CISM - Presentation 1

CISM Exam Prep Course
Certified Information Security Manager
Starring: Kelly Handerhan

About Your Instructor
Kelly Handerhan, CISM, CRISC, CISSP, PMP
kellyh@Cybertrain.IT
703-568-1663
Start and finish Course style
Coffee and breaks Lunch

Let’s Get To Know Each Other
● Your name and surname
● Your organization
● Your profession (title, function, job responsibilities)
● Your experience with the InfoSec/IT Audit/ITSM
● Your personal session expectations
Overview
Domain 1
of the CISM
Certification
Information
Security
Governance
Course Objectives
● Introduction to CISM certification
● The role of a CISM
● Understanding the IT Security domains and related concepts
● Presenting business value and requirements of IT Security
● Understanding of ISACA RISK IT Framework structure, concepts,
definitions, and processes dedicated to risk management
Main goal:
● Preparing students to CISM exam
Secondary Goal:
● Awareness of IT Security best practices
CISM Domain Structure (1/2)
● Domain 1
○ Information Security Governance
● Domain 2
○ Information Risk Management and Compliance
● Domain 3
○ Information Security Program Development and Management
● Domain 4
○ Information Security Incident Management
CISM Domain Structure (2/2)
Domain 1
Information Security Governance
Mandates
Domain 2
Information Risk Management
and Compliance
deploys
reports to
Domain 3
Information Security Program
Development and Management
requires
Domain 4
Information Security Incident
Management
About the CISM Exam (1/2)
● The CISM certification is designed to meet the growing demand for
professionals who can integrate Information Security (IS) with discrete IS
control skills
● The technical skills and practices the CISM certification promotes and
evaluates are the building blocks of success in this growing field, and the
CISM designation demonstrates proficiency in this role
● The CISM certification/ designation reflects a solid achievement record in
managing information security, as well as in such areas as risk analysis,
risk management, security strategy, security organization etc.
● Certification launched: 2003
● Number of individuals certified: 23000
About the CISM Exam (2/2)
● CISM exam questions are developed with the intent of measuring and
testing practical knowledge and the application of general concepts and
standards
● PBE & CBE (only pencil & eraser are allowed)
● 4 hour exam
● 200 multiple choice questions designed with one best answer
● No negative points
● No prerequisite for exam (only for attending to exam)
Recommended reading for CISM Exam
● Must
○ ISACA CISM Official Glossary
○ ISACA CISM Item Development Guide
○ ISACA CISM QAE Item Development Guide
● Should
○ ISACA Risk IT Framework
○ ISACA CISM Review Manual
● Could
○ Risk IT Practitioner Guide
Earning the CISM Qualification
● Candidate who pass the CISM exam are not automatically CISM-certified/
qualified and cannot use the CISM designation.
● All current requirements are present in official CISM ”Application for CISM
Certification” document:
○ www.isaca.org/cismapp
Summary
● ISACA CISM Review Manual Structure
● CISM Domain Structure
● About the CISM Exam
● Recommended reading for CISM Exam
● Earning the CISM qualification
Q&A
Domain 1
Information
Domain 1
Information
Security
Governance
Security
Governance
Agenda
● Overview of the CISM certification
● Domain 1 – Information Security Governance
● Domain 2 – Information Risk Management and Compliance
● Domain 3 – Information Security Program Development and Management
● Domain 4 – Information Security Incident Management
Module Agenda
● Learning objectives
● Domain 1 – CISM exam relevance
● Module agenda
○ Priorities for the CISM
○ Corporate Governance
○ Information Security Strategy
○ Information Security Program
○ Elements of a Security Program
○ Roles and Responsibilities
○ Evaluating a Security Program
○ Reporting and Compliance
○ Ethics
Learning Objectives
● After this module, the CISM candidate should be able to
○ Support governance
○ Support business cases to justify security
○ Compliance with legal and regulatory mandates
○ Support organizational priorities and strategy
○ Identify drivers affecting the organization
○ Define roles and responsibilities
○ Establish metrics to report on effectiveness of the security
strategy
Domain 1 – CISM Exam Relevance
Ensure that the CISM candidate…
● Effective security governance framework
● Building and deploying a security strategy aligned with organizational
goals
● Manage risk appropriately
● Responsible management of program resources
The content area for Domain 1 will represent approximately 24% of the CISM
examination – 48 questions
Domain 1 – Task Statements
There are 9 general task statements pertaining to IS Governance in CISM
Certification Job Practice:
● Establish and maintain an information security strategy and governance
framework
● Integrate information security governance into corporate governance
● Establish and maintain information security policy
● Develop business cases to support investments
● Identify internal and external influences to the organization
● Obtain commitment from senior management
● Define and communicate the roles, and
● Establish, monitor, evaluate, and report metrics
Domain 1 – Knowledge Statements
There are 15 general knowledge statements pertaining IS Governance in CISM
Certification Job Practice
● Knowledge of (selected)
○ Methods to develop an information security strategy
○ Relationship among information security and business goals
○ Methods to implement an information security governance framework
○ Internationally recognized standards, frameworks and best practices related to

information security governance and strategy development
○ Methods to develop information security policies, business cases, strategic

budgetary planning and reporting methods
○ Information security management roles and responsibilities

The Priorities for the
CISM Candidate
8/89 | 26/432
What is Information Security (IS)
In your own words:
● Please describe what Information Security is.
● What is the purpose or value of information security in relation to the
business?
Information Security (1/2)
Information is indispensable to conduct business effectively today
● Information must be
○ Available
○ Integral (information and process)
○ Confidential (when needed)
● Protection of information is a responsibility of the Board of Directors:
○ Oversight,
○ Culture,
○ Policies
□ Confidentiality □ Integrity □ Nonrepudiation
□ Availability □ Access control □ Compliance
□ Authentication □ Privacy □…
Information Security (2/2)
Information Protection includes
● Accountability
● Oversight
● Prioritization
● Risk Management
● Regulatory and Compliance Management
Information Security Governance Overview
● Information security is more than just IT security (more than technology)
● Information Security deals with all aspects of information
● Information must be protected at all levels of the organization and in all
forms
○ E.g. digital, paper, fax, audio, video, microfiche, networks, storage
media, computer systems…
● Information security is a responsibility of everyone
Selling the Importance of Information Security
● Benefits of effective information security governance include
○ Improved trust in customer relationships
○ Protecting the organization’s reputation
○ Better accountability for safeguarding information during critical
business activities
○ Reduction in loss through better incident handling and disaster
recovery
CISM Priorities
● The CISM must understand:
○ Requirements for effective information security governance
● Elements and action required to:
○ Develop an information security strategy
○ Plan of action to implement it
The First Priority for the CISM
Remember that Information Security is a business-driven activity
● Security is here to support the interests and needs of the organization
● Security is always a balance between cost and benefit; security and
productivity/performance
● Security can never be a one size fits all solution
○ Each organization if different and within this organization security
has to be tailored for specific organizational needs
Corporate
Domain 1
Governance
Information
Security
Governance
Corporate Governance
● Ethical corporate behavior by directors or others charged with
governance in the creation and presentation of value for al stakeholders
● The distribution of rights and responsibilities among different
participants in the corporation, such as board, managers, shareholders
and other stakeholders
The Organization for Economic Co-operation and Development (OECD) states: “Corporate
governance involves a set of relationships between a company’s management, its board,
its shareholders and other stakeholders. Corporate governance also provides the
structure through which the objectives of the company are set, and the means of
attaining those objectives and monitoring performance are determined.”
Business Goals and Objectives
● Corporate governance is the set of responsibilities and practices exercised
by the board and executive management
● Information security governance is a subset of corporate governance
● Goals include:
○ Providing strategic vision and direction
○ Reaching security and business objectives
○ Ensure that risks are managed appropriately and proactively
○ Verify that the enterprise’s resources are used responsibly

6 Basic Outcomes of Effective Security Governance
● Strategy Alignment
● Risk Management
● Value Delivery
● Resource Management
● Performance Measurement
● Integration
Benefits of Information Security Governance
Effective information security governance can offer many benefits to an
organization, including:
● Compliance and protection from litigation or penalties
● Cost savings through better risk management
○ Efficient utilization of security investments that support
organization’s objectives
● Reduced risks and potential business impacts to an acceptable level
● Better oversight of systems and business operations
● Opportunity to leverage new technologies to business advantage
● Business value generated through the optimization o security investments
with organizational objectives
Performance and Governance
● Governance is only possible when metrics are in place to determine
whether critical organizational objectives are achieved
● Those metrics are used for
o Measuring
○ Monitoring
○ Controlling
○ Reporting
● Enterprise-wide measurements should be developed that will be
consistent in all organization activities
Information
Domain 1 Security
Strategy
Information
Security
Governance
What is Security
A structured deployment of risk-based controls related to
● People/Human
● Processes/Organizational
● Technology/Technical
Developing Information Security Strategy
Information Security Strategy
● Long-term perspective
● Standard across the organization
● Aligned with business strategy/direction
● Understands the culture of the organization
● Reflects business needs and priorities
Elements of a Strategy
● A security strategy needs to include
○ Resources needed
○ Constraints
○ A road map
■ Includes people, processes, technologies and other resources
■ A security architecture: defining business drivers, resource
relationships and process flows
○ Achieving the desired state is a long-term goal of a series of projects
or program
Information Security Strategy Objectives
● The Information Security Strategy forms the basis for the plan(s) of action
required to achieve security objectives
● The long-term objectives describe the “desired state”
● Should describe a well-articulated vision of the desired outcomes for a
security program
● Information Security Strategy objectives should be stated in terms of
specific goals directly aimed at supporting business activities
● Security Strategy must
○ Be defined
○ Be measurable
○ Provide guidance
The Goal of Information Security
● The goal of information security is to protect the organization’s assets,
individuals, mission and vision
● In order to achieve this, organization has to do:
○ Asset identification
○ Classification of data/information and systems according to criticality
and sensitivity
○ Application of appropriate controls
Business Linkages
● Start with understanding the specific objectives of a particular line of
business
● Take into consideration all information flows and processes that are critical
to ensuring continued operations
● Enable security to be aligned with and support business at levels:
o Strategic
o Tactical
○ Operational
Business Case Development
Included in the Business Case:
● Reference
● Context (business objectives/opportunities)
● Value Proposition
● Focus
● Deliverables
● Dependencies (CSFs)
● Project metrics (KPIs, KGIs)
● Workload
● Requires resources
● Commitments
The Information Security
Program
Steps in Developing Effective Security Program
In your own words:
What steps/elements are necessary to develop an effective security program?

Security Program Priorities
● Achieve high standards of corporate governance
● Treat information security as a critical business issue
● Create a security positive environment
● Have declared responsibilities
Security vs. Business
● Security must be aligned with business needs and direction
● Security is embedded into the business functions and acts as a internal part
of business operations providing:
○ Strength
○ Resilience
○ Protection
○ Stability
○ Consistency
○ Reliability
● Security must be treated, discussed, and maintained as a business issue
Security Program Objectives
● Ensure the availability of systems and data
○ Allow access to the correct people in a timely manner
● Protect the integrity of data and business processes
○ Ensure no improper modifications
● Protect the confidentiality of information
○ Unauthorized disclosure of information
○ Privacy, trade secrets
● Protect the authenticity and nonrepudiation of business transaction and
information exchanges
Security Program
● Starts with theories and concepts
○ Policy (global or local ones)
● Interpreted through
○ Procedures
○ Baselines
○ Standards
○ Best practices
○ Guidelines
○ …
● Measured through
○ Monitoring
○ Audit
Security Integration
● Security needs to be integrated INTO the business procedures
● The goal is to reduce security gaps through organizational- wide security
programs Integrate IT with:
○ Physical security
○ Risk management
○ Privacy and compliance
○ Business Continuity Management (BCM)
Architecture
● Information security architecture is similar physically
● Requirements definition
○ Design/modelling
○ Creation of detailed blueprints
○ Development, deployment
● Architecture is planning and design to meet the needs of the stakeholders
● Security architecture is one of the greatest needs for most organizations
Information Security Frameworks
● Framework
○ Template
○ Structure
○ Measurable/Auditable
○ Project Planning and Management
○ Strategic, Tactical, and Operational Viewpoints
Using an Information Security Framework
Effective information security is provided through adoption
● Defines information security objectives
● Aligns with business objectives
● Provides metrics to measure compliance and trends
● Standardizes baseline security activities enterprise-wide
The Desired State of Security
The desired state of security should be defined in terms of
● It should be clear to all stakeholders what the intended security state is
● The desired state according to COBIT
○ “Protecting the interests of those relying on information, and the
processes, systems and communications that handle, store and
deliver the information, from harm resulting from failures of
availability, confidentiality and integrity”
● Focuses on IT-related processes from IT governance, management and
control perspectives
The Maturity of the Security Program Using CMM
Level 5 - Optimized
Level 4 - Managed and measurable
Level 3 - Defined Process
Level 2 - Repeatable but intuitive
Level 1 - Ad Hoc
Level 0 - Non Existent

Using the Balanced Scorecard (BSC)
Financial
perspective
How do we l<)<)k tc)
<)lll.
shareholders?
Customer perspective Internal business

The Balanced
processes perspective
How do our Scorecard
What must we excel at?
customers see us?
Learning and
Growth perspective
How can we continue
to improve?
Source: Kaplan and Norton (1996)

