
Study Notecards

Information Security
Governance

© 2022 Proprietary and Confidential. All Rights Reserved.


Corporate Governance Structure
Shareholders
Board of Directors
Board Secretary
General Manager/Chief Executive Officer
Senior Management
Board Committees: Corporate Governance Committee, Risk Committee, Audit Committee, Compliance Committee, Pay Committee, Cyber Governance Committee

Governing Boards and Senior Management

Under the standard of due care, senior leadership has the ultimate responsibility to ensure risks are adequately mitigated
Must ensure appropriate resources are allocated
Make risk-aware business decisions

CEO and COO
Chief Executive Officer (CEO)
Highest-ranking executive in a company
Primary responsibilities include making major corporate decisions,
managing the overall operations and resources of a company,
acting as the main point of communication between the board of
directors and corporate operations
Chief Operating Officer (COO)
Senior executive who oversees the daily administrative and
operational functions of a business
Typically reports to the CEO and is considered 2nd in the chain of
command
CRO, CIO, CISO, and CSO
Chief Risk Officer (CRO)
Responsible for overall Enterprise Risk Management
Typically focused on non-IT risks
Chief Information Officer (CIO)
Company executive responsible for the management,
implementation, and usability of information and computer
technologies.
Chief Information Security Officer (CISO)
Often reports to CEO or board of directors
Responsible for C-I-A Triad

Information Security Manager
Offer leadership in determining the methodology for the
identification, evaluation, and minimization of risk to information
resources, including IT Systems
Work closely with senior management to ensure risk is assessed on a
regular basis

Data Owners and Data Custodians
Data Owner
Makes decisions on how data is accessed, edited, and used
Determines classification and is accountable for the risks
associated with their data
Often the functional or business unit leaders that determine
appropriate trade-offs for security
Data Custodian
Responsible for the day-to-day maintenance and configuration of
security controls for data
May also be called security practitioners

Principles of Corporate Governance
Fairness: Act without partiality or prejudice
Accountability: The right to hold people to a set of standards and to
judge whether they have fulfilled their responsibilities in light of these
standards
Transparency: Provide timely reporting of potential issues faced by the
enterprise. Shareholders should have a transparent view of the
organization on a regular basis to understand the risk posed to their
investments.
Responsibility: The actions to be performed by stakeholders as part of
the corporate governance structure. Failing to fulfill the assigned
responsibilities could result in risk.
Benefits of Information Security Governance
Effective information security governance can offer many benefits to an
organization, including:
Compliance and protection from litigation or penalties
Cost savings through better risk management
Efficient utilization of security investments that support organization’s
objectives
Reduced risks and potential business impacts to an acceptable level
Better oversight of systems and business operations
Opportunity to leverage new technologies to business advantage
Business value generated through the optimization of security investments
with organizational objectives
Governance
Corporate Governance
Providing strategic vision and direction
Reaching security and business objectives
Ensure that risks are managed appropriately and proactively
Verify that the enterprise’s resources are used responsibly

Governance answers four questions:
1. Are we doing the right things?
2. Are we doing them the right way?
3. Are we getting them done well?
4. Are we getting the benefits?
If the answer is no to any of these questions, how do we close the gap between current state and desired state?
Frameworks

Information Security Governance Frameworks
Security Strategy intrinsically linked with business objectives
Governing security policies that address each aspect of strategy, controls
and regulation
Complete set of standards for each policy to ensure that procedures and
guidelines comply with policy
Effective security organizational structure without conflicts of interest and
with significant authority and adequate resources
Institutionalized metrics and monitoring processes to ensure compliance
and provide feedback for appropriate management decisions

What is a Cybersecurity Framework?
Provides a standardized approach to developing and managing an
information security program
Provides support and structure
Broad enough for use across industries
Consistent throughout the organization
Can help an organization close the gap between current state and
desired state

COBIT 2019

COBIT 2019

IT management framework developed by ISACA to help businesses develop, organize and implement strategies around information management and governance
Helps align business goals with IT goals by establishing links between both

COBIT Governance Principles
Provide Stakeholder Value
Holistic Approach
Dynamic Governance System
Governance Distinct from Management
Tailored to Enterprise Needs
End-to-End Governance System

Three Principles of Governance Frameworks
Based on Conceptual Model
Open and Flexible
Aligned to Major Standards

