cissp- security and risk management

ASM EDUCATIONAL CENTER INC. (ASM) WHERE TRAINING, TECHNOLOGY & SERVICE CONVERGE WWW.ASMED.COM CISSP- SECURITY & RISK MANAGEMENT

Upload: hamed-moghaddam

Post on 14-Feb-2017


Page 1: Cissp- Security and Risk Management

ASM EDUCATIONAL CENTER INC. (ASM) WHERE TRAINING, TECHNOLOGY & SERVICE CONVERGE

WWW.ASMED.COM

CISSP- SECURITY & RISK MANAGEMENT

Page 2: Cissp- Security and Risk Management

OVERVIEW OF DOMAIN:

Addresses the framework and policies, concepts, principles, structures, and standards required for the effective protection and management of information assets.

It touches on the issues of governance, organizational behavior and security awareness in general.

Enterprise-wide business continuity/disaster recovery plans (BC/DRP) are also discussed comprehensively.

It also emphasizes the power of administrative, technical and physical controls required for the effective protection of the confidentiality, integrity, and the availability of information assets.

Page 3: Cissp- Security and Risk Management

SECURITY & RISK MANAGEMENT

The C.I.A. Triad: Confidentiality, Integrity, Availability

Page 4: Cissp- Security and Risk Management

Confidentiality: Ensures that data and system resources are private and remain secure against unauthorized access. Confidentiality can be enforced by the use of passwords, activating firewalls, and the use of encryption to secure data. Confidentiality supports the principle of least privilege and need-to-know. A security architect must use an important measure such as data classification to ensure confidentiality. Encryption may also be used to restrict the usability of information in the event it is accessed by an unauthorized user.

Page 5: Cissp- Security and Risk Management

Integrity: Integrity is about the trustworthiness and correctness of data. It ensures the prevention of modification of data by unauthorized users, and the prevention of unauthorized or unintentional modification of data by authorized users. It applies to both data at rest and data in transit. Controls such as “segregation of duties” may be employed to enforce integrity.

Page 6: Cissp- Security and Risk Management

Availability: Information resources must be available and accessible to authorized users at all times. Availability may be affected by denial-of-service attacks. Loss of service in times of disasters of all kinds may also affect availability. Controls such as up-to-date and active malicious code detection mechanisms and a robust business continuity plan may help prevent loss of service.

Page 7: Cissp- Security and Risk Management

Security Governance: Organizational or corporate governance has existed since time immemorial to ensure the efficient running of the organization via control structures. Since information security has become an integral part of every organization, it is absolutely necessary for a governance structure to be in place. Information security must also be properly aligned with the mission of the organization. Information security governance provides a platform for upper management and the board of directors (BOD) to exercise their oversight on enterprise risk management to the required acceptable level.

Page 8: Cissp- Security and Risk Management

The intent of governance is to provide some guarantee that certain appropriate mechanisms are in place to reduce risks (please note that risk cannot be completely eliminated).

Executive management must be fully committed to provide the investments required for any information security activities.

Page 9: Cissp- Security and Risk Management

The IT Governance Institute (ITGI) defines IT governance as being “the responsibility of the board of directors and executive management”.

The ITGI also proposes that information security governance must be considered part of IT governance and that the BOD should:
Be informed about security
Set direction to drive policy and strategy
Provide resources to security efforts
Assign management responsibilities
Set priorities
Support changes required
Define cultural values related to risk assessment
Obtain assurance from internal and external auditors
Insist that security investments are made measurable and reported on for program effectiveness

Page 10: Cissp- Security and Risk Management

In addition, the ITGI suggests that management should:
Write security policies with business input
Ensure that roles and responsibilities are clearly defined and understood
Identify threats and vulnerabilities
Implement security infrastructures and control frameworks (standards, guidelines, baselines, and procedures)
Ensure that policy is approved by the governing body
Establish priorities and implement security projects in a timely manner
Monitor breaches
Conduct periodic reviews and tests
Reinforce awareness education as critical
Build security into the systems development life cycle

Page 11: Cissp- Security and Risk Management

Security Governance: Goals, Mission, and Objectives of the Organization

Information security must support and enable the vision, mission and business objectives of the organization.

It must also ensure the interrelationships among risk assessment, policy implementation, response controls, promoting awareness, monitoring effectiveness, and so on.

Page 12: Cissp- Security and Risk Management

Security Governance: Organizational Processes
Acquisitions and mergers
Divestitures and spinoffs
Governance committees

Security Roles and Responsibilities
Today’s organizational structure
Role of the Information Security Officer
Communicate risks to executive management

Page 13: Cissp- Security and Risk Management

Security Governance: Information Security Strategies
Strategic planning – Long term (3 to 5 years); must be aligned with business objectives.
Tactical planning – Short term (6 to 18 months), used to achieve specific goals. May consist of multiple projects.
Operational and project planning – Specific plans with milestones, dates, and accountabilities that provide communication and direction for project completion.

Page 14: Cissp- Security and Risk Management

The Complete & Effective Security Program: Oversight Committee Representation
Security council vision statement
Mission statement
Security program oversight
End users
Executive management
Information Systems Security Professionals

Page 15: Cissp- Security and Risk Management

The Complete & Effective Security Program: Control Frameworks

Many organizations adopt control frameworks to ensure security and privacy. Frameworks provide: Consistency, Metrics, Standards, etc. (31). NIST SP 800-53 revision 4 is such a framework made up of 285 controls under 19 families.

Page 16: Cissp- Security and Risk Management

The Complete & Effective Security Program: Due Care
Exercising a “prudent man’s judgment” to protect an organization’s assets. Failure to exercise due care leads to legal liabilities (negligence) that may be civil, criminal, or both.

Due Diligence: Investigative steps taken by management, all in an effort to protect the assets of the organization. Due diligence complements the execution of due care.

Page 17: Cissp- Security and Risk Management

Compliance – HIPAA, GLBA, PCI-DSS, etc.
Governance, Risk Management, and Compliance (GRC)
Legislative and Regulatory Compliance
Privacy Requirements Compliance

Page 18: Cissp- Security and Risk Management

The Many Facets of Cyber Laws
Computer crimes are relatively new in our society.
Many laws and regulations, albeit inadequate, try to handle the many challenges faced in this arena of crime.
Judicial systems are experiencing growing pains at the complexities of these crimes and inadequate resources to handle them, human and otherwise.

The Crux of Computer Crime Laws
Cyber laws around the world deal with incidents such as unauthorized modification or destruction of data, disclosure of sensitive information, unauthorized access, and the distribution of malware, among many others.
Laws have been created to deal with certain categories of computer crimes.

Page 19: Cissp- Security and Risk Management

Computer Crimes
To be able to deal effectively with computer crimes we need to understand the general categories of computer crimes:

Computer as a target
Involves sabotage of computers and networks
Involves stealing of information such as intellectual property or marketing information that is stored on computers
Examples of crimes in this category may include DoS attacks, sniffers, and password attacks.

Computer as the instrument
Where computers are used as a means to perpetrate crimes or create chaos for an organization
Includes theft of money from online bank accounts and fraudulent use of credit card information, as well as telecommunications fraud.

Page 20: Cissp- Security and Risk Management

Computer Crimes
Computer as incidental to other crimes
Involves crimes where computers are not really necessary for such crimes to be committed. Instead, computers facilitate these crimes and make them difficult to detect.
Examples of crimes in this category may include money laundering and unlawful activities on bulletin board systems.

Crimes associated with the prevalence of computers
Includes crimes resulting from the popularity of computers
Crimes of this category are usually traditional in nature, but the targets are ever evolving
Examples include copyright violations of computer programs, software and movie piracy, and black marketing of computer peripherals.

Page 21: Cissp- Security and Risk Management

Computer Crimes
Please bear in mind that although computer crimes can be categorized, a single criminal transaction can result in multiple crime categories. Therefore, there can be an overlap between such classifications.

Page 22: Cissp- Security and Risk Management

Motivation for Computer Crimes
Grudge (against a company or an individual)
Political reasons (terrorist activities, info warfare)
Financial reasons
Business (competitive intelligence)
Fun (script kiddies)

MOM: M – motive, O – opportunity, M – means

Page 23: Cissp- Security and Risk Management

Global Legal and Regulatory Issues: Computer/Cyber Crime

CryptoLocker Ransomware – Spreads via email and propagates rapidly. Encrypts various file types; a pop-up window then appears to inform the user about the actions performed on the computer and demands a monetary payment for the files to be decrypted.

Child Pornography Scareware – A user might visit an infected site and the scareware would lock up the computer and threaten that laws have been violated. Then an extortion is set into motion.

Fake or Rogue Anti-Virus Software – Victims are scared, via a pop-up window, into purchasing anti-virus software that would allegedly remove viruses from their computers. By clicking on the pop-up message, the computer is then infected with all kinds of malware.

Page 24: Cissp- Security and Risk Management

Global Legal and Regulatory Issues: Licensing and Intellectual Property
Unlike criminal laws, intellectual property laws do not look at what is right or wrong. Instead, intellectual property laws help to define how individuals or organizations can protect the resources that are rightfully theirs.

Intellectual property laws also help to define the course of action that an individual or an organization should take in case this law is violated.

But to be able to prosecute the offender, the individual or the organization should be able to prove that he/she/it did everything possible to protect the resources.

Page 25: Cissp- Security and Risk Management

Intellectual Property Laws

Copyright
Protects “original works of authorship”
Protects the expression of an idea rather than the idea itself
Author controls how the work is distributed, reproduced or modified
Source code and object code are both copyrightable
Copyright lasts for the length of the author’s life plus an additional 70 years after the person dies.

Patent
A patent is a legal document issued to an inventor granting the inventor exclusive rights to an invention. The patent provides the inventor the right to exclude any other person from practicing the invention for a specified period.
Invention must be novel (possess newness) and non-obvious.
In the USA, patents are issued by the US Patent and Trademark Office.

Page 26: Cissp- Security and Risk Management

Intellectual Property Laws

Trade Secret
Maintains confidentiality of proprietary business-related data
Owner must adequately protect such data
Owner has invested substantial resources to produce such data
Data must provide competitive value, be proprietary to a company, and be important for its survival

Trademark
Protects a word, name, symbol, sound, shape, color or combination thereof which identifies a product or company and distinguishes it from others
Protects the “look and feel” of a company

Page 27: Cissp- Security and Risk Management

Global Legal and Regulatory Issues: Import/Export
Governmental laws that restrict import and export regimes
Terrorism is suspected in most cases
National security concerns, etc.

Trans-Border Data Flow
Similar concerns as above

Privacy
Very thorny issue here and abroad
Data breaches – many recent examples

Relevant Laws and Regulations
HIPAA, GLBA, FERPA (Family Educational Rights and Privacy Act), etc.

Page 28: Cissp- Security and Risk Management

Understand Professional Ethics
Regulatory Requirements for Ethics Programs
Topics in Computer Ethics
Common Computer Ethics Fallacies
Hacking and Hacktivism
Ethics Codes of Conduct and Resources
(ISC)2 Code of Professional Ethics
Support Organization’s Code of Ethics

Page 29: Cissp- Security and Risk Management

Develop & Implement Security Policy
Policy – High level management directives
Security policy – Defines how security is to be managed
Standards – Describe the specific requirements
Procedures – Step-by-step approach to accomplish a task
Guidelines – Recommendations (usually discretionary)
Baselines – Uniform ways of implementing a safeguard
Implementations – Must be well communicated

Page 30: Cissp- Security and Risk Management

Policies, Standards, Procedures, Guidelines, & Baselines:

Document     Example                                                                 Mandatory or Discretionary
Policy       Protect the CIA of PII by hardening the OS                              Mandatory
Standard     Use rugged Toshiba laptop hardware                                      Mandatory
Procedure    Step 1: Install pre-hardened OS image                                   Mandatory
Guidelines   Patch installation may be automated via the use of an installer script  Discretionary
Baselines    Use the Windows Hardening benchmark                                     Discretionary

Page 31: Cissp- Security and Risk Management

Business Continuity (BC) & Disaster Recovery (DR) Requirements
Project Initiation and Management
Develop and Document Project Scope and Plan
Conduct the Business Impact Analysis (BIA)
Identify and Prioritize
Assess Exposure to Outages
Recovery Point Objectives (RPO)

Page 32: Cissp- Security and Risk Management

BC – Proper Planning
An organization is more vulnerable after a disaster hits
Organization still has responsibilities even after a disaster (protection of confidential and sensitive assets)
Recovery is more than just having an offsite location
People must be trained to know what to do
Various recovery procedures need to be developed and documented
Understand organization’s vulnerabilities, true threats, and business impact of different types of disasters

Being proactive
Implementing redundant power supplies
Backing up communication mechanisms
Identifying single points of failure
Recognizing necessary fault tolerant solutions
Etc.

Page 33: Cissp- Security and Risk Management

Business Continuity Planning (BCP)
How an organization can stay in business even in a crippled state
Plan contains steps for continuing critical business functions using alternative mechanisms until normal operations can be resumed at the primary site or elsewhere.
Reduce overall impact of business interruption

Disaster Recovery Planning (DRP)
How to survive a disaster and how to handle the recovery process
Emergency response responsibilities and procedures
Plan lists and describes the efforts to resume normal operations at the primary site of business.
BCP and DRP may sound like the same thing, BUT they are not the same.

Page 34: Cissp- Security and Risk Management

Business Continuity Planning (BCP)
Business Continuity (BC) represents the final response of the organization when faced with an interruption of its critical operations.
More than 50% of all organizations that close their doors for more than a week never reopen, due to lack of planning.
BC is designed to get the organization’s most critical services up and running as quickly as possible.
DR rather focuses on resuming operations at the primary site; BCP concentrates on resuming critical functions at an alternate site.

Page 35: Cissp- Security and Risk Management

Where Do We Start From: Project Initiation
Management support sought
Make a business case:
Cost vs. benefit
Regulatory requirement
Current inherent vulnerabilities of organization
Ramifications of similar organizations not having such plans
Business issues of partners, insurance, and obtaining capital

Page 36: Cissp- Security and Risk Management

Where Do We Start: Senior Executive Management’s Role
Due diligence and due care
Drive all phases of the plan
Consistent support and final approval
Ensure that testing takes place
Create a budget for this work

Page 37: Cissp- Security and Risk Management

Why Is BCP/DRP a Hard Sell to Mgmt.
Resource intensive and takes years to complete
Direct return on investment (ROI) not perceived
Rather a drain on organization’s bottom line

Importance of Plan
Organization could vanish if not prepared
Capability of staying “up and running”, avoiding any significant down time
Lack of plan could affect insurance, liability, and business opportunities
Part of business decisions today (partners need to know, shareholders/board of trustees demand it, a regulatory MUST)
9/11 has fueled a change of attitudes about BCP

Page 38: Cissp- Security and Risk Management

Who Does It? BCP/DRP Teams
Group that will perform risk assessment and analysis
Representatives from different organization’s departments
Analysis must be performed before developing plan
A BCP coordinator must be appointed to oversee and execute:
A Business Impact Analysis
Plan development and implementation
Testing and plan maintenance

Page 39: Cissp- Security and Risk Management

BC Team Organization
Emphasis should be on generalized business and technology skills
BC team should have representatives from:
Senior management
Corporate functional units, including HR, Legal, and Accounting
IT managers and a few technical specialists with broad technical skill sets
InfoSec managers and a few technical specialists
BC team members cannot also be on the DR team

Page 40: Cissp- Security and Risk Management

BC Team Organization
BC team may be divided into sub-teams:
BC management team
Operations team
Computer setup (hardware) team
Systems recovery (OS) team
Network recovery team
Applications recovery team
Data management team
Logistics team

Page 41: Cissp- Security and Risk Management

BC Team Organization
BC management team: Command and control group responsible for all planning and coordination. Facilitates the transfer to the alternate site. Handles communications, business interface, and vendor contact functions.
Operations team: Works to establish core business functions needed to sustain critical business operations.
Computer setup (hardware) team: Sets up hardware in the alternate location.

Page 42: Cissp- Security and Risk Management

BC Team Organization
Systems recovery (OS) team: Installs operating systems on hardware, sets up user accounts and remote connectivity with the network team.
Network recovery team: Establishes short- and long-term networks, including hardware, wiring, and Internet and intranet connectivity.
Applications recovery team: Responsible for getting internal and external services up and running.

Page 43: Cissp- Security and Risk Management

BC Team Organization
Data management team: Responsible for data restoration and recovery.
Logistics team: Provides any needed supplies, materials, food, services, or facilities needed at the alternate site.

Page 44: Cissp- Security and Risk Management

BC Planning Process
Develop the BC planning policy statement
Review the BIA
Identify preventive controls
Develop relocation strategies
Develop the continuity plan
Testing, training, and exercises
Plan maintenance

Page 45: Cissp- Security and Risk Management

BC Planning Process
Purpose: Executive vision; primary purpose of the BC program
Scope: Organizational groups and units to which the policy applies
Roles and responsibilities: Identifies key players and their responsibilities
Resource requirements: Allocates specific resources to be dedicated to the development of the BC plan

Page 46: Cissp- Security and Risk Management

BC Planning Process
Training requirements: Training for various employee groups
Exercise and testing schedule: Stipulation for the frequency and type of testing for the BC plan
Plan maintenance schedule: Frequency of review and who is involved
Special considerations: Overview of information storage and retrieval plans and who is responsible

Page 47: Cissp- Security and Risk Management

Review the BIA
BIA contains the prioritized list of critical business functions
Should be reviewed for compatibility with the BC plan
BIA is usually acceptable as it was prepared and released by the Contingency Planning Management Team (CPMT).

Page 48: Cissp- Security and Risk Management

Identify Preventive Controls
Preventive controls should already have been identified and implemented as part of the ongoing information security activities
BC team should review and verify that data storage and recovery techniques are implemented, tested, and maintained

Page 49: Cissp- Security and Risk Management

Forming the Disaster Recovery Team
Should include members from IT, InfoSec, and other departments
DR team is responsible for planning for DR and for leading the DR process when a disaster is declared
Must consider the organization of the DR team and the needs for documentation and equipment

Page 50: Cissp- Security and Risk Management

Forming the Disaster Recovery Team
DR team:
Should include representatives from every major organizational unit
Should be separate from other contingency-related teams
May include senior management, corporate support units, facilities, fire and safety, maintenance, IT, InfoSec
May be advisable to divide the team up into sub-teams.

Page 51: Cissp- Security and Risk Management

Forming the Disaster Recovery Team
Sub-teams may include:
Disaster management team: command and control, responsible for planning and coordination
Communications: public relations and legal representatives to interface with senior management and the general public
Computer recovery (hardware): recovers physical computing assets
Systems (OS) recovery: recovers operating systems
Network recovery: recovers network wiring and hardware

Page 52: Cissp- Security and Risk Management

Forming the Disaster Recovery Team
Sub-teams (continued):
Business interface: works with the remainder of the organization to assist in recovery of non-technology functions
Logistics: provides supplies, space, materials, food, services, or facilities needed at the primary site
Other teams needed to reestablish key business functions as needed

Page 53: Cissp- Security and Risk Management

Disaster Recovery Team
Guidelines are found in the NIST Contingency Planning Guide for Information Technology Systems
Planning process steps:
Develop the DR planning policy statement
Review the business impact analysis (BIA)
Identify preventive controls
Develop recovery strategies
Develop the DR plan document
Test, train, and rehearse
Plan maintenance

Page 54: Cissp- Security and Risk Management

Disaster Recovery Team
Purpose: Provide for the direction and guidance of any and all DR operations. Must include executive vision and commitment. Business disaster recovery policy should apply to the entire organization.
Scope: Identifies the organizational units and groups of employees to which the policy applies
Roles and responsibilities: Identifies the key players and their responsibilities

Page 55: Cissp- Security and Risk Management

Disaster Recovery Team
Resource requirements: Identifies any specific resources to be dedicated to the development of the DR plan
Training requirements: Details training related to the DR plan
Exercise and testing schedules: Specifies the frequency of testing of the DR plan
Plan maintenance schedules: Details the schedule for review and update of the plan

Page 56: Cissp- Security and Risk Management

Disaster Recovery Team
Special considerations: May include issues such as information storage and retrieval plans, off-site and on-site backup schemes, or other issues

Review the BIA within the DR context
Ensure that the BIA is compatible with the DR-specific plans and operations
BIA is usually acceptable as it was prepared and released by the Contingency Planning Management Team (CPMT).

Page 57: Cissp- Security and Risk Management

Business Impact Analysis (BIA)
Identify organization’s critical business functions
Identify functions’ resource requirements
Calculate how long these functions can operate without such resources
Identify vulnerabilities and threats to the functions
Calculate risk for each different business function
Develop backup solutions based on tolerable outage times
Develop recovery solutions for the organization’s individual departments and for the organization as a whole

Page 58: Cissp- Security and Risk Management

Identifying the Most Critical Functions
If Function “X” Is Not Up and Running…
How much will this affect the revenue stream?
How much will this affect the production environment?
How much will it increase operational expenses?
How much will it affect the organization’s reputation and public confidence?
How much will the organization possibly lose its competitive edge?
How much will it result in violations of contract agreements or regulations?
What delayed costs could be endured?
What hidden costs are not accounted for?

Page 59: Cissp- Security and Risk Management

Identifying Interdependencies
It is difficult but very important.
When the activities of functions A and B are mutually reliant on each other to successfully complete operational activities.
When activities of function B cannot be performed without the input from the activities of function A. Failure to receive input from A results in incomplete or inadequate implementation of B activities.
Identifying interdependencies is difficult because an organization truly needs to understand how its functions work together.
Many times there are subtle interdependencies that are easily missed in the equation.

Page 60: Cissp- Security and Risk Management

Identifying Functions’ Resources
Critical Items for Certain Functions to Run…
Specific types of technologies
Necessary software
Communication mechanisms
Electrical power
Safe environment for workers
Access to specific outside entities
Networked production environment
Physical production environment
Specific supplies
Interdepartmental communications
Etc.

Page 61: Cissp- Security and Risk Management

Identifying Vulnerabilities and Threats
Threat Types
Man-made: Strikes, riots, fires, terrorism, hackers, vandals, burglars
Natural: Fires, tornadoes, floods, hurricanes, earthquakes
Technical: Power outage, device failure, loss of communication lines

Page 62: Cissp- Security and Risk Management

Disaster Types (Categories)
Non-disaster: Disruption of service; device failure; software malfunction
Disaster: Entire facility unusable for a day or more
Catastrophe: Facility totally destroyed

Page 63: Cissp- Security and Risk Management

Survival Without Resources? Maximum Tolerable Downtime (MTD)
NIST Guidelines:
Non-essential = 30 days
Normal = 7 days
Important = 72 hours
Urgent = 24 hours
Critical = Minutes to hours

Each Function/Resource Must Have an MTD Calculated
It outlines the criticality of individual functions and resources
It also helps indicate which functions or resources need backup options developed:
Hot swappable devices
Software and data backups
Facility space

Page 64: Cissp- Security and Risk Management

Alternate Sites
Organization-owned & Subscription Services (Exclusive Use Strategies):
Hot site – fully configured computer facility with all services, communication links, and physical plant operations.
Warm site – similar to a hot site, but software and/or client workstations may not be included.
Cold site – provides only rudimentary services and facilities, no computer hardware.
Mobile site – configured like a hot site except that this is on wheels.

The major deciding factor for exclusive use strategies is cost.

Page 65: Cissp- Security and Risk Management

Alternate Sites
Other Options:
Reciprocal agreements
Prefabricated facility
Time-share

Page 66: Cissp- Security and Risk Management

Results from the BIA
Result contains:
Identified critical functions and required resources
MTD for each function and resource
Identified threats and vulnerabilities
Impact the company will endure with each threat
Calculation of risk
Protection and recovery solutions

Document and present to management for approval.
The results from the BIA are used to create a BCP/DRP.

Page 67: Cissp- Security and Risk Management

BCP/DRP Plan Design and Development – Some Items to Include
Emergency response
Personnel responsibility/notification
Backups and off-site storage
Communications
Utilities
Logistics and supplies
Documentation
Business resumption planning

Page 68: Cissp- Security and Risk Management

Implementation
Training
Testing/Drills and assessment
Recovery procedures
Maintenance

Page 69: Cissp- Security and Risk Management

Training
Systematic approach to training is required to support the BCP/DRP plans
A sufficient number of qualified staff members must be cross-trained to ensure coverage
Trained staff must also have the required credentials to be able to execute the actions required by the plan

Page 70: Cissp- Security and Risk Management

SECURITY & RISK MANAGEMENT

Testing and Drills

Testing Characteristics:
- Testing helps to indicate if an organization can actually recover.
- Testing should be an annual affair or be done after significant changes have occurred in the environment.
- Identifies items that need to be improved upon (expect mistakes).

Action:
- Decide on the type of drill (Classroom/tabletop or Functional)
- Create a disaster scenario
- Create goals to be accomplished during the drill
- Run the drill
- Report results to management

Page 71: Cissp- Security and Risk Management

SECURITY & RISK MANAGEMENT

Types of Tests
- Checklist Test: Copies of the BCP/DRP are distributed to functional managers; they review the parts that address their department.
- Structured Walk-Through: A meeting is held where functional managers go (walk) through the entire plan.
- Simulation Test: Carry out or practice a disaster scenario; could involve the actual offsite facility.
- Parallel Test: Test conducted including parallel processing from the offsite facility.
- Full-Interruption Test: The original site is shut down; all processing takes place at the offsite facility.

Page 72: Cissp- Security and Risk Management

SECURITY & RISK MANAGEMENT

Recovery Procedures
- Procedures on what to do, when to do it, and in which sequence.
- Procedures should cover several different types of events.
- Copies of recovery plans should be kept offsite or in another safe location.
- Employees must be taught and drilled.
- The least critical department/function/resources should be moved first to the restored primary location.

Page 73: Cissp- Security and Risk Management

SECURITY & RISK MANAGEMENT

BCP/DRP Plan Maintenance

Ongoing maintenance of the BC/DR plan is a major commitment for an organization.

Maintenance includes:
- Effective after-action review meetings
- Plan review and maintenance
- Ongoing training of staff involved in incident response
- Rehearsal process to maintain readiness of the BC/DR plan

Page 74: Cissp- Security and Risk Management

SECURITY & RISK MANAGEMENT

The After-Action Review
- After-action review (AAR): a detailed examination of events that occurred from incident detection to recovery.
- Identifies areas of the BC/DR plans that worked, didn't work, or need improvement.
- AARs are conducted with all participants in attendance.
- The AAR is recorded for use as a training case.
- The AAR brings the BCP/DRP teams' actions to a close.

Page 75: Cissp- Security and Risk Management

SECURITY & RISK MANAGEMENT

The After-Action Review (AAR)

The AAR serves several purposes:
- Documents the lessons learned and generates BC/DR plan improvements
- Is a historical record of events, for possible legal proceedings
- Becomes a case training tool
- Provides closure to the incident

Page 76: Cissp- Security and Risk Management

SECURITY & RISK MANAGEMENT

Manage Personnel Security
- Employment Candidate Screening
- Employment Agreements and Policies
- Employee Termination Processes
- Vendor, Consultant, and Contractor Controls
- Privacy

Page 77: Cissp- Security and Risk Management

SECURITY & RISK MANAGEMENT

Risk Management Concepts
- Organizational Risk Management Concepts
- Risk Assessment Methodologies
- Identify Threats and Vulnerabilities
- Risk Assessment/Analysis
- Countermeasure Selection
- Implementation of Risk Countermeasures
- Types of Controls
- Access Control Types
- Controls Assessment/Monitoring and Measuring

Page 78: Cissp- Security and Risk Management

SECURITY & RISK MANAGEMENT

Risk Analysis
- Quantitative Analysis (ALE = SLE x ARO)
  - ALE = Annualized Loss Expectancy (a dollar amount that estimates the loss potential from a risk in the span of a year)
  - SLE = Single Loss Expectancy (a dollar amount assigned to a single event that represents the company's potential loss)
  - ARO = Annualized Rate of Occurrence (the frequency with which a threat is expected to occur in a period of one year)
- Qualitative Analysis (Delphi Method)
- Quantitative vs. Qualitative (Pros & Cons)
- Protection Mechanisms/Countermeasures Selection
- Total Risk vs. Residual Risk
- Risk Control Strategies
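The ALE = SLE x ARO formula carried through as an added worked example (not part of the ASM slides): it computes SLE and ALE for a risk, the residual ALE after a safeguard changes the frequency or exposure, and the annual value of that safeguard, which is how a countermeasure is justified in quantitative analysis. All asset values, exposure factors and frequencies are constructed sample numbers.

```python
"""Quantitative risk analysis: ALE = SLE x ARO, plus safeguard cost/benefit.

Added illustration of the slide's formula; figures below are constructed samples,
not data from the slides.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: dollar value of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost in one event (0.0 to 1.0)
    aro: float              # ARO: expected number of occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy: dollar loss from one occurrence (AV x EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE x ARO."""
        return self.sle() * self.aro


def residual_ale(risk: Risk, aro_after: float, ef_after: Optional[float] = None) -> float:
    """ALE that remains after a safeguard lowers the ARO (and optionally the EF)."""
    ef = risk.exposure_factor if ef_after is None else ef_after
    return risk.asset_value * ef * aro_after


def safeguard_value(risk: Risk, annual_cost: float, aro_after: float,
                    ef_after: Optional[float] = None) -> float:
    """Annual net value of a safeguard: ALE before - ALE after - annual cost.

    A positive result means the control pays for itself (mitigation is justified);
    a negative one argues for accepting or transferring the remaining risk instead.
    """
    return risk.ale() - residual_ale(risk, aro_after, ef_after) - annual_cost


def rank_by_ale(risks: list) -> list:
    """Order risks by ALE, highest first, to prioritise countermeasure selection."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed sample: ransomware on a file server worth $500k, 40% of value lost per
# event, expected once every two years; offline backups cut ARO to 0.1 and EF to 0.1.
RANSOMWARE = Risk("ransomware on file server", 500_000.0, 0.4, 0.5)
LAPTOP_THEFT = Risk("unencrypted laptop theft", 3_000.0, 1.0, 4.0)

if __name__ == "__main__":
    for r in rank_by_ale([LAPTOP_THEFT, RANSOMWARE]):
        print(f"{r.name}: SLE=${r.sle():,.0f} ARO={r.aro} ALE=${r.ale():,.0f}")
    print(f"backup safeguard net value: ${safeguard_value(RANSOMWARE, 30_000.0, 0.1, 0.1):,.0f}")
```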

Page 79: Cissp- Security and Risk Management

SECURITY & RISK MANAGEMENT

Risk Control Strategies
- Avoidance: Apply safeguards that eliminate or reduce the remaining uncontrolled risks for a particular vulnerability.
- Transfer: Transfer risks to outside entities or other areas of the organization.
- Acceptance: Understand the consequences and accept the risk.
- Mitigation: Put in place controls to reduce the impact should vulnerabilities be exploited.

Page 80: Cissp- Security and Risk Management

SECURITY & RISK MANAGEMENT

Risk Management Concepts Cont'd
- Controls Assessment/Monitoring and Measuring
- Tangible and Intangible Asset Valuation
- Continuous Improvement
- Risk Management Frameworks

A risk framework is a guideline or recipe for how risk is to be assessed, resolved, and monitored. The primary example of a risk framework referenced by the CISSP exam is that defined by NIST in Special Publication 800-37.

This publication provides guidelines for applying the Risk Management Framework (RMF) to federal information systems. The six-step RMF includes security categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring.

Page 81: Cissp- Security and Risk Management

SECURITY & RISK MANAGEMENT

Threat Modeling
- Threat modeling is the security process where potential threats are identified, categorized, and analyzed.
- Threat modeling can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed.
- Whether a proactive or reactive measure, the process identifies the potential harm, the probability of occurrence, the priority of concern, and the means to eradicate or reduce the threat.
- Determining Potential Attacks and Reduction Analysis
- Technologies & Processes to Remediate Threats

Page 82: Cissp- Security and Risk Management

SECURITY & RISK MANAGEMENT

Acquisitions Strategy and Practice – Hardware, Software & Services

Organizations must implement supply chain risk management programs to proactively address exposures that could disrupt the supply chain.

Manage Third-Party Governance (i.e. Cloud Computing, etc.). When evaluating a third party for your security integration, consider the following processes:
- On-site assessment
- Document reviews
- Process/Policy reviews

Minimum Security & Service-Level Requirements

For all acquisitions, establish minimum security requirements. These should be modeled from your existing security policy.

When purchases are made without security considerations, the risks inherent in those products remain throughout their deployment lifespan.

Page 83: Cissp- Security and Risk Management

SECURITY & RISK MANAGEMENT

Security Education, Training, & Awareness
- Policies define what an organization needs to accomplish with regard to information security.
- Formal security awareness training is usually included in the organization's information security policies.
- Security awareness training is a method by which organizations inform employees and all stakeholders about their roles, and the expectations involving those roles, in the observance of information security requirements.
- Additionally, training provides guidance in the performance of certain risk management functions.
- Educated (security-aware) users help an organization to fulfill its security program objectives and, in addition, facilitate certain regulatory compliance (such as HIPAA, SOX, GLBA, etc.), if so required.

Page 84: Cissp- Security and Risk Management

SECURITY & RISK MANAGEMENT

Training Topics
- Corporate security policies
- The organization's security program
- Regulatory compliance requirements for the organization
- Social engineering
- Malware
- Business continuity
- Disaster recovery
- Security incident response
- Data classification
- Personnel security
- Appropriate use of computing resources
- Ethics
- Physical security, etc.

Page 85: Cissp- Security and Risk Management

SECURITY & RISK MANAGEMENT

Awareness Activities & Methods – Creating a Culture of Awareness
- Formalized courses, delivered in the classroom using slides, handouts, or books, or via computer-based training (CBT).
- Use of posters that call attention to security awareness, such as emphasizing password protection, personnel security, and social engineering, among other issues.
- Business unit walk-throughs to aid employees in identifying unacceptable practices, such as posting passwords on post-it notes in conspicuous places.
- Emphasis on maintaining "clean desk" practices as the acceptable norm.
- Use the organization's intranet to post security reminders.
- Appoint security awareness mentors to aid with FAQs and concerns from employees.

Page 86: Cissp- Security and Risk Management

SECURITY & RISK MANAGEMENT

Awareness Activities & Methods – Creating a Culture of Awareness – cont'd
- Sponsor an enterprise-wide security awareness day, complete with security activities, quizzes, prizes, and recognition of the winners.
- Sponsor an event with an external partner such as the ISSA, ISACA, ISC2, SANS, etc.
- Provide trinkets for the users within an organization.
- Consider a special event day, week, or month that coincides with industry or world awareness events such as the Global Security Awareness Week (annually in September) and the Security Awareness Month (annually in October).
- Provide security management videos, books/pamphlets, etc.

Page 87: Cissp- Security and Risk Management

SECURITY & RISK MANAGEMENT

Job Training
- Security training to assist security personnel in enhancing and developing their skill sets relative to the performance of their core functions.
- Training must be clearly aligned with security risk management activities.

Performance Metrics
- It is important that the organization tracks performance relative to security for the purpose of both enforcement and enhancement of risk management initiatives.
- Users must acknowledge their security responsibilities by signing off after the training and also provide feedback.
- Measurement can include periodic walk-throughs of business units, periodic quizzes to keep staff up to date, surprise visits by mentors, etc.

Page 88: Cissp- Security and Risk Management

GOOD LUCK!

ASM EDUCATIONAL CENTER INC. (ASM)
WHERE TRAINING, TECHNOLOGY & SERVICE CONVERGE
WWW.ASMED.COM