Balanced Scorecard (BSC) measurement areas
The original balanced scorecard addresses 4 key areas of performance:
● Financial metrics - provide information about financial performance both
revenue and expenses
● Customer metrics - assess the extent to which the company is meeting
customer needs and expectations
● Business process measures - provide insight into the efficiency of internal
processes and allow leaders to identify and correct problems
● Measures of learning and growth - give managers information about
employee satisfaction and development
The ISO/EIC 27001:2013
● ISO/EIC 27001:2013 Information Technology - Security techniques -
Information security management systems (ISMS) – Requirements
● The goal of the ISO 27001:2013 is to:
○ Establish
○ Implement
○ Maintain
○ Continually improve
● An information security management system
○ Contains:
■ 14 clauses, 35 controls objectives, and 114 controls
Examples of Other Security Related Frameworks
● SABSA (Sherwood Applied Business Security Architecture)
● COBIT (Control Objectives for Information and related Technology)
● COSO ERM and COSO IC
● Business Model for Information Security
● Model originated at the Institute for Critical Information Infrastructure Protection
● Publications from NIST and ISF
● US Federal Information Security
● Management Act (FISMA)
● Securing quality
○ ISO standards on quality (ISO 9001:2000)
○ Six Sigma
Constraints for Security Strategy
● Constraints
○ Legal – Laws and regulatory requirements
○ Physical – capacity, space, environmental constraints
○ Ethics - Appropriate, reasonable and customary
○ Culture - Both inside and outside the organization
○ Organizational structure - How decisions are made and by whom, turf protection
○ Costs - Time, money
○ Personnel - Resistance to change, resentment against new constraints
○ Resources - Capital, technology, people
○ Capabilities - Experience, Knowledge, training, skills, expertise
○ Time - Window of opportunity, mandated compliance
○ Risk acceptance and tolerance – risk appetite, threats, vulnerabilities, impacts
Elements of a Security
Program
Elements of Risk and Security
● The basis for most security programs is risk management
○ Risk Identification
○ Risk Mitigation
● Ongoing Risk Monitoring and evaluation
● Remember that risk is measured according to potential impact on the
ability of the business to meet its mission - not just on the impact on IT
Information Security Concepts (1/2)
● Access ● Business impact analysis
● Architecture ● Confidentiality
● Attacks ● Counter measures
● Auditability ● Criticality
● Authentication ● Data classification
● Authorization ● Exposures
● Availability ● Gap analysis
● Business dependency analysis ● Governance
Information Security Concepts (2/2)
● Identification ● Sensitivity
● Impact ● Standards
● Integrity ● Strategy
● Layered security ● Threats
● Management ● Vulnerabilities
● Nonrepudiation ● Enterprise architecture
● Risk/Residual risk ● Security domains
● Security metrics ● Trust models
Security Program Elements
● Information on Security Governance ● Awareness and education
○ Policies ● Complication enforcement
○ Standards ● Technologies
○ Processes & procedures ● Personnel security
○ Guidelines ● Organizational structure
● Controls ● Skills
○ Managerial (administrative) ● Outsourced security providers
○ Operational (and Physical) ● Other organizational support and assurance providers
○ Technical (Logical) ● Facilities
● Training ● Environmental security
●
Roles and Responsibilities
Roles and Responsibilities of Senior Management
● Board of Directors
○ Information security governance / Accountability
● Executive Management
○ Implementing effective security governance and defining the
strategic security objectives
○ Budget and Support
● Steering Committee
○ Ensuring that all stakeholders impacted by security considerations
are involved
○ Oversight and monitoring of security program
Senior Management Commitment
● The support of senior management is crucial to success
○ Budget
○ Direction/policy
○ Reporting and monitoring
● A bottom-up management approach to information security activities is
much less likely to be successful
Senior Management Commitment
How can we obtain continued Senior Management Support for the Security
program?
Steering Commitment
● Oversight of Information Security Program
● Acts as Liaison between Management, Business, Information Technology,
and Information Security
● Assess and incorporate results of the risk assessment activity into the
decision-making process
● Ensures all stakeholder interests are addressed
● Oversees compliance activities
Chief Information Security Officer (CISO)
● Responsible for Information Security related activity
○ Policy
○ Investigation
○ Testing
○ Compliance
● IT planning, budgeting, and performance, including its information security
components
Information Security Manager
● Responsible for their organization’s security programs, usually including
information risk management
● Playing a leading role in introducing an appropriate, structure methodology
● Act as major consultants in support of senior management
Business and Functional Manager
● Responsible for business operations
● Responsible for security enforcement and direction in their area
● Day to day monitoring
○ Reporting
○ Disciplinary actions
○ Compliance
IT Security Practitioners
● Responsible for proper implementation of security requirements in their IT
systems
● Support or use the risk management process to identify and assess new
potential risk and implement new security controls as needed to safeguard
their IT systems
Security Awareness Trainers
● Must understand the risk management process
● Develop appropriate training materials
● Conduct security trainings and awareness programs
● Incorporate risk assessment into training programs to educate the end
users
Centralized vs. Decentralized Security
● Consistency vs. flexibility
● Central control vs. local ownership
● Procedural vs. responsive
● Core skills vs. distributed skills
● Visibility to senior management vs. visibility to users and local business
units
Evaluating the Security
Program
Audit and Assurance of Security
● Objective review of security risk, controls and compliance
● Assurance regarding the effectiveness of security is a part of regular
organizational reporting and monitoring
Evaluating the Security Program
● Metrics are used to measure results
● Measure security concepts that are important to the business
● Use metrics that can be used for each reporting period
○ Compare results and detect trends
Effective Security Metrics
● Set metrics that will indicate the health of the security program
● Incident management
● Degree of alignment between security and business development
○ Was security consulted
○ Were controls designed in the systems or added later
● Choose metrics that can be controlled
○ Measure items that can be influenced or managed by local managers/security
○ Not external factors such as number of viruses released in the past year
○ Have clear reporting guidelines
○ Monitor on a regular scheduled basis
Key Performance Indicators (KPIs)
● Thresholds to measure
○ Compliance/non-compliance
○ Pass/fail
○ Satisfactory/unsatisfactory results
● A KPI is set at a level that indicates action should/must be taken
○ Alarm point
End to End Security
● Security must be enabled across the organization – not just on a system by
system basis
● Performance measures should ensure that security systems are integrated
with each other
○ Layered defenses
Correlation Tools
● The CISO may use Security Event and Incident Management (SEIM, SIM,
SEM) tools to aggregate data from across the organization
● Data analysis
● Trend detection
● Reporting tools
Reporting and Compliance
Regulations and Standards
● The CISM must be aware of National
○ Laws
○ Privacy
○ Regulations
● Reporting, Performance
● Industry Standards
○ Payment Card Industry (PCI)
○ BASEL II
Effect of Regulations
● Requirements for business operations
○ Cost
○ Reputation
● Scheduled reporting requirements
○ Frequency
○ Format
Reporting and Analysis
● Data gathering at source
○ Accuracy
○ Identification
● Reports signed by Organizational Officer
Ethics
RFC 1087, Ethics and the Internet
● Internet Activities Board (IAB) characterized the following activities as
unethical and unacceptable on the Internet:
○ Seeks to gain unauthorized access to the resources of the Internet
○ Disrupts the intended use of the Internet
○ Wastes resources (people, capacity, computer) through such actions
○ Destroys the integrity of computer-based information, and/or
○ Compromises the privacy of users
Ethical Standards
● Rules of behavior ● Responsibility to all stakeholders
○ Legal ○ Customers
○ Corporate ○ Partners
○ Industry ○ Suppliers
○ Personal ○ Management
○ Owners
○ Employees
○ community
Ethics Plan of Action
● Develop a corporate guide to computer ethics for the organization
● Develop a computer ethics policy to supplement the computer security
policy
● Add information about computer ethics to the employee handbook
● Find out whether the organization has a business ethics policy, and expand
it to include computer ethics
● Learn more about computer ethics and spread what is learned
ISACA Code of Ethics (1/3)
● Required for all certification holders
● Support the implementation of, and encourage compliance with,
appropriate standards, procedures and controls for information systems
● Perform their duties with objectivity, due diligence and professional care,
in accordance with professional standards and best practices
● Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high
standards of conduct and character, and not engage in acts discreditable to the profession
● Maintain the privacy and confidentiality of information obtained in the course of their duties
unless disclosure is required by legal authority
○ Such information shall not be used or personal benefit or released to inappropriate parties
● Maintain competency in their respective fields and agree to undertake only those
activities, which they can reasonably expect to complete with professional competence
● Inform appropriate parties of the results of work performed; revealing all significant
facts known to them
● Support the professional education of stakeholders in enhancing their understanding
of information systems security and control
Summary & Conclusion
● Priorities for the CISM
● Corporate Governance
● Information Security Strategy
● Information Security Program
● Elements of a Security Program
● Roles and Responsibilities
● Evaluating a Security Program
● Reporting and Compliance
● Ethics
CHAPTER 1 QUICK REFERENCE REVIEW OF CISM REVIEW MANUAL

Q&A
Domain 2
Information Risk
Management
Chapter 2 Risk Management
● Risk Introduction
● IT Risk Identification
● IT Risk Assessment
● Risk Response and Mitigation
● Risk and Control Monitoring and Reporting
Introduction to Risk Management
● Risk
○ The combination of the probability of an event and its consequence
○ Often an adverse event
● Several factors considered when evaluating risk:
○ Mission of the organization Assets
○ Threat
○ Vulnerability
○ Likelihood Impact
Risk Definitions
● Asset: Something of tangible or intangible value and is worth protecting
● Vulnerability: A weakness in the design, implementation, operation or internal control of a process that
could expose a system to adverse threats
● Threat: Something that could pose loss to all or part of an asset
Risk Definitions (2)
● Threat Agent: What carries out the attack
● Exploit: An instance of compromise
● Risk: The combination of the probability of an event and its consequence. Risks are often seen as an
adverse event that can threaten an organization’s assets or exploit vulnerabilities and cause harm
○ ISO 31000 defines risks as “the effect of uncertainty on objectives.” indicating risk can be positive
(opportunities) or negative
○ ISO 27005 considers risks to be negative
Risk Definitions (3)
● Inherent Risk: With all business endeavors there is some degree of risk
● Residual Risk: Risk that remains after a control has been implemented. Ultimately, risk should be
mitigated until the residual risk is within the level that management is willing to accept
(management’s risk tolerance)
● Secondary Risk: One risk response may cause a second risk event
● Risk Appetite: Senior management’s approach to risk (Seeking, Neutral, Averse)
● Risk Tolerance: The acceptable level of variation that management is willing to allow for any
particular risk
● Risk Threshold: A quantified limit beyond which your organization is not willing to go
● Controls: Proactive and Reactive mechanisms put in place to manage risks
Risk Governance
Governance: the accountability for protection of the assets of an organization
● Board of directors
● Applicable to all departments and includes risk management
Value creation = benefits realization, risk optimization and resource
optimization
Governance answers four questions:
1. Are we doing the right things?
2. Are we doing them the right way?
3. Are we getting them done well?
4. Are we getting the benefits?
Risk Governance Objectives
Effective risk governance helps ensure that risk management practices are embedded in the
enterprise, enabling it to secure optimal risk – adjusted return.
Risk governance has four main objectives:

1. Establish and maintain a common risk view.
2. Integrate risk management into the enterprise.
3. Make risk-aware business decisions.
4. Ensure that risk management controls are implemented and operating correctly.
Risk Management
Management: Focuses on planning, building, running and monitoring to
create value by achieving objectives set by the governance system
Risk management: Foresees challenges to achieving objectives and attempts

