Professional Documents
Culture Documents
CISM - Presentation 1
CISM - Presentation 1
CISM - Presentation 1
Mandates
Domain 2
Information Risk Management
and Compliance
deploys
reports to
Domain 3
Information Security Program
Development and Management
requires
Domain 4
Information Security Incident
Management
About the CISM Exam (1/2)
● The CISM certification is designed to meet the growing demand for
professionals who can integrate Information Security (IS) with discrete IS
control skills
● The technical skills and practices the CISM certification promotes and
evaluates are the building blocks of success in this growing field, and the
CISM designation demonstrates proficiency in this role
● The CISM certification/ designation reflects a solid achievement record in
managing information security, as well as in such areas as risk analysis,
risk management, security strategy, security organization etc.
● Certification launched: 2003
● Number of individuals certified: 23000
About the CISM Exam (2/2)
● CISM exam questions are developed with the intent of measuring and
testing practical knowledge and the application of general concepts and
standards
● PBE & CBE (only pencil & eraser are allowed)
● 4 hour exam
● 200 multiple choice questions designed with one best answer
● No negative points
● No prerequisite for exam (only for attending to exam)
Recommended reading for CISM Exam
● Must
○ ISACA CISM Official Glossary
○ ISACA CISM Item Development Guide
○ ISACA CISM QAE Item Development Guide
● Should
○ ISACA Risk IT Framework
○ ISACA CISM Review Manual
● Could
○ Risk IT Practitioner Guide
Earning the CISM Qualification
● Candidate who pass the CISM exam are not automatically CISM-certified/
qualified and cannot use the CISM designation.
● All current requirements are present in official CISM ”Application for CISM
Certification” document:
○ www.isaca.org/cismapp
Summary
● ISACA CISM Review Manual Structure
● CISM Domain Structure
● About the CISM Exam
● Recommended reading for CISM Exam
● Earning the CISM qualification
Q&A
Domain 1
Information
Domain 1
Information
Security
Governance
Security
Governance
Agenda
● Overview of the CISM certification
● Domain 1 – Information Security Governance
● Domain 2 – Information Risk Management and Compliance
● Domain 3 – Information Security Program Development and Management
● Domain 4 – Information Security Incident Management
Module Agenda
● Learning objectives
● Domain 1 – CISM exam relevance
● Module agenda
○ Priorities for the CISM
○ Corporate Governance
○ Information Security Strategy
○ Information Security Program
○ Elements of a Security Program
○ Roles and Responsibilities
○ Evaluating a Security Program
○ Reporting and Compliance
○ Ethics
Learning Objectives
● After this module, the CISM candidate should be able to
○ Support governance
○ Support business cases to justify security
○ Compliance with legal and regulatory mandates
○ Support organizational priorities and strategy
○ Identify drivers affecting the organization
○ Define roles and responsibilities
○ Establish metrics to report on effectiveness of the security
strategy
Domain 1 – CISM Exam Relevance
Ensure that the CISM candidate…
● Effective security governance framework
● Building and deploying a security strategy aligned with organizational
goals
● Manage risk appropriately
● Responsible management of program resources
The content area for Domain 1 will represent approximately 24% of the CISM
examination – 48 questions
Domain 1 – Task Statements
There are 9 general task statements pertaining to IS Governance in CISM
Certification Job Practice:
● Establish and maintain an information security strategy and governance
framework
● Integrate information security governance into corporate governance
● Establish and maintain information security policy
● Develop business cases to support investments
● Identify internal and external influences to the organization
● Obtain commitment from senior management
● Define and communicate the roles, and
● Establish, monitor, evaluate, and report metrics
Domain 1 – Knowledge Statements
There are 15 general knowledge statements pertaining IS Governance in CISM
Certification Job Practice
● Knowledge of (selected)
8/89 | 26/432
What is Information Security (IS)
In your own words:
● Please describe what Information Security is.
● What is the purpose or value of information security in relation to the
business?
Information Security (1/2)
Information is indispensable to conduct business effectively today
● Information must be
○ Available
○ Integral (information and process)
○ Confidential (when needed)
● Protection of information is a responsibility of the Board of Directors:
○ Oversight,
○ Culture,
○ Policies
□ Confidentiality □ Integrity □ Nonrepudiation
□ Availability □ Access control □ Compliance
□ Authentication □ Privacy □…
Information Security (2/2)
Information Protection includes
● Accountability
● Oversight
● Prioritization
● Risk Management
● Regulatory and Compliance Management
Information Security Governance Overview
● Information security is more than just IT security (more than technology)
● Information Security deals with all aspects of information
● Information must be protected at all levels of the organization and in all
forms
○ E.g. digital, paper, fax, audio, video, microfiche, networks, storage
media, computer systems…
● Information security is a responsibility of everyone
Selling the Importance of Information Security
● Benefits of effective information security governance include
○ Improved trust in customer relationships
○ Protecting the organization’s reputation
○ Better accountability for safeguarding information during critical
business activities
○ Reduction in loss through better incident handling and disaster
recovery
CISM Priorities
● The CISM must understand:
○ Requirements for effective information security governance
● Elements and action required to:
○ Develop an information security strategy
○ Plan of action to implement it
The First Priority for the CISM
Remember that Information Security is a business-driven activity
● Security is here to support the interests and needs of the organization
● Security is always a balance between cost and benefit; security and
productivity/performance
● Security can never be a one size fits all solution
○ Each organization if different and within this organization security
has to be tailored for specific organizational needs
Corporate
Domain 1
Governance
Information
Security
Governance
Corporate Governance
● Ethical corporate behavior by directors or others charged with
governance in the creation and presentation of value for al stakeholders
● The distribution of rights and responsibilities among different
participants in the corporation, such as board, managers, shareholders
and other stakeholders
The Organization for Economic Co-operation and Development (OECD) states: “Corporate
governance involves a set of relationships between a company’s management, its board,
its shareholders and other stakeholders. Corporate governance also provides the
structure through which the objectives of the company are set, and the means of
attaining those objectives and monitoring performance are determined.”
