CISSP - Security and Risk Management
TRANSCRIPT
ASM EDUCATIONAL CENTER INC. (ASM) - WHERE TRAINING, TECHNOLOGY & SERVICE CONVERGE
WWW.ASMED.COM

CISSP - SECURITY & RISK MANAGEMENT
OVERVIEW OF DOMAIN:
- Addresses the framework and policies, concepts, principles, structures, and standards required for the effective protection and management of information assets.
- Touches on the issues of governance, organizational behavior, and security awareness in general.
- Enterprise-wide business continuity/disaster recovery plans (BC/DRP) are also discussed comprehensively.
- Emphasizes the administrative, technical, and physical controls required for the effective protection of the confidentiality, integrity, and availability of information assets.
SECURITY & RISK MANAGEMENT
The C.I.A. Triad: Confidentiality, Integrity, Availability
Confidentiality: Ensures that data and system resources are private and remain secure against unauthorized access. Confidentiality can be enforced by the use of passwords, firewalls, and encryption to secure data. Confidentiality supports the principles of least privilege and need-to-know. A security architect must use an important measure such as data classification to ensure confidentiality. Encryption may also be used to restrict the usability of information in the event it is accessed by an unauthorized user.
Integrity: Integrity is about the trustworthiness and correctness of data. It means preventing the modification of data by unauthorized users, and preventing the unauthorized or unintentional modification of data by authorized users. Integrity applies to both data at rest and data in transit. Controls such as “segregation of duties” may be employed to enforce integrity.
Availability: Information resources must be available and accessible to authorized users at all times. Availability may be affected by denial-of-service attacks, and loss of service in times of disasters of all kinds may also affect availability. Controls such as up-to-date, active malicious code detection mechanisms and a robust business continuity plan may help prevent loss of service.
Security Governance: Organizational or corporate governance has existed since time immemorial to ensure efficient operation via control structures. Since information security has become an integral part of every organization, it is absolutely necessary for a governance structure to be in place. Information security must also be properly aligned with the mission of the organization. Information security governance provides a platform for upper management and the board of directors (BOD) to exercise their oversight of enterprise risk management, keeping risk at the required acceptable level.
The intent of governance is to provide some assurance that appropriate mechanisms are in place to reduce risks (note that risk cannot be completely eliminated).
Executive management must be fully committed to providing the investment required for information security activities.
The IT Governance Institute (ITGI) defines IT governance as being “the responsibility of the board of directors and executive management”.
The ITGI also proposes that information security governance must be considered part of IT governance and that the BOD should:
- Be informed about security
- Set direction to drive policy and strategy
- Provide resources to security efforts
- Assign management responsibilities
- Set priorities
- Support changes required
- Define cultural values related to risk assessment
- Obtain assurance from internal and external auditors
- Insist that security investments are made measurable and reported on for program effectiveness
In addition, the ITGI suggests that management should:
- Write security policies with business input
- Ensure that roles and responsibilities are clearly defined and understood
- Identify threats and vulnerabilities
- Implement security infrastructures and control frameworks (standards, guidelines, baselines, and procedures)
- Ensure that policy is approved by the governing body
- Establish priorities and implement security projects in a timely manner
- Monitor breaches
- Conduct periodic reviews and tests
- Reinforce awareness education as critical
- Build security into the systems development life cycle
Security Governance: Goals, Mission, and Objectives of the Organization
- Information security must support and enable the vision, mission, and business objectives of the organization.
- It must ensure the interrelationships among risk assessment, policy implementation, response controls, promoting awareness, monitoring effectiveness, and so on.
Security Governance: Organizational Processes
- Acquisitions and mergers
- Divestitures and spinoffs
- Governance committees
Security Roles and Responsibilities
- Today’s organizational structure
- Role of the Information Security Officer
- Communicate risks to executive management
Security Governance: Information Security Strategies
- Strategic planning – Long term (3 to 5 years); must be aligned with business objectives.
- Tactical planning – Short term (6 to 18 months), used to achieve specific goals. May consist of multiple projects.
- Operational and project planning – Specific plans with milestones, dates, and accountabilities that provide communication and direction for project completion.
The Complete & Effective Security Program: Oversight Committee Representation
- Security council vision statement
- Mission statement
- Security program oversight
- End users
- Executive management
- Information Systems Security Professionals
The Complete & Effective Security Program: Control Frameworks
Many organizations adopt control frameworks to ensure security and privacy. Frameworks provide consistency, metrics, standards, etc. NIST SP 800-53 revision 4 is one such framework, made up of 285 controls under 19 families.
The Complete & Effective Security Program: Due Care
Due Care: Exercising a “prudent man’s judgment” to protect an organization’s assets. Failure to exercise due care leads to legal liability (negligence) that may be civil, criminal, or both.
Due Diligence: Investigative steps taken by management in an effort to protect the assets of the organization. Due diligence complements the execution of due care.
Compliance
- Compliance – HIPAA, GLBA, PCI-DSS, etc.
- Governance, Risk Management, and Compliance (GRC)
- Legislative and Regulatory Compliance
- Privacy Requirements Compliance
The Many Facets of Cyber Laws
- Computer crimes are relatively new in our society.
- Many laws and regulations, albeit inadequate, try to handle the many challenges faced in this arena of crime.
- Judicial systems are experiencing growing pains at the complexities of these crimes and have inadequate resources, human and otherwise, to handle them.
The Crux of Computer Crime Laws
- Cyber laws around the world deal with incidents such as unauthorized modification or destruction of data, disclosure of sensitive information, unauthorized access, and the distribution of malware, among many others.
- Laws have been created to deal with certain categories of computer crimes.
Computer Crimes
To be able to deal effectively with computer crimes we need to understand the general categories of computer crimes:
Computer as a target
- Involves sabotage of computers and networks
- Involves stealing of information, such as intellectual property or marketing information, that is stored on computers
- Examples of crimes in this category may include DoS attacks, sniffers, and password attacks
Computer as the instrument
- Where computers are used as a means to perpetrate crimes or create chaos for an organization
- Includes theft of money from online bank accounts and fraudulent use of credit card information, as well as telecommunications fraud
Computer Crimes
Computer as incidental to other crimes
- Involves crimes where computers are not really necessary for the crime to be committed; instead, computers facilitate these crimes and make them difficult to detect
- Examples of crimes in this category may include money laundering and unlawful activities on bulletin board systems
Crimes associated with the prevalence of computers
- Includes crimes resulting from the popularity of computers
- Crimes in this category are usually traditional in nature, but the targets are ever evolving
- Examples include copyright violations of computer programs, software and movie piracy, and black marketing of computer peripherals
Computer Crimes
Please bear in mind that although computer crimes can be categorized, a single criminal transaction can result in multiple crime categories. Therefore, there can be an overlap between such classifications.
Motivation for Computer Crimes
- Grudge (against a company or an individual)
- Political reasons (terrorist activities, information warfare)
- Financial reasons
- Business (competitive intelligence)
- Fun (script kiddies)
MOM: M - motive, O - opportunity, M - means
Global Legal and Regulatory Issues: Computer/Cyber Crime
- CryptoLocker Ransomware – Spreads via email and propagates rapidly. Encrypts various file types; a pop-up window then appears to inform the user about the actions performed on the computer and demands a monetary payment for the files to be decrypted.
- Child Pornography Scareware – A user might visit an infected site, and the scareware would lock up the computer and claim that laws have been violated. Extortion is then set in motion.
- Fake or Rogue Anti-Virus Software – Via a pop-up window, victims are scared into purchasing anti-virus software that would allegedly remove viruses from their computers. By clicking on the pop-up message, the computer is then infected with all kinds of malware.
Global Legal and Regulatory Issues: Licensing and Intellectual Property
- Unlike criminal laws, intellectual property laws do not look at what is right or wrong. Instead, intellectual property laws help to define how individuals or organizations can protect the resources that are rightfully theirs.
- Intellectual property laws also help to define the course of action that an individual or an organization should take in case the law is violated.
- But to be able to prosecute the offender, the individual or the organization must be able to prove that he/she/it did everything possible to protect the resources.
Intellectual Property Laws
Copyright
- Protects “original works of authorship”
- Protects the expression of an idea rather than the idea itself
- The author controls how the work is distributed, reproduced, or modified
- Source code and object code are both copyrightable
- Copyright lasts for the length of the author’s life plus an additional 70 years after the person dies
Patent
- A patent is a legal document issued to an inventor granting the inventor exclusive rights to an invention
- The patent provides the inventor the right to exclude any other person from practicing the invention for a specified period
- The invention must be novel (possess newness) and non-obvious
- In the USA, patents are issued by the US Patent and Trademark Office
Intellectual Property Laws
Trade Secret
- Maintains confidentiality of proprietary business-related data
- The owner must adequately protect such data
- The owner has invested substantial resources to produce such data
- The data must provide competitive value, be proprietary to the company, and be important for its survival
Trademark
- Protects a word, name, symbol, sound, shape, color, or combination thereof which identifies a product or company and distinguishes it from others
- Protects the “look and feel” of a company
Global Legal and Regulatory Issues: Import/Export
- Governmental laws restrict import and export regimes
- Terrorism is suspected in most cases
- National security concerns, etc.
Trans-Border Data Flow
- Similar concerns as above
Privacy
- A very thorny issue here and abroad
- Data breaches – many recent examples
Relevant Laws and Regulations
- HIPAA, GLBA, FERPA (Family Educational Rights and Privacy Act), etc.
Understand Professional Ethics
- Regulatory Requirements for Ethics Programs
- Topics in Computer Ethics
- Common Computer Ethics Fallacies
- Hacking and Hacktivism
- Ethics Codes of Conduct and Resources
- (ISC)2 Code of Professional Ethics
- Support the Organization’s Code of Ethics
Develop & Implement Security Policy
- Policy – High-level management directives
- Security policy – Defines how security is to be managed
- Standards – Describe the specific requirements
- Procedures – Step-by-step approach to accomplish a task
- Guidelines – Recommendations (usually discretionary)
- Baselines – Uniform ways of implementing a safeguard
- Implementations – Must be well communicated
Policies, Standards, Procedures, Guidelines, & Baselines

Document    | Example                                                                | Mandatory or Discretionary
------------|------------------------------------------------------------------------|---------------------------
Policy      | Protect the CIA of PII by hardening the OS                             | Mandatory
Standard    | Use rugged Toshiba laptop hardware                                     | Mandatory
Procedure   | Step 1: Install pre-hardened OS image                                  | Mandatory
Guidelines  | Patch installation may be automated via the use of an installer script | Discretionary
Baselines   | Use the Windows Hardening benchmark                                    | Discretionary
Business Continuity (BC) & Disaster Recovery (DR) Requirements
- Project Initiation and Management
- Develop and Document Project Scope and Plan
- Conduct the Business Impact Analysis (BIA)
- Identify and Prioritize
- Assess Exposure to Outages
- Recovery Point Objectives (RPO)
BC - Proper Planning
- An organization is more vulnerable after a disaster hits
- The organization still has responsibilities even after a disaster (protection of confidential and sensitive assets)
- Recovery is more than just having an offsite location
- People must be trained to know what to do
- Various recovery procedures need to be developed and documented
- Understand the organization’s vulnerabilities, true threats, and the business impact of different types of disasters
Being proactive
- Implementing redundant power supplies
- Backing up communication mechanisms
- Identifying single points of failure
- Recognizing necessary fault-tolerant solutions
- Etc.
Business Continuity Planning (BCP)
- How an organization can stay in business even in a crippled state
- The plan contains steps for continuing critical business functions using alternative mechanisms until normal operations can be resumed at the primary site or elsewhere
- Reduces the overall impact of business interruption
Disaster Recovery Planning (DRP)
- How to survive a disaster and how to handle the recovery process
- Emergency response responsibilities and procedures
- The plan lists and describes the efforts to resume normal operations at the primary site of business
BCP and DRP may sound like the same thing, BUT they are not the same.
Business Continuity Planning (BCP)
- Business Continuity (BC) represents the final response of the organization when faced with an interruption of its critical operations
- More than 50% of all organizations that close their doors for more than a week never reopen, due to lack of planning
- BC is designed to get the organization’s most critical services up and running as quickly as possible
- DR focuses on resuming operations at the primary site; BCP concentrates on resuming critical functions at an alternate site
Where Do We Start From: Project Initiation
- Management support sought
- Make a business case:
  - Cost vs. benefit
  - Regulatory requirement
  - Current inherent vulnerabilities of the organization
  - Ramifications for similar organizations not having such plans
  - Business issues of partners, insurance, and obtaining capital
Where Do We Start: Senior Executive Management’s Role
- Due diligence and due care
- Drive all phases of the plan
- Consistent support and final approval
- Ensure that testing takes place
- Create a budget for this work
Why Is BCP/DRP a Hard Sell to Management?
- Resource intensive and takes years to complete
- Direct return on investment (ROI) not perceived
- Seen rather as a drain on the organization’s bottom line
Importance of the Plan
- The organization could vanish if not prepared
- Capability of staying “up and running”, avoiding any significant downtime
- Lack of a plan could affect insurance, liability, and business opportunities
- Part of business decisions today (partners need to know, shareholders/board of trustees demand it, a regulatory MUST)
- 9/11 has fueled a change of attitudes about BCP
Who Does It? BCP/DRP Teams
- The group that will perform risk assessment and analysis
- Representatives from the organization’s different departments
- Analysis must be performed before developing the plan
- A BCP coordinator must be appointed to oversee and execute:
  - The Business Impact Analysis
  - Plan development and implementation
  - Testing and plan maintenance
BC Team Organization
- Emphasis should be on generalized business and technology skills
- The BC team should have representatives from:
  - Senior management
  - Corporate functional units, including HR, Legal, and Accounting
  - IT managers and a few technical specialists with broad technical skill sets
  - InfoSec managers and a few technical specialists
- BC team members cannot also be on the DR team
BC Team Organization
The BC team may be divided into sub-teams:
- BC management team
- Operations team
- Computer setup (hardware) team
- Systems recovery (OS) team
- Network recovery team
- Applications recovery team
- Data management team
- Logistics team
BC Team Organization
- BC management team: Command and control group responsible for all planning and coordination. Facilitates the transfer to the alternate site. Handles communications, business interface, and vendor contact functions.
- Operations team: Works to establish the core business functions needed to sustain critical business operations.
- Computer setup (hardware) team: Sets up hardware in the alternate location.
BC Team Organization
- Systems recovery (OS) team: Installs operating systems on the hardware, sets up user accounts, and establishes remote connectivity together with the network team.
- Network recovery team: Establishes short- and long-term networks, including hardware, wiring, and Internet and intranet connectivity.
- Applications recovery team: Responsible for getting internal and external services up and running.
BC Team Organization
- Data management team: Responsible for data restoration and recovery.
- Logistics team: Provides any needed supplies, materials, food, services, or facilities needed at the alternate site.
BC Planning Process
- Develop the BC planning policy statement
- Review the BIA
- Identify preventive controls
- Develop relocation strategies
- Develop the continuity plan
- Testing, training, and exercises
- Plan maintenance
BC Planning Process
- Purpose: Executive vision; the primary purpose of the BC program
- Scope: Organizational groups and units to which the policy applies
- Roles and responsibilities: Identifies key players and their responsibilities
- Resource requirements: Allocates specific resources to be dedicated to the development of the BC plan
BC Planning Process (continued)
- Training requirements: Training for various employee groups
- Exercise and testing schedule: Stipulates the frequency and type of testing for the BC plan
- Plan maintenance schedule: Frequency of review and who is involved
- Special considerations: Overview of information storage and retrieval plans and who is responsible
Review the BIA
- The BIA contains the prioritized list of critical business functions
- It should be reviewed for compatibility with the BC plan
- The BIA is usually acceptable as it was prepared and released by the Contingency Planning Management Team (CPMT)
Identify Preventive Controls
- Preventive controls should already have been identified and implemented as part of the ongoing information security activities
- The BC team should review and verify that data storage and recovery techniques are implemented, tested, and maintained
Forming the Disaster Recovery Team
- Should include members from IT, InfoSec, and other departments
- The DR team is responsible for planning for DR and for leading the DR process when a disaster is declared
- Must consider the organization of the DR team and the needs for documentation and equipment
Forming the Disaster Recovery Team
The DR team:
- Should include representatives from every major organizational unit
- Should be separate from other contingency-related teams
- May include senior management, corporate support units, facilities, fire and safety, maintenance, IT, InfoSec
- It may be advisable to divide the team into sub-teams
Forming the Disaster Recovery Team
Sub-teams may include:
- Disaster management team: command and control, responsible for planning and coordination
- Communications: public relations and legal representatives to interface with senior management and the general public
- Computer recovery (hardware): recovers physical computing assets
- Systems (OS) recovery: recovers operating systems
- Network recovery: recovers network wiring and hardware
Forming the Disaster Recovery Team
Sub-teams (continued):
- Business interface: works with the remainder of the organization to assist in recovery of non-technology functions
- Logistics: provides supplies, space, materials, food, services, or facilities needed at the primary site
- Other teams needed to reestablish key business functions, as needed
Disaster Recovery Team
Guidelines are found in the NIST Contingency Planning Guide for Information Technology Systems. Planning process steps:
- Develop the DR planning policy statement
- Review the business impact analysis (BIA)
- Identify preventive controls
- Develop recovery strategies
- Develop the DR plan document
- Test, train, and rehearse
- Plan maintenance
Disaster Recovery Team
- Purpose: Provides for the direction and guidance of any and all DR operations. Must include executive vision and commitment. The business disaster recovery policy should apply to the entire organization.
- Scope: Identifies the organizational units and groups of employees to which the policy applies
- Roles and responsibilities: Identifies the key players and their responsibilities
Disaster Recovery Team
- Resource requirements: Identifies any specific resources to be dedicated to the development of the DR plan
- Training requirements: Details training related to the DR plan
- Exercise and testing schedules: Specifies the frequency of testing of the DR plan
- Plan maintenance schedules: Details the schedule for review and update of the plan
Disaster Recovery Team
- Special considerations: May include issues such as information storage and retrieval plans, off-site and on-site backup schemes, or other issues
Review the BIA within the DR context
- Ensure that the BIA is compatible with the DR-specific plans and operations
- The BIA is usually acceptable as it was prepared and released by the Contingency Planning Management Team (CPMT)
Business Impact Analysis (BIA)
- Identify the organization’s critical business functions
- Identify the functions’ resource requirements
- Calculate how long these functions can operate without such resources
- Identify vulnerabilities and threats to the functions
- Calculate risk for each different business function
- Develop backup solutions based on tolerable outage times
- Develop recovery solutions for the organization’s individual departments and for the organization as a whole
Identifying the Most Critical Functions
If Function “X” is not up and running:
- How much will this affect the revenue stream?
- How much will this affect the production environment?
- How much will it increase operational expenses?
- How much will it affect the organization’s reputation and public confidence?
- How much of its competitive edge could the organization lose?
- How much will it result in violations of contract agreements or regulations?
- What delayed costs could be incurred?
- What hidden costs are not accounted for?
Identifying Interdependencies
It is difficult but very important.
- When the activities of functions A and B are mutually reliant on each other to successfully complete operational activities.
- When the activities of function B cannot be performed without input from the activities of function A: failure to receive input from A results in incomplete or inadequate performance of B’s activities.
- Identifying interdependencies is difficult because an organization truly needs to understand how its functions work together.
- Many times there are subtle interdependencies that are easily missed in the equation.
Identifying Functions’ Resources
Critical items for certain functions to run:
- Specific types of technologies
- Necessary software
- Communication mechanisms
- Electrical power
- Safe environment for workers
- Access to specific outside entities
- Networked production environment
- Physical production environment
- Specific supplies
- Interdepartmental communications
- Etc.
Identifying Vulnerabilities and Threats
Threat types:
- Man-made: Strikes, riots, fires, terrorism, hackers, vandals, burglars
- Natural: Fires, tornadoes, floods, hurricanes, earthquakes
- Technical: Power outage, device failure, loss of communication lines
Categories of Disaster Types
- Non-disaster: Disruption of service; device failure; software malfunction
- Disaster: Entire facility unusable for a day or more
- Catastrophe: Facility totally destroyed
Survival Without Resources? Maximum Tolerable Downtime (MTD)
NIST guidelines:
- Non-essential = 30 days
- Normal = 7 days
- Important = 72 hours
- Urgent = 24 hours
- Critical = Minutes to hours
Each function/resource must have an MTD calculated:
- It outlines the criticality of individual functions and resources
- It also helps indicate which functions or resources need backup options developed (hot-swappable devices, software and data backups, facility space)
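The interdependency and MTD points above, combined in an added example that is not part of the ASM slides: a BIA helper that propagates the tightest MTD down to every function a critical function depends on, orders recovery so that inputs are restored before the functions that need them, and reports mutually reliant functions (the A/B case) that cannot be sequenced one before the other. The function names, dependencies, and the 4-hour figure standing in for the "minutes to hours" critical tier are constructed assumptions.

```python
"""BIA helper: recovery ordering from MTDs and function interdependencies.

Added example; the functions, dependencies and hour values below are
constructed. The 'critical' tier is an assumption of 4 hours, standing in for
the NIST 'minutes to hours' band; the other tiers are the slide's values.
"""
import heapq
from typing import Dict, List, Tuple

# NIST MTD tiers from the slide, expressed in hours (critical is an assumption).
MTD_TIER_HOURS = {
    "critical": 4,
    "urgent": 24,
    "important": 72,
    "normal": 7 * 24,
    "non-essential": 30 * 24,
}

# A business function: (own MTD in hours, names of functions whose output it needs).
Function = Tuple[float, List[str]]


def effective_mtd(funcs: Dict[str, Function]) -> Dict[str, float]:
    """Propagate MTDs along dependencies.

    If B needs input from A, then A cannot be down longer than B can, so A's
    effective MTD is min(A's own MTD, B's effective MTD). This is the 'subtle
    interdependency' the BIA must catch: a 'normal' 7-day function that feeds
    a 24-hour function is really a 24-hour function.
    """
    eff = {name: float(mtd) for name, (mtd, _) in funcs.items()}
    changed = True
    while changed:  # terminates: values only ever decrease to existing MTDs
        changed = False
        for name, (_, deps) in funcs.items():
            for dep in deps:
                if dep not in eff:
                    raise KeyError(f"{name!r} depends on unknown function {dep!r}")
                if eff[name] < eff[dep]:
                    eff[dep] = eff[name]
                    changed = True
    return eff


def recovery_order(funcs: Dict[str, Function]) -> Tuple[List[str], List[str]]:
    """Return (ordered functions, unresolved functions).

    Dependencies are restored before the functions that need them (Kahn's
    topological sort); among functions whose inputs are all restored, the one
    with the tightest effective MTD goes first. Functions caught in a mutual
    dependency (A needs B and B needs A) never become ready and are returned
    as 'unresolved' so the BIA team can plan to restore them together.
    """
    eff = effective_mtd(funcs)
    indegree = {name: len(deps) for name, (_, deps) in funcs.items()}
    dependents: Dict[str, List[str]] = {name: [] for name in funcs}
    for name, (_, deps) in funcs.items():
        for dep in deps:
            dependents[dep].append(name)

    ready = [(eff[n], n) for n in funcs if indegree[n] == 0]
    heapq.heapify(ready)
    order: List[str] = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for dependent in dependents[name]:
            indegree[dependent] -= 1
            if indegree[dependent] == 0:
                heapq.heappush(ready, (eff[dependent], dependent))
    unresolved = sorted(n for n in funcs if n not in order)
    return order, unresolved


# Constructed BIA input. 'storage' was rated 'important' (72 h) on its own,
# but order entry (24 h) depends on the customer database, which depends on
# storage, so storage inherits the 24-hour requirement.
FUNCTIONS: Dict[str, Function] = {
    "order entry": (MTD_TIER_HOURS["urgent"], ["customer database", "network"]),
    "customer database": (MTD_TIER_HOURS["important"], ["network", "storage"]),
    "network": (MTD_TIER_HOURS["important"], ["power"]),
    "storage": (MTD_TIER_HOURS["important"], ["power"]),
    "power": (MTD_TIER_HOURS["critical"], []),
    "payroll": (MTD_TIER_HOURS["normal"], ["network"]),
    "marketing site": (MTD_TIER_HOURS["non-essential"], ["network"]),
}

# Mutual reliance (the A/B case on the slide): neither can be restored 'first'.
MUTUAL: Dict[str, Function] = {
    "billing": (24, ["ledger"]),
    "ledger": (72, ["billing"]),
    "web site": (48, []),
}

if __name__ == "__main__":
    for name, hours in sorted(effective_mtd(FUNCTIONS).items(), key=lambda kv: kv[1]):
        print(f"{name:18s} effective MTD {hours:>6.0f} h")
    print("recovery order:", recovery_order(FUNCTIONS))
    print("mutual case:", recovery_order(MUTUAL))
```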
Alternate Sites
Organization-owned & Subscription Services (Exclusive Use Strategies):
- Hot site – a fully configured computer facility with all services, communication links, and physical plant operations
- Warm site – similar to a hot site, but software and/or client workstations may not be included
- Cold site – provides only rudimentary services and facilities, no computer hardware
- Mobile site – configured like a hot site, except that it is on wheels
The major deciding factor for exclusive use strategies is cost.
Alternate Sites: Other Options
- Reciprocal agreements
- Prefabricated facility
- Time-share
Results from the BIA
The result contains:
- Identified critical functions and required resources
- MTD for each function and resource
- Identified threats and vulnerabilities
- The impact the company will endure with each threat
- Calculation of risk
- Protection and recovery solutions
Document and present to management for approval. The results from the BIA are used to create the BCP/DRP.
BCP/DRP Plan Design and Development – Some Items to Include
- Emergency response
- Personnel responsibility/notification
- Backups and off-site storage
- Communications
- Utilities
- Logistics and supplies
- Documentation
- Business resumption planning
Implementation
- Training
- Testing/drills and assessment
- Recovery procedures
- Maintenance
Training
- A systematic approach to training is required to support the BCP/DRP plans
- A sufficient number of qualified staff members must be cross-trained to ensure coverage
- Trained staff must also have the required credentials to be able to execute the actions required by the plan
Testing and Drills
Testing characteristics:
- Testing helps to indicate whether an organization can actually recover
- Testing should be an annual affair, or follow significant changes in the environment
- Identifies items that need to be improved upon (expect mistakes)
Action:
- Decide on the type of drill (classroom/tabletop or functional)
- Create a disaster scenario
- Create goals to be accomplished during the drill
- Run the drill
- Report results to management
Types of Tests
- Checklist Test: Copies of the BCP/DRP are distributed to functional managers, who review the parts that address their department
- Structured Walk-Through: A meeting is held where functional managers go (walk) through the entire plan
- Simulation Test: Carry out or practice a disaster scenario; could involve the actual offsite facility
- Parallel Test: Test conducted including parallel processing at the offsite facility
- Full-Interruption Test: The original site is shut down; all processing takes place at the offsite facility
Recovery Procedures
- Procedures on what to do, when to do it, and in which sequence
- Procedures should cover several different types of events
- Copies of recovery plans should be kept offsite or in another safe location
- Employees must be taught and drilled
- The least critical departments/functions/resources should be moved first to the restored primary location
BCP/DRP Plan Maintenance
Ongoing maintenance of the BC/DR plan is a major commitment for an organization. Maintenance includes:
- Effective after-action review meetings
- Plan review and maintenance
- Ongoing training of staff involved in incident response
- A rehearsal process to maintain readiness of the BC/DR plan
The After-Action Review
- After-action review (AAR): a detailed examination of the events that occurred from incident detection to recovery
- Identifies areas of the BC/DR plans that worked, didn’t work, or need improvement
- AARs are conducted with all participants in attendance
- The AAR is recorded for use as a training case
- The AAR brings the BCP/DRP teams’ actions to a close
The After-Action Review (AAR)
The AAR serves several purposes:
- Documents the lessons learned and generates BC/DR plan improvements
- Is a historical record of events, for possible legal proceedings
- Becomes a case training tool
- Provides closure to the incident
Manage Personnel Security
- Employment Candidate Screening
- Employment Agreements and Policies
- Employee Termination Processes
- Vendor, Consultant, and Contractor Controls
- Privacy
Risk Management Concepts
- Organizational Risk Management Concepts
- Risk Assessment Methodologies
- Identify Threats and Vulnerabilities
- Risk Assessment/Analysis
- Countermeasure Selection
- Implementation of Risk Countermeasures
- Types of Controls
- Access Control Types
- Controls Assessment/Monitoring and Measuring
Risk Analysis
Quantitative Analysis (ALE = SLE x ARO)
- ALE = Annualized Loss Expectancy (a dollar amount that estimates the loss potential from a risk over the span of a year)
- SLE = Single Loss Expectancy (a dollar amount assigned to a single event that represents the company’s potential loss)
- ARO = Annualized Rate of Occurrence (the frequency with which a threat is expected to occur in a period of one year)
Qualitative Analysis (Delphi Method)
Quantitative vs. Qualitative (Pros & Cons)
Protection Mechanisms/Countermeasures Selection
Total Risk vs. Residual Risk
Risk Control Strategies
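The ALE formula above, worked through in code as an added example that is not part of the ASM slides: SLE is computed as asset value times exposure factor, ALE as SLE times ARO, and the countermeasure-selection step (annual value of a safeguard = ALE before the safeguard minus ALE after it minus the safeguard's annual cost) is the standard extension of this formula rather than a quantity stated on the page. The file-server and ransomware figures are constructed.

```python
"""Quantitative risk analysis: ALE = SLE x ARO, plus safeguard cost/benefit.

Added example for the CISSP Security & Risk Management domain; the asset
values, exposure factors, and ARO figures below are constructed, not real data.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    """One threat/asset pair, estimated for a one-year period."""
    name: str
    asset_value: float      # dollar value of the asset
    exposure_factor: float  # fraction of asset value lost in one event, 0.0 to 1.0
    aro: float              # annualized rate of occurrence (events per year)

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence of the threat."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected yearly loss from this risk."""
        if self.aro < 0.0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure with its yearly cost and the residual risk it leaves."""
    name: str
    annual_cost: float
    residual: Risk  # the same risk re-estimated with the safeguard in place


def safeguard_value(before: Risk, safeguard: Safeguard) -> float:
    """Annual net value of a safeguard (the standard cost/benefit check):
    ALE before - ALE after - annual cost. Negative means it costs more than it saves."""
    return before.ale() - safeguard.residual.ale() - safeguard.annual_cost


def rank_safeguards(before: Risk, options: List[Safeguard]) -> List[Tuple[str, float]]:
    """Rank countermeasures by net annual value, best first."""
    ranked = [(s.name, safeguard_value(before, s)) for s in options]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed scenario: a file server worth $500,000. A ransomware incident is
# estimated to destroy 40% of its value, and one is expected every two years.
FILE_SERVER = Risk("ransomware on file server", asset_value=500_000,
                   exposure_factor=0.40, aro=0.5)

OPTIONS = [
    # Mitigation: tested offline backups cut the loss per event to 5% of value.
    Safeguard("tested offline backups", annual_cost=20_000,
              residual=Risk(FILE_SERVER.name, 500_000, 0.05, 0.5)),
    # Transfer: cyber insurance leaves a 10% uncovered loss per event.
    Safeguard("cyber insurance", annual_cost=30_000,
              residual=Risk(FILE_SERVER.name, 500_000, 0.10, 0.5)),
    # Over-engineered option: no residual loss, but it costs more than the ALE.
    Safeguard("full hot-site replica", annual_cost=120_000,
              residual=Risk(FILE_SERVER.name, 500_000, 0.0, 0.5)),
]


if __name__ == "__main__":
    print(f"SLE = ${FILE_SERVER.sle():,.0f}")   # 500,000 x 0.40 = 200,000
    print(f"ALE = ${FILE_SERVER.ale():,.0f}")   # 200,000 x 0.5  = 100,000
    for name, value in rank_safeguards(FILE_SERVER, OPTIONS):
        verdict = "worth it" if value > 0 else "costs more than it saves"
        print(f"{name:24s} net ${value:>10,.0f}  ({verdict})")
```

A safeguard whose net value is negative is a candidate for acceptance or transfer rather than mitigation, which is the total-risk versus residual-risk decision listed above.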
SECURITY & RISK MANAGEMENT
Risk Control Strategies
Avoidance: Apply safeguards that eliminate or reduce the remaining uncontrolled risks for a particular vulnerability.
Transfer: Transfer risks to outside entities or other areas of the organization.
Acceptance: Understand the consequences and accept the risk.
Mitigation: Put controls in place to reduce the impact should vulnerabilities be exploited.
SECURITY & RISK MANAGEMENT
Risk Management Concepts Cont’d
Controls Assessment/Monitoring and Measuring
Tangible and Intangible Asset Valuation
Continuous Improvement
Risk Management Frameworks
A risk framework is a guideline or recipe for how risk is to be assessed, resolved, and monitored. The primary example of a risk framework referenced by the CISSP exam is that defined by NIST in Special Publication 800-37.
This publication provides guidelines for applying the Risk Management Framework (RMF) to federal information systems. The six-step RMF includes security categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring.
SECURITY & RISK MANAGEMENT
Threat Modeling
Threat modeling is the security process in which potential threats are identified, categorized, and analyzed.
Threat modeling can be performed as a proactive measure during design and development, or as a reactive measure once a product has been deployed.
Whether proactive or reactive, the process identifies the potential harm, the probability of occurrence, the priority of concern, and the means to eradicate or reduce the threat.
Determining Potential Attacks and Reduction Analysis
Technologies & Processes to Remediate Threats
SECURITY & RISK MANAGEMENT
Acquisitions Strategy and Practice
Hardware, Software & Services
Organizations must implement supply chain risk management programs to proactively address exposures that could disrupt the supply chain.
Manage Third-Party Governance (e.g., cloud computing). When evaluating a third party for integration into your security program, consider the following processes: on-site assessment; document reviews; process/policy reviews.
Minimum Security & Service-Level Requirements
For all acquisitions, establish minimum security requirements. These should be modeled on your existing security policy.
When purchases are made without security considerations, the risks inherent in those products remain throughout their deployment lifespan.
SECURITY & RISK MANAGEMENT
Security Education, Training, & Awareness
Policies define what an organization needs to accomplish with regard to information security. Formal security awareness training is usually included in an organization’s information security policies.
Security awareness training is a method by which organizations inform employees and all stakeholders about their roles, and the expectations attached to those roles, in observing information security requirements.
Additionally, training provides guidance in the performance of certain risk management functions. Educated (security-aware) users help an organization fulfill its security program objectives and, in addition, facilitate regulatory compliance (such as HIPAA, SOX, GLBA, etc.) where required.
SECURITY & RISK MANAGEMENT
Training Topics
Corporate security policies
The organization’s security program
Regulatory compliance requirements for the organization
Social engineering
Malware
Business continuity
Disaster recovery
Security incident response
Data classification
Personnel security
Appropriate use of computing resources
Ethics
Physical security, etc.
SECURITY & RISK MANAGEMENT
Awareness Activities & Methods – Creating a Culture of Awareness
Formalized courses, delivered in the classroom using slides, handouts, or books, or via computer-based training (CBT).
Use of posters that call attention to security awareness, emphasizing password protection, personnel security, social engineering, and other issues.
Business unit walk-throughs to help employees identify unacceptable practices, such as posting passwords on post-it notes in conspicuous places.
Emphasis on maintaining “clean desk” practices as the accepted norm.
Use the organization’s intranet to post security reminders.
Appoint security awareness mentors to help with FAQs and concerns from employees.
SECURITY & RISK MANAGEMENT
Awareness Activities & Methods – Creating a Culture of Awareness – cont’d
Sponsor an enterprise-wide security awareness day, complete with security activities, quizzes, prizes, and recognition of the winners.
Sponsor an event with an external partner such as ISSA, ISACA, ISC2, SANS, etc.
Provide trinkets for the users within the organization.
Consider a special event day, week, or month that coincides with industry or world awareness events such as Global Security Awareness Week (annually in September) and Security Awareness Month (annually in October).
Provide security management videos, books/pamphlets, etc.
SECURITY & RISK MANAGEMENT
Job Training
Security training assists security personnel in enhancing and developing the skill sets relevant to the performance of their core functions. Training must be clearly aligned with security risk management activities.
Performance Metrics
It is important that the organization tracks performance relative to security, for the purpose of both enforcement and enhancement of risk management initiatives.
Users must acknowledge their security responsibilities by signing off after the training, and also provide feedback.
Measurement can include periodic walk-throughs of business units, periodic quizzes to keep staff up to date, surprise visits by mentors, etc.
GOOD LUCK!