to lower probability and impact of those challenges
Risk Capacity, Risk Appetite, Risk Tolerance
● Risk capacity: The objective amount of loss an enterprise can tolerate
without risking its continued existence
○ Defined by board and executive management at the enterprise level
● Risk appetite: A board/management decision on how much risk is desirable
○ Translated into a number of standards and policies to contain the risk
level within the boundaries set by risk appetite
● Risk tolerance: Tolerable deviations from the level set by the risk appetite
definitions
Context of IT Risk Management
● Risk Management: Coordinated activities to direct and control and enterprise with regard to risk
● Understanding of the organization and its context, or environment
● Assessing the context includes:
○ Intent and capability of threats
○ Assets
○ Relationship of vulnerabilities
○ Vulnerability to changes in economic or political conditions
○ Changes to market trends and patterns
○ Emergence of new competition
○ Impact of new legislation
○ Existence of potential natural disaster
○ Constraints caused by legacy systems and antiquated technology
○ Strained labor relations and inflexible management
ISACA’s Risk Management Life Cycle
● Cyclical process
● Process based on the complete cycle of all the elements
● Continuous process with refinement, adaptation and improvement and
maturity
Risk Identification
Methods to Identify Risk
Methods to Identify Risk
● Sources of risk documentation
● Audit reports Incident reports
● Interviews with SMEs Public media
● Annual reports
● Press releases
● Vulnerability assessments and penetration tests
● Business continuity and disaster recovery plans
● Interviews and workshops
● Threat intelligence services
1.3 Risk Culture and Communication
Risk culture: Balance between negative, positive & regulatory elements of risk
1.3 Risk Culture and Communication
● Benefits of open communication
○ Risk aware business decisions
○ Assistance in executive management’s understanding of the actual exposure to
risk
○ Awareness among all internal stakeholders of the importance of integrating risk
management into their daily duties
○ Transparency to external stakeholders regarding the actual level of risk and risk
management processes in use
1.4 The Business IT’s Risk Strategy
● IT risk measured by the impact of the risk on business operations
● Buy-in of senior management
○ Risk management almost always unsuccessful without
it
○ Provides budget, authority and access needed
○ Support should be visible and active
Alignment with Business Goals and Objectives
● Look beyond IT
● Communicate with senior management
○ Vision and strategy
○ Lines of business, new technologies, future growth, changes in
priorities
● Ensure risk is aligned with and integrated into strategy, vision and
direction
Alignment with Business Goals and Objectives
● The risk practitioner should seek to:
○ Understand the business
○ Listen to the strategy
○ Proactively seek out ways to secure new technologies and business processes
○ Build relationships and communication infrastructure to weave risk management into
each business process and new project
○ Be aware of and mitigate the risk of change
○ Work to create a culture that encourages the participation of risk management into
business processes
○ Understand past events
Organizational Structures and Impact on Risk
● Risk management should be enterprise wide
○ Often the responsibility of one person or a small function within
another area
● Ideally, the three lines of defense
● Often unclear to whom the risk practitioner reports
● Size and diversity can impact managing risk
○ Differences between departments
○ Differences globally
● RACI
Compliance
● Understand the laws and requirements of the regions in which an
organization operates
● Regulations require reporting
○ Failure to comply may result in penalties
● Reports should be:
○ Accurate
○ Complete
○ Timely
Establishing an ERM approach
● A standard approach that can be applied across the enterprise
● Tailored to the needs of each enterprise
● Risk management can be consultative
● Policy
Administrative Risk Controls
● Segregation of duties
● Job rotation
● Mandatory vacations
● Dual Control, M of N Control
● Secure state
● Principle of Least Privilege
● Need to know
● AUP
● Data/System Ownership
1.6 Threats and Vulnerabilities Related to Assets
Assets
● Information
● Reputation
● Brand
● Intellectual property
● Facilities
● Equipment
● Cash and investments
● Customer lists
● Research
● People
● Service/business process
Assets
● Contributing factors to calculating asset value include:
○ Financial penalties for legal non-compliance
○ Impact on business processes
○ Damage to reputation
○ Additional costs for repair/replacement
○ Effect on third parties and business partners
○ Injury to staff or other personnel
○ Violations of privacy
○ Breach of contracts
○ Loss of competitive advantage
○ Legal costs
Threats
● Internal threats
○ Personnel
● External threats
○ Natural events
○ Theft
○ Sabotage/terrorism
○ Criminal acts
○ Software errors
○ Mechanical failures
○ Accidents
○ Emerging threats
Probability and Impact
● Probability - the likelihood of the threat materializing
○ Can be expressed as frequency or ARO (Annual Rate of Expectancy)
○ Affected by three components
■ Motivation: The more motivated the attacker, the more likely he/she will attack
■ Skills: If the attacker has the right tools/skills, the more likely he/she is to succeed
■ Presence of a vulnerability: The presence of a vulnerability means the more likely an
attack will be successful
● Impact—The severity or consequences
■ Can be expressed as EF (Exposure Factor)
1.7 IT Risk Related to Organizational Assets
● People
● Technology
● Data
● Trademarks/Intellectual property
● Business processes
1.8 IT Risk Scenarios
● Risk scenario - A potential risk that can affect an organization - The tangible and assessable
representation of risk
● A risk scenario should contain the following:
○ Asset
○ Threat type
○ Event
○ Asset affected by the risk event
○ Time (if relevant to the scenario)
■ Duration of event
■ Criticality of asset
■ Lag between event and consequence
1.8 IT Risk Scenarios (2)
● Benefits of risk scenarios
○ Provide a tool to facilitate communication
○ Enhance risk management effort
○ Provide realistic view of risk
Risk Ownership
● Ownership & accountability must be assigned to the risk
● Risk owner determines necessary controls
● Owner is determined following the identification of risk
○ Also responsible for control monitoring
● Manager or senior official who will bear responsibility for
○ Determining the risk response
○ Monitoring effectiveness of the control
○ Monitoring and controlling the risk
○ Controls may be managed by IT, but owner is responsible for
risk-related decisions
The IT Risk Register
● Purpose: To consolidate all information about risk into a central
repository
● Lists all known risk
○ Severity, source, and potential impact
○ Risk owner
○ Current status and disposition
○ Information gathered by audits, vulnerability assessments,
penetration tests, etc.
Risk Register
12 Elements of the Risk Register
Elements 1 to 3 record the results of the Risk Identification phase:
1. Risk Category - This is where you categorize your risk. Does it fall under the category of scope, time, cost,
resources, environmental, or another key category? Using these categories helps tease out likely risks and
groups them into relevant categories for future reference.
2. Risk Description - A brief description of the potential risk. For instance, the first potential risk identified in
the Resources category is: “There is conflict over resources and team members don’t have enough time due to
competing demands.”
3. Risk ID - This is a unique identification number used to identify and track the risk in the risk register. If
Resources is Category 8, then the first risk identified in this category has a unique ID of 8.1.
12 Elements of the Risk Register Continued
Elements 4 to 8 record the results of the Risk Assessment phase
4. Project Impact – A description of the potential impact on the project as a result of the risk. For example:
“The project schedule may slip, budget may increase and project scope may not be achieved.”
5. Likelihood – The estimated likelihood or probability that the risk will occur at some point and become a
project issue. This can be qualitative: high, medium, or low; but it can also be quantitative if enough
information is available. For our example, we know that resources have been over-committed in the past and
we assess the likelihood of occurrence as “High.”
6. Consequence – The potential consequence or impact of the risk if it did become a project issue. For our
project, time is a fixed constraint, and so any risk that has the potential to significantly delay the project
schedule has a “High” consequence.
7. Risk Rank – This is the magnitude or the level of the risk. It is a combination of likelihood and
consequence. As they are both “High” in our example, then the risk rank is also “High.”
8. Risk Trigger – What are the triggers that would indicate the need to implement contingency plans?
“If resource conflicts have not been resolved three weeks before the scheduled start date, then
implement contingency plans.”
These last four elements record the outcomes of the Risk Response and Mitigation phase.
9. Prevention Plan – This is an action plan to prevent the risk from occurring. For our example, the Prevention Plan includes: Liaise
with functional managers and team members to pre-empt future conflicts; and specify and agree resource needs (staff and
equipment) with functional managers.
10. Contingency Plan – This is an action plan to address the risk if it does occur. For our example, the Contingency Plan includes:
“Train and up-skill existing team members in combination with HR department.”
11. Risk Owner – This is the person responsible for managing the risk and implementing the Prevention or Contingency Plans.
Stakeholders, members of the project team, the Project Manager and the Project Sponsor can all be risk owners.
12. Residual Risk – This is the risk that remains after treatment is carried out. After treatment, we assess the residual risk level as
“Low.” Residual risk must fall within management’s stated risk tolerance.
Risk Awareness
● Awareness powerful in creating culture, forming ethics, and influencing
behavior
○ Involves each member of the team (proactive)
● Acknowledges that risk is an integral part of the business
The Risk Awareness Program
● The Risk Awareness program:
○ Creates understanding of risk, risk factors, and types of risk
○ Should be tailored to the needs of the groups within an organization
○ Should not disclose vulnerabilities or ongoing investigations
● Can serve to mitigate risk through education on policy and procedures
● Management training: Highlight need for management a supervisory role/oversee actions of staff
● Senior management training: Highlight liability, need for compliance, due care and due
diligence/culture and ownership
Risk Assessment
2.1 Risk Identification vs. Risk Assessment
● Risk identification
○ The process of determining and documenting the risk that an enterprise faces
○ Documentation of assets and their values
● Risk Assessment
○ A process used to identify and evaluate risk and its potential effects
○ Assessing critical functions and defining controls in place
Current State of Controls
● Audit
● Control tests: Selected to address one or more specific type of risk
● Incident reports
● IT operations feedback
● Logs: Valuable but underutilized
● Media reports
● Observation
● Self-assessments
● Third-party assurance
● User feedback
● Vender reports
● Vulnerability assessments/penetration tests
Risk and Control Analysis
● Compare current state against desired state
○ Gap analysis
○ Maturity models
○ Effectiveness of controls
● Data analysis
○ Are all of the data available?
○ Have any of the data been altered or changed?
○ Are the data in the correct format?
○ Are the data based on measuring important factors?
Risk and Control Analysis
● Threat and misuse case modeling
○ Misuse case modeling looks at all the possible errors, mistakes
or ways a system can be misused
○ Threat modeling examines the ways a system can be attacked and
used for a purpose for which the system was never intended
● Root cause analysis: establish origins of events (root cause) to learn from
consequences
○ Pre-mortem: a facilitated workshop where the group is told to
pretend that the project has failed and then they are to discuss why
it has failed
Gap Analysis
Monitoring Risk
● Key performance indicators (KPIs)
○ Measure that determines how well the process is performing in
enabling the goal to be reached
● Key risk indicators (KRIs)
○ A subset of risk indicators that are highly relevant and possess a
high probability of predicting or indicating important risk
● Key goal indicators (KGIs)
○ A measure that tells management, after the fact, whether an IT
process has achieved its business requirements and is usually
expressed in terms of information criteria
Risk Assessment Methodologies
● Risk analysis provides data necessary for risk response activity
● Two main methods
○ Quantitative
○ Qualitative
○ Hybrid: Semi-quantitative
Qualitative Risk Assessment
● Based on scenarios or descriptions of situations that may have
occurred or may occur
● Feedback based on a range of values:
○ Very low
○ Low
○ Moderate
○ High
○ Very high
● Results usually conveyed in a table that compares likelihood with impact
● Problem: Does not provide hard numerical values
Quantitative Risk Assessment
● Based on numerical calculations
● Suitable for cost-benefit analysis
● Can be difficult to place a value on subjective elements of risk
● Calculating the cost of an event
○ Unpredictable depending on many factors
● Threat/vulnerability pairings
○ Be aware of relationships between threats and vulnerabilities
Semi-Quantitative Risk Assessment
● Combines elements of qualitative and quantitative risk assessment
● Uses a range of values used to assess risk
● Provide meaningful ways to determine the difference between the
various risk levels
Semi-Quantitative Risk
Risk Ranking
● Completed following results of risk assessment
● Combination of all components of risk OCTAVE®
● Used to identify, prioritize and manage information security risk
● Includes measuring capability and maturity of risk management processes
2.8 Business-related Risk
● IT risk assessment report must express risk in terms that management can understand
○ Use business terms
○ Refrain from highly technical/IT-specific terminology
● Business processes and initiatives
○ IT risk assessment process must be aligned with the direction of the business Risk should be
examined with changes to business processes
● Management of IT operations
○ Risk depends on culture
○ IT management should be active in mitigating risk
2.8 Business-related Risk (2)
● Required for all certification holders
● Support the implementation of, and encourage compliance with, appropriate standards, procedures
and controls for information systems
● Perform their duties with objectivity, due diligence and professional care, in accordance with
professional standards and best practices
2.9 Risk Associated with Enterprise Architecture
Risk Scenarios Hardware
Hardware includes: Risk associated are:
● Central processing units (CPUs) ● Outdated hardware
● Motherboards ● Poorly maintained hardware Misconfigured
● RAM ROM hardware Poor architecture
● Networking components ● Lack of documentation Lost, misplaced or
● Firewalls and gateways stolen hardware
● Keyboards ● Hardware that is not discarded in a secure
● Monitors manner
● Sniffing or capturing traffic Physical access
● Hardware failure Unauthorized hardware
Risk Scenarios Software
● Risk associated with software includes:
○ Logic flaws or semantic errors
○ Bugs (semantic errors)
● Lack of patching
● Lack of access control
● Disclosure of sensitive information
● Improper modification of information
● Loss of source code
● Lack of version control
● Lack of input and output validation
Risk Scenarios Software
Operating systems Risk associated: Applications Risk associated:
● Unpatched vulnerabilities ● Poor or no data validation Exposure of sensitive
● Poorly written code data Improper modification of data Logic flaws
● Complexity Misconfiguration ● Software bugs Lack of logs
● Weak access controls ● Lack of version control Loss of source
● Lack of interoperability code
● Uncontrolled changes ● Weak or lack of access control
● Lack of operability with other software
● Back doors
● Poor coding practices
Risk Scenarios Utilities
Environmental utilities risk associated: Software utilities risk associated:
● Power interruptions ● Use of outdated drivers
● Losses ● Unavailability of drivers
● Generators ● Unpatched drivers
● Batteries ● Use of insecure components
● HVAC ● Unpatched vulnerabilities
● Water
● Secure operational area
Risk Network Components
Risk associated with:
● Network configuration and management
● Network equipment protection
● The use of layered defense
● Suitable levels of redundancy
● Availability of bandwidth
Risk Network Components (2)
● Use of encryption for transmission of sensitive data
● Encryption key management
● Use of certificates to support public key infrastructure
● Damage to cabling and network equipment
● Tapping network connections and eavesdropping on communications
● Choice of network architecture
● Documentation of network architecture
Risk Scenarios: Network Components
● Firewalls
○ Packet Filters
○ Stateful Firewalls
○ Proxy Servers
● Domain name system
○ Rogue DNS
○ Poisoning
Risk Scenarios: Network Components (2)
● Wireless access point
○ Rogue Access Points
○ Evil Twin
● Routers
● Switches
● VLANs
Risk Scenarios: Network Architecture
Risk Scenarios: Network Architecture
● Local area network
● Wide area network
● Virtual private network
● Length and location
● Encryption
● Demilitarized zone
● Extranet
● User interfaces
Risk Scenarios: Data Management
● Clear ownership of data can be a significant risk
● Staff awareness of risk associated with improper data management
● Review processes and policies and compliance
Why Monitor?: New Threats and Vulnerabilities
● Risk environment always changing
● Ensure that new threats and vulnerabilities are evaluated during IT risk
assessment
● Work with owners to determine responses
● Pressure to implement new technologies
○ Often can cause organizations to lose sight of the business risk
● Foresight and forecasting
● Evaluate and assess the approach of the organization
● Should not ignore new technologies as they may already be in use
Risk Scenarios: Industry Trends
● Failure to see changing trends can result in loss of market share
● Failure of IT to support a new business model may result in loss to the
organization
● Assess the maturity of the department and organization toward new trends
Risk Scenarios: 3rd Party Risk
● Third-party Management
○ Data and business process ownership remains with the
organization doing the outsourcing, including security
requirements
Risk Scenarios: 3rd Party Risk (2)
○ Risks associated with outsourcing include:
■ Hiring and training practices of the supplier
■ Reporting and liaison between the outsourcing organization
and supplier
■ Time to respond to any incidents
■ Liability for non-compliance with terms of the contract
■ Nondisclosure of data or business practices
■ Responding to requests from law enforcement
■ Length of contract and terms for dissolution/termination of
contract
■ Location of data storage including backup data
■ Separation between data and management of data of
competing firms
Risk Scenarios: 3rd Party Risk (3)
○ Outsourcing: Considered from risk/regulatory perspective
■ Contracts should address security and regulatory requirements
○ Contractual requirements
○ Service level agreements/Contractual requirements with customer
Risk Scenarios: The Cloud
● Unauthorized access to customer and business data
● Security risks at the vendor
○ The character of the vendor’s employees
○ The security of the vendor’s technology
○ The access the vendor has to their data
● Compliance and legal risks
○ Where the data resides
○ Who is allowed to access it
○ How it is protected
● Risks related to lack of control
● Availability risks
Cloud Computing Risks
When thinking about risks related to using cloud
services, what are the top concerns?
2.15 Project and Program Management
Reasons IT projects fail:
● Unclear or changing requirements Scope creep

● Lack of budget
● Lack of skilled resources Problems with technology
Delays in delivery of supporting elements/
● equipment Unrealistic timelines
● Lack of progress reporting
● Lack of good project management leads to: Loss
of business
2.15 Project and Program Management (2)
Reasons IT projects fail:
● Loss of competitive advantage Low morale among staff