Business Goals and Objectives
● Corporate governance is the set of responsibilities and practices exercised
by the board and executive management
● Goals include:
Level 1 - Ad Hoc
Learning and
Growth perspective
How can we continue
to improve?
●
Roles and Responsibilities
Roles and Responsibilities of Senior Management
● Board of Directors
○ Information security governance / Accountability
● Executive Management
○ Implementing effective security governance and defining the
strategic security objectives
○ Budget and Support
● Steering Committee
○ Ensuring that all stakeholders impacted by security considerations
are involved
○ Oversight and monitoring of security program
Senior Management Commitment
● The support of senior management is crucial to success
○ Budget
○ Direction/policy
○ Reporting and monitoring
● A bottom-up management approach to information security activities is
much less likely to be successful
Senior Management Commitment
How can we obtain continued Senior Management Support for the Security
program?
Steering Commitment
● Oversight of Information Security Program
● Acts as Liaison between Management, Business, Information Technology,
and Information Security
● Assess and incorporate results of the risk assessment activity into the
decision-making process
● Ensures all stakeholder interests are addressed
● Oversees compliance activities
Chief Information Security Officer (CISO)
● Responsible for Information Security related activity
○ Policy
○ Investigation
○ Testing
○ Compliance
● IT planning, budgeting, and performance, including its information security
components
Information Security Manager
● Responsible for their organization’s security programs, usually including
information risk management
● Playing a leading role in introducing an appropriate, structure methodology
● Act as major consultants in support of senior management
Business and Functional Manager
● Responsible for business operations
● Responsible for security enforcement and direction in their area
● Day to day monitoring
○ Reporting
○ Disciplinary actions
○ Compliance
IT Security Practitioners
● Responsible for proper implementation of security requirements in their IT
systems
● Support or use the risk management process to identify and assess new
potential risk and implement new security controls as needed to safeguard
their IT systems
Security Awareness Trainers
● Must understand the risk management process
● Develop appropriate training materials
● Conduct security trainings and awareness programs
● Incorporate risk assessment into training programs to educate the end
users
Centralized vs. Decentralized Security
● Consistency vs. flexibility
● Central control vs. local ownership
● Procedural vs. responsive
● Core skills vs. distributed skills
● Visibility to senior management vs. visibility to users and local business
units
Evaluating the Security
Program
Audit and Assurance of Security
● Objective review of security risk, controls and compliance
● Assurance regarding the effectiveness of security is a part of regular
organizational reporting and monitoring
Evaluating the Security Program
● Metrics are used to measure results
● Measure security concepts that are important to the business
● Use metrics that can be used for each reporting period
○ Compare results and detect trends
Effective Security Metrics
● Set metrics that will indicate the health of the security program
● Incident management
● Degree of alignment between security and business development
○ Was security consulted
○ Were controls designed in the systems or added later
● Choose metrics that can be controlled
○ Measure items that can be influenced or managed by local managers/security
○ Not external factors such as number of viruses released in the past year
○ Have clear reporting guidelines
○ Monitor on a regular scheduled basis
Key Performance Indicators (KPIs)
● Thresholds to measure
○ Compliance/non-compliance
○ Pass/fail
○ Satisfactory/unsatisfactory results
● A KPI is set at a level that indicates action should/must be taken
○ Alarm point
End to End Security
● Security must be enabled across the organization – not just on a system by
system basis
● Performance measures should ensure that security systems are integrated
with each other
○ Layered defenses
Correlation Tools
● The CISO may use Security Event and Incident Management (SEIM, SIM,
SEM) tools to aggregate data from across the organization
● Data analysis
● Trend detection
● Reporting tools
Reporting and Compliance
Regulations and Standards
● The CISM must be aware of National
○ Laws
○ Privacy
○ Regulations
● Reporting, Performance
● Industry Standards
○ Payment Card Industry (PCI)
○ BASEL II
Effect of Regulations
● Requirements for business operations
○ Cost
○ Reputation
● Scheduled reporting requirements
○ Frequency
○ Format
Reporting and Analysis
● Data gathering at source
○ Accuracy
○ Identification
● Reports signed by Organizational Officer
Ethics
RFC 1087, Ethics and the Internet
● Internet Activities Board (IAB) characterized the following activities as
unethical and unacceptable on the Internet:
○ Seeks to gain unauthorized access to the resources of the Internet
○ Disrupts the intended use of the Internet
○ Wastes resources (people, capacity, computer) through such actions
○ Destroys the integrity of computer-based information, and/or
○ Compromises the privacy of users
Ethical Standards
● Rules of behavior ● Responsibility to all stakeholders
○ Legal ○ Customers
○ Corporate ○ Partners
○ Industry ○ Suppliers
○ Personal ○ Management
○ Owners
○ Employees
○ community
Ethics Plan of Action
● Develop a corporate guide to computer ethics for the organization
● Develop a computer ethics policy to supplement the computer security
policy
● Add information about computer ethics to the employee handbook
● Find out whether the organization has a business ethics policy, and expand
it to include computer ethics
● Learn more about computer ethics and spread what is learned
ISACA Code of Ethics (1/3)
● Required for all certification holders
● Support the implementation of, and encourage compliance with,
appropriate standards, procedures and controls for information systems
● Perform their duties with objectivity, due diligence and professional care,
in accordance with professional standards and best practices
ISACA Code of Ethics (2/3)
● Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high
standards of conduct and character, and not engage in acts discreditable to the profession
● Maintain the privacy and confidentiality of information obtained in the course of their duties
unless disclosure is required by legal authority
○ Such information shall not be used or personal benefit or released to inappropriate parties
ISACA Code of Ethics (3/3)
● Maintain competency in their respective fields and agree to undertake only those
activities, which they can reasonably expect to complete with professional competence
● Inform appropriate parties of the results of work performed; revealing all significant
facts known to them
● Support the professional education of stakeholders in enhancing their understanding
of information systems security and control
Summary & Conclusion
● Priorities for the CISM
● Corporate Governance
● Information Security Strategy
● Information Security Program
● Elements of a Security Program
● Roles and Responsibilities
● Evaluating a Security Program
● Reporting and Compliance
● Ethics
1. Risk Category - This is where you categorize your risk. Does it fall under the category of scope, time, cost,
resources, environmental, or another key category? Using these categories helps tease out likely risks and
groups them into relevant categories for future reference.
