CISM Certified Information Security Manager

Transcription

1 CISM Certified Information Security Manager Firebrand Custom Designed Courseware

2 Chapter 3 Information Security Program Development and Management

3 Course Flow Chapter One Information Security Governance Directs changes to Chapter Four Information Security Incident Management Influenced by Enforced by Chapter Two Information Risk Management Directs development of Chapter Three Develop and Manage a Security Program

4 Exam Relevance Ensure that the CISM candidate Understands how to manage the information security program in alignment with the information security strategy The content area in this chapter will represent approximately 25% of the CISM examination (approximately 50 questions). ISACA CISM Review Manual Page 140

5 Chapter 3 Learning Objectives Develop and maintain plans to implement an information security program that is aligned with the information security strategy Ensure alignment between the information security program and other business functions Identify internal and external resources required to execute the information security program Ensure the development of information security architectures ISACA CISM Review Manual Page 140

6 Learning Objectives cont. Ensure the development, communication, and maintenance of standards, procedures and other documentation that support information security policies Design and develop a program for information security awareness, training and education Integrate information security requirements into contracts and third party agreements ISACA CISM Review Manual Page 140

7 Definition Information security program management includes: Directing Overseeing Monitoring Information-security-related activities in support of organizational objectives. ISACA CISM Review Manual Page 157

8 Security Strategy and Program Relationship The security strategy is the long term plan of creating a security structure that will support the business goals of the organization The security program outlines the steps necessary to implement the security strategy The security program should be defined in business terms ISACA CISM Review Manual Page 158

9 Information Security Management Information Security management is primarily concerned with Ongoing, day-to-day operations of a security department Budget for security Planning Business case development for security projects Staff development and training ISACA CISM Review Manual Page 158

10 Importance of Security Management Achieving adequate levels of information security means: Implementing cost effective security solutions Supporting business operations Strategic planning and alignment between security and the business Compliance and reporting ISACA CISM Review Manual Page 158

11 Definition Information security program development is the integrated set of: Activities Projects Initiatives to implement the information security strategy ISACA CISM Review Manual Page 158

12 Effective Security Management Effective security management must demonstrate value to the organization Compliance with policies and procedures Cost effective Improved audit results Business process assurance ISACA CISM Review Manual Page 158

13 Security Program Development The elements essential to ensure successful security program design and implementation: A well defined and clear information security strategy Cooperation and support from management and stakeholders Effective metrics to measure program effectiveness ISACA CISM Review Manual Page 158

14 Outcomes of Information Security Program Development As seen in Chapter One, objectives for information security governance include: Strategic alignment Risk management Value delivery Resource management Assurance process integration Performance measurement ISACA CISM Review Manual Page 159

15 Governance of the Security Program Acceptance and support for the strategy and the objectives of the security program is the responsibility of executive management Everyone is responsible for compliance with security requirements

16 Information Security Program Development ISACA CISM Review Manual Page 160

17 Developing an Information Security Road Map The CISM must consider the security program from the perspective of: Data Applications Systems Facilities Processes

18 Defining Security Program Objectives Whether or not there is an existing information security program, there are some basic program components: Understand management s security objectives Develop key goal indicators (KGIs) that reflect and measure business priorities Ways to measure whether the program is heading in the right direction ISACA CISM Review Manual Page 160

19 Inventory of Information Systems Document all aspects of the information systems including: System categorization System description including system boundaries Network diagram and data flows Software and hardware inventory Users and system owners Business risk assessment System risk assessment Contingency plan System security plan ISACA CISM Review Manual Page 161

20 Elements of a Security Program Road Map A vital element of the information security program is the roles and responsibilities matrix (RACI - Responsible, Accountable, Consulted, Informed) Policy Development Business Continuity Incident Management CEO CISO CIO VP HR I R A C I C R I I A R C ISACA CISM Review Manual Page 166