● members
● Inefficient processes
● Lack of testing of new systems or changes to existing
systems Impact on other business operations
● Failure to meet SLAs or contractual requirements
● Failure to comply with laws and regulations
System Development Lifecycle (SDLC)
2.16 Business Continuity and Disaster Recovery Management
● Purpose is to enable a business to continue offering critical services in the event of
a disruption
● Identify business processes of strategic importance
● Risk assessment based on these processes
● Primary responsibilities of senior management BCP/DRP
solutions may differ based on scenario
Business Continuity Plan/Disaster Recovery Plan
● Business continuity plan -
○ Business continuity focuses on continuing critical business operations in the event
of a crisis and having plans in place to support those operations until the business
can return to normal operations
○ Business impact analysis Examines the impact of an outage over time
● Disaster recovery plan -
○ The recovery of business and IT services following a disaster or incident within a
predefined schedule and budget
○ Review along with the BCP to ensure they are up to date, reflect risk scenarios and
have been tested
2.17 Exception Management Practices
● Cases may exist where exceptions to policies, procedures and
standards are needed
● Only allowed through a documented, formal process that requires
approval from senior management
● Should be removed when no longer needed
2.18 IT Risk Assessment Report
● Results of risk assessment should indicate gaps between current risk state and desired
state
● Risk assessment report should provide management documentation of risk along with
recommendations for addressing any outstanding risk issues
○ Justifiable and linked with results of the risk assessment
○ Document process used and results of the risk assessment
State risk levels and priorities
2.18 IT Risk Assessment Report
The risk assessment report normally includes:
● Objectives of the risk assessment process
● Scope and description of the area subject to assessment External context and factors
affecting risk
● Internal factors or limitations affecting risk assessment Risk assessment criteria
● Risk assessment methodology used Resources and references used
● Identification of risk, threats and vulnerabilities Assumptions used in the risk
assessment
● Potential of unknown factors affecting assessment
● Results of risk assessment Recommendations and conclusions
2.19 Risk Ownership and Accountability
● Each risk must be linked to an owner
○ Makes decision on the best response to the identified risk
● Owner must be at a level in the organization where they can make the
necessary decision and can be accountable
● Ownership with an individual is needed for accountability
2.21 Summary
● During risk assessment, the risk practitioner has a responsibility to assess
or determine the severity of each risk facing the organization.
● The risk practitioner should also validate the work of the previous phase
and ensure that, as much as possible, all risk is identified, assessed,
documented and reported to senior management.
Risk Response and Mitigation
Aligning Risk Response with Business Objectives
● Management must always be aware of the drivers for risk management,
such as compliance with regulations and the need to support and align
the risk response with business priorities and objectives.
● Management is responsible for evaluating and responding to the
recommendations included in the risk report provided following risk
assessment.
Exclusive to Cybrary for Business customers and Cybrary Insider Pros. Live online certification
prep, speciality knowledge, skill and ability training, product training and more!
3.2 Risk Response Options
● Four options for risk response:
1. Risk acceptance
2. Risk mitigation
3. Risk avoidance
4. Risk transfer
Risk Acceptance
● A conscious decision made by senior management to recognize the existence of risk and
knowingly decide to allow (assume) the risk to remain without (further) mitigation
○ Management responsible for impact of the risk event
● Defined as the amount of risk that senior management has determined is within
acceptable or permissible bounds
○ Not the same as risk ignorance, which is the failure to identify or acknowledge risk
● Risk tolerance: An exception when senior management decides to exceed risk acceptance
levels
Risk Acceptance (2)
● Examples of risk acceptance:
○ It is predicted that a certain project will not deliver the required business functionality by the
planned delivery date. Management may decide to accept the risk and proceed with the project.
○ A particular risk is assessed to be extremely rare but very important (catastrophic), and
approaches to reduce it are prohibitive. Management may decide to accept this risk.
● Risk acceptance often based on poorly calculated risk levels
● Level of risk and impact is always changing, so regular reviews are needed
Risk Mitigation
● Risk mitigation means that action is taken to reduce the frequency and/or
impact of a risk
○ May require the use of several controls until it reaches levels of
risk acceptance or risk tolerance
Risk Mitigation (2)
● Examples of risk mitigation:
○ Strengthening overall risk management practices, such as implementing sufficiently
mature risk management processes
○ Deploying new technical, management or operational controls that reduce either the
likelihood or the impact of an adverse event
○ Installing a new access control system
○ Implementing policies or operational procedures
○ Developing an effective incident response and business continuity plan (BCP)
○ Using compensating controls
Risk Avoidance
● Risk avoidance means exiting the activities or conditions that give rise to risk
○ Applies when no other risk response is adequate
● Examples of risk avoidance are:
○ Relocating a data center away from a region with significant natural hazards
○ Declining to engage in a very large project when the business case shows a notable risk of
failure
○ Declining to engage in a project that would build on obsolete and convoluted systems
because there is no acceptable degree of confidence that the project will deliver anything
workable
○ Deciding not to use a certain technology or software package because it would prevent future
expansion
Risk Sharing/Transfer
● Risk transfer is a decision to reduce loss through sharing the risk of loss
with another organization (ex., purchasing insurance)
● Partnerships with another organization are an example
● Decision should be reviewed on a regular basis
Analysis Techniques
● Analysis techniques can help management to determine the best risk response
Considerations for selecting a response include:
○ The priority of the risk as indicated in the risk assessment report
○ The recommended controls from the risk assessment report
○ Any other response alternatives that are suggested through further analysis
○ The cost of the various response options, including:

requirements for compliance with regulations or legislation
○ Alignment of the response option with the strategy of the organization
○ Possibility of integrating the response with other organizational initiatives
○ Compatibility with other controls in place
○ Time, resources and budget available

Cost-Benefit Analysis
● Used to justify expense associated with the control
● Factors used in calculating the total cost of the control:
○ Cost of acquisition
○ Ongoing cost of maintenance
○ Cost to remove/replace control
Cost-Benefit Analysis (2)
● Factors used in calculating benefit realized from the control:
○ Reduced cost of risk event
○ Reduced liability
○ Reduced insurance premiums Increased
customer confidence
○ Increased shareholder confidence
○ Trust from financial backers Faster
recovery
○ Better employee relations (safety)
Return on Investment
● ROI is often used as a method of justifying an investment
○ The investment is expected to pay for itself within a set time period
● Can be difficult to determine cost of control because it is hard to
predict the likelihood of an attack
● Return on security investment refers to ROI in relation to payback for
security controls
○ Cost may or may not provide a direct benefit in the future, like the
purchase of insurance
3.4 Vulnerabilities Associated with New Controls
● New controls present benefits as well as new risk and
vulnerabilities
● Example: An access control system
○ Pro: Protects from unauthorized access
○ Con: Affects normal users who forget passwords, resulting in
increased denial of service and more calls for technical assistance
Control Design & Implementation
● Controls may be proactive (safeguards) or reactive
(countermeasures)
● Risk assessment should determine the effectiveness of current
controls to mitigate risk
● In cases where current controls are not sufficient, controls must be
adjusted or new controls implemented
Control Groups
● Technical (Logical)
○ Firewalls
○ Encryption
○ ACLs
● Physical
○ Door locks
○ Security Guard
○ Mantraps
● Managerial (Administrative)
○ Policy
○ Directives
○ Standard Operating Procedures
Administrative, Technical & Physical Controls
Control, Design & Implementation
3.7 Control Design & Implementation
Control Standards & Framework
● Many industries have standards that can be used as benchmarks for
security
○ Some industries require compliance
● Control framework: a set of fundamental controls that facilitates the
discharge of business process owner responsibilities to prevent financial
or information loss in an enterprise
3.9 Characteristics of Inherent & Residual Risk
● Inherent risk: the risk level or exposure without taking into account the
actions that management has taken or might take (e.g., implementing
controls)
○ Higher level of inherent risk may require additional controls
● Residual risk = Total risk – Control effectiveness
○ Residual risk should be reduced to a level ≤ acceptable risk
3.10 Control Activities, Objectives, Practices, & Metrics
● Reducing IT risk to acceptable risk levels requires measurement and
monitoring
● This phase supports the risk and control monitoring and reporting phase
by putting mechanisms into place to measure risk and controls
The System Development Cycle
● Risk must be evaluated and monitored at all points during the
SDLC.
● New risk may emerge as the system moves through the SDLC.
● The risk practitioner should be alert to circumstances where the
development team is not following the standards and policies of the
organization regarding system development or the implementation of
controls.
The System Development Cycle (SDLC)
Business Continuity & Disaster Recovery Management
● The business impact analysis (BIA) is used to identify risk and the impact
of an incident so that step can be taken to prevent or respond effectively
to an incident.
● When changes are made, this may impact business continuity or
disaster recovery management.
Summary
● Risk response options are examined based on the risk assessment, and
the appropriate response is selected.
● Projects and programs designed to implement the risk response are
documented on the risk register.
● Changes in risk and effectiveness of controls should continue to be
monitored.
Risk and Control Monitoring and Reporting
Continuous Monitoring
● A risk response is designed and implemented based on a risk assessment
that was conducted at a single point in time
● Because of the changing nature of risk and associated controls, ongoing
monitoring is an essential step of the risk management life cycle.
○ Controls can become less effective
○ The operational environment may change, and
○ New threats, technologies and vulnerabilities may emerge
4.1 Key Risk Indicators
● Examples of KRIs:
○ Quantity of unauthorized equipment or software detected in scans
○ Number of instances of SLAs exceeding thresholds
○ High average downtime due to operational incidents
○ Average time to deploy new security patches to servers
○ Excessive average time to research and remediate operations incidents
○ Number of desktops/laptops that do not have current antivirus signatures or have not run a full
scan within scheduled periods
4.1 Key Risk Indicators (2)
● KRIs support:
○ Risk appetite
○ Risk identification
○ Risk mitigation
○ Risk culture
○ Risk measurement and reporting
○ Regulatory compliance
● Good metrics are SMART
○ Specific
○ Measurable
○ Attainable
○ Relevant
○ Timely
● Benefits of KRIs
○ Provide early warning
○ Provide backward-looking view on risk events
○ Enable documentation and analysis of trends
○ Provide an indication of risk appetite and tolerance
○ Increase the likelihood of achieving strategic objectives
○ Assist in optimizing risk governance
KRI Selection
● The risk practitioner should work with relevant stakeholders to ensure
buy-in and ownership
○ KRIs should not focus solely on IT
● Other factors that can influence KRI selection
○ Balance
○ Root cause
KRI Effectiveness
● Impact
● Effort
● Reliability
● Sensitivity
● Repeatable
KRI Optimization
KRI Maintenance
● KRIs need to change over time
● KRIs are related to risk appetite and risk tolerance levels
● Trigger levels should be defined at a point that enables enough time to
take appropriate action
Key Performance Indicators
● A KPI is a measure that determines how well the process is
performing in enabling the goal to be reached.
● KPIs are indicators of whether or not a goal will likely be reached.
● KPIs are used to set benchmarks for risk management goals and monitor
whether these goals are being attained.
Key Performance Indicators
● KPIs should be:
○ Valuable to the business
○ Tied to a business function or service
○ Under the control of management
○ Quantitatively measured
○ Used repeatedly in different reporting periods
● Examples:
○ Network availability
○ Customer satisfaction
○ Number of complaints resolved on first contact
○ Response time for data
○ Number of employees that attended awareness sessions
Using KPIs with KRIs
Data Collection and Extraction Tools & Techniques
● Internal Data Sources Include:
○ Audit reports
○ Incident reports
○ User feedback
○ Observation
○ Interviews with management
○ Security reports
○ Logs
Logs
● Analysis of log data should answer the following:
○ Are the controls operating correctly?
■ Is the level of risk acceptable?
■ Are the risk strategy and controls aligned with business strategy and priorities?
■ Are the controls flexible enough to meet changing threats?
○ Is correct risk data being provided in a timely manner?
■ Is the risk management effort aiding in reaching corporate objectives?
■ Is the awareness of risk and compliance embedded into user behaviors?
● Logs may contain sensitive information and may be needed for forensic purposes
● Logs should not contain too much information
Security Event & Incident Management (SEIM)
External Sources of Information
● External data sources can include:
○ Media reports
○ Computer emergency response team (CERT) advisories
○ Security company reports
○ Regulatory bodies
○ Peer organizations
Changes to the IT Risk Profile
● Changes in the risk profile are the result of:
○ New technologies
○ Changes to business procedures
○ Mergers or acquisitions
○ New or revised regulations
○ Changes in customer expectations
○ Actions of competitors
○ Effectiveness of risk awareness programs
Monitoring Controls
The steps to monitoring controls are:
1. Identify and confirm risk control owners and stakeholders.
2. Engage with stakeholders and communicate the risk and information security requirements and
objectives for monitoring and reporting.
3. Align and continually maintain the information security
○ Monitoring and evaluation approach with the IT and enterprise approaches.
4. Establish the information security monitoring process and procedure.
5. Agree on a life cycle management and change control process for information security monitoring
and reporting.
6. Request, prioritize and allocate resources for monitoring information security.
Monitoring Controls
● The purpose of control monitoring is to verify whether the control is
effectively addressing the risk.
● The purpose of risk monitoring is to collect, validate and evaluate goals
and metrics, to monitor that processes are performing as expected, and
to provide reporting.
● Monitoring may be done through self-assessment or independent
assurance reviews.
● The risk practitioner should encourage management and process
owners to positive ownership of control improvement.
Vulnerability Assessments
● A vulnerability assessment is a thorough review of an entire system or
facility, and it is intended that the assessment will provide a good,
complete review of all security controls, including both technical and
nontechnical controls.
● It is used to identify any gaps or misconfigurations in the security
profile of the organization.
● Generates a number of false positives/noise.
Penetration Tests
● A targeted attempt to break into a system or application (or in a
physical test, to break into a building)
● Uses results of a vulnerability assessment
● If successful, the vulnerability must be mitigated
○ If unsuccessful, mitigation may not be required
● Should only be conducted with management approval and through
defined methodology and oversight
Third-Party Assurance
● Can be used to earn customer and shareholder confidence
● May be based on an external IS audit or certification of compliance with
an international standard (i.e.,COBIT 5, ISO/IEC 27001)
○ Another source is SSAE 16
Results of Control Assessments
● The effectiveness of control monitoring is dependent on the:
○ Timeliness of the reporting—Are data received in time to take corrective action?
○ Skill of the data analyst—Does the analyst have the skills to properly evaluate the
controls?
○ Quality of monitoring data available—Are the monitoring data accurate and complete?
○ Quantity of data to be analyzed—Can the risk practitioner find the important data in the
midst of all the other log data available?
Maturity Model Assessment & Improvement Techniques
● The risk practitioner must be committed to continuous
improvement
○ A mature risk management program will be better at preventing,
detecting and responding to events
● Maturity comes from practice and learning from past events Is
frequently used to assess gap analysis
Maturity Model Assessment & Improvement Techniques
● Review IT risk management objectives and goals on a periodic/annual basis.
● The following areas should be continually monitored:
○ New assets
○ Changes to the scope of risk assessment
○ Changes in business priorities, assets, services, products and operations
○ Risk acceptance levels
○ New threats Newly discovered vulnerabilities
○ Possibility of increased risk due to aggregation of threats and
vulnerabilities
○ Incidents
○ Logs and other data sources
○ People and the morale of the organization
○ Changes in the supply chain
○ Changes in the financial markets
● Risk practitioner has a key role in ensuring that management is aware
of the current IT risk profile and that risk is managed in a way that
meets management objectives.
● Risk practitioner works with risk owners, IT, third parties, incident
response teams and auditors to monitor risk.
● Lessons learned are used to improve the risk management process.
Summary
● As risk is identified and assessed, the risk owners select the appropriate
response to the risk and create risk action plans to implement or modify
controls selected to mitigate risk.
● As controls to mitigate risk are designed and developed, the risk owner also
mandates the development of the ability to monitor and report on the
effectiveness of the controls.
● Regular monitoring and reporting on risk is essential to management, and the use of
KPIs and KRIs assists management in the monitoring of trends, compliance and issues
related to risk.
● Risk management is a never-ending process.
● IT risk and controls should be continuously monitored and reported on to ensure