2. Risk Description - A brief description of the potential risk. For instance, the first potential risk identified in
the Resources category is: “There is conflict over resources and team members don’t have enough time due to
competing demands.”
3. Risk ID - This is a unique identification number used to identify and track the risk in the risk register. If
Resources is Category 8, then the first risk identified in this category has a unique ID of 8.1.
12 Elements of the Risk Register Continued
Elements 4 to 8 record the results of the Risk Assessment phase
4. Project Impact – A description of the potential impact on the project as a result of the risk. For example:
“The project schedule may slip, budget may increase and project scope may not be achieved.”
5. Likelihood – The estimated likelihood or probability that the risk will occur at some point and become a
project issue. This can be qualitative: high, medium, or low; but it can also be quantitative if enough
information is available. For our example, we know that resources have been over-committed in the past and
we assess the likelihood of occurrence as “High.”
6. Consequence – The potential consequence or impact of the risk if it did become a project issue. For our
project, time is a fixed constraint, and so any risk that has the potential to significantly delay the project
schedule has a “High” consequence.
12 Elements of the Risk Register Continued
7. Risk Rank – This is the magnitude or the level of the risk. It is a combination of likelihood and
consequence. As they are both “High” in our example, then the risk rank is also “High.”
8. Risk Trigger – What are the triggers that would indicate the need to implement contingency plans?
“If resource conflicts have not been resolved three weeks before the scheduled start date, then
implement contingency plans.”
12 Elements of the Risk Register Continued
These last four elements record the outcomes of the Risk Response and Mitigation phase.
9. Prevention Plan – This is an action plan to prevent the risk from occurring. For our example, the Prevention Plan includes: Liaise
with functional managers and team members to pre-empt future conflicts; and specify and agree resource needs (staff and
equipment) with functional managers.
10. Contingency Plan – This is an action plan to address the risk if it does occur. For our example, the Contingency Plan includes:
“Train and up-skill existing team members in combination with HR department.”
11. Risk Owner – This is the person responsible for managing the risk and implementing the Prevention or Contingency Plans.
Stakeholders, members of the project team, the Project Manager and the Project Sponsor can all be risk owners.
12. Residual Risk – This is the risk that remains after treatment is carried out. After treatment, we assess the residual risk level as
“Low.” Residual risk must fall within management’s stated risk tolerance.
Risk Awareness
● Awareness powerful in creating culture, forming ethics, and influencing
behavior
○ Involves each member of the team (proactive)
● Acknowledges that risk is an integral part of the business
The Risk Awareness Program
● The Risk Awareness program:
○ Creates understanding of risk, risk factors, and types of risk
○ Should be tailored to the needs of the groups within an organization
○ Should not disclose vulnerabilities or ongoing investigations
● Can serve to mitigate risk through education on policy and procedures
● Management training: Highlight need for management a supervisory role/oversee actions of staff
● Senior management training: Highlight liability, need for compliance, due care and due
diligence/culture and ownership
Risk Assessment
2.1 Risk Identification vs. Risk Assessment
● Risk identification
○ The process of determining and documenting the risk that an enterprise faces
○ Documentation of assets and their values
● Risk Assessment
○ A process used to identify and evaluate risk and its potential effects
○ Assessing critical functions and defining controls in place
Current State of Controls
● Audit
● Control tests: Selected to address one or more specific type of risk
● Incident reports
● IT operations feedback
● Logs: Valuable but underutilized
● Media reports
● Observation
● Self-assessments
● Third-party assurance
● User feedback
● Vender reports
● Vulnerability assessments/penetration tests
Risk and Control Analysis
● Compare current state against desired state
○ Gap analysis
○ Maturity models
○ Effectiveness of controls
● Data analysis
○ Are all of the data available?
○ Have any of the data been altered or changed?
○ Are the data in the correct format?
○ Are the data based on measuring important factors?
Risk and Control Analysis
● Threat and misuse case modeling
○ Misuse case modeling looks at all the possible errors, mistakes
or ways a system can be misused
○ Threat modeling examines the ways a system can be attacked and
used for a purpose for which the system was never intended
● Root cause analysis: establish origins of events (root cause) to learn from
consequences
○ Pre-mortem: a facilitated workshop where the group is told to
pretend that the project has failed and then they are to discuss why
it has failed
Gap Analysis
Monitoring Risk
● Key performance indicators (KPIs)
○ Measure that determines how well the process is performing in
enabling the goal to be reached
● Key risk indicators (KRIs)
○ A subset of risk indicators that are highly relevant and possess a
high probability of predicting or indicating important risk
● Key goal indicators (KGIs)
○ A measure that tells management, after the fact, whether an IT
process has achieved its business requirements and is usually
expressed in terms of information criteria
Risk Assessment Methodologies
● Risk analysis provides data necessary for risk response activity
● Two main methods
○ Quantitative
○ Qualitative
○ Hybrid: Semi-quantitative
Qualitative Risk Assessment
● Based on scenarios or descriptions of situations that may have
occurred or may occur
● Feedback based on a range of values:
○ Very low
○ Low
○ Moderate
○ High
○ Very high
● Results usually conveyed in a table that compares likelihood with impact
● Problem: Does not provide hard numerical values
Quantitative Risk Assessment
● Based on numerical calculations
● Suitable for cost-benefit analysis
● Can be difficult to place a value on subjective elements of risk
● Calculating the cost of an event
○ Unpredictable depending on many factors
● Threat/vulnerability pairings
○ Be aware of relationships between threats and vulnerabilities
Semi-Quantitative Risk Assessment
● Combines elements of qualitative and quantitative risk assessment
● Uses a range of values used to assess risk
● Provide meaningful ways to determine the difference between the
