isaca-cism-courseware
ISACA CISM Certification
Certified Information Security Manager Courseware Version 4.0
4/17/2015

CISM: Firebrand Accelerated Training

2015 CISM Review Course: Introduction
Agenda
This introduction will address:
The CISM certification
Course format
Examination format
Introduction of attendees
To set the scene: recent incidents

This is NOT a Death-By-PowerPoint Seminar

But it IS a Seminar
CISM: Certified Information Security Manager
Designed for personnel that have (or want to have) responsibility for managing an information security program
Tough but very good quality examination
Requires understanding of the concepts behind a security program, not just the definitions
CISM Exam Review Course Overview
The CISM exam is based on the CISM job practice.
The ISACA CISM Certification Committee oversees the development of the exam and ensures the currency of its content.
There are four content areas that the CISM candidate is expected to know.

CISM Qualifications
To earn the CISM designation, information security professionals are required to:
Successfully pass the CISM exam
Adhere to the ISACA Code of Professional Ethics
Agree to comply with the CISM continuing education policy
Submit verified evidence of five (5) years of work experience in the field of information security
Daily Format
Lecture and sample questions
Domain structure
Learning objectives
Content
Sample questions
Please note that the information in every domain overlaps with the information in other domains; during the course we will introduce topics that are expanded upon in later domains.
Domain Structure (diagram)
The four domains: Information Security Governance; Information Risk Management and Compliance; Information Security Program Development and Management; Information Security Incident Management.
Relationship labels between the domains in the diagram: Mandates, Requires, Deploys, Reports To, Influences.
Course Structure
Start time
Breaks
Meals
End of day
End of class on last day

Logistics
Fire escapes
Assembly point
Mobile phones / pagers

The Examination
Description of the Exam
The exam consists of 200 multiple choice questions that cover the CISM job practice areas.
Four hours are allotted for completing the exam.
See the Candidate's Guide to the CISM Exam and Certification.

Examination Job Content Areas
The exam items are based on the content in 4 information security areas:
Information Security Governance 24%
Information Risk Management and Compliance 33%
Information Security Program Development and Management 25%
Information Security Incident Management 18%

Examination Job Content Areas (pie chart of the same four weightings: Governance 24%, Risk Management and Compliance 33%, Program Development and Management 25%, Incident Management 18%)
2015 Exam Dates
The exam will be administered three times in 2015:
The 1st exam date is June 13 (April 21 is the deadline for registration)
The 2nd exam date is Sept 12
The 3rd exam date is Dec 12
Many examination locations worldwide
Register at www.isaca.org

Examination Day
Be on time!!
The doors are locked when the instructions start, approximately 30 minutes before examination start time.
Bring the admission ticket (sent out prior to the examination by ISACA) and an acceptable form of original photo identification (passport, photo ID or driver's license).
Completing the Examination Items
Bring several #2 pencils and an eraser
Read each question carefully
Read ALL answers prior to selecting the BEST answer
Mark the appropriate answer on the test answer sheet
When correcting an answer, be sure to thoroughly erase the wrong answer before filling in a new one
There is no penalty for guessing. Answer every question.

Grading the Exam
Candidate scores are reported as a scaled score based on the conversion of a candidate's raw score on an exam to a common scale.
ISACA uses and reports scores on a common scale from 200 to 800. A candidate must receive a score of 450 or higher to pass.
Exam results will be mailed (and emailed) out approximately 8 weeks after the exam date.
Good luck!

Introduction of Classmates

HIGHLY TECHNICAL ATTACKS
Stuxnet
Part of Operation Olympic Games, a 2006 operation designed to disrupt Iran's nuclear programme
General James E. Cartwright, head of CyberOps inside the US Strategic Command, developed the Stuxnet plan
Stage 1: Plant code that extracts maps of the air-gapped networks supporting nuclear labs and reprocessing plants in Iran
Stage 2: Payload development by the NSA's Foreign Affairs Directorate and the IDF's Intelligence Corps Unit 8200. Code name: The Bug
Stage 3: Test against P-1 centrifuges
Stage 4: Plant the worm in Natanz via spies and tricked insiders (from engineers to maintenance workers: anyone with physical access to the plant). This was in 2008
The op was successful
ICS were infected and high-speed centrifuges were infected
Iranians blamed themselves or suppliers for observed problems

Stuxnet
20x more complex than any previous piece of malware
Array of capabilities
Increase pressure inside nuclear reactors while telling system operators everything was normal
Does not carry a forged security clearance (used by malware to escalate privilege). It had a real clearance, stolen from one of the most globally reputable technology companies
Exploited 20 zero-day vulnerabilities
Target specific. It remained dormant until the target was sighted. The target was the P-1 centrifuges. May have shut down 1000 centrifuges in Natanz
Iran has responded to the attack with an open call to hackers to join the Iranian Revolutionary Guard. It now has the 2nd largest online army
GhostNet
GhostNet represents a network of compromised computers resident in high-value political, economic, and media locations spread across numerous countries worldwide

GhostNet
Infected 986 machines across 93 countries

GhostNet
Malware retrieving a sensitive document
This screen capture of the Wireshark network analysis tool shows an infected computer at the Office of the Dalai Lama uploading a sensitive document to one of the CGI network's control servers.

GhostNet
The gh0st RAT interface:

GhostNet
gh0st RAT demonstration
https://www.youtube.com/watch?v=6p7FqSav6Ho

Technical Social Engineering
The purpose of social engineering is to transparently install malicious software or to trick you into handing over sensitive information.
Technical social engineering is a chained exploit. Human nature and software vulnerabilities are both exploited.

Technical Social Engineering
Operation Aurora
Targeted 34 companies in the financial, technology and defense sectors
Never before seen level of sophistication outside the defense industry. Prior to this, commercial attacks were SQL-injection or wireless-breach based
Highly sophisticated and coordinated hack attack against Google's corporate network
Targeted and stole IP (source code repositories)
Accessed Gmail accounts of human rights activists

Operation Aurora
Used several pieces of malware, levels of encryption, stealth programming and zero-day exploits in IE, Word, Excel and Adobe PDFs
Attack was obfuscated and avoided common detection methods
Tailored to target a small number of corporate users by:
sending a malicious document attached to an email, or
sending a spoofed email message with a link to a malicious website
Infected machines will typically have the following components installed:
%System%\[RANDOM].dll: main file. Runs as a service and has back door capabilities
%System%\acelpvc.dll: streams live desktop feed to the attacker
%System%\VedioDriver.dll: helper DLL for acelpvc.dll

Operation Aurora
Siphoned off live feed and/or data to C&C servers in Illinois, Texas and Taiwan
One C&C server was hosted by RackSpace
Designed to occur during a holiday season when company SOC and IRTs would be thinly staffed
Operation Aurora: Trojan.Hydraq
Infects Win2K, Win7, Win2003, Win2008, Vista, XP
Creates 2 files
Creates a service RASxxxx
Registers the service by creating a registry subkey
Modifies this registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs
Opens a backdoor allowing a remote attacker to do a number of things
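A defender-side check suggested by the Trojan.Hydraq slide above, added here as an example and not part of the courseware: because the malware persists by inserting its service name into the SvcHost netsvcs group, comparing the current netsvcs list and the service registrations against a known-good baseline surfaces that change. All service names, DLL paths and the RAS1a2b entry below are constructed sample data (the name follows the RASxxxx pattern the slide gives); on a real host the values would be read from the registry rather than hard-coded.

```python
# Added example, not from the ISACA/Firebrand courseware: baseline comparison of the
# SvcHost netsvcs group, the registry value the Trojan.Hydraq slide says is modified.
# All data below is constructed sample data; on a live host it would be read from the
# registry (for example with PowerShell's Get-ItemProperty on the keys named here).

NETSVCS_VALUE = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                 r"\SvcHost\netsvcs")

# Known-good netsvcs group captured from a clean build of the same image (constructed).
BASELINE_NETSVCS = ["AppMgmt", "BITS", "EventSystem", "lanmanserver", "Schedule", "winmgmt"]

# Service name -> ServiceDll path on the clean build (constructed).
BASELINE_SERVICE_DLLS = {
    "AppMgmt": r"C:\Windows\System32\appmgmts.dll",
    "BITS": r"C:\Windows\System32\qmgr.dll",
    "EventSystem": r"C:\Windows\System32\es.dll",
    "lanmanserver": r"C:\Windows\System32\srvsvc.dll",
    "Schedule": r"C:\Windows\System32\schedsvc.dll",
    "winmgmt": r"C:\Windows\System32\wbem\WMIsvc.dll",
}

# Current state of a host under review (constructed): one extra netsvcs entry whose
# name follows the RASxxxx pattern from the slide and whose ServiceDll is a random
# name in %System%, as the Operation Aurora component list describes.
CURRENT_NETSVCS = ["AppMgmt", "BITS", "EventSystem", "lanmanserver", "RAS1a2b",
                   "Schedule", "winmgmt"]
CURRENT_SERVICE_DLLS = dict(BASELINE_SERVICE_DLLS)
CURRENT_SERVICE_DLLS["RAS1a2b"] = r"C:\Windows\System32\xk3p9q.dll"  # placeholder name


def netsvcs_findings(baseline, current, baseline_dlls, current_dlls):
    """Compare the netsvcs group and its service registrations with the baseline.

    Returns (finding, service_name) tuples for:
      added_to_netsvcs         - a name in netsvcs that the baseline does not have
      removed_from_netsvcs     - a baseline name that is gone (tampering or breakage)
      no_service_registration  - a netsvcs entry with no Services subkey to load
      unknown_service_dll      - a registration whose ServiceDll is not in the baseline
    """
    known_dlls = {path.lower() for path in baseline_dlls.values()}
    base = set(baseline)
    findings = []
    for name in current:
        if name not in base:
            findings.append(("added_to_netsvcs", name))
        if name not in current_dlls:
            findings.append(("no_service_registration", name))
        elif current_dlls[name].lower() not in known_dlls:
            findings.append(("unknown_service_dll", name))
    for name in sorted(base - set(current)):
        findings.append(("removed_from_netsvcs", name))
    return findings


def host_is_clean(findings):
    """True when the review produced no findings at all."""
    return not findings


if __name__ == "__main__":
    for finding, name in netsvcs_findings(BASELINE_NETSVCS, CURRENT_NETSVCS,
                                          BASELINE_SERVICE_DLLS, CURRENT_SERVICE_DLLS):
        print(f"{finding:24s} {name}  ({NETSVCS_VALUE})")
```

The baseline is what makes this a check rather than a guess: a service name alone tells you little, but an entry that is new relative to a clean build and loads a DLL the build never shipped is exactly the pair of facts the slide's description of the infection leaves behind.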
Operation Aurora: Google Case Study
Initial attack occurred when company executives visited a malicious site, via a clicked URL sent by email/IM or via social networking sites
Drive-by download: IE exploited via a zero-day exploit
Multiple pieces of malware downloaded onto the device, automatically and transparently

Operation Aurora: Google Case Study
Shell code 3x encrypted
Downloaded encrypted binary code in 2 encrypted .exes from an external node
Opened backdoor
Established an encrypted covert channel masquerading as an SSL connection
Beachhead into other parts of the corporate network

ICEFOG Advanced Persistent Threat
A threat actor
Emerging trend of cyber-mercenary teams of 10s to 100s available for hire to perform surgical hit-and-run ops
Going after the supply chain and compromising the target with surgical precision
Relies on spear phishing emails that attempt to trick a victim into opening a malicious attachment or visiting a malicious website
Victims were Japanese and South Korean targets
From China with love
End of Introduction

ISACA
Trust in, and value from, information systems

2015 CISM Review Course
Chapter 1: Information Security Governance

Course Agenda
Priorities for the CISM
Corporate Governance
Information Security Strategy
Information Security Program
Elements of a Security Program
Roles and Responsibilities
Evaluating a Security Program
Reporting and Compliance
Ethics
Examination Content
The CISM candidate understands:
Effective security governance framework
Building and deploying a security strategy aligned with organizational goals
Managing risk appropriately
Responsible management of program resources
The content area in this chapter will represent approximately 24% of the CISM examination (approximately 48 questions).
Chapter 1 Learning Objectives
Align the organization's information security strategy with business goals and objectives
Obtain senior management commitment
Provide support for:
Governance
Business cases to justify security
Compliance with legal and regulatory mandates
Organizational priorities and strategy
Identify drivers affecting the organization
Define roles and responsibilities
Establish metrics to report on effectiveness of the security strategy

The Priorities for the CISM Candidate in Chapter One
CISM Priorities
The CISM must understand:
Requirements for effective information security governance
Elements and actions required to:
Develop an information security strategy
Plan of action to implement it

The First Question
In your own words, please describe what information security is, and what is the purpose or value of information security in relation to the business?
Information Security
Information is indispensable to conduct business effectively today
Information must be:
Available
Have integrity of data and process
Be kept confidential as needed
Protection of information is a responsibility of the Board of Directors

Information Security
Information protection includes:
Accountability
Oversight
Prioritization
Risk management
Compliance (regulations and legislation)
Information Security Governance Overview
Information security is much more than just IT security (more than technology)
Information must be protected at all levels of the organization and in all forms
Information security is a responsibility of everyone
In all forms: paper, fax, audio, video, microfiche, networks, storage media, computer systems

Selling the Importance of Information Security
Benefits of effective information security governance include:
Improved trust in customer relationships
Protecting the organization's reputation
Better accountability for safeguarding information during critical business activities
Reduction in loss through better incident handling and disaster recovery
The First Priority for the CISM
Remember that information security is a business-driven activity.
Security is here to support the interests and needs of the organization, not just the desires of security.
Security is always a balance between cost and benefit; security and productivity.

Corporate Governance
Business Goals and Objectives
Corporate governance is the set of responsibilities and practices exercised by the board and executive management
Goals include:
Providing strategic direction
Reaching security and business objectives
Ensuring that risks are managed appropriately
Verifying that the enterprise's resources are used responsibly

Outcomes of Information Security Governance
The six basic outcomes of effective security governance:
Strategic alignment
Risk management
Value delivery
Resource management
Performance measurement
Integration
Benefits of Information Security Governance
Effective information security governance can offer many benefits to an organization, including:
Compliance and protection from litigation or penalties
Cost savings through better risk management
Avoiding the risk of lost opportunities
Better oversight of systems and business operations
Opportunity to leverage new technologies to business advantage

Performance and Governance
Governance is only possible when metrics are in place for measuring, monitoring and reporting on whether critical organizational objectives are achieved
Enterprise-wide measurements should be developed

Information Security Strategy
Developing Information Security Strategy
Information security strategy:
Long-term perspective
Standard across the organization
Aligned with business strategy / direction
Understands the culture of the organization
Reflects business priorities

Elements of a Strategy
A security strategy needs to include:
Resources needed
Constraints
A road map, including people, processes, technologies and other resources
A security architecture, defining business drivers, resource relationships and process flows
Achieving the desired state is a long-term goal of a series of projects

Objectives of Security Strategy
The objectives of an information security strategy must:
Be defined
Be supported by metrics (measurable)
Provide guidance
The Goal of Information Security
The goal of information security is to protect the organization's assets, individuals and mission
This requires:
Asset identification
Classification of data and systems according to criticality and sensitivity
Application of appropriate controls
*Information is an asset only to the degree it supports the primary purpose of the business

Defining Security Objectives
The information security strategy forms the basis for the plan(s) of action required to achieve security objectives
The long-term objectives describe the desired state
Should describe a well-articulated vision of the desired outcomes for a security program
Security strategy objectives should be stated in terms of specific goals directly aimed at supporting business activities
Business Linkages
Business linkages:
Start with understanding the specific objectives of a particular line of business
Take into consideration all information flows and processes that are critical to ensuring continued operations
Enable security to be aligned with and support business at strategic, tactical and operational levels

Business Case Development
The business case for initiating a project must be captured and communicated:
Reference
Context
Value proposition
Focus
Deliverables
Dependencies
Project metrics
Workload
Required resources
Commitments
The business case for security must address the same criteria

The Information Security Program
Question:
What steps/elements are necessary to develop an effective security program?

Security Program Priorities
Achieve high standards of corporate governance
Treat information security as a critical business issue
Create a security-positive environment
Have declared responsibilities

Security versus Business
Security must be aligned with business needs and direction
Security is woven into the business functions
Provides:
Strength
Resilience
Protection
Stability
Consistency
Security Program Objectives
Ensure the availability of systems and data
Allow access to the correct people in a timely manner
Protect the integrity of data and business processes
Ensure no improper modifications
Protect confidentiality of information
Unauthorized disclosure of information
Privacy, trade secrets, ...

What is Security
A structured deployment of risk-based controls related to:
People
Processes
Technology
Security Integration
Security needs to be integrated INTO the business processes
The goal is to reduce security gaps through organization-wide security programs
Integrate IT with:
Physical security
Risk management
Privacy and compliance
Business continuity management

Security Program
Starts with theory and concepts
Policy
Interpreted through:
Procedures
Baselines
Standards
Measured through audit
Architecture
Information security architecture is similar to physical architecture:
Requirements definition
Design / modeling
Creation of detailed blueprints
Development, deployment
Architecture is planning and design to meet the needs of the stakeholders
Security architecture is one of the greatest needs for most organizations

Information Security Frameworks
Framework
Template
Structure
Measurable / auditable
Project planning and management
Strategic, tactical and operational viewpoints
Using an Information Security Framework
Effective information security is provided through adoption of a security framework
Defines information security objectives
Aligns with business objectives
Provides metrics to measure compliance and trends
Standardizes baseline security activities enterprise-wide

The Desired State of Security
The desired state of security must be defined in terms of attributes, characteristics and outcomes
It should be clear to all stakeholders what the intended security state is
The Desired State cont.
The desired state according to COBIT (Control Objectives for Information and related Technology):
Protecting the interests of those relying on information, and the processes, systems and communications that handle, store and deliver the information, from harm resulting from failures of availability, confidentiality and integrity
Focuses on IT-related processes from IT governance, management and control perspectives

The Maturity of the Security Program Using CMM
0: Nonexistent - No recognition by organization of need for security
1: Ad hoc - Risks are considered on an ad hoc basis; no formal processes
2: Repeatable but intuitive - Emerging understanding of risk and need for security
3: Defined process - Companywide risk management policy/security awareness
4: Managed and measurable - Risk assessment standard procedure, roles and responsibilities assigned, policies and standards in place
5: Optimized - Organization-wide processes implemented, monitored and managed
Using the Balanced Scorecard
The four perspectives of the balanced scorecard (diagram, arranged around Vision and Strategy):
Learning and Growth
Internal Business Processes
Financial
Customer

The ISO27001:2013 Framework
The goal of ISO27001:2013 is to:
Establish
Implement
Maintain, and
Continually improve
an information security management system
Contains: 14 clauses, 35 control objectives and 114 controls
Examples of Other Security Frameworks
SABSA (Sherwood Applied Business Security Architecture)
COBIT
COSO
Business Model for Information Security (model originated at the Institute for Critical Information Infrastructure Protection)

Examples of Other Security Frameworks
ISO standards on quality (ISO 9001:2000)
Six Sigma
Publications from NIST and ISF
US Federal Information Security Management Act (FISMA)
Constraints and Considerations for a Security Program
Constraints:
Legal - Laws and regulatory requirements
Physical - Capacity, space, environmental constraints
Ethics - Appropriate, reasonable and customary
Culture - Both inside and outside the organization
Costs - Time, money
Personnel - Resistance to change, resentment against new constraints

Constraints and Considerations for a Security Program cont.
Constraints:
Organizational structure - How decisions are made and by whom, turf protection
Resources - Capital, technology, people
Capabilities - Knowledge, training, skills, expertise
Time - Window of opportunity, mandated compliance
Risk tolerance - Threats, vulnerabilities, impacts

Elements of a Security Program
Elements of Risk and Security
The next few slides list many factors that go into a security program.

Risk Management
The basis for most security programs is risk management:
Risk identification
Risk mitigation
Ongoing risk monitoring and evaluation
The CISM must remember that risk is measured according to the potential impact on the ability of the business to meet its mission, not just on the impact on IT.
Information Security Concepts
Access
Architecture
Attacks
Auditability
Authentication
Authorization
Availability
Business dependency analysis
Business impact analysis
Confidentiality
Countermeasures
Criticality
Data classification
Exposures
Gap analysis
Governance

Information Security Concepts cont.
Identification
Impact
Integrity
Layered security
Management
Nonrepudiation
Risk / residual risk
Security metrics
Sensitivity
Standards
Strategy
Threats
Vulnerabilities
Enterprise architecture
Security domains
Trust models
Security Program Elements
Policies
Standards
Procedures
Guidelines
Controls: physical, technical, procedural
Technologies
Personnel security
Organizational structure
Skills

Security Program Elements cont.
Training
Awareness and education
Compliance enforcement
Outsourced security providers
Other organizational support and assurance providers
Facilities
Environmental security
Third Party Agreements
Ensure that security requirements are addressed in all third party agreements:
Service level agreements
Jurisdiction in case of dispute
Right to audit or obtain independent verification of compliance

Roles and Responsibilities
Roles and Responsibilities of Senior Management
Board of directors: information security governance / accountability
Executive management: implementing effective security governance and defining the strategic security objectives; budget and support
Steering committee: ensuring that all stakeholders impacted by security considerations are involved; oversight and monitoring of the security program

Senior Management Commitment
To be successful, information security must have the support of senior management:
Budget
Direction / policy
Reporting and monitoring
A bottom-up management approach to information security activities is much less likely to be successful

How can we obtain continued senior management support for the security program?
Steering Committee
Oversight of the information security program
Acts as liaison between management, business, information technology, and information security
Ensures all stakeholder interests are addressed
Oversees compliance activities

CISO (Chief Information Security Officer) Responsibilities
Responsible for information security-related activity:
Policy
Investigation
Testing
Compliance
Business Manager Responsibilities
Responsible for security enforcement and direction in their area:
Day-to-day monitoring
Reporting
Disciplinary actions
Compliance

IT Staff Responsibilities
Responsible for security design, deployment and maintenance:
System and network monitoring
Reporting
Operation of security controls
Compliance
Centralized versus Decentralized Security
Which is better?
Consistency versus flexibility
Central control versus local ownership
Procedural versus responsive
Core skills versus distributed skills
Visibility to senior management versus visibility to users and local business units

Evaluating the Security Program
Audit and Assurance of Security
Objective review of security risk, controls and compliance
Assurance regarding the effectiveness of security is a part of regular organizational reporting and monitoring

Evaluating the Security Program
Metrics are used to measure results
Measure security concepts that are important to the business
Use metrics that can be used for each reporting period
Compare results and detect trends
Effective Security Metrics
Set metrics that will indicate the health of the security program:
Incident management
Degree of alignment between security and business development
Was security consulted?
Were controls designed into the systems or added later?

Effective Security Metrics cont.
Choose metrics that can be controlled
Measure items that can be influenced or managed by local managers / security, not external factors such as the number of viruses released in the past year
Have clear reporting guidelines
Monitor on a regular scheduled basis
Key Performance Indicators (KPIs)
Thresholds to measure:
Compliance / non-compliance
Pass / fail
Satisfactory / unsatisfactory results
A KPI is set at a level that indicates action should / must be taken (alarm point)

End to End Security
Security must be enabled across the organization, not just on a system-by-system basis
Performance measures should ensure that security systems are integrated with each other
Layered defenses
Correlation Tools
The CISM may use Security Event and Incident Management (SEIM, SIM, SEM) tools to aggregate data from across the organization:
Data analysis
Trend detection
Reporting tools
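The metrics, KPI alarm-point and correlation-tool slides above describe aggregating events from across the organization, detecting trends and flagging when a KPI threshold is crossed. The following Python is an added example and not part of the courseware: it runs that pipeline over a few constructed incident records from three sources. The record format, the source names and the two alarm points (48 hours mean time to close, no incidents left open at period end) are all assumptions chosen for illustration.

```python
# Added example, not from the ISACA/Firebrand courseware: a small correlation pass
# over incident records aggregated from several sources, with per-period metrics,
# a trend check and KPI alarm points as the metrics slides describe.
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real data) as a SIEM might export them.
# Fields: ISO timestamp | source | event type | hours to close (blank = still open)
SAMPLE_EVENTS = """\
2015-01-05T09:12:00|firewall|incident|4
2015-01-14T16:40:00|endpoint|incident|30
2015-01-20T11:05:00|helpdesk|incident|6
2015-02-02T08:00:00|endpoint|incident|52
2015-02-11T13:30:00|firewall|incident|3
2015-02-18T10:15:00|helpdesk|incident|48
2015-02-25T17:45:00|endpoint|incident|69
2015-03-03T09:00:00|firewall|incident|2
2015-03-09T14:20:00|endpoint|incident|96
2015-03-16T12:10:00|helpdesk|incident|60
2015-03-23T15:55:00|endpoint|incident|80
2015-03-30T08:45:00|endpoint|incident|
"""

# KPI alarm points: assumed values for illustration, not figures from the courseware.
KPI_MAX_MEAN_HOURS_TO_CLOSE = 48.0   # action required above this mean time to close
KPI_MAX_OPEN_AT_PERIOD_END = 0       # action required if any incident is left open


def parse_events(text):
    """Turn the pipe-separated export into dicts with typed fields."""
    events = []
    for line in text.strip().splitlines():
        ts, source, kind, hours = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "source": source,
            "type": kind,
            "hours_to_close": float(hours) if hours else None,
        })
    return events


def metrics_by_period(events):
    """Aggregate events by calendar month: count, open count, mean hours to close."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev["time"].strftime("%Y-%m")].append(ev)
    metrics = {}
    for period in sorted(buckets):
        closed = [e["hours_to_close"] for e in buckets[period]
                  if e["hours_to_close"] is not None]
        metrics[period] = {
            "incidents": len(buckets[period]),
            "open": len(buckets[period]) - len(closed),
            "mean_hours_to_close": round(sum(closed) / len(closed), 1) if closed else None,
        }
    return metrics


def trend(metrics, key):
    """'rising', 'falling' or 'mixed' for one metric across consecutive periods."""
    values = [m[key] for m in metrics.values() if m[key] is not None]
    pairs = list(zip(values, values[1:]))
    if pairs and all(later > earlier for earlier, later in pairs):
        return "rising"
    if pairs and all(later < earlier for earlier, later in pairs):
        return "falling"
    return "mixed"


def kpi_alarms(metrics):
    """(period, metric) pairs where a KPI alarm point was crossed."""
    alarms = []
    for period, m in metrics.items():
        mean = m["mean_hours_to_close"]
        if mean is not None and mean > KPI_MAX_MEAN_HOURS_TO_CLOSE:
            alarms.append((period, "mean_hours_to_close"))
        if m["open"] > KPI_MAX_OPEN_AT_PERIOD_END:
            alarms.append((period, "open"))
    return alarms


if __name__ == "__main__":
    report = metrics_by_period(parse_events(SAMPLE_EVENTS))
    for period, values in report.items():
        print(period, values)
    print("trend in mean time to close:", trend(report, "mean_hours_to_close"))
    print("KPI alarms:", kpi_alarms(report))
```

Note that both metrics here are ones local management can influence (how fast incidents are closed, whether any are left open), which is the point the "Effective Security Metrics cont." slide makes: an alarm on a figure nobody in the organization can move would only generate noise.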
Reporting and Compliance

Regulations and Standards
The CISM must be aware of national laws:
Privacy
Regulations
Reporting, performance
Industry standards:
Payment Card Industry (PCI)
BASEL II
Effect of Regulations
Requirements for business operations
Potential impact of breach:
Cost
Reputation
Scheduled reporting requirements:
Frequency
Format

Reporting and Analysis
Data gathering at source
Accuracy
Identification
Reports signed by organizational officer

Ethics
Ethical Standards
Rules of behaviour:
Legal
Corporate
Industry
Personal

Ethical Responsibility
Responsibility to all stakeholders:
Customers
Suppliers
Management
Owners
Employees
Community
ISACA Code of Ethics cont.
Required for all certification holders
Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.

ISACA Code of Ethics cont.
Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
ISACA Code of Ethics cont.
Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
Support the professional education of stakeholders in enhancing their understanding of information systems security and control.
Practice Question
1. The PRIMARY purpose of a security strategy is to provide:
A. The basis for determining the security architecture for the organization.
B. The intent and direction of management.
C. Guidance for users on how to comply with security requirements.
D. Standards to measure compliance.

Practice Question
2. The BEST method of improving security compliance is:
A. To make it easier for employees to follow security rules.
B. To have comprehensive organization-wide security policies.
C. To have an active security awareness program.
D. To inform all staff about legal regulations and legislation.
Practice Question
3. The MOST important task of the CRISC regarding compliance with regulations is to:
A. Develop the policies and standards to be followed by the organization.
B. Ensure that accurate and complete data is used in reporting procedures.
C. Provide guidance to business units on the legal requirements for compliance.
D. Approve all reports prior to submission to outside agencies.

Practice Question
4. The MOST important consideration in the development of security policies is that:
A. The policies reflect the intent of senior management.
B. The policies are legal.
C. All employees agree with the policies.
D. The correct procedures are developed to support the requirements of policy.
End of Domain

ISACA
Trust in, and value from, information systems

2015 CISM Review Course
Chapter 2: Information Risk Management and Compliance
Course Agenda
Information asset classification
Identify regulatory, legal and other requirements
Identify risk, threats and vulnerabilities
Risk treatment
Evaluate security controls
Integrate risk management into business processes
Report non-compliance and other changes in risk

Exam Relevance
Ensure that the CISM candidate manages information risk to an acceptable level to meet the business and compliance requirements of the organization
The content area in this chapter will represent approximately 33% of the CISM examination (approximately 66 questions).
Chapter 2 Task Statements
Establish an information asset classification
and ownership process
Ensure risk, threat and vulnerability
assessments are conducted periodically
Evaluate security controls
Identify gaps between current and desired
state
4/17/2015
6
Chapter 2 Task Statements cont.
Integrate risk, threat and vulnerability
identification and management into the
organization
Monitor existing risk to ensure changes are
identified and managed appropriately
Report information risk management levels to
management.
Information Asset
Classification
Information Asset Classification
Need to know what information to protect
Need to know who is responsible to
protect it
Ownership
Roles and responsibilities
Roles and Responsibilities
Information protection requires clear
assignment of responsibilities
Information owner
Information System owner
Board of Directors / Chief Executive Officer
Users
Information Custodians
Third Party Suppliers
Roles and Responsibilities
Information security risk management is an
integral part of security governance
It is the responsibility of the board of directors (or the
equivalent) to ensure that these efforts are visible
Management must be involved in and sign off
on acceptable risk levels and risk
management objectives
Information Classification Considerations
Business impact and the reliance of the business on the
information and information systems
Understand business objectives
Availability of data / systems
Sensitivity of data / systems
Regulations and Legislation
Information asset protection may be required by legislation:
Privacy
Consumer data
Employee data
Financial accuracy
SOX-type laws
Asset Valuation
Information Asset valuation may be based on:
Financial considerations
Liability for lost data
Cost to create or restore data
Impact on business mission
Reputation
Customer or supplier confidence
Valuation Process
Determine ownership
Determine number of
classification levels
Develop labeling
scheme
Identify all information
types and locations
De-classify when data
no longer needs
protection
Information Protection
Ensure that data is protected consistently
across all systems
Protect data in all forms: paper, electronic,
optical, fax, etc.
Protect data at all times:
Storage
Transmission
Processing
Destruction
Information Asset Protection
Policies
Communicated
Enforced
Clean desk / clear screen
Need to know / least privilege
Procedures
Labeling
Destruction
Risk Management
Definition of Risk
Risk is a function of the likelihood of a
threat-source exercising a vulnerability and
the resulting impact of that adverse event on
the mission of the organization.
Asset
Threat
Vulnerability
Likelihood (probability)
Impact (consequence)
Why is Risk Important
Risk management is a fundamental
function of Information Security
Provides rationale and justification for
virtually all information security activities
Prioritization of Risk allows the development
of a security roadmap
Risk Management Definition
What is risk management?
The systematic application of management
policies, procedures and practices to the
tasks of:
Identifying
Analyzing
Evaluating
Treating
Monitoring,
Risk related to information and information
systems
Risk Management Objective
The objective of risk management is to
identify, quantify and manage
information security risk.
Reduce risk to an acceptable level
through the application of risk-based,
cost-effective controls.
Risk Management Overview
Risk is the probability of occurrence of an
event or transaction causing financial loss
or damage to
Organization
Staff
Assets
Reputation
Quantitative and
Qualitative Measures
Risk Management Overview
Risk management is the process of
ensuring that the impact of threats
exploiting vulnerabilities is within
acceptable limits at an acceptable cost
At a high level, this is accomplished by
Balancing risk against mitigation costs
Implementing appropriate countermeasures
and controls
Defining the Risk Environment
The most critical prerequisite to a successful risk management program is understanding the organization including:
Key business drivers
The organizations SWOT (strengths, weaknesses, opportunities and threats)
Internal and external stakeholders
Organizational structure and culture
Assets (resources, information, customers, equipment)
Goals and objectives, and the strategies already in place to achieve them
Threats to Information and Information
Systems
Threats to information and information
systems are related to:
Availability
Confidentiality
Integrity
Non-repudiation
Threat Analysis
Intentional versus Unintentional attacks
Natural
Man-made
Utility / Equipment
Threats affected by
The skill and motivation of the attacker
The existence of attack tools
Aggregate Risk
Aggregate risk must be considered
Aggregate risk is where several smaller risk factors
combine to create a larger risk
(the "perfect storm" scenario)
Cascading Risk
Cascading risks are the effect of one incident
leading to a chain of adverse events (domino
effect)
Identification of Vulnerabilities
Weaknesses in security controls
Patches not applied
Non-hardened systems
Inappropriate access levels
Unencrypted sensitive data
Software bugs or coding issues (buffer
overflow)
Physical security
The Effect of Risk
An exploit of a vulnerability by a threat may
lead to an exposure.
An exposure is measured by the impact it has
on the organization or the ability of the
organization to meet its mission.
Impact
Examples of direct and indirect financial losses:
Direct loss of money (cash or credit)
Criminal or civil liability
Loss of reputation/goodwill/image
Reduction of share value
Conflicts of interest for staff, customers or
shareholders
Impact cont.
Examples of direct and indirect financial losses:
Breach of confidence/privacy
Loss of business opportunity/competition
Loss of market share
Reduction in operational efficiency/performance
Interruption of business activity
Noncompliance with laws and regulations resulting in
penalties
Risk Management Process
(Cycle: each stage feeds the next, and evaluation feeds back into identification)
Risk Identification (Assessment and Analysis)
→ Risk Treatment (Control Selection)
→ Evaluation and Assessment
→ back to Risk Identification
Risk Assessment Methodology
Quantitative
Determine the impact of a single event
Single Loss Expectancy
SLE = Asset Value x Exposure Factor
Calculate frequency of events
Annualized rate of occurrence (ARO)
ARO = Incidents per year
Annualized Loss Expectancy (ALE)
ALE is the calculated cost of a risk per year
for a single type of event
ALE = SLE x ARO
Used to justify expense of implementing
controls to reduce risk levels
Cost of controls should not be greater than
benefit realized by implementing the control
Qualitative Risk Assessment
Determine risk levels through scenario-based
analysis
Rank risk levels according to frequency and
impact (Low (1), Moderate (2), High (3))
Likelihood \ Impact   Low   Moderate   High
High                   3       6        9
Moderate               2       4        6
Low                    1       2        3
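The SLE / ARO / ALE formulas and the 3x3 likelihood-by-impact matrix on the slides above, carried through in code. This is an added example, not code from the courseware: the asset values, exposure factors, occurrence rates and the control cost are constructed figures, and the control_net_benefit calculation (ALE before, minus ALE after, minus the annualized cost of the control) is the cost-benefit rule the ALE slide states.

```python
"""Risk assessment arithmetic from the slides (added example, not courseware code).

Quantitative:  SLE = asset value x exposure factor,  ALE = SLE x ARO
Qualitative:   score = likelihood rating x impact rating (Low 1, Moderate 2, High 3)
A control is justified when the ALE it removes exceeds its annualized cost.
All figures below are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import List

RATING = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # value of the asset at stake
    exposure_factor: float  # fraction of that value lost in one event (0..1)
    aro: float              # annualized rate of occurrence (events per year)


def sle(risk: Risk) -> float:
    """Single loss expectancy: cost of one occurrence of the event."""
    if not 0.0 <= risk.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return risk.asset_value * risk.exposure_factor


def ale(risk: Risk) -> float:
    """Annualized loss expectancy: expected yearly cost of this one risk."""
    return sle(risk) * risk.aro


def qualitative_score(likelihood: str, impact: str) -> int:
    """Cell of the 3x3 likelihood x impact matrix (1..9)."""
    return RATING[likelihood.lower()] * RATING[impact.lower()]


def control_net_benefit(risk: Risk, aro_after: float, ef_after: float,
                        annual_control_cost: float) -> float:
    """ALE reduction delivered by a control minus the control's annualized
    life-cycle cost. Negative means the control costs more than it saves."""
    mitigated = replace(risk, aro=aro_after, exposure_factor=ef_after)
    return (ale(risk) - ale(mitigated)) - annual_control_cost


def rank_by_ale(risks: List[Risk]) -> List[Risk]:
    """Highest ALE first: the ordering a security roadmap starts from."""
    return sorted(risks, key=ale, reverse=True)


# Constructed scenario: two risks and one candidate control.
LAPTOP_THEFT = Risk("unencrypted laptop theft", asset_value=200_000,
                    exposure_factor=0.5, aro=2.0)
WEB_DEFACEMENT = Risk("web site defacement", asset_value=50_000,
                      exposure_factor=0.2, aro=4.0)
FDE_ANNUAL_COST = 30_000  # full-disk encryption: licences + support per year


def fde_net_benefit() -> float:
    """Encryption leaves the theft rate unchanged but cuts the exposure
    factor to 5% (the hardware, not the data, is what is lost)."""
    return control_net_benefit(LAPTOP_THEFT, aro_after=2.0, ef_after=0.05,
                               annual_control_cost=FDE_ANNUAL_COST)


if __name__ == "__main__":
    for r in rank_by_ale([LAPTOP_THEFT, WEB_DEFACEMENT]):
        print(f"{r.name:28s} SLE={sle(r):>10,.0f}  ALE={ale(r):>10,.0f}")
    print(f"FDE net annual benefit: {fde_net_benefit():,.0f}")
    print("qualitative High/Moderate ->", qualitative_score("High", "Moderate"))
```

With the constructed figures the laptop risk has an ALE of 200,000 and the defacement risk 40,000, so the laptop risk ranks first; full-disk encryption removes 180,000 of annual expected loss for 30,000 a year, a net benefit of 150,000, which is the justification the ALE slide asks for.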
Data Gathering Techniques
Surveys / Questionnaires
Observation
Workshops
Delphi techniques
Results of Risk Assessment
Documentation of risk levels
Risk register
Determination of threat and vulnerability
levels
Forecast of impact and frequency of events
Recommendations for risk mitigation
Controls, safeguards, countermeasures
Alignment of Risk Assessment and BIA
Risk Assessment measures Impact and
Likelihood
Business Impact Analysis measures Impact
over Time
Related disciplines but not the same
BIA must be done periodically to determine
how risk and impact levels increase over time
Set priorities for critical business functions
Risk Treatment
Risk Treatment
Risk Treatment takes the recommendations
from the risk assessment process and selects
the best choice for managing risk at an
acceptable level
Residual Risk
Risk Acceptance
Cost / Benefit
Priorities
Balance between security and business
Risk Treatment
Risk Treatment Options
Reduction / mitigation: implement changes that
enhance managerial, technical, physical
and operational controls
Acceptance
Transference
Avoidance
Risk Mitigation and Controls
Controls (safeguards / countermeasures) are
implemented in order to reduce a specified
risk
Existing controls and countermeasures can
be evaluated
New controls and countermeasures can be
designed
Control Recommendations
Factors to be considered when recommending
new or enhanced controls are:
Cost-benefit analysis
Anticipated effectiveness
Compatibility with other controls, systems, and
processes
Legislation and regulation
Organizational policy, standards, and culture
Impact of control on business processes
Control reliability
Cost Benefit Analysis of Controls
Cost-benefit analysis must consider the cost of
the control throughout the full life cycle of the
control or countermeasure including:
Acquisition / purchase costs
Deployment and implementation costs
Recurring maintenance costs
Testing and assessment costs
Cost Benefit Analysis of Controls cont.
Cost benefit analysis includes costs of:
Compliance monitoring and enforcement
Inconvenience to users
Reduced throughput of controlled processes
Training in new procedures or technologies as
applicable
End of life decommissioning
Risk Mitigation Schematic
(Diagram; the relationships it shows are:)
Owners value assets and wish to minimize the risk to them
Owners impose countermeasures to reduce risk
Threat agents give rise to threats that increase risk to assets
Threat agents wish to abuse and/or may damage assets
Control Types and Categories
Controls may be:
Managerial
Technical
Physical
Control Types and Categories cont.
Controls may be:
Directive
Deterrent
Preventative
Detective
Recovery
Corrective
Compensating
Security Control Baselines
Creating baselines of controls can assist in developing a consistent security infrastructure
Principles for developing baselines include:
Assess the level of security that is appropriate for the organization
Mandate a configuration for all systems and components attached to the organization's network
Ongoing Risk Assessment and Building Risk
Management into the Organization
Ongoing Risk Assessment
Monitor controls to ensure that they are
working effectively
Implemented as designed
Operating properly
Producing the desired outcome (mitigating
the risk they were installed to address)
Measuring Control Effectiveness
Determine metrics to measure control
effectiveness
Do regular monitoring and reporting
Aggregate data from several control points
Security information and event management (SIEM)
Measure control effectiveness in comparison
to business goals and objectives
Building Risk Management In (Agenda)
Risk Management should be built in to
business processes
Change control
Systems development life cycle (SDLC)
Ongoing monitoring and analysis
Audit
Business process re-engineering
Project management
Employment
Procurement
Risk Related to Change Control
Uncontrolled / Unauthorized changes
Changes implemented incorrectly
Backup
Rollback
Changes that bypass / overwrite controls
Interruption to service
Controlling Risk in Change Control
Oversight / Steering Committee
Formal Change control process
Documentation of changes
Approvals
Testing
Review of all proposed / implemented
changes for impact on security controls
Risk Management During SDLC
Integrate risk management throughout the
SDLC
Review risk levels as system is designed,
developed, tested and implemented
Test the implemented security controls
Ensure the ability to log and monitor events
is built into all systems
Review all new systems for correct operation
of controls and associated risk levels
Ongoing Risk Management Monitoring
and Analysis
Do risk assessment annually
More frequently in event of:
Organizational changes
Regulation
Incidents
Monitor controls frequently and report to
management
Standardized reporting (format)
Trend analysis
Audit and Risk Management
Audit validates that risk is being managed
correctly
Compared with culture of organization
Policy
Regulation
Best practices
Audit and Risk Management cont.
Validate that risk is within acceptable levels
Risk appetite
Threat and vulnerability analysis was done
correctly
Controls are working correctly
Mitigating risk effectively
Validate compliance with controls
Reporting and recommendations
Risk in Business Process Re-Engineering
Review all major systems and business
process changes for impact on risk levels
Ensure that ability to monitor controls is built
into business processes
Enable reporting and compliance
Regular reporting to management on status of
changes
Ensure that changes do not bypass controls
Separation of duties, least privilege
Risk in Project Management
Risk of Scope Creep
Risk of project overrun
Budget
Time
Failure to deliver expected results
Vendor compliance with requirements
Risk During Employment Process
Hiring Procedures
Correct skills and experience
Background checks
Criminal
Financial
References from former employers /
associates
New Employee Initiation
Require signing of
Non-disclosure agreements (NDA)
Non-compete agreements
Ethics statement
Review security policy
Awareness training
Risk During Employment
Access creep: accumulating more and more access as roles change
Violation of least privilege / need to know
Enforce compliance with controls
Regular awareness sessions
Risk at Termination of Employment
Need to remove all access
Recover all organizational assets
ID cards
Laptops
Remote access tokens
BlackBerry / cellphone
Documents
Review NDAs
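The two employment-life-cycle checks the slides call for, "access creep" during employment and "remove all access" at termination, as one periodic access review run over data. This is an added example, not courseware code: the role baselines, the HR roster and the entitlement export are constructed, and an account with no HR record at all is treated like a leaver, since nobody is accountable for it.

```python
"""Periodic access review (added example, not courseware code).

Two of the employment-life-cycle risks on the slides, checked from data:
  * access creep: a user holds entitlements beyond the baseline for their role
  * termination:  a leaver (or an account with no HR record) still holds access
Role baselines, the roster and the entitlement export are all assumed/constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed least-privilege baselines: what each role needs and nothing more.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "accounts_payable": {"erp_ap_entry", "email", "vpn"},
    "developer": {"git_push", "jira", "email", "vpn"},
    "helpdesk": {"ad_password_reset", "ticketing", "email"},
}


@dataclass(frozen=True)
class Person:
    user: str
    role: str
    status: str  # "active" or "terminated" (from HR)


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str      # "access_creep" or "leaver_access"
    revoke: tuple  # entitlements that must be removed


def review_access(roster: List[Person],
                  entitlements: Dict[str, Set[str]]) -> List[Finding]:
    """Compare what each account actually holds against HR status and the
    role baseline. Unknown accounts are treated like leavers: nobody is
    accountable for them, so everything they hold is flagged."""
    by_user = {p.user: p for p in roster}
    findings: List[Finding] = []
    for user, held in sorted(entitlements.items()):
        person = by_user.get(user)
        if person is None or person.status == "terminated":
            findings.append(Finding(user, "leaver_access", tuple(sorted(held))))
            continue
        excess = held - ROLE_BASELINE.get(person.role, set())
        if excess:  # access accumulated beyond the role: creep
            findings.append(Finding(user, "access_creep", tuple(sorted(excess))))
    return findings


def revocation_list(findings: List[Finding]) -> Dict[str, List[str]]:
    """Flatten findings into user -> entitlements to remove (a work order)."""
    return {f.user: list(f.revoke) for f in findings}


# Constructed sample: bob moved from helpdesk to developer and kept a helpdesk
# right; carol has left; dave has access but no HR record at all.
SAMPLE_ROSTER = [
    Person("alice", "accounts_payable", "active"),
    Person("bob", "developer", "active"),
    Person("carol", "helpdesk", "terminated"),
]
SAMPLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "alice": {"erp_ap_entry", "email", "vpn"},
    "bob": {"git_push", "jira", "email", "vpn", "ad_password_reset"},
    "carol": {"ticketing", "email"},
    "dave": {"vpn"},
}

if __name__ == "__main__":
    for f in review_access(SAMPLE_ROSTER, SAMPLE_ENTITLEMENTS):
        print(f"{f.user:6s} {f.kind:14s} revoke: {', '.join(f.revoke)}")
```

The review only works if HR status is the source of truth that the entitlement data is compared against; a termination that HR never records leaves carol's access invisible to this check, which is why the termination slide ties access removal to the HR process rather than to the security team noticing.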
Risks During Procurement
Need to purchase the right equipment at
the right price
Improper buying practices
Influence
Kickbacks
Piracy / imitations
Inappropriate relations / selection of
vendors
Risk During Procurement cont.
Equipment not delivered according to
specifications /contract terms
Equipment not configured / installed properly
Vendor not providing contracted maintenance
according to maintenance agreements
Maintain correct patch levels
Reporting to Management
Regular reporting
Standard format
Scheduled basis
Consistent metrics to allow comparison of
results over time
Reporting on an exceptional basis
Following an event
Documentation
Typical risk management documentation
includes:
A risk register
An inventory of information assets
Threat and vulnerability analysis
Control effectiveness report
Initial risk rating
Risk report - consequences and likelihood of
compromise
A risk mitigation and action plan
Training and Awareness
The most effective control to mitigate risk is
training of all personnel
Awareness
Training
Education
Educate on policies, standards, practices
Creates accountability
Training and Awareness
End users should receive training on
The importance of adhering to information
security policies, standards, and procedures
Clean desk policy
Responding to incidents and emergencies
Privacy and confidentiality requirements
The security implications of logical access in
an IT environment
Training for End Users
Practical training topics
Clean desk policy
Responding to incidents and emergencies
Privacy and confidentiality requirements
Handling sensitive data and intellectual
property
The security requirements for access to IT
systems
Practice Question
The PRIMARY purpose of a risk management
program is
a) To eliminate risk
b) To reduce all risks to a minimal level of impact
c) To satisfy regulatory requirements
d) To ensure risk levels are acceptable to senior
management
Practice Question 2
The formula SLE x ARO relates to
a) Annualized Loss Expectancy (ALE)
b) Risk acceptance levels
c) The frequency of attacks
d) Calculation of the impact of a threat
2015 CISM Review Course
Chapter 3
Information Security
Program Development and
Management
Course Flow
Chapter One: Information Security Governance
Chapter Two: Information Risk Management
Chapter Three: Develop and Manage a Security Program
Chapter Four: Information Security Incident Management
(Diagram: the arrows between the chapters are labelled "influenced by",
"enforced by", "directs changes to" and "directs development of")
Course Agenda
Learning objectives
Security Program Development
Objectives
Role of the Information Security
Manager
Information Security Program
Development
Elements of a Security Program
Information Security Concepts
Technology and Tools, Security Models
Integrating Security into the Business
Exam Relevance
Ensure that the CISM candidate understands how to manage the information
security program in alignment with the information security strategy.
The content area in this chapter will represent approximately 25% of
the CISM examination (approximately 50 questions).
Chapter 3 Learning Objectives
Develop and maintain plans to implement an
information security program that is aligned
with the information security strategy
Ensure alignment between the information
security program and other business functions
Identify internal and external resources
required to execute the information security
program
Ensure the development of information
security architectures
Learning Objectives cont.
Ensure the development, communication,
and maintenance of standards, procedures
and other documentation that support
information security policies
Design and develop a program for
information security awareness, training
and education
Integrate information security
requirements into contracts and third
party agreements
Definition
Information security program management
includes:
Directing
Overseeing
Monitoring
Information-security-related activities in support
of organizational objectives.
Security Strategy and Program Relationship
The security strategy is the long term plan
of creating a security structure that will
support the business goals of the
organization
The security program outlines the steps
necessary to implement the security
strategy
The security program should be defined in
business terms
Information Security Management
Information Security management is primarily
concerned with
Ongoing, day-to-day operations of a security
department
Budget for security
Planning
Business case development for security
projects
Staff development and training
Importance of Security Management
Achieving adequate levels of information security means:
Implementing cost effective security solutions
Supporting business operations
Strategic planning and alignment between security and the business
Compliance and reporting
Definition
Information security program development
is the integrated set of:
Activities
Projects
Initiatives
to implement the information security
strategy
Effective Security Management
Effective security management must demonstrate value to the organization
Compliance with policies and procedures
Cost effective
Improved audit results
Business process assurance
Reasons for Security Program Failure
Poorly understood requirements
Lack of understanding about what is important and why
Lack of funding or resources
Lack of will to make security a priority
Too much technical focus
Security Program Development Objectives
Program Objectives
Implement the objectives of the security
strategy
Managerial controls
Technical controls
Physical controls
Security Program Development
The elements essential to ensure successful
security program design and
implementation:
A well defined and clear information
security strategy
Cooperation and support from
management and stakeholders
Effective metrics to measure program
effectiveness
Security Program Development cont.
A well-executed security program will :
Support governance of information security
Convert security initiatives into a practical
real-world implementations
Provide proof that security implementations
are meeting business and security needs
Be flexible enough to adapt to changes in
security / business requirements
Outcomes of Information Security
Program Development
As seen in Chapter One, objectives for information security governance include:
Strategic alignment
Risk management
Value delivery
Resource management
Assurance process integration
Performance measurement
Governance of the Security Program
Acceptance and support for the
strategy and the objectives of the
security program is the responsibility of
executive management
Everyone is responsible for compliance
with security requirements
Role of the Information Security Manager
Role of the Information Security
Manager (Agenda)
Strategy
Policy
Awareness
Implementation
Monitoring
Compliance
Prevention / Detection
Correction
Strategy
The first step to development of an
information security program (as seen in
chapter one) is to align the security strategy
with the objectives of the business
Governance
Resources
Reporting
Compliance
Regulations
Policy
Policy provides:
Authority
Direction
Requires:
Background
Scope
Applicability
Creating Effective Policy
Ownership
Up to date
Exceptions
Enforceable / legal
Non-technical
Reflects culture and mission of the
organization
Awareness
People are the most important element of a
security program, therefore they must:
Understand their roles
Be capable of performing their roles
Be provided adequate training
Be accountable for results
Implementation
Converts strategy to practical tools and
techniques
Controls
Safeguards
Countermeasures
Monitoring
Review of security controls,
countermeasures, safeguards
Continuous or periodic testing
Frequency is dependent on
Laws
Business changes
Culture
Compliance
Compliance ensures that business processes
and security measures meet the requirements
of corporate policy, local regulations,
industry-based standards, and best practices.
Compliance requires proof (not just theory)
Testing, logging
Reporting
Information Security Program
Development
Developing an Information Security Road
Map
The CISM must consider the security program from the perspective of:
Data
Applications
Systems
Facilities
Processes
Defining Security Program Objectives
Whether or not there is an existing information
security program, there are some basic
program components:
Understanding management's security
objectives
Develop key goal indicators (KGIs) that
reflect and measure business priorities
Ways to measure whether the program is
heading in the right direction
Inventory of Information Systems
Document all aspects of the information systems including:
System categorization
System description including system boundaries
Network diagram and data flows
Software and hardware inventory
Users and system owners
Business risk assessment
System risk assessment
Contingency plan
System security plan
Challenges in Developing an Information
Security Program
The process of setting a program in place and
measuring its results requires a great deal of
cooperation among everyone in the
organization who handles data
Information security program development is
not usually hampered by technology choices
available, but rather by people, process and
policy issues that conflict with program
objectives and see security as a hindrance to
business operations
Challenges in Developing an Information
Security Program cont.
The challenges faced by the CISM while
developing a security program may include:
Organizational resistance due to:
Changes in areas of responsibility
A perception that increased security will
impact productivity and access
Unfair monitoring / restrictions
Lack of adequate budget, personnel, skills
or support
Unanticipated problems with existing
controls, systems or ongoing projects
Elements of a Security Program Road Map
A vital element of the information security program is a roles and responsibilities matrix (RACI - Responsible, Accountable, Consulted, Informed). Example:

                      CEO   CISO   CIO   VP HR
Policy Development     I     R      A     C
Business Continuity    I     C      R     I
Incident Management    I     A      R     C
Elements of a Security Program Road Map
An understanding of the general risk appetite of an organization and a review to discover any gaps or determine whether the information security program is operating at acceptable levels
(Chart: potential loss due to equipment failure on a scale of 0 to 75,000, showing the current risk level against the acceptable risk level)
Elements of a Security Program Road
Map
Ability to link the security program with business objectives and demonstrate justification for the evolution from a security concept towards a security architecture and finally into the selection and implementation of security tools and technologies
Security Context → Security Concept → Logical Architecture → Physical Architecture → Component
Security Programs and Projects
The overall security program will almost
always consist of a series of individual
projects designed to meet security objectives
Security Program, made up of projects such as:
Firewall implementation project
Policy creation project
Awareness sessions
Security Program and Project Development
A gap analysis will identify a series of projects
required to implement the information security
program
Each project should have time, budget,
milestones, deliverables, and measurable
results
Each project should be clearly defined and
integrate with other projects and
departments
HR, Finance, Physical security
Security Program and Project Development
cont.
Security projects should be prioritized so that:
Most important projects are given priority
Projects do not overlap or cause a delay for
other projects
Resources are appropriately allocated
Results are documented and reported to
management
Security Project Planning
Determine project needs
Oversight / timelines
Equipment
Personnel (skills)
Outsourcing or contract staff
Infrastructure
Networks, databases, facilities, etc.
Selection of Controls
Controls are
Technical
Managerial
Physical
Tools designed to provide reasonable
assurance that:
Business objectives will be achieved
Undesirable events will be prevented or
detected and corrected
Common Control Practices
Common control practices include:
Logical Access control
Principle of least privilege / need to know
Compartmentalization to minimize damage
Domains
Segregation of duties
Transparency
Elements of a Security Program
Security Program Elements (Agenda)
Policies
Standards
Procedures
Guidelines
Technologies
Personnel security
Organizational
structure
Outsourced security
providers
Facilities
Environmental
security
Policies
Provide authority and direction for security
program from management
High level versus functional policies
Are interpreted by standards,
procedures, baselines
What are the characteristics of effective
policies? What makes a policy effective?
Acceptable Use Policy
An acceptable use policy
Should provide a user-friendly summary of
what should and should not be done to
comply with policy
Must detail in everyday terms the
obligations of all users
Must be communicated to all users
Must be read and understood by all users
Should be provided to new personnel
Acceptable Use Policy cont.
Rules of use for all personnel include the
policies and standards for
Access control
Classification of data
Marking and handling of documents
Reporting requirements and disclosure
constraints
Rules regarding email and Internet use
Standards
Standards ensure that systems are
configured and operated in a similar manner
Compliance with standards should be
automated
Ensure that system configurations do not
(intentionally or unintentionally) deviate
from policy compliance
Standards are used to implement policy
Deviations from a standard must have formal
approval
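The "Security Control Baselines" slide in Chapter 2 and the "Standards" slide above both say that a mandated configuration should be checked automatically and that deviations need formal approval. This added example (not courseware code) does that for one host: the standard is a handful of OpenSSH sshd_config directives assumed here for illustration, the configuration text is constructed, and approved exceptions are recorded per host and per value so that an approval for one deviation does not silently cover a different one.

```python
"""Automated check of a host configuration against a security standard
(added example, not courseware code).

The "standard" is a handful of OpenSSH sshd_config settings assumed here
for illustration; a real one comes from the organization's hardening
standard. Deviations are reported unless they carry a formal, per-host,
per-value approval, which is what the slide requires.
"""
from typing import Dict, List, Set, Tuple

# Assumed standard: directive -> required value (case-insensitive compare).
SSH_STANDARD: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Formally approved deviations: (host, directive, approved value).
APPROVED_EXCEPTIONS: Set[Tuple[str, str, str]] = {
    ("jumpbox01", "MaxAuthTries", "6"),
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective directives. sshd honours the FIRST occurrence of a directive,
    so a later duplicate must not override it; comments and blanks are skipped."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        effective.setdefault(parts[0], parts[1].strip())
    return effective


def check_compliance(host: str, config_text: str,
                     standard: Dict[str, str] = SSH_STANDARD) -> List[str]:
    """Deviations from the standard for one host. A directive missing from the
    file is a deviation too: the daemon default may not match the standard."""
    effective = parse_sshd_config(config_text)
    deviations: List[str] = []
    for directive, required in standard.items():
        actual = effective.get(directive)
        if actual is not None and actual.lower() == required.lower():
            continue
        if (host, directive, actual or "") in APPROVED_EXCEPTIONS:
            continue  # deviates, but with formal approval for this value
        shown = actual if actual is not None else "unset"
        deviations.append(f"{directive}: expected {required}, found {shown}")
    return deviations


# Constructed sshd_config as it might be pulled from a host.
SAMPLE_CONFIG = """\
# constructed sshd_config
Port 22
PermitRootLogin no
PasswordAuthentication yes
PermitRootLogin yes    # ignored by sshd: first occurrence wins
MaxAuthTries 6
X11Forwarding no
"""

if __name__ == "__main__":
    for host in ("jumpbox01", "web01"):
        devs = check_compliance(host, SAMPLE_CONFIG)
        print(f"{host}: {'compliant' if not devs else str(len(devs)) + ' deviation(s)'}")
        for d in devs:
            print("  -", d)
```

Run against the same file, jumpbox01 reports two deviations (password authentication enabled, PermitEmptyPasswords not set) while web01 reports three, because only jumpbox01 holds an approval for MaxAuthTries 6. The parser keeps the first PermitRootLogin line, which is how sshd itself reads the file; a checker that took the last occurrence would pass a file the daemon actually treats as compliant and fail one it does not.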
Procedures
Procedures provide a defined, step by step
method of completing a task
e.g., new user registration / user ID
creation; incident management
Allow actual activity to be reviewed for
compliance with the required procedures
Helps ensure consistency of operations
Guidelines
Provide recommendations for better security
practices:
Password creation, use of social media
Are only recommendations, not mandatory
Technology
One of the most important elements of a
security program
Without the right tools, an effective
security program is not feasible
Many tools available
Personnel Security
Protect staff from being harmed
Duress alarms, cameras
Having the right people:
Skills / Education required
Awareness
Management and oversight
Disciplinary action when required
Separation of duties
Training and Skills Matrix
Determine level of training needed by staff
according to job responsibilities
Develop training matrix
Perform gap analysis
            Manager     Administrator   User
Level III   CISM        CCSP            SEC+
Level II    SEC+        GSEC            Awareness
Level I     Awareness   SEC+            Awareness
Organizational Structure
Who should security report to
Normal reporting
Incident reports
Adequate:
Budget
Authority
Scope
Outsourced Security Providers
Outsourcing security and monitoring may
have many benefits
Provide necessary expertise
Monitor all corporate systems
Correlate activity from several systems
Centralized reporting
Third-party Service Providers
When using a third party:
Ensure data are stored and secured adequately in the service provider environment
Define data destruction and data sanitization processes
Create channels of communication and liaison with outsourced firm
Maintain accountability in the service provider organization for policy enforcement
Remember that primary liability for data protection remains with the organization, not with the outsourced firm
Facilities
Secure operational areas
Server rooms
Equipment rooms
Administrator, developer, and operator
work areas
Consider factors such as:
Age of building (fire codes)
Shared facility with other companies
Facilities Security
Physical controls may include:
Smart cards or access controls based on biometrics
Security cameras
Security guards
Fences
Lighting
Locks
Sensors
Environmental Security
Heating, ventilation and humidity controls
Reliable power supplies
Information Security Concepts
Information Security Concepts (Agenda)
Topics already covered:
Confidentiality
Integrity
Availability
Countermeasures
Controls
Governance
Layered Defense
Risk Management
Threats
Vulnerabilities
Attacks
Exposure
Architecture
Business impact analysis (BIA)
Data classification
Information Security Concepts (Agenda)
Access Control
Identification
Authentication
Authorization
Accounting / Auditability
Criticality
Sensitivity
Trust Models
Access Control
Controlling who and what has access to the facilities, systems, people and data of the organization
Ensuring the right people have the right level of access
Preventing inappropriate use, modification or destruction of organizational resources
Tracking all activity to the responsible entity
Identification
Access control starts with knowing who or what is accessing our systems, data, facilities or other resources.
Unique (traceable to the correct person/process)
Removed when no longer required
e.g., user IDs, customer account numbers, fingerprints
Authentication
Validating the claimed identity: is the person requesting access really who they say they are?
Knowledge (password)
Ownership (Token, smartcard, badge)
Characteristic (biometrics)
Authorization
Granting the authenticated user the correct level of permissions needed
Read
Write
Execute
Create
Delete
Accounting / Auditability
Logging, monitoring and tracking of activity
Ability to associate activity with a specific user
Audit log:
Protection
Review
Analysis
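The four access-control slides above (identification, authentication, authorization, accounting) describe one chain of steps. The following added example, written for this edit and not taken from the ISACA courseware, runs that chain end to end in Python: unique identifiers that are removed when no longer required, a knowledge factor (password) and an ownership factor (a token-derived one-time code) checked together, explicit read/write/execute/create/delete grants, and an audit log in which every decision is tied to the requesting user and protected by an HMAC chain so that edited or deleted entries are detected on review. All account names, secrets, resource names and the simplified one-time-code scheme are constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PERMISSIONS = {"read", "write", "execute", "create", "delete"}

@dataclass
class Account:            # Identification: one unique ID per person or process
    user_id: str          # traceable to exactly one principal
    salt: bytes
    pw_hash: bytes        # knowledge factor (password), never stored in clear
    token_secret: bytes   # ownership factor (seed held by a token the user carries)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Directory:
    def __init__(self): self.accounts = {}

    def create(self, user_id, password, token_secret):
        if user_id in self.accounts:
            raise ValueError("identifiers must be unique")
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, hash_password(password, salt), token_secret)

    def remove(self, user_id):          # ID removed when no longer required
        del self.accounts[user_id]

def token_code(secret: bytes, counter: int) -> str:
    # Simplified HMAC-based one-time code, constructed for illustration (not full HOTP)
    digest = hmac.new(secret, counter.to_bytes(8, "big"), "sha256").digest()
    return str(int.from_bytes(digest[:4], "big") % 1_000_000).zfill(6)

def authenticate(directory, user_id, password, code, counter) -> bool:
    # Authentication: a knowledge factor and an ownership factor must both check out
    acct = directory.accounts.get(user_id)
    if acct is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
    tok_ok = hmac.compare_digest(token_code(acct.token_secret, counter), code)
    return pw_ok and tok_ok

class AccessControlList:   # Authorization: explicit grants per user and resource
    def __init__(self): self.grants = {}   # (user_id, resource) -> set of permissions

    def grant(self, user_id, resource, *perms):
        if set(perms) - PERMISSIONS:
            raise ValueError("unknown permission")
        self.grants.setdefault((user_id, resource), set()).update(perms)

    def allows(self, user_id, resource, perm) -> bool:
        return perm in self.grants.get((user_id, resource), set())

class AuditLog:   # Accounting: every decision logged against the user, entries HMAC-chained
    def __init__(self, key: bytes):
        self.key, self.entries, self.prev = key, [], b"\x00" * 32

    def _mac(self, prev, user_id, resource, action, outcome):
        msg = f"{user_id}|{resource}|{action}|{outcome}".encode()
        return hmac.new(self.key, prev + msg, "sha256").digest()

    def record(self, user_id, resource, action, outcome):
        mac = self._mac(self.prev, user_id, resource, action, outcome)
        self.entries.append((user_id, resource, action, outcome, mac))
        self.prev = mac

    def verify(self) -> bool:   # protection: an edited or dropped entry breaks the chain
        prev = b"\x00" * 32
        for user_id, resource, action, outcome, mac in self.entries:
            if not hmac.compare_digest(self._mac(prev, user_id, resource, action, outcome), mac):
                return False
            prev = mac
        return True

    def activity_for(self, user_id):   # review: all activity tied to one specific user
        return [(r, a, o) for u, r, a, o, _ in self.entries if u == user_id]

def request_access(directory, acl, log, user_id, password, code, counter, resource, action) -> bool:
    # The four steps run in order, and every outcome is recorded before returning
    if not authenticate(directory, user_id, password, code, counter):
        log.record(user_id, resource, action, "denied:authentication")
        return False
    if not acl.allows(user_id, resource, action):
        log.record(user_id, resource, action, "denied:authorization")
        return False
    log.record(user_id, resource, action, "allowed")
    return True

def demo():
    # Constructed scenario: returns the four decisions and the audit log
    directory, acl, log = Directory(), AccessControlList(), AuditLog(key=b"constructed-log-key")
    seed, pw = b"constructed-token-seed", "correct horse battery"
    directory.create("alice", pw, seed)
    acl.grant("alice", "payroll.db", "read")
    decisions = [request_access(directory, acl, log, "alice", p, token_code(seed, c), c, "payroll.db", a)
                 for p, c, a in [(pw, 1, "read"), (pw, 2, "delete"), ("wrong password", 3, "read")]]
    directory.remove("alice")   # leaver: the same credentials must now fail
    decisions.append(request_access(directory, acl, log, "alice", pw, token_code(seed, 4), 4, "payroll.db", "read"))
    return decisions, log
```

Running demo() gives the decisions [True, False, False, False]: the granted read succeeds, the ungranted delete is refused at authorization, the wrong password is refused at authentication, and after the identifier is removed even the correct credentials fail. Every one of those outcomes is in the log under the user's ID, and verify() returns False the moment any entry is altered or removed, which is what the "protection" bullet of the audit-log slide is asking for.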
Criticality
How much is the ability of the organization to deliver its products and services dependent on:
Information
Information systems
What would the extent of the impact be on the business (quantitatively and qualitatively) if they were not available?
This is a measure of the criticality of the resource
Sensitivity
How much is the organization dependent on the accuracy or confidentiality requirements for:
Information
Information systems
This is a measure of the sensitivity of the resource
Trust Models
Multi-level security
Users have different levels of trust (access)
Domains of trust
Departmentalization/compartmentalization
Security perimeters
Trusted links between systems
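The trust-model slide lists multi-level security and compartmentalization without showing how a system decides whether one level of trust may touch another. The following added example (not part of the courseware) implements the usual Bell-LaPadula style check in Python: a label carries a trust level and a set of compartments (departments or projects); a subject may read an object only when its clearance dominates the object's classification (no read up), and may write only to an object whose label dominates its own (no write down). The level names and compartment names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed ordering of trust levels, lowest to highest
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

@dataclass(frozen=True)
class Label:
    level: str                              # clearance of a user or classification of data
    compartments: frozenset = frozenset()   # departments/projects that add a need-to-know test

def dominates(a: Label, b: Label) -> bool:
    # a dominates b when its level is at least b's and it holds every compartment b carries
    return LEVELS[a.level] >= LEVELS[b.level] and b.compartments <= a.compartments

def can_read(subject: Label, obj: Label) -> bool:
    # "No read up": the subject's clearance must dominate the object's classification
    return dominates(subject, obj)

def can_write(subject: Label, obj: Label) -> bool:
    # "No write down": data may only flow to an object whose label dominates the subject's
    return dominates(obj, subject)

def check(subject: Label, obj: Label, op: str) -> bool:
    # Single entry point a reference monitor would call for each access request
    return {"read": can_read, "write": can_write}[op](subject, obj)
```

A "secret" user with the finance compartment can read confidential finance data, but a "secret" user without the HR compartment cannot read even "internal" HR data: level alone is not enough once compartments are in play. The write rule is the counter-intuitive one for newcomers: a high-clearance user is refused a write to a lower-level object, because that is exactly the path by which classified data would leak downward.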
Technologies and Tools
Security Components and Models
Technology-based Security
Technology-based controls
Many technologies available
Are used to implement controls
Have controls built into their implementation
Must be enabled
Must be monitored / updated
Technologies
There are numerous technologies relevant to security that the CISM should be familiar with including:
Firewalls
Routers and switches
IDS, NIDS, HIDS
Cryptographic techniques (PKI, DES)
Digital signatures
Smart cards
Security in Technical Components
Native control technologies
Security features built in to equipment and applications.
Access control on switches, routers
Error handling in applications
Many products feature out-of-the-box security features that can be configured to protect business information systems
Generally configured and operated by IT
Security in Technical Components cont.
Supplemental control technologies
Security control devices added to an information system
IDS (Intrusion Detection Systems), Firewall,
PKI (Public Key Infrastructure)
Operate as a form of layered defense
Security