continued efficiency and effectiveness.
Domain 3
Information
Domain 1 Security
Program Development
Information
and Management
Security
Governance
Information Security Program
● As defined by ISACA the goal of this domain is to “Develop and maintain
an information security program that identifies, manages and protects
the organization’s assets while aligning to information security strategy
and business goals, thereby supporting an effective security posture.”
Key Information Security Program Elements
Technology Process
People
Key Information Security Program Elements
-Training
Technolog -Awareness Proces
y -HR Policies s
-Background Checks
-Roles / responsibilities
-Mobile Computing
-Social Engineering
-Social Networking
-Acceptable Use
-Policies
-Performance Mgt
-System Security -Risk Management
-UTM. Firewalls -Asset Management
-IDS/IPS People -Data Classification
-Data Center -Info Rights Mgt
-Physical Security -Data Leak Prevention
-Vulnerability Assmt -Access Management
-Penetration Testing -Change Management
-Application Security -Patch Management
-Secure SDLC -Configuration Mgmt
-SIM/SIEM -Incident Response
-Managed Services -Incident
Management
Essential Information Security Practices
● Management Commitment
● Risk Management
● Asset Inventory and Management
● Change Management
● Incident Response and Management
● Configuration Management
● Training and awareness
● Continuous Audit
● Metrics and Measurement
Essential Information Security Practices (2)
● Vulnerability Assessment
● Penetration Testing
● Application Security Testing
● Device Management
● Log Monitoring, Analysis, and Management
● Secure Development
Security Program Requirements
● Must develop an enterprise security architecture at conceptual, logical, functional, and
physical levels
● Must manage risk to acceptable levels
○ Risk develops the Business Case that convinces mgmt. security should be performed
● Must be defined in business terms to help non-technical stakeholders understand and endorse
program goals
● Must provide security-related feedback to business owners and stakeholders
● Must address risks in relation to the five categories of assets (See next slide)
Security Safeguards as They Relate to the Five Types of Assets
Security Program are Based on Frameworks
● ISO 27000 Series
● COBIT
● COSO
● TOGAF
● Zachman
● SABSA
IS 27001/27002
ISO 27002 Culture and Controls
● ISO27001 is a culture one has to build in the organization which would
help to:
○ Increase security awareness within the organization
○ Identify critical assets via the Business Risk Assessment
○ Provide a framework for continuous improvement
○ Bring confidence internally as well as to external business partners
○ Enhance the knowledge and importance of security-related issues
at the management level
● Combined framework to meet multiple client
requirements/compliance requirements
ISO 27000
Process Development
● Examine Current state vs. Desired State
● Look to close the gaps
● Consider a Maturity Model to help assess missing processes
SSE-CMM: System Security Engineering Capability Maturity Model
Level 1 - Performed Informally
● Security design is poorly-defined
● Security issues are dealt with in a reactive way
● No contingency plan exists
● Budgets, quality, functionality and project scheduling is ad hoc
● No Process Areas
Level 2 - Planned & Tracked
● Common Features include:
○ Planning Performance
○ Disciplined Performance
○ Verifying Performance
○ Tracking Performance
○ Procedures are established at the project level
○ Definition, planning & performance become de-facto standards
from project to project
○ Events are tracked
Level 3 - Well Defined
○ Defining a Standard Process
○ Perform the Defined Process
○ Coordinate Security Practices
○ Standardized security processes across organization
○ Personnel are trained to ensure knowledge and skills
○ Assurance (audits) track performance
○ Measures are defined based upon the defined process
Level 4 - Quantitatively Controlled
● Measurable goals for security quality exist
● Measures are tied to the business goals of the organization
○ Establish Measurable Quality Goals
○ Objectively Manage (SLA) Performance
Level 4 - Quantitatively Controlled
○ Improve Organizational Capability
○ Improve Process Effectiveness (ROI)
○ Continuous improvement arise from measures and security events
○ New technologies and processes are evaluated
Security Baseline
“We hope to be
“We are at 50% COBIT Level 3
compliance but
(Or NIST compliant)
are striving for
100%” within one year”
Today’s Goal
Baseline Baseline
Security Standards
● These standards can be used to develop or advance a security program (if
one is not in place):
Gap Analysis: What do we need to do to
○ ISO/IEC 27001 achieve our goal?
○ ISACA COBIT
Where Where we
we are want to be
COBIT Levels
Lvl Lvl Lvl Lvl Lvl Lvl
0 1 2 3 4 5
Nonexistent Initial/Ad hoc Defined Optimized
Process
Repeatable Managed &
but intuitive Measurable
Security Functions
Monitor industry practices Provide
recommendations
Metrics, investigation, security
escalation
Strategy
Policy,
Compliance Policy Procedure,
Standards
Monitoring Awareness Training &

Publishing
Testing, logs, Implementation

metrics
Security architecture and

engineering
Security Policy
● Policy - First step to developing security infrastructure
● Set direction for implementation of controls, tools, procedures
● Approved by senior management
● Documented and communicated to all employees and associates
Example Policies
● Risks shall be managed utilizing appropriate controls and countermeasure to achieve
acceptable levels at acceptable costs
● Monitoring and metrics shall be implemented, managed, and maintained to provide ongoing
assurance that all security policies are enforced and control objectives are met
● Incident response capabilities are implemented and managed sufficient to ensure that incidents
do not materially affect the ability of the organization to continue operations
● Business continuity and disaster recovery plans shall be developed, maintained and tested in a
manner that ensures the ability of the organization to continue operations under all conditions
Security Policy Document
● Definition of information security
● Statement of management commitment
● Framework for approaching risk and controls
● Brief explanation of policies, minimally covering regulatory compliance,
training/awareness, business continuity, and consequences of violations
● Allocation of responsibility, including reporting security incidents
● References to more detailed documents
Policy Documentation
Policy = Direction for Control
Employees must understand intent
Philosophy of organization
Auditors test for compliance
Created by Senior Mgmt Reviewed
periodically
Procedures: Standards: Guidelines

Detailed steps to An image of Recommendations
implement a policy. what is and acceptable
Written by process acceptable alternatives
owners
Policies, Procedures, Standards
● Policy Objective: Describes ‘what’ needs to be accomplished
● Policy Control: Technique to meet objectives
● Procedure: Outlines ‘how’ the Policy will be accomplished

● Standard: Specific rule, metric or boundary that implements policy
Policies, Procedures, Standards (2)
● Example 1:
○ Policy: Computer systems are not to be exposed to illegal,
○ inappropriate, or dangerous software
○ Policy Control Standard: Allowed software is defined to include ...
○ Policy Control Procedure: A description of how to load a computer with required software.
● Example 2:
○ Policy: Access to confidential information is controlled
○ Policy Control Standard: Confidential information SHALL never be emailed without being
encrypted
○ Policy Guideline: Confidential info SHOULD not be written to a
○ memory stick
● Discussion: Are these effective controls by themselves?
Corporate Policies
Monitoring: Includes Metrics
● Metrics inform management (and independent auditors) of the
effectiveness of the security program
● Monitoring achievement of control objective may be more important
than perfecting security procedures
Monitoring Function: Metrics
● Project Plan or Budget Metrics
● Risk performance
● Disaster Recovery
Strategic ● Test results
Metrics
● Audit results
● Regulatory compliance results
● Policy compliance metrics

Metrics
● Exceptions to
policy/standards ● Vulnerability Scan results
Tactical Operational
● Changes in process or Metrics ● Server configuration.
Metrics
system affecting risk standards compliance
● Incident ● IDS monitoring results
management ● Firewall log analysis
effectiveness ● Patch management
status
Monitoring Function: Metrics
Risk: Cost Effectiveness:
● The aggregate ALE What is:
● % of risk eliminated, mitigated, ● Cost of workstation security per user
transferred ● Cost of email spam and virus protection
● # of open risks due to inaction per mailbox
Operational Performance Organizational Awareness:
● Time to detect and contain incidents % of employees passing quiz, after training
● % packages installed without problem vs. 3 months later
● % of systems audited in last quarter % of employees taking training
Technical Security Architecture Security Process Monitoring:
● # of malware identified and ● Last date and type of BCP, DRP, IRP testing
neutralized ● Last date asset inventories were
● Types of compromises, by severity & reviewed & updated
attack type ● Frequency of executive mgmt review
● Attack attempts repelled by control activities compared to planned
devices
● Volume of messages, KB processed by
communications control devices
Metrics Selected
What are the most important areas to monitor in your organization?
● Malware Infestation ● Cracking Attempt
● Web Availability
● Brute Force Attacks
Major Risks:
Category Metric Calculation & Collection Period of
Method Reporting
Strategic Cost of security/terminal Information Tech. Group 1 year
Cost of incidents Incident Response totals 6 months
Tactical % employees passing Annual email 1 year
CISM Exam requesting testing
results
% employees Two annual trainings 1 year
completing CISM with sign-in.
training Performance review
# Hours Web unavailable Incident Response form 6 months
Operational # brute force attacks Incident Response form 1 month
# malware infections Incident Response form 1 month
Procurements and Contracts
● Managing Outside services
● NSA/CSS and SA-CMM
● OSD Acquisition Reform
● Contracts
● SLAs
Managing Outside Services
“Develop and follow a set of procedures and standards that is consistent with
the business organization’s overall procurement process and acquisition
strategy to acquire IT-related infrastructure, facilities, hardware, software and
services needed by the business.” --ISACA
Service Level Agreements
● Usually a legally binding contract that offers guarantees usually centering
on performance and reliability of procured systems, as well as response
times from the vendor.
● Could also be used internally from department to department
● A form of risk transference
● Metrics should be clearly defined in the SLA
● Usually offer some sort of financial compensation if the metrics are not
met
Contracts
● Legally binding agreement between parties
● Should be in writing and modified in writing
● Five elements necessary for a contract to be legally binding:
● Competency/Capacity
● Consideration
● Offer
● Legal
● Acknowledgement
● Breaches are violations of contract
● Damages are often awarded in response to a breach of contract
Third-Party Providers
● Internet service providers, call centers, data processing centers, etc.
● Vicarious liability imposes legal responsibility on an entity when the
entity had nothing to do with actually causing the injury.
○ Often applied through “Respondeat Superior” when a superior is
liable for the actions of his or her employees
● Laws are evolving.
○ Is an ISP responsible for what it’s customers do?
○ Is a software service that provides P2P sharing liable when its
customers use that software to violate copyright restrictions?
Configuration Management
● Defined by ISC2 as “a process of identifying and documenting hardware components,
software and the associated settings.”
● The goal is to move beyond the original design to a hardened, operationally sound
configuration
● Identifying, controlling, accounting for and auditing changes made to the baseline TCB
● These changes come about as we perform system hardening tasks to secure a system.
● Will control changes and test documentation through the operational life cycle of a system
● Implemented hand in hand with change control
● ESSENTIAL to Disaster Recovery
Configuration Management Documentation
● Make
● Model
● MAC address
● Serial number
● Operating System/Firmware version
● Location
● BIOS or other passwords
● Permanent IP if applicable
● Organizational department label
System Hardening & Baselining
● Removing unnecessary services
● Installing the latest services packs and patches
● Renaming default accounts
● Changing default settings
● Enabling security configurations like auditing, firewalls, updates, etc.
● ***Don’t forget physical security!***
Change Management
● Directive, Administrative Control that should be
incorporated into organizational policy.
● The formal review of all proposed changes--no “on-the-fly” changes
● Only approved changes will be implemented
● The ultimate goal is system stability
● Periodic reassessment of the environment to evaluate the need for
upgrades/modifications
The Change Management Process
● Request Submittal
● Risk/Impact Assessment
● Approval or Rejection of Change
● Testing
● Scheduling/User Notification/Training
● Implementation
● Validation
● Documentation
Patch Management
● An essential part of Configuration and Change Management
● May come as a result of vendor notification or penetration testing
● Cve.mitre.org
○ (Common Vulnerability and Exposures) database provides standard conventions for known
vulnerabilities
● Nvd.nist.gov
○ Enables automation of vulnerability management, security measurement, and compliance.
○ NVD includes databases of security checklists, security related software flaws, incorrect
configurations, product names, and impact metrics.
● www.cert.gov
○ Online resource concerning common vulnerabilities and attacks
Patch Management Definition and Scope
● Faster, more systematic testing and an optimized patch rollout reduces
the window of vulnerability on installed systems
CISM Exam Prep Course
Certified Information Security Manager
Starring: Kelly Handerhan