various risk levels
Semi-Quantitative Risk
Risk Ranking
● Completed following results of risk assessment
● Combination of all components of risk OCTAVE®
● Used to identify, prioritize and manage information security risk
● Includes measuring capability and maturity of risk management processes
2.8 Business-related Risk
● IT risk assessment report must express risk in terms that management can understand
○ Use business terms
○ Refrain from highly technical/IT-specific terminology
● Business processes and initiatives
○ IT risk assessment process must be aligned with the direction of the business Risk should be
examined with changes to business processes
● Management of IT operations
○ Risk depends on culture
○ IT management should be active in mitigating risk
2.8 Business-related Risk (2)
● Required for all certification holders
● Support the implementation of, and encourage compliance with, appropriate standards, procedures
and controls for information systems
● Perform their duties with objectivity, due diligence and professional care, in accordance with
professional standards and best practices
2.9 Risk Associated with Enterprise Architecture
Risk Scenarios Hardware
Hardware includes: Risk associated are:
● Central processing units (CPUs) ● Outdated hardware
● Motherboards ● Poorly maintained hardware Misconfigured
● RAM ROM hardware Poor architecture
● Networking components ● Lack of documentation Lost, misplaced or
● Firewalls and gateways stolen hardware
● Keyboards ● Hardware that is not discarded in a secure
● Monitors manner
● Sniffing or capturing traffic Physical access
● Hardware failure Unauthorized hardware
Risk Scenarios Software
● Risk associated with software includes:
○ Logic flaws or semantic errors
○ Bugs (semantic errors)
● Lack of patching
● Lack of access control
● Disclosure of sensitive information
● Improper modification of information
● Loss of source code
● Lack of version control
● Lack of input and output validation
Risk Scenarios Software
Operating systems Risk associated: Applications Risk associated:
● Unpatched vulnerabilities ● Poor or no data validation Exposure of sensitive
● Poorly written code data Improper modification of data Logic flaws
● Complexity Misconfiguration ● Software bugs Lack of logs
● Weak access controls ● Lack of version control Loss of source
● Lack of interoperability code
● Uncontrolled changes ● Weak or lack of access control
● Lack of operability with other software
● Back doors
● Poor coding practices
Risk Scenarios Utilities
Environmental utilities risk associated: Software utilities risk associated:
● Power interruptions ● Use of outdated drivers
● Losses ● Unavailability of drivers
● Generators ● Unpatched drivers
● Batteries ● Use of insecure components
● HVAC ● Unpatched vulnerabilities
● Water
● Secure operational area
Risk Network Components
Risk associated with:
● Network configuration and management
● Network equipment protection
● The use of layered defense
● Suitable levels of redundancy
● Availability of bandwidth
Risk Network Components (2)
Risk associated with:
● Use of encryption for transmission of sensitive data
● Encryption key management
● Use of certificates to support public key infrastructure
● Damage to cabling and network equipment
● Tapping network connections and eavesdropping on communications
● Choice of network architecture
● Documentation of network architecture
Risk Scenarios: Network Components
Risk associated with:
● Firewalls
○ Packet Filters
○ Stateful Firewalls
○ Proxy Servers
● Domain name system
○ Rogue DNS
○ Poisoning
Risk Scenarios: Network Components (2)
Risk associated with:
● Wireless access point
○ Rogue Access Points
○ Evil Twin
● Routers
● Switches
● VLANs
Risk Scenarios: Network Architecture
Risk Scenarios: Network Architecture
Risk associated with:
● Local area network
● Wide area network
● Virtual private network
● Length and location
● Encryption
● Demilitarized zone
● Extranet
● User interfaces
Risk Scenarios: Data Management
Risk associated with:
● Clear ownership of data can be a significant risk
● Staff awareness of risk associated with improper data management
● Review processes and policies and compliance
Why Monitor?: New Threats and Vulnerabilities
● Risk environment always changing
● Ensure that new threats and vulnerabilities are evaluated during IT risk
assessment
● Work with owners to determine responses
● Pressure to implement new technologies
○ Often can cause organizations to lose sight of the business risk
● Foresight and forecasting
● Evaluate and assess the approach of the organization
● Should not ignore new technologies as they may already be in use
Risk Scenarios: Industry Trends
Risk associated with:
● Failure to see changing trends can result in loss of market share
● Failure of IT to support a new business model may result in loss to the
organization
● Assess the maturity of the department and organization toward new trends
Risk Scenarios: 3rd Party Risk
● Third-party Management
○ Data and business process ownership remains with the
organization doing the outsourcing, including security
requirements
Risk Scenarios: 3rd Party Risk (2)
● Third-party Management
○ Risks associated with outsourcing include:
■ Hiring and training practices of the supplier
■ Reporting and liaison between the outsourcing organization
and supplier
■ Time to respond to any incidents
■ Liability for non-compliance with terms of the contract
■ Nondisclosure of data or business practices
■ Responding to requests from law enforcement
■ Length of contract and terms for dissolution/termination of
contract
■ Location of data storage including backup data
■ Separation between data and management of data of
competing firms
Risk Scenarios: 3rd Party Risk (3)
● Third-party Management
○ Outsourcing: Considered from risk/regulatory perspective
■ Contracts should address security and regulatory requirements
○ Contractual requirements
○ Service level agreements/Contractual requirements with customer
Risk Scenarios: The Cloud
● Unauthorized access to customer and business data
● Security risks at the vendor
○ The character of the vendor’s employees
○ The security of the vendor’s technology
○ The access the vendor has to their data
● Compliance and legal risks
○ Where the data resides
○ Who is allowed to access it
○ How it is protected
● Risks related to lack of control
● Availability risks
Cloud Computing Risks
When thinking about risks related to using cloud
services, what are the top concerns?
2.15 Project and Program Management
Reasons IT projects fail:
Exclusive to Cybrary for Business customers and Cybrary Insider Pros. Live online certification
prep, speciality knowledge, skill and ability training, product training and more!