COBIT Goals Cascade
Stakeholder Drivers and Needs
Enterprise Goals
Alignment Goals
Governance and Management Objectives
Five Domains of COBIT
Goal is to achieve objectives across five domains:

Evaluate, Direct and Monitor (EDM)
Align, Plan and Organize (APO)
Build, Acquire and Implement (BAI)
Deliver, Service and Support (DSS)
Monitor, Evaluate and Assess (MEA)
ISO 27000 Series

A Risk-Based Framework
Risk Assessment and Treatment
Safeguard Implementation

ISO 27001
Provides a framework to help organizations protect their information by adopting an Information Security Management System (ISMS).
Based on continuous improvement
The standard is separated into two parts. The first consists of 11 clauses, or requirements for ISO 27001 (0 to 10). The second part, called Annex A, provides a guideline for 114 control objectives and controls.

Clauses/Requirements for ISO 27001
Introduction, Scope, Normative References, and Terms and Definitions provide the standard's "metadata"
1 Context of the Organization
2 Leadership
3 Planning
4 Support
5 Operation
6 Performance Evaluation
7 Improvement
Annex A 27001

Annex A provides a list that offers controls by which the ISO 27001 requirements can be met, and the structure of an ISMS can be derived.
Provides 14 Control Families (A5-A18) further described in ISO 27002 as a potential means of achieving compliance

Control Families
A.1-A.4: Contain explanatory information
A.5. Information Security Policies: Describe how to handle information security policies.
A.6. Organization of Information Security: Provide the framework for the implementation
and operation of information security by defining its internal organization (e.g., roles,
responsibilities, etc.), and through the organizational aspects of information security.
A.7. Human Resource Security: Ensure people are hired, trained, and managed in a
secure way; also, the principles of disciplinary action and terminating the agreements are
addressed.
A.8. Asset Management: Ensure that information security assets (e.g., information,
processing devices, storage devices, etc.) are identified, that responsibilities for their
security are designated, and that people know how to handle them according to
predefined classification levels.

Control Families
A.9. Access Control: Limit access to information and information assets according to
real business needs. The controls are for both physical and logical access.
A.10. Cryptography: Provide the basis for proper use of encryption solutions to
protect the confidentiality, authenticity, and/or integrity of information.
A.11. Physical and Environmental Security: Prevent unauthorized access to physical
areas, and protect equipment and facilities from being compromised.
A.12. Operations Security: Information and information processing facilities should be
protected from malware, data loss, and the exploitation of technical vulnerabilities.
A.13. Communications Security: Information should be protected in networks and as
it is transferred, both internally and externally to the organization.
A.14. System Acquisition, Development, and Maintenance: Information security
should be designed and implemented throughout the lifecycle of information systems.
A.15. Supplier Relationships: Ensure that outsourced activities performed by
suppliers and partners also use appropriate information security controls, and they
describe how to monitor third-party security performance.
Control Families
A.16. Information Security Incident Management: Provide a framework to ensure the
proper communication and handling of security events and incidents so that they can
be resolved in a timely manner; they also define how to preserve evidence, as well as
how to learn from incidents to prevent their recurrence.
A.17. Information Security Aspects of Business Continuity Management: Ensure the
continuity of information security management during disruptions, and the availability
of information systems.
A.18. Compliance: Provide a framework to prevent legal, statutory, regulatory, and
contractual breaches, and audit whether information security is implemented and is
effective according to the defined policies, procedures, and requirements of the ISO
27001 standard.
ISO 27000 Standards
27001: Designed to develop, build, implement, assess and improve an ISMS (Information
Security Management System)
27002: Describes the implementation of the controls referenced in Appendix A of ISO 27001.
Specifies 15 domains, 35 control objectives, and 14 controls
27003:2017: Provides guidance for the implementation of an ISMS based on ISO/IEC 27001
ISO/IEC 27004:2016: Provides guidelines on evaluating the information security performance
and the effectiveness of an information security management system. Establishes:
Monitoring and measurement of information security performance
Monitoring and measurement of the effectiveness of an ISMS
Analysis and evaluation of the results of monitoring and measurement
ISO 27005: Provides guidelines for Information Security Risk Management for organizations
following ISO 27001 Framework

Information Security Strategy

Strategy Objectives
Strategic Alignment
Risk Management
Value Delivery
Resource Optimization
Performance Optimization
Performance Measurement
Process Assurance Integration

