ISACA
CISM Certification
Certified Information Security
Manager Courseware
4/17/2015
1
CISM®
Firebrand Accelerated Training
2015 CISM Review Course
Agenda
This introduction will address:
• The CISM Certification
• Course format
• Examination format
• Introduction of Attendees
• To set the scene – Recent Incidents
This is NOT a Death-By-PowerPoint Seminar
But it IS a Seminar
CISM
Certified Information Security Manager
• Designed for personnel that have (or want to have) responsibility for managing an Information Security program
• Tough but very good quality examination
• Requires understanding of the concepts behind a security program – not just the definitions
CISM Exam Review Course Overview
The CISM Exam is based on the CISM job practice.
• The ISACA CISM Certification Committee oversees the development of the exam and ensures the currency of its content.
There are four content areas that the CISM candidate is expected to know.
CISM Qualifications
To earn the CISM designation, information security professionals are required to:
• Successfully pass the CISM exam
• Adhere to the ISACA Code of Professional Ethics
• Agree to comply with the CISM continuing education policy
Daily Format
Lecture and sample questions
Domain structure:
• Learning Objectives
• Content
• Sample Questions
Please note that the information in every domain overlaps with the information in other domains – during the course we will introduce topics that are expanded upon in later domains
Domain Structure
[Diagram: Information Security Governance; Information Risk Management and Compliance; Information Security Program Development and Management, connected by the relationships "Mandates", "Deploys" and "Reports To"]
Course Structure
• Start time
• Breaks
• Meals
• End of day
• End of class on last day
Logistics
• Fire escapes
• Assembly point
The Examination
Description of the Exam
The exam consists of 200 multiple choice questions that cover the CISM job practice areas.
Four hours are allotted for completing the exam
See the Candidate’s Guide to the CISM Exam and Certification
Examination Job Content Areas
The exam items are based on the content in 4 information security areas
• Information Security Governance 24%
• Information Risk Management and Compliance 33%
• Information Security Program Development and Management 25%
• Information Security Incident Management 18%
2015 Exam Dates
The exam will be administered three times in 2015
• The 1st exam date is June 13; April 21 is the deadline for registration
• The 2nd exam date is Sept 12
• The 3rd exam date is Dec 12
• Many examination locations worldwide
• Register at www.isaca.org
Examination Day
Be on time!!
• The doors are locked when the instructions start – approximately 30 minutes before examination start time.
Bring the admission ticket (sent out prior to the examination from ISACA) and an
Completing the Examination Items
• Bring several #2 pencils and an eraser
• Read each question carefully
• Read ALL answers prior to selecting the BEST answer
• Mark the appropriate answer on the test answer sheet
• When correcting an answer be sure to thoroughly erase the wrong answer before filling in a new one
• There is no penalty for guessing. Answer every question.
Grading the Exam
Candidate scores are reported as a scaled score based on the conversion of a candidate's raw score on an exam to a common scale.
ISACA uses and reports scores on a common scale from 200 to 800. A candidate must receive a score of 450 or higher to pass.
Introduction of Classmates
Stuxnet
Part of "Operation Olympic Games", an operation begun in 2006 and designed to disrupt Iran's nuclear programme
General James E. Cartwright, head of cyber operations inside US Strategic Command, is reported to have developed the Stuxnet plan
• Stage 1: Plant code that extracts maps of the air-gapped networks supporting nuclear labs and reprocessing plants in Iran
• Stage 2: Payload development by NSA's Foreign Affairs Directorate and the IDF's Intelligence Corps Unit 8200. Code named "The Bug"
• Stage 3: Test against P-1 centrifuges
• Stage 4: Plant the worm in Natanz via spies and tricked insiders (engineers to maintenance workers, anyone with physical access to the plant). This was in 2008
The operation was successful
• ICS were infected and high-speed centrifuges were damaged
• Iranians blamed themselves or their suppliers for the observed problems
Stuxnet
Roughly 20 times the size of typical malware of its day, with an array of capabilities
• Drove the centrifuge rotors outside their safe speed range (an earlier variant over-pressurised the centrifuge cascades instead) while replaying normal readings to the operators. The target was the enrichment centrifuges, not a nuclear reactor
• Did not rely on a forged code-signing certificate (the usual way malware gets a driver loaded); it carried genuine certificates stolen from globally reputable technology companies (Realtek, and later JMicron)
• Exploited four Windows zero-day vulnerabilities, alongside previously known weaknesses
• Target-specific: it remained dormant until it found its target, the Siemens PLCs driving the P-1 centrifuges. Reported to have put about 1,000 centrifuges at Natanz out of action
GhostNet
GhostNet represents a network of compromised computers resident in high-value political, economic, and media locations spread across numerous countries worldwide
GhostNet
Malware retrieving a sensitive document
• This screen capture of the Wireshark network analysis tool shows an infected computer at the Office of the Dalai Lama uploading a sensitive document to one of the CGI network’s control servers.
GhostNet
gh0st RAT demonstration: https://www.youtube.com/watch?v=6p7FqSav6Ho
Technical Social Engineering
The purpose of social engineering is to transparently install malicious software or to trick you into handing over sensitive information.
Technical Social Engineering is a chained exploit: human nature and software vulnerabilities are both exploited.
Technical Social Engineering: Operation Aurora
Targeted 34 companies in the financial, technology and defense sectors
Never before seen level of sophistication outside the defense industry. Prior to this, commercial attacks were typically SQL-injection or wireless-breach based
Highly sophisticated and coordinated attack against Google's corporate network
• Targeted and stole IP (source code repositories)
• Accessed Gmail accounts of human rights
Operation Aurora
Used several pieces of malware, multiple layers of encryption, stealth programming and zero-day exploits, most notably in Internet Explorer (Word, Excel and Adobe PDF exploits were also reported)
• The attack was obfuscated and avoided common detection methods
Tailored to target a small number of corporate users by:
• sending a malicious document attached to an email, or
• sending a spoofed email message with a link to a malicious website
Infected machines will typically have the following components installed:
• %System%\[RANDOM].dll: main file. Runs as a service and has backdoor capabilities
• %System%\acelpvc.dll: streams a live desktop feed to the attacker
• %System%\VedioDriver.dll: helper DLL for acelpvc.dll
Operation Aurora
Siphoned off the live feed and/or data to C&C servers in Illinois, Texas and Taiwan
• One C&C server was hosted by Rackspace
Timed to occur during a holiday season when company SOC and IR teams would be thinly staffed
Operation Aurora – Trojan.Hydraq
Infects Windows 2000, XP, Vista, 7, Server 2003 and Server 2008
Creates two files
• Creates a service named RaS followed by four random characters
• Registers the service by creating a registry subkey
• Modifies this registry entry so that svchost loads the DLL as a member of the netsvcs group:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\"netsvcs"
• Opens a backdoor allowing a remote attacker to do a number of things
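Added example, not part of the course slides: a small audit script of the kind a responder would run against the persistence technique just described, checking the svchost netsvcs group for services whose DLL does not match a known-good baseline or whose name fits the RaS#### pattern. It works on a constructed registry snapshot (a Python dict standing in for the live hive, so it runs offline on any OS); the service names, DLL paths and baseline are assumptions for the demonstration, and a real baseline would be built from a clean reference image of the same Windows build.

```python
"""Audit the svchost 'netsvcs' group for suspicious service DLLs.

Added example (not from the course slides). Trojan.Hydraq persisted by adding a
service to HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost\\netsvcs
with its DLL in %System%. This script applies that idea to a constructed
snapshot of the registry; on a real host the two dicts below would be filled
from the hive (e.g. with winreg), which is left out so the example runs offline.
"""
import re
from dataclasses import dataclass

# Constructed snapshot: the netsvcs group value and each service's ServiceDll.
NETSVCS_GROUP = ["BITS", "Schedule", "wuauserv", "RaSq7Lk"]

SERVICE_DLLS = {
    "BITS": r"%SystemRoot%\System32\qmgr.dll",
    "Schedule": r"%SystemRoot%\System32\schedsvc.dll",
    "wuauserv": r"%SystemRoot%\system32\wuaueng.dll",
    "RaSq7Lk": r"%SystemRoot%\System32\acelpvc.dll",   # Hydraq-style entry (assumed)
}

# Assumed known-good ServiceDll basenames per netsvcs member.
BASELINE = {
    "BITS": "qmgr.dll",
    "Schedule": "schedsvc.dll",
    "wuauserv": "wuaueng.dll",
}

# Hydraq created services named "RaS" followed by four random characters.
HYDRAQ_NAME = re.compile(r"^RaS[0-9A-Za-z]{4}$")


@dataclass
class Finding:
    service: str
    dll: str
    reasons: tuple


def basename(path):
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_netsvcs(group, dlls, baseline):
    """Return a Finding for every netsvcs member that deviates from the baseline."""
    findings = []
    for svc in group:
        dll = dlls.get(svc, "")
        reasons = []
        if svc not in baseline:
            reasons.append("service not in netsvcs baseline")
        elif basename(dll) != baseline[svc]:
            reasons.append("ServiceDll differs from baseline")
        if HYDRAQ_NAME.match(svc):
            reasons.append("name matches Hydraq RaS#### pattern")
        if not dll:
            reasons.append("no ServiceDll value")
        if reasons:
            findings.append(Finding(svc, dll, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit_netsvcs(NETSVCS_GROUP, SERVICE_DLLS, BASELINE):
        print(f"{f.service}: {f.dll} -> {', '.join(f.reasons)}")
```

The baseline comparison does the real work; the name pattern is only a bonus signal, since a current attacker would pick a less conspicuous service name.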
Operation Aurora – Google Case Study
Initial attack occurred when company executives visited a malicious site
• Via a clicked URL sent by email/IM, or via social networking sites
• Drive-by download
• IE exploited via a zero-day exploit
Operation Aurora – Google Case Study
• Shellcode was triple-encrypted
• Downloaded encrypted binary code in two encrypted .exe's from an external node
• Opened a backdoor
• Established an encrypted covert channel masquerading as an SSL connection
• Used the compromised host as a "beachhead" into other parts of the corporate network
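Added example, not from the slides: a detection heuristic for the kind of covert channel described in the case study. A genuine TLS session to port 443 begins with a ClientHello handshake record (content type 0x16, version 0x03 0x0X, a record length, then handshake type 0x01); a custom protocol that merely looks like SSL usually does not. The flows and their first payload bytes below are constructed, and the check is an assumption about how such a channel would appear on the wire, not a description of Hydraq's actual protocol.

```python
"""Flag flows to TCP/443 whose first client bytes are not a TLS ClientHello.

Added example (not from the course slides). The captured flows are constructed;
a real deployment would feed the first payload bytes of each new 443 flow from a
sensor or pcap parser into suspicious_443_flows().
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes      # first client-to-server payload bytes


def looks_like_tls_client_hello(data):
    """True if the payload begins with a plausible TLS ClientHello record."""
    if len(data) < 6:
        return False
    content_type, major, minor = data[0], data[1], data[2]
    record_len = int.from_bytes(data[3:5], "big")
    handshake_type = data[5]
    return (content_type == 0x16                       # handshake record
            and major == 0x03 and minor in (0x00, 0x01, 0x02, 0x03)  # SSL3 .. TLS1.2 record versions
            and 0 < record_len <= 16384                # TLS record size limit
            and handshake_type == 0x01)                # ClientHello


def suspicious_443_flows(flows):
    """Return flows to port 443 that do not open with a TLS ClientHello."""
    return [f for f in flows
            if f.dport == 443 and not looks_like_tls_client_hello(f.first_bytes)]


# Constructed sample flows (addresses from documentation ranges).
SAMPLE_FLOWS = [
    # Real-looking TLS ClientHello: 16 03 01 <len> 01 ...
    Flow("10.1.2.3", "93.184.216.34", 443, bytes.fromhex("160301008e0100008a0303")),
    # Custom protocol dressed up as SSL: a fixed magic value, then ciphertext.
    Flow("10.1.2.7", "203.0.113.9", 443, bytes.fromhex("ff0000002b1a9c44e1")),
    # Plain HTTP on 443: a misconfiguration rather than malware, but still not TLS.
    Flow("10.1.2.9", "198.51.100.2", 443, b"GET / HTTP/1.1\r\nHost: x\r\n"),
    # Non-443 traffic is outside the scope of this particular check.
    Flow("10.1.2.9", "198.51.100.2", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for f in suspicious_443_flows(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}:{f.dport} first bytes {f.first_bytes[:8].hex()} (not TLS)")
```

This is a first-bytes heuristic only: a channel that sends a real ClientHello and then tunnels its own protocol inside the session would pass it, so in practice it is paired with certificate, SNI and JA3-style checks.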
ICEFOG Advanced Persistent Threat
A threat actor illustrating an emerging trend: cyber-mercenary teams of tens to hundreds of operators, available for hire to perform surgical hit-and-run operations
• Going after the supply chain and compromising the target with surgical precision
Relies on spear-phishing emails that attempt to trick a victim into opening a malicious attachment or visiting a malicious website
ISACA®: Trust in, and value from, information systems
2015 CISM Review Course
Chapter 1: Information Security Governance
Course Agenda
• Priorities for the CISM
• Corporate Governance
• Information Security Strategy
• Information Security Program
• Elements of a Security Program
• Roles and Responsibilities
• Evaluating a Security Program
• Reporting and Compliance
• Ethics
The CISM candidate understands:
• Effective security governance framework
• Building and deploying a security strategy aligned with organizational goals
• Managing risk appropriately
• Responsible management of program resources
Chapter 1 Learning Objectives
Align the organization's information security strategy with business goals and objectives
• Obtain senior management commitment
Provide support for:
• Governance
• Business cases to justify security
• Compliance with legal and regulatory mandates
• Organizational priorities and strategy
• Identify drivers affecting the organization
• Define roles and responsibilities
• Establish metrics to report on effectiveness of the security strategy
The Priorities for the CISM Candidate in Chapter One
CISM Priorities
The CISM must understand:
• Requirements for effective information security governance
• Elements and actions required to develop an information security strategy and a plan of action to implement it
The First Question
In your own words, please describe what information security is, and what the purpose or value of information security is in relation to the business
Information Security
Information is indispensable to conduct business effectively today
Information must:
• Be available
• Have integrity of data and process
• Be kept confidential as needed
Protection of information is a responsibility of the Board of Directors
Information Security
Information protection includes:
• Accountability
• Oversight
• Prioritization
• Risk management
Information security is much more than just IT security (more than technology)
Information must be protected at all levels of the organization and in all forms
• Information security is a responsibility of everyone
• In all forms – paper, fax, audio, video, microfiche, networks, storage media, computer systems
Information Security Governance Overview
Benefits of effective information security governance include:
• Improved trust in customer relationships
• Protecting the organization's reputation
• Better accountability for safeguarding information during critical business activities
• Reduction in loss through better incident
The First Priority for the CISM
Remember that information security is a business-driven activity.
• Security is here to support the interests and needs of the organization – not just the wishes of the security function
• Security is always a balance: between cost and benefit, and between security and productivity
Business Goals and Objectives
Corporate governance is the set of responsibilities and practices exercised by the board and executive management. Goals include:
• Providing strategic direction
• Reaching security and business objectives
• Ensuring that risks are managed appropriately
• Verifying that the enterprise's resources are used responsibly
Outcomes of Information Security Governance
The six basic outcomes of effective security governance:
• Strategic alignment
• Risk management
• Value delivery
Benefits of Information Security Governance
Effective information security governance can offer many benefits to an organization, including:
• Compliance and protection from litigation or penalties
• Cost savings through better risk management
• Avoiding the risk of lost opportunities
• Better oversight of systems and business operations
• Opportunity to leverage new technologies to business advantage
Performance and Governance
Governance is only possible when metrics are in place for:
• Measuring
• Monitoring
• Reporting
on whether critical organizational objectives are achieved
Information Security Strategy
Developing Information Security Strategy
An information security strategy:
• Takes a long-term perspective
• Is standard across the organization
• Is aligned with business strategy / direction
• Understands the culture of the organization
• Reflects business priorities
Elements of a Strategy
A security strategy needs to include:
• Resources needed
• Constraints
• A road map
• Includes people, processes, technologies and other resources
• A security architecture: defining business drivers, resource relationships and process flows
Achieving the desired state is a long-term goal reached through a series of projects
Objectives of Security Strategy
The objectives of an information security strategy must:
• Be defined
• Be supported by metrics (measurable)
• Provide guidance
The Goal of Information Security
The goal of information security is to protect the organization's assets, individuals and mission
This requires:
• Asset identification
• Classification of data and systems according to criticality and sensitivity
• Application of appropriate controls
*Information is an asset only to the degree it supports the primary purpose of the business
Defining Security Objectives
The information security strategy forms the basis for the plan(s) of action required to achieve security objectives
The long-term objectives describe the "desired state"
Should describe a well-articulated vision of the desired outcomes for a security program
Security strategy objectives should be stated in terms of specific goals directly aimed at
Business Linkages
• Start with understanding the specific objectives of a particular line of business
• Take into consideration all information flows and processes that are critical to ensuring continued operations
• Enable security to be aligned with and support business at strategic, tactical and operational levels
Business Case Development
The business case for initiating a project must be captured and communicated:
• Reference
• Context
• Value proposition
• Focus
• Deliverables
• Dependencies
• Project metrics
• Workload
• Required resources
• Commitments
The Information Security Program
Question: What steps/elements are necessary to develop an
Security Program Priorities
• Achieve high standards of corporate governance
• Treat information security as a critical business issue
• Create a security-positive environment
• Have declared responsibilities
Security versus Business
Security must be aligned with business needs and direction
Security is woven into the business functions and provides:
• Strength
• Resilience
• Protection
Security Program Objectives
Ensure the availability of systems and data
• Allow access to the correct people in a timely manner
Protect the integrity of data and business processes
• Ensure no improper modifications
Protect confidentiality of information
• Prevent unauthorized disclosure of information
• Privacy, trade secrets,
What is Security
A structured deployment of risk-based controls related to:
• People
• Processes
• Technology
Security Integration
Security needs to be integrated INTO the business processes
The goal is to reduce security gaps through organization-wide security programs
Integrate IT with:
• Physical security
• Risk management
• Privacy and compliance
• Business continuity management
Security Program
Starts with theory and concepts:
• Policy
Interpreted through:
• Procedures
• Baselines
• Standards
Architecture
Information security architecture is similar to physical architecture:
• Requirements definition
• Design / modeling
• Creation of detailed blueprints
• Development, deployment
Architecture is planning and design to meet the needs of the stakeholders
Security architecture is one of the greatest needs for most organizations
Information Security Frameworks
Framework:
• Template
• Structure
• Measurable / auditable
• Project planning and management
• Strategic, tactical and operational
Using an Information Security Framework
Effective information security is provided through adoption of a security framework that:
− Defines information security objectives
− Aligns with business objectives
− Provides metrics to measure compliance and trends
− Standardizes baseline security activities enterprise-wide
The Desired State of Security
The "desired state of security" must be defined in terms of attributes, characteristics and outcomes
• It should be clear to all stakeholders what the intended security state is
The Desired State cont.
The desired state according to COBIT (Control Objectives for Information and related Technology):
• "Protecting the interests of those relying on information, and the processes, systems and communications that handle, store and deliver the information, from harm resulting from failures of availability, confidentiality and integrity"
• Focuses on IT-related processes from IT governance, management and control perspectives
The Maturity of the Security Program Using CMM
0: Nonexistent—No recognition by organization of need for security
1: Ad hoc—Risks are considered on an ad hoc basis—no formal processes
2: Repeatable but intuitive—Emerging understanding of risk and need for security
3: Defined process—Companywide risk management policy/security awareness
4: Managed and measurable—Risk assessment standard procedure, roles and responsibilities assigned, policies
Using the Balanced Scorecard
The four perspectives of the Balanced Scorecard, arranged around Vision and Strategy:
• Learning and Growth
• Internal Business Processes
• Financial
• Customer
The ISO27001:2013 Framework
The goal of ISO27001:2013 is to:
• Establish
• Implement
• Maintain, and
• Continually improve
an information security management system
Contains:
Examples of Other Security Frameworks
• SABSA (Sherwood Applied Business Security Architecture)
• COBIT
• COSO
• Business Model for Information Security
• Model originated at the Institute for Critical Information Infrastructure Protection
Examples of Other Security Frameworks
• ISO standards on quality (ISO 9001:2000)
• Six Sigma
• Publications from NIST and ISF
• US Federal Information Security
Constraints and Considerations for a Security Program
Constraints:
• Legal—Laws and regulatory requirements
• Physical—Capacity, space, environmental constraints
• Ethics—Appropriate, reasonable and customary
• Culture—Both inside and outside the organization
• Costs—Time, money
• Personnel—Resistance to change, resentment against new constraints
Constraints and Considerations for a Security Program cont.
Constraints:
• Organizational structure—How decisions are made and by whom, turf protection
• Resources—Capital, technology, people
• Capabilities—Knowledge, training, skills, expertise
• Time—Window of opportunity, mandated
Elements of a Security Program
Elements of Risk and Security
The next few slides list many factors that go into a Security program.
Risk Management
The basis for most security programs is risk management:
• Risk identification
• Risk mitigation
• Ongoing risk monitoring and evaluation
The CISM must remember that risk is measured according to potential impact on the ability of the business to meet its mission – not just on the impact on IT.
Information Security Concepts
Access, Architecture, Attacks, Auditability, Authentication, Authorization, Availability, Business impact analysis, Confidentiality, Countermeasures, Criticality, Data classification, Exposures, Gap analysis
Information Security Concepts cont.
Identification, Impact, Integrity, Layered security, Management, Nonrepudiation, Risk / Residual risk, Security metrics, Sensitivity, Standards, Strategy, Threats, Vulnerabilities, Enterprise architecture, Security domains, Trust models
Security Program Elements
Policies, Standards, Procedures, Guidelines, Controls (physical, technical, procedural), Technologies, Personnel security, Organizational structure, Skills
Security Program Elements cont.
Training, Awareness and education, Compliance enforcement, Outsourced security providers, Other organizational support and assurance providers, Facilities, Environmental security
Third Party Agreements
Ensure that security requirements are addressed in all third party agreements:
• Service level agreements
• Jurisdiction in case of dispute
• Right to audit or obtain independent verification of compliance
Roles and Responsibilities
Roles and Responsibilities of Senior Management
Board of directors
• Information security governance / accountability
Executive management
• Implementing effective security governance and defining the strategic security objectives
• Budget and support
Steering committee
Senior Management Commitment
To be successful, information security must have the support of senior management:
• Budget
• Direction / policy
• Reporting and monitoring
A bottom-up management approach to information security activities is much less likely to be successful
How can we obtain continued senior management support for
Steering Committee
• Oversight of the information security program
• Acts as liaison between management, business, information technology, and information security
• Ensures all stakeholder interests are addressed
• Oversees compliance activities
CISO: Chief Information Security Officer
Responsibilities
• Responsible for information security-related activity
• Policy
• Investigation
• Testing
• Compliance
Business Manager Responsibilities
• Responsible for security enforcement and direction in their area
• Day-to-day monitoring
• Reporting
• Disciplinary actions
• Compliance
IT Staff Responsibilities
• Responsible for security design, deployment and maintenance
• System and network monitoring
• Reporting
• Operation of security controls
• Compliance
Centralized versus Decentralized Security
Which is better?
• Consistency versus flexibility
• Central control versus local ownership
• Procedural versus responsive
• Core skills versus distributed skills
• Visibility to senior management versus visibility to users and local business units
Audit and Assurance of Security
Objective review of security risk, controls and compliance
Assurance regarding the effectiveness of security is a part of regular organizational reporting and monitoring
Evaluating the Security Program
• Metrics are used to measure results
• Measure security concepts that are important to the business
• Use metrics that can be used for each reporting period
Effective Security Metrics
Set metrics that will indicate the health of the security program
• Incident management
• Degree of alignment between security and business development
• Was security consulted?
• Were controls designed into the systems or added later?
Effective Security Metrics cont.
Choose metrics that can be controlled
• Measure items that can be influenced or managed by local managers / security
• Not external factors such as the number of viruses released in the past year
• Have clear reporting guidelines
• Monitor on a regular scheduled basis
Key Performance Indicators (KPIs)
Thresholds to measure:
• Compliance / non-compliance
• Pass / fail
• Satisfactory / unsatisfactory results
A KPI is set at a level that indicates action should / must be taken
• Alarm point
End to End Security
Security must be enabled across the organization – not just on a system by system basis
Performance measures should ensure that security systems are integrated with each other
Correlation Tools
The CISM may use Security Information and Event Management (SIEM; also sold as SIM or SEM) tools to aggregate data from across the organization
• Data analysis
• Trend detection
• Reporting tools
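Added example, not from the course slides, tying together the KPI alarm point from the Key Performance Indicators slide and the trend detection mentioned for correlation tools. It evaluates a constructed per-period history of three controllable metrics against their KPI thresholds and fits a least-squares slope across the reporting periods, so that a metric that is still within its KPI but drifting toward the alarm point is reported as a warning one period early. The metric names, thresholds and histories are assumptions for the demonstration.

```python
"""Security metrics with KPI alarm points and simple trend detection.

Added example (not from the course slides). All metric values and thresholds
are constructed; a SIEM or GRC export would supply them per reporting period.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Kpi:
    name: str
    threshold: float        # the alarm point
    higher_is_better: bool  # direction in which the metric is "healthy"
    unit: str


def slope(values):
    """Least-squares slope per reporting period (0.0 if fewer than two points)."""
    n = len(values)
    if n < 2:
        return 0.0
    xs = range(n)
    mean_x = (n - 1) / 2
    mean_y = sum(values) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, values))
    den = sum((x - mean_x) ** 2 for x in xs)
    return num / den


def evaluate(kpi, history, lookahead=1):
    """Classify the latest value against the KPI and its trend.

    Returns "alarm" if the threshold is breached now, "warning" if the current
    trend breaches it within `lookahead` periods, otherwise "ok".
    """
    current = history[-1]
    projected = current + slope(history) * lookahead

    def breached(v):
        return v < kpi.threshold if kpi.higher_is_better else v > kpi.threshold

    if breached(current):
        return "alarm"
    if breached(projected):
        return "warning"
    return "ok"


# Constructed monthly history, oldest first.
KPIS = {
    Kpi("patch compliance (critical, within 30 days)", 95.0, True, "%"):
        [98.5, 97.9, 97.0, 96.2, 95.6],
    Kpi("median time to contain P1 incidents", 4.0, False, "hours"):
        [2.1, 2.4, 2.6, 3.9, 4.8],
    Kpi("phishing simulation click rate", 10.0, False, "%"):
        [12.0, 9.1, 7.5, 6.8, 6.1],
}


def report(kpis=KPIS):
    """Map each KPI name to its status for the current reporting period."""
    return {k.name: evaluate(k, h) for k, h in kpis.items()}


if __name__ == "__main__":
    for k, h in KPIS.items():
        print(f"{k.name}: {h[-1]}{k.unit}, trend {slope(h):+.2f}/period -> {evaluate(k, h)}")
```

Patch compliance is the instructive case: at 95.6% it still passes the 95% KPI, but its slope of about -0.75 points per month projects a breach next period, which is exactly the signal the reporting cycle should surface before the alarm fires.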
Regulations and Standards
The CISM must be aware of:
National
• Laws
• Privacy
• Regulations
• Reporting, performance
Industry standards
• Payment Card Industry (PCI)
• Basel II
Effect of Regulations
Requirements for business operations
• Potential impact of breach
• Cost
• Reputation
• Scheduled reporting requirements
• Frequency
Reporting and Analysis
Data gathering at source
• Accuracy
• Identification
Reports signed by an organizational officer
Ethical Standards
Rules of behaviour
• Legal
• Corporate
• Industry
• Personal
Ethical Responsibility
Responsibility to all stakeholders
• Customers
• Suppliers
• Management
• Owners
• Employees
ISACA Code of Ethics cont.
Required for all certification holders
• Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
• Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.
• Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
• Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used
• Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
• Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
• Support the professional education of stakeholders in enhancing their understanding of information systems security and control.
Practice Question
1. The PRIMARY purpose of a security strategy is to provide:
A. The basis for determining the security architecture for the organization.
B. The intent and direction of management.
C. Guidance for users on how to comply with
Practice Question
2. The BEST method of improving security compliance is:
A. To make it easier for employees to follow security rules.
B. To have comprehensive organization-wide security policies.
C. To have an active security awareness program.
D. To inform all staff about legal regulations and legislation.
Practice Question
3. The MOST important task of the CRISC regarding compliance with regulations is to:
A. Develop the policies and standards to be followed by the organization.
B. Ensure that accurate and complete data is used in reporting procedures.
C. Provide guidance to business units on the legal requirements for compliance.
Practice Question
4. The MOST important consideration in the development of security policies is that:
A. The policies reflect the intent of senior management.
B. The policies are legal.
C. All employees agree with the policies.
D. The correct procedures are developed to support the requirements of policy.
2015 CISM Review Course
Chapter 2: Information Risk Management and Compliance
Course Agenda
• Information asset classification
• Identify regulatory, legal and other requirements
• Identify risk, threats and vulnerabilities
• Risk treatment
• Evaluate security controls
• Integrate risk management into business processes
• Report non-compliance and other changes in risk
Ensure that the CISM candidate manages information risk to an acceptable level to meet the business and compliance requirements of the organization
The content area in this chapter will represent approximately 33% of the CISM examination (approximately 66 questions).
Chapter 2 Task Statements
• Establish an information asset classification and ownership process
• Ensure risk, threat and vulnerability assessments are conducted periodically
• Evaluate security controls
• Identify gaps between current and desired state
Chapter 2 Task Statements cont.
• Integrate risk, threat and vulnerability identification and management into the organization
• Monitor existing risk to ensure changes are identified and managed appropriately
• Report information risk management levels to management
Information Asset Classification
Need to know what information to protect
Need to know who is responsible to protect it
• Ownership
Roles and Responsibilities
Information protection requires clear assignment of responsibilities:
• Information owner
• Information system owner
• Board of Directors / Chief Executive Officer
• Users
• Information custodians
• Third party suppliers
Roles and Responsibilities
Information security risk management is an integral part of security governance
• It is the responsibility of the board of directors or the equivalent to ensure that these efforts are visible
Management must be involved in and sign off on acceptable risk levels and risk
Information Classification Considerations
Business impact and reliance of the business on information and information systems
• Understand business objectives
• Availability of data / systems
• Sensitivity of data / systems
Information asset protection may be required by legislation
• Privacy
• Consumer data
• Employee data
• Financial accuracy
Asset Valuation
Information asset valuation may be based on:
• Financial considerations
• Liability for lost data
• Cost to create or restore data
• Impact on business mission
• Reputation
• Customer or supplier confidence
Valuation Process
• Determine ownership
• Determine number of classification levels
• Develop labeling scheme
• Identify all information types and locations
Information Protection
Ensure that data is protected consistently across all systems
Protect data in all forms – paper, electronic, optical, fax,
Protect data at all times:
• Storage
• Transmission
• Processing
• Destruction
Information Asset Protection
Policies
• Communicated
• Enforced
• Clean desk / clear screen
• Need to know – least privilege
Procedures
Risk Management
Definition of Risk
Risk is a function of the likelihood of a threat-source exercising a vulnerability and the resulting impact of that adverse event on the mission of the organization.
• Asset
• Threat
Why is Risk Important
Risk management is a fundamental function of information security
• Provides rationale and justification for virtually all information security activities
• Prioritization of risk allows the development of a security roadmap
Risk Management Definition
What is risk management?
The systematic application of management policies, procedures and practices to the tasks of:
• Identifying
• Analyzing
• Evaluating
• Treating
Risk Management Objective
• The objective of risk management is to identify, quantify and manage information security risk
• Reduce risk to an acceptable level through the application of risk-based, cost-effective controls
Risk Management Overview
Risk is the probability of occurrence of an event or transaction causing financial loss or damage to:
• Organization
• Staff
• Assets
Quantitative and qualitative measures
Risk Management Overview
Risk management is the process of ensuring that the impact of threats exploiting vulnerabilities is within
acceptable limits at an acceptable cost At a high level, this is accomplished by
• Balancing risk against mitigation costs
• Implementing appropriate countermeasures and controls
Defining the Risk Environment
The most critical prerequisite to a successful risk management program is understanding the organization, including:
− Key business drivers
− The organization’s SWOT (strengths, weaknesses, opportunities and threats)
− Internal and external stakeholders
− Organizational structure and culture
− Assets (resources, information, customers,
Threats to Information and Information Systems
Threats to information and information systems are related to:
• Availability
• Confidentiality
• Integrity
• Non-repudiation
Threat Analysis
Intentional versus Unintentional attacks
• Natural
• Man-made
• Utility / Equipment
Threats affected by
Aggregate Risk
Aggregate risk must be considered
• Aggregate risk is where several smaller risk factors combine to create a larger risk (the perfect storm scenario)
Cascading Risk
Cascading risks are the effect of one incident leading to a chain of adverse events (domino effect)
Identification of Vulnerabilities
Weaknesses in security controls
• Patches not applied
• Non-hardened systems
• Inappropriate access levels
• Unencrypted sensitive data
• Software bugs or coding issues (buffer overflow)
• Physical security
The Effect of Risk
An exploit of a vulnerability by a threat may lead to an exposure.
An exposure is measured by the impact it has on the organization or the ability of the
Impact
Examples of direct and indirect financial losses:
• Direct loss of money (cash or credit)
• Criminal or civil liability
• Loss of reputation/goodwill/image
• Reduction of share value
• Conflict of interests to staff or customers or shareholders
Impact cont.
Examples of direct and indirect financial losses:
• Breach of confidence/privacy
• Loss of business opportunity/competition
• Loss of market share
• Reduction in operational efficiency/performance
• Interruption of business activity
Risk Management Process
(Process cycle diagram) Risk Identification (Assessment and Analysis) → Risk Treatment (Control Selection) → Evaluation and Assessment
Risk Assessment Methodology
Quantitative
• Determine the impact of a single event
• Single Loss Expectancy (SLE)
• SLE = Asset Value x Exposure Factor
• Calculate frequency of events
Annualized Loss Expectancy (ALE)
ALE is the calculated cost of risk per year from a single event
• ALE = SLE x ARO
Used to justify expense of implementing controls to reduce risk levels
Cost of controls should not be greater than benefit realized by implementing the control
Qualitative Risk Assessment
Determine risk levels through scenario-based analysis
Rank risk levels according to frequency and impact (Low (1), Moderate (2), High (3))
(Risk matrix figure) Likelihood (rows) against Impact (columns), each rated Low, Moderate, High
Data Gathering Techniques
• Surveys / Questionnaires
• Observation
• Workshops
• Delphi techniques
Results of Risk Assessment
Documentation of risk levels
• Risk register
Determination of threat and vulnerability levels
Forecast of impact and frequency of events
Recommendations for risk mitigation
Alignment of Risk Assessment and BIA
Risk Assessment measures Impact and Likelihood
Business Impact Analysis measures Impact over Time
Related disciplines – but not the same
BIA must be done periodically to determine how risk and impact levels increase over time
• Set priorities for critical business functions
Risk Treatment
Risk Treatment takes the recommendations from the risk assessment process and selects the best choice for managing risk at an acceptable level
• Residual Risk
• Risk Acceptance
• Cost / Benefit
• Priorities
• Balance between security and business
Risk Treatment
Risk Treatment Options
• Reduction / mitigation – implement changes
• Enhance managerial, technical, physical and operational controls
• Acceptance
Risk Mitigation and Controls
Controls (safeguards / countermeasures) are implemented in order to reduce a specified risk
− Existing controls and countermeasures can be evaluated
− New controls and countermeasures can be designed
Control Recommendations
Factors to be considered when recommending new or enhanced controls are:
• Cost-benefit analysis
• Anticipated effectiveness
• Compatibility with other controls, systems, and processes
• Legislation and regulation
Cost Benefit Analysis of Controls
Cost-benefit analysis must consider the cost of the control throughout the full life cycle of the control or countermeasure including:
• Acquisition / purchase costs
• Deployment and implementation costs
• Recurring maintenance costs
• Testing and assessment costs
Cost Benefit Analysis of Controls cont.
Cost benefit analysis includes costs of:
• Compliance monitoring and enforcement
• Inconvenience to users
• Reduced throughput of controlled processes
• Training in new procedures or technologies as applicable
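The SLE/ALE formulas from the quantitative assessment slides and the life-cycle cost items on these two slides, worked through together as an added example that is not part of the course material; the asset values, exposure factors, occurrence rates and control costs are constructed for illustration, and the control names are hypothetical:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """A risk scenario in the quantitative terms used on the slides."""
    name: str
    asset_value: float       # AV: value of the asset exposed
    exposure_factor: float   # EF: fraction of AV lost in one event (0.0 to 1.0)
    aro: float               # ARO: expected number of events per year

    def sle(self) -> float:
        # Single Loss Expectancy = Asset Value x Exposure Factor
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annualized Loss Expectancy = SLE x ARO
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate control with its full life-cycle costs."""
    name: str
    acquisition: float          # one-off purchase cost
    deployment: float           # one-off implementation cost
    annual_maintenance: float   # recurring maintenance
    annual_testing: float       # recurring testing and assessment
    annual_user_impact: float   # inconvenience, reduced throughput, training
    lifetime_years: int         # period over which one-off costs are spread
    residual_ef: float          # EF once the control is in place
    residual_aro: float         # ARO once the control is in place

    def annual_cost(self) -> float:
        one_off = (self.acquisition + self.deployment) / self.lifetime_years
        return (one_off + self.annual_maintenance + self.annual_testing
                + self.annual_user_impact)


def evaluate(risk: Risk, control: Control) -> dict:
    """Compare the ALE with and without the control against its annual cost."""
    residual = Risk(risk.name, risk.asset_value, control.residual_ef, control.residual_aro)
    reduction = risk.ale() - residual.ale()
    net = reduction - control.annual_cost()   # benefit must exceed cost to justify
    return {"control": control.name, "ale_before": risk.ale(), "ale_after": residual.ale(),
            "annual_control_cost": control.annual_cost(), "net_benefit": net,
            "justified": net > 0}


def rank_controls(risk: Risk, controls) -> list:
    # Order candidate controls by net annual benefit, best first
    return sorted((evaluate(risk, c) for c in controls),
                  key=lambda r: r["net_benefit"], reverse=True)


# Constructed sample scenario (illustrative figures, not from the course)
CUSTOMER_DB = Risk("customer database breach", asset_value=2_000_000,
                   exposure_factor=0.25, aro=0.5)            # SLE 500,000; ALE 250,000
ENCRYPTION = Control("encryption at rest + key management", 60_000, 40_000,
                     15_000, 5_000, 10_000, 5, residual_ef=0.05, residual_aro=0.5)
GOLD_PLATED = Control("full data-centre rebuild", 900_000, 100_000,
                      50_000, 10_000, 40_000, 5, residual_ef=0.01, residual_aro=0.25)

if __name__ == "__main__":
    print(f"SLE = {CUSTOMER_DB.sle():,.0f}  ALE = {CUSTOMER_DB.ale():,.0f}")
    for r in rank_controls(CUSTOMER_DB, [ENCRYPTION, GOLD_PLATED]):
        print(f"{r['control']:38} cost {r['annual_control_cost']:>9,.0f} "
              f"net {r['net_benefit']:>9,.0f} justified={r['justified']}")
```

The second control reduces the ALE further than the first but its annualized cost exceeds the risk reduction, so it fails the cost-benefit test the slides describe.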
Risk Mitigation Schematic
(Diagram) Owners value assets and wish to minimize risk; they impose countermeasures to reduce risk. Threat agents give rise to threats that increase risk to the assets; threat agents wish to abuse and/or may damage the assets.
Control Types and Categories
Controls may be:
• Managerial
• Technical
• Physical
Control Types and Categories cont.
Controls may be:
• Directive
• Deterrent
• Preventative
• Detective
• Recovery
• Corrective
• Compensating
Security Control Baselines
Creating baselines of control can assist in developing a consistent security infrastructure
Principles for developing baselines include:
• Assess the level of security that is appropriate for the organization
• Mandate a configuration for all systems and components attached to the organization’s
Ongoing Risk Assessment and Building Risk Management into the Organization
Ongoing Risk Assessment
Monitor controls to ensure that they are working effectively
• Implemented as designed
• Operating properly
• Producing the desired outcome (mitigating the risk they were installed to address)
Measuring Control Effectiveness
Determine metrics to measure control effectiveness
• Do regular monitoring and reporting
Aggregate data from several control points
• Security Event Incident Monitoring (SEIM)
Measure control effectiveness in comparison to business goals and objectives
Building Risk Management In (Agenda)
Risk Management should be built into business processes
• Change control
• Systems development life cycle (SDLC)
• Ongoing monitoring and analysis
• Audit
• Business process re-engineering
• Project management
Risk Related to Change Control
Uncontrolled / Unauthorized changes
Changes implemented incorrectly
• Backup
• Rollback
Changes that bypass / overwrite controls
Interruption to service
Controlling Risk in Change Control
Oversight / Steering Committee
Formal Change control process
• Documentation of changes
• Approvals
• Testing
Risk Management During SDLC
Integrate risk management throughout the SDLC
• Review risk levels as the system is designed, developed, tested and implemented
• Test the implemented security controls
• Ensure the ability to log and monitor events is built into all systems
Review all new systems for correct operation of controls and associated risk levels
Ongoing Risk Management Monitoring and Analysis
Do risk assessment annually
• More frequently in event of:
• Organizational changes
• Regulation
• Incidents
Monitor controls frequently and report to management
Audit and Risk Management
Audit validates that risk is being managed correctly
• Compared with culture of organization
• Policy
• Regulation
• Best practices
Audit and Risk Management cont.
Validate that risk is within acceptable levels
• Risk appetite
Threat and vulnerability analysis was done correctly
Controls are working correctly
• Mitigating risk effectively
Risk in Business Process Re-Engineering
Review all major systems and business process changes for impact on risk levels
Ensure that ability to monitor controls is built into business processes
• Enable reporting and compliance
Regular reporting to management on status of changes
• Ensure that changes do not bypass controls
• Separation of duties, least privilege
Risk in Project Management
Risk of “Scope Creep”
Risk of project overrun
• Budget
• Time
• Failure to deliver expected results
• Vendor compliance with requirements
Risk During Employment Process
Hiring Procedures
• Correct skills and experience
• Background checks
• Criminal
• Financial
• References from former employers / associates
New Employee Initiation
Require signing of
• Non-disclosure agreements (NDA)
• Non-compete agreements
• Ethics statement
Review security policy
• Awareness training
Risk During Employment
Access Creep – adding more and more access
• Violation of least privilege / need to know
Enforce compliance with controls
Regular awareness sessions
Risk at Termination of Employment
Need to remove all access
Recover all organizational assets
• ID cards
• Laptops
• Remote access tokens
• Blackberry / cellphone
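The access-creep and termination risks on these two slides, turned into a periodic entitlement review as an added example that is not part of the course material; the roster, role baselines, current grants and issued assets are constructed sample data, and the role names and entitlement labels are hypothetical:

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Person:
    user: str
    role: str
    status: str   # "active" or "terminated" (from the HR roster)


# Constructed sample data (not from the course material)
ROSTER = [
    Person("alice", "accounts-payable", "active"),
    Person("bob", "helpdesk", "active"),
    Person("carol", "developer", "terminated"),
]

# Entitlement baseline per role: the "need to know" set for that job
ROLE_BASELINE: Dict[str, Set[str]] = {
    "accounts-payable": {"erp-ap", "email", "vpn"},
    "helpdesk": {"ticketing", "email", "ad-password-reset"},
    "developer": {"git", "email", "vpn", "ci"},
}

# Current entitlements as exported from the identity store
GRANTS: Dict[str, Set[str]] = {
    "alice": {"erp-ap", "email", "vpn", "erp-gl", "hr-payroll"},  # crept beyond the AP role
    "bob": {"ticketing", "email", "ad-password-reset"},
    "carol": {"git", "vpn"},                                     # terminated, access not removed
}

# Organizational assets issued and not yet recovered
ISSUED_ASSETS: Dict[str, Set[str]] = {
    "alice": {"id-card", "laptop"},
    "bob": {"id-card", "laptop", "remote-token"},
    "carol": {"id-card", "laptop", "remote-token"},
}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str     # "terminated-access", "access-creep" or "unrecovered-asset"
    detail: str


def review(roster, baseline, grants, assets) -> List[Finding]:
    """Flag residual access of leavers, unrecovered assets, and grants beyond the role baseline."""
    findings = []
    for p in roster:
        held = grants.get(p.user, set())
        if p.status == "terminated":
            # Every remaining entitlement and every issued asset is a finding
            findings += [Finding(p.user, "terminated-access", e) for e in sorted(held)]
            findings += [Finding(p.user, "unrecovered-asset", a)
                         for a in sorted(assets.get(p.user, set()))]
            continue
        # Active staff: anything beyond the role baseline violates least privilege
        findings += [Finding(p.user, "access-creep", e)
                     for e in sorted(held - baseline.get(p.role, set()))]
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review(ROSTER, ROLE_BASELINE, GRANTS, ISSUED_ASSETS):
        print(f"{f.kind:18} {f.user:8} {f.detail}")
```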
Risks During Procurement
Need to purchase the ‘right’ equipment at the right price
• Improper buying practices
• Influence
• Kickbacks
• Piracy / imitations
• Inappropriate relations / selection of vendors
Risk During Procurement cont.
Equipment not delivered according to specifications / contract terms
Equipment not configured / installed properly
Vendor not providing contracted maintenance according to maintenance agreements
Reporting to Management
Regular reporting
• Standard format
• Scheduled basis
• Consistent metrics to allow comparison of results over time
Reporting on an exceptional basis
• Following an event
Documentation
Typical risk management documentation includes:
• A risk register
• An inventory of information assets
• Threat and vulnerability analysis
• Control effectiveness report
• Initial risk rating
Training and Awareness
The most effective control to mitigate risk is training of all personnel
• Awareness
• Training
• Education
Educate on policies, standards, practices
Creates accountability
Training and Awareness
End users should receive training on:
• The importance of adhering to information security policies, standards, and procedures
• Clean desk policy
• Responding to incidents and emergencies
• Privacy and confidentiality requirements
Training for End Users
Practical training topics
• Clean desk policy
• Responding to incidents and emergencies
• Privacy and confidentiality requirements
• Handling sensitive data and intellectual property
• The security requirements for access to IT systems
Practice Question
The PRIMARY purpose of a risk management program is:
a) To eliminate risk
b) To reduce all risks to a minimal level of impact
c) To satisfy regulatory requirements
d) To ensure risk levels are acceptable to senior management
Practice Question 2
The formula SLE x ARO relates to:
a) Annualized Loss Expectancy (ALE)
b) Risk acceptance levels
c) The frequency of attacks
ISACA® – Trust in, and value from, information systems
2015 CISM Review Course
Chapter 3
Information Security Program Development and
Course Flow
Chapter One: Information Security Governance
Chapter Two: Information Risk Management
Chapter Three: Develop and Manage a Security Program
Chapter Four: Information Security Incident Management
Course Agenda
Learning objectives
Security Program Development Objectives
Role of the Information Security Manager
Information Security Program Development
Exam Relevance
Ensure that the CISM candidate…
Understands how to manage the information security program in alignment with the information security strategy
The content area in this chapter will represent approximately 25% of the CISM examination (approximately 50 questions).
Chapter 3 Learning Objectives
Develop and maintain plans to implement an information security program that is aligned with the information security strategy
Ensure alignment between the information security program and other business functions
Identify internal and external resources required to execute the information security program
Learning Objectives cont.
Ensure the development, communication, and maintenance of standards, procedures and other documentation that support information security policies
Design and develop a program for information security awareness, training and education
Integrate information security requirements into contracts and third party agreements
Definition
Information security program management includes:
• Directing
• Overseeing
• Monitoring
Information-security-related activities in support of organizational objectives.
Security Strategy and Program Relationship
The security strategy is the long term plan of creating a security structure that will support the business goals of the organization
The security program outlines the steps necessary to implement the security strategy
The security program should be defined in business terms
Information Security Management
Information Security management is primarily concerned with:
• Ongoing, day-to-day operations of a security department
• Budget for security
• Planning
Importance of Security Management
Achieving adequate levels of information security means:
• Implementing cost effective security solutions
• Supporting business operations
• Strategic planning and alignment between security and the business
• Compliance and reporting
Definition
Information security program development is the integrated set of:
• Activities
• Projects
• Initiatives
Effective Security Management
Effective security management must demonstrate value to the organization
• Compliance with policies and procedures
• Cost effective
• Improved audit results
• Business process assurance
Reasons for Security Program Failure
Poorly understood requirements
• Lack of understanding about what is important and why
Lack of funding or resources
Lack of will to make security a priority
Too much technical focus
Security Program Development Objectives
Program Objectives
Implement the objectives of the security strategy
• Managerial controls
• Technical controls
• Physical controls
Security Program Development
The elements essential to ensure successful security program design and implementation:
• A well defined and clear information security strategy
• Cooperation and support from management and stakeholders
• Effective metrics to measure program effectiveness
Security Program Development cont.
A well-executed security program will:
• Support governance of information security
• Convert security initiatives into practical real-world implementations
• Provide proof that security implementations are meeting business and security needs
• Be flexible enough to adapt to changes in
Outcomes of Information Security Program Development
As seen in Chapter One, objectives for information security governance include:
• Strategic alignment
• Risk management
• Value delivery
• Resource management
• Assurance process integration
• Performance measurement
Governance of the Security Program
Acceptance and support for the strategy and the objectives of the security program is the responsibility of executive management
Everyone is responsible for compliance with security requirements
Role of the Information Security Manager
Role of the Information Security Manager (Agenda)
• Strategy
• Policy
• Awareness
• Monitoring
• Compliance
• Prevention
• Detection
• Correction
Strategy
The first step to development of an information security program (as seen in chapter one) is to align the security strategy with the objectives of the business
• Governance
• Resources
• Reporting
• Compliance
• Regulations
Policy
Policy provides:
• Authority
• Direction
Requires:
• Background
• Scope
Creating Effective Policy
• Ownership
• Up to date
• Exceptions
• Enforceable / legal
• Non-technical
• Reflects culture and mission of the organization
Awareness
People are the most important element of a security program, therefore they must:
• Understand their roles
• Be capable of performing their roles
• Be provided adequate training
• Be accountable for results
Implementation
Converts strategy to practical tools and techniques
• Controls
• Safeguards
• Countermeasures
Monitoring
Review of security controls, countermeasures, safeguards
Continuous or periodic testing
Frequency is dependent on:
• Laws
• Business changes
• Culture
Compliance
Compliance ensures that business processes and security measures meet the requirements of corporate policy, local regulations, industry-based standards, and best practices.
Compliance requires proof (not just theory)
• Testing, logging
• Reporting
Information Security Program Development
Developing an Information Security Road Map
The CISM must consider the security program from the perspective of:
• Data
• Applications
• Systems
• Facilities
• Processes
Defining Security Program Objectives
Whether or not there is an existing information security program, there are some basic program components:
• Understand management’s security objectives
• Develop key goal indicators (KGIs) that reflect and measure business priorities
Inventory of Information Systems
Document all aspects of the information systems including:
• System categorization
• System description including system boundaries
• Network diagram and data flows
• Software and hardware inventory
• Users and system owners
• Business risk assessment
• System risk assessment
• Contingency plan
• System security plan
Challenges in Developing an Information Security Program
The process of setting a program in place and measuring its results requires a great deal of cooperation among everyone in the organization who handles data
Information security program development is not usually hampered by the technology choices available, but rather by people, process and policy issues that conflict with program
Challenges in Developing an Information Security Program cont.
The challenges faced by the CISM while developing a security program may include:
• Organizational resistance due to:
• Changes in areas of responsibility
• A perception that increased security will impact productivity and access
• Unfair monitoring / restrictions
• Lack of adequate budget, personnel, skills or support
• Unanticipated problems with existing controls, systems or ongoing projects
Elements of a Security Program Road Map
A vital element of the information security program is a roles and responsibilities matrix (RACI – Responsible, Accountable, Consulted, Informed)

Activity              CEO   CISO   CIO   VP – HR
Policy Development    I     R      A     C
Business Continuity   I     C      R     I
Incident              I     A      R     C