3.2 Risk Response Options
● Four options for risk response:
1. Risk acceptance
2. Risk mitigation
3. Risk avoidance
4. Risk transfer
Risk Acceptance
● A conscious decision made by senior management to recognize the existence of risk and
knowingly decide to allow (assume) the risk to remain without (further) mitigation
○ Management responsible for impact of the risk event
● Defined as the amount of risk that senior management has determined is within
acceptable or permissible bounds
○ Not the same as risk ignorance, which is the failure to identify or acknowledge risk
● Risk tolerance: An exception when senior management decides to exceed risk acceptance
levels
Risk Acceptance (2)
● Examples of risk acceptance:
○ It is predicted that a certain project will not deliver the required business functionality by the
planned delivery date. Management may decide to accept the risk and proceed with the project.
○ A particular risk is assessed to be extremely rare but very important (catastrophic), and
approaches to reduce it are prohibitive. Management may decide to accept this risk.
● Risk acceptance often based on poorly calculated risk levels
● Level of risk and impact is always changing, so regular reviews are needed
Risk Mitigation
● Risk mitigation means that action is taken to reduce the frequency and/or
impact of a risk
○ May require the use of several controls until it reaches levels of
risk acceptance or risk tolerance
Risk Mitigation (2)
● Examples of risk mitigation:
○ Strengthening overall risk management practices, such as implementing sufficiently
mature risk management processes
○ Deploying new technical, management or operational controls that reduce either the
likelihood or the impact of an adverse event
○ Installing a new access control system
○ Implementing policies or operational procedures
○ Developing an effective incident response and business continuity plan (BCP)
○ Using compensating controls
Risk Avoidance
● Risk avoidance means exiting the activities or conditions that give rise to risk
○ Applies when no other risk response is adequate
● Examples of risk avoidance are:
○ Relocating a data center away from a region with significant natural hazards
○ Declining to engage in a very large project when the business case shows a notable risk of
failure
○ Declining to engage in a project that would build on obsolete and convoluted systems
because there is no acceptable degree of confidence that the project will deliver anything
workable
○ Deciding not to use a certain technology or software package because it would prevent future
expansion
Risk Sharing/Transfer
● Risk transfer is a decision to reduce loss through sharing the risk of loss
with another organization (ex., purchasing insurance)
● Partnerships with another organization are an example
● Decision should be reviewed on a regular basis
Analysis Techniques
● Analysis techniques can help management to determine the best risk response
Considerations for selecting a response include:
○ The priority of the risk as indicated in the risk assessment report
○ Any other response alternatives that are suggested through further analysis
● As controls to mitigate risk are designed and developed, the risk owner also
mandates the development of the ability to monitor and report on the
effectiveness of the controls.
● Regular monitoring and reporting on risk is essential to management, and the use of
KPIs and KRIs assists management in the monitoring of trends, compliance and issues
related to risk.
● Risk management is a never-ending process.
People
Key Information Security Program Elements
-Training
Technolog -Awareness Proces
y -HR Policies s
-Background Checks
-Roles / responsibilities
-Mobile Computing
-Social Engineering
-Social Networking
-Acceptable Use
-Policies
-Performance Mgt
-System Security -Risk Management
-UTM. Firewalls -Asset Management
-IDS/IPS People -Data Classification
-Data Center -Info Rights Mgt
-Physical Security -Data Leak Prevention
-Vulnerability Assmt -Access Management
-Penetration Testing -Change Management
-Application Security -Patch Management
-Secure SDLC -Configuration Mgmt
-SIM/SIEM -Incident Response
-Managed Services -Incident
Management
Essential Information Security Practices
● Management Commitment
● Risk Management
● Asset Inventory and Management
● Change Management
● Incident Response and Management
● Configuration Management
● Training and awareness
● Continuous Audit
● Metrics and Measurement
Essential Information Security Practices (2)
● Vulnerability Assessment
● Penetration Testing
● Application Security Testing
● Device Management
● Log Monitoring, Analysis, and Management
● Secure Development
Security Program Requirements
● Must develop an enterprise security architecture at conceptual, logical, functional, and
physical levels
● Must manage risk to acceptable levels
○ Risk develops the Business Case that convinces mgmt. security should be performed
● Must be defined in business terms to help non-technical stakeholders understand and endorse
program goals
● Must provide security-related feedback to business owners and stakeholders
● Must address risks in relation to the five categories of assets (See next slide)
Security Safeguards as They Relate to the Five Types of Assets
Security Program are Based on Frameworks
● ISO 27000 Series
● COBIT
● COSO
● TOGAF
● Zachman
● SABSA
IS 27001/27002
ISO 27002 Culture and Controls
● ISO27001 is a culture one has to build in the organization which would
help to:
○ Increase security awareness within the organization
○ Identify critical assets via the Business Risk Assessment
○ Provide a framework for continuous improvement
○ Bring confidence internally as well as to external business partners
○ Enhance the knowledge and importance of security-related issues
at the management level
● Combined framework to meet multiple client
requirements/compliance requirements
ISO 27000
Process Development
● Examine Current state vs. Desired State
● Look to close the gaps
● Consider a Maturity Model to help assess missing processes
SSE-CMM: System Security Engineering Capability Maturity Model
Level 1 - Performed Informally
● Security design is poorly-defined
● Security issues are dealt with in a reactive way
● No contingency plan exists
● Budgets, quality, functionality and project scheduling is ad hoc
● No Process Areas
Level 2 - Planned & Tracked
● Common Features include:
○ Planning Performance
○ Disciplined Performance
○ Verifying Performance
○ Tracking Performance
○ Procedures are established at the project level
○ Definition, planning & performance become de-facto standards
from project to project
○ Events are tracked
Level 3 - Well Defined
● Common Features include:
○ Defining a Standard Process
○ Perform the Defined Process
○ Coordinate Security Practices
○ Standardized security processes across organization
○ Personnel are trained to ensure knowledge and skills
○ Assurance (audits) track performance
○ Measures are defined based upon the defined process
Level 4 - Quantitatively Controlled
● Measurable goals for security quality exist
● Measures are tied to the business goals of the organization
● Common Features include:
○ Establish Measurable Quality Goals
○ Objectively Manage (SLA) Performance
Level 4 - Quantitatively Controlled
● Common Features include:
○ Improve Organizational Capability
○ Improve Process Effectiveness (ROI)
○ Continuous improvement arise from measures and security events
○ New technologies and processes are evaluated
Security Baseline
“We hope to be
“We are at 50% COBIT Level 3
compliance but
(Or NIST compliant)
are striving for
100%” within one year”
Today’s Goal
Baseline Baseline
Security Standards
● These standards can be used to develop or advance a security program (if
one is not in place):
Gap Analysis: What do we need to do to
○ ISO/IEC 27001 achieve our goal?