Pitfalls of Security Strategy Development
Important to be aware of bias:
Overconfidence
Anchoring
Optimism
Status Quo
Mental Accounting
Herding
False Consensus/Confirmation Bias
Selective Recall
Groupthink

Closing the Gap
Strategy should provide the basis for a plan of action to achieve
security objectives
Assess current environment SWOT
Define desired state
Evaluate risks
Develop strategy
Determine suitable framework
Develop security program

SWOT Analysis
Strengths: What company does well; Qualities distinctive from competitors; Internal resources like skilled staff; Tangible assets like intellectual property
Weaknesses: What company lacks; What competitors do better; Resource limitations; Unclear unique selling proposition
Opportunities: Underserved markets; Few competitors; Emerging need for your products or services; Press/media coverage of your company
Threats: Emerging competitors; Changing regulatory environment; Negative press/media coverage; Changing customer attitudes toward your company

Assessing the Program with a Balanced Scorecard
Scorecard addresses 4 performance areas:
Financial Metrics: Provide information about revenue and expenses
Customer Metrics: Assess how the company meets customer needs
Internal Process Measures: Provide insight into the efficiency of internal processes and allow leaders to identify and correct problems
Measures of Learning and Growth: Give managers information about employee satisfaction and development
Source: The Security Executive Council, "Defining the Value of Security's Accomplishments"
Organizational Culture

Organizational Culture
System of shared assumptions, values, and beliefs that governs how people behave
Strongly influences people in the organization and dictates job performance
Organizational culture is shaped by and shapes: Incentives, Leadership, Working Relations, Human Capability, Behavior

Information Security Culture
Information security culture is a workplace culture in which security awareness
and behaviors are seamlessly integrated into each employee's daily
operations, as well as a strategic executive leadership priority.
An effective cybersecurity culture can help employees understand their
roles and responsibilities in keeping their organizations safe and
customer data secure.
Only 34% of respondents say they understand their role in their
organization's cyber culture.

Goals of an Information Security Aware Culture
Encourages employees to make thoughtful decisions that
align with information security policies.
Requires the workforce to know the security risk and the
processes for avoiding that risk.
Builds and enforces an operating process of tasks that
keep the enterprise safe.

Best Practices Start With Security Culture
Cybersecurity best practices start with building a security culture.
Teaching employees to recognize threats, curb poor behavior, and
follow basic security habits is the best return on investment (ROI).
However, measuring and justifying the expense proves challenging.
Persuading upper management to invest in changing the company
culture can be difficult without a quantitative ROI.

Risk Definitions

Essential Risk Definitions
Asset: Something of tangible or intangible value worth protecting
Vulnerability: Weakness in the design, implementation, operation, or
internal control process that could expose a system to adverse threats--
lack of adequate controls
Threat: Something that could pose loss to all or part of an asset
Probability: The likelihood the risk will occur
Impact: Damage caused if the risk event occurs. Referred to as severity.
Threat Agent: What carries out the attack
Exploit: An instance of compromise

Definition of Risk

Risk: The combination of the probability of an event and its consequence.
Risks are often seen as adverse events that can threaten an organization's assets or exploit vulnerabilities and cause harm.
Risks are always in the future.
Once a risk has happened it is an incident.

Additional Risk Definitions
Inherent Risk: With all business endeavors there is some degree of risk
Residual Risk: Risk that remains after a control has been implemented.
Ultimately risk should be mitigated until the residual risk is within the
level that management is willing to accept (management’s risk tolerance)
Secondary Risk: One risk response may cause a second risk event
Risk Appetite: Senior management’s approach to risk (Seeking, Neutral,
Averse)
Risk Tolerance: Acceptable level of variation that management is willing
to allow for any particular risk
Risk Profile: An organization's current exposure to risk

Additional Risk Definitions
Risk Threshold: A quantified limit beyond which your organization is not willing to go
Risk Capacity: Amount of risk an organization can absorb without threatening its viability
Risk Utility: The positive outcome desired from taking a risk
Controls: Proactive and reactive mechanisms put in place to manage risks