21 Risk Elements of a Security Program Road Map An understanding of the general risk appetite of an organization and a review to discover any gaps or determine whether the information security program is operating at acceptable levels Current Risk Level Acceptable Risk Level Potential Loss due to Equipment Failure 75,000 50,000 25,000 0 ISACA CISM Review Manual Page 168

22 Elements of a Security Program Road Map Ability to link the security program with business objectives and demonstrate justification for the evolution from a security concept towards a security architecture and finally into the selection and implementation of security tools and technologies Security Context Security Concept Logical Architecture Physical Architecture Component ISACA CISM Review Manual Page 173

23 Security Programs and Projects The overall security program will almost always consist of a series of individual projects designed to meet security objectives Security Program Policy Creation Project Firewall Implementation project Awareness Sessions ISACA CISM Review Manual Page 176

24 Program Objectives Implement the objectives of the security strategy Operational controls Technical controls Administrative controls ISACA CISM Review Manual Page 166

25 Security Program and Project Development A gap analysis will identify a series of projects required to implement the information security program Each project should have time, budget, milestones, deliverables, and measurable results Each project should be clearly defined and integrated with other projects and departments HR, Finance, Physical security ISACA CISM Review Manual Page 168

26 Security Program and Project Development cont. Security projects should be prioritized so that: Most important projects are given priority Projects do not overlap or cause a delay for other projects Resources are appropriately allocated Results are documented and reported to management ISACA CISM Review Manual Page 175

27 Security Project Planning Determine project needs Oversight / timelines Equipment Personnel (skills) Outsourcing or contract staff Infrastructure Networks, databases, facilities, etc. ISACA CISM Review Manual Page 175

28 Selection of Controls Controls are Technical Managerial Physical Tools designed to provide reasonable assurance that: Business objectives will be achieved Undesirable events will be prevented or detected and corrected ISACA CISM Review Manual Page 182

29 Common Control Practices Common control practices include: Logical Access control Principle of least privilege / need to know Compartmentalization to minimize damage Domains Segregation of duties Transparency

30 Security Program Elements Policies Standards Procedures Guidelines Outsourced security providers Facilities Environmental security Technologies Personnel security Organizational structure

31 Acceptable Use Policy An acceptable use policy Should provide a user-friendly summary of what should and should not be done to comply with policy Must detail in everyday terms the obligations of all users Must be communicated to all users Must be read and understood by all users Should be provided to new personnel ISACA CISM Review Manual Page 181

32 Acceptable Use Policy cont. Rules of use for all personnel include the policies and standards for Access control Classification of data Marking and handling of documents Reporting requirements and disclosure constraints Rules regarding and Internet use ISACA CISM Review Manual Page 181

33 Standards Standards ensure that systems are configured and operated in a similar manner Compliance with standards should be automated Ensure that system configurations do not (intentionally or unintentionally) deviate from policy compliance Standards are used to implement policy Deviations from a standard must have formal approval ISACA CISM Review Manual Page 193

34 Procedures Procedures provide a defined, step-by-step method of completing a task i.e., new user registration / user ID creation; incident management Allow actual activity to be reviewed for compliance with the required procedures Helps ensure consistency of operations

35 Guidelines Provide recommendations for better security practices: Password creation, use of social media Are only recommendations, not mandatory

36 Technology One of the most important elements of a security program Without the right tools, an effective security program is not feasible Many tools available

37 Personnel Security Protect staff from being harmed Duress alarms, cameras Having the right people: Skills / Education required Awareness Management and oversight Disciplinary action when required Separation of duties ISACA CISM Review Manual Page 176

38 Training and Skills Matrix Determine the level of training needed by staff according to job responsibilities Develop training matrix Perform gap analysis Manager Administrator User Level III CISM CCSP SEC + Level II SEC + GSEC Awareness Level I Awareness SEC + Awareness ISACA CISM Review Manual Page 176

39 Outsourced Security Providers Outsourcing security and monitoring may have many benefits Provide necessary expertise Monitor all corporate systems Correlate activity from several systems Centralized reporting ISACA CISM Review Manual Page 195