○ ISACA COBIT
Where Where we
we are want to be
COBIT Levels
Lvl Lvl Lvl Lvl Lvl Lvl
0 1 2 3 4 5
Nonexistent Initial/Ad hoc Defined Optimized
Process
Repeatable Managed &
but intuitive Measurable
Security Functions
Monitor industry practices Provide
recommendations
Metrics, investigation, security
escalation
Strategy
Policy,
Compliance Policy Procedure,
Standards
● Monitoring and metrics shall be implemented, managed, and maintained to provide ongoing
assurance that all security policies are enforced and control objectives are met
● Incident response capabilities are implemented and managed sufficient to ensure that incidents
do not materially affect the ability of the organization to continue operations
● Business continuity and disaster recovery plans shall be developed, maintained and tested in a
manner that ensures the ability of the organization to continue operations under all conditions
Security Policy Document
● Definition of information security
● Statement of management commitment
● Framework for approaching risk and controls
● Brief explanation of policies, minimally covering regulatory compliance,
training/awareness, business continuity, and consequences of violations
● Allocation of responsibility, including reporting security incidents
● References to more detailed documents
Policy Documentation
Policy = Direction for Control
Employees must understand intent
Philosophy of organization
Auditors test for compliance
Created by Senior Mgmt Reviewed
periodically
● Usually, firewalls are put on the perimeter of a network and allow or deny
traffic based on company or network policy.
● MUST have IP forwarding turned off*
● Firewalls are often used to create a DMZ.
● Generally are dual/multi homed*
● Types of firewalls
Packet Filter
● Uses Access control lists (ACLs), which are rules that a firewall applies to
each packet it receives.
● Not state full, just looks at the network and transport layer packets (IP
addresses, ports, and “flags”)
○ Do not look into the application, cannot block viri etc.
● Not state full, just looks at the network and transport layer packets (IP
addresses, ports, and “flags”)
○ Do not look into the application, cannot block viri etc.
● It allows return traffic to come back where a packet filter would have to
have a specific rule to define returned traffic*
● This allows for additional security as they can inspect the data for
protocol violations or content.
NAT/PAT
● A proxy that works without special software and is transparent to the
end users.
Realm
Cryptography
Domain 1
Information
Security
Governance
Definitions and Concepts
● Plain Text + Initialization Vector + Algorithm + Key
=
Ciphertext
Definitions and Concepts
● Plain text is unencrypted text
● Initialization Vector (IV) adds randomness to the beginning of the process
● Algorithm is the collection of math functions that can be performed
● Key: Instruction set on how to use the algorithm
Symmetric Cryptography
● Symmetric = Same
● In symmetric cryptography the same key is used to both encrypt and decrypt
● Very fast means of encrypting/decrypting with good strength for privacy
● Preferred means of protecting privacy data
● Also can be called “Private Key” “Secret Key” or “Shared Key” Cryptography
Drawbacks to Symmetric Cryptography
● Out of band key exchange
● Not scalable
○ N * (N-1)
2
● No authenticity, integrity, or non-repudiation
Asymmetric Cryptography
● Every user has a key pair.
○ Public key is made available to anyone who requests it
○ Private key is only available to that user and must not be disclosed
or shared
● The keys are mathematically related so that anything encrypted with one
key can only be decrypted by the other.
Review Symmetric vs. Asymmetric
● Symmetric
○ Fast
○ Out of band key exchange
○ No integrity, authenticity or non-repudiation Not
Scalable
● Asymmetric
○ Slow
○ Scales to large organizations well
○ Provides non-repudiation
○ Key exchange does not require exchange of any secret information
Hybrid Cryptography in SSL/TLS
● Client initiates a secure connection
● Server responds by sending it’s public key to the client
● The client then generates a symmetric session key.
● Client encrypts uses the server’s public key to encrypt the session key.
● Client sends the session key (encrypted with the server’s public key) to the server
● Server uses its private key to decrypt the session key
● Now that a symmetric session key has been distributed, both parties have a secure channel
across which to communicate.
Integrity
● Data gets modified
○ Accidentally through corruption
○ Intentionally through malicious alteration
● Hash: only good for accidental modification
● MAC: Provides reasonable authenticity and integrity not strong enough to be
non-repudiation (because it uses a symmetric key)
● Digital Signatures: Can detect both malicious and accidental modification, but
requires an overhead.
○ Provides true non- repudiation
Hashing
● Digital representation of the contents of the file If the file changes, the hash
will change
● One way math
● When two different documents produce the same hash, it is called a collision
● A birthday attack is an attempt to cause collisions. It is based on the idea that
it is easier to find two hashes that happen to match than to produce a specific
hash.
Digital Signature
● Message is hashed.
● Hash is encrypted by Sender’s Private Key.
● SHA-1 is generally used for the hash.
● RSA is the asymmetric encryption algorithm that encrypts the
hash with the sender’s private key.
What Prevents MITM Attacks
● Authentication
● Remember Encryption CANNOT thwart a MITM attack
● Authentication is what prevents MITM
Certificates
● X.509 v.4 standard
● Provides authenticity of a server’s public key
● Necessary to avoid MITM attacks with servers using SSL or TLS
● Digitally signed by Certificate Authority
PKI (Public Key Infrastructure)
● Certificate Authority (CA)
● Registration Authority (RA)
● Certificate Repository
● Certificate Revocation List
Certificate Contents
Certificate Revocation
● CRL: CA publishes CRL. Client is responsible for downloading to see if a certificate has been revoked.
● OCSP (Online Certificate Status Protocol): Streamlines the process of verifying whether or not a
certificate has been revoked.
Certification and Accreditation
● Certification is the technical evaluation of the product’s security mechanisms in a particular
environment.
