2008 CISM Review Course - PowerPoint PPT Presentation

PPT – 2008 CISM Review Course PowerPoint presentation | free to view - id: 1f51d8-ZDc1Z



About This Presentation
Title:

2008 CISM Review Course

Description:

... being relocated, firewall upgrades) do not inadvertently create ... A business dependency assessment reviews what resources are used to conduct ... – PowerPoint PPT presentation

Number of Views:227
Avg rating:3.0/5.0
Slides: 120
Provided by: sdo84
Transcript and Presenter's Notes

1
2008 CISM® Review Course
CHAPTER 4: Information Security Program Management
2
Definition
  • What is information security program management?
  • Information security program management includes
    directing, overseeing and monitoring
    information-security-related activities in
    support of organizational activities.

3
Objective
  • The objective of this job practice area is to
    focus on the tasks and knowledge necessary for
    the ISM to effectively manage information
    security within the organization
  • This job practice area represents 24% of the CISM
    examination (approximately 48 questions)

4
Information Security Program Tasks
  • 1. Manage internal and external resources
    - Finances
    - People
    - Equipment
    - Systems
  • 2. Ensure compliance with the organization's
    information security policies and standards
    - Processes/Procedures
    - Standards

5
Information Security Program Tasks
  • 3. Ensure the performance of contractually agreed
    (e.g., with joint ventures, outsourced providers,
    business partners, customers, third parties)
    information security controls

6
Information Security Program Tasks
  • 4. Manage contracted services and controls
    - Joint ventures
    - Outsourced providers
    - Business partners
    - Customers
    - Third parties
  • 5. Ensure that information security is an
    integral part of the systems development and
    acquisition processes

7
Tasks (continued)
  • 6. Ensure that information security is maintained
    throughout the organization's processes (e.g.,
    change control, mergers and acquisitions) and
    life-cycle activities (e.g., development,
    employment, procurement)
  • 7. Provide information security advice and
    guidance (e.g., risk analysis, control selection)
    to the organization.

8
Tasks (continued)
  • 8. Provide information security awareness,
    training and education to stakeholders (e.g.,
    business process owners, users, information
    technology)
  • 9. Monitor, measure, test and report on the
    effectiveness and efficiency of information
    security controls and compliance with information
    security policies
  • 10. Ensure that noncompliance issues and other
    variances are resolved in a timely manner

9
Importance of Security Management
  • Achieving adequate levels of information security
    at a reasonable cost requires thorough, efficient
    and effective management.
  • Properly designed, implemented and managed
    information security provides critical support
    for many business functions that would not be
    feasible without it.

10
Baselines and Metrics
  • Appropriate and sustainable baseline security
    controls should be established and supported by
    management
  • There should also be an understanding that
    outstanding risk or threat situations, at times,
    may create the need for additional control
    investments
  • The ISM should strive to use information security
    metrics that concisely demonstrate to management
    the importance of information security
  • Obtain independent assurance from external audits
    and assessments

11
Outcomes of Effective Security Management
(continued)
  • Business Process Assurance
  • The ISM must understand and integrate all
    organizational assurance functions to ensure that
    business processes operate as intended and are
    adequately protected from compromise end to end

12
Outcomes of Effective Security Management
(continued)
  • The ISM is expected to deliver outcomes that
    include demonstrating that
    - The program adds tactical and strategic value to
      the organization
    - The program is being operated efficiently and
      with concern for cost issues
    - Management has a clear understanding of
      information security drivers, activities,
      benefits and needs

13
Outcomes of Effective Security Management
(continued)
    - Information security knowledge and capabilities
      are growing as a result of the program
    - The program fosters cooperation and goodwill
      between organizational units
    - Information security stakeholders and providers
      understand their roles, responsibilities and
      expectations
  • The ISM must also
    - Provide defined interfaces between functions
    - Establish clear channels of communication

14
Organizational Roles and Responsibilities
  • In many cases, suboptimal management support of
    information security is the result of a lack of
    understanding by senior management
  • In other cases, support for information security
    programs may be limited for financial or other
    reasons
  • The ISM must
    - Recognize constraints
    - Prioritize and maximize the effects of available
      resources
    - Work with management to develop additional
      resources if possible

15
Summary of Information Security Manager
Responsibilities

16
Summary of Information Security Manager
Responsibilities (continued)
  • The ISM must develop and maintain a comprehensive,
    well-managed security program, which normally
    addresses the following issues
  • A security strategy with senior management
    acceptance and support
  • A security strategy intrinsically linked with
    business objectives
  • Security policies that are complete and
    consistent with the strategy
  • Complete standards for all relevant policies
  • Complete and accurate procedures for all
    important operations

17
Summary of Information Security Manager
Responsibilities (continued)
  • Clear assignment of roles and responsibilities
  • Information assets that have been identified and
    classified by criticality and sensitivity
  • Effective controls that have been designed,
    implemented and maintained
  • Effective monitoring processes in place
  • Effective compliance and enforcement processes
  • Tested, functional, incident and emergency
    response capabilities
  • Tested business continuity/disaster recovery plans

18
Summary of Information Security Manager
Responsibilities (continued)
  • Appropriate security approval in change
    management processes
  • Risks that are properly identified, evaluated,
    communicated and managed
  • Adequate security awareness of all users and
    training as needed
  • The development and delivery of activities that
    can positively influence the security orientation
    of staff culture and behavior
  • Understanding and addressing regulatory and legal
    issues

19
Summary of Information Security Manager
Responsibilities (continued)
  • Addressing security issues with third-party
    service providers
  • Resolving noncompliance issues and other
    variances in a timely manner
  • Developing security strategy, overseeing security
    program and initiatives, liaising with business
    process owners for ongoing alignment
  • Ensuring risk and business impact assessments,
    developing risk mitigation strategies, enforcing
    policy and regulatory compliance
  • Monitoring utilization and effectiveness of
    security resources

20
Information Security Manager Responsibilities
(continued)
  • Developing and implementing monitoring and
    metrics approaches, and directing and monitoring
    security activities
  • Developing methods for knowledge capture and
    dissemination, and developing metrics for
    effectiveness and efficiency
  • Liaising with other assurance providers, and
    ensuring gaps and overlaps are identified and
    addressed
  • An effective ISM should be familiar with
    pertinent approaches and standards (e.g., ISO
    17799) and utilize relevant elements in selecting
    the management approach best suited to the
    organization

21
Board of Directors
  • It is the responsibility of the board to provide
    a level of oversight of the ongoing activities of
    information security
  • It is the legal and ethical responsibility of
    directors to exercise due care in protecting the
    organization's assets, so it makes sense
    for the board to be involved in information
    security

22
Executive Management
  • Executive management should set the tone for
    information security management within the
    organization.
  • The executive management team will often look to
    the ISM to assist in defining the security needs
    of the organization.
  • Visible executive involvement is important to the
    success of an information security management
    program.

23
Information Security Steering Committee
  • Comprised of senior representatives of affected
    groups.
  • Facilitates consensus on priorities and
    trade-offs
  • Effective communications channel
  • Influences organizational behavior toward a
    security culture

24
Information Technology Interface
  • The ISM must
    - Develop a strong working relationship with IT
    - Foster an environment of rapport, trust and
      communication
  • IT must ensure that policies and standards are
    met
    - These standards commonly encompass implementation
      of control mechanisms in the network, systems and
      application environments, ensuring that
      technology operations address security needs
  • The ISM must work with IT to determine solutions
    that fulfill security requirements

25
Business Unit Managers
  • The ISM must engage business unit management when
    developing the information security program.
  • Their responsibility for front-line business
    operations makes them critical in implementing
    business operations that meet security needs, as
    well as in identifying and escalating security
    incidents and other concerns
  • The ISM must ensure that business unit managers
    recognize and meet their responsibilities for
    day-to-day operational security
  • Business unit managers should be on the
    information security steering committee

26
Business Unit Managers (continued)
  • Most organizations also have business units
    responsible for developing new products/services.
  • The ISM must engage in the development process
    for any products or services related to the
    organization's information resources
  • The product-development business unit should
    utilize an established baseline of standing
    security requirements for every new development
    project and develop additional controls to
    safeguard against application-specific risks
  • Early involvement in the product development
    cycle helps ensure that resources and time are
    allocated for effective controls implementation

27
Human Resources
  • HR within most organizations has significant
    information security responsibilities concerning
    employee policy distribution, education and
    enforcement
  • The ISM needs to work with HR to establish the
    means to administer employee education on and
    agreement to computer resource usage policies and
    procedures
  • The ISM must ensure that HR and legal departments
    are involved in any action involving monitoring
    of an employee's actions or suspected abuse of
    computing resources

28
Legal Department
  • Information security issues cross lines of
    compliance, liability, corporate responsibility
    and due diligence
  • All of these areas are the domain of the legal
    department in most organizations
  • By ensuring that the legal department has ongoing
    awareness of information security issues and
    acting with their consensus, the ISM can help
    protect against legal liability

29
The Information Security Management Framework
  • Conceptual representation of an information
    security management structure that describes the
    combination of technical, operational, management
    and physical security controls in relation to the
    organization's technical and operational
    environments
  • The framework should fundamentally describe the
    information security management components (e.g.,
    roles, policies, standard operating procedures,
    management procedures, security architectures)
    and their interactions

30
Technical Components and Architecture
  • Native Control Technologies
    - Security features built into a product,
      otherwise known as out-of-the-box security
      features, that are integrated with business
      information systems
    - Generally configured and operated by IT

31
Technical Components and Architecture (continued)
  • Supplemental Control Technologies
  • Components that are added on to an information
    systems environment
  • Usually provide some function that is not
    available in the native components (network
    intrusion detection), or that is more appropriate
    to implement outside of primary business
    application systems
  • Tend to be more specialized than native control
    technologies

32
Technical Components and Architecture (continued)
  • Management Support Technologies
  • Automate a security related procedure, provide
    management information processing, or increase
    management efficiency
  • Examples include security information management
    (SIM) tools, compliance monitoring scanners and
    security event analysis systems
  • Used by the information security group
    independently of the IT function

33
Technical Components and Architecture (continued)
  • Analysis of Technical Components and Architecture
  • When analyzing technical security architecture,
    the ISM must use a clearly defined set of
    measurable criteria to enable tracking of
    performance metrics
  • A few possible criteria for analyzing technical
    security architecture and components might
    include
    - Control placement
    - Control efficiency
    - Control policy
    - Control implementation

34
Security Operations Components
  • Because many operational components fall outside
    of the information security domain (e.g.,
    patching procedures), the ISM should leverage IT,
    business units and other resources to ensure that
    operational needs are thoroughly covered
  • For each operational component, the ISM should
    - Identify the component owner
    - Collaborate to document key information needed
      for effective fulfillment of the component

35
Management Components
  • Management components of an information security
    management program include
    - Requirement and policy establishment
    - Strategic implementation activities
    - Oversight of execution
  • These are generally activities that take place
    less frequently than operational components
  • These activities are most often the
    responsibility of middle and senior management
  • Some issues, particularly those around oversight,
    can escalate to the board level

36
Management Components (continued)
  • The ISM should be flexible in making adjustments
    to policies and objectives during the initial
    stages of the program
  • After requirements are established, the ISM must
    develop strategies that
    - Ensure that strategic decisions are made in
      support of operational and technical
      implementation
    - Address needs such as financial support,
      personnel hiring, and establishing realistic
      timelines

37
Management Components (continued)
  • Management oversight forums might occur monthly,
    quarterly or annually
  • The appropriate frequency for oversight activities
    is driven by the rate of change in the program
    involved
  • Channels outside of the established management
    oversight process should exist for issues that
    are too significant to wait for the next forum

38
Administrative Components (continued)
  • Because the optimal number of resources is almost
    never available, efforts must be prioritized
  • The ISM should work with the steering committee
    and executive management to determine priorities
    and to establish consensus on what project items
    to delay because of resource constraints
  • Spikes in activity or unexpected project efforts
    can often be addressed with third-party resources

39
Measuring Information Security Risk and Loss
  • Protect resources from undue impact by accidental
    or malicious threats
  • Most organizations experience security breaches
  • Any information security program must therefore
    also strive to detect and minimize the impact
    associated with detrimental events

40
Measuring Support of Organizational Objectives
  • How many information security objectives were
    successfully completed in support of
    organizational goals?
  • Were there organizational goals that were not
    fulfilled because information security objectives
    were not met?
  • Measurements of compliance achievement are often
    tied to the results of internal or external
    audits

41
Measuring Compliance
  • Continuous auditing techniques, or manual
    compliance monitoring through more frequent
    audits, may be needed to achieve a higher
    frequency and/or broader scope than periodic
    incremental audits can provide
  • In addition to actual point-in-time compliance,
    the program should be measured on the
    effectiveness of resolving compliance issues
    identified through
    - Audit results
    - Breaches

42
Measuring Operational Productivity
  • The ISM must maximize operational productivity
  • Productivity can be improved through
    - Automation technologies
    - Outsourcing of low-value operational tasks
    - Leverage of other organizational units
  • The ISM should set periodic goals for increasing
    the productivity of the information security
    management program
  • Goals should be reviewed to determine the
    productivity gains achieved
  • Analyze data such as hourly employee cost and
    effort expended per task to demonstrate the value
    of productivity improvement initiatives to senior
    management

43
Measuring Security Cost-Effectiveness
  • The information security program must be
    financially sustainable
  • Otherwise, security controls degrade due to poor
    maintenance and support
  • Financial constraints are a common reason for
    security lapses, including failure to plan for
    ongoing maintenance requirements
  • Maximize the value of each security investment to
    control information security expenses and ensure
    sustainable achievement of objectives

44
Measuring Security Cost-Effectiveness (continued)
  • This process begins with accurate cost
    forecasting and budgeting
  • Track budget and progress
  • Measure the ongoing cost-effectiveness of
    security components, most often accomplished by
    tracking cost/result ratios
  • Calculate the total cost of producing a specific
    result

45
Measuring Security Cost-Effectiveness (continued)
  • Measure the true cost of security mechanisms, e.g.
    - Costs of vulnerability assessment
    - Per-user costs for workstation security controls
    - Per-mailbox costs for e-mail spam and virus
      protection
  • ISM must regularly consider the total cost of
    technical security components
  • Purchase and implementation costs are only part
    of the total cost

46
Measuring Organizational Awareness
  • Personnel actions can present threats that can
    only be mitigated through education and awareness
  • Implement processes to track the ongoing
    effectiveness of awareness programs
  • Records of initial training, acceptance of
    policies and usage agreements, and ongoing
    awareness updates are useful metrics
  • Track need for training

47
Measuring Organizational Awareness (continued)
  • Employee testing can indicate awareness program
    effectiveness
  • Conducting additional quizzing on a random sample
    of employees several months after training will
    help determine the longer-term effectiveness of
    awareness training

48
Measuring Effectiveness of Technical Security
Architecture
  • Measure the effectiveness of the technical
    security architecture
  • Technical security metrics can be categorized for
    reporting and analysis purposes by protected
    resource and geographic location

49
Measuring Operational Performance
  • Measures of security operational performance
    include
    - Average time to detect, escalate, isolate and
      contain incidents
    - Average time between vulnerability detection and
      resolution
    - Quantity, frequency and severity of incidents
      discovered post hoc
    - Average time between vendor release of
      vulnerability patches and their application
    - Percentage of systems audited within a certain
      period
    - Number of changes released without full change
      control approval
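The measures on this slide only become useful when they are computed the same way every reporting period from the underlying records. The following is an added example, not part of the CISM course material, showing one way to derive each of them; the incident, vulnerability, patch, system-inventory and change records are constructed sample data, and their field names are assumptions rather than any standard schema. Note how items that are still open are excluded from the averages instead of being counted as zero, so that unresolved work cannot flatter the numbers.

```python
"""Security operations KPIs computed from constructed sample records.

Added example, not part of the CISM course material: derives the operational
performance measures listed on the slide from incident, vulnerability, patch,
system-audit and change records. All records below are constructed sample
data and the field names are assumptions, not a standard schema.
"""
from datetime import datetime, timedelta
from statistics import mean


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M")


def mean_hours(records, start_key, end_key):
    """Mean elapsed hours from start_key to end_key.

    Records whose end event has not happened yet (None) are excluded rather
    than treated as zero, so open items cannot make the average look better.
    Returns None when nothing has completed.
    """
    hours = [(_ts(r[end_key]) - _ts(r[start_key])).total_seconds() / 3600
             for r in records if r.get(start_key) and r.get(end_key)]
    return round(mean(hours), 2) if hours else None


# Constructed incident records; INC-3 is still open (not yet isolated).
INCIDENTS = [
    {"id": "INC-1", "occurred": "2008-03-01 08:00", "detected": "2008-03-01 10:00",
     "escalated": "2008-03-01 10:30", "isolated": "2008-03-01 12:00",
     "contained": "2008-03-01 14:00", "severity": "high", "found_post_hoc": True},
    {"id": "INC-2", "occurred": "2008-03-05 09:00", "detected": "2008-03-05 09:15",
     "escalated": "2008-03-05 09:45", "isolated": "2008-03-05 10:15",
     "contained": "2008-03-05 11:15", "severity": "medium", "found_post_hoc": False},
    {"id": "INC-3", "occurred": "2008-03-10 22:00", "detected": "2008-03-11 06:00",
     "escalated": "2008-03-11 06:20", "isolated": None, "contained": None,
     "severity": "high", "found_post_hoc": True},
]

# Constructed vulnerability findings; V-3 is unresolved.
VULNS = [
    {"id": "V-1", "detected": "2008-03-02 00:00", "resolved": "2008-03-04 00:00"},
    {"id": "V-2", "detected": "2008-03-03 00:00", "resolved": "2008-03-03 12:00"},
    {"id": "V-3", "detected": "2008-03-12 00:00", "resolved": None},
]

# Constructed patch records: vendor release vs. application in this environment.
PATCHES = [
    {"id": "P-1", "released": "2008-03-01 00:00", "applied": "2008-03-08 00:00"},
    {"id": "P-2", "released": "2008-03-04 00:00", "applied": "2008-03-06 00:00"},
]

# Constructed system inventory with the date of the last configuration audit.
SYSTEMS = [
    {"host": "web-01", "last_audited": "2008-02-20 00:00"},
    {"host": "db-01", "last_audited": "2008-01-05 00:00"},
    {"host": "app-01", "last_audited": None},
    {"host": "mail-01", "last_audited": "2008-03-10 00:00"},
]

# Constructed change records from the change-management system.
CHANGES = [
    {"id": "CHG-1", "approved": True},
    {"id": "CHG-2", "approved": False},
    {"id": "CHG-3", "approved": True},
]


def audit_coverage_pct(systems, as_of, window_days):
    """Percentage of systems audited within window_days before as_of."""
    cutoff = _ts(as_of) - timedelta(days=window_days)
    audited = sum(1 for s in systems
                  if s["last_audited"] and _ts(s["last_audited"]) >= cutoff)
    return round(100.0 * audited / len(systems), 1)


def unapproved_changes(changes):
    """IDs of changes released without full change-control approval."""
    return [c["id"] for c in changes if not c["approved"]]


def post_hoc_incidents(incidents):
    """Count and severity breakdown of incidents discovered after the fact."""
    found = [i for i in incidents if i["found_post_hoc"]]
    by_severity = {}
    for i in found:
        by_severity[i["severity"]] = by_severity.get(i["severity"], 0) + 1
    return len(found), by_severity


def operational_kpis(as_of="2008-03-15 00:00"):
    """Assemble the slide's measures into one report dictionary."""
    count, by_sev = post_hoc_incidents(INCIDENTS)
    return {
        "mean_hours_to_detect": mean_hours(INCIDENTS, "occurred", "detected"),
        "mean_hours_to_escalate": mean_hours(INCIDENTS, "detected", "escalated"),
        "mean_hours_to_isolate": mean_hours(INCIDENTS, "escalated", "isolated"),
        "mean_hours_to_contain": mean_hours(INCIDENTS, "isolated", "contained"),
        "mean_hours_vuln_to_fix": mean_hours(VULNS, "detected", "resolved"),
        "mean_hours_patch_lag": mean_hours(PATCHES, "released", "applied"),
        "post_hoc_incidents": count,
        "post_hoc_by_severity": by_sev,
        "audit_coverage_pct_30d": audit_coverage_pct(SYSTEMS, as_of, 30),
        "changes_without_approval": unapproved_changes(CHANGES),
    }


if __name__ == "__main__":
    for key, value in operational_kpis().items():
        print(f"{key}: {value}")
```

Reporting the count of open items alongside each average (here V-3 and INC-3) is the usual companion figure, since an average computed only over closed items says nothing about the backlog.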

50
Common Information Security Management Challenges
  • Information security is a relatively new function
    within many organizations
  • Even for mature information security programs,
    the requirements and demands are rapidly
    changing, driven by technical and regulatory
    pressures
  • The ISM should be cognizant of
    - Common challenges to effective information
      security management
    - The reasons behind those challenges
    - Strategies for addressing them

51
Inadequate Management Support
  • Lack of management support is most common in
    smaller organizations and those that are not in
    security-intensive industries
  • Misunderstanding of the organization's dependence
    on information systems and of the threat and risk
    environment is common
  • The ISM must utilize resources such as industry
    statistics, organizational impact and dependency
    analyses, and reviews of common threats to the
    organization's information resources
  • In addition, management may need guidance
    concerning
    - What is expected of them
    - Information security approaches that industry
      peers are taking

52
Inadequate Funding
  • Some funding-related issues that the ISM may need
    to address include
    - Management not recognizing the value of security
      investments
    - Security being viewed as a low-value cost center
    - Management not conceptually understanding where
      existing money is going
    - The organizational need for a security investment
      not being understood
    - The need for more awareness of industry trends in
      security investment
  • If additional funding to close financial gaps is
    not available, employ strategies that minimize
    the impact of the financial shortfall on the
    organization's information risk posture

53
Inadequate Staffing
  • The root causes of funding issues extend to the
    challenge of inadequate staff levels to meet
    security program requirements
  • Manage resources to demonstrate the level of
    effort currently expended
  • Demonstrating high or growing levels of
    productivity also helps show that the
    information security program is utilizing
    resources effectively and efficiently

54
Determining The State of Information Security
Management
  • Regular assessment of the current state of an
    existing information security management program
  • Periodically reevaluate the effectiveness of the
    program relative to the changes in organizational
    demands, environment and constraints
  • The results of such analysis should be shared
    with the information security steering committee

55
Evaluating Compliance Requirements
  • Key considerations include
  • Are information security compliance requirements
    clearly defined?
  • Is there close communication between compliance
    and information security?
  • Does the information security program integrate
    compliance requirements into policies, standards,
    operations, and success metrics?
  • Do the program's technical, operational and
    managerial components align with the components
    required by regulatory standards?
  • What have been the results of audit and
    compliance reviews of the information security
    management program?
  • Are program compliance deficiencies tracked,
    reported and addressed in a timely manner?

56
Evaluating Security Operations Management
  • Are there documented SOPs for security-related
    activities such as access management, security
    systems maintenance, event analysis and incident
    response?
  • Is there a schedule of regularly performed
    procedures, e.g., technical configuration review?
    Does the program provide for records of scheduled
    activities?
  • Is there separation of duties between system
    implementers, security administrators and
    compliance personnel?
  • Does the program provide for operational metrics
    reporting that provide management with needed
    oversight? Are there other oversight mechanisms
    in place?
  • Does management regularly review security
    operations? Is there a forum for operational
    issues to be escalated to management for
    resolution?

57
Evaluating Technical Security Management
  • Are there technical standards for the security
    configuration of individual network, system,
    application and other technology components?
  • Do standards exist that address architectural
    security issues such as topology, communication
    protocols and compartmentalization of critical
    systems?

58
Evaluating Technical Security Management
(continued)
  • Are standards a collaborative effort between
    technology and security staff?
  • Do procedures exist to regularly evaluate and
    report on compliance with technical standards?
  • Is separation of development and production
    technology environments enforced?
  • Do systems enforce separation of duty, especially
    where high levels of administrative access are
    concerned?
  • Is there reliable and comprehensive visibility
    into system activities, configurations,
    accessibility and security-related events? Is
    this visibility continual or intermittent?
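The separation-of-duties questions on this slide and the previous one (implementers versus security administrators versus compliance staff, development versus production) are only answerable if the check covers roles inherited through group membership, not just roles assigned directly. The following is an added example, not part of the CISM course material: a toxic-combination check over constructed user, group and role data in which nested groups are resolved transitively. The role names, the conflict pairs and the directory contents are assumptions made for the example.

```python
"""Separation-of-duties check over user, group and role assignments.

Added example, not part of the CISM course material. The conflicting role
pairs mirror the duties the slide says should be separated (system
implementers, security administrators, compliance personnel, development
versus production); the users, groups and role names are constructed
assumptions, not any real directory's contents.
"""

# Pairs of roles that one person must never hold at the same time.
CONFLICTS = [
    ({"system-implementer", "security-admin"},
     "implementers must not administer the security controls they build"),
    ({"security-admin", "compliance-auditor"},
     "administrators must not audit their own work"),
    ({"developer", "prod-deployer"},
     "development and production access must be separated"),
]

# Constructed directory: group -> members, where a member may itself be a group.
GROUP_MEMBERS = {
    "platform-team": ["alice", "bob", "infra-admins"],
    "infra-admins": ["bob"],
    "audit-team": ["carol"],
    "dev-team": ["dave", "platform-team"],
}

# Roles granted through group membership and roles granted directly to users.
GROUP_ROLES = {
    "platform-team": {"system-implementer"},
    "infra-admins": {"security-admin"},
    "audit-team": {"compliance-auditor"},
    "dev-team": {"developer"},
}
DIRECT_ROLES = {
    "carol": {"security-admin"},   # auditor also given admin rights "temporarily"
    "dave": {"prod-deployer"},     # developer who can push to production
}
USERS = ["alice", "bob", "carol", "dave"]


def membership_closure(user, group_members):
    """All groups a user belongs to, following nested groups transitively.

    A visited set makes this safe against membership cycles.
    """
    parents = {}
    for group, members in group_members.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    seen, stack = set(), [user]
    while stack:
        node = stack.pop()
        for group in parents.get(node, ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def effective_roles(user, direct_roles=DIRECT_ROLES,
                    group_members=GROUP_MEMBERS, group_roles=GROUP_ROLES):
    """Union of a user's direct roles and all roles inherited via groups."""
    roles = set(direct_roles.get(user, ()))
    for group in membership_closure(user, group_members):
        roles |= set(group_roles.get(group, ()))
    return roles


def sod_violations(users=USERS, conflicts=CONFLICTS, **kwargs):
    """(user, conflicting roles, reason) for every toxic combination found.

    Inherited roles are checked, not only direct ones: a violation hidden
    behind two levels of group nesting is still a violation.
    """
    found = []
    for user in sorted(users):
        roles = effective_roles(user, **kwargs)
        for pair, reason in conflicts:
            if pair <= roles:
                found.append((user, tuple(sorted(pair)), reason))
    return found


if __name__ == "__main__":
    for user, pair, reason in sod_violations():
        print(f"{user}: holds {' + '.join(pair)} ({reason})")
```

In the constructed data, bob's conflict is invisible to a check that looks only at direct assignments: his security-admin role comes from infra-admins and his implementer role from platform-team, which is itself nested inside dev-team.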

59
Controls
  • Controls are a major part of a program. The
    choice of controls should be based on a number of
    considerations, including
    - Effectiveness
    - Expense and restrictiveness to business
      activities
    - What the optimal form of control is
  • Physical and administrative controls (e.g.,
    processes and procedures) are just as critical as
    technical controls
  • Most security failures can ultimately be
    attributed to failures of management, but
    management problems typically do not have
    technical solutions
  • The ISM must thus avoid placing excessive focus
    on, and reliance on, technology

60
Controls
  • Security policies, standards or procedures that
    are too restrictive, that do not enable the
    organization to meet its business objectives, or
    that restrict access to information resources too
    stringently will quickly be circumvented
  • The objective is to balance the need for controls
    with the requirements of the business
  • Therefore, it is essential that the ISM
    - Have a suitable business perspective
    - Understand the risks to the organization's
      information resources
    - Interpret the information security policies
    - Implement security controls that consider all of
      these aspects

61
Controls
  • Security controls for IT- and non-IT-related
    information processes
  • Includes secure marking, handling, transport and
    storage requirements for physical information
  • Includes considerations for handling and
    preventing social engineering
  • Environmental controls must also be considered so
    that otherwise secure systems are not subject to
    theft

62
Countermeasures
  • Countermeasures often provide specific
    protection, making them less efficient than
    broader, more general safeguards.
  • Countermeasures are not necessarily less
    cost-effective
  • Countermeasures deployed to address specific
    threats are often expensive both operationally
    and financially, and can become a distraction
    from core security operations
  • The ISM should thus deploy countermeasures only
    with clear justification, with due caution, and
    only when an existing or more general control
    cannot mitigate the threat

63
Audits
  • Integrate with internal and/or external auditing
    activities
  • Some audits (e.g., regulatory audits) are
    compulsory
  • Others are voluntary, as when an independent
    auditor makes an attestation to compliance with
    an industry standard
  • Ensure that time and resources are allocated to
    address audit activities
  • Procedures should be established in advance for
    scheduling, observation of employee activities,
    and provision of configuration data from
    technical systems
  • Audit findings provide strong, independent
    feedback for the steering committee and/or
    management to utilize in assessing the
    effectiveness of the information security
    management program

64
Periodic Threat Analysis
  • Technical and behavioral threats evolve as a
    result of internal and external factors
  • The ISM needs to perform threat analysis at least
    annually, evaluating changes in the technical and
    operating environments of the organization

65
Periodic Threat Analysis (continued)
  • Internal factors such as new business units, new
    or upgraded technologies, changes to products and
    services, and changes in roles and
    responsibilities deserve special attention
  • As new threats are identified and prioritized in
    terms of impact, evaluate the ability of existing
    controls to mitigate risks associated with new
    threats
  • The technical security architecture may need to
    be modified, a threat-specific countermeasure may
    be deployed, or a compensating mechanism or
    process may be implemented until mitigating
    controls are developed

66
Ongoing Technical Vulnerability Analysis
  • An organization's technical environment should be
    continually monitored for new vulnerabilities
    through regularly scheduled scanning
  • Ensure that changes to existing technical
    environments (e.g., installation of a new
    service, hosts being relocated, firewall
    upgrades) do not inadvertently create
    architectural vulnerabilities
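The practical form of the second point is a comparison of the scan taken before a change with the scan taken after it, so that exposure the change introduced stands out from exposure that was already known. The following is an added example, not part of the CISM course material, that performs that comparison over two constructed scan snapshots covering exactly the change types the slide lists (a newly exposed service, a relocated host, a firewall upgrade). The "host= ip= ports=" line format is invented for the example and is not any scanner's real output, and the allowed-exposure policy is an assumption.

```python
"""Exposure diff between two scan snapshots taken before and after a change.

Added example, not part of the CISM course material: shows the check the
slide asks for, that a change (new service, relocated host, firewall upgrade)
has not opened exposure that was not there before. The scan lines and their
"host= ip= ports=" format are constructed for this example and are not any
scanner's real output; the allowed-exposure policy is likewise assumed.
"""
import re

LINE_RE = re.compile(r"^host=(\S+)\s+ip=(\S+)\s+ports=(\S*)$")


def parse_scan(text):
    """Parse constructed scan lines into {hostname: (ip, {open ports})}."""
    hosts = {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unparseable scan line: {line!r}")
        name, ip, ports = match.groups()
        hosts[name] = (ip, {int(p) for p in ports.split(",") if p})
    return hosts


# Constructed baseline scan, taken before the change window.
BASELINE_SCAN = """
host=web-01 ip=10.0.1.10 ports=80,443
host=db-01  ip=10.0.2.20 ports=3306
host=app-01 ip=10.0.1.30 ports=8080
"""

# Constructed scan after a firewall upgrade, a host relocation and a new jump host.
AFTER_SCAN = """
host=web-01  ip=10.0.1.10 ports=22,80,443
host=db-01   ip=10.0.3.20 ports=22,3306
host=app-01  ip=10.0.1.30 ports=8080
host=jump-01 ip=10.0.1.99 ports=22
"""

# Assumed policy: the only exposure each host is approved to have.
ALLOWED_EXPOSURE = {
    "web-01": {80, 443},
    "db-01": {3306},
    "app-01": {8080},
}


def diff_exposure(before, after, allowed):
    """Findings as (kind, host, detail, ports) tuples.

    kinds: new_host, missing_host, relocated, newly_open, closed, unapproved.
    Relocated hosts are matched by name, so a host that moved segments is
    compared with its own baseline rather than reported as brand new.
    """
    findings = []
    for name, (ip, ports) in after.items():
        if name not in before:
            findings.append(("new_host", name, ip, sorted(ports)))
            continue
        old_ip, old_ports = before[name]
        if old_ip != ip:
            findings.append(("relocated", name, f"{old_ip}->{ip}", []))
        if ports - old_ports:
            findings.append(("newly_open", name, ip, sorted(ports - old_ports)))
        if old_ports - ports:
            findings.append(("closed", name, ip, sorted(old_ports - ports)))
    for name in sorted(before.keys() - after.keys()):
        findings.append(("missing_host", name, before[name][0], []))
    # The policy check is independent of the diff: exposure that was already
    # wrong in the baseline is still wrong after the change.
    for name, (ip, ports) in after.items():
        unexpected = ports - allowed.get(name, set())
        if unexpected:
            findings.append(("unapproved", name, ip, sorted(unexpected)))
    return findings


def change_review():
    """Run the diff for the constructed snapshots; an empty list means clean."""
    return diff_exposure(parse_scan(BASELINE_SCAN), parse_scan(AFTER_SCAN),
                         ALLOWED_EXPOSURE)


if __name__ == "__main__":
    for kind, host, detail, ports in change_review():
        print(f"{kind:13} {host:8} {detail:24} {ports}")
```

The diff and the policy check are deliberately separate: the diff tells the change manager what this change did, while the policy check catches exposure that predates the change and would otherwise be carried forward silently from one baseline to the next.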

67
Periodic/Incremental Risk Assessment
  • As threats and vulnerabilities emerge, analyze
    and communicate the impact on the organization's
    risk posture
  • The ISM should also recognize that asset values
    and risk characteristics can also change,
    requiring re-analysis of risk posture
  • Periodic risk assessment results should be
    provided to the steering committee and/or senior
    management for use in guiding information
    security priorities and activities

68
Periodic Resource Dependency Analysis
  • A business dependency assessment may be a less
    costly alternative to a BIA as the basis for
    allocating available resources
  • A business dependency assessment reviews what
    resources are used to conduct business, which is
    essentially the first step of a BIA
  • The critical assets and resources are identified
    and provide a high-level basis for allocating
    protection efforts

69
Outsourced Security Providers
  • The use of external security services vendors can
    provide
    - Specialist skills as needed
    - Longer-term staff augmentation while recruiting
      for open positions
    - Offloading of routine daily tasks
  • Outsourced security service providers can deliver
    a range of services (e.g., assessment and audit,
    engineering, operational support, security
    architecture and design, advisory services)

70
Legal and Regulatory Requirements
  • Information security programs must be guided by
    legal and regulatory requirements of the
    organization
  • Compliance with compulsory government standards,
    appropriate due diligence and technological
    support of legal policies
  • Legal standards related to privacy of information
    and transactions
  • The collection and handling of audit records
  • e-mail retention policies
  • Incident investigation procedures
  • Cooperation with legal authorities

71
Physical and Environmental Factors
  • The level of security that hardware and software
    controls provide should depend on the
  • Sensitivity of data that can be accessed
  • Significance of applications processed
  • Cost of equipment and availability of backup
    equipment
  • A wide range of physical security controls are
    available to implement physical security
  • Electronic locks
  • Cameras
  • Motion Detectors

72
Physical and Environmental Factors (continued)
  • Physical security policies and control devices
    are needed
  • Access should be provided on an as-needed basis
  • Unrelated equipment and supplies (e.g., paper and
    printing supplies) should not be stored along
    with sensitive computing infrastructure
  • Computing environments must implement systems to
    monitor and control environmental factors such as
    temperature and humidity

73
Physical and Environmental Factors (continued)
  • Personal computers used in open areas may need
    special controls
  • Laptops and portable devices must also be
    protected against theft or loss
  • Electronic and print media should also be
    protected
  • Geographical concerns also need to be considered

74
Ethics
  • Implement ethics training to provide guidance on
    what the organization considers appropriate and
    legal behavior
  • This approach is common when individuals are
    required to engage in activities of sensitive
    nature such as monitoring user activities,
    penetration testing and having access to
    sensitive data
  • Information security personnel must be sensitive
    to potential conflicts of interest or activities
    that may be perceived as detrimental to the
    organization

75
Culture/Regional Variances
  • The ISM should be aware of differences in
    perceptions, customs and appropriate behaviors
    across different regions and cultures
  • Policies, controls and procedures should be
    developed and implemented with respect to these
    differences
  • Elements that might be culturally offensive to
    others should be avoided
  • Work with HR to develop strategies for addressing
    differences across the regions and cultures
    represented within the organization

76
Logistics
  • Some of the logistic issues that an ISM needs to
    be able to manage include
  • Cross-organizational strategic planning and
    execution
  • Project and task management
  • Coordination of committee meetings and activities
  • Developing schedules of regularly performed
    procedures
  • Resource prioritization
  • Coordination of security resources and activities
    with larger projects and operations

77
Security Management Metrics and Monitoring
  • Monitor security programs and controls
  • Some monitoring is technical and quantitative;
    some, by necessity, is imprecise and qualitative
  • Technical metrics can be used to provide
    quantitative monitoring and can include elements
    such as
  • Number of unremediated vulnerabilities
  • Number of closed audit items
  • Number or percentage of user accounts in
    compliance with standards
  • Perimeter penetrations
  • Unresolved security variances

78
Security Management Metrics and Monitoring
(continued)
  • As information resources change over time, it is
    important to be aware that both the security
    baseline and the resources must adapt to changing
    threats and new vulnerabilities
  • Develop a consistent, reliable method to
    determine the overall ongoing effectiveness of
    the program; ways to do this can include
  • Conduct and track risk assessments
  • Penetration testing
  • Regular vulnerability scans

79
Security Management Metrics and Monitoring
  • Effective metrics
  • Require that a baseline is established for each
    measurement
  • Should have SMART attributes (i.e., specific,
    measurable, attainable, repeatable and
    time-dependent)
  • Should be used to chart progress
  • In addition to monitoring automated security
    activities, the organization's change management
    activities also should feed into the monitoring
    program
  • Metrics are important, but are of little use if
    adverse trends are not dealt with in a timely
    manner

80
Security Management Metrics and Monitoring
(continued)
  • The ISM needs to have a process in place whereby
    metrics are regularly reviewed and any unusual
    outcomes are reported
  • An action plan to react to the unusual activity
    should be developed as well as a proactive plan
    to address trends in activity that may lead to a
    security breach or failure
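
Reviewing the technical metrics named on slides 77 and 79 against an established baseline and flagging adverse trends, the review process this slide calls for, as an added Python example (not course material; the baselines, tolerances and monthly values are constructed):

```python
"""Periodic metric review: compare each metric with its baseline and flag
adverse trends for reporting. Added example; metric names follow the
slides, all numbers are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Metric:
    name: str
    higher_is_better: bool
    baseline: float   # value established when measurement began
    tolerance: float  # acceptable drift from baseline before reporting


# Metrics from the slides with constructed baselines and tolerances.
METRICS = [
    Metric("unremediated_vulnerabilities", False, 40, 5),
    Metric("closed_audit_items", True, 12, 2),
    Metric("pct_accounts_compliant", True, 95.0, 2.0),
    Metric("perimeter_penetrations", False, 0, 0),  # zero tolerance
]

# Constructed monthly measurements, oldest first.
HISTORY = {
    "unremediated_vulnerabilities": [41, 39, 44, 49, 57],
    "closed_audit_items": [12, 14, 13, 15, 16],
    "pct_accounts_compliant": [95.5, 94.8, 93.9, 92.7],
    "perimeter_penetrations": [0, 0, 0, 0, 1],
}


def review(metric: Metric, series: list, window: int = 3) -> dict:
    """Return the delta from baseline, whether the latest value is outside
    tolerance, and whether every step in the last `window` periods moved
    the metric the wrong way (an adverse trend that needs an action plan)."""
    if not series:
        return {"status": "no_data"}
    latest = series[-1]
    delta = latest - metric.baseline
    # Drift measured in the undesirable direction for this metric
    bad_delta = -delta if metric.higher_is_better else delta
    out_of_tolerance = bad_delta > metric.tolerance
    recent = series[-window:]
    steps = [b - a for a, b in zip(recent, recent[1:])]
    worsening = (lambda s: s < 0) if metric.higher_is_better else (lambda s: s > 0)
    adverse_trend = len(steps) == window - 1 and all(worsening(s) for s in steps)
    status = "report" if (out_of_tolerance or adverse_trend) else "ok"
    return {"latest": latest, "delta": delta,
            "out_of_tolerance": out_of_tolerance,
            "adverse_trend": adverse_trend, "status": status}


def review_all(metrics=METRICS, history=HISTORY) -> dict:
    """Review every metric; entries with status 'report' go to the ISM."""
    return {m.name: review(m, history.get(m.name, [])) for m in metrics}
```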

81
Security Management Metrics and Monitoring
(continued)
  • The ISM must also monitor security activities in
    infrastructure and business applications
  • Since vulnerability to security breaches exists
    all the time, continuous monitoring of security
    activities is a prudent business process
  • Continuous monitoring of IDSs and firewalls can
    provide real-time information of attempts to
    breach perimeter defenses
  • Help desk personnel must be trained to escalate
    suspicious reports that may be the first signs of
    a breach or an attack
  • A variety of methods and techniques that are
    tailored to the organization must be used

82
Security Management Metrics and Monitoring
(continued)
  • Other after-the-fact monitoring techniques
    include
  • Event logging
  • Log reviews
  • Compliance assessments
  • Network- and host-based IDS
  • Penetration testing
  • Should consolidate various security
    event-monitoring techniques into a single console
    that the security team monitors

83
Control Testing and Modification
  • Changes to the technical or operational
    environment can often modify the protective
    effect of controls or create new weaknesses that
    existing controls are not designed to mitigate
  • Periodic testing of controls should be
    implemented to ensure that mechanisms continually
    enforce policies and procedural controls are
    being carried out consistently and effectively
  • After implementation, acceptance testing must be
    conducted to ensure that prescribed policies are
    enforced by the mechanisms

84
Control Testing and Modification (continued)
  • Changes to operational procedures should also
    undergo review and approval by appropriate
    stakeholders
  • Requisite changes to process inputs, activity
    steps, approvals or reviews, and process results
    should be considered and modifications to related
    processes and technologies should be coordinated
  • Workload considerations should also be taken into
    consideration to ensure that changes to
    operational controls do not overload resources
    and impact operational quality
  • If additional training is required to implement
    changes, it should be coordinated and completed
    prior to implementation of change

85
Third-Party Service Providers
  • Obtaining services from outside providers does not
    relinquish the security responsibility of the
    organization, nor does it imply delegated
    responsibility
  • Some common issues to be considered include
  • Isolation of external party access to resources
  • Integrity and authenticity of data and
    transactions
  • Protection against malicious code or content
  • Privacy/confidentiality agreements and procedures
  • Security standards for transacting systems
  • Data transmission confidentiality
  • Identity and access management of the third party
  • Incident contact and escalation procedures

86
Integration Into The Life Cycle Process
  • Achieving effective information systems security
    is easiest when risk and protection
    considerations are included in the SDLC
  • This process generally consists of
  • Establishing requirements
  • Solution architecture and design
  • Proof of concept
  • Full development and coding
  • Integration testing, deployment
  • Quality and acceptance testing
  • Maintenance
  • Systems end-of-life

87
Integration Into The Life Cycle Process
(continued)
  • Defined baseline security controls should be a
    standing requirement for all new systems
    development
  • The ISM should refer to industry and regional
    sources to determine a baseline set of
    appropriate security functions
  • Supplemental controls may be warranted based on
    vulnerability, threat and risk analysis, and
    these controls should be included in the
    requirements-gathering process

88
Monitoring and Communication (continued)
  • Some commonly monitored event types include
  • Failed access attempts to resources
  • Processing faults that may indicate system
    tampering
  • Outages, race conditions and faults related to
    insufficient resources
  • Changes to system configurations, particularly
    security controls
  • Privileged system access and activities
  • Technical security component fault detection
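
Detection logic for the event types listed on this slide, run over constructed log lines, as an added Python example (not course material; the syslog-like line format, host and user names, and the match patterns are assumptions for this illustration):

```python
"""Classify log records into the event types an ISM commonly monitors and
flag repeated failed access. Added example; the log lines are constructed
in a generic syslog-like shape, not any product's real format."""
import re
from collections import Counter

# Constructed sample log lines (no real hosts, users or addresses).
SAMPLE_LOGS = """\
Mar 03 08:12:01 app-01 authd: FAILED LOGIN user=jdoe src=10.0.5.17
Mar 03 08:12:04 app-01 authd: FAILED LOGIN user=jdoe src=10.0.5.17
Mar 03 08:12:09 app-01 authd: FAILED LOGIN user=jdoe src=10.0.5.17
Mar 03 08:15:40 fw-edge cfgd: policy rule 'allow-any-inbound' ADDED by admin
Mar 03 08:20:02 app-01 sudo: jdoe : COMMAND=/bin/bash as root
Mar 03 08:22:13 db-01 kernel: out of memory: killed process 4411 (postgres)
Mar 03 08:25:55 ids-01 sensord: signature engine HEALTH CHECK FAILED
Mar 03 08:30:00 app-01 batch: job nightly-report completed ok
"""

# Ordered (event_type, pattern) pairs mapping to the slide's categories;
# the first match wins. Patterns are assumptions for the constructed format.
RULES = [
    ("failed_access", re.compile(r"\bFAILED LOGIN\b")),
    ("security_config_change",
     re.compile(r"\b(policy|rule|acl)\b.*\b(ADDED|REMOVED|CHANGED)\b", re.I)),
    ("privileged_access", re.compile(r"\bsudo\b|\bas root\b")),
    ("resource_fault",
     re.compile(r"out of memory|race condition|timeout", re.I)),
    ("component_fault",
     re.compile(r"HEALTH CHECK FAILED|engine (down|stopped)", re.I)),
]


def classify(line: str):
    """Return the monitored event type for a line, or None if routine."""
    for event_type, pattern in RULES:
        if pattern.search(line):
            return event_type
    return None


def summarize(log_text: str, failed_threshold: int = 3) -> dict:
    """Count monitored events and list users at or above the failed-access
    threshold, which is the kind of unusual outcome that gets reported."""
    counts = Counter()
    failed_by_user = Counter()
    for line in log_text.splitlines():
        kind = classify(line)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "failed_access":
            m = re.search(r"user=(\S+)", line)
            if m:
                failed_by_user[m.group(1)] += 1
    repeated = sorted(u for u, n in failed_by_user.items()
                      if n >= failed_threshold)
    return {"counts": dict(counts), "repeated_failed_access": repeated}
```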

89
Documentation
  • Creation and maintenance of security-related
    documentation including
  • Policies, standard operating procedures and
    technical standards
  • Technical diagrams of infrastructure,
    applications and data flows
  • Risk analyses, recommendations and related
    documentation
  • Security system designs, configuration policies
    and maintenance documentation
  • Operational records such as shift reports and
    incident tracking reports
  • Each document should be assigned an owner who is
    responsible for updating documentation (or
    templates in the case of operational records)

90
General Rules of Use /Acceptable Use Policy
  • Acceptable Use Policy
  • User-friendly summary of what should and should
    not be done to comply with policy
  • Detail in everyday terms the obligations of all
    users
  • Must be communicated to all users
  • Must be read and understood by all users
  • Should be provided to new personnel

91
General Rules of Use /Acceptable Use Policy
(continued)
  • Rules of use for all personnel typically include
    the policies and standards for
  • Access control
  • Classification
  • Marking and handling of documents
  • Reporting requirements and disclosure constraints
  • May also include rules regarding email and
    internet use

92
The Change Management Process
  • The ISM should identify all change management
    processes used by the organization
  • Must have process for notification that changes
    are taking place that may impact security
  • The ISM needs to implement processes in which
    security implications are considered in each
    change management process that the organization
    supports
  • If an application is developed internally, it is
    important that security is introduced early in
    development cycle to
  • Minimize vulnerabilities
  • Ensure compliance with the organization's security
    standards

93
The Change Management Process (continued)
  • Ensuring that technical specifications include
    the security requirements set forth in the
    organization's standards and comply with policy
    is critical
  • Testing and QA plans must also be subject to the
    ISM's review to ensure that security elements are
    properly tested and certified
  • For software developed for critical operations,
    it is sometimes necessary to do a code review in
    addition to the QA testing process

94
The Change Management Process (continued)
  • As changes are made to systems and processes over
    time, there is often a tendency for security
    controls to become less effective
  • Therefore, it is critical for the ISM to be
    involved with the change management process and
    ensure that new vulnerabilities are not
    introduced during the change process
  • It is also important that security controls and
    countermeasures are updated regularly and are
    adapted to organizational changes
  • Decentralized organizations can pose a special
    challenge

95
Vulnerability Assessments
  • Vulnerability assessments are key tools to assess
    the effectiveness of the information security
    program in managing risk
  • Vulnerability assessments typically include
  • Scanning various security controls for
    vulnerabilities
  • Testing the controls in place to determine their
    effectiveness
  • Penetration testing to locate vulnerabilities
  • Creating recommendations to reduce
    vulnerabilities and improve security
  • Remediation activities and tracking progress
  • Vulnerability assessment tools are effective in
  • Identifying the exploitable vulnerabilities
  • Allowing proactive and preventive measures to be
    taken to protect the networks and systems

96
Vulnerability Assessments (continued)
  • A vulnerability assessment can include assessing
  • Network visibility and accessibility
  • Information leakage
  • Configuration weaknesses in operating systems
  • Presence of unneeded software and/or utilities
  • Security policy configurations
  • Unpatched original equipment manufacturer (OEM)
    vulnerabilities
  • Application-level vulnerabilities (including
    databases)
  • Poorly configured security controls
  • Weak security policies and standards

97
Due Diligence
  • Due diligence: the standard of due care
  • Involves taking steps that would be taken by a
    reasonable person of similar competency in
    similar circumstances
  • Some due diligence components include
  • Senior management support
  • Comprehensive policies, standards and procedures
  • Appropriate security education, training and
    awareness
  • Periodic risk assessments

98
Due Diligence (continued)
  • Effective backup and recovery processes
  • Implementation of adequate security controls
  • Effective monitoring and metrics
  • Effective compliance
  • Testing business continuity and disaster recovery
    plans
  • Periodic independent reviews of the
    infrastructure
  • Due diligence regarding contracts and agreements
    must also take place

99
Culture, Behavior and Security Awareness
(continued)
  • Influencing behavior of staff to improve security
  • Security awareness and training has recently been
    mandated by a number of regulatory bodies and is
    a requirement in certain industry segments in
    some parts of the world
  • Recent studies conducted by the US Military have
    also shown that by far, the most cost-effective
    improvements in overall security have come from
    user education and training

100
Culture, Behavior and Security Awareness
(continued)
  • Employee awareness should start from the point of
    joining the organization and continue regularly
  • Techniques for delivery need to vary to keep them
    fresh and may also need to be converged into
    other organization training programs
  • The ISM is an internal consultant to the various
    departments within the organization

101
Culture, Behavior and Security Awareness
(continued)
  • Addressing cultural differences
  • Recognize that what is viewed as reasonable in
    one country may not be acceptable in another
  • Privacy laws may be much more stringent in other
    countries and may prohibit the sharing of
    personal information
  • Work with legal and human resources to identify
    potential conflicts and work toward solutions.

102
Chapter 4 Practice Questions
  • 4-1. The change management procedure MOST likely
    to cause concern to the ISM is when
  • fallback processes are tested the weekend
    immediately prior to when the changes are made
  • users are notified via electronic mail of major
    scheduled system changes
  • a manual process is used by operations for
    comparing program versions
  • development managers have final authority for
    releasing new programs into production

104
Chapter 4 Practice Questions
  • 4-2. Which of the following would indicate that
    an automated production scheduling system has
    inadequate security controls?
  • Control statements point to test libraries
  • Process failure automatically initiates
    configuration reset
  • Developers have read access to both production
    and test schedules
  • Scheduling personnel have the ability to initiate
    an emergency override

106
Chapter 4 Practice Questions
  • 4-3. When a trading partner who has access to the
    corporate internal network refuses to follow
    corporate security policies, the information
    security manager should initiate which of the
    following?
  • Revoke their access
  • Providing minimal access
  • Send a breach of contract letter
  • Contacting the partner's external auditors

108
Chapter 4 Practice Questions
  • 4-4. The MOST important consideration in writing
    good information security policies is ensuring
    that they
  • Are easy to read and understand
  • Allow for flexible interpretation
  • Capture the intent of management
  • Change whenever operating systems are upgraded

110
Chapter 4 Practice Questions
  • 4-5. Which of the following would be the BEST
    approach when conducting a security awareness
    campaign?
  • Provide technical details on exploits
  • Target system administrators and the help desk
  • Provide customized messages for different groups
  • Target senior managers and business process owners

111
Chapter 4 Practice Questions
  • 4-7. Of these uses for security metrics, which
    allows an information security manager to
    demonstrate that control objectives are met?
  • Demonstrating policy compliance
  • Charting frequency of failed hacking attempts
  • Satisfying requests from IT audit
  • Posting quarterly security activity

114
Chapter 4 Practice Questions
  • 4-8. Which of the following types of audit trails
    would be BEST for an organization if fraud
    detection were the primary requirement?
  • Firewall logs
  • Operating system logs
  • Application logs
  • Single sign-on logs

116
Chapter 4 Practice Questions
  • 4-9. Vulnerability assessments are a common
    method of determining potential weaknesses in
    systems. However, when performing a
    vulnerability assessment, the information
    security manager should also be MOST aware that
  • If a vulnerability is discovered it must be
    eliminated
  • New vulnerabilities are constantly introduced
  • Vulnerabilities provide no information on impacts
  • Continuous testing is required

118
Chapter 4 Practice Questions
  • 4-10. Which of the following is the MOST
    important fun