Types of Risk
Systemic Risk: Category of risk that describes threats to a system, market
or economic segment. Markets with interconnected institutions and
independent operations, such as finance, are most susceptible.
Contagious Risk: Events that impact multiple organizations in a short time
Dyn DoS attack led to loss of availability for Amazon, Twitter, Google, etc.
Loss of trust and confidence in the payment and settlement systems
Obscure Risk: Risk that has not yet occurred and is unlikely or difficult to
fathom (aka black swan event)
Visibility: Be in a position that it can observe anything going wrong
Recognition: Can recognize an observed event as something wrong

The Information Security Program

Goal of the Information Security Program
Includes the practical elements that make the IS strategy possible
Provides the means for closing the gap between current state and desired state
Determine Desired Outcome
Determine Desired State
Determine Current State
Perform Gap Analysis
Develop Strategy to Close Gaps
Develop Program to Enact Strategy
Manage Program to Ensure Objectives Met
Risk Management Activities

Information Security Program

As defined by ISACA, the goal of this domain is to:
Develop and maintain an information security program that identifies, manages and protects the organization's assets while aligning to information security strategy and business goals, thereby supporting an effective security posture.
Is best coordinated by the Chief Operating Officer, as this individual should properly see the need for balance between information security and business operations

Goals of Information Security Architecture

Document and communicate the artifacts of the security program
Ensure that HW, SW, FW all fulfill a stated business objective
Ensure that components work well together
Promote consistency throughout the enterprise
Guarantee resources are used effectively and efficiently
Provide for scalability of the enterprise

Information Security Program Elements

People: Training; Awareness; HR Policies; Background Checks; Roles / Responsibilities; Mobile Computing; Social Engineering; Social Networking; Acceptable Use Policies; Performance Management
Process: Risk Management; Asset Management; Data Classification; Info Rights Mgt; Data Leak Prevention; Access Management; Change Management; Patch Management; Configuration Management; Incident Response; Incident Management
Technology: System Security; UTM, Firewalls; IDS/IPS; Data Center Physical Security; Vulnerability Assessment; Penetration Testing; Application Security; Secure SDLC; SIM/SIEM; Managed Services

Data Security and Endpoint Protection

Data Security
Confidentiality
Data at Rest: Encryption, EFS, TPM (Trusted Platform Module), BitLocker, whole drive encryption
Data in Motion: Secure Transport Protocols - SSL/TLS, SSH, IPSec
Data in Use: Homomorphic Encryption
Integrity
Hashes/Message Digest
Availability
Redundancy
Non-Repudiation
Digital Signatures: Hash (integrity) encrypted with the sender's private key (authenticity)
Data traversing unsecured networks can have end-to-end security through the use of VPNs
Endpoint Protection
Includes desktops, laptops, tablets, etc. Hardening systems includes:
Remove unnecessary services
Patch systems
Rename guest and administrative accounts
Review default settings and configurations
Install anti-malware and monitoring software
Images are often used to deploy baseline O/S and applications
Configuration management requires changes to be controlled and documented
Remote access tools are often used by the network team to provide assistance and remote admin
Many devices have remote destruction capabilities in case of loss or compromise
Data should be encrypted for the sake of privacy
VDI relies on highly controlled servers running the apps users work with. Client systems work as terminals or thin clients

Network Protection: Segmentation

Segmentation
Routers: Segment the network based on broadcast traffic, security, or bandwidth needs
VLANs
Firewalls: Boundary devices
Packet filters: Screening router with an ACL configured (fast)
Black listing: All traffic is allowed, except what’s denied on a “black list”
White listing: All traffic is denied, except what’s allowed on a “white list”
Stateful Firewalls: Aware of the “state” of the connection—anomalies in protocol function
Application Proxies: Understand applications such as web services (HTTP and HTTPS).
Web proxies
Mail proxies
Air gaps
Network zones: Internet (Untrusted) - Firewall - DMZ/screened subnet (Semi-Trusted) - Firewall - LAN (Trusted)
Typical DMZ hosts: Web Servers, Mail Servers (SMTP), Proxy Servers, Application Firewalls, IDS/IPS, Honeypots
Network Protection: Network Address Translation

NAT (Network Address Translation)
Diagram: LAN hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 - Router (Network Address Translation; inside address 10.0.0.100, outside address 63.17.85.1) - Internet - WWW server 1.1.1.1
Translated packet on the Internet side: Source 63.17.85.1:5235, Destination 1.1.1.1:80
Private Internal IP Addresses (RFC 1918)
10.0.0.0
172.16.0.0 - 172.31.0.0
192.168.1.0