○ Certification should yield verification
● Accreditation is management’s approval and acceptance of the product and the related risks.
○ Accreditation yields validation
Traditional Evaluation Criteria
● Trusted Computer System Evaluation Criteria (TCSEC)
○ Evaluates Confidentiality
● Information Technology Security Evaluation Criteria (ITSEC)
○ Evaluates Confidentiality, Integrity, and Availability
● Common Criteria (CC)
○ Provided a common structure and language
○ It is an international standard (ISO 15408)
Traditional Evaluation Criteria
Canadian
Orange Book
Criteria
(TCSEC)
(CTCPEC)
1985
1993
UK
Confidence Federal ISO 15408-1999
Levels 1989 Criteria Draft Common Criteria
1993 (CC)
V1.0 1996
German V2.0 1998
Criteria V3.0 1999
ITSEC 1991
French
Criteria
ISO 15408 Protection Profile
Agency requests a specific
security solution
Evaluation
Document Identify
Respond Detect
Triage
Prepare
● Defines the preparation work that has to be completed prior to having any capability to respond to incidents:
○ Coordinate planning and design
■ Identify incident management requirements
■ Obtain funding and sponsorship
■ Develop Implementation Plan
○ Coordinate implementation
■ Develop Policies, processes and plans
■ Establish Incident handling criteria
■ Define Criticality
■ Evaluate Incident management capability
■ Define post-mortem review
■ Define process change procedure
Protect
● Protect and secure critical data and computing infrastructure and its constituency when responding
to incidents
● Be prepared to contain the attack. Implement abilities to isolate the systems or networks
● Implement lessons learned
● Use proactive security assessments
Detect
● Identify unusual/suspicious activity that might compromise critical business functions or
infrastructure
○ Proactive detection—conduct detective monitoring regularly
■ Honeypots
■ Scan for unauthorized servers or hosts Analyze
network traffic
■ Review audit logs and files
○ Reactive detection is essential as well to be able to quickly detect and attack
○ Intrusion detection
○ Review audit logs and files
Triage
● Process of sorting, categorizing, correlating, prioritizing and assigning incoming report/events
● Analyze what is known, then prioritize
● Allows events to be managed based on order of criticality
Respond
● Steps taken to address, contain, resolve or mitigate an incident
○ Technical response
○ Collect data
○ Analyze incident
○ Research corresponding technical mitigation techniques
○ Isolate affected system
○ Deploy patches and workaround
● Management Response: Activities that require supervisory or mgmt. intervention—
notification, interaction, escalation or approval—business and senior managers
● Legal response—Activity that relates to the investigation, prosecution, liability copyright and privacy
issues
Document
● Debrief team
● Lessons learned
Intrusion Detection System/Intrusion Prevention System
● IDS Reactive system that will document an attack or notify an admin
● IPS Proactive system that will stop an attack in progress
● Most systems today are IDS/IPS
Violation Analysis
● First step of any incident response should always include violation analysis
● Has an actual security incident transpired, or do we simply have abnormal system activity?
● Is this event malicious or accidental?
● Is it internal/external?
● What is the scope of the incident?
Intrusion Detection Systems
● Software is used to monitor a network segment or an individual computer
● Used to detect attacks and other malicious activity
● Dynamic in nature
● The two main types:
○ Network-based (packet sniffer + analysis engine)
○ Host-based based (local host only)
Protocol Analyzers (Sniffers) and Intrusion Detection Systems
● Promiscuous mode
● Switching can affect the Packet Capture.
● Solution is PORTSPAN
Types of IDS
● Network-based IDS
○ Monitors traffic on a network segment
○ Computer or network appliance with NIC in promiscuous mode
○ Sensors communicate with a central management console
● Host-based IDS
○ Small agent programs that reside on individual computer
○ Detects suspicious activity on one system, not a network segment
● IDS Components:
○ Sensors Analysis engine
○ Management console
IDS Components
● IDS Components:
○ Sensors Analysis engine
○ Management console
Sensor Placement
● In front of firewalls to discover attacks being launched
● Behind firewalls to find out about intruders who have gotten through
● On the internal network to detect internal attacks
Sensor Placement
Analysis Engine Methods
Pattern Matching
● Rule-Based Intrusion Detection
● Signature-Based Intrusion Detection
● Knowledge-Based Intrusion Detection
Profile Comparison
● Statistical-Based Intrusion Detection
● Anomaly-Based Intrusion Detection
● Behavior-Based Intrusion Detection
Types of IDS
● Signature-based—MOST COMMON
○ IDS has a database of signatures, which are patterns of previously
identified attacks
○ Cannot identify new attacks Database needs
continual updates
● Behavior-based
○ Compares audit files, logs, and network behavior, and develops
and maintains profiles of normal behavior
○ Better defense against new attacks
○ Creates many false positives
IDS/IPS Response Options
● Passive(IDS):
○ Page or email administrator
○ Log event
● Active (IPS)
○ Send reset packets to the attacker’s connections
○ Change a firewall or router ACL to block an IP address or range
○ Re-configure router or firewall to block protocol being used for
attack
IDS Issues
● May not be able to process all packets on large networks
○ Missed packets may contain actual attacks
○ IDS vendors are moving more and more to hardware-based systems
● Cannot analyze encrypted data
● Switch-based networks make it harder to pick up all packets
● A lot of false alarms
● Not an answer to all prayers
○ Firewalls, anti-virus software, policies, and other security
controls are still important
Security Incident Response
● Event: a change of state
● Incident: series of events that has a negative impact on the company
and its security
● Incident response focuses on containing the damage of an attack and
restoring normal operations
● Investigations focus on gathering evidence of an attack with the goal of
prosecuting the attacker
Security Incident Response Continued
● Framework should include:
○ Response capability
○ Incident Response and handling
○ Recovery and Feedback
Response Capability
Incident response considerations
● Items the Computer Incident Response Team must have at its disposal
● List of outside agencies and resources to contact or report to
● Computer Emergency Response Team (CERT)
● List of computer or forensics experts to contact
● Steps on how to secure and preserve evidence
● Steps on how to search for evidence
● List of items that should be included on the report
● A list that indicates how the different systems should be treated in this type of
situation
Recovery and Feedback
● Recovery and Repair: Restoration of the system to operations
○ Remember, it does no good to restore to its original status—must
provide greater security lest if fall prey to the same attack again
● Provide Feedback: One of the most important (and most overlooked) steps
● Document, document, document!
