CISM WB03


Certified Information Security Manager (CISM)

Domain 03 - Information Security Program Development

Slide 1

Lesson 1: Development of Information Security Program

• The information security program covers all of the activities and resources that provide information security
• It could be a short-term project or a large multiyear endeavor
• Three important elements of a security program:
    ◦ The program should be based on good information, integrated with the business objectives
    ◦ It should be well designed, with management support
    ◦ Quality metrics should be used for the design and implementation phases as well as for ongoing monitoring

Slide 2

Importance of the Program

• The goal of the strategy isn’t implementation and operation
• The security program is used to design security systems from build, deployment, modification and maintenance through to the end of the lifecycle
• Any security program takes a great deal of planning and the use of expertise and resources

Slide 3

Outcomes of Security Program Development

• Strategic alignment
    ◦ Aligned with business objectives
    ◦ Communications and feedback
• Risk management
    ◦ Maintaining acceptable levels
• Value delivery
• Resource management
    ◦ People, technology, and processes
• Assurance process integration
• Performance measurement

Slide 4

Effective Information Security Program Development

• This includes the roles and responsibilities of executive management
• A matrix of outcomes and responsibilities connects the program components with related activities
• All team members should work together and be made aware of the content of the information security program so they can coordinate with their respective areas

[Diagram: program components - Strategy, Policy, Compliance, Awareness, Monitoring, Implementation]

Slide 5

Lesson 2: Information Security Program Objectives

• Program Objectives
• Defining Objectives

Slide 6

Program Objectives

• Main objective:
    ◦ Implement the strategy in the most cost-effective manner possible
    ◦ Maximize business
    ◦ Minimize disruptions
• If the strategy is well developed, the primary task is turning the high-level strategy into logical and physical reality

Slide 7

Program Objectives Continued

• Remember that it’s inevitable:
    ◦ Some elements may have to be modified or reconsidered
    ◦ There could be changes in business requirements
    ◦ The underlying infrastructure may have changed
    ◦ Topology changes
    ◦ Perhaps internal resistance

Slide 8

Defining Objectives

• There is almost always a security program already in place
• Compare existing organizational activity to what is required to reach the desired state
• Determine the forces that drive the business needs:
    ◦ Regulatory compliance
    ◦ Higher frequency of security incidents
    ◦ Reputational damage
    ◦ Growing commercial demands of the Payment Card Industry (PCI) Data Security Standard (DSS)

Slide 9

Defining Objectives Continued

• After the objectives have been defined:
    ◦ Develop the processes and projects that close the gap between the current state and those objectives
    ◦ Identify the control objectives
    ◦ Develop suitable metrics
    ◦ Monitor control points

Slide 10

Cross-Organizational Responsibilities

Role: Executive management
  Responsibility: Oversight and alignment
  KPI: Assigning responsibilities

Role: Business risk management
  Responsibility: IT risk assessment
  KPI: Prioritization of risks

Role: Department manager
  Responsibility: Signoff and testing of security requirements, and determining access authorization
  KPI: Formal approval of security features as well as assigned access rights

Role: IT operations management
  Responsibility: Security monitoring; incident response; crisis management procedures; site inventory
  KPI: Identification of security incidents as well as proper response and recovery

Role: Quality manager
  Responsibility: Security review; application security design; change control; management of security upgrades
  KPI: Creating security policy compliance; meeting business requirements for CIA; testing and application of security software fixes

Slide 11

Lesson 3: Information Security Program Development Concepts

• The information security manager must have an understanding of many management and process concepts, such as:
    ◦ SDLC
    ◦ Requirements
    ◦ Specifications
    ◦ Control, design, and development objectives
    ◦ Implementing and testing controls
    ◦ Monitoring and metrics
    ◦ Architectures
    ◦ Documentation
    ◦ Quality assurance
    ◦ Program management – budgeting, costing, and other financial issues
    ◦ Risk management
    ◦ Communications

Slide 12

Technology Resources

• Most resources will be a mix of technologies as well as processes, policies and people
• Examples of resources might be:
    ◦ Firewalls and other security systems, including network devices and intrusion detection
    ◦ Cryptographic techniques, such as PKI or digital signatures
    ◦ Authentication options, such as multi-factor authentication
    ◦ Application security methodologies
    ◦ Web security
    ◦ Compilation of logs
    ◦ Vulnerability scans and penetration testing
    ◦ Business continuity programs

Slide 13

Information Security Manager

• Good governance includes clearly defined roles and responsibilities
• The information security manager is included in the definition of responsibilities:
    ◦ Meeting security objectives
    ◦ Delegation of roles and responsibilities
    ◦ Use of proper resources
    ◦ Creating a set of monitoring and management metrics
    ◦ Being a part of the top-down commitment

Slide 14

Lesson 4: Scope and Charter of Information Security Program Development

• Implementation of a security program will impact an organization’s normal way of doing business
• The extent of management support for implementing the strategy and risk management activities determines the charter

Slide 15

Assurance Function Integration

• Any security program, to be effective, will include activities of many other departments’ functions
• Each department has its own vernacular; nevertheless, there must be some organization to the integration of the policy within the business
    ◦ Even if one department does its own risk assessment for physical security, it would still have relevance to the overall security posture, including information systems

Slide 16

Challenges in Developing Information Security Program

• It takes a lot of cooperation to effectively put a program in place and measure its results
    ◦ It’s not unusual for security program development to be impacted by conflicting people, process and policy issues
    ◦ Other issues may result in cost overruns, especially as unanticipated issues arise and new requirements come to light

Slide 17

Pitfalls

• Implementing a security program can encounter some resistance, such as:
    ◦ Resistance to the changes
    ◦ A perception that increased security could reduce access required for job functions
    ◦ Overreliance on subjective metrics
    ◦ A failure of the strategy
    ◦ Poor project management that may result in delays
    ◦ Previously undetected or buggy software

Slide 18

Objectives of the Security Program

• One of the main objectives should be the implementation of the strategy in the most cost-effective manner possible, while minimizing impact on the business function
• Whether the strategy has been developed at a detailed or a conceptual level, program development will need a lot of planning and design to turn it into project plans

Slide 19

Program Goals

• At a high level, a security program’s desired outcomes may include:
    ◦ Strategic alignment
    ◦ Risk management
    ◦ Value delivery
    ◦ Resource management
    ◦ Assurance process integration
    ◦ Performance measurements

Slide 20

The Steps of the Security Program

• Defining objectives
    ◦ These should be clearly defined to help close the gap between the current state and the objectives
    ◦ Residual risks
    ◦ The desired state
    ◦ The objectives could turn out to be more expensive or more time-consuming than planned

Slide 21

Defining the Roadmap

• A roadmap is needed so the information security manager doesn’t start off with a blank slate
• Being able to create a roadmap is an effective skill that helps the information security manager develop a program that leads to the desired state
• The roadmap should have:
    ◦ Objective
    ◦ Scope
    ◦ Constraints
    ◦ Approach
    ◦ Result

Slide 22

Defining the Roadmap Continued

• Developing a roadmap should start with a review of the existing data, applications, systems, facilities and processes
    ◦ A review objective is a statement of what is to be determined in the course of a review
• The objective defines the information that the security manager wants to get out of the review
• The scope refers to the mapping of the review objective to the item being reviewed; in a way, the review objective dictates the scope

Slide 23

Defining the Roadmap Continued

• Constraints are the situations within which the reviewer operates
• The approach is a set of activities that cover the scope in a way that meets the objective of the review within the given constraints
    ◦ The main goal is to identify the best approach that has the fewest constraints
• The result is an assessment of whether the review objective was met, which helps answer the question “is this secure?”

Slide 24

Elements of the Roadmap

• Roadmaps are used to implement the information security strategy and must consider a number of factors. With a well-developed strategy, there should be a high-level roadmap already created
    ◦ Without a good strategy or risk objectives, there is a risk that nothing will be integrated or prioritized, resulting in a very poor security program

Slide 25

Elements of the Roadmap Continued

• Much of the security program will involve designing controls to meet the objectives and then deciding on a course of projects to implement, deploy and test those controls
    ◦ Consideration should be given to the ability of the organization to absorb new security activities
• During the design of the security program, the manager should focus on the relationship between general and application-level controls
    ◦ This may involve a step-by-step breakdown of interrelated activities that cover the infrastructure and operating environment as well as the security measures

Slide 26

Elements of the Roadmap Continued

• General controls are activities that support the entire organization in a centralized fashion
    ◦ The term “general” describes controls over infrastructure that may operate in a shared environment
    ◦ These controls can be managed by different groups, so the security manager must identify the respective roles and responsibilities

Slide 27

Elements of the Roadmap Continued

• Using the constraints of the roles and responsibilities, the information security manager should be able to identify key technology elements that facilitate the achievement of control objectives
  ◦ These elements, if used centrally throughout the organization, will become a part of the security architecture

Slide 28

Gap Analysis
• After the roles and responsibilities are properly established, an inventory should be taken of the required versus existing technology and processes
  ◦ This inventory and analysis can identify where the control objectives are not adequately supported by controls
  ◦ This information helps measure progress toward the security program goals
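The roadmap steps above (control objectives, general versus application controls owned by different groups, then an inventory of required versus existing controls) can be worked through as a small gap analysis. This is an added example, not course material; the objectives, control names, owners and statuses are constructed sample data.

```python
"""Control-objective gap analysis (added example, not from the CISM course).
All objectives, controls, owners and statuses below are constructed samples."""
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    kind: str    # "general" (shared infrastructure) or "application"
    owner: str   # group that operates the control
    status: str  # "implemented", "partial" or "missing"


@dataclass
class ControlObjective:
    identifier: str
    description: str
    required: list[str]  # names of the controls needed to satisfy the objective


# Constructed sample: what the roadmap says each objective needs.
OBJECTIVES = [
    ControlObjective("CO-1", "Only authorised users can reach production systems",
                     ["central-iam", "mfa", "privileged-access-review"]),
    ControlObjective("CO-2", "Security events are detected and analysed",
                     ["central-logging", "siem-monitoring"]),
    ControlObjective("CO-3", "Systems are patched within policy timelines",
                     ["patch-management", "vulnerability-scanning"]),
]

# Constructed sample: what the inventory found actually exists today.
INVENTORY = {
    "central-iam": Control("central-iam", "general", "IT Ops", "implemented"),
    "mfa": Control("mfa", "general", "IT Ops", "partial"),
    "central-logging": Control("central-logging", "general", "IT Ops", "implemented"),
    "siem-monitoring": Control("siem-monitoring", "general", "SecOps", "implemented"),
    "patch-management": Control("patch-management", "general", "IT Ops", "implemented"),
}


def analyse_gaps(objectives, inventory):
    """For each objective, list required controls that are missing or only
    partially implemented, with the owner who must be engaged to close the gap,
    and the fraction of required controls that are fully in place."""
    report = {}
    for obj in objectives:
        gaps = []
        for name in obj.required:
            ctrl = inventory.get(name)
            if ctrl is None:
                # Nothing in the inventory: no owner has been assigned yet.
                gaps.append((name, "missing", "unassigned"))
            elif ctrl.status != "implemented":
                gaps.append((name, ctrl.status, ctrl.owner))
        covered = len(obj.required) - len(gaps)
        report[obj.identifier] = {
            "coverage": covered / len(obj.required),
            "gaps": gaps,
        }
    return report


def prioritise(report):
    """Order objectives by coverage, lowest first, so the programme addresses
    the weakest-supported objectives before the rest."""
    return sorted(report, key=lambda key: report[key]["coverage"])


if __name__ == "__main__":
    result = analyse_gaps(OBJECTIVES, INVENTORY)
    for obj_id in prioritise(result):
        entry = result[obj_id]
        print(f"{obj_id}: {entry['coverage']:.0%} covered; gaps: {entry['gaps']}")
```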

Slide 29

Lesson 5: Information Security Management Framework
• The Management Framework
• COBIT 5
• ISO/IEC 27001

Slide 30

Security Management Framework

• This is a conceptual representation of a management structure
  ◦ Defines the technical, operational, administrative and managerial components of the program
  ◦ Should also define the organizational units and leadership
• Other outcomes of an effective security management framework focus on shorter-term needs. For instance:
  ◦ Decision makers require awareness of risk and mitigation options
• The IS manager should craft options for outcomes such as:
  ◦ Tactical and strategic value added to the organization
  ◦ Efficient operation with regard to cost
  ◦ IS drivers, activities, benefits and needs

Slide 31

COBIT 5
• COBIT provides a comprehensive framework that helps an enterprise achieve its objectives. Its five principles are:
  ◦ Principle 1: Meeting stakeholder needs
  ◦ Principle 2: Covering the enterprise end-to-end
  ◦ Principle 3: Applying a single, integrated framework
  ◦ Principle 4: Enabling a holistic approach
  ◦ Principle 5: Separating governance from management
• COBIT 5 for Information Security
  ◦ Focuses on providing guidance for professionals

Slide 32

ISO/IEC 27001
• Security policy
• Organization of assets and resources
• Asset classification and controls
• Personnel security
• Communications and operations management
• Access control
• Information systems acquisition
• Business continuity management
• Compliance
• Incident management

Slide 33

Lesson 6: Information Security Framework Components
• Operational components
• Management components
• Administrative components
• Educational and informational components

Slide 34

Operational Components
• These are the ongoing management and administrative activities that must be performed to provide the required level of security assurance. They include:
  ◦ SOPs
  ◦ Business operations security practices
  ◦ Maintenance and administration of security technologies
• These are generally conducted on a daily to weekly basis

Slide 35

Operational Components Continued

• Examples of operational components:
  ◦ Identity management and access control
  ◦ Security event monitoring and analysis
  ◦ System patching procedures
  ◦ Configuration management
  ◦ Security metrics collection
  ◦ Incident response

Slide 36

Management Components
• These could include activities like:
  ◦ Standards development or modification
  ◦ Policy reviews
  ◦ Oversight of initiatives or program execution
• Management objectives, requirements and policies are key in shaping the rest of the information security program, which in turn defines what must be managed
• Analysis of assets, threats, risks and organizational impacts must be ongoing or periodic

Slide 37

Administrative Components
• As the IS management function grows, so do its:
  ◦ Resources
  ◦ Personnel
  ◦ Financial aspects
• Financial administration generally consists of:
  ◦ Budgeting
  ◦ Timeline planning
  ◦ TCO
  ◦ ROI

Slide 38

Educational and Informational Components

• These must include:
  ◦ Employee education and awareness
  ◦ Information security awareness training
  ◦ Employee orientation
  ◦ Initial training
  ◦ Acceptable use policies
  ◦ Employee monitoring policies

Slide 39

Lesson 7: Information Security Program Resources
• Many resources are required to develop and implement a security program, and it is important that the information security manager understands what those resources are and how they can be used
  ◦ Resources are the mechanisms available, in some measure, that can help achieve the desired state of security

Slide 40

Resources
• Many resources have already been enumerated in other domains; examples of these resources are:
  ◦ Policies, standards, procedures and guidelines
  ◦ Architecture
  ◦ Controls: physical, technical and procedural
  ◦ Countermeasures and layered defenses as well as other technologies
  ◦ Personnel and organizational structure
  ◦ Skills and training, especially awareness and education
  ◦ Threat and vulnerability assessments
  ◦ Risk assessment and management

Slide 41

Documentation
• Existing policies, standards, procedures and guidelines are your primary documentation; they can be resources as well as constraints
• Policies are often designed around regulatory requirements and typically list the security requirements that align with the business needs

Slide 42

Enterprise Architecture
• As has been discussed earlier, there are many architectural approaches that can be used for security
  ◦ The architectural approach is a newer idea seen in the last 10 years, so you may be in a large organization where security has evolved piecemeal, in bits and pieces that lack the integration needed
  ◦ This can create a very complex situation to work with
  ◦ The goal of architecture is to define the relationships between various business attributes

Slide 43

Enterprise Architecture Continued

• The contextual architecture defines the relationships between various business attributes
  ◦ For example, this would include the who, what, when, where and how
• The logical architecture describes the same elements in terms of their relationships
• The physical layer identifies the relationships between the different security mechanisms that execute the logical relationships
• The component architecture lists the actual devices and their interconnections
• The operational architecture describes how security service delivery is organized

Slide 44

Enterprise Architecture Continued

• There are a number of architectural approaches designed for the enterprise, some of which deal partially with security or exclusively with security
  ◦ The detailed discussion of these is outside the scope of this course, but they fall into two basic categories:
    ◦ Process models
    ◦ Framework models
  ◦ Basically, the architecture is tightly aligned with purpose, or linked to the business objectives

Slide 45

Controls as Strategy Implementation Resources

• Controls are considered a regulatory device, system, procedure or process that regulates some operational activity
  ◦ Remember that these exist as policies, procedures, practices, technologies and organizational structures to meet the business objectives
  ◦ Security controls address people, technology and processes
  ◦ Controls represent corrective or preventive actions, although they can also be deterrent and detective

Slide 46

Controls as Strategy Implementation Resources Continued
• The categories of controls are:
  ◦ Deterrent
  ◦ Preventive
  ◦ Detective
  ◦ Corrective or compensatory
• Controls should be automated, making it technically unfeasible to bypass them

Slide 47

Common Control Practices

• Common control practices that make controls difficult to bypass rest on principles such as:
  ◦ Logical access control – mandatory access control or discretionary access control
  ◦ Secure failure
  ◦ Least privilege
  ◦ Compartmentalization
  ◦ Segregation of duties
  ◦ Transparency
  ◦ Trust
  ◦ Trust no one
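Three of the principles listed above (secure failure, least privilege and segregation of duties) can be shown in an access-control decision that must keep working when its policy backend is down. This is an added example, not course material; the policy store, user names and permission names are constructed, and the fail-open variant is included only to show the behaviour that secure failure rules out.

```python
"""Secure failure, least privilege and segregation of duties in an access
decision (added example, not from the CISM course). The policy table, users
and permission names are constructed samples."""


class PolicyStoreUnavailable(Exception):
    """Raised when the authorisation backend cannot be reached."""


# Constructed policy: explicit grants only. Anyone not listed holds nothing,
# which is the least-privilege default (deny unless granted).
POLICY = {
    "alice": {"read:reports"},
    "bob": {"read:reports", "approve:payments"},
}


def lookup_permissions(user, available=True):
    """Simulated policy-store call; `available=False` models an outage."""
    if not available:
        raise PolicyStoreUnavailable("policy store timeout")
    return POLICY.get(user, set())


def is_allowed_fail_open(user, permission, available=True):
    """Insecure pattern: an outage is treated as 'no objection', so every
    request is granted while the backend is down."""
    try:
        return permission in lookup_permissions(user, available)
    except PolicyStoreUnavailable:
        return True  # fails open: the control is bypassed by an outage


def is_allowed_fail_closed(user, permission, available=True):
    """Secure failure: any error denies. Combined with the explicit-grant
    policy this also gives least privilege for unknown users."""
    try:
        return permission in lookup_permissions(user, available)
    except PolicyStoreUnavailable:
        return False  # fails closed: outage cannot be used to bypass the control


def can_approve(submitter, approver, available=True):
    """Segregation of duties: the approver must hold the approval permission
    and must not be the person who submitted the item."""
    if submitter == approver:
        return False
    return is_allowed_fail_closed(approver, "approve:payments", available)


if __name__ == "__main__":
    # Constructed scenario: the policy store is down and an unknown user asks
    # for the most sensitive permission.
    print("fail-open grants during outage:",
          is_allowed_fail_open("mallory", "approve:payments", available=False))
    print("fail-closed grants during outage:",
          is_allowed_fail_closed("mallory", "approve:payments", available=False))
    print("bob approving his own submission:", can_approve("bob", "bob"))
    print("bob approving alice's submission:", can_approve("alice", "bob"))
```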

Slide 48

Countermeasures
• These are controls that are put in place to respond to a specific threat
  ◦ These too may be preventive, detective or corrective
  ◦ Countermeasures, like controls, are designed in response to a specific threat
• Not all countermeasures are technical in nature
  ◦ An example may be training about social engineering

Slide 49

Technologies
• The technology chosen to mitigate risk may be constrained by existing legacy architecture
  ◦ These constraints can be minimized due to the wide range of technology alternatives

Slide 50

Technologies Continued
• Some common types of technology that can be used as design control points are:
  ◦ Access control lists
  ◦ Data loss prevention
  ◦ Content filtering
  ◦ Database management systems
  ◦ Encryption – symmetric or asymmetric
  ◦ Hashing
  ◦ OSI
  ◦ Operating systems
  ◦ Public/private key encryption
  ◦ Route filtering
  ◦ Traffic/packet filtering
  ◦ IP security

Slide 51

Personnel
• Personnel should have defined roles and responsibilities as well as an inventory of their skills
  ◦ Roles – (RACI) responsible, accountable, consulted, informed
  ◦ There are charts that can be used to define the various roles associated with developing an information security program
  ◦ These roles are often assigned to an individual by virtue of their job function

Slide 52

Personnel Continued
• Skills are the training, expertise and experience of the person
  ◦ Skills are often associated with a job function
  ◦ Skills can be gained through training or on-the-job experience
• Culture represents the organization's behavior and often influences how the work gets done
  ◦ One goal may be to build a security-aware culture

Slide 53

Security Awareness
- There should be an awareness of the risks and available safeguards; this awareness is often the first line of defense
- A good security program should consider the human element
- Awareness training should be available for all employees, contractors and third parties

Slide 54

Awareness Topics
- Awareness training can vary but should include topics such as:
  - Backing up files
  - Good password security
  - E-mail and web-based attacks
  - Understanding social engineering
  - Knowing how to report security incidents
  - Securing information in all forms
  - Detecting malware

Slide 55

Formal Audits
- Audits, like security reviews, should have defined objectives, scope, constraints, approach and results
- The audit approach is to identify, evaluate, test and assess the effectiveness of controls
- The goal is to test whether each control meets its stated objectives, i.e., whether it is in compliance with the policies and standards
- The audit documentation should record the mapping of controls to objectives, how each test is conducted, and the final assessment
- External audit frameworks and standards include COBIT and ISO/IEC 27002

Slide 56

Compliance Enforcement
- Once a security program is implemented, there should be a plan to check and enforce compliance
- Compliance enforcement refers to any activity that ensures compliance with the stated objectives
- In some cases, a control may be chosen based on its ease of monitoring and enforcement
- A complex control may actually pose more risk, because compliance with it is harder to monitor

Slide 57

Project Risk Analysis
- In other words, the project itself may have its own inherent risks
- Possible threats that could be found through all stages of implementation include:
  - Unclear objectives
  - Carelessness or mistakes
  - Lack of training or good planning
  - Insufficient resources
  - Improper specifications
  - Mistakes in execution
  - Malicious actions

Slide 58

Other Actions
- Conducting a vulnerability analysis
- Risk and business impact assessment
- Resource dependency analysis
- Review of external security service providers (outsourcing or service contract). Examples of these might be:
  - Physical perimeter security
  - BCP
  - Penetration testing
  - Audits
  - Security reviews
  - Forensics

Slide 59

Other Organizational Support
- Many other sources of information may be useful for a security manager to integrate into the security program:
  - Good-practices organizations
  - Security networking roundtables
  - Security training organizations
  - Vulnerability alerting services

Slide 60

Program Budgeting
- Budgeting is an important part of information security program development and can be seen as a constraint on the program's success
- The information security manager should be very familiar with the budgeting process prior to the development of the program

Slide 61

Program Budgeting Continued
- Elements of each project that should be considered for cost might be:
  - Ongoing operational costs
  - Hardware and software subscription services
  - Employee time
  - Contracting or consulting fees
  - Space and other environmental requirements
  - Testing resources
  - Documentation support
  - Maintenance
  - Unknown contingencies

Slide 62

Lesson 8: Implementing an Information Security Program
- The successful development and implementation of the information security program will depend on some prerequisites such as:
  - Defined and agreed-upon objectives
  - Resources required for the building blocks of the program
  - Defined control objectives
  - Security reviews and audits as well as gap analysis
  - Management support

Slide 63

Policy Compliance
- Policies are the basis for accountability with regard to security responsibilities
- Policies must be comprehensive enough to cover all situations, yet flexible enough to allow different processes and procedures to evolve
- The security manager should make sure there are no "orphan" systems, i.e., systems without a policy compliance owner
- At times there may be exceptions to policy; these should be well documented
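As an added illustration of the two checks just described (no orphan systems, well-documented exceptions), the following is example code written for this workbook page, not part of the CISM material. It runs over a constructed system inventory; the system names, owner ids, policy ids and exception records are all made up, and the rule that an exception needs a justification, an approver and an unexpired end date is an assumed documentation standard.

```python
"""Policy-compliance ownership check (added example, not from the CISM workbook).

Assumes a constructed inventory in which every system must carry a
policy-compliance owner, and every policy exception must be documented with
a justification, an approver and an expiry date that has not passed.
All names and dates below are constructed sample data.
"""
from datetime import date

# Date on which the review is run (constructed).
AUDIT_DATE = date(2020, 6, 1)

# Constructed inventory: hypothetical systems, owners, policies and exceptions.
INVENTORY = [
    {"system": "hr-payroll", "owner": "j.doe",
     "policies": ["ACC-01", "LOG-02"], "exceptions": []},
    {"system": "legacy-fax-gw", "owner": None,          # orphan: nobody owns compliance
     "policies": ["ACC-01"], "exceptions": []},
    {"system": "lab-build-01", "owner": "r.roe",
     "policies": ["ACC-01", "LOG-02"],
     "exceptions": [{"policy": "LOG-02", "justification": "no syslog support",
                     "approved_by": "ciso", "expires": date(2020, 1, 31)}]},
    {"system": "web-front", "owner": "a.ali",
     "policies": ["ACC-01"],
     "exceptions": [{"policy": "ACC-01", "justification": "",
                     "approved_by": None, "expires": None}]},  # undocumented
]


def find_orphan_systems(inventory):
    """Return systems that have no policy-compliance owner."""
    return [s["system"] for s in inventory if not s.get("owner")]


def find_bad_exceptions(inventory, today):
    """Return (system, policy, problems) for exceptions that are undocumented
    (missing justification or approver) or lapsed (no expiry, or expired)."""
    findings = []
    for s in inventory:
        for e in s.get("exceptions", []):
            problems = []
            if not e.get("justification"):
                problems.append("no justification")
            if not e.get("approved_by"):
                problems.append("no approver")
            if e.get("expires") is None:
                problems.append("no expiry")
            elif e["expires"] < today:
                problems.append("expired")
            if problems:
                findings.append((s["system"], e["policy"], problems))
    return findings


def compliance_report(inventory, today):
    """Combine both checks into one report dict for the security manager."""
    return {"orphans": find_orphan_systems(inventory),
            "exception_findings": find_bad_exceptions(inventory, today)}


if __name__ == "__main__":
    report = compliance_report(INVENTORY, AUDIT_DATE)
    for system in report["orphans"]:
        print(f"ORPHAN   {system}: no policy compliance owner")
    for system, policy, problems in report["exception_findings"]:
        print(f"EXCEPTION {system} / {policy}: {', '.join(problems)}")
```

An expired exception is reported alongside an undocumented one because, once the end date passes, the system is simply non-compliant with the policy again; the report is what the manager would bring to the exception owner for renewal or remediation.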

Slide 64

Standards Compliance
- Standards supply the boundaries of options for systems, processes and actions that enforce policy
- A standard should give consistency to similar systems within the same domain, so that they have similar configurations and operations
- When possible, compliance checking should be automated to catch intentional or unintentional activity that deviates from the policies

Slide 65

Training and Education
- Wherever any part of the security program depends on people, the roadmap should include training and education for those involved
- The training should educate employees about operational requirements and the responsibilities that come with their activities
- People who understand why a policy is enforced are more motivated to follow it

Slide 66

ISACA Control Objectives
- ISACA identifies 11 control objectives as the minimum controls that need to be in place for system security:
  - Management of IT security
  - IT security plan
  - Identity management
  - User account management
  - Security testing, surveillance and monitoring
  - Security incident definition
  - Protection of security technology
  - Cryptographic management
  - Malicious software prevention, detection and correction
  - Network security
  - Exchange of sensitive data

Slide 67

Third-party Service Providers
- A third-party service provider may provide partial or complete business processes or services
- As such, they will require some level of access to the organization's networks and information systems
- The information security manager should ensure that appropriate policies, procedures and processes are designed to address the outsourcing lifecycle

Slide 68

Third-party Service Providers Continued
- The organization and third parties should commit to:
  - How data is stored securely
  - Allocation of appropriate resources to maintain security
  - Taking responsibility for security rather than expecting the organization to supply additional safeguards
  - Maintaining accountability within the service provider
  - Maintaining all application security processes so they are transparent to customers
  - Well-defined procedures for incident response
  - A policy for data destruction and sanitization

Slide 69

Integration into Lifecycle Processes
- Security should be designed and built into the project management and system development lifecycle processes
- The security manager must remember that technology processes evolve as part of the SDLC
- There should be accountability for policy compliance through change requests, by identifying where changes are initiated, funded and deployed

Slide 70

Monitoring and Communication
- There are many monitoring considerations that should be implemented in this program regardless of its scope
- For example, changes or modifications to controls should be monitored to determine whether the controls are still operating as intended
- This may involve reviewing logs or other alerts
- Key controls should be monitored in real time if possible
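The log review described above, applied to modifications of controls, is shown by the following added example; it is illustration code for this page, not part of the CISM material. The log format, host and user names, action names and change-ticket ids are constructed, as is the rule that every control change must carry a ticket from an approved list.

```python
"""Monitoring control changes against approved change tickets (added example,
not from the CISM workbook).

Constructed log lines record modifications to security controls (firewall
rules, audit policy).  Each change is expected to reference an approved
change ticket; a change with no ticket, or with a ticket that is not on the
approved list, is flagged for review.  Log format, hosts, users and ticket
ids are constructed sample data.
"""
import re
from collections import Counter

# Constructed control-change log (key=value style, one event per line).
SAMPLE_LOG = """\
2024-03-01T08:12:03Z host=fw-edge-1 user=n.ops action=rule_modified rule=allow-any-in ticket=CHG-1042
2024-03-01T08:15:44Z host=fw-edge-1 user=n.ops action=rule_deleted rule=deny-telnet ticket=
2024-03-01T09:02:10Z host=dc-01 user=svc-backup action=audit_policy_changed setting=logon-events ticket=CHG-9999
2024-03-01T09:30:00Z host=fw-edge-1 user=n.ops action=rule_modified rule=allow-vpn ticket=CHG-1042
"""

# Constructed list of change tickets that went through approval.
APPROVED_TICKETS = {"CHG-1042"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"(?P<target_key>rule|setting)=(?P<target>\S+) ticket=(?P<ticket>\S*)$"
)


def parse_log(text):
    """Parse each well-formed line into a dict; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def unapproved_changes(events, approved):
    """Control changes that lack a ticket or cite one that was never approved."""
    findings = []
    for e in events:
        if not e["ticket"]:
            reason = "no change ticket"
        elif e["ticket"] not in approved:
            reason = "ticket not approved"
        else:
            continue
        findings.append((e["ts"], e["host"], e["user"], e["action"],
                         e["target"], reason))
    return findings


def changes_per_actor(events):
    """How many control changes each (host, user) pair made; a spike here is
    itself worth a look even when every change carries a ticket."""
    return Counter((e["host"], e["user"]) for e in events)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for finding in unapproved_changes(events, APPROVED_TICKETS):
        print("REVIEW", *finding)
    for (host, user), n in changes_per_actor(events).most_common():
        print(f"{host} {user}: {n} change(s)")
```

The check is deliberately two-sided: a change without any ticket and a change citing an unapproved ticket are both findings, and the per-actor count gives the real-time view the slide asks for on key controls, since a burst of changes from one account stands out even before the tickets are reconciled.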

Slide 71

Documentation
- Documentation should accompany any security program
- Documentation should record changes at the various stages to ensure that it stays current
- Some of the documentation might include:
  - Program objectives
  - The roadmap
  - Business case
  - Required resources
  - Risks and controls: standards, procedures, guidelines
  - Budgets
  - System designs and architectures
  - Project plans, milestones, timelines

Slide 72

The Plan of Action
- The gap analysis should have identified projects where improvements are needed
- Many of these projects could be technology implementations or reconfigurations to meet the stated objectives
- These projects have a time, a budget and a measurable result

Slide 73

Plan of Action Continued
- The plan of action should encompass total quality management, which contains some of the following elements:
  - Vision: a clear and compelling statement about the organization's purpose
  - Strategic objectives: a set of goals to move towards the vision
  - CSFs (critical success factors): the circumstances or events needed to achieve the objectives
  - KPIs (key performance indicators): concrete metrics to ensure that the CSFs are achieved
  - Key actions: initiatives to be delivered to achieve the objectives and KGIs (key goal indicators)

Slide 74

Lesson 9: Information Infrastructure and Architecture
- Infrastructure is the base or foundation on which information systems are deployed
- It may comprise computing platforms, networks and middleware layers for a wide variety of applications

Slide 75

Managing Complexity
- As business environments grow, many business processes and support functions must integrate seamlessly to be effective, which can be seen as increasing complexity
- Architecture helps manage this complexity by:
  - Providing a framework and roadmap
  - Bringing simplicity and clarity through layering and modularization
  - Keeping a business focus beyond the technical domain

Slide 76

Managing Complexity Continued
- Architecture and control objectives are considered a combination of technologies that provide control points within a system's infrastructure
- Some examples of architecture policy domains would be:
  - Database management systems
  - Telecommunications
  - Web application access

Slide 77

Objectives of Information Security Architectures
- The underlying idea of architecture is that complex systems must:
  - Have their objectives comprehensively defined
  - Have precise specifications
  - Have their structures engineered and tested for performance, fit and function
  - Have their performance monitored or measured against the design objectives
- Little exists for an overall, comprehensive enterprise security infrastructure, or for its management as it relates to the business objectives

Slide 78

Objectives of Information Security Architectures Continued
- The SABSA model has six layers that can assist in developing a model for enterprise security architecture:
  - The business view: contextual security architecture
  - The architect's view: conceptual security architecture
  - The designer's view: logical security architecture
  - The builder's view: physical security architecture
  - The tradesman's view: component security architecture
  - The facilities manager's view: operational security architecture

Slide 79

Physical and Environmental Controls


 The best technical security can be thwarted by a lack of good physical
security
 If you can touch it, you own it - physical access can often override logical controls
 Physical controls can also mitigate damage to facilities and other resources caused
by natural or technological events

Slide 80

Lesson 10: Information Security Program


 As an information security manager, there is no expectation that you are
directly configuring the processes involving security; rather, those
functions are assigned to other people within the organization
 The information security manager is available to close gaps between
business units within the organization that have responsibility for
different security controls
 As an example, working with procurement to purchase technologies that might need
to be reviewed
 New IT projects that are supported by the business can also follow some type of
system development lifecycle, and these would be integrated by the information
security manager

Slide 81

Information Security Program Deployment Metrics
 In the development of an information security program, several kinds of metrics
should be considered
 Metrics necessary to track and guide the program development
 Metrics needed for reporting ongoing management results
 It is useful to distinguish between managing technical IT security systems at
the operational level and the overall management of the information security
program
 Remember that information security governance should set goals for the
information security program that are designed for the organization
 Metrics really serve just one purpose, which is decision support
 Strategic metrics – a combination of management metrics used to validate that the program is on track and within budget
 Management metrics – used to manage the security program to the required levels of compliance
 Operational metrics – often technical metrics, such as vulnerability scan results and patch management status

Slide 82

Metrics
 There are a number of other considerations for the creation of metrics;
the essential attributes to be considered are:
 Are they manageable
 Are they meaningful
 Are they actionable
 Are they unambiguous
 Are they reliable
 Are they timely
 Are they predictive
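As an added illustration of the three tiers of metrics described on the previous slide (this is example code written for this workbook page, not material from the course or from ISACA), the script below takes constructed patch-status records, the kind of data a vulnerability scanner produces, and rolls them up: per-host facts for operators, a compliance percentage per business unit for managers, and a single on-track/off-track figure for strategic decision support. The 30-day patch standard, the 90% target and all host names are assumptions.

```python
"""Added example: rolling operational patch data up into management and
strategic metrics. All hosts, thresholds and targets are hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HostPatchRecord:
    host: str
    business_unit: str
    missing_critical: int       # critical patches still outstanding
    oldest_missing_days: int    # age in days of the oldest outstanding patch


# Constructed sample scanner output (hypothetical hosts).
SAMPLE_SCAN = [
    HostPatchRecord("web-01", "sales", 0, 0),
    HostPatchRecord("web-02", "sales", 1, 12),
    HostPatchRecord("db-01", "finance", 2, 45),
    HostPatchRecord("app-01", "finance", 0, 0),
    HostPatchRecord("file-01", "hr", 1, 20),
]

PATCH_SLA_DAYS = 30  # assumed standard: critical patches applied within 30 days


def within_sla(record):
    """A host is compliant when nothing outstanding is older than the SLA."""
    return record.oldest_missing_days <= PATCH_SLA_DAYS


def operational_metrics(records):
    """Operational tier: per-host facts an administrator can act on directly."""
    return {
        r.host: {"missing_critical": r.missing_critical,
                 "sla_breached": not within_sla(r)}
        for r in records
    }


def management_metrics(records):
    """Management tier: compliance level (percent of hosts within SLA) per business unit."""
    by_unit = {}
    for r in records:
        unit = by_unit.setdefault(r.business_unit, {"hosts": 0, "compliant": 0})
        unit["hosts"] += 1
        if within_sla(r):
            unit["compliant"] += 1
    return {u: round(100.0 * v["compliant"] / v["hosts"], 1) for u, v in by_unit.items()}


def strategic_metric(records, target_pct=90.0):
    """Strategic tier: one decision-support figure, is the program on track against its target?"""
    compliant = sum(1 for r in records if within_sla(r))
    pct = round(100.0 * compliant / len(records), 1)
    return {"overall_pct": pct, "target_pct": target_pct, "on_track": pct >= target_pct}


if __name__ == "__main__":
    print(operational_metrics(SAMPLE_SCAN))
    print(management_metrics(SAMPLE_SCAN))
    print(strategic_metric(SAMPLE_SCAN))
```

The same underlying records feed all three tiers; what changes is the aggregation and the audience. A finding such as "db-01 has breached the patch SLA" is actionable for an operator but noise for the board, while "80% overall against a 90% target" is exactly the kind of unambiguous, timely figure the next slide's attributes call for.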

Slide 83

Strategic Alignment
 Remember that the alignment of security activities with the
organizational objectives is essential in all phases of the security
program
 One primary concern is whether the program objectives have materially changed
 Another concern is that changes or modifications to the strategic objectives are
reflected in the security program objectives

Slide 84

Risk Management
 The lifecycle approach to risk management should be used, since the
program development risks are different from the strategic or ongoing
management risks
 Risks to program development are primarily treated as project risks
 The design risk is that the end result is not suitable for its intended purpose
 Project risk should always be considered as it relates to costs, timetables, resources and
critical path matters

Slide 85

Value Delivery
 The security program is usually a series of planned projects designed to improve the
quality of the overall program
 Standard metrics should be used to determine whether the program is meeting its
objectives and delivering the expected value
 The budgeted cost of the work scheduled should be compared with the actual cost of
the work performed

Slide 86

Resource Management
 Even with good processes for identifying and designating the technology,
roles and responsibilities for program development, you are still
required to make sure day-to-day operations work properly
 Metrics for resource utilization should be used to support efforts at maximizing the
effectiveness of program development
 It may be helpful to gather historical data on resource dependencies that might affect
the security program
 In managing resources, you should make sure that personnel who have a lead role
have a backup who can perform the given function unassisted
 This is commonly referred to as “cross-training”

Slide 87

Assurance Process Integration


 A security program should consider how it will interface with and
integrate into other assurance activities
 Examples might be:
 Physical security, IT security, legal, HR and privacy issues
 The development and implementation of the security program should provide
opportunities to hook into these departments

Slide 88

Performance Measurement
 There should be a means of gauging how effectively the performance
measurements themselves reflect the performance of various aspects of the
security program
 You may find that some performance measurements are not adequate, accurate,
reliable or timely
 Performance measurements should demonstrate whether the security program is
working and achieving its objectives

Slide 89

Security Baselines
 Remember that a baseline is the lowest boundary of standards that
define the minimum required security for an enterprise
 A major part of the security program is made up of designing, developing and
implementing controls that conform to the standards and should meet the baselines
 A baseline can be used as a point of reference

Slide 90

Lesson 11: Security Program Services and Operational Activities
 IS Liaison Responsibilities
 Cross-Organizational Responsibilities
 Security Reviews and Audits
 Management of Security Technology
 Due Diligence
 Compliance Monitoring and Enforcement
 Assessment of Risk and Impact
 Outsourcing and Service Provider
 Cloud Computing
 Integration with IT Processes

Slide 91

IS Liaison Responsibilities
 Physical/Corporate security
 IT Audit
 IT Unit
 Business Unit Managers
 Human Resources
 Legal Department
 Employees
 Procurement
 Compliance
 Privacy

Slide 92

IS Liaison Responsibilities Continued


 Training
 Quality Assurance
 Insurance
 Third Party Management
 Project Management Office

Slide 93

Cross-Organizational Responsibilities
 The IS Manager is directly responsible for many critical aspects of the IS
program.
 If the IS Manager is working across multiple areas of responsibility, then they
should assign separate responsibilities to senior managers to avoid conflicts of
interest.
 This is the principle of separation of duties

Slide 94

Security Reviews and Audits


 Security reviews will have:
 An objective
 A scope
 Constraints
 An approach
 A result

 Audits have similar goals with respect to controls, but can also include:
 Mapping controls to control objectives
 How the tests were conducted
 Linking the tests to the final assessment

Slide 95

Security Reviews and Audits Continued


 Auditors: this is an important responsibility within the security review
and audit process
 Auditors are often viewed negatively by IT staff
 Should be unbiased
 Should work with the appropriate organizational unit
 Can be internal and/or external to the organization

Slide 96

Management of Security Technology


 There is often a heterogeneous set of controls within an organization
 This can also be a combination of new vs. legacy controls

 Technology Competencies
 There may be different members with a mixture of competencies

Slide 97

Due Diligence
 Also referred to as the “standard of due care”
 The steps that would be taken by a reasonable person
 This means that the basic components of a reasonable security program should be
in place:
 Senior management support
 Comprehensive policies, standards and procedures in place
 Appropriate education and awareness training
 Periodic risk assessments
 Implementation of adequate security controls
 Tested BCP/DRP

Slide 98

Due Diligence Continued


 The IS Manager must be aware of the various standards for managing
and controlling access to information resources
 Some organizations may have different standards
 AICPA
 CICA
 ISO
 ISACA
 NFPA
 FERC

 There should also be continuing research into the newest security threats.

Slide 99

Compliance Monitoring and Enforcement


 Compliance enforcement processes must be considered during program
development.
 This can be thought of as any activity within the IS program that ensures compliance
with the policies, standards and procedures.
 Designing the enforcement of procedures can be complicated
 A system of monitoring to verify compliance should also be considered.

 Policy compliance
 Policies are the basis for accountability
 Policies should be comprehensive, covering as many situations as possible
 Make sure there are no “orphans” (situations or assets that no policy covers)

Slide 100

Compliance Monitoring and Enforcement Continued
 Standards compliance: standards define the boundaries of acceptable options for systems,
processes and actions that remain within policy.
 The same standard should apply to the same kinds of systems across the organization
 Standards may also vary with the criticality and sensitivity of the resource

 Resolution of noncompliance issues:
 Being out of compliance increases the risk to an organization
 Monitoring should be able to recognize noncompliance, which should then be dealt with in a
timely manner
 Compliance enforcement: an ongoing set of activities that help fulfill
the IS and other standards
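To make the relationship between a baseline (slide 89), standards that vary with resource criticality (this slide) and compliance monitoring concrete, here is an added example, written for this page rather than taken from the course material: a small checker that evaluates constructed host configurations against a hypothetical baseline, applies a stricter overlay to high-criticality resources, and produces a noncompliance report ordered so that the most critical gaps are resolved first. The baseline values, the overlay and the host inventory are all assumptions.

```python
"""Added example: checking host configurations against a security baseline
and reporting noncompliance. Baseline values, overlay and hosts are hypothetical."""
from dataclasses import dataclass

# Hypothetical baseline: the minimum every system must meet, as
# (comparison, required value). "min" means actual >= value, "max" means
# actual <= value, "eq" means actual == value.
BASELINE = {
    "password_min_length": ("min", 12),
    "disk_encryption": ("eq", True),
    "audit_logging": ("eq", True),
    "patch_age_days": ("max", 30),
}
# Assumed stricter overlay for high-criticality resources; the baseline still applies.
SENSITIVE_OVERLAY = {
    "password_min_length": ("min", 16),
    "mfa_required": ("eq", True),
}
CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: object
    actual: object
    criticality: str


def effective_standard(criticality):
    """Baseline first, then the overlay for high-criticality resources."""
    standard = dict(BASELINE)
    if criticality == "high":
        standard.update(SENSITIVE_OVERLAY)
    return standard


def satisfies(rule, actual):
    """Evaluate one (comparison, value) rule; a missing setting is noncompliant."""
    op, expected = rule
    if actual is None:
        return False
    if op == "min":
        return actual >= expected
    if op == "max":
        return actual <= expected
    return actual == expected


def check_host(host):
    """Return a Finding for every setting that falls below the host's effective standard."""
    standard = effective_standard(host["criticality"])
    findings = []
    for setting, rule in standard.items():
        actual = host["config"].get(setting)
        if not satisfies(rule, actual):
            findings.append(Finding(host["name"], setting, rule[1], actual, host["criticality"]))
    return findings


def compliance_report(hosts):
    """Aggregate findings, most critical first, plus the share of fully compliant hosts."""
    findings = [f for h in hosts for f in check_host(h)]
    findings.sort(key=lambda f: (CRITICALITY_RANK[f.criticality], f.host, f.setting))
    noncompliant = sorted({f.host for f in findings})
    compliant_pct = round(100.0 * (len(hosts) - len(noncompliant)) / len(hosts), 1)
    return {"findings": findings, "noncompliant_hosts": noncompliant,
            "compliant_pct": compliant_pct}


# Constructed sample inventory (hypothetical hosts and settings).
SAMPLE_HOSTS = [
    {"name": "hr-db", "criticality": "high",
     "config": {"password_min_length": 12, "disk_encryption": True,
                "audit_logging": True, "patch_age_days": 10, "mfa_required": False}},
    {"name": "kiosk-01", "criticality": "low",
     "config": {"password_min_length": 12, "disk_encryption": False,
                "audit_logging": True, "patch_age_days": 45}},
    {"name": "app-01", "criticality": "medium",
     "config": {"password_min_length": 14, "disk_encryption": True,
                "audit_logging": True, "patch_age_days": 5}},
]

if __name__ == "__main__":
    for f in compliance_report(SAMPLE_HOSTS)["findings"]:
        print(f"{f.criticality:6} {f.host:10} {f.setting}: expected {f.expected}, got {f.actual}")
```

Note that hr-db meets the organization-wide baseline (12-character passwords) but still appears in the report, because the standard that applies to it is the stricter one for sensitive resources; a setting that is simply absent from a host's configuration is treated as a gap rather than silently passing, which is the behaviour a monitoring system needs if noncompliance is to be recognized rather than overlooked.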

Slide 101

Assessment of Risk and Impact


 The main operational responsibility of the IS Manager is to manage risk
to an acceptable level.
 Vulnerability assessment: vulnerabilities are weaknesses that could harm the
CIA of the organization, and therefore should be continually monitored.
 Actively reviewing or auditing
 Researching the newest threats and testing whether you are vulnerable

 Threat assessment: technical and behavioral threats to an organization
can evolve over time
 Introduction of new controls, applications, etc.
 This should be done at least annually, comparing how the organization's profile may
have changed

Slide 102

Assessment of Risk and Impact Continued


 Risk assessment is the process of identifying and evaluating risk and its
potential impact on an organization
 BIA is the exercise of determining the impact of losing access to a
resource for any period of time.
 Resource dependency assessment: this is a substitute for the BIA,
usually less costly to an organization, but still aimed at determining the
impact that the loss of a resource may have on the organization
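The resource dependency assessment just described can be done with nothing more than a dependency map and a list of which business processes run on which resources. The example below was added for this page (it is not course material) and uses constructed process, resource and criticality data: it follows dependencies transitively, so that losing a shared back-end resource is correctly attributed to every process that sits on top of it, and ranks resources by the impact of their loss. The criticality scale (3 = mission critical, 1 = convenience) is an assumption.

```python
"""Added example: a simple resource dependency assessment. Processes, resources,
dependencies and criticality weights are all hypothetical."""
from collections import deque

# Constructed dependency map: each resource lists the resources it needs.
RESOURCE_DEPS = {
    "payroll_app": ["hr_db", "auth_service"],
    "hr_db": ["san_storage"],
    "auth_service": ["directory"],
    "order_portal": ["orders_db", "auth_service"],
    "orders_db": ["san_storage"],
    "directory": [],
    "san_storage": [],
    "wiki": [],
}

# Business processes, the resource each one runs on, and an assumed
# criticality weight (3 = mission critical, 1 = convenience).
PROCESSES = {
    "pay employees": ("payroll_app", 3),
    "take customer orders": ("order_portal", 3),
    "staff login": ("auth_service", 2),
    "internal documentation": ("wiki", 1),
}


def dependents_of(resource, deps=RESOURCE_DEPS):
    """All resources that directly or transitively depend on `resource`."""
    reverse = {}
    for r, needs in deps.items():
        for n in needs:
            reverse.setdefault(n, set()).add(r)
    seen, queue = set(), deque([resource])
    while queue:                      # breadth-first walk up the reverse graph
        current = queue.popleft()
        for d in reverse.get(current, ()):
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return seen


def loss_impact(resource, deps=RESOURCE_DEPS, processes=PROCESSES):
    """Processes stopped if `resource` is lost, and their summed criticality."""
    affected = dependents_of(resource, deps) | {resource}
    stopped = sorted(p for p, (r, _) in processes.items() if r in affected)
    score = sum(w for _, (r, w) in processes.items() if r in affected)
    return {"resource": resource, "processes_stopped": stopped, "impact_score": score}


def rank_resources(deps=RESOURCE_DEPS, processes=PROCESSES):
    """Every resource ranked by the impact of losing it, highest first."""
    return sorted((loss_impact(r, deps, processes) for r in deps),
                  key=lambda x: (-x["impact_score"], x["resource"]))


if __name__ == "__main__":
    for entry in rank_resources():
        print(f'{entry["impact_score"]:2}  {entry["resource"]:14} {entry["processes_stopped"]}')
```

The ranking surfaces something a per-process inventory alone would miss: no business process runs on the directory service directly, yet its loss scores as high as any resource in the map because authentication, and everything behind it, depends on it. That is the kind of hidden single point of failure the assessment is meant to reveal before a full BIA is affordable.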

Slide 103

Outsourcing and Service Providers

 Two general types: outsourcing security services or outsourcing IT services
 Most security requirements are the same as for services run in-house; the
outsourced service must still be covered by the IS management program
 Usually the decision is based on economics

 Concerns over outsourcing
 Loss of essential skills
 Low visibility into the provider's security processes
 New attack vectors
 Viability of the third party
 Potentially poor service or unexpected costs
 Allowing third-party access to the organization's systems and data

Slide 104

Cloud Computing
 There are many different offerings of "cloud" computing, which makes it hard
to define precisely:
 NIST (SP 800-145): a model for enabling ubiquitous, convenient, on-demand network
access to a shared pool of configurable computing resources that can be rapidly
provisioned and released with minimal management effort or provider interaction
 Advantages of the “cloud”
 Cost
 Scalability
 Reliability
 Performance
 Agility

Slide 105

Cloud Computing Continued


 Security considerations:
 Organizations that have not previously given security a high priority may see
security improve, depending on the provider's maturity and reputation
 Risk of loss or disclosure of sensitive information, since the organization no longer
controls the infrastructure holding it
 Location of the data can also be a concern (jurisdiction, data residency and
regulatory requirements)
 Loss of connectivity to the provider makes the service unavailable

Slide 106

Cloud Computing Continued


 Service models:
 IaaS (Infrastructure as a Service)
 PaaS (Platform as a Service)
 SaaS (Software as a Service)

 Deployment models:
 Private cloud
 Community cloud
 Public cloud
 Hybrid cloud

Slide 107

Integration with IT Processes


 The IS manager must ensure that the IS program interfaces with the other
organizational assurance functions.
 There should be ongoing, bidirectional communication between departments.

 Change management should also be integrated with security concerns, so that
security reviews changes before they are implemented.

Review Questions:

1. Who is in the best position to develop the priorities and identify what risks and impacts
would occur if there were a loss or corruption of the organization’s information
resources?
A. Internal auditors
B. Security management
C. Business process owners
D. External regulatory agencies

2. The single most important concept for an information security architect to keep in mind
is:
A. Plan-do-check-act
B. Confidentiality, integrity, availability
C. Prevention, detection, correction
D. Tone at the top

3. Which of the following is the best method of managing risk inherent to wireless
networks?
A. Require private, key-based encryption to connect to the wireless networks
B. Enable auditing on every host that connects to a wireless network
C. Require that every host that connects to this network have a well-tested recovery
plan
D. Enable auditing on every connection to the wireless network

4. Which of the following is the most important element of a successful security awareness
training program?
A. Providing metrics for measuring effectiveness
B. Customized content for the security awareness program
C. The level of technical detail in the awareness program
D. Mapping the awareness training to a recognized security standard

5. If an information security manager has the responsibility of application security review,
which of the following additional responsibilities present a conflict of interest in
performing the review?
A. Operating system recovery
B. Application administration
C. Network change control
D. Host-based intrusion detection
6. Access controls that fail secure are used when:
A. It is necessary to ensure user system access
B. The controls policy specifies the requirement
C. There is a business reason to limit impact
D. It is indicated by a cost effectiveness analysis

7. Control policies addressing failure modes are a critical element to consider in security
architecture primarily because they:
A. Provide the requirements that mandate a number of architectural constraints
B. Provide an objective-oriented approach to overall control design
C. Express the systems’ capabilities required to meet business objectives
D. Are sub-policies that must be implemented at the functional or operation level

8. When designing an IDS, the information security officer should recommend that it be
placed:
A. Outside the firewall
B. On the firewall server
C. On a screened subnet
D. On the external router

9. Which of the following is most effective in preventing security weaknesses in operating
systems?
A. Patch Management
B. Change Management
C. Security Baselines
D. Configuration Management

10. Which of the following is most important for a successful information security program?
A. Adequate training on emerging security technologies
B. Open communication with key process owners
C. Adequate policies, standards and procedures
D. Executive management commitment

11. Which of the following would be the most important consideration when implementing an
IDS?
A. Tuning
B. Patching
C. Encryption
D. Packet Filtering
Answer Key:

1. C
Business process owners are in the best position to judge the risks and impacts since
they are the most knowledgeable concerning their systems.

2. C
The architect is expected to have a set of requirements and must concentrate on tools
with which to build. These are mechanisms for prevention, detection, and correction.

3. A
Encryption is the only preventive control. Prevention is preferred over detection and
recovery.

4. B
Customizing the content for the security awareness program is necessary to ensure
alignment with the goals of the organization.

5. B
Of the job functions listed, only application administration is sufficiently close to
application security review (where the outcome of a well-performed review could be
affected by potentially biased judgment as to the competence of individuals in the
corresponding organization).

6. B
When a control such as a firewall fails (whether because of a software fault or an
attack), the default should be no access rather than failing open. A firewall that fails
open no longer protects the network, whereas one that fails secure blocks all traffic.
Failing secure can cause an outage for legitimate network traffic, so the control
policy should specify when fail-secure behavior is required.
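
The fail-open versus fail-secure distinction from answers 6 and 7, as an added example in code (not part of the CISM workbook): an application asks a policy service whether a subject may perform an action, and the two decision functions differ only in what they do when that service cannot answer. The policy backend, the `ALLOWED` table and the function names are constructed for this example.

```python
"""Fail-open versus fail-secure authorization (added example, not from the workbook).

Assumption: an application consults a separate policy decision point, modelled
here as a local function that raises when the service is unhealthy. The first
decision function is the fail-open anti-pattern; the second fails secure; the
third makes the failure mode an explicit control-policy setting.
"""
import logging

log = logging.getLogger("authz")


class PolicyUnavailable(Exception):
    """Raised by the (hypothetical) policy backend when it cannot answer."""


# Constructed sample policy: (subject, action) pairs that are permitted.
ALLOWED = {
    ("alice", "read:report"),
    ("bob", "read:report"),
    ("alice", "approve:payment"),
}


def policy_backend(subject, action, *, healthy=True):
    """Stand-in for a remote policy decision point; raises when unhealthy."""
    if not healthy:
        raise PolicyUnavailable("policy service timed out")
    return (subject, action) in ALLOWED


def is_allowed_fail_open(subject, action, healthy=True):
    """Anti-pattern: an outage of the control grants access.

    This is the firewall that fails open from the answer key: the attacker
    who can degrade the policy service gets every action approved.
    """
    try:
        return policy_backend(subject, action, healthy=healthy)
    except PolicyUnavailable:
        log.warning("policy unavailable, allowing %s %s", subject, action)
        return True  # BUG: availability of the control decides the outcome


def is_allowed_fail_secure(subject, action, healthy=True):
    """Fail secure: an outage denies access and is logged for investigation.

    The cost is an outage for legitimate users, which the control policy
    accepts in exchange for never granting access it could not verify.
    """
    try:
        return policy_backend(subject, action, healthy=healthy)
    except PolicyUnavailable as exc:
        log.error("policy unavailable, denying %s %s: %s", subject, action, exc)
        return False  # default deny


def is_allowed(subject, action, healthy=True, *, fail_mode="secure"):
    """Make the failure mode an explicit, policy-driven setting (answer 7:
    failure-mode behavior is a design constraint, not an accident of
    exception handling). Defaults to fail secure."""
    if fail_mode not in ("secure", "open"):
        raise ValueError(f"unknown fail_mode {fail_mode!r}")
    decide = is_allowed_fail_secure if fail_mode == "secure" else is_allowed_fail_open
    return decide(subject, action, healthy)
```

A useful check when reviewing real code is to grep every `except` around an authorization or authentication call and ask what the branch returns; any branch that returns success is a fail-open control, whatever the policy document says.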

7. A
Control policy is one of the major requirements that architecture must address and is a
design constraint. Control objectives are broader than just failure modes, but may
include the requirements of behavior when they fail, which is only one aspect of design.

8. C
A screened subnet, like a DMZ, means that the majority of traffic has been filtered,
leaving only the required traffic to come to the IDS and then having it checked for
attacks.
9. A
Patch management is crucial in having vulnerabilities and bugs fixed.

10. D
All programs should be supported from the “Top-Down”.

11. A
Tuning is most important to alleviate getting a false positive, or worse, a false negative.