NAT (Network Address Translation)/PAT (Port Address Translation)
Diagram: LAN hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 - Router (Network Address Translation; inside address 10.0.0.100, outside address 63.17.85.1) - Internet
Translated packet on the Internet side: Source 63.17.85.1:5235, Destination 1.1.1.1:80
Private Internal IP Addresses (RFC 1918)
10.0.0.0
172.16.0.0 - 172.31.0.0
192.168.1.0
PAT translation table (IP Address / Port):
10.0.0.1 / 5325
10.0.0.1 / 4209

Network Protection: Wireless Networks

Wireless Networks
Encryption
WEP (Wired Equivalent Privacy): Weak
WPA (Wi-Fi Protected Access): Better & backwards compatible with WEP
WPA II: Stronger keys and algorithms
WPA III: Stronger key negotiation
Authentication: Proof of identity
802.1x
RADIUS
Centralized Management: Ease of admin, better security, consistency
Decentralized: Flexibility and better alignment with business objectives
Every access point is administered individually
Diagram: LAN - RADIUS (remote access) - Active Directory (runs on domain controller); RAS - Dial-up client

Network Services

Services
DNS: Uses records and cache to provide name resolution
Pharming—modification of records
Cache Poisoning—modification of cache
DNSSec—uses keys to authenticate other DNS servers
DHCP: Automatic assignment of IP addresses
Discover: Client broadcasts to learn which hosts offer DHCP service
Offer: All DHCP servers respond and offer an IP address
Request: Client requests an IP from the FIRST server that offered an IP address
Acknowledge: DHCP server grants the client the IP address and removes that address from its scope
LDAP (Lightweight Directory Access Protocol): Authentication Servers (Domain Controllers)
Web Services: Very susceptible to cross-site scripting, DoS
Mail Services: Very susceptible to DoS and confidentiality breaches

Services Continued: Network Access Control

Verifies health of system
Relies on client-side and server-side software
Uses a SHV (System Health Validator) on server
Client presents a Certificate of Health
Can provide denial of access, quarantine, or redirection to a remediation network

Incident Management Processes

Incident Management Process Flow

Prepare
Protect
Detect
Triage
Respond

Process Flow: Prepare
Coordinate Planning and Design
Identify Incident Management Requirements
Obtain Funding and Sponsorship
Develop Policies, Processes, and Plans
Establish Incident Handling Criteria
Determine and Implement Defined Resources
Determine Processes for Change Management to Incident
Response Plan and Process Changes
Process Flow: Protect
Protect and secure critical data and computing infrastructure
Implement changes to computing infrastructure
Implement infrastructure improvements to mitigate ongoing or
potential incidents, based on Lessons Learned/Postmortems
Evaluate computing infrastructure by performing proactive
security assessment and evaluation

Process Flow: Detect
Proactive Detection
Monitors information on a regular basis
Examines Information from vulnerability assessments/penetration tests,
network monitoring, alerts, SIEM systems, log review

Reactive Detection
Triggered when users or other organizations report unusual or suspicious activity
Requires multiple communications pathways for users to report incidents

Process Flow: Triage
Provides a means of sorting, categorizing, correlating, prioritizing, and assigning
incoming reports/events

Categorizing
DoS
Malicious code
Unauthorized access
Inappropriate usage
Multiple components
Correlation: Evaluates an event and determines whether other relevant information
relates to the event or is necessary for proper handling
Prioritization: Allows for efficient use of resources
Assignment: An incident or potential incident is assigned to the IMT, which
begins the Incident Response Process
Process Flow: Respond
Determines the steps needed to address, resolve or mitigate an incident

Technical Response:
Collection and analysis of information from various technical sources
Implementation or modification of technical controls

Management Response: Activities that require supervisory intervention, notification, interaction, escalation, or approval. This type of response is usually implemented by business managers/senior management and traverses business units

Legal Response: Activities that relate to laws and regulations and may result in an
investigation, prosecution, liability, copyright, etc.