Secure Network Design Concepts
● Network Address Translation
● Virtual Private Networks
● Firewalls
● Virtual LANs
● Secure Single Sign-on
Switch
● Switches will often have numerous ports, and learn which MAC addresses
are on which ports
● Also, switches help reduce collisions on a network
Routers
● Segment traffic into different networks, frequently referred to as
subnets
● Connect different network addresses
● Isolate Broadcast traffic (not natively done on a switch)
VLANs
● A VLAN is the concept of creating multiple broadcast domains (LANs) on a
single switch
● Much cheaper than a router
● Unable to connect different networks, unless using a Layer 3 switch
VLANs
DMZ
Firewalls
● Firewalls: Allow/Block traffic based on rules called ACLs (Access
Control Lists)
● Static Packet Filters: Base decisions on Source/Destination IP Address

and Port
● Stateful inspection. Knowledge of who initiated the session. Can block

unsolicited replies.
● Protocol Anomaly firewalls— can block traffic based on syntax being

different than the RFC would specify
● Application Proxies/Kernel Proxies: Make decisions on Content,
Active Directory Integration, Certificates, Time
Firewalls
Firewalls
● Enforce network policy.
● Usually, firewalls are put on the perimeter of a network and allow or deny
traffic based on company or network policy.
● MUST have IP forwarding turned off*
● Firewalls are often used to create a DMZ.
● Generally are dual/multi homed*
● Types of firewalls
Packet Filter
● Uses Access control lists (ACLs), which are rules that a firewall applies to
each packet it receives.
● Not state full, just looks at the network and transport layer packets (IP
addresses, ports, and “flags”)
○ Do not look into the application, cannot block viri etc.
○ Generally do not support anything advanced or custom

Packet Filter
● Uses Access control lists (ACLs), which are rules that a firewall applies to
each packet it receives.
● Not state full, just looks at the network and transport layer packets (IP
addresses, ports, and “flags”)
○ Do not look into the application, cannot block viri etc.
○ Generally do not support anything advanced or custom

Stateful Firewall
● Router keeps track of a connections in a table
● It knows which conversations are active, who is involved etc.
● It allows return traffic to come back where a packet filter would have to
have a specific rule to define returned traffic*
● Context dependent access control

Application Proxies
● Application Proxies understand the application/protocol they are
proxying/evaluating.
● This allows for additional security as they can inspect the data for
protocol violations or content.
NAT/PAT
● A proxy that works without special software and is transparent to the
end users.
● Remaps IP addresses, allowing you to use private addresses internally

and map them to public IP addresses
● NAT allows a one-to-one mapping of IP addresses
● PAT allows multiple private address to share one public address

SSO Single Sign-On Pros and Cons
● Pros
○ Ease of use for end users
○ Centralized Control
○ Ease of administration
● Cons
○ Single point of failure
○ Standards necessary
○ Keys to the kingdom
Kerberos
● A network authentication protocol designed from MITs project Athena.
○ Kerberos tries to ensure authentication security in an insecure
environment
● Used in Windows 2000+ and some Unix
● Allows for single sign on
● Never transfers passwords
● Uses Symmetric encryption to verify Identifications
● Avoids replay attacks
Kerberos Components
● Principals – users or network services
● KDC – Key Distribution Center, stores secret keys (passwords) for
principals (Consists of Authenticating Server and Ticket Granting Server)
● Tickets
○ Ticket Granting Ticket (TGT) gets you more tickets
○ Service Tickets – access to specific network services (ex. File
sharing)
● Realms – a grouping of principals that a KDC provides service for, looks
like a domain name
Welcome to the Kerberos Carnival
Realm
Cryptography
Domain 1
Information
Security
Governance
Definitions and Concepts
● Plain Text + Initialization Vector + Algorithm + Key
=
Ciphertext
Definitions and Concepts
● Plain text is unencrypted text
● Initialization Vector (IV) adds randomness to the beginning of the process
● Algorithm is the collection of math functions that can be performed
● Key: Instruction set on how to use the algorithm
Symmetric Cryptography
● Symmetric = Same
● In symmetric cryptography the same key is used to both encrypt and decrypt
● Very fast means of encrypting/decrypting with good strength for privacy
● Preferred means of protecting privacy data
● Also can be called “Private Key” “Secret Key” or “Shared Key” Cryptography
Drawbacks to Symmetric Cryptography
● Out of band key exchange
● Not scalable
○ N * (N-1)
2
● No authenticity, integrity, or non-repudiation
Asymmetric Cryptography
● Every user has a key pair.
○ Public key is made available to anyone who requests it
○ Private key is only available to that user and must not be disclosed
or shared
● The keys are mathematically related so that anything encrypted with one
key can only be decrypted by the other.
Review Symmetric vs. Asymmetric
● Symmetric
○ Fast
○ Out of band key exchange
○ No integrity, authenticity or non-repudiation Not
Scalable
● Asymmetric
○ Slow
○ Scales to large organizations well
○ Provides non-repudiation
○ Key exchange does not require exchange of any secret information
Hybrid Cryptography in SSL/TLS
● Client initiates a secure connection
● Server responds by sending it’s public key to the client
● The client then generates a symmetric session key.
● Client encrypts uses the server’s public key to encrypt the session key.
● Client sends the session key (encrypted with the server’s public key) to the server
● Server uses its private key to decrypt the session key
● Now that a symmetric session key has been distributed, both parties have a secure channel
across which to communicate.
Integrity
● Data gets modified
○ Accidentally through corruption
○ Intentionally through malicious alteration
● Hash: only good for accidental modification
● MAC: Provides reasonable authenticity and integrity not strong enough to be
non-repudiation (because it uses a symmetric key)
● Digital Signatures: Can detect both malicious and accidental modification, but
requires an overhead.
○ Provides true non- repudiation
Hashing
● Digital representation of the contents of the file If the file changes, the hash
will change
● One way math
● When two different documents produce the same hash, it is called a collision
● A birthday attack is an attempt to cause collisions. It is based on the idea that
it is easier to find two hashes that happen to match than to produce a specific
hash.
Digital Signature
● Message is hashed.
● Hash is encrypted by Sender’s Private Key.
● SHA-1 is generally used for the hash.
● RSA is the asymmetric encryption algorithm that encrypts the
hash with the sender’s private key.
What Prevents MITM Attacks
● Authentication
● Remember Encryption CANNOT thwart a MITM attack
● Authentication is what prevents MITM
Certificates
● X.509 v.4 standard
● Provides authenticity of a server’s public key
● Necessary to avoid MITM attacks with servers using SSL or TLS
● Digitally signed by Certificate Authority
PKI (Public Key Infrastructure)
● Certificate Authority (CA)
● Registration Authority (RA)
● Certificate Repository
● Certificate Revocation List
Certificate Contents
Certificate Revocation
● CRL: CA publishes CRL. Client is responsible for downloading to see if a certificate has been revoked.
● OCSP (Online Certificate Status Protocol): Streamlines the process of verifying whether or not a
certificate has been revoked.
Certification and Accreditation
● Certification is the technical evaluation of the product’s security mechanisms in a particular
environment.
○ Certification should yield verification
● Accreditation is management’s approval and acceptance of the product and the related risks.
○ Accreditation yields validation
Traditional Evaluation Criteria
● Trusted Computer System Evaluation Criteria (TCSEC)
○ Evaluates Confidentiality
● Information Technology Security Evaluation Criteria (ITSEC)
○ Evaluates Confidentiality, Integrity, and Availability
● Common Criteria (CC)
○ Provided a common structure and language
○ It is an international standard (ISO 15408)
Traditional Evaluation Criteria
Canadian
Orange Book
Criteria
(TCSEC)
(CTCPEC)
1985
1993
UK
Confidence Federal ISO 15408-1999
Levels 1989 Criteria Draft Common Criteria
1993 (CC)
V1.0 1996
German V2.0 1998
Criteria V3.0 1999
ITSEC 1991
French
Criteria
ISO 15408 Protection Profile
Agency requests a specific
security solution
Target of The Vendor provides a

Evaluation solution (product)
Security Target The Vendor provides an

explanation of the solution
Security Functionality Security Assurance

Requirements Requirements
Function and Assurance are

evaluated
Evaluation
Evaluation Assurance EAL is assigned based on

Level Assigned how the ToE satisfies the
Protection Profile
Common Criteria (CC)
● ISO (15408) Standard created in 1993 for global security evaluation
● Made up from TCSEC, ITSEC, and the Canadian version
● Components
● Protection profile
○ a set of security requirements and objectives for the system
● A Protection Profile consists of
○ Descriptive elements – contains the name of the profile and the description of the security problem to solved.
○ Rationale – justifies the profile and provides a detailed description of the real-world problems that need to be
solved.
○ Functional requirements – establishes a protection boundary that the product must provide.
○ Development assurance requirements – Identify the requirements for the various development phases of the
product.
○ Evaluation assurance requirements – establish the type and intensity of the evaluation
Common Criteria CC Ratings
● Rated as Evaluation Assurance Level (EAL) 1 through 7
○ EAL 1 – Functionally tested
○ EAL 2 – Structurally tested
○ EAL 3 – Methodically tested and checked
○ EAL 4 – Methodically designed, tested, and reviewed
○ EAL 5 – Semi formally designed and tested
○ EAL 6 – Semi-formally verified designed and tested
○ EAL 7 – Formally verified designed and tested
What Human Safeguards are Available
● Human safeguards for employees are some of the most important safeguards an organization can
deploy. They should be coupled with effective procedures to help protect information systems.
○ Position definition
■ Separate duties and authorities
■ Determine least privilege
■ Document position sensitivity
○ Hiring and screening
○ Dissemination and enforcement (responsibility, accountability, and compliance)
○ Termination
■ Friendly
■ Unfriendly
Being Aware of the Rules
Security Awareness Training
● Employees cannot and will not follow the directives and procedures, if they do not know about them
● Employees must know expectations and ramifications, if not met
● Employee recognition award program
● Part of due care
● Administrative control
● Reported incidents should increase as a result of effective training
● Training is best when customized to job roles
Knowledge Transfer
● Awareness, Training, Education
● “People are often the weakest link in securing information. Awareness of the need to protect
information, training in the skills needed to operate them securely, and education in security
measures and practices are of critical importance for the success of an organization’s security
program.”
● The Goal of Knowledge Transfer is to modify employee behavior
Awareness/Training/Education Benefits
● Overriding Benefits:
○ Modifies employee behavior and improves attitudes towards information security
○ Increases ability to hold employees accountable for their actions
○ Raises collective security awareness level of the organization
Domain 4
Information
Domain 1
Information
Security
Incident Management
Security
Governance
Incident Response and Business Continuity
● The goal of this domain is to develop and prepare the ability to plan, respond and recover from
disruptive events affecting our information assets
● Intrusion Detection
● Incident Response
● Business Continuity Planning and Disaster Recovery
Incident Response Plan
Prepare
Document Identify
Respond Detect
Triage
Prepare
● Defines the preparation work that has to be completed prior to having any capability to respond to incidents:
○ Coordinate planning and design
■ Identify incident management requirements
■ Obtain funding and sponsorship
■ Develop Implementation Plan
○ Coordinate implementation
■ Develop Policies, processes and plans
■ Establish Incident handling criteria
■ Define Criticality
■ Evaluate Incident management capability
■ Define post-mortem review
■ Define process change procedure
Protect
● Protect and secure critical data and computing infrastructure and its constituency when responding
to incidents
● Be prepared to contain the attack. Implement abilities to isolate the systems or networks
● Implement lessons learned
● Use proactive security assessments
Detect
● Identify unusual/suspicious activity that might compromise critical business functions or
infrastructure
○ Proactive detection—conduct detective monitoring regularly
■ Honeypots
■ Scan for unauthorized servers or hosts Analyze
network traffic
■ Review audit logs and files
○ Reactive detection is essential as well to be able to quickly detect and attack
○ Intrusion detection
○ Review audit logs and files
Triage
● Process of sorting, categorizing, correlating, prioritizing and assigning incoming report/events
● Analyze what is known, then prioritize
● Allows events to be managed based on order of criticality
Respond
● Steps taken to address, contain, resolve or mitigate an incident
○ Technical response
○ Collect data
○ Analyze incident
○ Research corresponding technical mitigation techniques
○ Isolate affected system
○ Deploy patches and workaround
● Management Response: Activities that require supervisory or mgmt. intervention—
notification, interaction, escalation or approval—business and senior managers
● Legal response—Activity that relates to the investigation, prosecution, liability copyright and privacy
issues
Document
● Debrief team
● Lessons learned
Intrusion Detection System/Intrusion Prevention System
● IDS Reactive system that will document an attack or notify an admin
● IPS Proactive system that will stop an attack in progress
● Most systems today are IDS/IPS
Violation Analysis
● First step of any incident response should always include violation analysis
● Has an actual security incident transpired, or do we simply have abnormal system activity?
● Is this event malicious or accidental?
● Is it internal/external?
● What is the scope of the incident?
Intrusion Detection Systems
● Software is used to monitor a network segment or an individual computer
● Used to detect attacks and other malicious activity
● Dynamic in nature
● The two main types:
○ Network-based (packet sniffer + analysis engine)
○ Host-based based (local host only)
Protocol Analyzers (Sniffers) and Intrusion Detection Systems
● Promiscuous mode
● Switching can affect the Packet Capture.
● Solution is PORTSPAN
Types of IDS
● Network-based IDS
○ Monitors traffic on a network segment
○ Computer or network appliance with NIC in promiscuous mode
○ Sensors communicate with a central management console
● Host-based IDS
○ Small agent programs that reside on individual computer
○ Detects suspicious activity on one system, not a network segment
● IDS Components:
○ Sensors Analysis engine
○ Management console
IDS Components
● IDS Components:
○ Sensors Analysis engine
○ Management console
Sensor Placement
● In front of firewalls to discover attacks being launched
● Behind firewalls to find out about intruders who have gotten through
● On the internal network to detect internal attacks
Sensor Placement
Analysis Engine Methods
Pattern Matching
● Rule-Based Intrusion Detection
● Signature-Based Intrusion Detection
● Knowledge-Based Intrusion Detection
Profile Comparison
● Statistical-Based Intrusion Detection
● Anomaly-Based Intrusion Detection
● Behavior-Based Intrusion Detection
Types of IDS
● Signature-based—MOST COMMON
○ IDS has a database of signatures, which are patterns of previously
identified attacks
○ Cannot identify new attacks Database needs
continual updates
● Behavior-based
○ Compares audit files, logs, and network behavior, and develops
and maintains profiles of normal behavior
○ Better defense against new attacks
○ Creates many false positives
IDS/IPS Response Options
● Passive(IDS):
○ Page or email administrator
○ Log event
● Active (IPS)
○ Send reset packets to the attacker’s connections
○ Change a firewall or router ACL to block an IP address or range
○ Re-configure router or firewall to block protocol being used for
attack
IDS Issues
● May not be able to process all packets on large networks
○ Missed packets may contain actual attacks
○ IDS vendors are moving more and more to hardware-based systems
● Cannot analyze encrypted data
● Switch-based networks make it harder to pick up all packets
● A lot of false alarms
● Not an answer to all prayers
○ Firewalls, anti-virus software, policies, and other security
controls are still important
Security Incident Response
● Event: a change of state
● Incident: series of events that has a negative impact on the company
and its security
● Incident response focuses on containing the damage of an attack and
restoring normal operations
● Investigations focus on gathering evidence of an attack with the goal of
prosecuting the attacker
Security Incident Response Continued
● Framework should include:
○ Response capability
○ Incident Response and handling
○ Recovery and Feedback
Response Capability
Incident response considerations
● Items the Computer Incident Response Team must have at its disposal
● List of outside agencies and resources to contact or report to
● Computer Emergency Response Team (CERT)
● List of computer or forensics experts to contact
● Steps on how to secure and preserve evidence
● Steps on how to search for evidence
● List of items that should be included on the report
● A list that indicates how the different systems should be treated in this type of
situation
Recovery and Feedback
● Recovery and Repair: Restoration of the system to operations
○ Remember, it does no good to restore to its original status—must
provide greater security lest if fall prey to the same attack again
● Provide Feedback: One of the most important (and most overlooked) steps
● Document, document, document!
Computer Forensics
● Computer Forensics: The discipline of using proven methods toward the collection, preservation,
validation, identification, analysis, interpretation, documentation and presentation of digital

