From the CISSP® CBK®, the definition of this domain—Information Security & Risk Management entails the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures and guidelines that ensure confidentiality, integrity and availability. Management tools such as data classification, risk assessment, and risk analysis are used to identify the threats, classify assets, and to rate their vulnerabilities so that effective security controls can be implemented.

Risk management is the identification, measurement, control, and minimization of loss associated with uncertain events or risks. It includes overall security review, risk analysis, selection and evaluation of safeguards, cost benefit analysis, management decision, safeguard implementation, and effectiveness review.

The candidate will be expected to understand the planning, organization, and roles of individuals in identifying and securing an organization's information assets; the development and use of policies stating management views and position on particular topics and the use of guidelines, standards, and procedures to support the policies; security awareness training to make employees aware of the importance of information security, its significance, and the specific security-related requirements relative to their position; the importance of confidentiality, proprietary and private information; employment agreements; employee hiring and termination practices; and risk management practices and tools to identify, rate, and reduce the risk to specific resources.
Domain Objectives—This slide provides good insight into what the CISSP candidate should understand and be able to do at the end of this domain.

DOMAIN OBJECTIVES
• Security Planning and Organization
• Roles of Individuals in a Security Program
• Differences between Policies, Standards, Guidelines, and Procedures as related to Security
• Security Awareness throughout the Organization
• Risk Management Practices and Tools
• Availability—The concept of availability refers to the providing of access to the information system and data when required by the business. Availability is different for each organization and, often, for each department in an organization. Some departments may require continuous availability where an outage of seconds is already a crisis, whereas other areas may be content with a basic level of availability, for example during normal business hours, where a system failure would be seen as an inconvenience and not cause a critical impact on the operations. A complete information security program must understand and address these differences.

INFORMATION SECURITY TRIAD
[Figure: the triad of Availability, Integrity and Confidentiality]

• Integrity—There are two concepts we will address through integrity: the protection of data and processes from improper modification, and the concept of ensuring the operations of the information system are reliable and performing as expected. This means that the system will process transactions correctly and preserve the confidence of the organization in the quality of the data and processing.

• Confidentiality—Is the concept of protecting information from improper disclosure and protecting the secrecy and privacy of sensitive data so that the intellectual property and reputation of an organization is not damaged and that data related to individuals is not released in violation of regulations or the privacy policy of the organization.

• AIC TRIAD—The overarching goals of information security efforts are addressed through the AIC TRIAD. Nearly all information security efforts are based on one or more of the elements of the TRIAD. The AIC TRIAD forms the foundation of what we are trying to accomplish through our security policies, standards, procedures, baselines, and guidelines. It's important to remember this includes all IT security efforts including outsourcing.
This fairly basic, but authoritative document provides the foundations for the security management program within the organization. From the overarching security policy flows a rather long list of functional policies. These notes provide a list of what is normally considered as the minimum functional policies required in a good security management program. Naturally they are tailored to the organization and reflect the organization's priorities. Additional functional policies may exist depending on the requirements of the organization.

• Information Security Management includes—
  — Introduction—Information security management includes many areas. It begins with a formal governance structure which provides authority and responsibility to different staff members and sections. It also includes an overarching security policy that is endorsed/signed by senior management.
  — Baselines
  — Guidelines
  — Principles and Requirements—Address the core objectives of an information security program. Here are the main learning points you should get from this section:
    — Describe the two types of requirements for a good security
  — Organizational Roles and Responsibilities
  — Risk Management and Analysis
  — Ethics
• Understand and be able to explain differences between key international IT security standards
• Understand the types of security blueprints and how they support a strong security policy
• Security Solutions—All security solutions should be designed with two focus areas: the functional requirements of the solution, and the assurance requirements that the functional solution is working correctly. No solution is complete unless it addresses both of these two areas. For example: a complete "firewall solution" would be having the firewall handling traffic and denying or permitting access correctly—the functional requirement—and the "logging and monitoring" aspect addressing the assurance requirements of the firewall solution by ensuring that the firewall is working properly and providing the expected level of protection in relation to the risks that the firewall was intended to control.

• Functional Requirements—Functional requirements are the things most often thought about when considering security controls. The risk assessment provides the considerations for functional controls. We will talk about these in greater detail on later slides.
  — They should be layered and meet a specific security requirement
  — They should not be dependent on another control
  — They should fail safe, that is, in the event of a failure, they maintain the security of the systems

• Assurance Requirements—Assurance mechanisms confirm that security solutions are selected appropriately, performing as intended, and are having the desired effect. Many assurance mechanisms will be reviewed throughout this course within their respective domains, i.e., IDSs, audit logs, BCP tests, etc. However, some are applicable especially to the area of IT security, such as internal and external audits.

Some criteria are used to evaluate the operation of security solutions:
  — Internal/External Audit Reports
  — IIA's Red Book, Yellow Book, etc. (the Institute of Internal Auditors, www.theiia.org)
  — Periodic Review by Management
  — Security Reviews (Internal), Checklists, Supervision
  — Third Party Reviews
  — Attack and Penetration Tests

ORGANIZATIONAL & BUSINESS REQUIREMENTS
• Focus on the mission of the organization
• Each type of organization has differing security requirements
• Security must make sense and be cost effective

• Focus on the mission of the organization—IT Security

• Each type of organization has differing security requirements—Information security requirements differ greatly between government, military, and commercial ventures. Each has a different set of priorities depending on their overall mission. Even in the commercial world, it's very unlikely that two businesses will have exactly the same security requirements. Businesses within the same type of industry may not have similar requirements since their business flows and information access requirements may be very different. Furthermore, their company culture may limit or dictate what is, or is not, acceptable. All these and many other considerations weigh into the selection of security controls and assurance mechanisms.

• Security must make sense and be cost effective—Security solutions must be developed with due consideration of the mission and environment of the business. Risk analysis, determining the value of information systems and assets, and
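The firewall illustration above pairs a functional requirement (permit or deny traffic correctly, failing safe) with an assurance requirement (logging and monitoring that demonstrates it is doing so). The following Python is an added example, not code from the course material: a toy first-match packet filter with a default deny stands in for the functional control, and two assurance routines replay its own log against the same rule set and compare the log with flows seen by an independent sensor. A logged decision that contradicts policy, a log line that cannot be parsed, and a flow that never produced a log entry all surface as findings. The rule set, log lines and sensor observations are constructed for the example; `decide`, `audit_log` and `unlogged_flows` are names chosen here.

```python
"""Added example: a functional control (packet filter) and the assurance
checks that verify it from its own logs. Not part of the course material."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    src: str                 # source network in CIDR notation
    dst_port: Optional[int]  # None means any destination port


# Constructed policy for the example: first matching rule wins.
RULES = [
    Rule("permit", "10.0.0.0/8", 443),      # internal hosts may reach HTTPS
    Rule("deny", "10.0.5.0/24", None),      # quarantined subnet gets nothing else
    Rule("permit", "192.168.1.0/24", 22),   # admin LAN may reach SSH
]


def decide(src: str, dst_port: int, rules=RULES) -> str:
    """Functional requirement: apply the rules; fail safe with a default deny."""
    addr = ipaddress.ip_address(src)
    for rule in rules:
        if addr in ipaddress.ip_network(rule.src) and rule.dst_port in (None, dst_port):
            return rule.action
    return "deny"


def filter_packet(src: str, dst_port: int, log: List[str]) -> str:
    """The control in operation: decide, then record the decision for assurance."""
    action = decide(src, dst_port)
    log.append(f"src={src} dport={dst_port} action={action}")
    return action


def _parse(line: str) -> Tuple[str, int, str]:
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], int(fields["dport"]), fields["action"]


def audit_log(log_lines: List[str], rules=RULES) -> List[tuple]:
    """Assurance, part 1: every logged decision must agree with policy.
    A line that cannot be parsed is itself a finding: logging is broken."""
    findings = []
    for line in log_lines:
        try:
            src, dport, logged_action = _parse(line)
        except (KeyError, ValueError):
            findings.append(("unparseable", line))
            continue
        expected = decide(src, dport, rules)
        if logged_action != expected:
            findings.append(("mismatch", line, expected))
    return findings


def unlogged_flows(observed: List[Tuple[str, int]], log_lines: List[str]) -> List[Tuple[str, int]]:
    """Assurance, part 2: flows seen by an independent sensor but absent from
    the firewall log were either never evaluated or never recorded; either way
    the control cannot be shown to be working for them."""
    logged = set()
    for line in log_lines:
        try:
            src, dport, _ = _parse(line)
            logged.add((src, dport))
        except (KeyError, ValueError):
            pass
    return [flow for flow in observed if flow not in logged]


# Constructed data: one log line contradicts policy, one is garbage,
# and one observed flow never reached the log.
SAMPLE_LOG = [
    "src=10.0.1.2 dport=443 action=permit",
    "src=10.0.5.9 dport=80 action=permit",    # policy says deny
    "src=203.0.113.4 dport=22 action=deny",
    "firewall restarted",                     # not a decision record
]
SAMPLE_OBSERVED = [("10.0.1.2", 443), ("10.0.5.9", 80), ("172.16.0.1", 25)]

if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print("AUDIT:", finding)
    print("UNLOGGED:", unlogged_flows(SAMPLE_OBSERVED, SAMPLE_LOG))
```

The point of the split is that `decide` alone satisfies only the functional side; the two assurance routines are what let an auditor say the control is "performing as intended and having the desired effect", and they deliberately treat a broken log as a failure rather than as an absence of evidence.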
IT SECURITY GOVERNANCE
• Integral Part of Overall Corporate Governance
• Three Major Parts

IT Security Governance—The bullets on this slide cover the goals of IT security governance. IT security governance is part of the overall governance of the company. In years gone by, many executives considered IT security as being too difficult, technical, and well below their areas of responsibility. Therefore, many passed these responsibilities to their already overworked IT departments who were neither trained nor structured for these duties. Often, the end result was not favorable.

• Integral Part of Overall Corporate Governance—IT security governance must be fully integrated into the overall risk-based threat analysis of the company. It goes well beyond the traditional threats to the IT assets and actually considers the potential damage to the information on those IT assets and the effects that such damage may have on the organization and its ability to accomplish its goals and objectives.

• Governance ensures that the IT infrastructure of the company:
  — Meets the A.I.C. requirements
  — Supports the strategies and objectives of the company
  — Includes service level agreements when outsourced

• Three Major Parts—

  — Leadership—IT security requires technical skills, but it also requires much more. It requires the ability to earn the trust and confidence of the decision makers within the company. Security leaders must be fully integrated into the company leadership, where their voices can be heard without filtering by competing interests. Lastly, the IT security leader must understand the company—probably better than anyone else. This is because the IT professional must understand the information/data, who produces it, where it is stored, who needs it—when and how, and everything about how the company operates. If that is true, then the IT security professional must certainly understand everything already mentioned as well as all the IT networks that provide these services, their strengths and weaknesses, as well as all the threats to them. The successful IT security professional must also understand the networks that connect to theirs and the risks these connections bring. This quick look at the requirements for IT security professionals indicates that it certainly takes a strong, confident, and technically proficient professional to accomplish this job.

  — Structure—IT governance occurs at many different levels of the organization and is a layered approach. The Board of Directors provide direction to the executives within the company. The executives turn that direction into policies. Managers take those policies and produce standards, baselines, and guidelines. Team leaders take these standards, baselines, and guidelines and form procedures within their organizations. The individual workers are critical to this layered structure as they are not only the ones that must implement these procedures, but are also most likely to be the ones who first notice violations and unusual events within the operations of our IT systems.

  — Stakeholders and their values play a key role in the IT governance structure as well. Stakeholders include stockholders, managers, employees, customers of the company, suppliers, and possibly the government and public at large. The value these individuals place on the trust, confidence, and security of the company's IT infrastructure will be reflected throughout the organization.

  — Processes—The security professional should have a good understanding of the security principles mentioned below.
  — Processes should follow internationally accepted "Best Practices."
    — Supervision (logs and monitoring)
    — Security audits and reviews (including penetration tests)
    — I/O controls
    — Antivirus management

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) 17799:2005 Code of Practice for Security Information Management provides a broad base of security controls that provides a point of reference for completeness of the components within the blueprints. The ISO/IEC 17799:2005 reference standard does not, however, provide all of the guidance that is required for an effective, holistic security architecture.

International Security Standard ISO 27001, titled "Information Security Management—Specification With Guidance for Use," has been launched in replacement of BS7799-2. ISO 27001 provides the foundation for third party audit, and is integrated with several other ISO management standards such as ISO
ISO 17799—Is based upon the British Standard 7799-1, which was published in May 1999. The first version of ISO 17799 was published and adopted in December 2000. The most current version is ISO 17799:2005.

ISO 17799 & ISO 27001
• ISO 17799
  — Code of Practice—Guidance and Support
  — Management Focus
• ISO 27001:2005
  — Management System Standard (Certifiable and Measurable Requirements)

• Normally cover several security domains
• A comprehensive way to look at security
• Used to identify and design security requirements
• Normally used by architects when designing an overall layered security solution

• Infrastructure Security Blueprints
• eCommerce Solutions
• Data Warehouses
• Supply Chain Management systems
• Production systems, etc.

Security Blueprints—Provide a structure for organizing requirements and solutions. They are used to ensure that security is considered from a holistic view. A holistic security architecture can only be created by a professional security architect (such as an Information Systems Security Architecture Professional (ISSAP®)) after carefully considering a wide range of threats, vulnerabilities, and organizational requirements.

• Security blueprints are discussed in both ISO 17799:2005 and ISO 27001:2005. However, many vendors are now using the term "security blueprint" to reference a wide range of documents relating to their products.

• Used to identify and design security requirements—Each component should directly reflect a policy decision. The plans should be mutually supportive. All areas should be considered even if they do not apply to that specific topic. An effective security architecture will always be able to "connect the dots" between the business decisions of the organization, how these are reflected in the principles, policies and standards of the organization, how these have been turned into requirements, and how the requirements map to the blueprints.

• The Security Blueprints provide a method of organizing the requirements and the resulting components of a security architecture. This approach can be used to address the security requirements of a specific topic or across the enterprise. Certainly not all topics will apply equally or even at all in the different areas of the company. However, blueprints give us a way to think about them and to make an informed decision as opposed to having an item over-
• Regulatory requirements
• All aspects of security across the entire infrastructure
• The security policy approved by senior management

A definition of Holistic Security Architecture, from the CIO website, The ABCs of Security, by Scott Berinato and Sarah Scalet, would be:

"Holistic security means making security part of everything and not making it its own thing. It means security isn't added to the enterprise; it's woven into the fabric of the application. Here's an example. The nonholistic thinker sees a virus threat and immediately starts spending money on virus-blocking software. The holistic security guru will set a policy around e-mail usage; subscribe to news services that warn of new threats; reevaluate the network architecture; host best practices seminars for users; oh, and use virus blocking software, and, probably, firewalls."

• Policy—Here are the objectives for our next section:
  — Describe the purpose of organizational policy
  — List the supporting elements of policy implementation
  — Understand the purpose and differences of guidelines, policies, procedures, baselines and standards
  — Describe the environment within which the security policy exists

DOMAIN AGENDA
• Principles and Requirements
• Policy
• Organizational Roles and Responsibilities
• Risk Management and Analysis
Policy Overview—The environment within which every company operates is a complex web of laws, regulations, requirements, competitors, and partners. These are changing frequently and interact with each other, often in unpredictable ways. In addition to these outside forces, senior management must consider those within the organization such as morale, labor relations, productivity, cost, cash flow, and many others. Within this environment, management must develop and publish the overall security statement and directives. From the security team perspective, these directives should be addressed through security policies and their supporting elements such as standards, baselines and guidelines, to ensure a proper implementation of a security program.

POLICY OVERVIEW
[Figure: Organizational Goals and Regulations as inputs to policy]

Policy Overview—Standards, baselines, procedures, and guidelines will be discussed in the next few slides.

POLICY OVERVIEW (CONT.)
Overarching Organizational Policy
Functional Implementing Policies
(Management's Security Directives)
• Provides Management's Goals and Objectives in Writing—The organizational policy mandates the security needs within the company. One policy does not fit every company's requirements. Although two firms may be similar, as we discussed earlier, they are unique, and so are their security requirements. The overarching security policy should be kept "high-level" and short. If it is too complex, it will be difficult to get staffed and approved and it may not be read or understood. If it's too generic, it may be meaningless and irrelevant. The length and content of this critical document is as unique as the company itself, and must be created with that in mind. One size does not fit all—or even two.

• It is good to introduce an appendix outlining the "terms of reference." This is an authoritative document and as such will be referenced frequently if written properly. Therefore, anything we can do that reduces confusion without adding complexity is an advantage.

• Policies are of no value if not read, available, and current. Policies must be posted in a location that is available to every employee for review. They must be current, and reflect new laws and regulations. All employees must be kept aware of the policies through an annual review. A record of this review with each employee should be maintained.

• Documents compliance—Policy documents how the company is complying with laws, regulations, and standards of due care.

• Creates security culture—Policy establishes the internal environment for the security program. Explains what assets and principles the organization considers valuable.

"Security is essential to this company and its future"
J.T. Lock, CEO

• Establishes the security activity/function—It should also establish a security group within the company and grant it appropriate levels of responsibility. One must be careful not to get too specific to address every detail. One problem with being too detailed is that if a situation arises later and it is not clearly stated in the policy, then many will assume that it is not covered by the intent of the policy and do what they will. Therefore, it is normally a good proactive measure to include a "catch all clause" that explains how issues not specifically addressed in the policy will be adjudicated.

• Holds individuals personally responsible/accountable—A good security policy makes each employee accountable for their actions, from top management to the new hire. It's important for senior management to set a good example and follow their own policies. After all, if they are unwilling to follow the policy then maybe no one else is either.

• Addresses potential future conflicts—A well thought-out security policy anticipates situations and provides guidance to protect the organization. It should establish provisions for resolving conflicts between competing interests or people wondering what is, or is not, permitted.

MANAGEMENT'S SECURITY POLICY (CONT.)
• Anticipates and protects from surprises
• Establishes the security activity/function
• Holds individuals personally responsible/accountable
• Addresses potential future conflicts

• Anticipates and protects from surprises—Anticipates situations and protects the company and employees from 'surprises' caused by lack of awareness of management expectations or ethical guidelines.
• Ensures employees and contractors are aware of organizational policy and changes—Establishes a process that ensures all employees and contractors are aware of organizational policy and changes as they occur. The security awareness program must begin the day an individual is hired and continually provide refresher training throughout the period of employment. The security policy is a key document that must be read/re-read as part of the awareness training.

• Mandates an incident response plan—Generically covers incident response and mandates the authority for, and development of, a detailed incident response plan. The security policy should also contain overall information/instructions on how incidents will be handled.

• Establishes processes for exception handling, rewards, discipline—A policy provides the authority for the security and human resources areas to enforce good practice and disciplinary action if necessary. Naturally, this should be a last resort because good employees are expensive to hire and hard to find in most cases. However, the policy should provide the H.R. department and management that final option. A policy of this nature is a reference point for other persons and agencies to know the intent of management—this can be important in a legal setting which could certainly occur for a variety of reasons.

MANAGEMENT'S SECURITY POLICY (CONT.)
• Ensures employees and contractors are aware of organizational policy and changes
• Mandates an incident response plan
• Establishes processes for exception handling, rewards, discipline
[Figure: sample "Security Violation Reprimand" memo—TO: I.M. Wrong; FOR: Failing to follow established policies]

Policy Infrastructure—The high level policies of the organization are then interpreted into a number of functional policies that assist in the implementation of the intent of the overall policy. Depending on the culture and the risks faced by the organization, there may be numerous functional policies.

• Functional Policies—Flow from the overarching policy of the organization and create the foundation for the procedures, standards, and baselines to accomplish the security objectives. Functional policies gain their credibility from senior management's signature on the overarching policy that established the goal or objective.

• Examples of functional policies could include:
  — Data Classification
  — Certification and Accreditation

POLICY INFRASTRUCTURE
• Functional Policies
  — Implement and interpret the high level security policies of the organization
[Figure: Management's Security Policy ("Security is essential to this company and its future"—J.T. Lock, CEO) branching into several Functional Policies]
Policy Implementation—Standards, procedures, baselines, and guidelines turn the objectives and goals established by management in the overarching and functional policies into "actionable" and enforceable actions for the employees. We will talk about each of these in more detail on the next few slides, but it is important to note that in daily interactions within organizations, these are what cause the most challenges for the IT security staff. Few will directly challenge the policy that senior management has created. However, many will challenge how policy is interpreted in the standards, procedures, baselines, and guidelines implemented. Therefore, it is wise to be careful in selections and interpretations to ensure the full support of the policy (and thereby senior management). Several times an aggressive individual has over-stepped their authority with an aggressive (but well-intentioned) standard and caused the entire security program to be re-evaluated.

ship by allowing for large blank purchase agreements with vendors and allows for standardized training further reducing costs. Standards can also be guidelines created by government, industrial or other organizations that have been formally adopted as a standard.

• Standards are essential so that a common basis can be established and implemented. Having a common basis for the overall organization is better than having each individual department operating under their own separate (and in some cases non-compliant) environment. This helps reduce the seams that can develop between sections, departments, and subordinate organizations. However, it's also useful to note that if a vulnerability to the selected target is exploited by a threat agent, the entire organization is at risk. This needs to be considered by the security designers when designing the network, and they should build in places to control this risk.
Procedures—Are the way to ensure that the intent of policy is enforced through a mandated series of steps that must be followed to accomplish a task.

• Required Step-by-step Actions—Procedures are statements of step-by-step actions to be performed to accomplish a security requirement, process, or objective. They are one of the most powerful tools available in security arsenals and must be used wisely. For instance, password changing, incident response, and BCP procedures.
  — Reduce mistakes in a crisis
  — Ensure important steps are not missed
  — Provide for places within the process to do assurance

[Figure: Corporate Procedures]

Baselines—Are the benchmarks used to ensure that a minimum level of security configuration is provided across multiple implementations of the systems and many different products.

• Establish consistent implementation of security mechanisms—Baselines are descriptions of how to implement security mechanisms to ensure that implementations result in a consistent level of security throughout the organization. Different systems (platforms) have different methods of handling security issues. Baselines are created to inform user groups about how to set up the security for each platform so that the desired level of security is achieved consistently.

• Platform unique—Baselines are the great "leveler" of security levels between different security products, including from different vendors. This is becoming more important as more and more "hybrid" products are entering the security market, combining services into "multi-functional" devices, and defying many of our current definitions such as the roles of a switch and router.

[Figure: Configuration]
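The two baseline bullets above make one point: the required level of security is stated once, and each platform's own settings are mapped onto it so the outcome is consistent even though the mechanisms differ. The Python below is an added example, not code from the course material: a small baseline checker that holds platform-independent requirements in `BASELINE`, translates them through a per-platform table, and reports a missing, unparseable or disabled setting as a finding rather than as a pass. The platform names, setting names (chosen to resemble Linux PAM/sshd and Windows local-policy settings, but not a vetted hardening guide) and the sample configurations are all constructed for the example.

```python
"""Added example: one baseline, checked per platform.
Not part of the course material; setting names are illustrative."""
from typing import Callable, Dict, List, Optional, Tuple

# The baseline: the outcome required everywhere, independent of any product.
# Values are constructed for the example.
BASELINE = {
    "min_password_length": ("ge", 12),
    "account_lockout_threshold": ("le", 5),   # failed logons before lockout
    "session_timeout_minutes": ("le", 15),
    "remote_root_login": ("eq", False),
    "audit_logging": ("eq", True),
}

OPS = {"ge": lambda a, b: a >= b, "le": lambda a, b: a <= b, "eq": lambda a, b: a == b}


def _count_or_disabled(value: str) -> Optional[int]:
    """On both platforms a threshold of 0 means 'never lock out'. Map that to
    None so it fails the check instead of trivially satisfying 'le 5'."""
    return int(value) or None


# Per-platform mapping: baseline key -> (platform setting, normaliser to the
# baseline's unit). Hypothetical names chosen to resemble each platform's.
PLATFORMS: Dict[str, Dict[str, Tuple[str, Callable[[str], object]]]] = {
    "linux": {
        "min_password_length": ("minlen", int),
        "account_lockout_threshold": ("deny", _count_or_disabled),
        "session_timeout_minutes": ("TMOUT", lambda v: int(v) // 60),      # seconds
        "remote_root_login": ("PermitRootLogin", lambda v: v.lower() == "yes"),
        "audit_logging": ("auditd", lambda v: v.lower() == "enabled"),
    },
    "windows": {
        "min_password_length": ("MinimumPasswordLength", int),
        "account_lockout_threshold": ("LockoutBadCount", _count_or_disabled),
        "session_timeout_minutes": ("ScreenSaverTimeOut", lambda v: int(v) // 60),  # seconds
        "remote_root_login": ("AdminRemoteLogon", lambda v: v == "1"),
        "audit_logging": ("AuditLogonEvents", lambda v: v != "0"),
    },
}


def check_platform(platform: str, config: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (baseline_key, status, detail) for every baseline item.
    An absent or unparseable setting is a finding, never a silent pass."""
    findings = []
    for key, (op, required) in BASELINE.items():
        setting, normalise = PLATFORMS[platform][key]
        raw = config.get(setting)
        if raw is None:
            findings.append((key, "MISSING", f"{setting} not present"))
            continue
        try:
            actual = normalise(raw)
        except ValueError:
            findings.append((key, "UNPARSEABLE", f"{setting}={raw!r}"))
            continue
        if actual is None:
            findings.append((key, "FAIL", f"{setting}={raw} disables the control"))
        elif OPS[op](actual, required):
            findings.append((key, "PASS", f"{setting}={raw}"))
        else:
            findings.append((key, "FAIL", f"{setting}={raw} (need {op} {required})"))
    return findings


def failures(findings: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Everything that is not a PASS, i.e. what the baseline report should lead with."""
    return [f for f in findings if f[1] != "PASS"]


# Constructed sample configurations, as a collector might dump them.
LINUX_SAMPLE = {"minlen": "14", "deny": "3", "TMOUT": "600",
                "PermitRootLogin": "no", "auditd": "enabled"}
WINDOWS_SAMPLE = {"MinimumPasswordLength": "8", "LockoutBadCount": "0",
                  "ScreenSaverTimeOut": "900", "AdminRemoteLogon": "0"}

if __name__ == "__main__":
    for name, cfg in (("linux", LINUX_SAMPLE), ("windows", WINDOWS_SAMPLE)):
        for key, status, detail in check_platform(name, cfg):
            print(f"{name:8} {status:11} {key}: {detail}")
```

Keeping the requirement and the platform mapping in separate tables is what makes the baseline a "leveler": adding a third platform means adding one mapping, not rewriting the requirement, and a platform whose semantics differ (the Windows lockout count of 0 meaning "disabled") is handled in the normaliser rather than by weakening the baseline.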
They are white papers, best practices, or formats for a security program that may be used by an organization. However, care must be used to ensure that careless use of words in policies doesn't move a guideline from a best practice into the realm of a company standard unless that is the intent. For example, an overarching statement in a security policy signed by the CEO stating that "this company will follow the recommendations of the ISO 17799 guideline" just made ISO 17799 mandatory within that organization.

• Guidelines are often used to help provide structure to a security program, to outline recommendations for procurement and deployment of acceptable products and systems.

• Strategic Planning—Focuses on the high-level, long-range requirements of the organization and is part of the company's long-term plan. An example of this is our overarching security policy.

• Tactical Level Planning—Is more mid-term and focuses on events that will affect the entire organization. Many of our functional plans fit into this category.

• Operational Planning—Focuses on "fighting fires" at the keyboard level. This is planning for the near-term that directly affects the ability of the organization to accomplish its objectives.

• These plans must be integrated—Plans and actions from all three levels must work together. That occurs with detailed planning.

• Seamless transition between levels—Actions must seamlessly transition between the different levels.

• Three levels of Security Planning
  — Strategic Planning
  — Tactical Level Planning
  — Operational Planning
• These plans must be integrated
• Seamless transition between levels
• Organizational Roles and Responsibilities—The main learning points of this section include:
  — Understand and be able to explain the various roles and responsibilities of all people in an organization as related to security
  — Explain the importance of personnel security to a good IT security program
  — Be able to explain key considerations of a good personnel security program

DOMAIN AGENDA
• Principles and Requirements
• Policy
• Organizational Roles and Responsibilities
• Risk Management and Analysis
• Ethics

• Everyone has a role and responsibility—Security is not a function of a single person nor of one group or team. Everyone must be aware of their responsibility and role in creating a secure environment. A security program contains many important elements as seen earlier. Each must be addressed through the security program and not overlooked or forgotten. They must be clearly communicated and must be clearly understood by all.

• Specific security functions must be assigned—Specific security functions must be assigned to designated security professionals as their primary duty such as:
• Information Systems Security Professionals—Information security professionals are responsible for the design, implementation, management, and review of the organization's security policies, standards, baselines, procedures, and guidelines.

• Owners—Individual data and system owners play a key role in the security program. They are the best qualified people to perform tasks essential to our security efforts, such as information classification, setting user access conditions, and deciding business continuity priorities. They authorize appropriate security programs consistent with the organization's security policy, determine appropriate sensitivity or classification levels based on established classification criteria, and determine access privileges based on need to know and other criteria.

• Custodians—Responsible for ensuring the security of the information entrusted to them by the information owners. Custodians have care of information that does not belong to them directly—such as email servers and data backups. A custodian must be aware of the risks to information and especially the threat of social engineering.

SPECIFIC ROLES AND RESPONSIBILITIES

• Executive Management—Publish and endorse security policy establishing goals, objectives, and overall responsibility for asset protection. Senior management sets the tone for the information security program and bears ultimate responsibility for any security breaches and acceptance of risk mitigation.

the right purpose, and if they are having the desired outcome

• Users—Responsible to use resources appropriately and in compliance with procedures, and to preserve the availability, integrity, and confidentiality of assets.

• IS/IT Function—Responsible for implementing and adhering to security policies as well as building the systems and networks that incorporate security best practices.
Trang 16Background Checks/Security Clearances—Normallythereare legalconcernswhen itcomesto backgroundchecks It
is important to respect the rights of individuals and the laws
ofthecountrywhere peoplearehired—but it is agoodprac¬tice to check as much as possible into the background of a
potential employeeto preventhiringthe wrongperson into atrusted role
a Follow-up onReferences andEducationalRecords—
Naturally, laws supersede any company policyand individual’s
rightsmustbe protected However, it is important that efforts
be made toverifythe informationprovidedbyprospective
employees includingfollowing-upwithreferences,verifying
educational records, etc
0 Sign Employment Agreements—Non-disclosure agree¬
ments;business ethics, including telephone and Internetacceptable usage policies,etc.,should beapartofthehiring
processand mustbeginwithsecurityawareness training onthe first day of employment This should include havingthemread appropriatepoliciesandproceduresandsign
NDAsand acceptable usepolicies.Caremustbe takento
ensure that this doesn’t become so difficult or time consum¬
ingthatmanagementfindsways togetaround the policy
PERSONNEL SECURITY; HIRING
i'y-0 Coverpointssuchas keys, ID card,passwords,
equipmentloanedout toemployee (laptops,cell
sary risk. Therefore, all termination and disciplinary actions must be pre-coordinated within a confidential circle that includes the H.R. and IT security personnel. When a termination is occurring, the individual's access to the network, information, and assets must be stopped. This is best done by the IT security personnel while the individual is being informed of the action. However, one must be careful to follow local laws in these matters.
• The only way to ensure that all company property is returned is to keep an accurate inventory of all equipment given to a user—remote access tokens, keys, ID cards, cell-phones, pagers, credit cards, laptops, software, etc. This makes it easy to account for these assets and recover them upon termination.
• An individual's access to the network should be suspended during all periods of suspension from duties and considered when serious disciplinary actions are pending.
PERSONNEL SECURITY
• Low Level Checks
• Consult the Human Resources
Low Level Checks—If someone comes in at a low-level job and then subsequently moves to a higher level position, there should be further checks done. The appropriateness of background checks may have to follow legal statutes, i.e., privacy laws, etc.
• Consult the Human Resources (H.R.) department—To protect management and the company, all personnel actions should be processed through the H.R. department using established procedures. A single manager should not be
Page 17
Third Party Considerations—All of these groups create different, but equally challenging, situations for our security efforts. Establish procedures that address these groups on an individual basis to ensure that EVERYONE with access to systems, information, assets, network, etc. complies with the same (or more) stringent security as do full time employees.
• Vendors/Suppliers—Often need access to systems, but the organization has little control over their practices unless it is in the contract. The granting of temporary IDs or access should be coordinated to ensure that the access is appropriate and removed at the completion of the project.
• Contractors—May work at the facility and be "just another employee." However, much like vendors, the organization has little control over their company's practices.
• Temporary Employees—By their nature they pose increased risks. They have no vested interest in, or loyalty to, the organization.
• Customers—Are demanding more and more online services. This increases security challenges.
THIRD PARTY CONSIDERATIONS
Personnel Good Practices—Must be applied appropriately in our information security program based on the culture and risks in the organization.
• Job Descriptions and Defined Roles and Responsibilities—Clearly defined job descriptions and defined roles and responsibilities help ensure that everyone knows what an individual should be doing and aid in detecting unusual behavior.
• Least Privilege/Need to Know—The principle of least privilege and the requirement for need to know should always be executed to minimize access to information and assets.
• Separation of Duties—Forces collusion in order to manipulate the system for unauthorized purposes.
• Job Rotation—(When possible) Breaks up collusion and provides opportunities to review authorizations and actions taken by the individual. If our other security measures have failed, this gives us an opportunity to find the breach in security before it gets worse or goes on excessively long. Job rotation also provides trained backups.
• Mandatory Vacations—Much like job rotation, mandatory vacations provide the opportunity to detect fraud. Also, when people are on vacation, their access to the site should be suspended. This prevents working from home (possibly covering their tracks) and provides the much needed vacation they have earned.
PERSONNEL GOOD PRACTICES
• Job Descriptions and Defined Roles and
Page 18
situations. One could easily use real events within organizations on almost any day without violating privacy or exposing material weaknesses.
• Topics include items such as:
• Policies, standards, procedures, baselines, and guidelines
• Errors, accidents, and omissions
• Physical and environmental hazards
ing to stay professionally current in this ever-changing field. Therefore, training must focus on skills needed in the workplace for their current job unless management is specifically trying to train them for another position. Be careful to ensure that training programs are not directed at staff that merely use this as an avenue to a better paying job elsewhere.
• Training should:
• Focus on security-related job skills
• Specifically address security requirements of the organization
• Increase the ability to hold employees accountable for their actions
• Provide specialized or technical training as needed for specific personnel, such as configuring firewalls
decision making capability and processes to obtain expertise in decision making. Therefore, education is normally provided to management personnel and those moving into the management ranks to improve their ability to excel at these levels.
A variety of education methods should be used and provided to different individuals within the organization to bring the
Security Awareness, Training and Education—These are three different concepts applying to the development of staff. Awareness programs start from the first day of employment and address the requirements of policy, social engineering, and security requirements. Training and education are often expensive programs required to ensure staff has adequate skills to maintain a security posture, maintain equipment, manage projects, and other key business operations. Such programs are often delivered just in time as required to use training budgets effectively.
• Awareness Training—Provides employees with a reminder of their security responsibilities
• Variety of methods are available
• Videos
• Newsletters
• Posters
• Briefings
• Key-chains, trinkets, etc.
• The objective is to motivate personnel to comply with requirements
• The campaign must be creative, and the depth and type of topics should target the audiences appropriately, and frequently change
• Reward practices such as protecting the physical area and equipment, protecting passwords, and reporting security violations
• Awareness Training efforts can quickly become stale, mundane, and routine. At some point, it loses its effectiveness and the returns for the cost and effort are marginal. To avoid this problem, vary the topics as
Page 19
Address the audience—Each group has different interests and the material you present will be filtered through their personal bias.
• Management—Overall cost savings (a Risk Analysis will yield this type of information), the need to protect information, and the need for efficient and effective security
• Data Owner and Custodian—Easy to follow instructions
• Operations Personnel—Non-intrusive security
• User—Productivity, easy compliance, understanding requirements
• Support Personnel—Their role, cost-effective compliance
GOOD TRAINING PRACTICES
• Address the audience
Risk Management and Analysis—A sound approach to IT security is based on sound risk analysis and good risk management. A CISSP must have mastery of the concepts and methods addressed here.
• Here are the objectives in this section:
• Define the key risk management terms
• Describe the importance of a risk analysis
• List examples of potential threats
• Describe some types of risk analysis
• Describe safeguard selection principles
DOMAIN AGENDA
• Principles and Requirements
• Policy
• Organizational Roles and Responsibilities
• Risk Management and Analysis
Page 20
A situation and method that may accidentally trigger a vulnerability.
• Common threat sources are natural, human or environmental. NOTE: The 'threat source' is also called the 'threat
security policy
• Likelihood—The probability that a potential vulnerability may be exercised within the construct of an associated threat environment.
• Countermeasure—A control to reduce risk—may be technical, operational or management controls or a combination of these types.
DEFINITION OF RISK FROM NIST SP 800-30
• Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the
to Risk and Countermeasures. One key point is the recognition that safeguards may also contain new vulnerabilities that the information security professional must be aware of.
Page 21
• Asset—Something that is valued by the organization to accomplish its goals and objectives.
• Threat—Any potential danger to information or an information system.
• Examples of threats include, but are not limited to:
• Unauthorized access
RISK MANAGEMENT DEFINITIONS
Risk Management Definitions—To understand risk analysis, the organization must work from a common set of terms. Understanding and using terminology correctly is important, especially when presenting risk analysis efforts to senior management. This and the next slide provide the key terms used in this section. Learn them well, how they are used, and when each term is appropriate.
• Exposure—An opportunity for a threat to cause loss.
• Attack—An intentional action trying to cause harm. An attack is an effort by a threat agent to launch a threat by exploiting a vulnerability in an information system. That explains the importance of understanding the correct terminology. As security professionals, CISSPs are the experts and are expected to use precise, correct terminology. Otherwise it may affect their reputations, and listeners start to wonder if the security professional really knows what he/she is talking about.
• Countermeasures and Safeguards—Are those measures and actions that are taken to try and protect systems. They could be one of several types of controls which we will talk about later.
• Risk—Is a "likelihood" or probability that some unwanted event could occur. The possibility that a particular threat will adversely impact an information system by exploiting a particular vulnerability.
Several times throughout this course we will say that we cannot reduce risk to zero. The next term answers that issue.
• Residual Risk—Is the amount of risk remaining after countermeasures and safeguards are applied.
RISK MANAGEMENT TERMS
• Vulnerability—Is any weakness that could be exploited. Vulnerabilities exist in every IT system, product and application. A security program will address vulnerabilities by implementing safeguards or countermeasures to prevent the exploitation of a vulnerability; however, the security person must always be aware of the risk of new vulnerabilities and the inability to completely remove all vulnerabilities from a system.