
CISM: Certified Information Security Manager®
An ISACA Certification

1
About Your Instructor
Kelly Handerhan, CISM, CISA, CRISC, CISSP, PMP, etc.
[email protected]
703-568-1663

2
The Preliminaries

• Start and finish
• Course style
• Coffee and breaks
• Lunch


3
Let’s Get To Know Each Other
• Your name and surname
• Your organization
• Your profession (title, function, job responsibilities)
• Your experience with the InfoSec/IT Audit/ITSM
• Your personal “Brush with Greatness”

4
ISACA.org
Information Systems Audit and Control Association

COBIT®, CISA®, CISM®, CRISC® and CGEIT® are registered trademarks of ISACA.
Overview of the
CISM Certification

6
Course Objectives
• Introduction to CISM certification
• The role of a CISM
• Understanding the IT Security domains and related concepts
• Presenting business value and requirements of IT Security
• Understanding of ISACA RISK IT Framework structure, concepts,
definitions, and processes dedicated to risk management
Main goal:
• Preparing students for the CISM exam
Secondary Goal:
• Awareness of IT Security best practices

7
Earning Your CISM

8
CISM Domain Structure (1/2)
• Domain 1
• Information Security Governance
• Domain 2
• Information Risk Management and Compliance
• Domain 3
• Information Security Program Development and Management
• Domain 4
• Information Security Incident Management

9
CISM Domain Structure (2/2)
Domain 1: Information Security Governance
(mandates)
Domain 2: Information Risk Management and Compliance
(deploys / reports to)
Domain 3: Information Security Program Development and Management
(requires)
Domain 4: Information Security Incident Management
10
About the CISM Exam (1/2)
• The CISM certification is designed to meet the growing demand for
professionals who can integrate Information Security (IS) with discrete IS
control skills
• The technical skills and practices the CISM certification promotes and
evaluates are the building blocks of success in this growing field, and the CISM
designation demonstrates proficiency in this role
• The CISM certification/designation reflects a solid achievement record in
managing information security, as well as in such areas as risk analysis, risk
management, security strategy, security organization, etc.
• Certification launched: 2003
• Number of individuals certified: 23000

11
About the CISM Exam (2/2)
• CISM exam questions are developed with the intent of measuring
and testing practical knowledge and the application of general
concepts and standards
• PBE & CBE (only pencil & eraser are allowed)
• 4 hour exam
• 200 multiple choice questions designed with one best answer
• No negative points
• No prerequisites for sitting the exam (requirements apply to certification, not to taking the exam)

12
Earning the CISM Qualification
• Candidates who pass the CISM exam are not automatically CISM-certified/qualified
and cannot use the CISM designation.
• All current requirements are present in the official CISM “Application
for CISM Certification” document:
• www.isaca.org/cismapp
• After passing the exam, the following requirements must also be met
within 5 years of passing the exam. You will not be certified until you:
✔ Have documented the relevant work experience* in the CISM Job Practice Areas.
✔ Submit the CISM Certification Application including the Application Processing Fee.
13
After You Pass…
• Prior to doing so, the following requirements must be met:
✔ Pass the CISM Exam within the last 5 years.
✔ Have the relevant work experience* in the CISM Job Practice
Areas.
✔ Submit the CISM Certification Application including Application
Processing Fee.

14
Summary
• ISACA CISM Review Manual Structure
• CISM Domain Structure
• About the CISM Exam
• Recommended reading for CISM Exam
• Earning the CISM qualification

15
Domain 1
Information Security
Governance
Domain 1 Agenda
• Principles of Information Security
• Corporate Governance
• Understanding GRC
• Information Security Strategy and Roadmap
• Information Security Frameworks
• Information Security Program
• Project Management
• Policies, Standards, Guidelines and Procedures
• Roles and Responsibilities
• Ethics
• Summary and Review
17
Principles of Information Security

18
The Goal of Information Security
• The goal of information security is to protect the organization’s
assets, individuals, mission and vision
• To achieve this, the organization must perform:
• Asset identification
• Classification of data/information and systems according to criticality and
sensitivity
• Application of appropriate controls

19
What is Security?

20
The Information Security Triad

(Diagram: Confidentiality, Integrity and Availability; Security balanced against Performance)

21
Security vs. Business
• Security must be aligned with business needs and direction
• Security is embedded into the business functions and acts as an
internal part of business operations, providing:
• Strength
• Resilience
• Protection
• Stability
• Consistency
• Reliability
• Security must be treated, discussed, and maintained as a business
issue

22
Corporate Governance

23
Corporate Governance
• Ethical corporate behavior by directors or others charged with
governance in the creation and presentation of value for all
stakeholders
• The distribution of rights and responsibilities among different
participants in the corporation, such as board, managers,
shareholders and other stakeholders
The Organization for Economic Co-operation and Development (OECD) states: “Corporate governance involves a set of
relationships between a company’s management, its board, its shareholders and other stakeholders. Corporate
governance also provides the structure through which the objectives of the company are set, and the means of attaining
those objectives and monitoring performance are determined.”

24
Business Goals and Objectives
• Corporate governance is the set of responsibilities and practices
exercised by the board and executive management
• Information security governance is a subset of corporate
governance
• Goals include:
• Providing strategic vision and direction
• Reaching security and business objectives
• Ensuring that risks are managed appropriately and proactively
• Verifying that the enterprise’s resources are used responsibly

25
Six Basic Outcomes of Effective Security Governance

• Strategy Alignment
• Risk Management
• Value Delivery
• Resource Management
• Performance Measurement
• Integration

26
Benefits of Information Security Governance
Effective information security governance can offer many benefits to
an organization, including:
• Compliance and protection from litigation or penalties
• Cost savings through better risk management
• Efficient utilization of security investments that support the organization’s
objectives
• Reduced risks and potential business impacts to an acceptable level
• Better oversight of systems and business operations
• Opportunity to leverage new technologies to business advantage
• Business value generated through the optimization of security
investments with organizational objectives
27
Performance and Governance
• Governance is only possible when metrics are in place to
determine whether critical organizational objectives are achieved
• Those metrics are used for
• Measuring
• Monitoring
• Controlling
• Reporting
• Enterprise-wide measurements should be developed that will be
consistent in all organization activities

28
Understanding GRC (Governance, Risk
and Compliance)

29
What is GRC?
• In response to widescale fraud and the unethical behavior of
numerous organizations in the early 2000s, the Open Compliance &
Ethics Group (OCEG) provided a set of published, open-source
standards addressing Principled Performance through GRC
• Includes standards, guidelines, tools and online resources to address
governance, risk management, compliance and ethics (GRC) for global
corporations and other organizations
• Directs organizations to meet objectives through
• Sound, principled leadership
• Addressing the unknown elements of the business
• Maintaining compliance with laws and ethical behavior
https://www.oceg.org

30
31
Governance
● Corporate Governance
○ Providing strategic vision and direction
○ Reaching security and business objectives
○ Ensure that risks are managed appropriately and proactively
○ Verify that the enterprise’s resources are used responsibly
● Governance answers four questions:
○ 1. Are we doing the right things?
○ 2. Are we doing them the right way?
○ 3. Are we getting them done well?
○ 4. Are we getting the benefits?
If the answer is no to any of these questions, how do we close the gap
between current state and desired state?
32
Risk

33
Compliance

34
Liabilities

● Who is responsible for the security within an organization?
○ Senior management
● Are we liable in the instance of a loss?
○ Due Diligence
○ Due Care
○ Prudent Person Rule

35
The Information Security Strategy and
Road Map

36
What is a Security Strategy?
“An information security and risk management (ISRM) strategy
provides an organization with a road map for information and
information infrastructure protection with goals and objectives that
ensure capabilities provided are aligned to business goals and the
organization’s risk profile.”

--The ISACA Journal 2010

37
The Desired State of Security
The desired state of security should be defined in terms of:
• It should be clear to all stakeholders what the intended security
state is
• The desired state according to COBIT
• “Protecting the interests of those relying on information, and the
processes, systems and communications that handle, store and deliver the
information, from harm resulting from failures of availability,
confidentiality and integrity”
• Focuses on IT-related processes from IT governance, management
and control perspectives

38
Information Security Strategy Objectives
• The Information Security Strategy forms the basis for the
plan(s) of action required to achieve security objectives
• The long-term objectives describe the “desired state”
• Should describe a well-articulated vision of the desired
outcomes for a security program
• Information Security Strategy objectives should be stated in
terms of specific goals directly aimed at supporting business
activities
• Security Strategy must
• Be defined
• Be measurable
• Provide guidance
39
Business Case Development
Included in the Business Case:
• Reference
• Context (business objectives/opportunities)
• Value Proposition
• Focus
• Deliverables
• Dependencies (CSFs)
• Project metrics (KPIs, KGIs)
• Workload
• Required resources
• Commitments

40
Gap Analysis

41
Gap Analysis using the CMMI

(Diagram: CMMI maturity levels, including Repeatable)

42
Closing the Gap: Information Security Strategy
● Long term perspective to help
move the organization from
current state to desired state as
detailed in gap analysis
● Standard throughout the
organization
● Aligned with business
strategy/direction Compare the

Understands the culture of the


Two

organization
● Reflects business needs and
priorities
43
Elements of a Strategy
● A security strategy needs to include
○ Resources needed
○ Constraints
○ A road map (A broad plan for achieving the organizational goals)
■ Includes people, processes, technologies and other resources
■ A security architecture: defining business drivers, resource
relationships and process flows
○ Achieving the desired state is a long-term goal of a series of projects
or programs

44
Objectives of an Information Security Strategy
• Begin with an understanding of the long-term objectives of the
organization. Strategy should describe a well-articulated vision of
the desired outcomes for a security program through SMART
objectives

45
Information Security Road Map
Information Security Frameworks

47
Frameworks: ISO 27001
● Standard Framework for implementing and managing an ISMS
based on the PDCA model

● Requires senior management to
○ Systematically examine the organization's information
security risks, taking account of the threats, vulnerabilities,
and impacts;
○ Design and implement a coherent and comprehensive suite
of information security controls and/or other forms of risk
treatment (such as risk avoidance or risk transfer) to
address those risks that are deemed unacceptable;
○ Adopt an overarching management process to ensure that
the information security controls continue to meet the
organization's information security needs on an ongoing
basis.

48
ISO 27000 Standards
• Which standard to use from the ISO 27000 series and when
• 27001: A framework designed to develop, build, implement, assess and improve an ISMS (Information
Security Management System)
• 27002: Describes the implementation of the controls referenced in Appendix A of ISO 27001.
• Specifies 15 Domains, 35 control objectives (each of which is supported by at least one control) and 114 controls
• 27003:2017: Provides practical guidance for the implementation of an Information Security Management
System (ISMS) in an organization based on ISO/IEC 27001.
• ISO/IEC 27004:2016 provides guidelines intended to assist organizations in evaluating the information
security performance and the effectiveness of an information security management system in order to fulfil
the requirements of ISO/IEC 27001. It establishes:
• The monitoring and measurement of information security performance
• the monitoring and measurement of the effectiveness of an information security management system (ISMS) including its
processes and controls
• The analysis and evaluation of the results of monitoring and measurement
• ISO 27005: Provides guidelines for Information Security Risk Management for organizations following ISO
27001 Framework

49
ISO 27002: The 14 Domains
ISO 27001 Appendix A/ISO 27002 Controls (ISMS Structure):
• Security Policy
• Organization of Information Security
• Human Resources Security
• Asset Management
• Access Control
• Cryptography
• Physical and Environmental Security
• Operations Security
• Communications Security
• Information Systems Acquisition, Development, Maintenance
• Supplier Relationships
• Information Security Incident Management
• Information Security Aspects of Business Continuity
• Compliance

50
Other Common Frameworks
● SABSA (Sherwood Applied Business Security Architecture)
● TOGAF (The Open Group Architecture Framework)
● COBIT (Control Objectives for Information and related Technology)
● COSO ERM and COSO IC
● Business Model for Information Security (model originated at the Institute
for Critical Information Infrastructure Protection)
● Six Sigma
● Publications from NIST and ISF
● US Federal Information Security Management Act (FISMA)
● Securing quality
● ISO standards on quality (ISO 9001:2000)

51
Information Security Program

52
What is a Security Program?
● “A security program identifies, manages and protects the organization’s assets while aligning to
information security strategy and business goals, thereby supporting an effective security posture.”

53
Information Security Program
● Provides the means for achieving strategy
● Policies/Standards/Procedures/Guidelines
● Roles and Responsibilities
● SLAs (Service Level Agreements)/Outsourcing
● Data Classification/Security
● C&A (Certification and Accreditation) aka Assessment and Authorization
● Auditing

54
Centralization: Better Control, Better Security, Ease of Admin, More Consistency
Decentralized: Better Alignment with business objectives
(Map: Security Policy distributed from HQ in Dallas to SF, LA, DC, CHI, NYC and MIA)
Project Management

56
The Importance of Project Management
Documents of the Project Management Lifecycle
Project Management: Initiating
• Formalized selection and approval of the project
• Documents
• Business Case
• Project Charter
• Stakeholder Register
• Identification of Stakeholders
• Stakeholder Register
What is a Business Case?
• A business case is designed to convince key stakeholders of the
benefits of undertaking a particular project.
• It is an essential PM document and the starting point for the project
charter.
• Includes a brief description of what, why, how and when the project
will solve the needs of the customer
• Ideally, it will define, in easy-to-understand terms, the need for
the project in such a way that key stakeholders will have buy-in for
the project
Project Management: Planning
• Develop the approach and provide the documents to execute, monitor and close the project. These
documents are consolidated into the Project Management Plan
• Methodology to approach creation of Scope, Cost, Schedule, Risk, Quality baselines
• Define metrics to assess process
• Define the target estimates for scope, time, schedule through the development of baselines
• Define processes of change management, requirements analysis, variance analysis, and other means of
managing the process.
Project Management: Execution
• PM directs and manages the work of the project per the Project Management Plan
• Work performance data is collected
• Deliverables are produced
• Risks are managed based on the risk management plan
• Through Quality Assurance, project processes are audited
• Change requests are validated
Project Management: Monitoring and Controlling
• Examine the baselines vs. work performance data (plan vs. actual) through
variance analysis
• Determine if the project is meeting its objectives and make changes as necessary
• Verify scope through Quality Control (Inspect the Product)
• Validate deliverables through Customer Acceptance
• Assess contracts and SLAs to ensure third parties are providing as promised
• Change requests are evaluated and approved or denied through the integrated
change control process defined in the PM Plan
• Provide reports and forecasts
Project Management: Closing
• Transfer the product, service or result to the customer
• Bring the project or phase to an orderly close
• Close procurements according to contracts, or handle disputes
accordingly
• Debrief Project Team
• Conduct Lessons Learned
• Archive Project Files
Documents of the Project Management Lifecycle
Policies, Procedures, Standards
and Guidelines
Types of Policy
• Three main types of policies exist:
● Corporate Policy

● System Specific Policy

● Issue Specific Policy

67
System and Issue Specific Policies
System Specific Policies:
● Web Servers must be configured according to a consistent image with baseline
configuration approved by Director of IT and Director of Marketing
● Multifactor authentication must always be used when accessing domain controllers
● Client systems must be validated periodically against a baseline image
● Etc.
Issue Specific Policies:
● Change Management Policy
● Acceptable Use Policy
● Privacy
● Data/System Ownership
● Separation of Duties (SOD)
● Mandatory Vacations
● Job rotation
● Least privilege
● Need to know
● Dual control
● M of N control

68
• Data Owners: Often the LoB (Lines of Business), i.e. business units.
Could be senior management, but don’t have to be. Determine the
classification and access of data. Choose the risk response and are
ultimately accountable for the protection of data.
• Data Custodian: Responsible for protecting and maintaining the data
Standards
● Mandatory
● Created to support policy, while providing more specific
details.
● Reinforces policy and provides direction
● Can be internal or external

70
Procedures
● Mandatory
● Step by step directives on how to accomplish an end-result.
● Detail the “how-to” of meeting the policy, standards and
guidelines

71
Guidelines
● Not Mandatory
● Suggestive in Nature
● Recommended actions and guides to users
● “Best Practices”

72
Baselines
● Mandatory
● Minimum acceptable security configuration for a system or process
● The purpose of security classification is to determine and assign the
necessary baseline configuration to protect the data

73
Information Security Policy Framework

74
Assessing the Program with a Balanced Scorecard
The Balanced scorecard addresses 4 key areas of
performance:
● Financial metrics - provide information about financial
performance both revenue and expenses
● Customer metrics - assess the extent to which the
company is meeting customer needs and expectations
● Internal process measures - provide insight into the
efficiency of internal processes and allow leaders to
identify and correct problems
● Measures of learning and growth - give managers
information about employee satisfaction and
development

75
Roles and Responsibilities

76
Steering Committee

● Oversight of Information Security Program
● Acts as Liaison between Management, Business, Information
Technology, and Information Security
● Assess and incorporate results of the risk assessment activity
into the decision-making process
● Ensures all stakeholder interests are addressed
● Oversees compliance activities

77
Senior Management’s Responsibilities
● Senior Management is ultimately responsible to:
○ Provide oversight
○ Provide funding and support
○ Ensure testing (and that appropriate results are achieved)
○ Prioritize business functions
○ Establish a common vision/strategy/framework for the
enterprise
○ “Sign off” on Policy, BIA and other organizational documents

78
Chief Information Officer (CIO)

● Strategic Planning
● Policy Development
● Technology Assessments
● Process Improvement
● Acquisitions
● Capital Planning
● Security

79
Information Security Manager

● Functional Manager, responsible for determining the “how”
● Plays a leading role in introducing an appropriate, structured
methodology
● Acts as a major consultant in support of senior management

80
Business Managers
● Responsible for business operations. The individual lines of business are our
customers
● Provide direction to ensure security is implemented in such a way as to meet
business objectives
● Responsible for security enforcement and direction
● Responsible for day-to-day
○ Monitoring
○ Reporting
○ Disciplinary actions
○ Compliance
81
Security Practitioners

● Responsible for proper implementation of security requirements
in their IT systems
● Support or use the risk management process to identify and assess new
potential risk and implement new security controls as needed to
safeguard their IT systems

82
Auditors
● Objective Evaluation of controls and policies to ensure that they are
being implemented and are effective.
● If internal auditing is in place, auditors should not report to the head of
a business unit, but rather to the Chief Operating Officer or some other
entity without direct stake in result
● Auditors document and do not modify

83
Security Trainers
● Must understand the risk management process
● Develop appropriate training materials
● Conduct security trainings and awareness programs catered to roles
within the organization
● Incorporate risk assessment into training programs to educate the end users
● Encourage users to report violations

84
Ethics

85
Ethical Standards
● Responsibility to all stakeholders
• Customers
• Partners
• Suppliers
• Management
• Owners
• Employees
• Community
● Rules of behavior
• Legal
• Corporate
• Industry
• Personal
86
Ethics Plan of Action
• Develop a corporate guide to computer ethics for the organization
• Develop a computer ethics policy to supplement the computer
security policy
• Add information about computer ethics to the employee handbook
• Find out whether the organization has a business ethics policy, and
expand it to include computer ethics
• Learn more about computer ethics and spread what is learned

87
ISACA Code of Ethics
• Required for all certification holders
• Support the implementation of, and encourage compliance with, appropriate
standards, procedures and controls for information systems
• Perform their duties with objectivity, due diligence and professional care, in
accordance with professional standards and best practices
• Serve in the interest of stakeholders in a lawful and honest manner, while
maintaining high standards of conduct and character, and not engage in acts
discreditable to the profession
• Maintain the privacy and confidentiality of information obtained in the course
of their duties unless disclosure is required by legal authority
• Such information shall not be used for personal benefit or released to inappropriate
parties

88
Summary and Review

89
Domain 1 Summary
• Principles of Information Security
• Corporate Governance
• Understanding GRC
• Information Security Strategy and Roadmap
• Information Security Frameworks
• Information Security Program
• Project Management
• Policies, Standards, Guidelines and Procedures
• Roles and Responsibilities
• Ethics

90
Review Questions
QUESTION NO: 1
• Which of the following should be the FIRST step in developing an
information security strategy?
• A. Perform a technical vulnerabilities assessment
• B. Analyze the current business strategy
• C. Perform a business impact analysis
• D. Assess the current levels of security awareness
Prior to assessing technical vulnerabilities or levels of security awareness,
an information security manager needs to gain an understanding of the
current business strategy and direction
91
Review Questions
QUESTION NO: 2
Senior management commitment and support for information
security can BEST be obtained through presentations that:
• A. use illustrative examples of successful attacks.
• B. explain the technical risks to the organization.
• C. evaluate the organization against best security practices.
• D. tie security risks to key business objectives.
Senior management seeks to understand the business justification for
investing in security. This can best be accomplished by tying security to
key business objectives
92
Review Questions
Question 3
Minimum standards for securing the technical infrastructure should
be defined in a security:
• A. strategy.
• B. guidelines.
• C. model.
• D. architecture.
Hardware, software, firmware and the configurations of the
technical environment are defined as architecture

93
Review Questions
Question 4
Which of the following are seldom changed in response to
technological changes?
• A. Standards
• B. Procedures
• C. Policies
• D. Guidelines
Policies are high-level statements of objectives. Because of
their high-level nature and statement of broad operating
principles, they are less subject to periodic change.
94
Review Questions
QUESTION NO: 5
Investments in information security technologies should be based on:
• A. vulnerability assessments.
• B. value analysis.
• C. business climate.
• D. audit recommendations.
Investments in security technologies should
be based on a value analysis and a sound
business case
95
Domain 2
Information Risk Management

96
Chapter 2 Risk Management Agenda
• Risk Introduction
• The Risk Management Life Cycle
• IT Risk Identification
• IT Risk Assessment
• Risk Response and Mitigation
• Risk and Control Monitoring and Reporting

97
Risk Introduction

98
Essential Risk Definitions
● Asset: Something of tangible or intangible value that is worth protecting
● Vulnerability: A weakness in the design, implementation, operation or internal control of a process that
could expose a system to adverse threats; a lack of adequate controls
● Threat: Something that could pose loss to all or part of an asset
● Probability: The likelihood the risk will occur
● Impact: The damage caused if the risk event occurs. Sometimes referred to as severity
● Threat Agent: What carries out the attack
● Exploit: An instance of compromise
● Risk: The combination of the probability of an event and its consequence. Risks are often seen as an
adverse event that can threaten an organization’s assets or exploit vulnerabilities and cause harm.
*****REMEMBER: Risks are always in the future. Once a risk has happened, it is an incident

99
Additional Risk Definitions
● Inherent Risk: With all business endeavors there is some degree of risk
● Residual Risk: Risk that remains after a control has been implemented. Ultimately risk should be mitigated
until the residual risk is within the level that management is willing to accept (management’s risk tolerance)
● Secondary Risk: One risk response may cause a second risk event
● Risk Appetite: Senior management’s approach to risk (Seeking, Neutral, Averse)
● Risk Tolerance: The acceptable level of variation that management is willing to allow for any particular risk.
● Risk Profile: An organization’s current exposure to risk
● Risk Threshold: A quantified limit beyond which your organization is not willing to go
● Risk Capacity: Amount of risk an organization can absorb without threatening its viability
● Risk Utility: The positive outcome desired from taking a risk
● Controls: Proactive and Reactive mechanisms put in place to manage risks.

100
Types of Risk
● Systemic Risk: Category of risk that describes threats to a system, market or economic segment.
Markets with interconnected institutions and interdependent operations, such as finance, are most
susceptible to systemic risk
● Contagious Risk: Events that happen to several business partners in a short time frame
○ DYN DoS led to loss of availability to Amazon, Twitter, Google, etc.
○ Widespread loss of trust and confidence in the payment and settlement systems
● Obscure Risk: Risk that has not yet occurred and is unlikely or difficult to fathom (Sometimes
known as a black swan event)
○ Visibility: Be in a position that it can observe anything going wrong
○ Recognition: Have the capability to recognize an observed event as something wrong

101
Wait…What the Heck is That?!?

102
Risk Governance Objectives
Effective risk governance helps ensure that risk management
practices are embedded in the enterprise, enabling it to secure
optimal risk-adjusted return.

Risk governance has four main objectives:
1. Establish and maintain a common risk view.
2. Integrate risk management into the enterprise.
3. Make risk-aware business decisions.
4. Ensure that risk management controls are implemented and
operating correctly.

103
Context of IT Risk Management
• Risk Management: Coordinated activities to direct and control the enterprise with regard to risk
• Understanding of the organization and its context, or environment includes:
• Intent and capability of threats
• Assets
• Relationship of vulnerabilities
• Vulnerability to changes in economic or political conditions
• Changes to market trends and patterns
• Emergence of new competition
• Impact of new legislation
• Existence of potential natural disaster
• Constraints caused by legacy systems and antiquated technology
• Strained labor relations and inflexible management

104
ISACA’s Risk Management Life Cycle
• Cyclical process
• Process based on the complete cycle of all the elements
• Continuous process with refinement, adaptation, improvement
and maturity

105
The Risk Management Lifecycle
● Risk Identification
○ Asset Value * Threat * Vulnerability
○ Identify and determine the value for assets
○ Identify Threats and Vulnerabilities
○ Use Risk Scenarios and Create the Risk Register
● Risk Assessment (Value)
○ Analysis (Probability X Impact = Loss Potential)
○ Qualitative vs. Quantitative
○ Evaluation (Loss Potential vs. Cost of Countermeasure)
● Risk Mitigation/Response
○ Reduce
○ Accept
○ Transfer
○ Avoid
○ Reject
● Ongoing Controls Evaluation
106
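The Risk Assessment step of the lifecycle above (Probability X Impact = Loss Potential, then Loss Potential vs. Cost of Countermeasure, checked against management's risk tolerance) worked through as a small risk register. This is an added example, not course material or an ISACA tool: the asset values, probabilities and the Accept/Reduce/Transfer/Avoid decision heuristic are constructed for illustration.

```python
"""Worked risk register: quantitative analysis and evaluation as on the slide.
Constructed sample data; the decision thresholds are an illustrative heuristic."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    """One risk register entry (constructed example values)."""
    name: str
    asset_value: float   # value of the exposed asset, in currency units
    probability: float   # likelihood of the event per year (0..1)
    impact: float        # fraction of asset value lost if the event occurs (0..1)

    def loss_potential(self) -> float:
        """Analysis: Probability X Impact = Loss Potential (expected annual loss)."""
        return self.probability * self.impact * self.asset_value


@dataclass(frozen=True)
class Countermeasure:
    """A candidate control and the residual probability/impact it leaves behind."""
    name: str
    annual_cost: float
    residual_probability: float
    residual_impact: float

    def residual_loss(self, risk: Risk) -> float:
        """Residual risk: the loss potential remaining after the control is in place."""
        return self.residual_probability * self.residual_impact * risk.asset_value


def evaluate(risk: Risk, control: Optional[Countermeasure], tolerance: float) -> dict:
    """Evaluation: Loss Potential vs. Cost of Countermeasure, then residual vs.
    tolerance, mapped to the deck's responses. Heuristic (assumption, not ISACA's rule):
    Accept if already within tolerance; Reduce if the control costs less than the loss
    it prevents and brings residual risk within tolerance; otherwise Transfer/Avoid."""
    inherent = risk.loss_potential()
    result = {"risk": risk.name, "inherent_loss": round(inherent, 2)}

    if inherent <= tolerance:
        # Within management's tolerance: spending on a control is not justified.
        result.update(response="Accept", residual_loss=round(inherent, 2))
        return result

    if control is not None:
        residual = control.residual_loss(risk)
        reduction = inherent - residual
        result["residual_loss"] = round(residual, 2)
        # A control is cost-justified only if it prevents more loss than it costs.
        if control.annual_cost < reduction and residual <= tolerance:
            result.update(response="Reduce", control=control.name,
                          net_benefit=round(reduction - control.annual_cost, 2))
            return result

    # No cost-justified control brings the risk within tolerance; what remains is
    # to transfer it (e.g. insurance) or avoid the activity. Escalate to the risk owner.
    result.update(response="Transfer/Avoid",
                  residual_loss=result.get("residual_loss", round(inherent, 2)))
    return result


def build_register(entries, tolerance: float) -> list:
    """Evaluate every (risk, candidate control) pair, largest inherent exposure first."""
    rows = [evaluate(risk, control, tolerance) for risk, control in entries]
    return sorted(rows, key=lambda row: row["inherent_loss"], reverse=True)


# Constructed sample register (not from the deck).
SAMPLE_ENTRIES = [
    (Risk("Customer DB breach", asset_value=2_000_000, probability=0.10, impact=0.50),
     Countermeasure("Encryption at rest + MFA", annual_cost=40_000,
                    residual_probability=0.02, residual_impact=0.20)),
    (Risk("Laptop fleet theft", asset_value=300_000, probability=0.30, impact=0.20),
     Countermeasure("Full-disk encryption", annual_cost=5_000,
                    residual_probability=0.30, residual_impact=0.02)),
    (Risk("Regional datacenter flood", asset_value=5_000_000, probability=0.05, impact=0.80),
     Countermeasure("Sandbags and pumps", annual_cost=150_000,
                    residual_probability=0.05, residual_impact=0.60)),
    (Risk("Website defacement", asset_value=50_000, probability=0.10, impact=0.10),
     None),
]
RISK_TOLERANCE = 10_000  # constructed: maximum acceptable expected annual loss per risk

if __name__ == "__main__":
    for row in build_register(SAMPLE_ENTRIES, RISK_TOLERANCE):
        print(row)
```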
Risk Identification

107
Risk Identification

108
Methods to Identify Risk

Risk Assessment Process

109
Methods to Identify Risk
• Sources of risk documentation
• Audit reports
• Incident reports
• Interviews with SMEs
• Public media
• Annual reports
• Press releases
• Vulnerability assessments and penetration tests
• Business continuity and disaster recovery plans
• Interviews and workshops
• Threat intelligence services
110
Risk Culture and Communication
• Benefits of open communication
• Risk aware business decisions
• Assistance in executive management’s understanding of the actual
exposure to risk
• Awareness among all internal stakeholders of the importance of integrating
risk management into their daily duties
• Transparency to external stakeholders regarding the actual level of risk and
risk management processes in use

111
Alignment with Business Goals and Objectives

• The first and most important step for a CISM is to understand the
business. Review organizational vision and strategy FIRST
• Look beyond IT—Risk is measured by the impact the risk has on the
business, not on a particular system
• In order for risk to be integrated into the enterprise, senior
management must be supportive and involved.
● If management funds and supports the risk management processes we will
have what we need to be successful
● Good metrics mean that we have attainable objectives which will help us
accomplish our goals
● Good communication and transparency helps us make risk-aware business
decisions
112
Organizational Structures and Impact on Risk


113
Administrative Risk Controls
• Segregation of duties
• Job rotation
• Mandatory vacations
• Dual Control, M of N Control
• Secure state
• Principle of Least Privilege
• Need to know
• AUP
• Data/System Ownership
114
Assets
• Information
• Reputation
• Brand
• Intellectual property
• Facilities
• Equipment
• Cash and investments
• Customer lists
• Research
• People
• Service/business process
115
Assets
• Contributing factors to calculating asset value include:
• Financial penalties for legal non-compliance
• Impact on business processes
• Damage to reputation
• Additional costs for repair/replacement
• Effect on third parties and business partners
• Injury to staff or other personnel
• Violations of privacy
• Breach of contracts
• Loss of competitive advantage
• Legal costs

116
Threats
• Internal threats
• Personnel
• External threats
• Natural events
• Theft
• Sabotage/terrorism
• Criminal acts
• Software errors
• Mechanical failures
• Accidents
• Emerging threats

117
Vulnerabilities
• Applications
● Poorly written applications
● Lack of testing
● Reused Code
• Personnel
• Weak (or poorly enforced) policies
• Susceptibility to natural disasters
• Natural events
• Difficulty in protecting against emerging threats
118
Risk Ownership
• Ownership & accountability must be assigned to the risk owner
• Risk owner determines necessary controls
• Owner is determined following the identification of risk
• Also responsible for control monitoring
• Manager or senior official who will bear responsibility for
• Determining the risk response
• Monitoring effectiveness of the control
• Monitoring and controlling the risk
• Controls may be managed by IT, but owner is responsible for risk-related
decisions

119
The IT Risk Register
• Purpose: To consolidate all information about risk into a central
repository
• Lists all known risk
• Severity, source, and potential impact
• Risk owner
• Current status and disposition
• Information gathered by audits, vulnerability assessments, penetration tests,
etc.

120
Risk Register

121
Risk Scenarios: Business-related Risk
• IT risk assessment report must express risk in terms that management can understand
• Use business terms
• Refrain from highly technical/IT-specific terminology
• Business processes and initiatives
• IT risk assessment process must be aligned with the direction of the business
• Risk should be examined with changes to business processes

• Management of IT operations
• Risk depends on culture
• IT management should be active in mitigating risk
• Required for all certification holders
• Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for
information systems
• Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards
and best practices

122
Risk Scenarios: Hardware
Hardware includes:
• Central processing units (CPUs)
• Motherboards
• RAM, ROM
• Networking components
• Firewalls and gateways
• Keyboards
• Monitors
Risk associated are:
● Outdated hardware
● Poorly maintained hardware
● Misconfigured hardware
● Poor architecture
● Lack of documentation
● Lost, misplaced or stolen hardware
123
Risk Scenarios Software
• Risk associated with software includes:
• Logic flaws or semantic errors
• Bugs (semantic errors)
• Lack of patching
• Lack of access control
• Disclosure of sensitive information
• Improper modification of information
• Loss of source code
• Lack of version control
• Lack of input and output validation

124
Risk Scenarios: Software
Operating systems, risk associated:
• Unpatched vulnerabilities
• Poorly written code
• Complexity
• Weak access controls
• Lack of interoperability
• Uncontrolled changes
• Software bugs
• Lack of version control
Applications, risk associated:
● Poor or no data validation
● Exposure of sensitive data
● Misconfiguration
● Improper modification of data
● Logic flaws
● Lack of logs
● Loss
125
Risk Scenarios: Utilities
Environmental utilities, risk associated:
• Power interruptions
• Losses
• Generators
• Batteries
• HVAC
• Water
• Secure operational area
Software utilities, risk associated:
● Use of outdated drivers
● Unavailability of drivers
● Unpatched drivers
● Use of insecure components
● Unpatched vulnerabilities

126
Risk Network Components
Risk associated with:
• Network configuration and management
• Network equipment protection
• The use of layered defense
• Suitable levels of redundancy
• Availability of bandwidth
• Use of encryption for transmission of sensitive data
• Encryption key management
• Use of certificates to support public key infrastructure
• Damage to cabling and network equipment
• Tapping network connections and eavesdropping on communications
• Choice of network architecture
• Documentation of network architecture

127
Risk Scenarios: Network Components
Risk associated with:
• Firewalls:
• Packet Filters
• Stateful Firewalls
• Proxy Servers
• Domain name system
• Rogue DNS
• Poisoning
• Wireless access point
• Rogue Access Points
• Evil Twin
• Routers
• Switches
• VLANs

128
Risk Scenarios: Data Ownership
Risk associated with:
• Unclear ownership of data can be a significant risk
• Staff awareness of risk associated with improper data management
• Review processes and policies and compliance

129
Risk Scenarios: 3rd Party Risk
Third-party Management
Data and business process ownership remains with the organization doing the outsourcing, including security requirements
Risks associated with outsourcing include:
• Hiring and training practices of the supplier
• Reporting and liaison between the outsourcing organization and supplier
• Time to respond to any incidents
• Liability for non-compliance with terms of the contract
• Nondisclosure of data or business practices
• Responding to requests from law enforcement
• Length of contract and terms for dissolution/termination of contract
130


Risk Scenarios: The Cloud
Risk Associated with third-party Management
Don’t forget: LIABILITY CANNOT BE TRANSFERRED
• Unauthorized access to customer and business data
• Security risks at the vendor
• The character of the vendor’s employees
• The security of the vendor’s technology
• The access the vendor has to their data
• Compliance and legal risks
• Where the data resides
• Who is allowed to access it
• How it is protected
• Risks related to lack of control
• Availability risks

131
Risk Assessment

132
Risk Assessment

133
Risk Identification vs. Risk Assessment
• Risk identification
• The process of determining and documenting the risk that an enterprise
faces
• Documentation of assets and their values
• Risk Assessment
• A process used to identify and evaluate risk and its potential effects
• Assessing critical functions and defining controls in place

134
Risk Assessment Methodologies
• Risk analysis provides data necessary for risk response activity
• Two main methods
• Quantitative
• Qualitative
• Hybrid: Semi-quantitative

135
Qualitative Risk Assessment
• Used to prioritize risks
• Feedback based on a range of subjective values:
• Very low
• Low
• Moderate
• High
• Very high
• Results usually conveyed in a table that compares likelihood with
impact
• Problem: Though qualitative analysis is quick and easy to perform, it
does not provide hard numerical values and doesn’t fully justify the
expense of controls
136
Quantitative Risk Assessment
• Based on numerical calculations
• Suitable for cost-benefit analysis and is the basis for justification
of control selection
• Can be difficult to place a quantitative value on subjective
elements of risk such as customer confidence and reputation
• Calculating the cost of an event
• Unpredictable depending on many factors
• Threat/vulnerability pairings
• Be aware of relationships between threats and vulnerabilities

137
Example of Qualitative Probability and Impact Matrix

138
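The matrix image is not reproduced in this copy of the slides. As an added example that is not part of the course material, the following Python applies the five qualitative levels from the Qualitative Risk Assessment slide as a likelihood x impact rating to a small constructed risk register (owner, source, status fields as described on the Risk Register slide); the rating bands and the sample risks are assumptions made for the example.

```python
from dataclasses import dataclass

# Qualitative scale from the "Qualitative Risk Assessment" slide, lowest to highest.
LEVELS = ["Very low", "Low", "Moderate", "High", "Very high"]

# Rating bands are an assumption for this example; an organization sets its own.
BANDS = [(15, "Critical"), (8, "High"), (4, "Medium"), (1, "Low")]


@dataclass
class Risk:
    """One row of the risk register: scenario, owner, source, rating inputs, status."""
    risk_id: str
    scenario: str
    owner: str          # the risk owner makes the response decision
    source: str         # where the risk was identified (audit, pen test, ...)
    likelihood: str     # one of LEVELS
    impact: str         # one of LEVELS
    status: str = "Open"


def level_index(level: str) -> int:
    """Map a qualitative level to 1..5, rejecting anything outside the scale."""
    if level not in LEVELS:
        raise ValueError(f"unknown qualitative level: {level!r}")
    return LEVELS.index(level) + 1


def rating(likelihood: str, impact: str) -> tuple:
    """Probability x Impact as a 1..25 score plus the band it falls in."""
    score = level_index(likelihood) * level_index(impact)
    band = next(name for floor, name in BANDS if score >= floor)
    return score, band


def prioritize(register: list) -> list:
    """Open risks only, highest score first; ties broken by id for stable output."""
    return sorted(
        (r for r in register if r.status == "Open"),
        key=lambda r: (-rating(r.likelihood, r.impact)[0], r.risk_id),
    )


def matrix(register: list) -> dict:
    """Likelihood x impact grid: each cell lists the ids of open risks landing in it."""
    grid = {(lik, imp): [] for lik in LEVELS for imp in LEVELS}
    for r in register:
        if r.status == "Open":
            grid[(r.likelihood, r.impact)].append(r.risk_id)
    return grid


def render_matrix(register: list) -> str:
    """Text rendering with likelihood down the side and impact across the top."""
    grid = matrix(register)
    width = 10
    lines = ["Likelihood \\ Impact".ljust(22) + "".join(i.ljust(width) for i in LEVELS)]
    for lik in reversed(LEVELS):  # highest likelihood on the top row
        cells = [",".join(grid[(lik, imp)]) or "-" for imp in LEVELS]
        lines.append(lik.ljust(22) + "".join(c.ljust(width) for c in cells))
    return "\n".join(lines)


# Constructed sample register; owners and scenarios are made up for the example.
SAMPLE_REGISTER = [
    Risk("R-01", "Unpatched internet-facing web server", "App Owner",
         "Vulnerability assessment", "High", "Very high"),
    Risk("R-02", "Loss of a single office building to flooding", "Facilities",
         "BCP review", "Very low", "High"),
    Risk("R-03", "Phishing leads to credential theft", "CISO",
         "Incident reports", "Very high", "Moderate"),
    Risk("R-04", "Laptop without disk encryption stolen", "IT Ops",
         "Audit report", "Moderate", "Moderate", status="Closed"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        score, band = rating(r.likelihood, r.impact)
        print(f"{r.risk_id} {band:8} score={score:2} owner={r.owner}: {r.scenario}")
    print(render_matrix(SAMPLE_REGISTER))
```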
Quantitative Analysis Formulas and Terms

⚫ (AV) Asset Value: Dollar figure that represents what the asset is worth to the organization
⚫ (EF) Exposure Factor: The percentage of loss that is expected to result from the manifestation of a particular risk
event.
⚫ (SLE) Single Loss Expectancy: Dollar figure that represents the cost of a single occurrence of a threat instance
⚫ (ARO) Annual Rate of Occurrence: How often the threat is expected to materialize
⚫ (ALE) Annual Loss Expectancy: Cost per year as a result of the threat
⚫ (TCO) Total Cost of Ownership is the total cost of implementing a safeguard. Often in addition to initial costs,
there are ongoing maintenance fees as well.
⚫ (ROI) Return on Investment: Amount of money saved by implementation of a safeguard. Sometimes referred
to as the value of the safeguard/control.

139
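As an added worked example that is not from the course, the formulas above carried through in Python: SLE, ALE, annualized TCO and the value of a safeguard (ROI), compared across two candidate controls; the dollar figures, rates and candidate controls are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and the residual exposure expected once it is in place."""
    name: str
    initial_cost: float         # acquisition and implementation, paid once
    annual_maintenance: float   # ongoing fees, per year
    lifetime_years: int         # years over which the initial cost is spread
    residual_ef: float          # exposure factor that remains with the control
    residual_aro: float         # annual rate of occurrence that remains


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV x EF: cost of one occurrence of the threat."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return round(av * ef, 2)


def annual_loss_expectancy(av: float, ef: float, aro: float) -> float:
    """ALE = SLE x ARO: expected cost per year."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return round(single_loss_expectancy(av, ef) * aro, 2)


def annualized_tco(s: Safeguard) -> float:
    """TCO spread over the control's lifetime so it is comparable with a yearly ALE."""
    return round(s.initial_cost / s.lifetime_years + s.annual_maintenance, 2)


def safeguard_value(av: float, ef: float, aro: float, s: Safeguard) -> float:
    """Value of the safeguard (ROI) = ALE before - ALE after - annualized TCO."""
    before = annual_loss_expectancy(av, ef, aro)
    after = annual_loss_expectancy(av, s.residual_ef, s.residual_aro)
    return round(before - after - annualized_tco(s), 2)


def recommend(av: float, ef: float, aro: float, candidates: list):
    """Pick the safeguard with the highest positive value; None if nothing pays off."""
    scored = [(safeguard_value(av, ef, aro, s), s) for s in candidates]
    value, best = max(scored, key=lambda pair: pair[0])
    return best if value > 0 else None


# Constructed figures for the example, not taken from any real assessment.
AV = 500_000.0    # asset value of a customer database
EF = 0.4          # 40% of its value lost in a breach
ARO = 0.5         # one breach expected every two years

CANDIDATES = [
    Safeguard("Managed detection and response", 60_000, 10_000, 3,
              residual_ef=0.4, residual_aro=0.1),
    Safeguard("Full re-platform with new vendor", 300_000, 20_000, 3,
              residual_ef=0.2, residual_aro=0.02),
]

if __name__ == "__main__":
    print("SLE:", single_loss_expectancy(AV, EF))
    print("ALE:", annual_loss_expectancy(AV, EF, ARO))
    for s in CANDIDATES:
        print(f"{s.name}: TCO/yr={annualized_tco(s)} value={safeguard_value(AV, EF, ARO, s)}")
    best = recommend(AV, EF, ARO, CANDIDATES)
    print("Recommend:", best.name if best else "accept the risk")
```

A negative value means the control costs more per year than the loss it prevents, which is the quantitative case for accepting or transferring the risk instead.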
System Development Lifecycle (SDLC)

140
Business Continuity and Disaster Recovery Management
Purpose is to enable a business to continue offering critical services in the event of a disruption
Identify business processes of strategic importance
Risk assessment based on these processes
Primary responsibilities of senior management
BCP/DRP solutions may differ based on scenario

141
Business Continuity Plan/Disaster Recovery Plan
Business continuity plan: Business continuity focuses on continuing critical business operations in the event of a crisis and having plans in place to support those operations until the business can return to normal operations
Disaster recovery plan: The recovery of business and IT services following a disaster or incident within a predefined schedule and budget. Review along with the BCP to ensure they are up to date, reflect risk scenarios and have been tested
Business impact analysis: Examines the impact of an outage over time

142
Essential BCP/DRP Terms
• Recovery Time Objective (RTO ): Amount of time necessary to return
to full operation. Can be specified for a system, a process, or an
offsite facility
• Acceptable Interruption Window (AIW): An Acceptable Interruption
Window is the maximum time allowed for restoration, when
interrupted, of critical systems or applications of an organization, so
that its business goals are not negatively affected
• Recovery Point Objective (RPO): Tolerance for data loss—i.e. how
current data must be

143
Exception Management Practices
Cases may exist where exceptions to policies, procedures and standards are needed
Only allowed through a documented, formal process that requires approval from senior management
Should be removed when no longer needed

144
IT Risk Assessment Report
Results of risk assessment should indicate gaps between current risk state and desired state
Risk assessment report should provide management documentation of risk along with recommendations for addressing any outstanding risk issues
Justifiable and linked with results of the risk assessment
Document process used and results of the risk assessment
State risk levels and priorities

145
IT Risk Assessment Report
The risk assessment report normally includes:
Objectives of the risk assessment process
Scope and description of the area subject to assessment
External context and factors affecting risk
Internal factors or limitations affecting risk assessment
Risk assessment criteria
Risk assessment methodology used
Resources and references used
Identification of risk, threats and vulnerabilities
Assumptions used in the risk assessment
Potential of unknown factors affecting assessment
Results of risk assessment
Recommendations and conclusions

146
Risk Ownership and Accountability
Each risk must be linked to an owner
Makes decision on the best response to the identified risk

Owner must be at a level in the organization where they can make the
necessary decision and can be accountable
Ownership with an individual is needed for accountability

147
Summary
● During risk assessment, the risk practitioner has a responsibility to assess or determine the severity of each risk facing the organization.
● The risk practitioner should also validate the work of the previous phase and ensure that, as much as possible, all risk is identified, assessed, documented and reported to senior management.

148
Risk Mitigation

149
Risk Response and Mitigation

150
Aligning Risk Response with Business Objectives
Management is responsible for evaluating and responding to the recommendations included in the risk report provided following risk assessment.
Management must always be aware of the drivers for risk management, such as compliance with regulations and the need to support and align the risk response with business priorities and objectives.

151
Risk Response Options
Four options for risk response:
Risk acceptance
Risk mitigation
Risk avoidance
Risk transfer

152
Risk Acceptance
• A conscious decision made by senior management to recognize the
existence of risk and knowingly decide to allow (assume) the risk to
remain without (further) mitigation
• Management responsible for impact of the risk event
• Defined as the amount of risk that senior management has
determined is within acceptable or permissible bounds
• Not the same as risk ignorance, which is the failure to identify or
acknowledge risk
• Risk tolerance: An exception when senior management decides to
exceed risk acceptance levels

153
Risk Acceptance
• Examples of risk acceptance:
• It is predicted that a certain project will not deliver the required business functionality by the planned delivery date. Management may decide to accept the risk and proceed with the project.
• A particular risk is assessed to be extremely rare but very important (catastrophic), and approaches to reduce it are prohibitive. Management may decide to accept this risk.
• Risk acceptance often based on poorly calculated risk levels
• Level of risk and impact is always changing, so regular reviews are needed
154
Risk Mitigation
• Risk mitigation means that action is taken to reduce the frequency and/or impact of a risk
• May require the use of several controls until it reaches levels of risk acceptance or risk tolerance
• Examples of risk mitigation:
• Strengthening overall risk management practices, such as implementing sufficiently mature risk management processes
• Deploying new technical, management or operational controls that reduce either the likelihood or the impact of an adverse
event
• Installing a new access control system
• Implementing policies or operational procedures
• Developing an effective incident response and business continuity plan (BCP)
• Using compensating controls

155
Risk Avoidance
• Risk avoidance means exiting the activities or conditions that give rise to risk
• Applies when no other risk response is adequate
• Examples of risk avoidance are:
• Relocating a data center away from a region with significant natural hazards
• Declining to engage in a very large project when the business case shows a notable risk of failure
• Declining to engage in a project that would build on obsolete and convoluted systems because there is no
acceptable degree of confidence that the project will deliver anything workable
• Deciding not to use a certain technology or software package because it would prevent future expansion

156
Risk Sharing/Transfer
• Risk transfer is a decision to reduce loss through sharing the risk of
loss with another organization (e.g., purchasing insurance)
• Partnerships with another organization are an example
• Decision should be reviewed on a regular basis

157
Analysis Techniques
• Analysis techniques can help management to determine the best risk response
• Considerations for selecting a response include:
• The priority of the risk as indicated in the risk assessment report
• The recommended controls from the risk assessment report
• Any other response alternatives that are suggested through further analysis
• The cost of the various response options, including: requirements for compliance with regulations
or legislation
• Alignment of the response option with the strategy of the organization
• Possibility of integrating the response with other organizational initiatives
• Compatibility with other controls in place
• Time, resources and budget available

158
Cost-Benefit Analysis
• Used to justify expense associated with the control
• Factors used in calculating the total cost of the control:
• Cost of acquisition
• Ongoing cost of maintenance
• Cost to remove/replace control
• Factors used in calculating benefit realized from the control:
• Reduced cost of risk event
• Reduced liability
• Reduced insurance premiums
• Increased customer confidence
• Increased shareholder confidence
• Trust from financial backers
• Faster recovery
• Better employee relations (safety)

159
Return on Investment
• ROI is often used as a method of justifying an investment
• The investment is expected to pay for itself within a set time period
• Can be difficult to determine cost of control because it is hard to
predict the likelihood of an attack
• Return on security investment refers to ROI in relation to payback
for security controls
• Cost may or may not provide a direct benefit in the future, like the purchase
of insurance

160
Secondary Risk
• New controls present benefits as well as new risk and
vulnerabilities
• Example: An access control system
• Pro: Protects from unauthorized access
• Con: Affects normal users who forget passwords, resulting in increased denial
of service and more calls for technical assistance

161
Control Design & Implementation
• Controls may be proactive (safeguards) or reactive
(countermeasures)
• Risk assessment should determine the effectiveness of current
controls to mitigate risk
• In cases where current controls are not sufficient, controls must be
adjusted or new controls implemented

162
Control Groups
• Technical (Logical)
• Firewalls
• Encryption
• ACLs
• Physical
• Door locks
• Security Guard
• Mantraps
• Managerial (Administrative)
• Policy
• Directives
• Standard Operating Procedures

163
Administrative, Technical & Physical Controls

164
Control, Design & Implementation

165
Control Activities, Objectives, Practices, & Metrics
• Reducing IT risk to acceptable risk levels requires measurement
and monitoring
• This phase supports the risk and control monitoring and reporting
phase by putting mechanisms into place to measure risk and
controls

166
167
Risk and Control Monitoring and
Reporting

168
Risk and Control Monitoring and Reporting

169
Risk and Control Monitoring and Reporting
• A risk response is designed and implemented based on a risk assessment that was conducted at a single point in time
• Because of the changing nature of risk and associated controls, ongoing monitoring is an essential step of the risk management life cycle.
• Controls can become less effective
• The operational environment may change, and
• New threats, technologies and vulnerabilities may emerge

170
Monitoring Controls
• The purpose of control monitoring is to verify whether the control is effectively addressing the risk.
• The purpose of risk monitoring is to collect, validate and evaluate goals and metrics, to monitor that processes are performing as expected, and to provide reporting.
• Monitoring may be done through self-assessment or independent assurance reviews.
• The risk practitioner should encourage management and process owners to take positive ownership of control improvement.

171
Monitoring Controls
The steps to monitoring controls are:
1. Identify and confirm risk control owners and stakeholders.
2. Engage with stakeholders and communicate the risk and information security requirements and objectives for monitoring and reporting.
3. Align and continually maintain the information security monitoring and evaluation approach with the IT and enterprise approaches.
4. Establish the information security monitoring process and procedure.
5. Agree on a life cycle management and change control process for information security monitoring and reporting.
6. Request, prioritize and allocate resources for monitoring information security.

172
Results of Control Assessments
• The effectiveness of control monitoring is dependent on the:
• Timeliness of the reporting—Are data received in time to take corrective action?
• Skill of the data analyst—Does the analyst have the skills to properly evaluate the controls?
• Quality of monitoring data available—Are the monitoring data accurate and complete?
• Quantity of data to be analyzed—Can the risk practitioner find the important data in the midst of all the other log data available?

173
Key Risk Indicators (KRIs)
• KRIs are used by organizations to determine their risk exposure vs. risk tolerance
• By measuring the risks and their potential impact on business performance, organizations can create alerts that allow monitoring, management
and mitigation of key risks.
• Effective KRIs help to:
• Identify the biggest risks.
• Quantify those risks and their impact.
• Put risks into perspective by providing comparisons and benchmarks.
• Enable regular risk reporting and risk monitoring.
• Alert key people in advance of risks unfolding.
• Help people to manage and mitigate risks.
• Benefits of KRIs
• Provide early warning
• Provide backward-looking view on risk events
• Enable documentation and analysis of trends
• Provide an indication of risk appetite and tolerance
• Increase the likelihood of achieving strategic objectives
• Assist in optimizing risk governance

174
Key Risk Indicators (KRIs)
• Examples of KRIs:
• Quantity of unauthorized equipment or software detected in scans
• Number of instances of SLAs exceeding thresholds
• High average downtime due to operational incidents
• Average time to deploy new security patches to servers
• Excessive average time to research and remediate operations incidents
• Number of desktops/laptops that do not have current antivirus signatures or have not run a full scan within scheduled periods
• KRIs support:
• Risk appetite
• Risk identification
• Risk mitigation
• Risk culture
• Risk measurement and reporting
• Regulatory compliance

175
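To show KRIs measuring exposure against tolerance, here is an added example (not part of the course material) in Python that computes three of the KRIs listed above, endpoints with stale antivirus signatures or missed scans, average patch deployment time to servers, and SLA breaches, over a constructed inventory and raises an alert where the measured value exceeds an assumed tolerance.

```python
from datetime import date

# Constructed sample data for the example; hosts, dates and thresholds are made up.
TODAY = date(2024, 3, 1)

ENDPOINTS = [
    {"host": "ws01", "signature_date": date(2024, 2, 29), "last_full_scan": date(2024, 2, 27)},
    {"host": "ws02", "signature_date": date(2024, 2, 20), "last_full_scan": date(2024, 2, 28)},
    {"host": "ws03", "signature_date": date(2024, 2, 28), "last_full_scan": date(2024, 2, 15)},
    {"host": "ws04", "signature_date": date(2024, 3, 1), "last_full_scan": date(2024, 2, 26)},
    {"host": "ws05", "signature_date": date(2024, 2, 27), "last_full_scan": date(2024, 2, 23)},
]

SERVER_PATCHES = [  # release date of a security patch and the date it reached all servers
    {"patch": "KB-A", "released": date(2024, 2, 1), "deployed": date(2024, 2, 5)},
    {"patch": "KB-B", "released": date(2024, 2, 10), "deployed": date(2024, 2, 24)},
    {"patch": "KB-C", "released": date(2024, 2, 20), "deployed": date(2024, 2, 26)},
]

INCIDENT_RESPONSE_MINUTES = [30, 45, 90, 20, 75]   # time to first response per incident
SLA_RESPONSE_MINUTES = 60                         # contractual response threshold

# Assumed risk tolerance per KRI: the value above which management wants an alert.
TOLERANCE = {
    "endpoints_out_of_date_pct": 10.0,
    "avg_patch_deploy_days": 7.0,
    "sla_breaches": 2,
}


def stale_endpoints(endpoints, today, max_signature_age_days=3, scan_period_days=7):
    """Hosts whose AV signatures are older than allowed or that missed a scheduled full scan."""
    stale = []
    for e in endpoints:
        sig_age = (today - e["signature_date"]).days
        scan_age = (today - e["last_full_scan"]).days
        if sig_age > max_signature_age_days or scan_age > scan_period_days:
            stale.append(e["host"])
    return stale


def endpoints_out_of_date_pct(endpoints, today):
    """Share of the fleet that is out of date, as a percentage."""
    return round(100.0 * len(stale_endpoints(endpoints, today)) / len(endpoints), 1)


def avg_patch_deploy_days(patches):
    """Average elapsed days from patch release to deployment on all servers."""
    days = [(p["deployed"] - p["released"]).days for p in patches]
    return round(sum(days) / len(days), 1)


def sla_breaches(response_minutes, sla_minutes):
    """Count of incidents whose response time exceeded the SLA threshold."""
    return sum(1 for m in response_minutes if m > sla_minutes)


def evaluate_kris(endpoints=ENDPOINTS, patches=SERVER_PATCHES,
                  responses=INCIDENT_RESPONSE_MINUTES, today=TODAY):
    """Measure each KRI and compare it with its tolerance: ALERT when exceeded."""
    measured = {
        "endpoints_out_of_date_pct": endpoints_out_of_date_pct(endpoints, today),
        "avg_patch_deploy_days": avg_patch_deploy_days(patches),
        "sla_breaches": sla_breaches(responses, SLA_RESPONSE_MINUTES),
    }
    return {
        name: {"value": value, "tolerance": TOLERANCE[name],
               "status": "ALERT" if value > TOLERANCE[name] else "OK"}
        for name, value in measured.items()
    }


if __name__ == "__main__":
    for name, result in evaluate_kris().items():
        print(f"{result['status']:5} {name}: {result['value']} (tolerance {result['tolerance']})")
```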
KRI Optimization

176
Data Collection and Extraction Tools & Techniques
• Internal Data Sources Include:
• Audit reports
• Incident reports
• User feedback
• Observation
• Interviews with management
• Security reports
• Logs

177
Logs
• Analysis of log data should answer the following:
• Are the controls operating correctly?
• Is the level of risk acceptable?
• Are the risk strategy and controls aligned with business strategy and priorities?
• Are the controls flexible enough to meet changing threats?
• Is correct risk data being provided in a timely manner?
• Is the risk management effort aiding in reaching corporate objectives?
• Is the awareness of risk and compliance embedded into user behaviors?
• Logs may contain sensitive information and may be needed for forensic purposes
• Logs should not contain too much information

178
Security Event & Incident Management (SEIM)

179
External Sources of Information
• External data sources can include:
• Media reports
• Computer emergency response team (CERT) advisories
• Security company reports
• Regulatory bodies
• Peer organizations

180
Summary
• As risk is identified and assessed, the risk owners select the appropriate response to the risk and create risk
action plans to implement or modify controls selected to mitigate risk.
• As controls to mitigate risk are designed and developed, the risk owner also mandates the development of the
ability to monitor and report on the effectiveness of the controls.
• Regular monitoring and reporting on risk is essential to management, and the use of KPIs and KRIs assists management
in the monitoring of trends, compliance and issues related to risk.
• Risk management is a never-ending process.
• IT risk and controls should be continuously monitored and reported on to ensure continued efficiency and
effectiveness.

181
Domain 3
Information Security
Program Development
and Management

182
Domain 3 Information Security Program Development and Management
Agenda
• Information Security Concepts
• Information Security Frameworks
● ISO 27001
● COBIT
• Information Security Architecture
• Security Program Operations
• Third Party Governance
• Cloud Integration
• IT Service Management
• Control Integration
• Policies, Procedures, Standards, Guidelines
• Certification and Accreditation/Authorization
• Metrics and Monitoring

183
Information Security Program
Concepts

184
Information Security Program
• As defined by ISACA the goal of this domain is to “Develop and maintain an information security program that identifies, manages and protects the organization’s assets while aligning to information security strategy and business goals, thereby supporting an effective security posture.”
• Is best coordinated by the Chief Operating Officer, as this individual should properly see the need for balance between information security and business operations

185
People, Process, Technology

186
Information Security Program Elements
People:
- Training
- Awareness
- HR Policies
- Background Checks
- Roles / responsibilities
- Mobile Computing
- Social Engineering
- Social Networking
- Acceptable Use
- Policies
- Performance Mgt
Technology:
- System Security
- UTM, Firewalls
- IDS/IPS
- Data Center
- Physical Security
- Vulnerability Assmt
- Penetration Testing
- Application Security
- Secure SDLC
- SIM/SIEM
- Managed Services
Process:
- Risk Management
- Asset Management
- Data Classification
- Info Rights Mgt
- Data Leak Prevention
- Access Management
- Change Management
- Patch Management
- Configuration Mgmt
- Incident Response
- Incident Management

187
Essential Information Security Practices
• MANAGEMENT COMMITMENT
• RISK MANAGEMENT
• ASSET INVENTORY AND MANAGEMENT
• CHANGE MANAGEMENT
• INCIDENT RESPONSE AND MANAGEMENT
• CONFIGURATION MANAGEMENT
• TRAINING AND AWARENESS
• CONTINUOUS AUDIT
• METRICS AND MEASUREMENT
● VULNERABILITY ASSESSMENT
● PENETRATION TESTING
● APPLICATION SECURITY TESTING
● DEVICE MANAGEMENT
● LOG MONITORING, ANALYSIS AND MANAGEMENT
● SECURE DEVELOPMENT

188
Security Program Requirements
• Must develop an enterprise security architecture at conceptual, logical, functional, and physical levels
• Must manage risk to acceptable levels
• Risk develops the Business Case that convinces mgmt. security should be performed
• Must be defined in business terms to help non-technical stakeholders understand and endorse program goals
• Must provide security-related feedback to business owners and stakeholders
• Must address risks in relation to the five categories of assets (See next slide)
189
Enterprise Information Security Program

190
Information Security Program Concepts
• An IS Program includes the practical elements that make the information security strategy possible.
• Provides the means for closing the gap between current state and desired state
Flow shown in the original diagram: Determine Desired Outcome; Determine Desired State; Determine Current State; Perform Gap Analysis; Develop Strategy to Close Gaps; Develop Program to Implement Strategy; Manage Security Program to Ensure Objectives are Met; Risk Management Activities

191
Essential Elements of an Information Security Program
• An IS Program allows the execution of a well-planned IS strategy,
which is closely aligned with business goals
• Management and key stakeholders must be directly involved in its
development
• Effective metrics must be established to determine the efficacy of the
program and implemented controls

192
An Information Security Program should...
• Provide Strategic Alignment with business objectives
• Use risk management as the foundation for security related decisions
• Deliver value to stakeholders
• Manage resources efficiently and effectively
• Provide integration with other assurance functions (operational
security, physical security, facility security, etc.)
• Use performance measurements to provide a means of measuring
progress and monitoring activities

193
Information Security
Frameworks
Security Programs are Based on Frameworks
• ISO 27000 Series
• COBIT
• COSO
• TOGAF
• Zachman
• SABSA

195
ISO 27001/27002

196
ISO 27001 Culture and Controls
• ISO27001 is a culture one has to build in the organization which would help to:
• Increase security awareness within the organization
• Identify critical assets via the Business Risk Assessment
• Provide a framework for continuous improvement
• Bring confidence internally as well as to external business partners
• Enhance the knowledge and importance of security-related issues at the management level
• Combined framework to meet multiple client requirements/compliance requirements

197
ISO 27002 Code of Practice

198
COBIT 5®
• A comprehensive framework that helps enterprises to achieve their objectives for the governance and management of IT in the enterprise
• Assists in maintaining a balance between benefits, risks and resource usage
• Allows a holistic approach to IT governance and management to provide the greatest benefit
• Allows the needs of both internal and external stakeholders to be met.
• A generic framework that can benefit organizations of all size, whether commercial, not-for-profit, or public sector
• 5 main principles and 34 processes

199
COBIT 5® Principles
• Principle 1: Meeting Stakeholder Needs
• Principle 2: Covering the Enterprise End to End
• Principle 3: Applying a Single Integrated Framework
• Principle 4: Enabling a Holistic Approach
• Principle 5: Separating Governance from Management

200
Information Security
Architecture

201
Purpose of Architecture
• Ensure that HW, SW, FW all fulfill a stated business objective
• Components work well together
• Consistency throughout the enterprise
• Resources are used effectively and efficiently
• Infrastructure is scalable
• Existing elements can be upgraded
• Additional elements can be added

202
Components of an IS Framework
• Operational components
• Management components
• Administrative components
• Educational components

203
Operational Components
• Identity and access management
• Security event monitoring and analysis
• System patching procedures
• Configuration management and change control procedures
• Security metrics collection and evaluation
• Maintenance of security controls and support technologies
• Incident response, investigation and resolution
• Secure disposal of data and storage devices

204
Management Components
• Strategic alignment between the business and Information Security
• Development of policies, procedures, standards, guidelines, baselines
• Ensure testing and review of incident response and business
continuity plans
• Ensuring roles and responsibilities are clearly defined (RACI matrix)
• Periodic analysis of assets, threats, vulnerabilities and risks
• Ongoing communication with business units for guidance and
feedback for IS teams

205
RACI Matrix

206
Administrative Components
• Financial
• Budgeting
• TCO Analysis
• ROI
• HR management
• On-boarding and off-boarding of employees
• Performance management
• Employee education and development
• 3rd Party Governance
• Evaluation and selection criteria determination for vendors
• Development and evaluation of contracts and SLA
• Audit
• Functional management
• Balance project efforts and ongoing operational overhead with

207
Educational Components
• General security training and awareness is the responsibility of HR
and is often associated with employee orientation and initial new-hire
training
• Role-based issues and responsibilities are addressed within the
business unit
• Online testing can help ensure that information was understood

208
Security Program Operations

209
Security Program Operations
• Event Monitoring
• Vulnerability management
• Secure engineering and development
• Network protection
• Endpoint protection and management
• Identity and access management
• Security incident management and BCP
• Security awareness training
• Managed security services providers
• Data Security
• Cloud Resource Management

210
Event Monitoring
• Event monitoring is the practice of examining the events that are
occurring on information systems, including applications, operating
systems, database management systems, end-user devices, and every
type and kind of network device, and being aware of what is going on
throughout the entire operating environment.
• Log Reviews
• Honeypots
• IDS/IPS
• SIEM Systems
• Threat Intelligence from external sources
• Orchestration
Gregory, Peter H. CISM Certified Information Security Manager All-in-One Exam Guide (Kindle Locations 7128-7130). McGraw-Hill Education. Kindle Edition.

211
Vulnerability Management
• Vulnerability management is the practice of periodically examining
information systems (including but not limited to operating systems,
subsystems such as database management systems, applications, and
network devices) for the purpose of discovering exploitable
vulnerabilities, related analysis, and decisions about remediation.
Organizations employ vulnerability management as a primary activity
to reduce the likelihood of successful attacks on their IT environment.
• Security Scan
• Vulnerability Assessment
• Penetration Test
Gregory, Peter H.. CISM Certified Information Security Manager All-in-One Exam Guide (Kindle Locations 7161-7165). McGraw-Hill Education. Kindle Edition.

212
Secure Engineering and Development
• Security can add value at each stage of the development cycle:
• Conceptual: Feasibility studies and initial risk assessments--broad understanding of the security framework
• Requirements:
• Functional Analysis---Customer provides the requirements of the system or product—functional requirements should include
security
• System Analysis—Developers determine the security specifications and plan for implementation of security checkpoints
• Design: Developers plan for implementation of security per requirements. Security is provided for in budget and schedule. Design
reviews will help ensure that security remains a focus
• Security checkpoints are created along the way.
• Engineering and development: Developers implement the determined security within the code. Unit testing ensures the structure and logic
of the code are heading in the right direction.
• Testing: Certification ensures the technical security features of a product meet the developer’s description. If so, the product is
verified. Accreditation/Authorization is senior management’s decision to implement the product, as it solves the problem it was
designed to solve. The product is now validated.

213
Secure Engineering and Development: STRIDE
Threat                    Mitigation
Spoofing                  Authentication
Tampering                 Integrity Verification (Hashes/Message Digests/CRCs)
Repudiation               Non-Repudiation (Digital Signatures)
Information Disclosure    Confidentiality Through Encryption
Denial of Service         High Availability/Redundancy/Fault Tolerance
Escalation of Privilege   Authorization

214
Network Protection: Segmentation (1/6)
• Routers: Segment the network into small networks based on broadcast traffic, security or
bandwidth needs
• VLANs
• Firewalls: Boundary devices
• Packet Filters: Screening Router—router with an ACL configured—FAST…all or nothing
• Black listing: all traffic is allowed, except what’s explicitly denied on a “black list”
• White listing: all traffic is denied, except what’s explicitly allowed on a “white list”
• Stateful Firewalls: Aware of the “state” of the connection—detect anomalies in the function of protocols
• Application Proxies: Understand specific applications such as web services (HTTP and HTTPS). Content
inspection
• Web Proxies
• Mail Proxies
• DMZ
• Air gaps
[Diagram: Internet (untrusted) | FW | DMZ / Screened Subnet (semi-trusted) | FW | LAN (trusted)]
Network Protection: Firewalls (2/6)
• Firewalls: Allow/Block traffic in order to enforce network policy--based on rules called ACLs (Access Control Lists)
• Usually, firewalls are placed on the perimeter of a network and allow or deny traffic based on company or network
policy.
• Can be hardware or software based
● Static Packet Filters: Base decisions on Source/Destination IP Address and Port
● Stateful inspection. Knowledge of who initiated the session. Can block unsolicited replies.
● Protocol Anomaly firewalls—can block traffic whose syntax differs from what the protocol’s RFC specifies
● Application Proxies/Kernel Proxies: Make decisions on Content, Active Directory Integration, Certificates, Time

216
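The packet-filter modes and the stateful "block unsolicited replies" behaviour from the two slides above, as an added example in Python (not from the slides or the cited exam guide). Rules, hosts and addresses are constructed; the filter matches only on source prefix and destination port to keep the decision logic visible.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = leaving the trusted LAN, "in" = arriving from the Internet

# A screening-router ACL entry: (source prefix, destination port); "*" is a wildcard.
Rule = Tuple[str, object]

def rule_matches(p: Packet, rule: Rule) -> bool:
    src_prefix, port = rule
    src_ok = src_prefix == "*" or p.src_ip.startswith(src_prefix)
    port_ok = port == "*" or p.dst_port == port
    return src_ok and port_ok

def packet_filter(p: Packet, acl: Iterable[Rule], mode: str) -> bool:
    """Stateless packet filter: every packet is judged on its own header fields.
    Returns True when the packet is allowed through."""
    hit = any(rule_matches(p, r) for r in acl)
    if mode == "blacklist":   # default allow; the ACL names what to drop
        return not hit
    if mode == "whitelist":   # default deny; the ACL names what to permit
        return hit
    raise ValueError(f"unknown mode {mode!r}")

class StatefulFirewall:
    """Remembers sessions the LAN initiated, so inbound traffic is admitted only
    when it answers one of them (the "block unsolicited replies" property)."""

    def __init__(self, outbound_acl: Iterable[Rule]):
        self.outbound_acl = list(outbound_acl)   # whitelist applied to LAN-initiated traffic
        self.sessions: Set[Tuple[str, int, str, int]] = set()

    def decide(self, p: Packet) -> bool:
        if p.direction == "out":
            if not packet_filter(p, self.outbound_acl, "whitelist"):
                return False
            self.sessions.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return True
        # Inbound: allowed only if it mirrors a session recorded on the way out.
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.sessions

    def close(self, p: Packet) -> None:
        """Forget a session once the connection ends (FIN/RST seen or timeout)."""
        self.sessions.discard((p.src_ip, p.src_port, p.dst_ip, p.dst_port))

def demo() -> Dict[str, bool]:
    """Constructed traffic using documentation address ranges, not real hosts."""
    allow_web = [("*", 80), ("*", 443)]
    fw = StatefulFirewall(allow_web)
    out = Packet("10.0.0.5", 40000, "198.51.100.10", 443, "out")
    reply = Packet("198.51.100.10", 443, "10.0.0.5", 40000, "in")
    unsolicited = Packet("203.0.113.7", 443, "10.0.0.5", 40000, "in")
    results = {
        "stateless blacklist drops ssh": not packet_filter(
            Packet("203.0.113.7", 50000, "10.0.0.5", 22, "in"), [("*", 22)], "blacklist"),
        "stateless whitelist drops smtp": not packet_filter(
            Packet("10.0.0.5", 40001, "198.51.100.10", 25, "out"), allow_web, "whitelist"),
        "stateful admits outbound https": fw.decide(out),
        "stateful admits the reply": fw.decide(reply),
        "stateful drops unsolicited reply": not fw.decide(unsolicited),
        # A stateless filter cannot tell the two inbound packets apart: both come
        # from port 443, so letting replies in means letting the forged one in too.
        "stateless filter cannot tell them apart":
            packet_filter(reply, [("*", "*")], "whitelist")
            == packet_filter(unsolicited, [("*", "*")], "whitelist"),
    }
    fw.close(out)
    results["reply rejected after session closed"] = not fw.decide(reply)
    return results

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{'PASS' if ok else 'FAIL'}: {check}")
```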
Network Protection: Wireless Networks (3/6)
• Encryption
• WEP—Wired Equivalent Privacy--WEAK
• WPA—Wi-Fi Protected Access—A little better and backwards compatible with WEP
• WPA II—Much stronger: strong keys, strong algorithms
• Authentication: Proof of identity
• 802.1x
• Centralized Management: Ease of Admin, Better Security, Consistency (RADIUS)
• Decentralized: Flexibility and Better alignment with business objectives—Every
single access point is administered individually
[Diagram: Wi-Fi client and APs 1-4 on the LAN; RADIUS server backed by Active Directory (runs on a domain controller); VPN client connecting through a VPN (remote access) device; dial-up client connecting through RAS]
217
Network Protection: Services (4/6)
• DNS—uses records and cache to provide name resolution
• Pharming—modification of records
• Cache Poisoning—modification of cache
• DNSSec—uses keys to authenticate other DNS Servers
• DHCP---Automatic assignment of IP addresses
• Discover—Client broadcasts to learn which servers offer DHCP service
• Offer—All DHCP servers respond and offer an IP address
• Request—Client requests an IP from the FIRST server who offered an IP address
• Acknowledge—DHCP Server grants the client the IP address and removes the IP address from its
scope
• LDAP—Lightweight Directory Access Protocol—Authentication Servers (Domain
Controllers)
• Web Services—very susceptible to cross-site scripting, DoS
• Mail Services—very susceptible to DoS and Confidentiality Breaches
218
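The four-step DHCP exchange above (Discover, Offer, Request, Acknowledge) with two servers answering one client, as an added Python simulation that is not part of the slides or the exam guide. Server names, scopes and MAC addresses are constructed; the point it shows is which server's address survives and how each server's scope changes.

```python
from typing import Dict, List, Optional, Tuple

class DhcpServer:
    """One DHCP server with a pool ("scope") of addresses it may lease."""

    def __init__(self, name: str, scope: List[str]):
        self.name = name
        self.scope = list(scope)              # addresses still available to lease
        self.pending: Dict[str, str] = {}     # client MAC -> address currently offered
        self.leases: Dict[str, str] = {}      # client MAC -> address leased

    def on_discover(self, mac: str) -> Optional[Tuple[str, str]]:
        """OFFER: reserve the next free address for this client, if any remain."""
        free = [ip for ip in self.scope if ip not in self.pending.values()]
        if not free:
            return None
        self.pending[mac] = free[0]
        return (self.name, free[0])

    def on_request(self, mac: str, chosen_server: str, ip: str) -> Optional[str]:
        """ACK: the REQUEST is broadcast, so every server learns which offer the
        client accepted. Servers that were not chosen withdraw their offer; the
        chosen one removes the address from its scope and records the lease."""
        offered = self.pending.pop(mac, None)
        if chosen_server != self.name or offered != ip:
            return None
        self.scope.remove(ip)
        self.leases[mac] = ip
        return ip

def dora(mac: str, servers: List[DhcpServer]) -> Optional[str]:
    """Run the exchange for one client and return the address it was granted."""
    # DISCOVER is a broadcast: every server hears it and may answer with an OFFER.
    offers = [o for o in (s.on_discover(mac) for s in servers) if o is not None]
    if not offers:
        return None
    chosen_server, ip = offers[0]        # the client takes the FIRST offer it receives
    # REQUEST is broadcast too; exactly one server should ACK.
    acks = [a for a in (s.on_request(mac, chosen_server, ip) for s in servers) if a]
    return acks[0] if acks else None

if __name__ == "__main__":
    # Constructed scopes; srvA answers first, so it wins until it runs out.
    srv_a = DhcpServer("srvA", ["10.0.0.100", "10.0.0.101"])
    srv_b = DhcpServer("srvB", ["10.0.0.200"])
    for mac in ("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02",
                "aa:bb:cc:00:00:03", "aa:bb:cc:00:00:04"):
        print(mac, "->", dora(mac, [srv_a, srv_b]),
              "| srvA scope:", srv_a.scope, "| srvB scope:", srv_b.scope)
```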
Network Protection: Inspection and Detection
(5/6)
• Sniffers: Capture Packets on the network
• IDS/IPS
• Honeypots/Honeynets
• Log reviews
• Internal audit
• External audit

219
Network Protection: NAC (Network Access Control) (6/6)
• Verifies Health of System
• Relies on Client-side and Server-side software
• Uses a SHV (System Health Validator) on server
• Client presents a Certificate of Health
• Can provide Denial of access, quarantine or redirection to a
remediation network

220
NAT (Network Address Translation)

[Diagram: LAN hosts 10.0.0.1, 10.0.0.2 and 10.0.0.3 behind a NAT router (addresses shown: 10.0.0.100 and 63.17.85.1) connected to the Internet]
Private Internal IP Addresses
• 10.0.0.0
• 172.16.0.0-172.31.0.0
• 192.168.1.0
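How the NAT router in the diagram maps several private hosts onto its one public address (port-based NAT, often called PAT), as an added Python example that is not part of the slides. The public address 63.17.85.1 and the 10.0.0.x hosts come from the diagram; port numbers and the starting translation port are constructed.

```python
import ipaddress
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip address, port)

def is_private(ip: str) -> bool:
    """True for the private ranges the slide lists (10/8, 172.16/12, 192.168/16)."""
    return ipaddress.ip_address(ip).is_private

class NatRouter:
    """Port-based NAT: every LAN host shares the router's single public address and
    is told apart by the public-side port the router assigns to its session."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound: Dict[Endpoint, int] = {}    # private (ip, port) -> public port
        self.inbound: Dict[int, Endpoint] = {}     # public port -> private (ip, port)

    def translate_out(self, src: Endpoint) -> Endpoint:
        """Rewrite the source of a packet leaving the LAN; reuse an existing mapping."""
        if not is_private(src[0]):
            raise ValueError(f"{src[0]} is not a private address")
        if src not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[src] = port
            self.inbound[port] = src
        return (self.public_ip, self.outbound[src])

    def translate_in(self, dst_port: int) -> Optional[Endpoint]:
        """Map a reply arriving at the public address back to the private host.
        Returns None when no inside host opened that mapping: unsolicited traffic
        has nowhere to go, which is why NAT hides the internal addressing."""
        return self.inbound.get(dst_port)

if __name__ == "__main__":
    nat = NatRouter("63.17.85.1")
    for host in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        print(host, "-> appears on the Internet as", nat.translate_out((host, 5000)))
    print("reply to port 40001 delivered to", nat.translate_in(40001))
    print("unsolicited packet to port 40999 delivered to", nat.translate_in(40999))
```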
Endpoint Protection (Desktops, Laptops, Tablets, etc.)
• Hardening systems includes:
• Remove unnecessary services
• Patch systems
• Rename guest and administrative accounts
• Review default settings and configurations
• Install anti-malware and monitoring software
• Images are often used to deploy baseline O/S and applications
• Configuration management requires changes to be controlled and documented
• Remote access tools are often used by the network team to provide assistance and remote admin if needed
• Many devices have remote destruction capabilities in case of loss or compromise
• Data should be encrypted for the sake of privacy
• VDI relies on highly controlled servers running the apps users work with. Client systems work as terminals or thin
clients

222
Data Security
• Confidentiality:
• Data at Rest: Encryption
• Data in Motion: Secure Transport Protocols➔ SSL/TLS, SSH, IPSec
• Data in Use: Homomorphic Encryption
• Integrity
• Hashes/Message Digests
• Availability
• Redundancy
• Non-Repudiation
• Digital Signatures---Hash (integrity) encrypted with the sender’s private key (authenticity)
• Data traversing unsecured networks can have end-to-end security through the
use of VPNs
223
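The STRIDE rows for tampering (hashes/message digests) and repudiation (digital signatures), and the Data Security slide's description of a signature as a hash encrypted with the sender's private key, worked as an added Python example that is not from the slides or the exam guide. It uses textbook RSA with two tiny constructed primes and the standard library only, so it illustrates the mechanism and must not be used as real cryptography; real signatures use a padded digest and keys thousands of bits long.

```python
import hashlib
from math import gcd
from typing import Tuple

Key = Tuple[int, int]   # (exponent, modulus)

def digest(msg: bytes) -> bytes:
    """Message digest: changes if one bit of the message changes, but anyone
    who can alter the message can recompute it (integrity, not authenticity)."""
    return hashlib.sha256(msg).digest()

def keygen(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Textbook RSA key pair from two primes. Returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (e, n), (pow(e, -1, phi), n)

def sign(msg: bytes, private_key: Key) -> int:
    """Signature as the slide describes it: the digest transformed with the
    sender's private key. The digest is reduced mod n only because the toy
    modulus is far smaller than 256 bits; real schemes pad the digest instead."""
    d, n = private_key
    h = int.from_bytes(digest(msg), "big") % n
    return pow(h, d, n)

def verify(msg: bytes, signature: int, public_key: Key) -> bool:
    """Undo the private-key transform with the public key and compare the
    result to a freshly computed digest of the received message."""
    e, n = public_key
    h = int.from_bytes(digest(msg), "big") % n
    return pow(signature, e, n) == h

def integrity_only_check(msg: bytes, claimed_digest: bytes) -> bool:
    """Hash-only check (STRIDE tampering mitigation). It detects alteration only
    when the digest reaches the verifier by a path the attacker cannot change."""
    return digest(msg) == claimed_digest

# Constructed sample data: the sender's key pair, someone else's key pair, and a message.
SENDER_PUB, SENDER_PRIV = keygen(1000003, 999983)
OTHER_PUB, OTHER_PRIV = keygen(999979, 999961)
MESSAGE = b"Transfer 100 to account 42"
TAMPERED = b"Transfer 900 to account 42"

if __name__ == "__main__":
    sig = sign(MESSAGE, SENDER_PRIV)
    print("genuine message, sender's key   :", verify(MESSAGE, sig, SENDER_PUB))
    print("tampered message, same signature:", verify(TAMPERED, sig, SENDER_PUB))
    print("genuine message, other's key    :",
          verify(MESSAGE, sign(MESSAGE, OTHER_PRIV), SENDER_PUB))
    print("hash-only check, digest recomputed by the tamperer:",
          integrity_only_check(TAMPERED, digest(TAMPERED)))
```

The last line is the non-repudiation point: a recomputed digest satisfies the hash-only check, while a signature cannot be produced without the sender's private key.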
Identity and Access Management
• Identity Proofing
• Account Provisioning
• User Identifies—username or account number
• User Authenticates--multifactor
• User is Authorized—assigned rights and permissions—Best
implemented through RBAC, or Role-based Access Control
• User is Audited/Accountable
• Account is Deprovisioned

224
Auditing
• Ensures security controls are in place and are performing as expected
• Can be internal or external
• Five Components:
• Objective
• Scope
• Approach
• Constraints
• Result

225
Third Party Governance

226
Third-Party Providers
● Internet service providers, call centers, data processing centers, etc.
● Vicarious liability imposes legal responsibility on an entity when the
entity had nothing to do with actually causing the injury.
○ Often applied through “Respondeat Superior”, when a superior is
liable for the actions of his or her employees
● Laws are evolving.
○ Is an ISP responsible for what its customers do?
○ Is a software service that provides P2P sharing liable when its
customers use that software to violate copyright restrictions?

227
Procurement Documents
● Request for Information (RFI)
● Request for Quote (RFQ)
● Request for Proposal (RFP)
● Invitation for Bid (IFB)
● Contracts
● MOAs
● SLAs

228
Service Level Agreements
● Usually a legally binding contract that offers guarantees usually
centering on performance and reliability of procured systems, as well as
response times from the vendor.
● Could also be used internally from department to department
● A form of risk transference
● Metrics should be clearly defined in the SLA
● Usually offer some sort of financial compensation if the metrics are not
met

229
Contracts
● Legally binding agreement between parties
● Should be in writing and modified in writing
● Five elements necessary for a contract to be legally binding:
● Competency/Capacity
● Consideration
● Offer
● Legal
● Acknowledgement
● Breaches are violations of contract
● Damages are often awarded in response to a breach of contract

230
Cloud Integration

231
CLOUD COMPUTING NIST SP 800-145
• “Cloud computing is a model for enabling ubiquitous, convenient on-demand
network access to a shared pool of configurable computing resources (e.g.,
networks, server, storage, applications, and services) that can be rapidly
provisioned and released with minimal management effort or service provider
interaction.”
--NIST Definition of Cloud Computing
Cloud Drivers
• Scalability
• Mobility
• Elasticity
• Cost-Savings
• Risk Transference/Reduction
• Reduced Infrastructure
• Less Overhead
• Pay as you go
• Shifting Capital Expenditure to Operational Expenditure
• Allows company to match capacity to need, as well as pay as they go (monthly) for only the services that they use
Security Risks
• Distributed
• Laws vary from jurisdiction to jurisdiction
• Multitenant
• Shared physical resources make incident response, forensics, destruction, etc
difficult
• Responsibility cannot be transferred
• Customer is still legally liable for protection of the resource—THE DATA OWNER
REMAINS RESPONSIBLE IN ALL CLOUD MODELS
• Privacy
• The degree of privacy enforcement must be specified in SLA
• CSA may have higher requirements than the enterprise
Deployment Models
• Public
• Private
• Hybrid
• Community

235
Cloud Service Models
[Diagram: service-model stack, top to bottom: SaaS (Software), PaaS, IaaS]
SaaS
• Software as a Service provides the consumer the ability to use the provider’s applications
running on a cloud infrastructure. The applications are accessible from various client devices
through an interface like a web browser or a program interface
PaaS
• Platform as a Service: provides the customer the capability to deploy
onto the cloud infrastructure consumer-created or acquired
applications created using programming languages, libraries, services
and tools supported by the provider.
• Server scripting environment
• Database management system
• Server software
• Technical support
• Storage
• Network Access
• Design and development tools
• Hosting

238
IaaS
• The capability provided is to provision processing, storage, networks
and other fundamental computing resources where the consumer is
able to deploy and run software including applications and operating
systems. The consumer doesn’t control the infrastructure, but does
control the OS, storage, deployed apps and configuration settings.
• CPU
• Memory
• Disk storage, local or SAN
• Operating system
• Switches, all or part of the VLAN
IT Service Management

240
IT Service Management 1/2
• IT service management (ITSM) is the set of activities that ensures the delivery of IT services is efficient and effective,
through active management and the continuous improvement of processes.
• Service desk: Provides a single point of contact for customers—can be a collection point for services like incident,
configuration, change management and others
• Incident management: ITIL defines an incident this way: “An unplanned interruption to an IT Service or reduction in the
quality of an IT service.”
• Problem management: Multiple incidents which seem to have a similar root cause are considered a “problem”
• Change management: Ensures that proposed changes to the IT environment have a formal process for consideration.
(Request, review, approve, implement, verify, post-change review)
• Emergency change management should have a formal process when a change is urgently necessary
• Configuration management: Configuration management (CM) is the process of recording and maintaining the
configuration of IT systems. Each configuration setting is a configuration item (CI). CIs usually include
• Release management: The part of the SDLC where changes in an application are made available to end-users

241
Gregory, Peter H.. CISM Certified Information Security Manager All-in-One Exam Guide (Kindle Locations 8297-8306). McGraw-Hill Education. Kindle Edition.
IT Service Management 2/2
• Service-level management: The set of activities that verifies whether IS
operations is meeting its objectives for service to its customers--achieved through
continuous monitoring, as well as periodic reviews of IT service delivery.
• Financial management: Budgeting, capital investment, expense management,
project accounting and project return on investment (ROI)
• Capacity management: Addresses scalability and the ability to meet customer
needs
• Service continuity management: Ensures capability of IT Services to continue in
the event of a disaster or catastrophe
• Availability management: Provides high availability to critical resources through
redundancy, resiliency and fault tolerance
• Asset Management: Asset management is the collection of activities used to
manage the inventory, classification, use, and disposal of assets.

242
Policies, Procedures, Standards
and Guidelines

243
Policies

Policies are principles, formulated or adopted by an organization to reach its
strategic goals, and are typically published in a booklet or other form that is widely accessible.
Policies are designed to influence and determine all major decisions and actions, and all
activities take place within the boundaries set by them.
• Three main types of policies exist:
• The Corporate (Organizational) Security Policy can be thought of as a blueprint for the whole
organization’s security program. It is the strategic plan for implementing security in the organization.
• A System-specific policy is concerned with a specific or individual computer system. It is meant to
present the approved software, hardware, and hardening methods for that specific system.
• An Issue-specific policy is concerned with a certain functional aspect that may require more attention.
For this reason, a separate policy is prepared for that issue to explain with details the required level of
security, and the instructions that all staff in the organization must abide by to achieve this level.

• http://www.businessdictionary.com/definition/policies-and-procedures.html
244
Standards
⚫ Mandatory
⚫ Created to support policy, while providing more specific details.
⚫ Reinforces policy and provides direction
⚫ Can be internal or external

245
Procedures
⚫ Mandatory
⚫ Step by step directives on how to accomplish an end-result.
⚫ Detail the “how-to” of meeting the policy, standards and guidelines

246
Guidelines
⚫ Not Mandatory
⚫ Suggestive in Nature
⚫ Recommended actions and guides to users
⚫ “Best Practices”

247
Baselines
⚫ Mandatory
⚫ Minimum acceptable security configuration for a system or process
⚫ The purpose of security classification is to determine and assign the necessary baseline
configuration to protect the data

248
Policies, Procedures, Standards

• Policy Objective: Describes ‘what’ needs to be accomplished
• Policy Control: Technique to meet objectives
• Procedure: Outlines ‘how’ the Policy will be accomplished
• Standard: Specific rule, metric or boundary that implements policy
• Example 1:
• Policy: Computer systems are not to be exposed to illegal, inappropriate, or dangerous software
• Policy Control Standard: Allowed software is defined to include ...
• Policy Control Procedure: A description of how to load a computer with required software.
• Example 2:
• Policy: Access to confidential information is controlled
• Policy Control Standard: Confidential information SHALL never be emailed without being encrypted
• Policy Guideline: Confidential info SHOULD not be written to a memory stick
• Discussion: Are these effective controls by themselves?

249
Certification and Accreditation

250
Certification and Accreditation
• Certification is the technical evaluation of the product’s security mechanisms in a
particular environment. Once having passed the certification process, the system is now
verified
• Accreditation: A formal declaration by an AO Authorizing Official (Title that has replaced
Designated Accrediting Authority--DAA) that information systems are approved to operate
at an acceptable level of risk based on the implementation of an approved set of technical,
managerial, and procedural safeguards. Once accredited, the system is now validated.

251
Traditional Evaluation Criteria

252
Common Criteria ISO 15408

➢Protection Profile: Requirements from Agency or Customer
➢Target of Evaluation: System designed by Vendor
➢Security Target: Documentation describing how the ToE meets the Protection Profile
➢Evaluation Assurance Level (EAL 1-7): Describes the level to which the ToE meets the
Protection Profile
253
Common Criteria Evaluation Assurance Levels
• EAL 1 – Functionally tested
• EAL 2 – Structurally tested
• EAL 3 – Methodically tested and checked
• EAL 4 – Methodically designed, tested, and reviewed
• EAL 5 – Semi-formally designed and tested
• EAL 6 – Semi-formally verified design and tested
• EAL 7 – Formally verified design and tested
254
Certification & Accreditation
• Certification:
• A process that ensures systems and major applications adhere to formal
and established security requirements that are well documented and
authorized.
• It is usually performed by QA or someone with technical expertise

• Accreditation/Authorization:
• A formal declaration by an AO Authorizing Official (Title that has replaced
Designated Accrediting Authority--DAA) that information systems are
approved to operate at an acceptable level of risk based on the
implementation of an approved set of technical, managerial, and
procedural safeguards.

255
Monitoring and Metrics

256
Metrics and Monitoring

• A metric is a measurement of a process or entity based on its
performance in relation to desired objectives
• Utilizing metrics properly requires collecting these measurements
and examining them in the context of the overall information
security program
• Monitoring is the continuous or regular evaluation of a system or
control to determine its operation or effectiveness. Can be
quantitative or qualitative

257
Monitoring Function: Metrics

[Diagram: strategic, tactical and operational metrics feeding the monitoring function]
Strategic Metrics:
• Project Plan
• Budget Metrics
• Risk performance Metrics
• Disaster Recovery Test results
• Audit results
• Regulatory compliance results
• Standards compliance
Tactical Metrics:
• Policy compliance
• Exceptions to policy/standards
• Changes in process
• Incident management
Operational Metrics:
• Vulnerability Scan results
• Server configuration
• IDS monitoring results
• Firewall log analysis
• Patch management status
Domain 3 Information Security Program Development and Management Review

● Information Security Concepts
● Information Security Frameworks
● ISO 27001
● COBIT
● Information Security Architecture
● Security Program Operations
● Third Party Governance
● Cloud Integration
● IT Service Management
● Control Integration
● Policies, Procedures, Standards, Guidelines
● Certification and Accreditation/Authorization
● Metrics and Monitoring
259
Review Questions

260
Review Question 1
When contracting with an outsourcer to provide security
administration, the MOST important contractual element is the:
A. right-to-terminate clause.
B. limitations of liability.
C. service level agreement (SLA)
D. financial penalties clause.
Service level agreements (SLAs) provide metrics to which outsourcing firms can
be held accountable. This is more important than a limitation on the
outsourcing firm's liability, a right-to-terminate clause or a hold-harmless
agreement which involves liabilities to third parties.
Review Question 2

On which of the following should a firewall be placed?
A. Web server
B. Intrusion detection system (IDS) server
C. Screened subnet
D. Domain boundary
A firewall should be placed on a (security) domain boundary. Placing it on a web server or
screened subnet, which is a demilitarized zone (DMZ), does not provide any protection.
Since firewalls should be installed on hardened servers with minimal services enabled, it is
inappropriate to have the firewall and the intrusion detection system (IDS) on the same
physical device.
Review Question 3
When a proposed system change violates an existing security standard, the
conflict would be BEST resolved by:
A. calculating the residual risk
B. enforcing the security standard.
C. redesigning the system change.
D. implementing mitigating controls.
Decisions regarding security should always weigh the potential loss from a risk against the existing controls. Each
situation is unique; therefore, it is not advisable to always decide in favor of enforcing a standard. Redesigning the
proposed change might not always be the best option because it might not meet the business needs. Implementing
additional controls might be an option, but this would be done after the residual risk is known.
Review Question 4
An information security program should be sponsored by:
A. infrastructure management.
B. the corporate audit department.
C. key business process owners
D. information security management.
The information security program should ideally be sponsored by business managers, as represented by key business process
owners. Infrastructure management is not sufficiently independent and lacks the necessary knowledge regarding specific business
requirements. A corporate audit department is not in as good a position to fully understand how an information security program
needs to meet the needs of the business. Audit independence and objectivity will be lost, impeding traditional audit functions.
Information security implements and executes the program. Although it should promote it at all levels, it cannot sponsor the effort
due to insufficient operational knowledge and lack of proper authority.
Review Question 5
Which of the following is MOST effective in preventing weaknesses from
being introduced into existing production systems?
A. Patch management
B. Change management
C. Security baselines
D. Virus detection
Change management controls the process of introducing changes to systems. This is often the point at which a
weakness will be introduced. Patch management involves the correction of software weaknesses and would
necessarily follow change management procedures. Security baselines provide minimum recommended settings
and do not prevent introduction of control weaknesses. Virus detection is an effective tool but primarily focuses on
malicious code from external sources, and only for those applications that are online.
Domain 4
Information Security
Incident Management

266
Domain 4 Information Security Incident
Management: Agenda
• The goal of this domain is to develop and prepare the ability to plan, respond and recover
from disruptive events affecting our information assets
• Making the Case for Incident Response Planning
• Incident Management Process Flow
• Developing the Incident Response Plan
• Incident Response Devices
• BCP Concepts
• BCP Frameworks
• Business Continuity Processes
• BCP Sub-Plans
• BCP Roles and Responsibilities

267
Making the Case for Incident
Response Planning

268
Security Incident Response Definitions
• Event: A change in state
• Incident: An event or events that have a negative impact on the
company and its security
• Incident Handling: Involves all the processes associated with
addressing events and incidents.
• Incident Response: The last step of incident management,
encompassing planning, coordination and appropriate mitigation,
containment and recovery strategies

269
The Importance of Incident Response Planning
• Occurrences are increasing
• Losses are escalating
• Increase in vulnerable and misconfigured systems
• Legal and regulatory groups may require
• Growing sophistication of attackers

270
Outcomes of Incident Response Planning
• Impact on the business will be minimized
• Effective plans are in place and understood by stakeholders
• Incidents are identified and contained, as well as identification of root
causes, enabling recovery within the AIW (Acceptable Interruption
Window)

271
Responsibilities of the CISM for Incident Response
• The CISM is responsible for
• Development of Incident management policy:
• Set expectations
• Maintain the consistency and reliability of services
• Provide documentation for roles and responsibilities
• Set requirements for identified alternatives for important functions
• Development of incident management and response plans
• Handling and coordinating incident response activities
• Verifying, validating and reporting of countermeasures
• Planning, budgeting and program development for all matters related to IS
incident management

272
Incident Management and Response Teams
• Emergency action team: designated evacuation and safety team
• Damage assessment team: Qualified team who assesses the extent of the
damage to physical assets and determines salvage capability of resources
and assets
• Emergency management team: Coordinates the actions of other recovery
teams and makes key decisions when necessary
• Relocation team: Responsible for coordination of process of moving to
offsite facility, and back to the restored facility or facility of permanence
• Security team: Often called the CIRT responsible for monitoring the system
and communication links, containing security threats, resolving issues that
impede recovery

273
Incident Management Process
Flow

CMU/SEI “Defining Incident Management Processes” ISACA CISM Study Guide 2015, p. 231

274
Incident Management

[Diagram: the CMU/SEI incident management process cycle: Prepare, Protect, Detect, Triage, Respond]
275
Prepare
• Defines the preparation work that has to be completed prior to having any capability to
respond to incidents:
• Coordinate planning and design
• Identify incident management requirements
• Obtain funding and sponsorship
• Develop Implementation Plan
• Coordinate implementation
• Develop Policies, processes and plans
• Establish Incident handling criteria
• Define Criticality
• Evaluate Incident management capability
• Define post-mortem review
• Define process change procedure

276
Protect
• Protect and secure critical data, services, processes, resources when
responding to incidents
• Also includes a proactive plan for improvement on a predetermined
schedule
• Implement changes to mitigate/limit the scope of the incident
• Implement infrastructure protection improvements as indicated from
post-mortem reviews or other process improvement reviews
• Conduct proactive reviews and assessments of existing infrastructure

277
Detect
Identify unusual/suspicious activity that might compromise critical business functions
or infrastructure
Proactive detection—conduct detective monitoring regularly:
• Honeypots
• Scan for unauthorized servers or hosts
• Analyze network traffic
• Review audit logs and files
Reactive detection is essential as well, to be able to quickly detect an attack:
• Intrusion detection
• Review audit logs and files
278
Triage
• Helps direct response to areas of highest criticality through the following sub-
processes
• Categorization: Uses pre-defined criteria to determine and label the type of
incident
• Correlation: Determine/report other relevant information
• Prioritization: enables minimization of impact to the most critical business
function
• Assignment: to the Incident Response Team (can also be referred to as the IMT—
Incident Management Team)

279
Respond
Steps taken to address, contain, resolve or mitigate an incident
Technical response:
• Collect data
• Analyze incident
• Research corresponding technical mitigation techniques
• Isolate affected systems
• Deploy patches and workarounds
Management Response: Activities that require supervisory or mgmt. intervention—notification, interaction,
escalation or approval—business and senior managers
Legal response—Activity that relates to the investigation, prosecution, liability, copyright and privacy issues
280
Developing the
Incident Response
Plan

University of California, “Responding to Computer Security Incidents”
ISACA CISM Study Guide 2015 p. 234

281
Assessing Current Incident Response Capability
• Survey
• Self Assess
• External Assessment
• Evaluate Threats
• Natural
• Technical
• Man-made
• Evaluate Vulnerabilities
• Technology
• People
• Processes
• Controls
• Incident History
• Current State vs. Desired State
282
Elements of an Incident Response Plan
[Diagram: incident response cycle: Preparation, Identification, Triage, Containment, Eradication, Lessons Learned]
283
Preparation
• Develop an incident response plan prior to an incident
• Develop Approach/Methodology
• Establish policy
• Develop deterrence strategies
• Determine criteria on when to report an incident to law enforcement
• Ensure necessary tools are available

284
Identification
● Verify an actual incident has occurred (violation analysis)
● Assign ownership
● Establish chain of custody
● Determine severity of incident and escalate as necessary

285
Containment
• Once the incident has been identified and verified, the Incident
Response Plan, aka Incident Management Plan is to be activated
• Notify IRT
• Notify affected stakeholders
• Obtain agreement of any actions taken that would affect availability
of services
• Obtain and preserve evidence
• Document actions from this point forward
• Control and manage communications to the public
286
Eradication
• Determine the root cause of the incident and eliminate it
• Determine signs and causes
• Remove root cause
• Improve defenses by implementing proactive techniques
• Perform vulnerability analysis to determine additional weaknesses

287
Recovery
• Restore affected systems or services to a condition specified by the
Service Delivery Objectives or BCP
• Restore to normal operations
• Validate actions taken were successful
• Involve system owners in testing
• Facilitate system owners to declare operations have been restored to
normal

288
Lessons Learned
• At the end of the incident response process, the team is de-briefed and a
report must be developed to share what has happened
• Document the report
• Analyze issues which occurred during incident responses
• Propose improvement
• Present reports to stakeholders

289
Incident Detection Devices

290
Protocol Analyzers (Sniffers) and Intrusion Detection Systems

291
(Diagram) Hosts A, B, C and D connected to a switch; a SNIFFER attached to the switch's SPAN/mirror port, with its NIC in promiscuous mode.
Sniffer + Analysis Engine = Intrusion Detection System
Sniffers, Intrusion Detection, Intrusion Prevention

(Diagram) Hosts A through G across two switches and a router; PORT SPAN: all traffic is mirrored out of the admin port to the SNIFFER (promiscuous mode).
Sniffer + Analysis Engine = IDS/IPS
Intrusion Detection Systems
Software is used to monitor a network segment or an individual computer
Used to detect attacks and other malicious activity
Dynamic in nature
The two main types:
Host-based (local host only)
Network-based (packet sniffer + analysis engine)

294
Types of IDS
Network-based IDS
Monitors traffic on a network segment
Computer or network appliance with a NIC in promiscuous mode
Sensors communicate with a central management console
Most appropriate placement for an IDS is in the DMZ

Host-based IDS (WRAPPERS)
Small agent programs that reside on an individual computer
Detects suspicious activity on one system, not a network segment

295
Analysis Engine Methods
Pattern Matching
• Rule-Based Intrusion Detection
• Signature-Based Intrusion Detection
• Knowledge-Based Intrusion Detection

Profile Comparison
• Statistical-Based Intrusion Detection
• Anomaly-Based Intrusion Detection
• Behavior-Based Intrusion Detection
296
IDS vs. IPS
• IDS: Passive
• Page or email administrator
• Log event

• IPS: Active
• Send reset packets to the attacker’s connections
• Change a firewall or router ACL to block an IP address or range
• Re-configure router or firewall to block protocol being used for attack
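The two analysis-engine families from the "Analysis Engine Methods" slide, and the passive/active difference between IDS and IPS, as an added Python example that is not part of the course material: pattern matching fires on known request signatures, profile comparison flags a source whose request rate deviates from a learned baseline, and the same alerts are either only logged (IDS mode) or also turned into block actions (IPS mode). The log lines, the baseline history, the two signature rules and the 3-sigma threshold are all constructed assumptions for this example.

```python
# Added example (not from the slides): a minimal network-IDS analysis engine that
# applies both methods from the "Analysis Engine Methods" slide, then acts in
# IDS (passive) or IPS (active) mode. All log lines, baseline figures and
# signature rules are constructed for this example.
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Common-log-style request lines: src - - "METHOD path proto" status
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)

# Pattern matching (signature / rule / knowledge-based): known-bad request shapes.
SIGNATURES = [
    ("sql-injection", re.compile(r"'\s*(?:or|and)\s+\d+\s*=\s*\d+", re.I)),
    ("path-traversal", re.compile(r"\.\./")),
]

# Constructed history: requests per source per window observed while learning "normal".
BASELINE_HISTORY = [3, 4, 2, 5, 3, 4, 3, 4]

# Constructed sample window: one normal client, two single malicious requests and
# one noisy scanner that trips no signature but far exceeds the usual request rate.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200',
    '10.0.0.5 - - "GET /about.html HTTP/1.1" 200',
    '10.0.0.5 - - "GET /contact.html HTTP/1.1" 200',
    '10.0.0.7 - - "GET /login?user=admin%27%20OR%201=1 HTTP/1.1" 200',
    '10.0.0.9 - - "GET /images/../../etc/passwd HTTP/1.1" 404',
] + [f'10.0.0.42 - - "GET /probe{i}.php HTTP/1.1" 404' for i in range(12)]


def parse_events(lines):
    """Parse raw lines into dicts; lines that do not fit the format are dropped.
    The path is URL-decoded so that encoded payloads cannot slip past the signatures."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["path"] = unquote(ev["path"])
            events.append(ev)
    return events


def signature_alerts(events):
    """Pattern matching: one alert per (source, rule) that fires on a request."""
    return [(ev["src"], name) for ev in events
            for name, pat in SIGNATURES if pat.search(ev["path"])]


def learn_baseline(history):
    """Profile comparison needs a model of normal: mean and spread of the rate."""
    return statistics.mean(history), statistics.pstdev(history)


def anomaly_alerts(events, baseline, z_threshold=3.0):
    """Statistical / anomaly / behaviour-based: flag sources whose request count in
    this window lies more than z_threshold standard deviations above the baseline."""
    mean, stdev = baseline
    if stdev == 0:  # degenerate baseline: no meaningful deviation can be measured
        return []
    counts = Counter(ev["src"] for ev in events)
    return [(src, "request-rate-anomaly")
            for src, n in counts.items() if (n - mean) / stdev > z_threshold]


def run_sensor(lines, baseline, mode="ids"):
    """mode='ids': passive, alerts are only logged for the administrator.
    mode='ips': active, the same alerts also yield block actions (the ACL change
    or reset described on the IDS vs. IPS slide)."""
    events = parse_events(lines)
    alerts = signature_alerts(events) + anomaly_alerts(events, baseline)
    blocked = sorted({src for src, _ in alerts}) if mode == "ips" else []
    return {"alerts": alerts, "blocked": blocked}


if __name__ == "__main__":
    result = run_sensor(SAMPLE_LOG, learn_baseline(BASELINE_HISTORY), mode="ips")
    for src, rule in result["alerts"]:
        print(f"ALERT {rule:<22} from {src}")
    print("blocked:", ", ".join(result["blocked"]))
```

Note the division of labour: the scanner at 10.0.0.42 never matches a signature (its requests are ordinary 404s), so only the profile comparison catches it, while the two single requests never move the rate and are caught only by the signatures. Running the same alerts in IPS mode is what turns "page the administrator" into "block the source", which is also why a false positive costs much more in IPS mode than in IDS mode.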

297
IDS Issues
• May not be able to process all packets on large networks
• Missed packets may contain actual attacks
• IDS vendors are moving more and more to hardware-based systems
• Cannot analyze encrypted data
• Switch-based networks make it harder to pick up all packets
• A lot of false alarms
• Not an answer to all prayers
• Firewalls, anti-virus software, policies, and other security controls are still
important

298
Business Continuity

299
300
Business Continuity and Disaster Recovery Planning
● Concepts
● Frameworks
● NIST 800-34

301
BCP Concepts

302
BCP vs. DRP: Concepts
• Business Continuity Planning: Focuses on sustaining operations and protecting the viability of the business following a disaster, until normal business conditions can be restored. The BCP is an “umbrella” term that includes many other plans, including the DRP. Long-term focused

• Disaster Recovery Planning: Goal is to minimize the effects of a disaster and to take the necessary steps to ensure that the resources, personnel and business processes are able to resume operations in a timely manner. Deals with the immediate aftermath of the disaster, and is often IT focused. Short-term focused

303
BCP Relationship to Risk Management

304
Categories of Disruptions
• Non-disaster: Device malfunction or short-term disruption of service
• Emergency: Imminent threat to life or property
• Disaster: Building is unusable for a day or longer
• Catastrophe: Building is destroyed

305
BCP Frameworks

306
BCP Frameworks
Standards help solve issues of inconsistency in terms, definitions and documents (within the organization)
The following institutes and standards provide guidance on BCP/DRP:
 DRII (Disaster Recovery Institute International)
 NIST 800-34 rev 1
 ISO 27031
 BCI GPG (Business Continuity International Good Practice Guidelines)
 ISC2.org Four Processes of Business Continuity

307
7 Phases of Business Continuity Plan NIST SP 800-34 Revision 1
(Process diagram, seven phases)
1. BCP Policy
2. Business Impact Analysis
3. ID Preventative Controls
4. Create Contingency Strategies
5. Develop IS Contingency Plan
6. Testing, Training and Exercises
7. Maintenance
308
NIST SP 800-34 revision 1

309
Business Continuity Planning
Processes

310
Business Continuity Planning Processes

1. Project scope and planning
2. Business impact assessment
3. Continuity planning
4. Approval and implementation

311
Step 1: Project Scope and Planning
• Acquire BCP Policy Statement from Senior Management
• Business Organization Analysis: Structured analysis of the business’s organizational assets. Done FIRST
• BCP Team Creation, including a Project Manager. Should be a cross-functional team, including representation from senior management
• An assessment of the resources available and of senior management’s commitment to support the BCP process
• An analysis of the legal and regulatory landscape that governs an organization’s response to a catastrophic event

312
Step 1: Project Initiation

• Must have BCP Policy and commitment of support from SENIOR MANAGEMENT
• Representatives from each of the organization’s departments
responsible for the core services performed by the business
• Representatives from the key support departments identified by the
organizational analysis
• IT representatives with technical expertise in areas covered by the
BCP
• Security representatives with knowledge of the BCP process
• Legal representatives familiar with corporate legal, regulatory, and
contractual responsibilities
• Representatives from senior management

313
Step 1: Project Scope and Planning: Legal and
Regulatory Compliance

• Senior management has the ultimate legal responsibility. They may be:
• Held responsible and liable under various laws and regulations
• Sued by their stockholders if not managing with due diligence and due
care
• Sued by employees or families in the event of injury or loss of life

314
BCP Regulatory Examples

315
Step 2: Business Impact Assessment
• Risk Identification
• Internal vs. 3rd Party
• Probability and Impact
• Categorizes processes/resources based on criticality
• Defines quantitative metrics to assist with prioritizing recovery
focus
• The BIA establishes the recovery priorities

316
Step 2: Business Impact Assessment: Identify Priorities

• Identifies and prioritizes all business processes/resources based on criticality
• Create an in-depth list of business processes and their impact on the organization if UNAVAILABLE
• Often delegated to individual departments for accuracy and buy-in
• Criticality is driven by the amount of loss the organization will suffer if the resource is unavailable
• MTD/MTO: Maximum Tolerable Downtime/Outage: Longest time the function can be inoperable before causing a loss that is unacceptable to senior management
• RTO: Recovery Time Objective: The amount of time in which you think you can feasibly recover the function in the event of a disruption (must be less than MTD)
• RPO: Recovery Point Objective: Tolerance for data loss

317
Goals of the BIA

318
Step 2: Business Impact Assessment: Risk
Associated with Procurements and the Cloud
• Evaluate the CSP’s business continuity plan; examine the SLA
• Verify controls are in place to meet obligations, in person or through an independent audit made available as SOC (Service Organization Controls) reports

319
Step 3: Continuity Planning: Strategy Development

• Examines the BIA for metrics and maps controls to meet the
objectives
• Determine appropriate responses:
• Reduce
• Assign/Transfer
• Accept
• Reject
• Some risks will have to be accepted (based on cost/benefit) while others require a more active strategy

320
Step 3: Continuity Planning: Provisions and Processes
• BCP designs the specific procedures necessary to mitigate the risks to a level that is
acceptable to senior management.
• Three assets:
• People—first priority always
• Buildings/Facilities
• Hardening Provisions—mitigating harm to facility
• Alternate sites
• Mirrored
• Leased sites
• Cold
• Warm
• Hot
• Infrastructure
• Redundancy of Critical Systems and Services
• Recovery strategies
• Failover/Failback

321
Step 4: Plan Approval and Implementation
• Plan Approval
• If possible, CEO should endorse plan
• Otherwise another senior officer
• Indicates dedication of the business to the process of
business continuity planning
• Plan Implementation
• Create Implementation guide/schedule
• Deploy resources
• Supervise maintenance of plan
• Train and Educate Employees
• Distribute plan on need to know basis
• Everyone should get at least an overview

322
Disaster Recovery

323
Phases of a Disaster

1. Declaration: Communicate the state of the disaster to employees based on pre-defined criteria and means.
2. Recovery: Focus is on the immediacy of the disaster. Human life comes first. Next, the restoration of critical business services per the BIA, beginning with the MOST critical services first.
3. Reconstitution: Return to a state of full operations at the permanent facility. Restore operations beginning with the LEAST critical.
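The BIA metrics from the "Identify Priorities" slide (MTD, RTO and RPO, with the rule that RTO must be less than MTD) and the recovery/reconstitution ordering from the "Phases of a Disaster" slide, worked through in an added Python example that is not part of the course material. The processes, the 1-to-4 criticality scale and the hour values are constructed; the sequential single-team recovery is an assumption introduced to show why a per-process RTO can pass the BIA check and still miss its MTD once restores are queued one after another.

```python
# Added example (not from the slides): checking the BIA metrics defined on the
# "Identify Priorities" slide (MTD, RTO, RPO) and deriving the recovery and
# reconstitution orders described under "Phases of a Disaster". The processes,
# criticality scale and hour values are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessProcess:
    name: str
    criticality: int    # assumed scale: 1 = most critical
    mtd_hours: float    # Maximum Tolerable Downtime / Outage
    rto_hours: float    # Recovery Time Objective (must be below MTD)
    rpo_hours: float    # Recovery Point Objective: tolerated data loss


# Constructed BIA output. "Change management" is deliberately inconsistent:
# its RTO is longer than its MTD, which the review below must catch.
SAMPLE_BIA = [
    BusinessProcess("E-commerce web site", 1, mtd_hours=4, rto_hours=2, rpo_hours=0.25),
    BusinessProcess("Change management", 2, mtd_hours=24, rto_hours=30, rpo_hours=24),
    BusinessProcess("Contractor payroll", 3, mtd_hours=72, rto_hours=24, rpo_hours=24),
    BusinessProcess("Fixed asset system", 4, mtd_hours=168, rto_hours=120, rpo_hours=168),
]


def inconsistent_objectives(processes):
    """Names of processes whose RTO does not stay below the MTD."""
    return [p.name for p in processes if p.rto_hours >= p.mtd_hours]


def recovery_order(processes):
    """Recovery phase: MOST critical first; ties broken by the shortest MTD."""
    return [p.name for p in sorted(processes, key=lambda p: (p.criticality, p.mtd_hours))]


def reconstitution_order(processes):
    """Reconstitution at the permanent facility: LEAST critical first."""
    return list(reversed(recovery_order(processes)))


def sequential_recovery_plan(processes):
    """Assume one recovery team restores processes one after another in recovery
    order. Each process then finishes at the cumulative elapsed time, and that is
    the figure to compare with its MTD. Returns (name, finish_hour, meets_mtd)."""
    by_name = {p.name: p for p in processes}
    elapsed, plan = 0.0, []
    for name in recovery_order(processes):
        p = by_name[name]
        elapsed += p.rto_hours
        plan.append((name, elapsed, elapsed <= p.mtd_hours))
    return plan


def max_backup_interval_hours(processes):
    """The tightest RPO in the set bounds how often shared backups must run."""
    return min(p.rpo_hours for p in processes)


if __name__ == "__main__":
    print("RTO >= MTD:", inconsistent_objectives(SAMPLE_BIA))
    for name, finish, ok in sequential_recovery_plan(SAMPLE_BIA):
        print(f"{name:<22} restored at {finish:>6.1f}h  {'OK' if ok else 'MISSES MTD'}")
```

Running it shows two different failures: "Change management" fails the RTO < MTD check on its own, while "Fixed asset system" passes that check yet misses its MTD because 176 hours have elapsed by the time its turn comes. The second kind of gap is only visible when the per-process objectives are put into a schedule, which is one reason the slides insist the BIA drives all later decisions.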
Disaster Recovery
• Strategy development: Examines the BIA for metrics and maps controls to meet the objectives
• Current State →Gap Analysis→ Desired State
• Provisions and processes
• People—first priority always
• Buildings/Facilities
• Infrastructure
• Plan testing and approval
• Checklist
• Structured Walkthrough/Tabletop
• Simulation
• Parallel
• Full Interruption
• Plan implementation
• Training and education

325
BCP Roles and Responsibilities

326
Roles and Responsibilities
• Senior Executive Management
• Consistent support and final approval of plans
• Setting the business continuity policy
• Prioritizing critical business functions
• Allocating sufficient resources and personnel
• Providing oversight for and approving the BCP
• Directing and reviewing test results
• Ensuring maintenance of a current plan

327
Roles and Responsibilities
▪ Senior Functional Management
▪ Develop and document maintenance and testing strategy
▪ Identify and prioritize mission-critical systems
▪ Monitor progress of plan development and execution
▪ Ensure periodic tests
▪ Create the various teams necessary to execute the plans

328
Roles and Responsibilities
• BCP Steering Committee
• Conduct the BIA
• Coordinate with department representatives
• Should include:
• Business units
• Senior management
• IT department
• Security department
• Communications department
• Legal department

329
Disaster Recovery Teams
• Teams:
• Rescue: Responsible for dealing with the immediacy of disaster—employee
evacuation, “crashing” the server room, etc.
• Recovery: Responsible for getting the alternate facility up and running and
restoring the most critical services first.
• Salvage: Responsible for the return of operations to the original or
permanent facility (reconstitution)

330
Developing the Teams
 Management should appoint members

 Each member must understand the goals of the plan and be familiar with the department
they are responsible for

 Agreed upon prior to the event:
 Who will talk to the media, customers, shareholders
 Who will set up alternative communication methods
 Who will set up the offsite facility
 Established agreements with off-site facilities should be in place
 Who will work on the primary facility

331
Testing the Plan

332
Types of Tests
 Checklist Test
 Copies of plan distributed to different departments
 Functional managers review

 Structured Walk-Through (Table Top) Test
 Representatives from each department go over the plan

 Simulation Test
 Going through a disaster scenario
 Continues up to the actual relocation to an offsite facility

333
Types of Tests

• Parallel Test
• Systems moved to alternate site, and processing
takes place there

• Full-Interruption Test
• Original site shut down
• All of processing moved to offsite facility

334
Post-incident Review
• After a test or disaster has taken place:
• Focus on how to improve
• What should have happened
• What should happen next
• Not whose fault it was; this is not productive

335
Maintaining the BCP
• Keeping the plan up to date: revisit at least once per year or in the event of major change
• Make it a part of business meetings and
decisions
• Centralize responsibility for updates
• Part of job description
• Personnel evaluations
• Report regularly
• Audits
• As plans get revised, original copies should be
retrieved and destroyed
336
Incident Response Review

• Incident Management Processes
• Incident Response
• Incident Detection
• Sniffers
• IDS
• IPS
• Business Continuity
• Disaster Recovery
CISM Review

338
Alignment with Business Objective

Know the business first
Always focus first on alignment with business objectives
o Ensures we use resources in areas that will impact the business the most
o Helps deliver value
o Governance is accountable for approval of the alignment

339
Governance
Governance is accountable for:
Risk Appetite
Goals:
• Providing strategic vision and direction
• Maintaining Compliance with Laws and Regulations
• Reaching security and business objectives
• Ensure that risks are managed appropriately and proactively
• Verify that the enterprise’s resources are used responsibly

340
Management
To Determine the “how”
Assesses, implements, and monitors
Risk Tolerance and Thresholds

341
Security Strategy should:
• Indicate necessary resources
• Identify constraints
• Provide a roadmap
• Include people, processes, technologies and other resources
• Define a security architecture: business drivers, resource relationships and process flows
• Treat achieving the desired state as a long-term goal of a series of projects or a program
o Gap analysis examines the difference between the current state and the desired state
▪ CMMI

342
Security Program
Must determine goals first
• Basis for Security Program is Risk Management
• Elements of a security Program include
o Policies: broad statements from senior management, not likely to change often
o Standards: Define policy—may change as technology or practices change
o Processes &Procedures
▪ Step-by-step guides
▪ Must be formally documented and repeatable and sustainable
o Guidelines
▪ Suggestions--Not mandatory
o Controls
Balanced Approach:
Technical, Administrative, Physical Controls
343
Managerial Controls
▪ Separation of Duties
▪ Mandatory Vacations
▪ Principle of least privilege
• Limit administrative access
▪ Need to Know
▪ Dual Control
▪ Policy Enforcement
▪ Audit

344
Technical Controls
Technical (Logical)
▪ Firewalls provide isolation between security zones (trusted, untrusted, semi-trusted)
• Semi-trusted is the DMZ (should include Web, Mail, DNS, honeypots, and IDS), also called a screened subnet
▪ NAT/PAT
• Provides protection by obscuring internal systems and allowing them to use a single external address
▪ Single sign-on allows a user to have a single username/password to access many resources
• Kerberos is a symmetric, ticket-based system that grants access.

345
Risk
ISACA’s Risk IT Lifecycle:
Identify: ID assets, threats, vulnerabilities
Assess: Determine value (qualitative and/or quantitative)
Mitigate/Respond: Reduce, Accept, Transfer
Monitor: Ongoing monitoring using KRIs and KPIs

346
Incident Response
Incident response goal is to minimize impact on the business
• Investigate first (violation analysis)
• Unless instructed to do so, don’t act… notify the CIRT
• Best way to ensure controls will work is to test them: pen tests and vulnerability assessments
o Most important is that objectives are defined
o Second should be signed approval from senior management

347
Incident Response
Segment any affected system or network
o Do NOT turn off systems, reboot, or conduct investigations
o Forensics requires collection of evidence from most to least volatile
▪ Maintain chain of custody
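The two evidence-handling rules repeated on these slides, capture from most to least volatile (above) and establish and maintain chain of custody (here and under Identification), as an added Python example that is not part of the course material. The volatility ranking, the evidence bytes, the participant names and the timestamps are constructed for the example; SHA-256 is used as the integrity fingerprint taken at acquisition.

```python
# Added example (not from the slides): an evidence register implementing the two
# handling rules on these slides, capture from most to least volatile and keep an
# unbroken chain of custody. The volatility ranking, evidence bytes, names and
# timestamps are constructed for the example.
import hashlib

# Assumed order of volatility, most volatile first (example ranking).
VOLATILITY_RANK = {
    "memory": 0, "network-connections": 1, "running-processes": 2,
    "disk-image": 3, "system-logs": 4, "offline-backups": 5,
}


def acquisition_order(sources):
    """Sort evidence sources so that the most volatile are captured first."""
    return sorted(sources, key=lambda s: VOLATILITY_RANK[s["type"]])


def fingerprint(data: bytes) -> str:
    """SHA-256 of the acquired item; recorded once, at acquisition."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Hash each item when acquired and keep an append-only record of every
    handover, so both integrity and continuity of possession can be shown later."""

    def __init__(self):
        self._records = {}

    def acquire(self, evidence_id, data, collector, when):
        if evidence_id in self._records:
            raise ValueError(f"{evidence_id} is already registered")
        self._records[evidence_id] = {
            "sha256": fingerprint(data),
            "events": [{"when": when, "action": "acquired", "from": None, "to": collector}],
        }
        return self._records[evidence_id]["sha256"]

    def current_holder(self, evidence_id):
        return self._records[evidence_id]["events"][-1]["to"]

    def transfer(self, evidence_id, giver, receiver, when, purpose):
        """Refuse a handover from anyone other than the recorded holder."""
        holder = self.current_holder(evidence_id)
        if giver != holder:
            raise ValueError(f"custody break: {giver} does not hold {evidence_id} ({holder} does)")
        self._records[evidence_id]["events"].append(
            {"when": when, "action": f"transferred ({purpose})", "from": giver, "to": receiver})

    def verify(self, evidence_id, data):
        """True only if the item presented still matches the acquisition hash."""
        return fingerprint(data) == self._records[evidence_id]["sha256"]

    def report(self, evidence_id):
        rec = self._records[evidence_id]
        lines = [f"{evidence_id} sha256={rec['sha256']}"]
        lines += [f"  {e['when']}  {e['action']:<24} -> {e['to']}" for e in rec["events"]]
        return "\n".join(lines)


def run_demo():
    """Walk one item through acquisition, handover, verification and a refused
    out-of-chain transfer; returns the observations so they can be checked."""
    sources = [{"name": "server disk", "type": "disk-image"},
               {"name": "server RAM", "type": "memory"},
               {"name": "syslog archive", "type": "system-logs"}]
    capture = b"constructed memory capture bytes"   # stands in for a real image
    log = CustodyLog()
    log.acquire("EV-001", capture, "responder-a", "2024-01-01T10:00Z")
    log.transfer("EV-001", "responder-a", "analyst-b", "2024-01-01T12:00Z", "analysis")
    try:  # responder-a no longer holds the item, so this handover must be refused
        log.transfer("EV-001", "responder-a", "analyst-c", "2024-01-01T13:00Z", "second opinion")
        break_detected = False
    except ValueError:
        break_detected = True
    return {
        "acquisition_order": [s["name"] for s in acquisition_order(sources)],
        "holder": log.current_holder("EV-001"),
        "intact": log.verify("EV-001", capture),
        "tampered_detected": not log.verify("EV-001", capture + b"\x00"),
        "break_detected": break_detected,
        "report": log.report("EV-001"),
    }


if __name__ == "__main__":
    print(run_demo()["report"])
```

The register answers the two questions an investigation or a court will ask: has the item changed since it was collected (verify against the acquisition hash) and who held it at every moment (the transfer record, which refuses any handover from someone who is not the recorded holder). The volatility sort is applied before collection starts, since memory and network state are gone once a system is rebooted, which is also why the slide says not to turn systems off.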

348
Intrusion Detection
Intrusion Detection System
▪ HIDS examines only a single host
▪ NIDS examines a network segment
• Placed in DMZ and Internal network
▪ Can look for
• signatures (can’t detect zero day attacks)
• behaviors (can have false positives)

349
Business Continuity
Business Continuity: Start with the BIA (prioritize based on criticality)
o Long-term health of the business no matter what
o Includes a DRP focused on IT and the immediacy of the disaster
o All decisions stem from the BIA (must be signed off by management)
▪ Assesses criticality of processes/systems and prioritizes them
o Protect human life first
o Must start with policy
o RTO: maximum amount of time a service can be inaccessible before the loss is unacceptable to senior management
o RPO: tolerance for data loss
o Cold site: facility with nothing but power/plumbing
o Warm site: nothing proprietary, but would have basic business needs (furniture, phones, etc.)
o Hot site: ready to go as soon as the most current data is restored

350
Testing the BCP
Testing is essential; it should mimic a disaster as much as possible.
▪ Only use resources at the offsite facility or those located outside the building
▪ 5 types of tests
• Checklist
• Tabletop (Structured Walkthrough)
• Simulation
• Parallel
• Full interruption

351
On Testing Day…
Get a good night’s sleep beforehand; don’t stay up all night cramming
Get up in plenty of time to get to the testing center. If late for any reason, call!
Be mindful of the clock: 200 questions in four hours
Choose the best answer. Trust your instincts
Limit the number of questions you change
Many questions are “MOST” or “BEST”, which means multiple answers are true; ask which one solves the problem best, most efficiently, or is most closely aligned with ISACA
*****Think alignment with business goals, risk management, cost/benefit analysis, measurable objectives
352
Review Questions
1. Which of the following application systems should have the shortest
recovery time objective (RTO)?
A. Contractor payroll
B. Change management
C. E-commerce web site
D. Fixed asset system

353
2. Which of the following would BEST ensure the success of information security governance within an organization?
A. The steering committee approves all security projects.
B. The security policy manual is distributed to all managers.
C. Security procedures are accessible on the company intranet.
D. The corporate network utilizes multiple screened subnets.

354
3. Which of the following BEST indicates a successful risk
management practice?
A. Overall risk is quantified
B. Inherent risk is eliminated
C. Residual risk is minimized
D. Control risk is tied to business units

355
4. Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?
A. More uniformity in quality of service
B. Better adherence to policies
C. More aligned to business unit needs
D. Less total cost of ownership

356
5. The BEST reason for an organization to have two discrete firewalls connected directly to the Internet and to the same DMZ would be to:
A. provide defense in-depth.
B. separate test and production.
C. permit traffic load balancing.
D. prevent a denial-of-service attack.

357
6. What is the BEST way to ensure that a corporate network is adequately secured against external attack?
A. Utilize an intrusion detection system.
B. Establish minimum security baselines.
C. Implement vendor recommended settings.
D. Perform periodic penetration testing.

358
17. Which of the following is the MOST effective in preventing attacks that exploit weaknesses in operating systems?
A. Patch management
B. Change management
C. Security baselines
D. Acquisition management

359
7. Which of the following is MOST indicative of the failure of information security governance within an organization?
A. The information security department has had difficulty filling vacancies.
B. The chief information officer (CIO) approves changes to the security policy.
C. The information security oversight committee only meets quarterly.
D. The data center manager has final sign-off on all security projects.

360
8. Which of the following is the MOST effective solution for preventing internal users from modifying sensitive and classified information?
A. Baseline security standards
B. System access logs
C. Role-based access controls
D. Intrusion detection system

361
