
    Identify drivers affecting the organization
    Define roles and responsibilities
    Establish metrics to report on effectiveness of the security strategy

    The Priorities for the CISM Candidate in Chapter One


    CISM Priorities
    The CISM must understand:
    Requirements for effective information security governance
    Elements and actions required to:
    Develop an information security strategy
    Plan of action to implement it


    The First Question
    In your own words, please describe what information security is, and what the purpose or value of information security is in relation to the business.


    Information Security
    Information is indispensable to conduct business effectively today
    Information must:
    Be Available
    Have Integrity of data and process
    Be kept Confidential as needed
    Protection of information is a responsibility of the Board of Directors


    Information Security

    Information Protection includes:

    Accountability

    Oversight

    Prioritization

    Risk Management

    Compliance (Regulations and Legislation)


    Information Security Governance Overview
    Information security is much more than just IT security (more than technology)
    Information must be protected at all levels of the organization and in all forms
    Information security is a responsibility of everyone
    In all forms: paper, fax, audio, video, microfiche, networks, storage media, computer systems


    Selling the Importance of Information Security
    Benefits of effective information security governance include:
    Improved trust in customer relationships
    Protecting the organization's reputation
    Better accountability for safeguarding information during critical business activities
    Reduction in loss through better incident handling and disaster recovery


    The First Priority for the CISM
    Remember that Information Security is a business-driven activity.
    Security is here to support the interests and needs of the organization, not just the desires of security.
    Security is always a balance between cost and benefit; security and productivity.


    Corporate Governance


    Business Goals and Objectives
    Corporate governance is the set of responsibilities and practices exercised by the board and executive management
    Goals include:
    Providing strategic direction
    Reaching security and business objectives
    Ensuring that risks are managed appropriately
    Verifying that the enterprise's resources are used responsibly


    Outcomes of Information Security Governance
    The six basic outcomes of effective security governance:
    Strategic alignment
    Risk management
    Value delivery
    Resource management
    Performance measurement
    Integration


    Benefits of Information Security Governance
    Effective information security governance can offer many benefits to an organization, including:
    Compliance and protection from litigation or penalties
    Cost savings through better risk management
    Avoiding the risk of lost opportunities
    Better oversight of systems and business operations
    Opportunity to leverage new technologies to business advantage


    Performance and Governance
    Governance is only possible when metrics are in place for:
    Measuring
    Monitoring
    Reporting
    on whether critical organizational objectives are achieved
    Enterprise-wide measurements should be developed


    Information Security Strategy

    Developing Information Security Strategy

    Information Security Strategy

    Long term perspective

    Standard across the organization

    Aligned with business strategy / direction

    Understands the culture of the organization

    Reflects business priorities


    Elements of a Strategy
    A security strategy needs to include:
    Resources needed
    Constraints
    A road map, including people, processes, technologies and other resources
    A security architecture: defining business drivers, resource relationships and process flows
    Achieving the desired state is a long-term goal of a series of projects


    Objectives of Security Strategy
    The objectives of an information security strategy must:
    Be defined
    Be supported by metrics (measurable)
    Provide guidance


    The Goal of Information Security
    The goal of information security is to protect the organization's assets, individuals and mission
    This requires:
    Asset identification*
    Classification of data and systems according to criticality and sensitivity
    Application of appropriate controls
    *Information is an asset only to the degree it supports the primary purpose of the business


    Defining Security Objectives

    The information security strategy forms the basis for the plan(s) of action required to achieve security objectives

    The long-term objectives describe the desired state

    Should describe a well-articulated vision of the desired outcomes for a security program

    Security strategy objectives should be stated in terms of specific goals directly aimed at supporting business activities


    Business Linkages
    Business linkages:
    Start with understanding the specific objectives of a particular line of business
    Take into consideration all information flows and processes that are critical to ensuring continued operations
    Enable security to be aligned with and support business at strategic, tactical and operational levels


    Business Case Development
    The business case for initiating a project must be captured and communicated:
    Reference
    Context
    Value Proposition
    Focus
    Deliverables
    Dependencies
    Project metrics
    Workload
    Required resources
    Commitments
    The business case for security must address the same criteria


    The Information Security Program

    Question:
    What steps/elements are necessary to develop an effective security program?


    Security Program Priorities
    Achieve high standards of corporate governance
    Treat information security as a critical business issue
    Create a security-positive environment
    Have declared responsibilities


    Security versus Business
    Security must be aligned with business needs and direction
    Security is woven into the business functions
    Provides:
    Strength
    Resilience
    Protection
    Stability
    Consistency


    Security Program Objectives
    Ensure the availability of systems and data
    Allow access to the correct people in a timely manner
    Protect the integrity of data and business processes
    Ensure no improper modifications
    Protect confidentiality of information
    Prevent unauthorized disclosure of information
    Privacy, trade secrets


    What is Security
    A structured deployment of risk-based controls related to:
    People
    Processes
    Technology


    Security Integration
    Security needs to be integrated INTO the business processes
    The goal is to reduce security gaps through organization-wide security programs
    Integrate IT with:
    Physical security
    Risk Management
    Privacy and Compliance
    Business Continuity Management


    Security Program

    Starts with theory and concepts

    Policy

    Interpreted through:

    Procedures

    Baselines

    Standards

    Measured through audit


    Architecture
    Information security architecture is similar to physical architecture:
    Requirements definition
    Design / Modeling
    Creation of detailed blueprints
    Development, deployment
    Architecture is planning and design to meet the needs of the stakeholders
    Security architecture is one of the greatest needs for most organizations


    Information Security Frameworks
    Framework
    Template
    Structure
    Measurable / Auditable
    Project Planning and Management
    Strategic, Tactical and Operational viewpoints


    Using an Information Security Framework
    Effective information security is provided through adoption of a security framework
    Defines information security objectives
    Aligns with business objectives
    Provides metrics to measure compliance and trends
    Standardizes baseline security activities enterprise-wide


    The Desired State of Security

    The desired state of security must be defined in terms of attributes, characteristics and outcomes

    It should be clear to all stakeholders what the intended security state is


    The Desired State cont.
    The desired state according to COBIT (Control Objectives for Information and related Technology):
    Protecting the interests of those relying on information, and the processes, systems and communications that handle, store and deliver the information, from harm resulting from failures of availability, confidentiality and integrity
    Focuses on IT-related processes from IT governance, management and control perspectives


    The Maturity of the Security Program Using CMM
    0: Nonexistent - No recognition by the organization of the need for security
    1: Ad hoc - Risks are considered on an ad hoc basis; no formal processes
    2: Repeatable but intuitive - Emerging understanding of risk and need for security
    3: Defined process - Companywide risk management policy / security awareness
    4: Managed and measurable - Risk assessment standard procedure, roles and responsibilities assigned, policies and standards in place
    5: Optimized - Organization-wide processes implemented, monitored and managed


    Using the Balanced Scorecard
    The Four Perspectives of the Balanced Scorecard, arranged around Vision and Strategy:
    Learning and Growth
    Internal Business Processes
    Financial
    Customer


    The ISO 27001:2013 Framework
    The goal of ISO 27001:2013 is to:
    Establish
    Implement
    Maintain, and
    Continually improve
    an information security management system (ISMS)
    Annex A contains 14 control domains (A.5 to A.18), 35 control objectives and 114 controls


    Examples of Other Security Frameworks
    SABSA (Sherwood Applied Business Security Architecture)
    COBIT
    COSO
    Business Model for Information Security (model originated at the Institute for Critical Information Infrastructure Protection)


    Examples of Other Security Frameworks
    ISO standards on quality (ISO 9001:2000)
    Six Sigma
    Publications from NIST and ISF
    US Federal Information Security Management Act (FISMA)


    Constraints and Considerations for a Security Program
    Constraints
    Legal - Laws and regulatory requirements
    Physical - Capacity, space, environmental constraints
    Ethics - Appropriate, reasonable and customary
    Culture - Both inside and outside the organization
    Costs - Time, money
    Personnel - Resistance to change, resentment against new constraints


    Constraints and Considerations for a Security Program cont.
    Constraints
    Organizational structure - How decisions are made and by whom, turf protection
    Resources - Capital, technology, people
    Capabilities - Knowledge, training, skills, expertise
    Time - Window of opportunity, mandated compliance
    Risk tolerance - Threats, vulnerabilities, impacts


    Elements of a Security Program

    Elements of Risk and Security
    The next few slides list many factors that go into a security program.


    Risk Management
    The basis for most security programs is Risk Management:
    Risk identification
    Risk mitigation
    Ongoing risk monitoring and evaluation
    The CISM must remember that risk is measured according to potential impact on the ability of the business to meet its mission, not just on the impact on IT.


    Information Security Concepts

    Access

    Architecture

    Attacks

    Auditability

    Authentication

    Authorization

    Availability

    Business dependency analysis
    Business impact analysis

    Confidentiality

    Countermeasures

    Criticality

    Data classification

    Exposures

    Gap analysis

    Governance


    Information Security Concepts cont.

    Identification

    Impact

    Integrity

    Layered security

    Management

    Nonrepudiation

    Risk / Residual risk

    Security metrics

    Sensitivity

    Standards

    Strategy

    Threats

    Vulnerabilities

    Enterprise architecture

    Security domains

    Trust models


    Security Program Elements
    Policies
    Standards
    Procedures
    Guidelines
    Controls: physical, technical, procedural
    Technologies
    Personnel security
    Organizational structure
    Skills


    Security Program Elements cont.

    Training

    Awareness and education

    Compliance enforcement

    Outsourced security providers

    Other organizational support and assurance providers

    Facilities

    Environmental security


    Third Party Agreements
    Ensure that security requirements are addressed in all third party agreements:
    Service Level Agreements
    Jurisdiction in case of dispute
    Right to audit or obtain independent verification of compliance


    Roles and Responsibilities

    Roles and Responsibilities of Senior Management

    Board of directors

    Information security governance / Accountability

    Executive management

    Implementing effective security governance and defining the strategic security objectives

    Budget and Support

    Steering committee

    Ensuring that all stakeholders impacted by security considerations are involved

    Oversight and monitoring of security program


    Senior Management Commitment
    To be successful, information security must have the support of senior management:
    Budget
    Direction / Policy
    Reporting and Monitoring
    A bottom-up management approach to information security activities is much less likely to be successful

    How can we obtain continued Senior Management support for the security program?


    Steering Committee
    Oversight of Information Security Program
    Acts as liaison between Management, Business, Information Technology, and Information Security
    Ensures all stakeholder interests are addressed
    Oversees compliance activities


    CISO: Chief Information Security Officer
    Responsibilities
    Responsible for information security-related activity:
    Policy
    Investigation
    Testing
    Compliance


    Business Manager Responsibilities
    Responsible for security enforcement and direction in their area:
    Day-to-day monitoring
    Reporting
    Disciplinary actions
    Compliance


    IT Staff Responsibilities
    Responsible for security design, deployment and maintenance:
    System and network monitoring
    Reporting
    Operation of security controls
    Compliance


    Centralized versus Decentralized Security
    Which is better?
    Consistency versus flexibility
    Central control versus local ownership
    Procedural versus responsive
    Core skills versus distributed skills
    Visibility to senior management versus visibility to users and local business units


    Evaluating the Security Program


    Audit and Assurance of Security
    Objective review of security risk, controls and compliance
    Assurance regarding the effectiveness of security is a part of regular organizational reporting and monitoring


    Evaluating the Security Program
    Metrics are used to measure results
    Measure security concepts that are important to the business
    Use metrics that can be used for each reporting period
    Compare results and detect trends


    Effective Security Metrics
    Set metrics that will indicate the health of the security program:
    Incident management
    Degree of alignment between security and business development
    Was security consulted?
    Were controls designed into the systems or added later?


    Effective Security Metrics cont.
    Choose metrics that can be controlled
    Measure items that can be influenced or managed by local managers / security
    Not external factors such as the number of viruses released in the past year
    Have clear reporting guidelines
    Monitor on a regular scheduled basis

Key Performance Indicators (KPIs)
- Thresholds to measure
  - Compliance / non-compliance
  - Pass / fail
  - Satisfactory / unsatisfactory results
- A KPI is set at a level that indicates action should / must be taken (the alarm point)

End to End Security
- Security must be enabled across the organization, not just on a system-by-system basis
- Performance measures should ensure that security systems are integrated with each other
- Layered defenses

Correlation Tools
- The CISM may use security information and event management (SIEM; also called SIM or SEM) tools to aggregate data from across the organization
  - Data analysis
  - Trend detection
  - Reporting tools
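The three slides above (metrics that can be compared each reporting period, a KPI as an alarm point, and a correlation tool that aggregates data from several sources) are easier to see in working form. The following is an added example, not code from the ISACA courseware or from any SIEM product: it aggregates constructed authentication and firewall log lines, applies one correlation rule (several failed logins followed by a success from the same source), counts the resulting incidents per ISO week, and reports each week against a KPI alarm point. The log format, hosts, users, addresses and timestamps are all invented for the example.

```python
# Added example (not from the ISACA courseware): aggregate constructed log
# lines from two sources, apply one correlation rule, and check the resulting
# incident count per reporting period against a KPI alarm point.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: hosts, users, addresses and timestamps are invented.
AUTH_LOG = """\
2015-04-01T08:00:01 auth host=vpn1 user=alice src=203.0.113.5 result=FAIL
2015-04-01T08:00:07 auth host=vpn1 user=alice src=203.0.113.5 result=FAIL
2015-04-01T08:00:12 auth host=vpn1 user=alice src=203.0.113.5 result=FAIL
2015-04-01T08:00:20 auth host=vpn1 user=alice src=203.0.113.5 result=OK
2015-04-01T09:15:00 auth host=vpn1 user=bob src=198.51.100.9 result=FAIL
2015-04-01T09:16:00 auth host=vpn1 user=bob src=198.51.100.9 result=OK
2015-04-08T10:00:00 auth host=mail1 user=carol src=192.0.2.44 result=FAIL
2015-04-08T10:00:03 auth host=mail1 user=carol src=192.0.2.44 result=FAIL
2015-04-08T10:00:05 auth host=mail1 user=carol src=192.0.2.44 result=FAIL
2015-04-08T10:00:09 auth host=mail1 user=carol src=192.0.2.44 result=FAIL
2015-04-08T10:00:30 auth host=mail1 user=carol src=192.0.2.44 result=OK
"""
FW_LOG = """\
2015-04-01T07:59:50 fw action=ALLOW src=203.0.113.5 dst=vpn1 dport=443
2015-04-08T09:59:55 fw action=DENY src=192.0.2.44 dst=mail1 dport=22
2015-04-08T09:59:58 fw action=ALLOW src=192.0.2.44 dst=mail1 dport=443
"""


def parse_line(line):
    """Normalize one '<timestamp> <source> k=v ...' line into a dict."""
    ts, source, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts), "source": source}
    for pair in pairs:
        key, value = pair.split("=", 1)
        event[key] = value
    return event


def load_events(*logs):
    """Aggregate several sources into one time-ordered event stream."""
    events = [parse_line(l) for log in logs for l in log.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: a successful login preceded by >= threshold failures for the same
    (src, user) within the window is an incident. Firewall denies for the same
    source are attached as context, which the auth log alone could not give."""
    denied_sources = {e["src"] for e in events
                      if e["source"] == "fw" and e["action"] == "DENY"}
    failures = defaultdict(list)
    incidents = []
    for e in events:
        if e["source"] != "auth":
            continue
        key = (e["src"], e["user"])
        if e["result"] == "FAIL":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            incidents.append({"ts": e["ts"], "user": e["user"], "src": e["src"],
                              "host": e["host"], "failures": len(recent),
                              "prior_fw_deny": e["src"] in denied_sources})
        failures[key].clear()
    return incidents


def incidents_per_period(incidents):
    """Count incidents per ISO week, the reporting period assumed here."""
    counts = defaultdict(int)
    for inc in incidents:
        year, week, _ = inc["ts"].isocalendar()
        counts[(year, week)] += 1
    return dict(counts)


def kpi_status(counts, alarm_point):
    """A KPI is a threshold: at or above the alarm point, action is required."""
    return {period: ("ACTION" if n >= alarm_point else "OK")
            for period, n in sorted(counts.items())}


def trend(counts):
    """Compare the last two periods so the metric can be reported as a trend."""
    series = [n for _, n in sorted(counts.items())]
    if len(series) < 2:
        return "insufficient data"
    if series[-1] > series[-2]:
        return "rising"
    return "falling" if series[-1] < series[-2] else "flat"


if __name__ == "__main__":
    found = correlate(load_events(AUTH_LOG, FW_LOG))
    per_period = incidents_per_period(found)
    for inc in found:
        print(inc)
    print(kpi_status(per_period, alarm_point=1), trend(per_period))
```

The point of the second source is visible in the output: carol's incident carries a prior firewall deny from the same address, which the authentication log alone could not show. The alarm point is deliberately a parameter, because the slides make the threshold a management decision rather than a property of the tool.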

Reporting and Compliance

Regulations and Standards
The CISM must be aware of:
- National laws
  - Privacy
- Regulations
  - Reporting, performance
- Industry standards and frameworks
  - Payment Card Industry (PCI)
  - Basel II

Effect of Regulations
- Requirements for business operations
- Potential impact of a breach
  - Cost
  - Reputation
- Scheduled reporting requirements
  - Frequency
  - Format

Reporting and Analysis
- Data gathering at source
  - Accuracy
  - Identification
- Reports signed by an organizational officer

Ethics

Ethical Standards
Rules of behaviour:
- Legal
- Corporate
- Industry
- Personal

Ethical Responsibility
Responsibility to all stakeholders:
- Customers
- Suppliers
- Management
- Owners
- Employees
- Community

ISACA Code of Ethics cont.
Required for all certification holders. Members and certification holders shall:
- Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
- Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.

ISACA Code of Ethics cont.
- Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
- Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.

ISACA Code of Ethics cont.
- Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
- Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
- Support the professional education of stakeholders in enhancing their understanding of information systems security and control.

Practice Question
1. The PRIMARY purpose of a security strategy is to provide:
A. The basis for determining the security architecture for the organization.
B. The intent and direction of management.
C. Guidance for users on how to comply with security requirements.
D. Standards to measure compliance.

Practice Question
2. The BEST method of improving security compliance is:
A. To make it easier for employees to follow security rules.
B. To have comprehensive organization-wide security policies.
C. To have an active security awareness program.
D. To inform all staff about legal regulations and legislation.

Practice Question
3. The MOST important task of the CISM regarding compliance with regulations is to:
A. Develop the policies and standards to be followed by the organization.
B. Ensure that accurate and complete data is used in reporting procedures.
C. Provide guidance to business units on the legal requirements for compliance.
D. Approve all reports prior to submission to outside agencies.

Practice Question
4. The MOST important consideration in the development of security policies is that:
A. The policies reflect the intent of senior management.
B. The policies are legal.
C. All employees agree with the policies.
D. The correct procedures are developed to support the requirements of the policy.

End of Domain

ISACA: Trust in, and value from, information systems

2015 CISM Review Course
Chapter 2: Information Risk Management and Compliance

Course Agenda
- Information asset classification
- Identify regulatory, legal and other requirements
- Identify risk, threats and vulnerabilities
- Risk treatment
- Evaluate security controls
- Integrate risk management into business processes
- Report non-compliance and other changes in risk

Exam Relevance
- Ensure that the CISM candidate manages information risk to an acceptable level to meet the business and compliance requirements of the organization
- The content area in this chapter represents approximately 33% of the CISM examination (approximately 66 questions)

Chapter 2 Task Statements
- Establish an information asset classification and ownership process
- Ensure risk, threat and vulnerability assessments are conducted periodically
- Evaluate security controls
- Identify gaps between current and desired state

Chapter 2 Task Statements cont.
- Integrate risk, threat and vulnerability identification and management into the organization
- Monitor existing risk to ensure changes are identified and managed appropriately
- Report information risk management levels to management

Information Asset Classification

Information Asset Classification
- Need to know what information to protect
- Need to know who is responsible to protect it
  - Ownership
  - Roles and responsibilities

Roles and Responsibilities
Information protection requires clear assignment of responsibilities:
- Information owner
- Information system owner
- Board of Directors / Chief Executive Officer
- Users
- Information custodians
- Third-party suppliers

Roles and Responsibilities
- Information security risk management is an integral part of security governance
- It is the responsibility of the board of directors, or the equivalent, to ensure that these efforts are visible
- Management must be involved in and sign off on acceptable risk levels and risk management objectives

Information Classification Considerations
- Business impact and reliance of the business on the information and information system
- Understand business objectives
- Availability of data / systems
- Sensitivity of data / systems

Regulations and Legislation
Information asset protection may be required by legislation:
- Privacy
  - Consumer data
  - Employee data
- Financial accuracy
  - SOX-type laws

Asset Valuation
Information asset valuation may be based on:
- Financial considerations
  - Liability for lost data
  - Cost to create or restore data
- Impact on business mission
- Reputation
- Customer or supplier confidence

Valuation Process
- Determine ownership
- Determine number of classification levels
- Develop labeling scheme
- Identify all information types and locations
- De-classify when data no longer needs protection

Information Protection
- Ensure that data is protected consistently across all systems
- Protect data in all forms: paper, electronic, optical, fax, ...
- Protect data at all times:
  - Storage
  - Transmission
  - Processing
  - Destruction

Information Asset Protection
- Policies
  - Communicated
  - Enforced
  - Clean desk / clear screen
  - Need to know / least privilege
- Procedures
  - Labeling
  - Destruction

Risk Management

Definition of Risk
Risk is a function of the likelihood of a threat-source exercising a vulnerability and the resulting impact of that adverse event on the mission of the organization. Its components:
- Asset
- Threat
- Vulnerability
- Likelihood (probability)
- Impact (consequence)

Why is Risk Important?
- Risk management is a fundamental function of information security
- Provides rationale and justification for virtually all information security activities
- Prioritization of risk allows the development of a security roadmap

Risk Management Definition
What is risk management? The systematic application of management policies, procedures and practices to the tasks of:
- Identifying
- Analyzing
- Evaluating
- Treating
- Monitoring
risk related to information and information systems.

Risk Management Objective
- The objective of risk management is to identify, quantify and manage information security risk
- Reduce risk to an acceptable level through the application of risk-based, cost-effective controls

Risk Management Overview
- Risk is the probability of occurrence of an event or transaction causing financial loss or damage to:
  - Organization
  - Staff
  - Assets
  - Reputation
- Quantitative and qualitative measures

Risk Management Overview
- Risk management is the process of ensuring that the impact of threats exploiting vulnerabilities is within acceptable limits at an acceptable cost
- At a high level, this is accomplished by:
  - Balancing risk against mitigation costs
  - Implementing appropriate countermeasures and controls

Defining the Risk Environment
The most critical prerequisite to a successful risk management program is understanding the organization, including:
- Key business drivers
- The organization's SWOT (strengths, weaknesses, opportunities and threats)
- Internal and external stakeholders
- Organizational structure and culture
- Assets (resources, information, customers, equipment)
- Goals and objectives, and the strategies already in place to achieve them

Threats to Information and Information Systems
Threats to information and information systems are related to:
- Availability
- Confidentiality
- Integrity
- Non-repudiation

Threat Analysis
- Intentional versus unintentional attacks
- Natural
- Man-made
- Utility / equipment
- Threats are affected by:
  - The skill and motivation of the attacker
  - The existence of attack tools

Aggregate Risk
- Aggregate risk must be considered
- Aggregate risk is where several smaller risk factors combine to create a larger risk (the "perfect storm" scenario)

Cascading Risk
- Cascading risk is the effect of one incident leading to a chain of adverse events (the domino effect)

Identification of Vulnerabilities
Weaknesses in security controls:
- Patches not applied
- Non-hardened systems
- Inappropriate access levels
- Unencrypted sensitive data
- Software bugs or coding issues (e.g. buffer overflow)
- Physical security

The Effect of Risk
- An exploit of a vulnerability by a threat may lead to an exposure
- An exposure is measured by the impact it has on the organization or on the ability of the organization to meet its mission

Impact
Examples of direct and indirect financial losses:
- Direct loss of money (cash or credit)
- Criminal or civil liability
- Loss of reputation / goodwill / image
- Reduction of share value
- Conflict of interests for staff, customers or shareholders

Impact cont.
Examples of direct and indirect financial losses:
- Breach of confidence / privacy
- Loss of business opportunity / competitiveness
- Loss of market share
- Reduction in operational efficiency / performance
- Interruption of business activity
- Noncompliance with laws and regulations resulting in penalties

Risk Management Process
A continuous cycle:
  Risk identification (assessment and analysis) -> Risk treatment (control selection) -> Evaluation and assessment -> back to risk identification

Risk Assessment Methodology
Quantitative:
- Determine the impact of a single event
  - Single Loss Expectancy (SLE)
  - SLE = Asset Value x Exposure Factor
- Calculate the frequency of events
  - Annualized Rate of Occurrence (ARO)
  - ARO = incidents per year

Annualized Loss Expectancy (ALE)
- ALE is the calculated cost of risk per year for a given event scenario
- ALE = SLE x ARO
- Used to justify the expense of implementing controls to reduce risk levels
- The cost of a control should not be greater than the benefit realized by implementing it

Qualitative Risk Assessment
- Determine risk levels through scenario-based analysis
- Rank risk levels according to frequency and impact: Low (1), Moderate (2), High (3)
- Risk score = likelihood x impact:

                     Impact
    Likelihood   Low   Moderate   High
    High          3       6        9
    Moderate      2       4        6
    Low           1       2        3
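The quantitative formulas on the two slides above (SLE, ARO, ALE and the "control should not cost more than it saves" rule) and the qualitative matrix are small enough to carry through end to end. The following is an added example, not code from the ISACA courseware: it computes SLE and ALE for a scenario, works out the annual net benefit of candidate controls (risk reduction minus the control's annualized life-cycle cost) so that a control with a negative net benefit is rejected, and scores scenarios with the 3x3 likelihood x impact matrix. The scenario, the asset value, the exposure factors, the ARO values and the control costs are invented figures chosen to make the arithmetic visible.

```python
# Added example (not ISACA's code): the quantitative SLE/ARO/ALE arithmetic
# from the slides, a control cost-benefit check built on it, and the 3x3
# qualitative likelihood x impact matrix. All figures are invented.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Scenario:
    name: str
    asset_value: float      # value of the asset at risk, in currency units
    exposure_factor: float  # fraction of the asset value lost per event (0..1)
    aro: float              # annualized rate of occurrence, incidents per year

    def sle(self) -> float:
        """Single loss expectancy: impact of one event."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        return self.sle() * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float  # life-cycle cost (purchase, deployment, upkeep, testing, retirement) per year
    new_exposure_factor: Optional[float] = None  # None: the control does not change impact
    new_aro: Optional[float] = None              # None: the control does not change frequency

    def residual(self, s: Scenario) -> Scenario:
        """The scenario as it looks once the control is in place."""
        ef = s.exposure_factor if self.new_exposure_factor is None else self.new_exposure_factor
        aro = s.aro if self.new_aro is None else self.new_aro
        return Scenario(s.name, s.asset_value, ef, aro)

    def net_benefit(self, s: Scenario) -> float:
        """Annual risk reduction minus annual control cost. Negative means the
        control costs more than the loss it prevents and is not justified."""
        return s.ale() - self.residual(s).ale() - self.annual_cost


def best_control(s: Scenario, controls):
    """Pick the control with the largest positive net benefit, or None if no
    control pays for itself (risk acceptance may then be the right treatment)."""
    if not controls:
        return None
    benefit, control = max(((c.net_benefit(s), c) for c in controls), key=lambda t: t[0])
    return control if benefit > 0 else None


# Qualitative: rank likelihood and impact as Low (1), Moderate (2), High (3)
LEVEL = {"low": 1, "moderate": 2, "high": 3}


def qualitative_score(likelihood: str, impact: str) -> int:
    """One cell of the matrix on the slide: likelihood level x impact level (1..9)."""
    return LEVEL[likelihood.lower()] * LEVEL[impact.lower()]


def rank_scenarios(rated):
    """Order (name, likelihood, impact) triples from highest to lowest score."""
    return sorted(rated, key=lambda r: qualitative_score(r[1], r[2]), reverse=True)


if __name__ == "__main__":
    breach = Scenario("customer database breach", asset_value=2_000_000,
                      exposure_factor=0.25, aro=0.1)
    options = [
        Control("encrypt at rest + monitoring", annual_cost=30_000, new_aro=0.02),
        Control("outsource the whole platform", annual_cost=60_000, new_aro=0.01),
    ]
    print(f"SLE={breach.sle():,.0f} ALE={breach.ale():,.0f}")
    for c in options:
        print(f"{c.name}: net benefit {c.net_benefit(breach):,.0f} per year")
    chosen = best_control(breach, options)
    print("chosen:", chosen.name if chosen else "none (accept the risk)")
    print(rank_scenarios([("laptop theft", "high", "low"),
                          ("ransomware", "moderate", "high"),
                          ("insider fraud", "low", "moderate")]))
```

With the invented figures the second control reduces risk further but costs more than the extra reduction is worth, so its net benefit is negative and the cheaper control is selected; that is the slide's rule applied to a concrete choice rather than a single control in isolation.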

Data Gathering Techniques
- Surveys / questionnaires
- Observation
- Workshops
- Delphi techniques

Results of Risk Assessment
- Documentation of risk levels
  - Risk register
- Determination of threat and vulnerability levels
- Forecast of impact and frequency of events
- Recommendations for risk mitigation
  - Controls, safeguards, countermeasures

Alignment of Risk Assessment and BIA
- Risk assessment measures impact and likelihood
- Business impact analysis (BIA) measures impact over time
- Related disciplines, but not the same
- The BIA must be done periodically to determine how risk and impact levels increase over time
- Set priorities for critical business functions

Risk Treatment

Risk Treatment
Risk treatment takes the recommendations from the risk assessment process and selects the best choice for managing risk at an acceptable level:
- Residual risk
- Risk acceptance
- Cost / benefit
- Priorities
- Balance between security and business

Risk Treatment
Risk treatment options:
- Reduction / mitigation: implement changes
  - Enhance managerial, technical, physical and operational controls
- Acceptance
- Transference
- Avoidance

Risk Mitigation and Controls
- Controls (safeguards / countermeasures) are implemented in order to reduce a specified risk
- Existing controls and countermeasures can be evaluated
- New controls and countermeasures can be designed

Control Recommendations
Factors to be considered when recommending new or enhanced controls are:
- Cost-benefit analysis
- Anticipated effectiveness
- Compatibility with other controls, systems and processes
- Legislation and regulation
- Organizational policy, standards and culture
- Impact of the control on business processes
- Control reliability

Cost Benefit Analysis of Controls
Cost-benefit analysis must consider the cost of the control throughout the full life cycle of the control or countermeasure, including:
- Acquisition / purchase costs
- Deployment and implementation costs
- Recurring maintenance costs
- Testing and assessment costs

Cost Benefit Analysis of Controls cont.
Cost-benefit analysis also includes the costs of:
- Compliance monitoring and enforcement
- Inconvenience to users
- Reduced throughput of controlled processes
- Training in new procedures or technologies, as applicable
- End-of-life decommissioning

Risk Mitigation Schematic
The slide shows the relationships between the parties in a risk model:
- Owners value assets and wish to minimize the risk to them
- Owners impose countermeasures to reduce risk
- Threat agents give rise to threats that increase risk to assets
- Threat agents wish to abuse and/or may damage assets

Control Types and Categories
Controls may be:
- Managerial
- Technical
- Physical

Control Types and Categories cont.
Controls may be:
- Directive
- Deterrent
- Preventive
- Detective
- Recovery
- Corrective
- Compensating

Security Control Baselines
- Creating baselines of control can assist in developing a consistent security infrastructure
- Principles for developing baselines include:
  - Assess the level of security that is appropriate for the organization
  - Mandate a configuration for all systems and components attached to the organization's network
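A mandated baseline is only useful if something checks systems against it and turns the result into a number management can track. The following is an added example, not code from the ISACA courseware or from any configuration-management product: it compares a constructed inventory of host configurations against a small baseline, treats a documented and approved deviation as an exception rather than a failure, and aggregates the results into two metrics (share of hosts fully compliant, share of individual checks passed). The baseline settings, host names, configuration values and the exception ticket reference are all invented.

```python
# Added example (not from the courseware): checking host configurations
# against a mandated security baseline and turning the result into a
# compliance metric. Baseline settings, host names and values are invented.
from dataclasses import dataclass


@dataclass
class Rule:
    setting: str
    required: object          # exact value, or a minimum when minimum=True
    minimum: bool = False
    severity: str = "high"    # used to label findings in reporting


BASELINE = [
    Rule("ssh.PasswordAuthentication", "no"),
    Rule("ssh.PermitRootLogin", "no"),
    Rule("audit.enabled", "yes"),
    Rule("password.min_length", 12, minimum=True),
    Rule("tls.min_version", (1, 2), minimum=True, severity="medium"),
]

# Documented, approved deviations: (host, setting) -> reference to the
# risk-acceptance record. An exception is reported, not counted as a failure.
EXCEPTIONS = {("legacy1", "tls.min_version"): "RISK-0042 accepted until 2015-12-31"}

# Constructed inventory of hosts and their actual configuration.
HOSTS = {
    "web1": {"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "no",
             "audit.enabled": "yes", "password.min_length": 14, "tls.min_version": (1, 2)},
    "db1": {"ssh.PasswordAuthentication": "yes", "ssh.PermitRootLogin": "no",
            "audit.enabled": "yes", "password.min_length": 8, "tls.min_version": (1, 2)},
    "legacy1": {"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "no",
                "audit.enabled": "yes", "password.min_length": 12, "tls.min_version": (1, 0)},
    "build1": {"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "no",
               "password.min_length": 12, "tls.min_version": (1, 2)},  # audit setting absent
}


def check_host(host, config, baseline=BASELINE, exceptions=EXCEPTIONS):
    """Return (setting, status, detail) for every baseline rule, where status
    is 'pass', 'fail', 'missing' or 'exception'."""
    results = []
    for rule in baseline:
        actual = config.get(rule.setting)
        if (host, rule.setting) in exceptions:
            results.append((rule.setting, "exception", exceptions[(host, rule.setting)]))
        elif actual is None:
            results.append((rule.setting, "missing", f"required {rule.required!r}"))
        elif ((actual >= rule.required) if rule.minimum else (actual == rule.required)):
            results.append((rule.setting, "pass", actual))
        else:
            results.append((rule.setting, "fail",
                            f"{rule.severity}: got {actual!r}, required {rule.required!r}"))
    return results


def compliance_report(hosts, baseline=BASELINE, exceptions=EXCEPTIONS):
    """Aggregate per-host checks into the metrics a manager would track:
    share of hosts fully compliant and share of individual checks passed."""
    per_host = {h: check_host(h, cfg, baseline, exceptions) for h, cfg in hosts.items()}
    ok = ("pass", "exception")
    compliant = [h for h, r in per_host.items() if all(st in ok for _, st, _ in r)]
    total = sum(len(r) for r in per_host.values())
    passed = sum(st in ok for r in per_host.values() for _, st, _ in r)
    return {
        "hosts_compliant": sorted(compliant),
        "host_compliance_pct": round(100 * len(compliant) / len(hosts), 1),
        "check_compliance_pct": round(100 * passed / total, 1),
        "findings": {h: [x for x in r if x[1] in ("fail", "missing")]
                     for h, r in per_host.items()},
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(compliance_report(HOSTS))
```

Two design points carry over from the slides: a setting that is simply absent is reported as "missing" rather than silently passing, because an unconfigured control is not a configured one; and an approved exception is kept visible in the report with its reference, so the accepted residual risk can be found again when the acceptance expires.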

Ongoing Risk Assessment and Building Risk Management into the Organization

Ongoing Risk Assessment
Monitor controls to ensure that they are working effectively:
- Implemented as designed
- Operating properly
- Producing the desired outcome (mitigating the risk they were installed to address)

Measuring Control Effectiveness
- Determine metrics to measure control effectiveness
- Do regular monitoring and reporting
- Aggregate data from several control points
  - Security information and event management (SIEM)
- Measure control effectiveness in comparison to business goals and objectives

Building Risk Management In (Agenda)
Risk management should be built into business processes:
- Change control
- Systems development life cycle (SDLC)
- Ongoing monitoring and analysis
- Audit
- Business process re-engineering
- Project management
- Employment
- Procurement

Risk Related to Change Control
- Uncontrolled / unauthorized changes
- Changes implemented incorrectly
  - Backup
  - Rollback
- Changes that bypass / override controls
- Interruption to service

Controlling Risk in Change Control
- Oversight / steering committee
- Formal change control process
  - Documentation of changes
  - Approvals
  - Testing
- Review of all proposed / implemented changes for impact on security controls

Risk Management During SDLC
- Integrate risk management throughout the SDLC
- Review risk levels as the system is designed, developed, tested and implemented
- Test the implemented security controls
- Ensure the ability to log and monitor events is built into all systems
- Review all new systems for correct operation of controls and associated risk levels

Ongoing Risk Management Monitoring and Analysis
- Do a risk assessment annually
- More frequently in the event of:
  - Organizational changes
  - Regulation
  - Incidents
- Monitor controls frequently and report to management
  - Standardized reporting (format)
  - Trend analysis

Audit and Risk Management
Audit validates that risk is being managed correctly, compared with:
- Culture of the organization
- Policy
- Regulation
- Best practices

Audit and Risk Management cont.
- Validate that risk is within acceptable levels
  - Risk appetite
- Threat and vulnerability analysis was done correctly
- Controls are working correctly
  - Mitigating risk effectively
- Validate compliance with controls
- Reporting and recommendations

Risk in Business Process Re-Engineering
- Review all major system and business process changes for impact on risk levels
- Ensure that the ability to monitor controls is built into business processes
  - Enable reporting and compliance
- Regular reporting to management on the status of changes
- Ensure that changes do not bypass controls
  - Separation of duties, least privilege

Risk in Project Management
- Risk of scope creep
- Risk of project overrun
  - Budget
  - Time
- Failure to deliver expected results
- Vendor compliance with requirements

Risk During Employment Process
Hiring procedures:
- Correct skills and experience
- Background checks
  - Criminal
  - Financial
- References from former employers / associates

New Employee Initiation
- Require signing of:
  - Non-disclosure agreements (NDA)
  - Non-compete agreements
  - Ethics statement
- Review security policy
- Awareness training

Risk During Employment
- Access creep: adding more and more access over time
  - Violation of least privilege / need to know
- Enforce compliance with controls
- Regular awareness sessions

Risk at Termination of Employment
- Need to remove all access
- Recover all organizational assets
  - ID cards
  - Laptops
  - Remote access tokens
  - BlackBerry / cell phone
  - Documents
- Review NDAs
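Access creep, leavers who still have access, and the separation-of-duties point from the business process re-engineering slide are all caught by the same periodic control: a review of actual entitlements against an authoritative source and a least-privilege role baseline. The following is an added example, not code from the ISACA courseware or from any identity-management product: it compares a constructed entitlement export against a constructed HR feed and role baseline, reports access creep, terminated users with remaining access, accounts with no HR record, and toxic permission combinations, and derives the list of permissions to revoke. Roles, users, permission names and the conflict pairs are invented.

```python
# Added example (not from the courseware): a periodic entitlement review that
# catches access creep, accounts that survived termination, orphan accounts,
# and separation-of-duties conflicts. Roles, users and permissions are invented.

# Least-privilege baseline: the permissions each role should have, and no more.
ROLE_BASELINE = {
    "developer": {"git:read", "git:write", "ci:run"},
    "dba": {"db:admin", "git:read"},
    "finance_clerk": {"erp:post", "erp:report"},
    "finance_manager": {"erp:approve", "erp:report"},
}

# Toxic combinations that no single person may hold (separation of duties).
SOD_CONFLICTS = [frozenset({"erp:post", "erp:approve"}),
                 frozenset({"git:write", "ci:deploy_prod"})]

# Constructed HR feed: the authoritative source for employment status and role.
HR = {
    "alice": {"status": "active", "role": "developer"},
    "bob": {"status": "active", "role": "dba"},
    "carol": {"status": "terminated", "role": "finance_clerk"},
    "dave": {"status": "active", "role": "developer"},
    "erin": {"status": "active", "role": "finance_manager"},
}

# Constructed export of what the systems actually grant today.
ENTITLEMENTS = {
    "alice": {"git:read", "git:write", "ci:run", "db:admin"},  # db:admin left over from an old project
    "bob": {"db:admin", "git:read"},
    "carol": {"erp:post", "erp:report"},                       # still provisioned after leaving
    "dave": {"git:read", "ci:run"},                            # subset of the baseline: fine
    "erin": {"erp:approve", "erp:report", "erp:post"},         # creep that also breaks SoD
    "svc-backup": {"vpn:access"},                              # no HR record at all
}


def review(hr, entitlements, baseline=ROLE_BASELINE, sod=SOD_CONFLICTS):
    """Return findings as {user: [(kind, detail), ...]}; clean users are omitted."""
    findings = {}

    def add(user, kind, detail):
        findings.setdefault(user, []).append((kind, detail))

    for user, perms in entitlements.items():
        record = hr.get(user)
        if record is None:
            add(user, "orphan_account", sorted(perms))
            continue
        if record["status"] != "active":
            # The termination control failed: every access should already be gone.
            add(user, "terminated_with_access", sorted(perms))
            continue
        excess = perms - baseline.get(record["role"], set())
        if excess:
            add(user, "access_creep", sorted(excess))
        for combo in sod:
            if combo <= perms:
                add(user, "sod_conflict", sorted(combo))
    return findings


def revocation_plan(findings):
    """Permissions to remove per user: everything for leavers and orphans, only
    the excess for creep. SoD conflicts that survive the creep removal need an
    owner decision, so they are reported but not revoked automatically."""
    plan = {}
    for user, items in findings.items():
        for kind, detail in items:
            if kind in ("terminated_with_access", "orphan_account", "access_creep"):
                plan.setdefault(user, set()).update(detail)
    return {u: sorted(p) for u, p in plan.items()}


if __name__ == "__main__":
    found = review(HR, ENTITLEMENTS)
    for user, items in found.items():
        for kind, detail in items:
            print(f"{user:10} {kind:24} {detail}")
    print(revocation_plan(found))
```

The review runs against the HR feed rather than against the directory because the directory is what is being audited; an account the directory knows but HR does not is exactly the orphan the termination process is supposed to prevent.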

Risks During Procurement
- Need to purchase the right equipment at the right price
- Improper buying practices
  - Influence
  - Kickbacks
- Piracy / imitations (counterfeit goods)
- Inappropriate relations with, or selection of, vendors

Risk During Procurement cont.
- Equipment not delivered according to specifications / contract terms
- Equipment not configured / installed properly
- Vendor not providing contracted maintenance according to maintenance agreements
  - Maintain correct patch levels

Reporting to Management
- Regular reporting
  - Standard format
  - Scheduled basis
  - Consistent metrics to allow comparison of results over time
- Reporting on an exceptional basis
  - Following an event

Documentation
Typical risk management documentation includes:
- A risk register
- An inventory of information assets
- Threat and vulnerability analysis
- Control effectiveness report
- Initial risk rating
- Risk report: consequences and likelihood of compromise
- A risk mitigation and action plan

Training and Awareness
- The most effective control to mitigate risk is training of all personnel
  - Awareness
  - Training
  - Education
- Educate on policies, standards, practices
- Creates accountability

Training and Awareness
End users should receive training on:
- The importance of adhering to information security policies, standards and procedures
- Clean desk policy
- Responding to incidents and emergencies
- Privacy and confidentiality requirements
- The security implications of logical access in an IT environment

Training for End Users
Practical training topics:
- Clean desk policy
- Responding to incidents and emergencies
- Privacy and confidentiality requirements
- Handling sensitive data and intellectual property
- The security requirements for access to IT systems

Practice Question
The PRIMARY purpose of a risk management program is:
a) To eliminate risk
b) To reduce all risks to a minimal level of impact
c) To satisfy regulatory requirements
d) To ensure risk levels are acceptable to senior management

Practice Question 2
The formula SLE x ARO relates to:
a) Annualized Loss Expectancy (ALE)
b) Risk acceptance levels
c) The frequency of attacks
d) Calculation of the impact of a threat

2015 CISM Review Course
Chapter 3: Information Security Program Development and Management

Course Flow
The four chapters build on each other (the slide shows them as a diagram whose arrows are labelled "influenced by", "enforced by", "directs changes to" and "directs development of"):
- Chapter One: Information Security Governance
- Chapter Two: Information Risk Management
- Chapter Three: Develop and Manage a Security Program
- Chapter Four: Information Security Incident Management

Course Agenda
- Learning objectives
- Security program development objectives
- Role of the information security manager
- Information security program development
- Elements of a security program
- Information security concepts
- Technology and tools, security models
- Integrating security into the business

Exam Relevance
- Ensure that the CISM candidate understands how to manage the information security program in alignment with the information security strategy
- The content area in this chapter represents approximately 25% of the CISM examination (approximately 50 questions)

Chapter 3 Learning Objectives
- Develop and maintain plans to implement an information security program that is aligned with the information security strategy
- Ensure alignment between the information security program and other business functions
- Identify internal and external resources required to execute the information security program
- Ensure the development of information security architectures

Learning Objectives cont.
- Ensure the development, communication and maintenance of standards, procedures and other documentation that support information security policies
- Design and develop a program for information security awareness, training and education
- Integrate information security requirements into contracts and third-party agreements

Definition
Information security program management includes:
- Directing
- Overseeing
- Monitoring
information-security-related activities in support of organizational objectives.

Security Strategy and Program Relationship
- The security strategy is the long-term plan for creating a security structure that will support the business goals of the organization
- The security program outlines the steps necessary to implement the security strategy
- The security program should be defined in business terms

Information Security Management
Information security management is primarily concerned with:
- Ongoing, day-to-day operations of a security department
- Budget for security
- Planning
- Business case development for security projects
- Staff development and training

Importance of Security Management
Achieving adequate levels of information security means:
- Implementing cost-effective security solutions
- Supporting business operations
- Strategic planning and alignment between security and the business
- Compliance and reporting

Definition
Information security program development is the integrated set of:
- Activities
- Projects
- Initiatives
to implement the information security strategy.

Effective Security Management
Effective security management must demonstrate value to the organization:
- Compliance with policies and procedures
- Cost effectiveness
- Improved audit results
- Business process assurance

Reasons for Security Program Failure
- Poorly understood requirements
- Lack of understanding about what is important and why
- Lack of funding or resources
- Lack of will to make security a priority
- Too much technical focus

Security Program Development Objectives

Program Objectives
Implement the objectives of the security strategy through:
- Managerial controls
- Technical controls
- Physical controls

Security Program Development
The elements essential to ensure successful security program design and implementation:
- A well-defined and clear information security strategy
- Cooperation and support from management and stakeholders
- Effective metrics to measure program effectiveness

Security Program Development cont.
A well-executed security program will:
- Support governance of information security
- Convert security initiatives into practical, real-world implementations
- Provide proof that security implementations are meeting business and security needs
- Be flexible enough to adapt to changes in security / business requirements


Outcomes of Information Security Program Development

As seen in Chapter One, objectives for information security governance include:
- Strategic alignment
- Risk management
- Value delivery
- Resource management
- Assurance process integration
- Performance measurement


Governance of the Security Program

- Acceptance and support for the strategy and the objectives of the security program is the responsibility of executive management
- Everyone is responsible for compliance with security requirements


    Role of the Information Security Manager


Role of the Information Security Manager (Agenda)

- Strategy
- Policy
- Awareness
- Implementation
- Monitoring
- Compliance
- Prevention
- Detection
- Correction


Strategy

The first step to development of an information security program (as seen in Chapter One) is to align the security strategy with the objectives of the business:
- Governance
- Resources
- Reporting
- Compliance
- Regulations


Policy

Policy provides:
- Authority
- Direction

Policy requires:
- Background
- Scope
- Applicability


Creating Effective Policy

- Ownership
- Up to date
- Exceptions
- Enforceable / legal
- Non-technical
- Reflects culture and mission of the organization


Awareness

People are the most important element of a security program; therefore they must:
- Understand their roles
- Be capable of performing their roles
- Be provided adequate training
- Be accountable for results


Implementation

Converts strategy to practical tools and techniques:
- Controls
- Safeguards
- Countermeasures


Monitoring

- Review of security controls, countermeasures, safeguards
- Continuous or periodic testing
- Frequency is dependent on:
  - Laws
  - Business changes
  - Culture


Compliance

Compliance ensures that business processes and security measures meet the requirements of corporate policy, local regulations, industry-based standards, and best practices.

Compliance requires proof (not just theory):
- Testing, logging
- Reporting


Information Security Program Development


Developing an Information Security Road Map

The CISM must consider the security program from the perspective of:
- Data
- Applications
- Systems
- Facilities
- Processes


Defining Security Program Objectives

Whether or not there is an existing information security program, there are some basic program components:
- Understanding management's security objectives
- Developing key goal indicators (KGIs) that reflect and measure business priorities
- Ways to measure whether the program is heading in the right direction


Inventory of Information Systems

Document all aspects of the information systems, including:
- System categorization
- System description, including system boundaries
- Network diagram and data flows
- Software and hardware inventory
- Users and system owners
- Business risk assessment
- System risk assessment
- Contingency plan
- System security plan


Challenges in Developing an Information Security Program

- The process of setting a program in place and measuring its results requires a great deal of cooperation among everyone in the organization who handles data
- Information security program development is not usually hampered by the technology choices available, but rather by people, process and policy issues that conflict with program objectives and see security as a hindrance to business operations


Challenges in Developing an Information Security Program cont.

The challenges faced by the CISM while developing a security program may include:
- Organizational resistance due to:
  - Changes in areas of responsibility
  - A perception that increased security will impact productivity and access
  - Unfair monitoring / restrictions
- Lack of adequate budget, personnel, skills or support
- Unanticipated problems with existing controls, systems or ongoing projects


Elements of a Security Program Road Map

A vital element of the information security program is a roles and responsibilities matrix (RACI: Responsible, Accountable, Consulted, Informed)

                      CEO   CISO   CIO   VP HR
Policy Development     I     R      A     C
Business Continuity    I     C      R     I
Incident Management    I     A      R     C
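An added worked example (not part of the courseware) that checks a RACI matrix for the usual well-formedness rules, assuming the convention that each activity has exactly one Accountable role and at least one Responsible role; the matrix values are transcribed from the table above.

```python
# Added example (not courseware code): validating a RACI matrix.
# Assumed convention: every activity has exactly one Accountable role and at
# least one Responsible role; any role may also be Consulted or Informed.

# Transcribed from the slide's table: rows are activities, columns are roles.
ROLES = ["CEO", "CISO", "CIO", "VP HR"]
RACI = {
    "Policy Development":  ["I", "R", "A", "C"],
    "Business Continuity": ["I", "C", "R", "I"],
    "Incident Management": ["I", "A", "R", "C"],
}

VALID_CODES = {"R", "A", "C", "I", ""}   # "" = role not involved


def check_raci(matrix, roles=ROLES):
    """Return a list of findings; an empty list means the matrix is well-formed."""
    findings = []
    for activity, codes in matrix.items():
        if len(codes) != len(roles):
            findings.append(f"{activity}: expected {len(roles)} entries, got {len(codes)}")
            continue
        bad = [c for c in codes if c not in VALID_CODES]
        if bad:
            findings.append(f"{activity}: unknown code(s) {bad}")
        accountable = [r for r, c in zip(roles, codes) if c == "A"]
        responsible = [r for r, c in zip(roles, codes) if c == "R"]
        if len(accountable) == 0:
            findings.append(f"{activity}: no Accountable role assigned")
        elif len(accountable) > 1:
            findings.append(f"{activity}: more than one Accountable role: {accountable}")
        if not responsible:
            findings.append(f"{activity}: no Responsible role assigned")
    return findings


def roles_for(matrix, role, roles=ROLES):
    """Per-role view: the activities one role is involved in and its code for each."""
    i = roles.index(role)
    return {activity: codes[i] for activity, codes in matrix.items() if codes[i]}


if __name__ == "__main__":
    for finding in check_raci(RACI):
        print("finding:", finding)
    print("CISO view:", roles_for(RACI, "CISO"))
```

Run against the slide's own table, the check reports that Business Continuity has no Accountable role, which is exactly the kind of gap a review of the matrix should surface before the program is approved.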


Elements of a Security Program Road Map

An understanding of the general risk appetite of an organization, and a review to discover any gaps or determine whether the information security program is operating at acceptable levels

[Chart: risk as potential loss due to equipment failure (scale 0 to 75,000), comparing the current risk level with the acceptable risk level]


Elements of a Security Program Road Map

Ability to link the security program with business objectives and demonstrate justification for the evolution from a security concept towards a security architecture and finally into the selection and implementation of security tools and technologies

[Figure: layered progression from security context and security concept, through logical architecture and physical architecture, to the component level]


Security Programs and Projects

The overall security program will almost always consist of a series of individual projects designed to meet security objectives

[Figure: a security program broken down into projects, e.g., firewall implementation project, policy creation project, awareness sessions]


Security Program and Project Development

- A gap analysis will identify a series of projects required to implement the information security program
- Each project should have time, budget, milestones, deliverables, and measurable results
- Each project should be clearly defined and integrate with other projects and departments
  - HR, Finance, Physical security


Security Program and Project Development cont.

Security projects should be prioritized so that:
- The most important projects are given priority
- Projects do not overlap or cause a delay for other projects
- Resources are appropriately allocated
- Results are documented and reported to management


Security Project Planning

Determine project needs:
- Oversight / timelines
- Equipment
- Personnel (skills)
  - Outsourcing or contract staff
- Infrastructure
  - Networks, databases, facilities, etc.


Selection of Controls

Controls are:
- Technical
- Managerial
- Physical

Tools designed to provide reasonable assurance that:
- Business objectives will be achieved
- Undesirable events will be prevented, or detected and corrected


Common Control Practices

Common control practices include:
- Logical access control
- Principle of least privilege / need to know
- Compartmentalization to minimize damage
  - Domains
- Segregation of duties
- Transparency


    Elements of a Security Program


Security Program Elements (Agenda)

- Policies
- Standards
- Procedures
- Guidelines
- Technologies
- Personnel security
- Organizational structure
- Outsourced security providers
- Facilities
- Environmental security


Policies

- Provide authority and direction for the security program from management
- High-level versus functional policies
- Are interpreted by standards, procedures, baselines

What are the characteristics of effective policies? What makes a policy effective?


Acceptable Use Policy

An acceptable use policy:
- Should provide a user-friendly summary of what should and should not be done to comply with policy
- Must detail in everyday terms the obligations of all users
- Must be communicated to all users
- Must be read and understood by all users
- Should be provided to new personnel


Acceptable Use Policy cont.

Rules of use for all personnel include the policies and standards for:
- Access control
- Classification of data
- Marking and handling of documents
- Reporting requirements and disclosure constraints
- Rules regarding email and Internet use


Standards

- Standards ensure that systems are configured and operated in a similar manner
- Compliance with standards should be automated
  - Ensure that system configurations do not (intentionally or unintentionally) deviate from policy compliance
- Standards are used to implement policy
- Deviations from a standard must have formal approval
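An added example (not courseware code) of the kind of automated compliance check the slide calls for: constructed system configurations are compared with a constructed configuration standard, and a deviation only passes when a formally approved, unexpired exception covers it. The parameter names, system names and exception register are assumptions, not a real baseline.

```python
# Added example (not courseware code): automated check of system configurations
# against a configuration standard, honouring formally approved deviations.
from datetime import date

# Constructed standard: parameter -> required value (assumed names, not a real baseline).
STANDARD = {
    "ssh.password_auth": "no",
    "ssh.root_login": "no",
    "password.min_length": 14,
    "audit.logging": "on",
}

# Constructed observed configurations for three systems (app02 is missing a parameter).
OBSERVED = {
    "web01": {"ssh.password_auth": "no", "ssh.root_login": "no", "password.min_length": 14, "audit.logging": "on"},
    "db01":  {"ssh.password_auth": "yes", "ssh.root_login": "no", "password.min_length": 14, "audit.logging": "on"},
    "app02": {"ssh.password_auth": "no", "ssh.root_login": "yes", "password.min_length": 8},
}

# Constructed exception register: each deviation needs an approver and an expiry date.
EXCEPTIONS = [
    {"system": "db01",  "parameter": "ssh.password_auth", "approved_by": "CISO", "expires": date(2030, 1, 1)},
    {"system": "app02", "parameter": "ssh.root_login",    "approved_by": "CISO", "expires": date(2014, 1, 1)},
]

AS_OF = date(2015, 4, 17)   # date the review is run (the slide deck's date)


def approved_exception(system, parameter, today):
    """True only if an approved, not-yet-expired exception covers this deviation."""
    return any(e["system"] == system and e["parameter"] == parameter
               and e["approved_by"] and e["expires"] >= today
               for e in EXCEPTIONS)


def check_compliance(standard, observed, today):
    """Return {system: [findings]}; a finding is a deviation without a valid exception."""
    report = {}
    for system, config in observed.items():
        findings = []
        for parameter, required in standard.items():
            actual = config.get(parameter)
            if actual == required or approved_exception(system, parameter, today):
                continue   # compliant, or deviation formally approved
            if actual is None:
                findings.append(f"{parameter}: not set (standard requires {required!r})")
            else:
                findings.append(f"{parameter}: {actual!r} (standard requires {required!r})")
        report[system] = findings
    return report


if __name__ == "__main__":
    for system, findings in check_compliance(STANDARD, OBSERVED, AS_OF).items():
        print(f"{system}: {'compliant' if not findings else 'NON-COMPLIANT'}")
        for finding in findings:
            print("  -", finding)
```

With the sample data, db01 passes because its deviation is covered by a current approval, while app02 is reported for an expired exception, a weak password length and a parameter that is not set at all.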


Procedures

- Procedures provide a defined, step-by-step method of completing a task
  - e.g., new user registration / user ID creation; incident management
- Allow actual activity to be reviewed for compliance with the required procedures
- Help ensure consistency of operations


Guidelines

- Provide recommendations for better security practices:
  - Password creation, use of social media
- Are only recommendations, not mandatory


Technology

- One of the most important elements of a security program
- Without the right tools, an effective security program is not feasible
- Many tools available


Personnel Security

- Protect staff from being harmed
  - Duress alarms, cameras
- Having the right people:
  - Skills / education required
  - Awareness
- Management and oversight
  - Disciplinary action when required
- Separation of duties


Training and Skills Matrix

- Determine the level of training needed by staff according to job responsibilities
- Develop a training matrix
- Perform a gap analysis

            Manager     Administrator   User
Level III   CISM        CCSP            SEC+
Level II    SEC+        GSEC            Awareness
Level I     Awareness   SEC+            Awareness


Organizational Structure

- Who should security report to?
  - Normal reporting
  - Incident reports
- Adequate:
  - Budget
  - Authority
  - Scope


Outsourced Security Providers

Outsourcing security and monitoring may have many benefits:
- Provide necessary expertise
- Monitor all corporate systems
- Correlate activity from several systems
- Centralized reporting


Third-party Service Providers

When using a third party:
- Ensure data are stored and secured adequately in the service provider environment
- Define data destruction and data sanitization processes
- Create channels of communication and liaison with the outsourced firm
- Maintain accountability in the service provider organization for policy enforcement
- Remember that prime liability for data protection is with the organization, not with the outsourced firm


Facilities

- Secure operational areas
  - Server rooms
  - Equipment rooms
  - Administrator, developer, and operator work areas
- Consider factors such as:
  - Age of building (fire codes)
  - Shared facility with other companies


Facilities Security

Physical controls may include:
- Smart cards or access controls based on biometrics
- Security cameras
- Security guards
- Fences
- Lighting
- Locks
- Sensors


Environmental Security

- Heating, ventilation and humidity controls
- Reliable power supplies


    Information Security Concepts


Information Security Concepts (Agenda)

Topics already covered:
- Confidentiality
- Integrity
- Availability
- Countermeasures
- Controls
- Governance
- Layered defense
- Risk management
- Threats
- Vulnerabilities
- Attacks
- Exposure
- Architecture
- Business impact analysis (BIA)
- Data classification


Information Security Concepts (Agenda)

- Access control
  - Identification
  - Authentication
  - Authorization
  - Accounting / auditability
- Criticality
- Sensitivity
- Trust models


Access Control

- Controlling who and what has access to the facilities, systems, people and data of the organization
- Ensuring the right people have the right level of access
- Preventing inappropriate use, modification or destruction of organizational resources
- Tracking all activity to the responsible entity


Identification

Access control starts with knowing who or what is accessing our systems, data, facilities or other resources. Identifiers must be:
- Unique (traceable to the correct person/process)
- Removed when no longer required
- e.g., user IDs, customer account numbers, fingerprints


Authentication

Validating the claimed identity: is the person requesting access really who they say they are?
- Knowledge (password)
- Ownership (token, smart card, badge)
- Characteristic (biometrics)


Authorization

Granting the authenticated user the correct level of permissions needed:
- Read
- Write
- Execute
- Create
- Delete


Accounting / Auditability

- Logging, monitoring and tracking of activity
- Ability to associate activity with a specific user
- Audit log:
  - Protection
  - Review
  - Analysis
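An added example (not courseware code) that ties the Identification slide to the Accounting slide: constructed audit log lines are reviewed against a constructed identity register so that every recorded action can be traced to a unique, still-active identity, and the denied actions are summarized per user for review. The log format, the permission names (taken from the Authorization slide) and the register fields are assumptions.

```python
# Added example (not courseware code): reviewing an audit log against the identity
# register so each action is traceable to a unique, current identity.
import re

# Constructed identity register: user ID -> owner and status. An owner of None
# marks a shared (generic) account that cannot be tied to one person.
IDENTITIES = {
    "jsmith": {"owner": "Jane Smith", "status": "active"},
    "mjones": {"owner": "Mark Jones", "status": "disabled"},   # left the company
    "ops":    {"owner": None,         "status": "active"},     # shared account
}

# Constructed audit log (assumed format: timestamp user action resource result).
AUDIT_LOG = """\
2015-04-17T09:01:12Z jsmith  READ    /finance/q1.xlsx ALLOW
2015-04-17T09:03:40Z ops     WRITE   /finance/q1.xlsx ALLOW
2015-04-17T09:05:02Z mjones  DELETE  /hr/payroll.csv  DENY
2015-04-17T09:07:55Z tnguyen EXECUTE /bin/backup      ALLOW
2015-04-17T09:08:10Z jsmith  WRITE   /finance/q1.xlsx DENY
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(READ|WRITE|EXECUTE|CREATE|DELETE)\s+(\S+)\s+(ALLOW|DENY)$")


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, user, action, resource, result = m.groups()
            events.append({"ts": ts, "user": user, "action": action,
                           "resource": resource, "result": result})
    return events


def review(events, identities):
    """Findings: activity that cannot be traced to one known, active person."""
    findings = []
    for e in events:
        ident = identities.get(e["user"])
        if ident is None:
            findings.append(f"{e['ts']} {e['user']}: unknown ID (not in identity register)")
        elif ident["status"] != "active":
            findings.append(f"{e['ts']} {e['user']}: activity by {ident['status']} ID")
        elif ident["owner"] is None:
            findings.append(f"{e['ts']} {e['user']}: shared account, not traceable to one person")
    return findings


def denied_by_user(events):
    """Count of denied actions per user, a starting point for audit log analysis."""
    counts = {}
    for e in events:
        if e["result"] == "DENY":
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts
```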


Criticality

- How much is the ability of the organization to deliver its products and services dependent on:
  - Information
  - Information systems
- What would the extent of the impact be on the business (quantitatively and qualitatively) if they were not available?
- This is a measure of the criticality of the resource


Sensitivity

- How much is the organization dependent on the accuracy or confidentiality requirements for:
  - Information
  - Information systems
- This is a measure of the sensitivity of the resource


Trust Models

- Multi-level security
  - Users have different levels of trust (access)
- Domains of trust
  - Departmentalization / compartmentalization
  - Security perimeters
- Trusted links between systems


Technologies and Tools: Security Components and Models


Technology-based Security

Technology-based controls:
- Many technologies available
- Are used to implement controls
- Have controls built into their implementation
  - Must be enabled
  - Must be monitored / updated


Technologies

There are numerous technologies relevant to security that the CISM should be familiar with, including:
- Firewalls
- Routers and switches
- IDS, NIDS, HIDS
- Cryptographic techniques (PKI, DES)
- Digital signatures
- Smart cards


Security in Technical Components

Native control technologies:
- Security features built in to equipment and applications
  - Access control on switches, routers
  - Error handling in applications
- Many products feature out-of-the-box security features that can be configured to protect business information systems
- Generally configured and operated by IT


Security in Technical Components cont.

Supplemental control technologies:
- Security control devices added to an information system
  - IDS (Intrusion Detection Systems), firewall, PKI (Public Key Infrastructure)
- Operate as a form of layered defense


    Security