40 Third-party Service Providers When using a third party: Ensure data is stored and secured adequately in the service provider environment Define data destruction and data sanitization processes Create channels of communication and liaison with outsourced firm Maintain accountability in the service provider organization for policy enforcement Remember that prime liability for data protection is with the organization, not with the outsourced firm ISACA CISM Review Manual Page 195

41 Facilities Secure operational areas Server rooms Equipment rooms Administrator, developer, and operator work areas Consider factors such as: Age of building (fire codes) Shared facility with other companies ISACA CISM Review Manual Page 207

42 Facilities Security Physical controls may include: Smart cards or access controls based on biometrics Security cameras Security guards Fences Lighting Locks Sensors ISACA CISM Review Manual Page 207

43 Information Security Concepts Access Control Identification Authentication Authorization Accounting / Auditability Criticality Sensitivity Trust Models ISACA CISM Review Manual Page 162

44 Access Control Controlling who and what has access to the facilities, systems, people and data of the organization Ensuring the right people have the right level of access Preventing inappropriate use, modification or destruction of organizational resources Tracking all activity to the responsible entity ISACA CISM Review Manual Page 162

45 Identification Access control starts with knowing who or what is accessing our systems, data, facilities or other resources. Unique (trackable to the correct person/process) Removed when no longer required i.e., IDs, customer account numbers, fingerprints ISACA CISM Review Manual Page 162

46 Authentication Validating the claimed identity is the person requesting access really who they say they are? Knowledge (password) Ownership (Token, smartcard, badge) Characteristic (biometrics) ISACA CISM Review Manual Page 162

47 Authorization Granting the authenticated user the correct level of permissions needed Read Write Execute Create Delete ISACA CISM Review Manual Page 162

48 Accounting / Auditability Logging, monitoring and tracking of activity Ability to associate activity with a specific user Audit log: Protection Review Analysis ISACA CISM Review Manual Page 162

49 Criticality How much is the ability of the organization to deliver its products and services dependent on: Information? Information systems? What would the extent of the impact be on the business (quantitatively and qualitatively) if they were not available This is a measure of the criticality of the resource ISACA CISM Review Manual Page 162

50 Sensitivity How much is the organization dependent on the accuracy or confidentiality requirements for: Information? Information systems? This is a measure of the sensitivity of the resource ISACA CISM Review Manual Page 162

51 Trust Models Multi-level security Users have different levels of trust (access) Domains of trust Departmentalization/compartmentalization Security perimeters Trusted links between systems ISACA CISM Review Manual Page 162

52 Technology-based Security Technology-based controls Many technologies available Are used to implement controls Have controls built into their implementation Must be enabled Must be monitored / updated ISACA CISM Review Manual Page 162

53 Technologies There are numerous technologies relevant to security that the CISM should be familiar with including: Firewalls Routers and switches IDS, NIDS, HIDS Cryptographic techniques (PKI, DES) Digital signatures Smart cards ISACA CISM Review Manual Page 162

54 Security in Technical Components Native control technologies Security features built into equipment and applications. Access control on switches, routers Error handling in applications Many products feature Out-of-the-box security features that can be configured to protect business information systems Generally configured and operated by IT ISACA CISM Review Manual Page 207

55 Security in Technical Components cont. Supplemental control technologies Security control devices added to an information system IDS (Intrusion Detection Systems), Firewall, PKI (Public Key Infrastructure) Operate as a form of layered defense ISACA CISM Review Manual Page 162

56 Security intechnical Components cont. Management supports technologies Provide support for management to monitor systems and controls Examples include security information event management (SIEM) tools, compliance monitoring scanners and security event analysis systems Are often used by information security groups independently of information technology ISACA CISM Review Manual Page 162

57 Security in Technical Components cont. The effectiveness of the security technologies must be evaluated Use clear, repeatable metrics Evaluate: Control placement Control effectiveness Control efficiency Control policy Control implementation ISACA CISM Review Manual Page 162

58 Operations Security Operational security Monitoring of systems Maintenance of systems Procedures Change control Backups User access management Patch Management Usually performed by IT administrators ISACA CISM Review Manual Page 162

