CISSP - 1 Information Security & Risk Management

CISSP (Certified Information Systems Security Professional)
Kelly Handerhan, Subject Matter Expert
kellyhanderhan@gmail.com
CASP, CISSP, PMP

Upload: lebenikos

Post on 17-Feb-2018

Page 1: CISSP - 1 Information Security & Risk Management

7/23/2019 CISSP - 1 Information Security & Risk Management

http://slidepdf.com/reader/full/cissp-1-information-security-risk-management 1/60

CISSP (Certified Information Systems Security Professional)
Kelly Handerhan, Subject Matter Expert
kellyhanderhan@gmail.com
CASP, CISSP, PMP

Page 2: CISSP - 1 Information Security & Risk Management

The 10 Domains of CISSP

CISSP Course Syllabus
Chapter 1: Information Security Governance and Risk Management
Chapter 2: Operations Security
Chapter 3: Cryptography
Chapter 4: Access Control
Chapter 5: Physical Security
Chapter 6: Telecommunications
Chapter 7: Legal, Ethics and Investigations
Chapter 8: Software Development Security
Chapter 9: Business Continuity and Disaster Recovery Planning
Chapter 10: Security Architecture and Design

Page 3: CISSP - 1 Information Security & Risk Management

Exam Specifics

250 questions (25 are "beta" and are not graded)
6 hours to complete the exam
You can mark questions for review
You will be provided with 1 "wipe" board (8x11) and a pen. You will also have access to an on-screen calculator.
Many test centers provide earplugs or noise cancelling headphones. Call your center ahead of time to verify.
Questions are weighted (Remember: security transcends technology)

Page 4: CISSP - 1 Information Security & Risk Management

The CISSP Mindset

Your Role is a Risk Advisor
Do NOT fix Problems
Who is responsible for security?
How much security is enough?
All decisions start with risk management. Risk management starts with Identifying/Valuating your assets.
"Security Transcends Technology"
Physical safety is always the first choice
Technical questions are for Managers. Management questions are for technicians
Incorporate security into the design, as opposed to adding it on later
Layered Defense!

Page 5: CISSP - 1 Information Security & Risk Management

Test Taking Tips

If you haven't already, SCHEDULE THE TEST!!!
Start with the question mark. Often the beginning of the scenario is a distraction
Choose an answer for EVERY question. Even those you mark for review, just in case you run out of time.
Be cautious about changing answers. Your first instinct is often right. Trust yourself and your knowledge and what we do in class. Don't second guess!
Take Breaks as needed. Plan on 50 questions per hour.

Page 6: CISSP - 1 Information Security & Risk Management

Information Security and Risk Management

Page 7: CISSP - 1 Information Security & Risk Management

Agenda

Fundamentals of Security
Types of Attacks
Risk Management
Security Blueprints
Policies, Standards, Procedures, Guidelines
Roles and Responsibilities
SLAs
Data Classification
Certification, Accreditation and Auditing
Knowledge Transfer

Page 8: CISSP - 1 Information Security & Risk Management

Well Known Exploits

Page 9: CISSP - 1 Information Security & Risk Management

The Role of Information Security Within an Organization

First priority is to support the mission of the organization
Requires judgment based on risk tolerance of the organization, cost and benefit
Role of the security professional is that of a risk advisor, not a decision maker.

Page 10: CISSP - 1 Information Security & Risk Management

Planning Horizon

Strategic Goals: Over-arching - supported by tactical goals and operational goals
Tactical Goals: Mid-Term - lay the necessary foundation to accomplish Strategic Goals
Operational Goals: Day-to-day - focus on productivity and task-oriented activities

Page 11: CISSP - 1 Information Security & Risk Management

Security Fundamentals

C-I-A Triad
Confidentiality
Integrity
Availability

Page 12: CISSP - 1 Information Security & Risk Management

Confidentiality

Prevent unauthorized disclosure
Social Engineering: Training, Separation of Duties, Enforce Policies and Conduct Vulnerability Assessments
Media Reuse: Proper Sanitization Strategies
Eavesdropping: Encrypt; Keep sensitive information off the network

Page 13: CISSP - 1 Information Security & Risk Management

Integrity

Detect modification of information
Corruption
Intentional or Malicious Modification
Message Digest (Hash)
MAC
Digital Signatures
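The mechanisms on this slide differ in what they detect. The added example below (not part of the course slides) contrasts an unkeyed message digest with a keyed MAC: the digest catches accidental corruption, but whoever can change the data can also recompute a plain hash, so only the keyed MAC detects deliberate modification. The message and key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample data for the demonstration (not from the slides).
MESSAGE = b"Transfer 100.00 USD to account 12345"
KEY = b"constructed-demo-key-keep-secret-in-practice"


def message_digest(data: bytes) -> str:
    """Unkeyed message digest (SHA-256). Anyone can compute it."""
    return hashlib.sha256(data).hexdigest()


def mac_tag(key: bytes, data: bytes) -> str:
    """Keyed MAC (HMAC-SHA256). Producing a valid tag requires the secret key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def digest_intact(data: bytes, expected_digest: str) -> bool:
    """True if the stored digest still matches the data (constant-time compare)."""
    return hmac.compare_digest(message_digest(data), expected_digest)


def mac_intact(key: bytes, data: bytes, expected_tag: str) -> bool:
    """True if the keyed tag verifies under our key (constant-time compare)."""
    return hmac.compare_digest(mac_tag(key, data), expected_tag)


def integrity_scenarios(key: bytes = KEY) -> dict:
    """Run the cases from the slide and report whether each change was detected."""
    stored_digest = message_digest(MESSAGE)
    stored_tag = mac_tag(key, MESSAGE)

    # 1. Corruption: a single bit flips in storage or in transit.
    corrupted = bytearray(MESSAGE)
    corrupted[0] ^= 0x01
    corruption_detected = not digest_intact(bytes(corrupted), stored_digest)

    # 2. Malicious modification, digest only: whoever edits the record can
    #    also rewrite the unkeyed digest, so the check passes and nothing is detected.
    tampered = MESSAGE.replace(b"12345", b"99999")
    rewritten_digest = message_digest(tampered)
    tampering_detected_by_digest = not digest_intact(tampered, rewritten_digest)

    # 3. Malicious modification, MAC: without the key the tag cannot be
    #    recomputed, so the tampered record fails verification.
    tampering_detected_by_mac = not mac_intact(key, tampered, stored_tag)

    return {
        "corruption_detected_by_digest": corruption_detected,
        "tampering_detected_by_digest": tampering_detected_by_digest,
        "tampering_detected_by_mac": tampering_detected_by_mac,
    }


if __name__ == "__main__":
    for case, detected in integrity_scenarios().items():
        print(f"{case}: {'detected' if detected else 'NOT detected'}")
```

A digital signature gives the same tamper detection as the MAC while also providing non-repudiation, because only the holder of the private key can produce it.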

Page 14: CISSP - 1 Information Security & Risk Management

Availability

Provide Timely and reliable access to resources
Redundancy, redundancy, redundancy
Prevent single point of failure
Comprehensive fault tolerance (Data, Hard Drives, Servers, Network Links, etc.)

Page 15: CISSP - 1 Information Security & Risk Management

Best Practices (to protect C.I.A)

Separation of Duties (SOD)
Mandatory Vacations
Job rotation
Least privilege
Need to know
Dual control

Page 16: CISSP - 1 Information Security & Risk Management

7/23/2019 CISSP - 1 Information Security & Risk Management

http://slidepdf.com/reader/full/cissp-1-information-security-risk-management 16/60

Defense in Depth

&lso Kno6n as layered 7eense

Bo -ne 7e*ice 6ill P+EFEB2 an

attac"er  2hree main ty!es o controls

 2echnical (4o$ical)

&dministrati*e

Physical

Page 17: CISSP - 1 Information Security & Risk Management

Risk

Every decision starts with looking at risk
Determine the value of your assets
Look to identify the potential for loss
Find a cost effective solution; reduce risk to an acceptable level (rarely can we eliminate risk)
Safeguards are proactive
Countermeasures are reactive

Page 18: CISSP - 1 Information Security & Risk Management

Risk Definitions

Asset: Anything of Value to the company
Vulnerability: A weakness; the absence of a safeguard
Threat: Something that could pose loss to all or part of an asset
Threat Agent: What carries out the attack
Exploit: An instance of compromise
Risk: The probability of a threat materializing
Controls: Physical, Administrative, and Technical Protections; Safeguards; Countermeasures

Page 19: CISSP - 1 Information Security & Risk Management

Sources of Risk

Weak or non-existing anti-virus software
Disgruntled employees
Poor physical security
Weak access control
No change management
No formal process for hardening systems
Lack of redundancy
Poorly trained users

Page 20: CISSP - 1 Information Security & Risk Management

Risk Management

Processes of identifying, analyzing, assessing, mitigating, or transferring risk. Its main goal is the reduction of probability or impact of a risk.
Summary topic that includes all risk-related actions
Includes Assessment, Analysis, Mitigation, and Ongoing Risk Monitoring

Page 21: CISSP - 1 Information Security & Risk Management

Risk Management

Risk Management
  Risk Assessment
    Identify and Valuate Assets
    Identify Threats and Vulnerabilities
  Risk Analysis
    Qualitative
    Quantitative
  Risk Mitigation/Response
    Reduce
    Avoid
    Transfer
    Accept
    Reject
  Ongoing Risk Monitoring

Page 22: CISSP - 1 Information Security & Risk Management

Risk Assessment

Looks at risks for a specific period in time and must be reassessed periodically
Risk Management is an ongoing process
The following steps are part of a Risk Assessment per NIST 800-30:
System Characterization
Threat Identification
Vulnerability Identification
Control Analysis
Likelihood Determination
Impact Analysis
Risk Determination
Control Recommendation
Results Documentation

Page 23: CISSP - 1 Information Security & Risk Management

Risk Analysis

Determining a value for a risk
Qualitative vs. Quantitative
Risk Value is Probability × Impact
Probability: How likely is the threat to materialize?
Impact: How much damage will there be if it does?
Could also be referred to as likelihood and severity.

Page 24: CISSP - 1 Information Security & Risk Management

Risk Analysis

Qualitative Analysis (subjective, judgment-based): Probability and Impact Matrix
Quantitative Analysis (objective, numbers driven):
AV (Asset Value)
EF (Exposure Factor)
ARO (Annual Rate of Occurrence)
SLE (Single Loss Expectancy) = AV × EF
ALE (Annual Loss Expectancy) = SLE × ARO
Cost of control should be the same or less than the potential for loss

Page 25: CISSP - 1 Information Security & Risk Management

Qualitative Analysis

Subjective in Nature
Uses words like "high", "medium", "low" to describe likelihood and severity (or probability and impact) of a threat exposing a vulnerability
Delphi technique is often used to solicit objective opinions

Page 26: CISSP - 1 Information Security & Risk Management

Quantitative Analysis

More experience required than with Qualitative
Involves calculations to determine a dollar value associated with each risk event
Business Decisions are made on this type of analysis
Goal is to determine the dollar value of a risk and use that amount to determine what the best control is for a particular asset
Necessary for a cost/benefit analysis
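Slides 23 through 26 give the two methods in words; the added example below (my code, not the course's) works them through on a constructed three-entry risk register: a qualitative probability × impact screen decides which risks merit the quantitative step, and for those it computes SLE = AV × EF, ALE = SLE × ARO, and a cost/benefit figure that applies the rule that the cost of a control should not exceed the loss it prevents. All asset values, factors and control costs are made-up sample figures.

```python
from dataclasses import dataclass

# Qualitative scale used by the probability-and-impact matrix.
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    name: str
    probability: str        # qualitative: low / medium / high
    impact: str             # qualitative: low / medium / high
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost in one occurrence (0..1)
    aro: float              # ARO, expected occurrences per year
    control_cost: float     # annual cost of the proposed control, in dollars
    ef_after: float         # EF once the control is in place
    aro_after: float        # ARO once the control is in place


def qualitative_score(probability: str, impact: str) -> int:
    """Probability x Impact on a 3x3 matrix; result is 1 (low/low) .. 9 (high/high)."""
    return LEVEL[probability] * LEVEL[impact]


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy = AV x EF."""
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annual Loss Expectancy = SLE x ARO."""
    return sle(asset_value, exposure_factor) * aro


def control_value(risk: Risk) -> float:
    """Annual value of the control: ALE before - ALE after - annual control cost.
    Positive means the control costs less than the loss it prevents."""
    before = ale(risk.asset_value, risk.exposure_factor, risk.aro)
    after = ale(risk.asset_value, risk.ef_after, risk.aro_after)
    return before - after - risk.control_cost


def analyze(register: list, threshold: int = 3) -> list:
    """FRAP-style pass: qualitative screen first, quantitative analysis only for
    risks whose matrix score reaches the threshold (the rest are accepted as-is)."""
    results = []
    for r in register:
        score = qualitative_score(r.probability, r.impact)
        row = {"name": r.name, "score": score, "quantified": score >= threshold}
        if row["quantified"]:
            row["sle"] = sle(r.asset_value, r.exposure_factor)
            row["ale_before"] = ale(r.asset_value, r.exposure_factor, r.aro)
            row["ale_after"] = ale(r.asset_value, r.ef_after, r.aro_after)
            row["net_benefit"] = control_value(r)
            row["recommend_control"] = row["net_benefit"] > 0
        results.append(row)
    return results


# Constructed sample register; every figure is made up for the demonstration.
REGISTER = [
    Risk("Ransomware on file server", "high", "high",
         asset_value=200_000, exposure_factor=0.5, aro=0.5,
         control_cost=15_000, ef_after=0.1, aro_after=0.5),   # offline backups
    Risk("Laptop theft", "medium", "medium",
         asset_value=50_000, exposure_factor=0.1, aro=2.0,
         control_cost=12_000, ef_after=0.02, aro_after=2.0),  # full-disk encryption
    Risk("Lobby kiosk defacement", "low", "low",
         asset_value=2_000, exposure_factor=1.0, aro=0.2,
         control_cost=500, ef_after=1.0, aro_after=0.05),
]


if __name__ == "__main__":
    for row in analyze(REGISTER):
        if not row["quantified"]:
            print(f"{row['name']}: score {row['score']}, screened out (accept)")
            continue
        verdict = "implement" if row["recommend_control"] else "do not implement"
        print(f"{row['name']}: score {row['score']}, SLE ${row['sle']:,.0f}, "
              f"ALE ${row['ale_before']:,.0f} -> ${row['ale_after']:,.0f}, "
              f"net benefit ${row['net_benefit']:,.0f}, {verdict} control")
```

On this register the backup control pays for itself (ALE drops from $50,000 to $10,000 for $15,000 a year) while the encryption control does not (a $8,000 reduction for $12,000 a year), so the second risk would be accepted or given a cheaper control.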

Page 27: CISSP - 1 Information Security & Risk Management

Mitigating Risk

Three Acceptable Risk Responses:
Reduce
Transfer
Accept
Secondary Risks
Residual Risks
Continue to monitor for risks
How we decide to mitigate business risks becomes the basis for Security Governance and Policy

Page 28: CISSP - 1 Information Security & Risk Management

Security Governance

The IT Governance Institute in its Board Briefing on IT Governance, 2nd Edition, defines Security governance as follows:

"Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly."

Page 29: CISSP - 1 Information Security & Risk Management

Security Blueprints for achieving "Security Governance"

BS 7799, ISO 17799, and 27000 Series
COBIT and COSO
OCTAVE
ITIL

Page 30: CISSP - 1 Information Security & Risk Management

COBIT and COSO

COBIT (Control Objectives for Information and related Technology)
COSO (Committee of Sponsoring Organizations)

Page 31: CISSP - 1 Information Security & Risk Management

ITIL

Information Technology Infrastructure Library (ITIL) is the de facto standard for best practices for IT service management
5 Service Management Publications:
Strategy
Design
Transition
Operation
Continual Improvement
**While the Publications of ITIL are not testable, its purpose and comprehensive approach are testable. It provides best practices for organizations and the means by which to implement those practices

Page 32: CISSP - 1 Information Security & Risk Management

BS 7799, ISO 17799, 27000

Page 33: CISSP - 1 Information Security & Risk Management

BS 7799, ISO 17799, 27000 Series

BS 7799-1, BS 7799-2: Absorbed by ISO 17799
Renamed ISO 27002 to fit into the ISO numbering standard

Page 34: CISSP - 1 Information Security & Risk Management

ISO 27000 Series

ISO 27001: Establishment, Implementation, Control and improvement of the ISMS. Follows the PDCA (Plan, Do, Check, Act)
ISO 27002: Replaced ISO 17799. Provides practical advice for how to implement security controls. Uses 10 domains to address ISMS.
ISO 27004: Provides Metrics for measuring the success of ISMS
ISO 27005: A standards based approach to risk management
ISO 27799: Directives on protecting personal health information

Page 35: CISSP - 1 Information Security & Risk Management

The Plan Do Check Act (PDCA) Model

[Figure: PDCA cycle. Input from Interested Parties: Information Security Requirements and Expectations. Output to Interested Parties: Managed Information Security.]

Page 36: CISSP - 1 Information Security & Risk Management

Approach to Security Management

Top-Down Approach: Security practices are directed and supported at the senior management level
Bottom-Up Approach: The IT department tries to implement security

[Figure: two pyramids labelled Senior Management, Middle Management, Staff, one for each approach]

Page 37: CISSP - 1 Information Security & Risk Management

Information Security Management Program

Senior management's Involvement
Governance
Policies, Standards, Procedures, Guidelines
Roles and Responsibilities
SLA's (Service Level Agreements), Outsourcing
Data Classification
Security C&A (Certification and Accreditation)
Auditing

Page 38: CISSP - 1 Information Security & Risk Management

Senior Management Role

CEO, CSO, CIO, etc.
Ultimately responsible for Security within an organization
Development and Support of Policies
Allocation of Resources
Decisions based on Risk
Prioritization of business processes

Page 39: CISSP - 1 Information Security & Risk Management

Liabilities

Legal liability is an important consideration for risk assessment and analysis. Addresses whether or not a company is responsible for specific actions or inaction.
Who is responsible for the security within an organization? Senior management
Are we liable in the instance of a loss?
Due diligence: Continuously monitoring an organization's practices to ensure they are meeting/exceeding the security requirements.
Due care: Ensuring that "best practices" are implemented and followed. Following up Due Diligence with action.
Prudent man rule: Acting responsibly and cautiously as a prudent man would
Best practices: Organizations are aligned with the favored practices within an industry

Page 40: CISSP - 1 Information Security & Risk Management

Organizational Security Policy aka Program Policy

Mandatory
High level statement from management
Should support strategic goals of an organization
Explain any legislation or industry specific drivers
Assigns responsibility
Should be integrated into all business functions
Enforcement and Accountability

Page 41: CISSP - 1 Information Security & Risk Management

Issue and System Specific Policy

Issue Specific policy, sometimes called Functional Implementation policy, would include the company's stance on various employee issues. AUP, Email, Privacy would all be covered under issue specific policy.
System Specific policy is geared toward the use of network and system resources. Approved software lists, use of firewalls, IDS, Scanners, etc.

Page 42: CISSP - 1 Information Security & Risk Management

Other Types of Policies

Regulatory
Advisory
Informative

Page 43: CISSP - 1 Information Security & Risk Management

Security Policy Document Relationships

[Figure: document hierarchy. Drivers: Laws, Regulations and Best Practices. Management's Security Statement: Program or Organizational Policy. Management's Security Directives: Functional (Issue and System Specific) Policies. Below them: Standards, Procedures, Baselines, Guidelines.]

Page 44: CISSP - 1 Information Security & Risk Management

7/23/2019 CISSP - 1 Information Security & Risk Management

http://slidepdf.com/reader/full/cissp-1-information-security-risk-management 44/60

Standa"ds

Mandatory Created to su!!ort !olicy, 6hile

!ro*idin$ more s!ecifcs% +einorces !olicy and !ro*ides direction Can be internal or eternal

44

P"oced#"es

Page 45: CISSP - 1 Information Security & Risk Management

7/23/2019 CISSP - 1 Information Security & Risk Management

http://slidepdf.com/reader/full/cissp-1-information-security-risk-management 45/60

P"oced#"es

Mandatory Ste! by ste! directi*es on ho6 to

accom!lish an end@result%

7etail the <ho6@to= o meetin$ the!olicy, standards and $uidelines

45

/#idelines

Page 46: CISSP - 1 Information Security & Risk Management

7/23/2019 CISSP - 1 Information Security & Risk Management

http://slidepdf.com/reader/full/cissp-1-information-security-risk-management 46/60

/#idelines

Bot Mandatory Su$$esti*e in Bature +ecommended actions and $uides to

users <9est Practices=

46

*aselines

Page 47: CISSP - 1 Information Security & Risk Management

7/23/2019 CISSP - 1 Information Security & Risk Management

http://slidepdf.com/reader/full/cissp-1-information-security-risk-management 47/60

*aselines

Mandatory Minimum acce!table security

conf$uration or a system or !rocess

 2he !ur!ose o security classifcation isto determine and assi$n the necessarybaseline conf$uration to !rotect the

data

47

Pe"sonnel Sec#"it$ Policies

Page 48: CISSP - 1 Information Security & Risk Management

7/23/2019 CISSP - 1 Information Security & Risk Management

http://slidepdf.com/reader/full/cissp-1-information-security-risk-management 48/60

Pe"sonnel Sec#"it$ Policies+examples-

Hirin$ Practices and Procedures 9ac"$round Chec"sScreenin$ B7&Qs Em!loyee Handboo"s Jormal ob 7escri!tions &ccountability 2ermination

48

!oles and !esponsi)ilities

Page 49: CISSP - 1 Information Security & Risk Management

7/23/2019 CISSP - 1 Information Security & Risk Management

http://slidepdf.com/reader/full/cissp-1-information-security-risk-management 49/60

!oles and !esponsi)ilities

SeniorEecuti*e Mana$ement CE- Chie 7ecision@Ma"er CJ- +es!onsible or bud$etin$ and fnances CI- Ensures technolo$y su!!orts com!anyQs objecti*es IS- +is" &nalysis and Miti$ation

Steerin$ Committee 7efne ris"s, objecti*es anda!!roaches

&uditors E*aluates business !rocesses

7ata -6ner Classifes 7ata

7ata Custodian 7ay to day maintenance o data

Bet6or" &dministrator Ensures a*ailability o net6or"resources

Security &dministrator +es!onsible or all security@relatedtas"s, ocusin$ on Confdentiality and Inte$rity

49

!esponsi)ilities of the

Page 50: CISSP - 1 Information Security & Risk Management

7/23/2019 CISSP - 1 Information Security & Risk Management

http://slidepdf.com/reader/full/cissp-1-information-security-risk-management 50/60

!esponsi)ilities of theIS% +es!onsible or !ro*idin$ C@I@& or all

inormation assets%

Communication o +is"s to Senior

Mana$ement +ecommend best !ractices to inuence

!olicies, standards, !rocedures, $uidelines

Establish security measurements

Ensure com!liance 6ith $o*ernment andindustry re$ulations

Maintain a6areness o emer$in$ threats

50

A#diting !ole

Page 51: CISSP - 1 Information Security & Risk Management

7/23/2019 CISSP - 1 Information Security & Risk Management

http://slidepdf.com/reader/full/cissp-1-information-security-risk-management 51/60

A#diting !ole

-bjecti*e E*aluation o controls and!olicies to ensure that they are bein$im!lemented and are eLecti*e%

I internal auditin$ is in !lace, auditorsshould not re!ort to the head o abusiness unit, but rather to le$al orhuman resources@@some other entity6ith out direct sta"e in result

51

Data Classification

Page 52: CISSP - 1 Information Security & Risk Management

Data Classification

Development of sensitivity labels for data and the assignment of those labels for the purpose of configuring baseline security based on value of data
Cost: Value of the Data
Classify: Criteria for Classification
Controls: Determining the baseline security configuration for each

Page 53: CISSP - 1 Information Security & Risk Management

Considerations for Asset Valuation

What makes up the value of an asset?
Value to the organization
Loss if compromised
Legislative drivers
Liabilities
Value to competitors
Acquisition costs
And many others

Page 54: CISSP - 1 Information Security & Risk Management

Assessment

Identify and Valuate Assets
Identify Threats and Vulnerabilities
Methodologies:
OCTAVE: an approach where analysts identify assets and their criticality, identify vulnerabilities and threats, and base the protection strategy on reducing risk
FRAP: Facilitated Risk Analysis Process. Qualitative analysis used to determine whether or not to proceed with a quantitative analysis. If likelihood or impact is too low, the quantitative analysis is foregone.
NIST 800-30: Risk Management Guide for Information Technology Systems

Page 55: CISSP - 1 Information Security & Risk Management

Risk Analysis

Qualitative: Subjective analysis to help prioritize probability and impact of risk events. May use Delphi Technique
Quantitative: Providing a dollar value to a particular risk event. Much more sophisticated in nature, a quantitative analysis is much more difficult and requires a special skill set
Business decisions are made on a quantitative analysis
Can't exist on its own. Quantitative analysis depends on qualitative information

Page 56: CISSP - 1 Information Security & Risk Management

Knowledge Transfer

Awareness, Training, Education

"People are often the weakest link in securing information. Awareness of the need to protect information, training in the skills needed to operate them securely, and education in security measures and practices are of critical importance for the success of an organization's security program."

The Goal of Knowledge Transfer is to modify employee behavior

Page 57: CISSP - 1 Information Security & Risk Management

Being Aware of the Rules

Security Awareness Training
Employees cannot and will not follow the directives and procedures if they do not know about them
Employees must know expectations and ramifications, if not met
Employee recognition award program
Part of due care
Administrative control

Page 58: CISSP - 1 Information Security & Risk Management

Awareness/Training/Education Benefits

Overriding Benefits:
Modifies employee behavior and improves attitudes towards information security
Increases ability to hold employees accountable for their actions
Raises collective security awareness level of the organization

Page 59: CISSP - 1 Information Security & Risk Management

Awareness/Training/Education Implementation

Basic security training should be required for all employees.
Advanced training may be needed for managers.
Specialized training is necessary for system administrators and information systems auditors.
Specialized training is normally delivered through external programs.
Should be regarded as part of career development.

Page 60: CISSP - 1 Information Security & Risk Management

Information Security Governance and Risk Management Review

Fundamentals of Security
Types of Attacks
Risk Management
Security Blueprints
Policies, Standards, Procedures, Guidelines
Roles and Responsibilities
SLAs
Data Classification
Certification, Accreditation and Auditing
Knowledge Transfer