Incident Response Plan

Elements of an Incident Response Plan

Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned

Preparation

Obtain senior management's support
Establish a methodology
Establish policy and means of notification to deter intruders and establish the right to obtain information from individual systems
Establish communications plan for stakeholders
Determine criteria for reporting incidents to law enforcement
Develop criteria and process for activating the incident management team

Identification
Detect and verify that an incident has taken place and determine its
severity (escalating as appropriate)
Intrusion Detection Systems
Signature-based
Behavior-based
SIEM Systems
Aggregation
Trend analysis
Forecasting
Alerts/Log Reviews
Establish the Chain of Custody
Containment
Limit the exposure to other systems
Obtain agreement on actions taken—may affect availability of systems
Obtain and preserve evidence
Document and take backups of actions from this stage onwards
Control and manage communications to the public

Eradication
Determines the root cause of the incident and removes its source
Restore from backup
Restore from OEM source (rootkits)
Antivirus software
Apply patches
Scan systems to look for additional vulnerabilities

Recovery
Restores systems/services to meet objectives:
SLO/SDO: Service Level Objectives/Service Delivery Objectives
MTD/MTO: Maximum Tolerable Downtime/Maximum Tolerable Outage
RTO: Recovery Time Objectives
RPO: Recovery Point Objectives

Systems owners review and test the system and declare normal operations

Lessons Learned
Report developed at the end of the incident response process to share information about the incidents, as well as successes and failures of the incident response processes
What happened and when?
Root cause?
Did staff perform well?
What procedures were followed and were they effective?
What would be done differently in the future?
Continuity of the Enterprise
Business Continuity and Disaster Recovery Planning

Business Continuity Planning
Information system contingency planning is a coordinated strategy involving
plans, procedures, and technical measures that enable the recovery of
information systems, operations, and data after a disruption. Contingency
planning generally includes one or more of the following approaches:

Restoring information systems using alternate equipment
Performing some or all of the affected business processes using alternate
processing (manual) means (typically only for short-term disruptions)
Recovering information systems operations at an alternate location
(typically only for long-term disruptions or those physically impacting the
facility)
Implementing appropriate contingency planning controls based on the
information system's security impact level
Categories of Disruptions
A company should understand and be prepared for each category:

Incident: Events with a negative impact
Device malfunction
Disruption of service
Emergency/Crisis
Urgent, immediate event where there is potential for loss of life or property
Disaster
Entire facility is unusable for a day or longer
Catastrophe
Destroys facility

Anyone can declare an emergency (pull/trigger alarm, etc.).
Only the BCP Coordinator can declare a disaster (triggering failover to another
facility).
Mitigate Risks

Reduce negative effects:
Life safety is the number one priority!
Reputation is the second most important asset of an organization.
Though specific systems are certainly essential, don't forget to
focus on the big picture: protect the company as a whole.

Business Continuity Planning
Threat Types:

Man-made
Strikes, riots, fires, terrorism, hackers, vandals
Natural
Tornado, flood, earthquake
Technical
Power outage, device failure, loss of a T1 line

Contingency Planning and Sub-plans

Business Continuity Sub-Plans
Protect
Crisis Communication Plan
OEP (Occupant Emergency Plan)
Recover
BRP (Business Recovery Plan)
DRP (Disaster Recovery Plan)
Continuity of Support Plan/IT Contingency Plan
Sustain
COOP (Continuity of Operations Plan)

Protect
Crisis Communications Plan
Purpose: Provides procedures for disseminating status reports to
personnel and the public
Scope: Addresses communications with personnel and the public; not IT
focused

Occupant Emergency Plan (OEP)
Purpose: Provides coordinated procedures for minimizing loss of life or
injury and protecting property from damage in response to a physical threat
Scope: Focuses on personnel and property particular to the specific facility;
not business process or IT system functionality based. May also be referred
to as Crisis or Incident Management Plans. However, the OEP concept
should be recognizable as the "initial response to the emergency event."
Recover
Business Recovery (or Resumption) Plan (BRP)
Purpose: Provides procedures for recovering business operations
immediately after a disaster

Continuity of Support Plan / IT Contingency Plan
Purpose: Provides procedures and capabilities for recovering a major
application or general support system

Cyber Incident Response Plan
Purpose: Provides strategies to detect, respond to, and limit consequences of
cyber incidents

Disaster Recovery Plan (DRP)
Purpose: Provides detailed procedures to facilitate recovery of capabilities at
an external site
Sustain
Continuity of Operations Plan (COOP)
Purpose: Provides procedures and capabilities to sustain an organization's
essential, strategic functions at an alternate site for up to 30 days.
This term is sometimes used by the U.S. government to refer to the field
of Business Continuity Management, but per NIST 800-34, it is a unique
sub-plan of the BCP.
BCP addresses ALL business processes, not just mission critical.
Scope: Addresses the subset of an organization's missions that are deemed
most critical: usually written at the headquarters level; not IT-focused

Plan Testing, Training, and Exercise

Phases of the Plan: Testing
Verify the plan for accuracy and completeness
Should happen once per year, or as the result of a major change
The purpose of testing is to improve the response (never to find fault or
blame)
Senior Management is responsible for ensuring the plans are tested
The type of testing is based upon the criticality of the organization,
resources available and risk tolerance

Types of Tests and Exercises
Checklist Test
Copies of plan distributed to different departments. Managers review.