59 Technologies Access Control Lists Access control lists (ACLs) Designate levels of access accorded to users, processes Based on either the rights of the users or the protection levels accorded to the protected resource ISACA CISM Review Manual Page 162

60 Filtering and Content Management Data Loss Prevention (DLP) Scans documents s, etc. for sensitive data. Will block unauthorized transmission of data Web Filtering Scans web, , and IM traffic for inappropriate content Blocks mobile code, inappropriate links, cookies, etc. ISACA CISM Review Manual Page 162

61 Technologies - SPAM filtering to weed out unsolicited May contain malicious code Causes network and storage congestion Disables links and potentially malicious attachments ISACA CISM Review Manual Page 162

62 Technologies Databases and DBMS Databases Electronic storage of data May be accessed remotely Need stringent security controls architecture, access, backup, journaling Database Management System (DBMS) Manages the database (retrieves, updates, logs, organizes data) Ensures changes meet with rules ISACA CISM Review Manual Page 162

63 Environmental Security Heating, ventilation and humidity controls Reliable power supplies ISACA CISM Review Manual Page 162

64 Encryption Allows data to be stored, transmitted or displayed in a secure format unreadable except to authorized personnel Changes the format/structure of the data Provides Confidentiality Integrity Authenticity Access control Non-repudiation ISACA CISM Review Manual Page 162

65 Technologies Cryptography Symmetric key algorithms Use the same key to encrypt and decrypt a message Fast and excellent for confidentiality ISACA CISM Review Manual Page 162

66 Technologies Cryptography cont. Asymmetric Use a mathematically-related key pair Private key (only known to key owner) Public key (can be distributed freely) Provide Confidentiality Proof of origin / non-repudiation (digital signatures) Integrity Access control ISACA CISM Review Manual Page 162

67 Technologies Encryption cont. Protect data at various levels Application layer encryption PGP Session / transport layer encryption SSH, SSL, TLS Network Layer encryption IPSEC Link layer encryption ISACA CISM Review Manual Page 162

68 Technologies Hashing Algorithms Compute a fixed length value from a message that can be used to verify message integrity Message has not be altered or changed Either intentionally or accidentally Are used in digital signatures ISACA CISM Review Manual Page 162

69 Technologies Operating Systems Provide interface between hardware and user applications Manage the use of system resources ISACA CISM Review Manual Page 162

70 Technology - Firewalls Regulate traffic flows between networks Operate at various network layers Application proxies Session layer proxies Network layer Packet Filtering ISACA CISM Review Manual Page 162

71 Due Diligence Standard of due care Reasonable security controls are in place ISACA CISM Review Manual Page 192

72 Policies Provide authority and direction for security program from management High level versus functional policies Are interpreted by standards, procedures, baselines What are the characteristics of effective policies? What makes a policy effective? ISACA CISM Review Manual Page 193

73 Compliance Monitoring Policy compliance Standards compliance Resolution of non-compliance Compliance enforcement ISACA CISM Review Manual Page 193

74 Emerging Technologies The CISM must be aware of emerging technologies and their impact on the information security program: Virtual environments Cloud computing Mobile computing Apple and Android Apps VOIP SCADA (ICS) networks ISACA CISM Review Manual Page 197

75 Risk Assessment Business Impact Analysis Vulnerability assessments Threat assessments Resource dependency assessments ISACA CISM Review Manual Page 194

76 Intrusion Detection Policies and Processes The CISM should understand and manage intrusion detection systems and procedures, including: Personnel who run and monitor intrusion detection systems have adequate training Intrusion detection software and hardware runs continuously Intrusion detection software can be easily modified to adapt to changing environments Intrusion detection systems do not impose excessive overhead, especially excessive network overhead ISACA CISM Review Manual Page 162

77 Intrusion Detection Systems An organization should ideally use two types of intrusion detection systems (IDSs) Host-based Network-based Sensors should be suitably placed to provide adequate coverage of the network typology ISACA CISM Review Manual Page 162