evidence
● IOCE and SWGDE are two entities that provide forensics guidelines and principles as follows
○ All forensic principles must be applied to digital evidence Evidence should

not be altered as a result of collection
○ If a person is to access original digital evidence, that person must be trained for such a purpose
○ All activity relating to the seizure, access, storage, and transfer of digital evidence must be
fully documented and available for review
○ An individual is responsible for actions affecting digital evidence while that evidence is in
their possession
○ Any entity responsible for seizing, accessing, storing or transferring digital evidence is
responsible for compliance with these principles
The Forensics Investigation Process
● Identification
● Preservation
● Collection
● Examination
● Analysis
● Presentation
● Decision
The Forensics Investigation Process: Identification
Locard’s principle of Exchange: when a crime is committed, the attacker takes
something and leaves something behind.
● What they leave behind can help us identify aspects of the responsible party
The Forensics Investigation Process: Preservation
● Chain of Custody must be well documented
● A history of how the evidence was
○ Collected
○ Analyzed
○ Transported
○ Preserved
● Necessary because digital evidence can be manipulated so easily
● Hashing Algorithms are used to show the integrity of the evidence has not
been modified by the investigation process
The Forensics Investigation Process: Collection
● Minimize handling/corruption of evidence
● Keep detailed logs of your actions
● Comply with the 5 rules of digital evidence
● Do not exceed your knowledge
● Follow organization’s security policy
● Capture an accurate image of the system
● Ensure actions are repeatable
● Work Fast (digital evidence may have a short lifespan)
● Work from volatile to persistent evidence
● DO NOT run any programs or open any files on the infected system until a
forensic copy of the disk has been made
The Forensics Investigation Process: Collection (2)
Steps to evidence collection:
● Photograph area, record what is on the screen
● Dump contents from memory
● Power down system
● Photograph inside of system
● Label each piece of evidence
● Record who collected what and how
● Have legal department and possibly human resources involved
The Forensics Investigation Process: Collection (3)
● The Fourth Amendment protects against illegal search and seizure
● Exceptions to previous statement
○ Private citizen not subject to Fourth Amendment rules unless acting as a police agent
○ Citizen may be subject to restrictions of Electronic Communications Privacy Act
● Computer evidence can be obtained by law enforcement only through:
○ Subpoena
○ Search warrant
○ Voluntary consent
○ Exigent Circumstances
The Forensics Investigation Process: Examination and Analysis
● Examination
○ Look for signatures of known attacks
○ Review audit logs
○ Hidden data recovery
● Analysis
○ Primary image (original) vs. Working image (copy)
○ Working image should be a bit by bit copy of original
○ Both copies must be hashed and the working copy should be write-protected
○ What is the root cause?
○ What files were altered/installed?
○ What communications channels were opened?
The Forensics Investigation Process: Presentation and Decision
● Presentation
○ Interpreting the results of the investigation and presenting the findings in an appropriate
format
○ Documentation
○ Expert Testimony
● Decision
○ What is the result of the investigation?
■ Suspects?
■ Corrective Actions?
Controlling the Crime Scene
● The scene of the crime should be immediately secured with only authorized individuals
allowed in
● Document, document, document—the integrity of the evidence could be called into question if it
is not properly documented
○ Who is at the crime scene/who has interaction with the systems and to what degree?
○ Also, any contamination at the crime scene must be documented (contamination does
not always negate the evidence)
● Logs should be kept detailing all activities. In most instances, an investigator’s notebook is not
admissible as evidence, however the investigator can use it to refer to during testimony
What Happens When Risk Management Fails?
Business continuity and disaster recovery!
BCP vs. DRP
● Business Continuity Planning: Focuses on sustaining operations and protecting the viability
of the business following a disaster, until normal business conditions can be restored. The
BCP is an “umbrella” term that includes many other plans including the DRP and is long term
focused
● Disaster Recovery Planning: goal is to minimize the effects of a disaster and to take the
necessary steps to ensure that the resources, personnel and business processes are able to
resume operations in a timely manner. Deals with the immediate aftermath of the disaster, and
is often IT focused. Short Term focused
BCP Relationship to Risk Management
Mitigate Risks
● Reduce negative effects:
○ Life Safety is the number 1 priority!
○ Reputation: Is the second most important asset of an organization. Though specific systems
are certainly essential, don’t forget to focus on the big picture—protect the company as a
whole
Business Continuity Planning
Disaster recovery and continuity planning deal with uncertainty and chance
● Must identify all possible threats and estimate possible damage
● Develop viable alternatives
Threat Types:
● Man-made
○ Strikes, riots, fires, terrorism, hackers, vandals
● Natural
○ Tornado, flood, earthquake
● Technical
○ Power outage, device failure, loss of a T1 line
Business Continuity Planning
● Categories of Disruptions
○ Non-disaster: Inconvenience.
■ Hard drive failure
■ Disruption of service
■ Device malfunction
○ Emergency/Crisis
■ Urgent, immediate event where there is the potential for loss of life or property
○ Disaster
■ Entire facility unusable for a day or longer
○ Catastrophe
■ Destroys facility
Companies should understand and be prepared for each category
ISO 27031
● Approved in 2011
● Provides a standard that did not exist previously
● Will solve issues of inconsistency in terms, definitions and documents (so for now, there may be
inconsistencies on the exam. Look for concepts more than specific terms)
● Until this ISO standard is included on the test, the following institutes will provide guidance on
BCP/DRP:
○ DRII (Disaster Recovery Institute International)
○ NIST 800-34
○ BCI GPG (Business Continuity International Good Practice Guidelines)
Business Continuity Plan Sub-Plans
● BCP
○ BRP (Business Recovery Plan)
○ COOP (Continuity of Operations Plan)
○ Continuity of Support Plan/IT Contingency
○ Plan Crisis Communication Plan
○ Cyber Incident Response Plan
○ DRP (Disaster Recovery Plan)
○ OEP (Occupant Emergency Plan)
Summary of BCP Sub-Plans NIST 800-34
● Business Recovery (or Resumption) Plan (BRP)
○ Purpose: Provide procedures for recovering business operations immediately following a disaster
○ Scope: Addresses business processes; not IT-focused; IT addressed based only on its support for
business process
● Continuity of Operations Plan (COOP)
○ Purpose: Provide procedures and capabilities to sustain an organization’s essential, strategic
functions at an alternate site for up to 30 days. This term is sometimes used in the U.S. government
to refer to the field of Business Continuity Management, but per NIST 800-34, it is a unique
sub-plan of BCP.
■ **Note, BCP addresses ALL business processes, not just mission critical.
○ Scope: Addresses the subset of an organization’s missions that are deemed most critical; usually
written at headquarters level; not IT-focused
Summary of BCP Sub-Plans NIST 800-34
● Continuity of Support Plan/IT Contingency Plan
○ Purpose: Provide procedures and capabilities for recovering a major application or general
support system
○ Scope: Same as IT contingency plan; addresses IT system disruptions; not business process focused
● Crisis Communications Plan
○ Purpose: Provides procedures for disseminating status reports to personnel and the public
○ Scope: Addresses communications with personnel and the public; not IT focused
● Cyber Incident Response Plan
○ Purpose: Provide strategies to detect, respond to, and limit consequences of malicious cyber incident
○ Scope: Focuses on information security responses to incidents affecting systems and/or networks
Summary of BCP NIST 800-34
● Disaster Recovery Plan (DRP)
○ Purpose: Provide detailed procedures to facilitate recovery of capabilities at an alternate
site
○ Scope: Often IT-focused; limited to major disruptions with long-term effects
● Occupant Emergency Plan (OEP)
○ Purpose: Provide coordinated procedures for minimizing loss of life or injury and
protecting property damage in response to a physical threat
○ Scope: Focuses on personnel and property particular to the specific facility; not business
process or IT system functionality based. May also be referred to as Crisis or Incident
management plans. However, the OEP concept should be recognizable as the “initial
response to the emergency event.”
NIST 800-34 Interrelationship of the Plans
7 Phases of Business Continuity Planning
● Phases of Plan:
○ Project Initiation
○ Business Impact Analysis
○ Recovery Strategy
○ Plan Design and Development
○ Implementation
○ Testing
○ Maintenance
7 Phases of Business Continuity Planning
Project Initiation
Business Impact Analysis

Recovery Strategy
Implementation Plan design and development
Testing Maintenance
Phases of the Plan: Project Initiation
● Project Initiation
○ Obtain senior management’s support
○ Secure funding and resource allocation
○ Name BCP coordinator/Project Manager
○ Develop Project Charter
○ Determine scope of the plan
○ Select Members of the BCP Team
Phases of the Plan: Business Impact Analysis
● BIA (Business Impact Analysis)
○ Initiated by BCP Committee
○ Identifies and prioritizes all business processes based on criticality
○ Addresses the impact on the organization in the event of loss of a specific services or process
■ Quantitative: Loss of revenue, loss of capital, loss due to liabilities, penalties and fines, etc.
■ Qualitative: loss of service quality, competitive advantage, market share, reputation, etc.
○ Establishes key metrics for use in determining appropriate countermeasures and recovery
strategy
○ IMPORTANCE (relevance) vs. CRITICALITY (downtime)
■ The Auditing Department is certainly important, though not usually critical. THE BIA
FOCUSES ON CRITICALITY
Phases of the Plan: Business Impact Analysis
● Key Metrics to Establish
○ Service Level Objectives
○ RPO (Recovery Point Objective)
○ MTD (Maximum Tolerable Downtime)
■ RTO (Recovery Time Objective)
■ WRT (Work Recovery Time)
○ MTBF (Mean Time Between Failures)
○ MTTR (Mean Time To Repair)
○ MOR (Minimum Operating Requirements)

Elements of the Plan: Business Impact Analysis
● Management should establish recovery priorities for business processes that identify:
○ Essential personnel
■ Succession Plans
■ MOAs/MOUs (Memorandums of Agreement/Understanding)
○ Technologies
○ Facilities
○ Communications systems
○ Vital records and data
Results from the BIA
● Results of Business Impact Analysis contain
○ Identified ALL business processes and assets, not just those considered critical
○ Impact company can handle dealing with each risk
○ Outage time that would be critical vs those which would not be critical
○ Preventive Controls
● Document and present to management for approval
● Results are used to create the recovery plans
Submit to DRP and BCP derived

BIA management from BIA
Phases of the Plan: Identify Recovery Strategies
● When preventive controls don’t work, recovery strategies are necessary
○ Facility Recovery
○ Hardware and Software Recovery
○ Personnel recovery
○ Data Recovery
Facility Recovery
● Facility Recovery
○ Subscription Services
■ Hot, warm, cold sites
○ Reciprocal Agreements
○ Others
■ Redundant/Mirrored site (partial or full)
■ Outsourcing
■ Rolling hot site
■ Prefabricated building
○ Offsite Facilities should be no less than 15 miles away for low to medium environments.
Critical operations should have an offsite facility 50-200 miles away.
Facility Recovery
● Facility Recovery
○ Subscription Services
■ Hot, warm, cold sites
○ Reciprocal Agreements
○ Others
■ Redundant/Mirrored site (partial or full)
■ Outsourcing
■ Rolling hot site
■ Prefabricated building
○ Offsite Facilities should be no less than 15 miles away for low to medium environments.
Critical operations should have an offsite facility 50-200 miles away.
Facility Recovery Operations
Alternative Time to Occupy Readiness Cost
Mirrored Site Within 24 hours Fully redundant in every way Highest
Hot Site Fully configured equipment and High

Within 24 hours
communications links; need only
load most recent data
Rolling Hot Site Usually 24 hours Similar to hot site, but supports data High
center operations only
Warm Site Within a week Medium

