DAN CISSP NOTES - 2018
mission, and objectives of the organization.
- Cost effective and budget aware.
- Must take ‘top-down’ approach, e.g. senior management to
initiate, define and steer security efforts.
- Information Security team should be led by a designated CISO
who must report directly to senior management.
- Should develop three types of plans:
Strategic | Five years, org’s mission, risk assessment, should be
updated annually.
Tactical | One year, organizational goals (Project plans,
acquisition plans, hiring plans, etc...)
Operational | Day-to-Day, highly detailed
Figure 1 Plans Mapping (Image from CISSP official study guide 7th
edition – Sybex)
- Planning must address organizational processes (acquisition,
divestitures and governance committee)
Acquisitions and mergers risks includes data loss, downtime,
failure to achieve ROI
Divestiture risks include data remanence on previously used
computer systems (needs proper sanitization), risks from
disgruntled ex-employee (needs strong hiring/termination policies)
- Security Governance should be managed by Governance
Committee - group of influential knowledge experts whose
primary task is to oversee and guide the actions of security and
an organization, or at least members of the BoD.
Security Roles and Responsibilities
Senior Manager | ULTIMATELY responsible for the security
maintained by an org., his responsibility is delegated to...
Security Professional (Implementer, not decision makers) | Trained
and experienced network, systems, and security engineer who is
responsible for following the directives mandated by senior
management.
Data Owner (High level Manager) | Responsible for classifying
and protecting information, delegates his responsibility to...
Data custodian (the day-to-day guy) | Implementing the
prescribed protection defined by the security policy (backups,
deploying security controls, managing data storage)
Auditor (The eye of the management) | Reviewing and verifying that
the security policy is properly implemented.
Control Frameworks
CobiT documented set of best IT security practices crafted by
ISACA, it’s based on five key principles:
1. Meeting stakeholders’ needs, 2. Covering the Enterprise End-
to-End, 3. Applying a Single, Integrated Framework 4. Enabling a
Holistic Approach, 5. Separating Governance from Management.
Other control standards:
• NIST SP 800-53 Set of controls to protect U.S. federal systems
developed by the National Institute of Standards and Technology
• COSO Internal Control—Integrated Framework Set of internal
corporate controls to help reduce the risk of financial fraud
developed by the Committee of Sponsoring Organizations
(COSO) of the Treadway Commission
Enterprise/Security architecture frameworks
Security Program Development:
• ISO/IEC 27000 series International standards on how to
develop and maintain an ISMS developed by ISO and IEC
Enterprise Architecture Development:
• Zachman Framework Model for the development of enterprise
architectures developed by John Zachman
• TOGAF Model and methodology for the development of
enterprise architectures developed by The Open Group
• DoDAF U.S. DoD framework that ensures interoperability of
systems to meet military mission goals
• MODAF Used mainly in military support missions developed by 2
the British Ministry of Defence
• SABSA model A model and methodology for the development
of information security enterprise architectures
Process Management Development:
• ITIL Processes to allow for IT service management developed
by the UK’s Office of Government Commerce
• Six Sigma Business management strategy that can be used to
carry out process improvement
• Capability Maturity Model Integration (CMMI) Organizational
development for process improvement developed by Carnegie
Mellon University.
Policies, Standards, Procedures, and Guidelines
Policies | Compulsory, high level document that defines the main
security objectives and outlines the security framework of the org.
Policy components:
Purpose – Why; Scope – Who, what, where and when;
Responsibilities – Who and Compliance – What.
Example of policy statement: “All laptops must have proper
access controls”
Types of policies: Organizational security policy focuses on issues
relevant to every aspect of an organization.
Issue-specific focuses on a specific network service, department,
and functions.
System-specific focuses on individual systems or types of
systems and prescribes approved hardware and software.
Overall categories of security policy
Regulatory policy is required whenever industry or legal standards
are applicable to your organization (HIPPA, SOX)
Advisory policy discusses behaviors and activities that are
acceptable and defines consequences of violations (most policies
are advisory)
Advance and Protect The Profession