78 IDS / IPS Intrusion detection and prevention systems should: Identify and record any attempts to exploit a system by an attacker Adequately protect networks and systems from security breaches Be monitored and maintained daily Protect logs for use in future investigations ISACA CISM Review Manual Page 162

79 Password Cracking Many tools available Software Hardware (keystroke loggers) Should be forbidden by policy except for extraordinary, authorized purposes Brute force attacks Dictionary attacks Rainbow tables Restrict access to password files Store passwords as hashed values ISACA CISM Review Manual Page 162

80 Vulnerability Assessments Discover potential weaknesses or gaps in the security controls Open ports or services Lack of training Improper rule-base configurations Poor incident handling ISACA CISM Review Manual Page 194

81 Vulnerability Assessments cont. A vulnerability assessment can include assessing Network visibility and accessibility Information leakage Presence of unneeded software and/or utilities Unpatched equipment Application-level vulnerabilities (including databases) Weak security policies and standards ISACA CISM Review Manual Page 194

82 Vulnerability Assessments cont. Assessment Tools Scans May indicate many false positives Require analysis to determine true level of vulnerability Testing inline, integrated test facility Observation ISACA CISM Review Manual Page 194

83 Penetration Testing Attempt to exploit a perceived vulnerability Usually more focused than a vulnerability scan Indicates whether the vulnerability does pose a serious risk of breach Allows determination of potential impact Can be done by external or internal testing teams Must have prior approval ISACA CISM Review Manual Page 194

84 Penetration Testing cont. Risk of system failure / interruption Areas to test Web applications Firewalls / proxy devices Operating systems Applications and Utilities Physical access ISACA CISM Review Manual Page 194

85 Cloud Computing (NIST) A model for enabling quick, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction ISACA CISM Review Manual Page 197

86 Five Essential Characteristics of Cloud On-demand self-service Broad network access Resource pooling Elasticity Measured service ISACA CISM Review Manual Page 197

87 Services Software-as-a-Service (SaaS) Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Identity as a Service (IdaaS) Disaster Recovery as a Service (DRaaS) ISACA CISM Review Manual Page 198

88 Cloud Advantages Optimized Resource Utilization Cost savings Better responsiveness Faster cycle of innovation Reduced time for implementation Resilience ISACA CISM Review Manual Page 199

89 Third Party Security Reviews Advantages Objective Not influenced by that is how we have always done it around here excuse Expertise May not be available in-house Disadvantages Need Non-disclosure agreements Cost

90 Security Management Considerations Change Management Release Management Configuration Management ISACA CISM Review Manual Page 202

91 Controls Logical access control Secure failure Least privilege Compartmentalization Segregation of duties Transparency Trust/Lack of Trust ISACA CISM Review Manual Page 205

92 Measuring Control Effectiveness Implementation of new or enhanced controls Reporting Reassessment of risk Reporting to management Covered in Detail in Chapter One ISACA CISM Review Manual Page 213

93 Challenges in Developing an Information Security Program The process of setting a program in place and measuring its results requires a great deal of cooperation among everyone in the organization who handles data Information security program development is not usually hampered by technology choices available, but rather by people, processes and policy issues that conflict with program objectives and see security as a hindrance to business operations ISACA CISM Review Manual Page 216

94 Challenges in Developing an Information Security Program cont. The challenges faced by the CISM while developing a security program may include: Organizational resistance due to: Changes in areas of responsibility A perception that increased security will impact productivity and access Unfair monitoring / restrictions Lack of adequate budget, personnel, skills or support Unanticipated problems with existing controls, systems or ongoing projects ISACA CISM Review Manual Page 216

95 Reasons for Security Program Failure Poorly understood requirements Lack of understanding about what is important and why Lack of funding or resources Lack of will to make security a priority Too much technical focus ISACA CISM Review Manual Page 216

96 Organizational Structure Who should security report to Normal reporting Incident reports Adequate: Budget Authority Scope ISACA CISM Review Manual Page 218