TASK 1: Conduct surveys to evaluate current status of information security programs

This task outlines concepts to support knowledge of:
* Elements of an information security program, including physical security, procedural security, information systems security, employee awareness, and information destruction and recovery capabilities
* Survey techniques
* Quantitative and qualitative risk assessments
* Risk mitigation strategies (e.g., technology, personnel, process, facility design)
* Cost-benefit analysis methods
* Protection technology, equipment, and procedures (e.g., interoperability)
* Information security threats
* Integration of facility and system plans, drawings, and schematics

ASIS

Risk assessment steps:
* Identify information assets
* Valuate information assets
* Assess threats to information assets
* Assess likely adversaries
* Assess the likelihood of occurrence of threats
* Identify vulnerabilities
* Assess the impact of a loss event or disclosure
* Identify and evaluate gaps in security controls
* Identify existing and planned security controls
* Assess and prioritize risks

Threat categories:
* Intentional threats
* Natural threats
* Inadvertent threats
* Data mining
* Insiders
* Counterfeiting and piracy

Risk assessment principles:
* Risk assessments should identify, quantify, and prioritize risks
* Assessments should be performed regularly and include risk monitoring
* Make a convincing business case for:
  = Proactive strategies
  = Dedication of resources
  = Ability to affect the business decision-making process

Trade secrets:
* Recognize that both insiders and outsiders are potential threats
* Identify and valuate trade secrets
* Implement a proactive plan for safeguarding trade secrets
* Secure physical and electronic versions of your trade secrets
* Impart intellectual knowledge on a "need-to-know" basis
* Provide training about the intellectual property plan and security

Layers of protection represent the following:
  = Increasing levels of trust for those with access to successive layers
  = Security technologies or measures that operate in concert
  = Successive layers employed to delay, detect, and deter intruders

* Apply multiple levels or layers of protective measures
* Ensure that successive levels or layers complement each other
* Integrate different families of protective measures in the strategy

Information destruction:
* Place shredders or secure collection receptacles
* Place signs in such areas to remind employees that overruns and misprints must be destroyed
* Document any transfers of sensitive records or documents
* Carefully select contractors that destroy sensitive information
* Destroy records and sensitive information in a manner that precludes reconstruction consistent with its level of sensitivity, and document the date and place of destruction
* Destroy obsolete records regularly
* Destroy incidental and duplicate records on a regular basis
* Store media awaiting destruction in secure containers
* Avoid discarding media in receptacles accessible to the public
* Protect records and information when being transported

Prototypes and models
* Should be afforded all the same security measures as other information assets
* Obsolete prototypes should be destroyed so they cannot be reverse-engineered

Manufacturing processes and equipment
* Access should be restricted
* Obsolete or damaged production equipment should be disposed of in a manner that does not compromise or divulge information regarding the production or processing area
* Photography in production or processing areas should be restricted
* Contractors with access should have executed NDAs
* Those who enter the processing area should display ID badges
* Information regarding loading dock activity may also require protection

Compartmentalization and physical or visual barriers:
* Information of various classifications should be stored separately.
* Safeguards such as barriers and covers should be used when sensitive information may be exposed to view by unauthorized individuals.

Privacy information:
* Establish privacy policies
* Designate an employee responsible for implementing privacy
* Evaluate privacy information and determine legal and regulatory requirements
* Ensure that systems are in place to guard employee and customer privacy
* Provide a mechanism to investigate compromises of privacy information
* Review federal, state, and international guidelines to ensure full compliance
* Clearly mark privacy information to state how it will be used
* Conduct program audits

IAP program coordination:
* Coordinate IAP matters with all appropriate elements of the company
* Incorporate IAP into the organization's business continuity plan
* Infuse IAP-related material into employee training
* Communicate IAP issues to all levels of management
* Investigate third parties prior to allowing access to confidential information

Peripheral and public information:
* Peripheral information should not provide valuable intelligence
* Consider the vulnerability of information released to outside entities
* Ensure publicly available information doesn't reveal sensitive information
* Assess vulnerabilities by taking the adversary's perspective
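The risk-assessment steps listed at the start of Task 1 (identify and valuate assets, assess threats and their likelihood, assess the impact of a loss event, prioritize risks) and the cost-benefit analysis the task calls for are easiest to see worked through once. The Python below is an added example, not material from the ASIS slides: it assumes the standard annualized loss expectancy (ALE) model as the way a quantitative assessment is carried out, and every asset, threat, loss figure and countermeasure in it is constructed illustration data.

```python
"""Quantitative risk ranking and countermeasure cost-benefit (added example).

Model (the standard ALE approach; assumed here, not stated on the slides):
    SLE = asset value * exposure factor     single loss expectancy
    ALE = SLE * ARO                         annualized loss expectancy
    net benefit of a control = ALE before - ALE after - annual cost
All names and numbers below are constructed illustration data.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # valuation of the information asset


@dataclass(frozen=True)
class Threat:
    asset: str              # name of the asset the threat acts on
    name: str
    exposure_factor: float  # fraction of asset value lost per event, 0..1
    aro: float              # annualized rate of occurrence (events per year)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    asset: str
    threat: str
    annual_cost: float
    aro_reduction: float        # fraction by which the control cuts ARO, 0..1
    ef_reduction: float = 0.0   # fraction by which it cuts the exposure factor


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    return asset.value * threat.exposure_factor


def annualized_loss_expectancy(asset: Asset, threat: Threat) -> float:
    return single_loss_expectancy(asset, threat) * threat.aro


def prioritize(assets, threats):
    """(asset, threat, ALE) tuples sorted with the highest ALE first."""
    by_name = {a.name: a for a in assets}
    rows = [(t.asset, t.name, annualized_loss_expectancy(by_name[t.asset], t))
            for t in threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def residual_ale(asset: Asset, threat: Threat, cm: Countermeasure) -> float:
    """ALE that remains after the countermeasure is applied (residual risk)."""
    reduced = replace(threat,
                      exposure_factor=threat.exposure_factor * (1 - cm.ef_reduction),
                      aro=threat.aro * (1 - cm.aro_reduction))
    return annualized_loss_expectancy(asset, reduced)


def countermeasure_value(assets, threats, cm: Countermeasure) -> float:
    """Annual net benefit; negative means the control costs more than it saves."""
    asset = next(a for a in assets if a.name == cm.asset)
    threat = next(t for t in threats if t.asset == cm.asset and t.name == cm.threat)
    before = annualized_loss_expectancy(asset, threat)
    return before - residual_ale(asset, threat, cm) - cm.annual_cost


def recommend(assets, threats, countermeasures):
    """Names of the countermeasures whose annual benefit exceeds their cost."""
    return [cm.name for cm in countermeasures
            if countermeasure_value(assets, threats, cm) > 0]


# Constructed illustration data (not from the slides).
ASSETS = [
    Asset("customer database", 2_000_000),
    Asset("product prototype", 500_000),
    Asset("marketing plan", 50_000),
]
THREATS = [
    Threat("customer database", "external intrusion", 0.25, 0.2),
    Threat("customer database", "insider disclosure", 0.5, 0.05),
    Threat("product prototype", "reverse-engineering of a discarded unit", 0.8, 0.1),
    Threat("marketing plan", "misprints recovered from public trash", 1.0, 1.5),
]
COUNTERMEASURES = [
    Countermeasure("shredders at printers", "marketing plan",
                   "misprints recovered from public trash", 5_000, 0.9),
    Countermeasure("secure destruction of obsolete prototypes", "product prototype",
                   "reverse-engineering of a discarded unit", 50_000, 0.95),
    Countermeasure("MFA on database access", "customer database",
                   "external intrusion", 30_000, 0.5),
]

if __name__ == "__main__":
    for asset, threat, ale in prioritize(ASSETS, THREATS):
        print(f"{ale:>12,.0f}  {asset}: {threat}")
    for cm in COUNTERMEASURES:
        print(f"{countermeasure_value(ASSETS, THREATS, cm):>12,.0f}  {cm.name}")
    print("recommended:", recommend(ASSETS, THREATS, COUNTERMEASURES))
```

The ranking step is what the slides call "assess and prioritize risks"; the net-benefit step is the cost-benefit case for or against a control. Note the third row of the constructed data: a control that removes almost all of a risk can still be rejected when its annual cost exceeds the loss it avoids, which is the kind of result a business case has to be able to show.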
* Implement an approval process for any presentations, papers, or articles that may contain information pertinent to sensitive activities or plans
* Develop specific, tailored IAP policies for key projects

Travel and meetings:
* Establish a reporting mechanism tailored to individuals who travel
* Document all information and equipment to be carried to the meeting
* Debrief travelers on their return
* Obtain site location details before a venue is confirmed
* Encourage meeting planners to select sites and rooms based on information protection concerns
* Perform a technical surveillance countermeasures inspection
* Secure shipment and storage before, during, and after the event
* Maintain security of printed and electronic materials and computer media during reproduction, transportation, and storage
* Minimize the distribution of hard-copy information
* Ensure suppliers follow appropriate security practices
* Limit access to meeting rooms
* Collect information and notes left behind by attendees and destroy them

Technical Surveillance Countermeasures (TSCM)
* Include services, equipment, etc. designed to locate, identify, and neutralize technical surveillance devices
* Should be part of an organization's overall protection strategy
* Arrange for regular inspection of telecommunications equipment
* Meeting rooms should be inspected for surveillance vulnerabilities regularly

Network and system hygiene:
* Change default passwords, usernames, and administrative accounts
* Assign administrative privileges appropriately
* Limit and monitor physical access to network components
* Ensure a separation of duties for IT staff where possible
* Install and update antivirus/firewall software
* Implement formal patch management and configuration protocols
* Train users in computer security awareness
* Require external organizations to maintain an equivalent level of security

IAP professionals should also be aware of the following:
* Logical network access control
* Application security
* Sanitizing information systems and media
* Encryption
* Digital signatures
* Wireless environments

Mobile devices:
* Require employees to acknowledge, in writing, that company-issued equipment and any information produced or stored on it are the property of the employer
* Control the use of mobile devices with embedded cameras
* Do not store personal information or passwords on wireless devices
* Lock cell phones when they are not in use
* Install software that can remotely lock a phone or erase its data
* Tag or engrave laptops with the organization's information
* Prevent the last logged-in username from being displayed
* Use a nondescript carrying case
* Be careful when using a wireless hot spot
* Disable auto-connect to unsecured Wi-Fi access points
* Regularly check with the device manufacturer for software updates or news of security vulnerabilities
* Encrypt mobile devices

Online meetings:
* Online meetings are convenient, but not always secure
* Find out how a service provider protects private information
* Encryption should be used for the transfer of data
* Unless validated, users should assume discussions are not private

Vetting a service provider:
* Look into the provider's financial performance and reputation
* Establish individual and corporate nondisclosure agreements
* Conduct on-site reviews of the provider before signing an agreement
* Ensure that appropriate physical security and IT measures are in place
* Consult with legal counsel on laws and regulations

Stored and discarded records:
* Destroy stored records periodically
* Maintain records no longer than is necessary
* Protect incidental business records discarded daily
* Monitor daily trash
* Note that recycling does not equal secure destruction; arrange for recycling only after materials have been properly destroyed
* Apply due diligence

Matters to discuss with the organization's legal counsel:
* Actions on any patent, copyright, or trademark/service mark violations
* Current legal protocols and case law
* Intellectual property rights protection
Copyright and trademark:
* Incorporate copyright protections into contracts and marketing strategies
* Enter into written, enforceable contracts to protect the copyright
* Refuse to assign or license the copyright until all consequences are understood
* Ensure that the copyright remains with the organization
* Become familiar with the organization's rights before the product crosses the border
* Develop and register a host-country language version of the trademark
* Register the trademark in neighboring countries
* Conduct ongoing research to identify products that infringe the trademark

Patents:
* Follow trade secret guidelines until a patent has been issued
* Ensure that patent protection is acquired in all appropriate jurisdictions
* Consider using other venues for resolving patent disputes

Trade secrets:
* Document the identification and valuation of the trade secrets
* Ensure that traditional and cyber security measures are in place
* Conduct periodic, random security audits to ensure compliance
* Execute nondisclosure agreements
* Establish need-to-know criteria
* Institute effective information warning notifications
* Properly destroy materials no longer needed

International Concerns
* Consult with lawyers well in advance before introducing intellectual property into another country
* Become familiar with the country's intellectual property rules and regulations

NDAs and Contracts
* Should include verification that the employee has read, understands, and will abide by the IAP policies and procedures, with a reminder after employment ends

TASK 2: Develop policies and procedures to ensure information is evaluated and protected against vulnerabilities and threats

This task outlines concepts to support knowledge of:
* Principles of information security management
* Information security theory and terminology
* Information security industry standards (e.g., ISO, PII, PCI)
* Laws and regulations regarding records management including collection, retention, legal holds, and disposition practices (e.g., General Data Protection Regulation [GDPR], biometric information)
* Practices to protect proprietary information and intellectual property
* Information protection measures, including security processes, physical access systems, and data management

What is the difference between an IAP program and an ISS program?
* IAP focuses holistically on the security of information assets
* ISS focuses on the security of information technology

ISS Terms
* Information systems threat
* Information systems vulnerability
* Information systems risk
* Information systems countermeasure
* Residual threat risk
* Residual risk

$\text{Residual Risk} = \dfrac{\text{Threats} \times \text{Vulnerabilities}}{\text{Countermeasures}}$

Virtual threat: vulnerabilities arise in
* The information systems infrastructure itself
* People using the information systems infrastructure
* People maintaining the information systems infrastructure
* Executive and senior management
* Information systems management processes

Information system control objectives: confidentiality, integrity, availability.

Mechanisms for increasing security include:
  = Multifactor authentication
  = Biometric authentication
  = One-time passwords (OTP)
  = Encryption

Availability:
* Back up data off-site
* Reliability is a related concern
* Redundancy aids the effort to ensure data availability

Control categories:
  = Administrative controls
  = Technical controls
  = Physical controls

Infrastructure countermeasures should include the following:
* Perimeter security
* Device protection security
* Access control and authentication
* Vulnerability and patch management
* System monitoring and log review
* Information systems security metrics
* Physical security of the information systems infrastructure
* IT staff training in information security

ISS program elements:
* Leadership exercised from the top
* Policies that incorporate ISS across the entire organization
* ISS awareness training and education programs for all users
* Incorporation of ISS matters in business continuity, contingency, and emergency plans
* Information security management incorporated in all third-party information-sharing agreements and implementations

ISS resources available to the security practitioner:
* ISO/IEC 27000 series standards and the NIST 800 series
* The Certified Information Systems Security Professional (CISSP) common body of knowledge
* Guidance for boards of directors and executive management developed and published by the Information Systems Audit and Control Association (ISACA)

ISO 27001 outlines information security management practices as follows:
* Security policy
* Organization of ISS
* Asset management
* Human resources security
* Physical and environmental security
* Communications and operations management
* Access control
* Information systems acquisition, development, and maintenance
* Information security incident management
* Business continuity management
* Compliance
(These eleven areas are the control clauses of the 2005 editions of ISO/IEC 27001/27002; the 2013 edition regrouped Annex A into 14 domains and the 2022 edition into four themes: organizational, people, physical, and technological.)

CISSP common body of knowledge, 8 domains:
1. Security and Risk Management
2. Asset Security
3. Security Engineering
4. Communications and Network Security
5. Identity and Access Management (IAM)
6. Security Assessment and Testing
7. Security Operations
8. Software Development Security

Laws and regulations:
* Security professionals should be aware of key laws and regulations that affect the information security landscape.
* The legal framework is generally designed to obligate organizations to protect sensitive information in their care that belongs to others.

PCI DSS requirements (wording as in PCI DSS v3.x; v4.0 keeps the same twelve requirements with restated wording):
* Build and Maintain a Secure Network and Systems
  = Requirement 1: Install and maintain a firewall configuration
  = Requirement 2: Do not use vendor-supplied defaults
* Protect Cardholder Data
  = Requirement 3: Protect stored cardholder data
  = Requirement 4: Encrypt transmission of cardholder data
* Maintain a Vulnerability Management Program
  = Requirement 5: Protect systems against malware; regularly update antivirus software
  = Requirement 6: Develop and maintain secure systems and applications
* Implement Strong Access Control Measures
  = Requirement 7: Restrict access to cardholder data
  = Requirement 8: Identify and authenticate access to system components
  = Requirement 9: Restrict physical access to cardholder data
* Regularly Monitor and Test Networks
  = Requirement 10: Track and monitor all access
  = Requirement 11: Regularly test security systems and processes
* Maintain an Information Security Policy
  = Requirement 12: Maintain a policy that addresses information security

HIPAA regulations require the following:
* Maintain a risk-driven information security management program
* Ensure the confidentiality, integrity, and availability of all electronic protected health information
* Protect against any reasonably anticipated threats or hazards
* Protect against any reasonably anticipated unauthorized uses or disclosures
* Ensure compliance by its workforce
* Ensure compliance by third parties

GLBA:
* The GLBA regulates the use and disclosure of nonpublic personal information of individuals who obtain services from financial institutions
* Its requirements generally emphasize the following:
  = Executive management involvement
  = Risk- and vulnerability-driven measures, based on regular assessments
  = Written information security policies
  = Employee training
  = Control of third parties
COPPA:
* COPPA applies to any online operator that collects personal information from children under 13
* Rules specify:
  = What a website operator must include in a privacy policy
  = When and how to seek verifiable consent from a parent
  = Responsibilities an operator has to protect a child's privacy and safety online

SOX:
* The Sarbanes-Oxley Act of 2002 (SOX) requires that all public companies address their information security procedures and practices in a very public way.

Red Flags Rule:
* The Red Flags Rule regulates financial institutions and creditors. The purpose of the program is the early detection and prevention of identity theft through:
  = Identifying relevant patterns, practices, and specific forms of activity that signal possible identity theft
  = Defining procedures to detect red flags in daily operations
  = Responding appropriately to any detected red flags
  = Ensuring the program is updated periodically

FTC Enforcement Actions
* The U.S. Federal Trade Commission has adopted a "Safeguards Rule" under the GLBA, which requires each financial institution within its jurisdiction to develop, implement, and maintain a comprehensive information security program

General Data Protection Regulation (GDPR)
* Regulation in EU law on data protection and privacy
* Addresses the transfer of personal data outside the EU and EEA
* Aims to give individuals control over their personal data

* Per the GDPR, transfer of data outside of the EU may only happen to countries deemed as having adequate data protection laws
  = The EU does not list the U.S. as one of these countries
  = The EU-U.S. Privacy Shield was designed to create a program whereby participating companies were deemed as having adequate protection, and therefore to facilitate the transfer of information
  = Caveat: the Court of Justice of the EU invalidated Privacy Shield in July 2020 (Schrems II); its successor, the EU-U.S. Data Privacy Framework, received an adequacy decision in July 2023, so transfers to the U.S. now rest on that framework or on standard contractual clauses

Assessing an information security program: four questions
* What are the organization's information security needs, obligations, and opportunities?
* How effective is the organization at managing the security of its critical information assets?
* What are the gaps between its needs and its realities?
* What capacity exists for closing the gaps?

Needs, obligations, and opportunities:
  = Legal obligations to protect information
  = Ethical obligations to protect information of customers, trading partners, and others
  = Reducing brand risk and other damages due to security incidents
  = Fiduciary responsibilities
  = Competitive opportunities

Effectiveness at managing the security of critical information assets:
  = Administrative, technical, and physical controls
  = Management structure
  = ISS policies
  = Information classification and control
  = User awareness, training, and education
  = Computer and network security
  = Physical security
  = Personnel security
  = Third-party ISS assurance

Gaps between needs and realities:
  = Management gaps
  = Procedural gaps
  = Technology gaps
  = Cultural gaps

Capacity for closing the gaps:
  = Time and resources
  = Attention span
  = Culture

TASK 3: Implement and manage an integrated information security program

This task outlines concepts to support knowledge of:
* Information security including confidentiality, integrity, and availability
* Information security systems methodology
* Authentication techniques (e.g., multifactor, biometrics)
* Continuous evaluation and improvement programs
* Ethical hacking and penetration testing techniques and practices
* Encryption and data-masking techniques (e.g., cryptography)
* Systems integration techniques (e.g., interoperability, licensing, networking)
* Cost-benefit analysis methodology
* Project management techniques
* Budget review process (e.g., system development lifecycle)
* Vendor evaluation and selection process
* Final acceptance and testing procedures
* Protection technology and forensic investigations
* Training and awareness programs to mitigate threats and vulnerabilities (e.g., phishing, social engineering, ransomware, insider threats)

Cyberattacks are based in part on:
* Increasing connectivity and availability of assailable networks, systems, etc.
* The ability of cybercriminals to derive significant financial rewards
* Worldwide federation between cybercriminals and malware developers
* Nation-state, terrorist, and politically driven backing of targeted cybercrimes
* A lack of cohesive law enforcement around the globe

ISS Policy Implementation
1. Identify organizational issues that impact ISS policy
2. Identify the information in need of protection and the protection required
3. Identify the various classes of policy users
4. Draft ISS policies based on Steps 1-3
5. [step not legible in the source]
6. Train all personnel in the organization's ISS policies
7. Enforce the ISS policies
8. Review and modify policies, as appropriate, but at least annually

This international standard (ISO/IEC 27001) encourages:
* Understanding an organization's information security requirements
* Establishing policy and objectives for information security
* Implementing operating controls
* Monitoring and reviewing the performance and effectiveness of the ISMS
* Continual improvement based on objective measurement
[Figure: ISMS continual improvement cycle]

Making Continual Improvement
* Take corrective and preventive actions based on the results of internal ISMS audits, management reviews, and other relevant information

An ISS-Aware Culture
* An effective information security program ultimately depends upon people's behavior
* Behavior depends on what people know, how they feel, and what their instincts tell them to do
* ISS awareness training programs rarely have significant impact on people's deeper security instincts

Why ISS is often neglected:
* ISS may not be core to the organization
* "Information systems security" contains the word "security"
* Organizational culture is often neglected
* A different language
* "It will not happen to us"

ISS risks that can weaken physical security:
* Denial of service (DoS)
* Insertion of inaccurate data
* Data theft
* Data modification
* Data destruction

Social engineering
* Social engineering is the manipulation of people to get them to do something that weakens the security of the network
* Examples include scams and phishing
* One of the ways criminals use social engineering is to convince people to give up their user IDs and passwords

Phishing
* The fraudulent practice of sending emails or text messages purporting to be from a reputable source in order to induce individuals to reveal personal information, such as passwords or other credentials.
The hacker:
  = Goes after a system by directly accessing it or by exploiting a vulnerability
  = Works with tools under their control to gain access to the network
  = Tries to identify what defenses are in place and then defeat them

Malware often circumvents preventive measures because:
* Antivirus software is not kept up to date
* Untrained users open booby-trapped emails and files
* Untrained users visit booby-trapped Internet sites
* System administrators allow users to install software on the desktop

Ransomware
* Ransomware threatens to publish the victim's data or block access to it unless a ransom is paid
* Attacks are typically carried out using a Trojan disguised as a legitimate file that the user is tricked into downloading or opening

Communications Attacks: Web Attacks
* Web attacks can focus on clients or on servers
* They are particularly dangerous because they can defeat almost every control

The following are essential elements of an ISMS:
* Appropriateness of any system in place
* Ongoing risk identification and management
* Incorporation of appropriate controls
* Appropriate monitoring, review, maintenance, and improvement
* Appropriate management responsibility
* Internal auditing or review
* Management review of the ISMS

Security Policy
* Without a policy, it is difficult to tell people what they should do to be secure
* The creation of a security policy is typically a multidisciplinary, multidepartment function
* Physical security participation is critical

Organization of ISS
* Some elements of ISS organization are familiar to physical security professionals
* Some ISS-specific issues include system access and third-party review

Asset Management
* Deals with the special requirements for information as it is transmitted and stored on the network
* Some physical security-related information may need special handling
* Video could contain highly sensitive content that needs to be specially protected
* An access control system contains the keys to an organization's doors and must have special controls in place

Human Resources Security
* Necessary background checks, terms of employment screening, security awareness and training, disciplinary process, and termination practices in an ISMS context are similar to what a physical security practitioner already knows
* Because physical security practitioners have a mature understanding of HR management, they can contribute much in this arena

Physical and Environmental Security
* The ability to secure areas in which ISS assets reside is critical to protecting those assets
* Likewise, it would harm the organization if an access control or video recording server were stolen
* As collaboration between physical and logical security increases, better solutions will result for all involved

Communications and Operations Management
Issues that must be addressed from a security perspective (ISO 27002):
* Computer system turn-on and shutdown
* Emergency shutdown procedures
* Change management
* Segregation of duties
* Third-party service delivery
* Capacity management
* System management
* System acceptance
* Malicious code protection
* System backup
* Network security controls
* Media handling
* Security of system documentation
* Exchange of information
* Online transactions
* Monitoring
* Clock synchronization

Access Control
* Security systems that reside on a network, such as video surveillance and physical access control systems, require logical access control

Information Security Incident Management
* Physical security practitioners may be interested in the legal aspects of information security incident management, specifically regarding evidence from a seized computer, server, or network trace

Business Continuity Management
* There are numerous areas of involvement for the physical security practitioner
* Physical security technology assets must be operational in the event of an unexpected incident
* The active participation of the physical security professional can be critical to ISS practitioners

Compliance
* Some compliance issues directly affect both physical security and ISS
* The physical security professional should fully understand this aspect of the security policy so as not to place other systems at risk