Between a hot and cold site. Partially
configured equipment and does not
contain any live data; some
activation activity needed
Cold Site Within 30 days Typically contains the appropriate Lowest

electrical and heating/air
conditioning systems, but does not
contain equipment or active
communication links
Facility Recovery: Reciprocal Agreements
● How long will the facility be available to the company in need?
● How much assistance will the staff supply in the means of integrating the two environments and
ongoing support?
● How quickly can the company in need move into the facility?
● What are the issues pertaining to interoperability?
● How many of the resources will be available to the company in need?
● How will differences and conflicts be addressed?
● How does change control and configuration management take place?
Facility Recovery: Criteria for Alternative Facility
● Is the facility closed on weekends or holidays?
● Are the access controls tied in to emergency services?
● Is the facility fire resistant in its construction?
● What is the availability of a bonded transport service?
● Are there any geographical environmental hazards?
● Does the facility provide proper environmental controls?
● Is there a fire detection and suppression system?
● What is the vendor’s liability of stored media?
Hardware Recovery
● Technology Recovery is dependent upon good configuration management documentation
● May include
○ PC’s/Servers
○ Network Equipment
○ Supplies
○ Voice and data communications equipment
○ SLA’s can play an essential role in hardware recovery—See Below
Software Recovery
● BIOS Configuration Information
● Operating Systems
● Licensing Information
● Configuration Settings
● Applications
● Plans for what to do in the event that the operating system/applications are not longer available
to be purchased
Personnel Recovery
● Identify Essential Personnel—Entire staff is not always necessary to move into recovery operations
● How to handle personnel if the offsite facility is a great distance away
● Eliminate single points of failure in staffing and ensure backups are properly trained
● Don’t forget payroll!
Data Recovery
● Data Recovery options are driven by metrics established in the BIA (MTD, RTO, RPO, etc)
● Backups
● Database Shadowing
● Remote Journaling
● Electronic Vaulting
Data Recovery (2)
● Database Backups
○ Disk-shadowing
○ Mirroring technology
○ Updating one or more copies of data at the same time
○ Data saved to two media types for redundancy
Master Data Shadow Data

Repository Repository
Database
Data Recovery (3)
● Electronic Vaulting
○ Copy of modified file is sent to a remote location where an original backup is stored
○ Transfers bulk backup information
○ Batch process of moving data
● Remote Journaling
○ Moves the journal or transaction log to a remote location, not the actual files
Phases of the Plan: Plan and Design Development
● Now that all the research and planning has been done, this phase is where the actual plan is written
○ Should address
■ Responsibility
■ Authority
■ Priorities
■ Testing
Phases of the Plan: Implementation
● Plan is often created for an enterprise with individual functional managers responsible for plans
specific to their departments
● Copies of Plan should be kept in multiple locations
● Both Electronic and paper copies should be kept
● Plan should be distributed to those with a need to know
● Most employees will only see a small portion of the plan
Three Phases Following a Disruption
● Notification/Activation
○ Notifying recovery personnel Performing a damage assessment
● Recovery Phase--Failover
○ Actions taken by recovery teams and personnel to restore IT operations at an alternate site
or using contingency capabilities— performed by recovery team
● Reconstitution--Failback
○ Outlines actions taken to return the system to normal operating conditions—performed
by Salvage team
Phases of the Plan: Testing
● Should happen once per year, or as the result of a major change (VERY TESTABLE)
● The purpose of testing is to improve the response (never to find fault or blame)
● The type of testing is based upon the criticality of the organization, resources available and risk
tolerance
○ Testing: Happens before implementation of a plan. The goal is to ensure the accuracy
and the effectiveness of the plan
○ Exercises/Drills: Employees walk through step by step. Happens periodically. Main goal is to
train employees
○ Auditing: 3rd party observer ensures that components of a plan are being carried out and
that they are effective.
Types of Tests
● Checklist Test
○ Copies of plan distributed to different departments
○ Functional managers review
● Structured Walk-Through (Table Top) Test
○ Representatives from each department go over the plan
● Simulation Test
○ Going through a disaster scenario
○ Continues up to the actual relocation to an offsite facility
Types of Tests
● Parallel Test
○ Systems moved to alternate site, and processing takes place there
● Full-Interruption Test
○ Original site shut down
○ All of processing moved to offsite facility
Post Incident Review
● After a test or disaster has taken place:
○ Focus on how to improve
○ What should have happened
○ What should happen next
○ Not whose fault it was; this is not productive

Phases of the Plan: Maintenance
● Change Management:
○ Technical – hardware/software
○ People
○ Environment
○ Laws
● Large plans can take a lot of work to maintain
● Does not have a direct line to profitability
Phases of the Plan: Maintenance
Keeping plan in date
● Make it a part of business meetings and decisions
● Centralize responsibility for updates
● Part of job description
● Personnel evaluations
● Report regularly
● Audits
● As plans get revised, original copies should be retrieved and destroyed
CISM Review
Domain 1 - Information Security Governance
Establish and/or maintain an information security governance framework and supporting processes to ensure that the
information security strategy is aligned with organizational goals and objectives.
Task Statements
1.1 Establish and/or maintain an information security strategy in alignment with organizational goals and objectives to
guide the establishment and/or ongoing management of the information security program.
1.2 Establish and/or maintain an information system governance framework to guide activities that support the
information security strategy
1.3 Integrate information security governance into corporate governance to ensure that organizational goals and objectives
are supported by the information security program.
1.4 Establish and maintain information security policies to guide the development of standards, procedures and guidelines
in alignment with enterprise goals and objectives
CISM Review
Domain 1 - Information Security Governance (2)
Establish and/or maintain an information security governance framework and supporting processes to ensure that the
information security strategy is aligned with organizational goals and objectives.
Task Statements
1.5 Develop business cases to support investments in information security
1.6 Identify internal and external influences to the organization (e.g., emerging technologies, social media, business
environment, risk tolerance, regulatory requirements, third-party considerations, threat landscape) to ensure that these factors
are continually addressed by the information security strategy
1.7 Gain ongoing commitment from senior leadership and other stakeholders to support the successful implementation of the
information security strategy
1.8 Define, communicate, and monitor information security responsibilities throughout the organization (e.g., data owners, data
custodians, end users, privileged or high-risk users) and lines of authority
1.9 Establish monitor, evaluate and report key information security metrics to provide management with accurate and
meaningful information regarding the effectiveness of the information security strategy
CISM Review
Domain 2 - Information Risk Management
Manage Information risk to an acceptable level based on risk appetite in order to meet organizational goals and
objectives.
Task Statements
2.1 Establish and/or maintain a process for information asset classification to ensure that measures taken to
protect assets are proportional to their business value.
2.2 Identify legal, regulatory, organizational and other applicable requirements to manage the risk of
noncompliance to acceptable levels.
2.3 Ensure that risk assessments, vulnerability assessments and threat analyses are conducted consistently, at
appropriate times, and to identify and assess risk to the organization’s information.
2.4 Identify, recommend, or implement appropriate risk treatment/response options to manage risk to
acceptable levels based on organizational risk appetite.
2.5 Determine whether information security controls are appropriate and effectively manage risk to an
acceptable level.
CISM Review
Domain 2 - Information Risk Management (2)
Manage Information risk to an acceptable level based on risk appetite in order to meet organizational goals and objectives.
Task Statements
2.6 Facilitate the integration of information risk management into business and IT process (e.g., systems development,
procurement, project management) to enable a consistent and comprehensive information risk management program across
the organization.
2.7 Monitor for internal and external factors (e.g., key risk indicators (KRIs), threat landscape, geopolitical, regulatory change)
that may require reassessment of risk to ensure that changes to existing, or new, risk scenarios are identified and managed
appropriately.
2.8 Report noncompliance and other changes in information risk to facilitate the risk management decision-making process.
2.9 Ensure that information security risk is reported to senior management to support an understanding of potential impact
on the organizational goals and objectives.
CISM Review
Domain 3 - Information Security Program Development and Management
Develop and maintain an information security program that identifies, manages, and protects the organization’s assets while
aligning to information security strategy and business goals, thereby supporting an effective security posture.
Task Statements
3.1 Establish and/or maintain the information security program in alignment with the information security strategy.
3.2 Align the information security program with the operational objectives of other business functions (e.g., human resources
[HR], accounting, procurement, and IT) to ensure that the information security program ads value to and protects the
business.
3.3 Identify, acquire, and manage requirements for internal and external resources to execute the information security
program.
3.4 Establish and maintain information security processes and resources (including people and technologies) to execute the
information security program in alignment with the organization’s business goals.
3.5 Establish, communicate and maintain organizational information security standards, guidelines, procedures, and other
documentation to guide and enforce compliance with information security policies.
CISM Review
Domain 3 - Information Security Program Development and Management (2)
Develop and maintain an information security program that identifies, manages, and protects the organization’s assets while
aligning to information security strategy and business goals, thereby supporting an effective security posture.
Task Statements
3.6 Establish, promote and maintain a program for information security awareness and training to foster an effective security
culture.
3.7 Integrate information security requirements into organizational resources (e.g., change control, mergers and acquisitions,
system development, business continuity, disaster recovery) to maintain the organization’s security strategy.
3.8 Integrate information security requirements into contracts and activities of third parties (e.g., joint ventures, outsourced
providers, business partners, customers) and monitor adherence to established requirements in order to maintain the
organization’s security strategy.
3.9 Establish, monitor and analyze program management and operational metrics to evaluate the effectiveness and
efficiency of the information security program.
3.10 Compile and present reports to key stakeholders on the activities, trends and overall effectiveness of the IS program and
the underlying business processes in order to communicate security performance.
CISM Review
Domain 4 - Information Security Management (2)
Plan, establish, and manage the capability
Task Statements
4.1
4.2
4.3
4.4
4.5
Domain 4- 1
llnformation Security 'fncident Management
Pfan, establish and manage the capabihty to detect, irrivesfig at.e-, respond to and recover from cnfmm atio n secumy incidents tu minimize
business impact (19%)
T.ask Statements
4-. Establish and maintain -an organizational de·n n.it ion of, an d seventy hierarohy for, info rrna t lo n security ,in ccdents lo
1 al mN accu rated ass ificaUon and categ orization of an d respo se to in cfdents.
- 4L E sta blish and mairnt ain ari in·c dent respon se p:1-art to ensJ.ue an effective and timely res p on se to information
2 se,oum.y rnci d en ts.
4-. Dev.e op and implem ent prn cesses t o en su, re the timely id e lili ca· : o of informali o:n security incidenlts at
3 Em pad fu e bus iness . cou '.ld
4.4 Establish! an d maintain processes to in .estigate a111d do cument information :securi 'I in ci d en ts in md:er to
determ ill'le
4-. 1he appropri ate re.sp on s e and cause while adh ering to legal, regulaitmy and orga iz aUon al req111ire irnen ts.
5
E stab li sh and maintai n i nci dent notmcaUron and esca taUon p m cesses, · o enmrne that 1he· ap p ropriate· s ak
4L e.hol-de rs are involved tl'll ind dent response managem en
6,
Organize, train an d equip ncidenl response teams to resp ond to information secull'it y i ll'lci d ents i'n an eif'9dive and
timely manner.
4-.
4.7 Test, re iei.v and revise (as ap plicabJe ) flle tnci den t response plan p eriadlcalli!I to ensure an effective. responsie
H to tnfom1alion .seru rity in oidents and to improve respoose capabilities.
E stabli sh and rna·fllt ain cornmu1rf cation p lans arnd p rocesses to manage communicalion v-mh internal: an d external
errttitie s.
4-. 1 O E s tabli sh and maintai n rnteg ration among the incident response pJa n busjness continufty plan an d dTs aster
4.19 reco:veryCo duct
pl an.pos tinci:dent rerif ews: to determ ine the root caus e of trrfo rm ali on sea.nity incidents, dei.rel op
corre ctive actions , .r-eass e-.ss risk, evaJuaite response efl'ectwen ess and take apprnpriate remedi al act ro ns .

CISM - Presentation 1

Uploaded by

Copyright:

Available Formats

You might also like

CISM - Presentation 1

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CISM - Presentation 1

Uploaded by

Copyright:

Available Formats

CISM Exam Prep Course

Certiﬁed Information Security Manager

Starring: Kelly Handerhan

Coffee and breaks Lunch

○ Methods to develop an information security strategy

○ Relationship among information security and business goals

○ Methods to implement an information security governance framework

○ Internationally recognized standards, frameworks and best practices related to

○ Methods to develop information security policies, business cases, strategic

○ Information security management roles and responsibilities

● Information security governance is a subset of corporate governance

○ Providing strategic vision and direction

○ Reaching security and business objectives

○ Ensure that risks are managed appropriately and proactively

○ Verify that the enterprise’s resources are used responsibly

What steps/elements are necessary to develop an effective security program?

Level 4 - Managed and measurable

Level 3 - Deﬁned Process

Level 2 - Repeatable but intuitive

Level 0 - Non Existent

Customer perspective Internal business

Source: Kaplan and Norton (1996)

CHAPTER 1 QUICK REFERENCE REVIEW OF CISM REVIEW MANUAL

Risk governance has four main objectives:

Risk management: Foresees challenges to achieving objectives and attempts

● Unclear or changing requirements Scope creep

● Loss of competitive advantage Low morale among staff

○ The recommended controls from the risk assessment report

○ The cost of the various response options, including:

○ Possibility of integrating the response with other organizational initiatives

○ Compatibility with other controls in place

○ Time, resources and budget available

● IT risk and controls should be continuously monitored and reported on to ensure

Monitoring Awareness Training &

Testing, logs, Implementation

Security architecture and

Procedures: Standards: Guidelines

● Procedure: Outlines ‘how’ the Policy will be accomplished

● Policy compliance metrics

Starring: Kelly Handerhan

● Static Packet Filters: Base decisions on Source/Destination IP Address

● Stateful inspection. Knowledge of who initiated the session. Can block

● Protocol Anomaly ﬁrewalls— can block trafﬁc based on syntax being

○ Generally do not support anything advanced or custom

○ Generally do not support anything advanced or custom

● Context dependent access control

● Remaps IP addresses, allowing you to use private addresses internally

● NAT allows a one-to-one mapping of IP addresses

● PAT allows multiple private address to share one public address

Target of The Vendor provides a

Security Target The Vendor provides an

Security Functionality Security Assurance

Function and Assurance are

Evaluation Assurance EAL is assigned based on

validation, identiﬁcation, analysis, interpretation, documentation and presentation of digital

○ All forensic principles must be applied to digital evidence Evidence should

○ Business Impact Analysis

○ Plan Design and Development