Computer Forensics
● Computer Forensics: The discipline of using proven methods toward the collection, preservation,
● IOCE and SWGDE are two entities that provide forensics guidelines and principles as follows
○ Project Initiation
○ Recovery Strategy
○ Implementation
○ Testing
○ Maintenance
7 Phases of Business Continuity Planning
Project Initiation
Testing Maintenance
Phases of the Plan: Project Initiation
● Project Initiation
○ Obtain senior management’s support
○ Secure funding and resource allocation
○ Name BCP coordinator/Project Manager
○ Develop Project Charter
○ Determine scope of the plan
○ Select Members of the BCP Team
Phases of the Plan: Business Impact Analysis
● BIA (Business Impact Analysis)
○ Addresses the impact on the organization in the event of loss of a specific services or process
■ Quantitative: Loss of revenue, loss of capital, loss due to liabilities, penalties and fines, etc.
■ Qualitative: loss of service quality, competitive advantage, market share, reputation, etc.
○ Establishes key metrics for use in determining appropriate countermeasures and recovery
strategy
■ The Auditing Department is certainly important, though not usually critical. THE BIA
FOCUSES ON CRITICALITY
Phases of the Plan: Business Impact Analysis
● Key Metrics to Establish
Rolling Hot Site Usually 24 hours Similar to hot site, but supports data High
center operations only
Database
Data Recovery (3)
● Electronic Vaulting
○ Copy of modified file is sent to a remote location where an original backup is stored
○ Transfers bulk backup information
○ Batch process of moving data
● Remote Journaling
○ Moves the journal or transaction log to a remote location, not the actual files
Phases of the Plan: Plan and Design Development
● Now that all the research and planning has been done, this phase is where the actual plan is written
○ Should address
■ Responsibility
■ Authority
■ Priorities
■ Testing
Phases of the Plan: Implementation
● Plan is often created for an enterprise with individual functional managers responsible for plans
specific to their departments
● Copies of Plan should be kept in multiple locations
● Both Electronic and paper copies should be kept
● Plan should be distributed to those with a need to know
● Most employees will only see a small portion of the plan
Phases of the Plan: Implementation
Phases of the Plan: Implementation
Three Phases Following a Disruption
● Notification/Activation
○ Notifying recovery personnel Performing a damage assessment
● Recovery Phase--Failover
○ Actions taken by recovery teams and personnel to restore IT operations at an alternate site
or using contingency capabilities— performed by recovery team
● Reconstitution--Failback
○ Outlines actions taken to return the system to normal operating conditions—performed
by Salvage team
Phases of the Plan: Implementation
Phases of the Plan: Testing
● Should happen once per year, or as the result of a major change (VERY TESTABLE)
● The purpose of testing is to improve the response (never to find fault or blame)
● The type of testing is based upon the criticality of the organization, resources available and risk
tolerance
○ Testing: Happens before implementation of a plan. The goal is to ensure the accuracy
and the effectiveness of the plan
○ Exercises/Drills: Employees walk through step by step. Happens periodically. Main goal is to
train employees
○ Auditing: 3rd party observer ensures that components of a plan are being carried out and
that they are effective.
Types of Tests
● Checklist Test
○ Copies of plan distributed to different departments
○ Functional managers review
● Structured Walk-Through (Table Top) Test
○ Representatives from each department go over the plan
● Simulation Test
○ Going through a disaster scenario
○ Continues up to the actual relocation to an offsite facility
Types of Tests
● Parallel Test
○ Systems moved to alternate site, and processing takes place there
● Full-Interruption Test
○ Original site shut down
○ All of processing moved to offsite facility
Post Incident Review
● After a test or disaster has taken place:
○ Focus on how to improve
○ What should have happened
T.ask Statements
4-. Establish and maintain -an organizational de·n n.it ion of, an d seventy hierarohy for, info rrna t lo n security ,in ccdents lo
1 al mN accu rated ass ificaUon and categ orization of an d respo se to in cfdents.
- 4L E sta blish and mairnt ain ari in·c dent respon se p:1-art to ensJ.ue an effective and timely res p on se to information
2 se,oum.y rnci d en ts.
4-. Dev.e op and implem ent prn cesses t o en su, re the timely id e lili ca· : o of informali o:n security incidenlts at
3 Em pad fu e bus iness . cou '.ld
4.4 Establish! an d maintain processes to in .estigate a111d do cument information :securi 'I in ci d en ts in md:er to
determ ill'le
4-. 1he appropri ate re.sp on s e and cause while adh ering to legal, regulaitmy and orga iz aUon al req111ire irnen ts.
5
E stab li sh and maintai n i nci dent notmcaUron and esca taUon p m cesses, · o enmrne that 1he· ap p ropriate· s ak
4L e.hol-de rs are involved tl'll ind dent response managem en
6,
Organize, train an d equip ncidenl response teams to resp ond to information secull'it y i ll'lci d ents i'n an eif'9dive and
timely manner.
4-.
4.7 Test, re iei.v and revise (as ap plicabJe ) flle tnci den t response plan p eriadlcalli!I to ensure an effective. responsie
H to tnfom1alion .seru rity in oidents and to improve respoose capabilities.
E stabli sh and rna·fllt ain cornmu1rf cation p lans arnd p rocesses to manage communicalion v-mh internal: an d external
errttitie s.
4-. 1 O E s tabli sh and maintai n rnteg ration among the incident response pJa n busjness continufty plan an d dTs aster
4.19 reco:veryCo duct
pl an.pos tinci:dent rerif ews: to determ ine the root caus e of trrfo rm ali on sea.nity incidents, dei.rel op
corre ctive actions , .r-eass e-.ss risk, evaJuaite response efl'ectwen ess and take apprnpriate remedi al act ro ns .