Structured Walkthrough (Table Top) Test
Representatives from each department go over the plan.

Simulation Test
Go through a disaster scenario.
Continues up to the actual relocation to an offsite facility.

Parallel Test
Systems moved to an alternative site where processing takes place.

Full Interruption Test
Original site shut down. All processing moved to offsite facility.

Training
Training for personnel with contingency plan responsibilities should focus on
familiarizing them with ISCP roles and teaching skills necessary to accomplish
those roles.
For purposes of NIST SP 800-34, training consists of informing personnel of
necessary information (tested in the “Exercises” portion)
Training should include:
Purpose of the plan
Cross-team coordination and communication
Reporting procedures
Security requirements
Team-specific processes (Activation and Notification, Recovery, and Reconstitution Phases)
Individual responsibilities (Activation and Notification, Recovery, and Reconstitution Phases).

Exercises
Exercise evaluates employee response and ability to carry out the steps of
the contingency plan.
Personnel with roles and responsibilities in a particular ISCP meet to
validate the content of a plan through discussion of their roles and
responses to emergency situations, execution of responses in a simulated
operational environment, or other means of validating responses that do
not involve using the actual operational environment.
Exercises are scenario-driven, such as a power failure in one of the
organization’s data centers or a fire causing certain systems to be
damaged, with additional situations often being presented in an exercise.

Post-Incident Review
After a test or disaster has taken place:

Focus on how to improve

What should have happened

What should happen next

Not whose fault it was - this is not productive

Plan Maintenance

Phases of the Plan: Maintenance
As a general rule, the plan should be reviewed for accuracy and
completeness at an organization-defined frequency or whenever
significant changes occur to any element of the plan.
Certain elements, like contact lists, require more frequent reviews.
Plans for moderate- or high-impact systems should be reviewed often.
At a minimum, plan reviews should focus on these elements:
Operational requirements
Security requirements
Technical procedures
Hardware, software, and other equipment (types, specifications, and amount)
Names and contact information of team members

Keeping the Plan Up to Date
Make it a part of business meetings and decisions
Centralize responsibility for updates
Part of job description
Personnel evaluations
Report regularly
Audits
As plans get revised, original copies should be retrieved and destroyed.

Review of NIST 800-34

Business Continuity Planning Review
Project Initiation
Business Impact Analysis
Recovery Strategy
Plan Design and Development
Implementation
Testing
Maintenance
ISO 27031

Overview of ISO 27031
ISO 27031 provides guidance to business continuity and IT disaster
recovery professionals on how to plan for IT continuity and recovery as
part of a more comprehensive business continuity management system
(BCMS).
The standard helps IT personnel identify the requirements for Information
and Communication Technology (ICT) and implement strategies to
reduce the risk of disruption, as well as recognize, respond to and
recover from a disruption to ICT.
ISO 27031 uses the PDCA Cycle to provide this guidance

PDCA in Relation to Continuity
Plan: Creates and updates the governance structure for the overall IRBC management system. Key
outputs: IRBC policy that adequately addresses continuity of information and communication
technology and strategy options that the organization can deploy to meet business requirements.
Do: Focuses on performing activities and implementing solutions that enable the organization to
monitor for, respond to, and recover from a disruption to ICT services. Key outputs: Implementation
of strategies, generation of plans, and execution of training and awareness activities to promote
continuity for ICT services.
Check: Includes the review and evaluation of the performance of the IRBC management system.
Key outputs: Continuous monitoring of information and communication technologies for disruptions
and performance levels, as well as periodic reviews of ICT responsiveness and recoverability.
Act: Allows management to review the performance of the IRBC effort and direct the
implementation of corrective action, which will enhance management system performance and/or
reduce the risk of future disruptions to IT service.
