Donald JG Chiarella, PhD, CISM, CDMP, PEM, CHS-CIA, MBA
Domain 1 – Information Security Governance
Domain 2 – Information Risk Management and Compliance
Domain 3 – Information Security Program Development and Management
Domain 4 – Information Security Incident Management
Definition – rules, processes, or laws by which businesses are managed, operated, and controlled Defining Information Information Concepts Info Security – deals with content, info, knowledge Outcomes – strategic alignment, risk mgt, value delivery, resource mgt, performance mgt, integration.
Effective Info Security Governance Business Goals and Objectives Roles and Responsibilities Outcomes and Responsibilities Sr. Mgt commitment and support Establish Reporting and communication channels Governance, Risk Mgt, Compliance Business Model for Info Security
Info Security Concepts and Technology Complexity of network Computer Based Info System Business Info System Info Security Concepts Attacks Trends of Attacks Cyber Attack evolution Increase in Malicious Software Global Attack Trend More than Just Computer Security
Scope and Charter Assurance Process Integration Third Party Relationship Implementation Metrics Type of Metrics
Definition of a Strategy Information Strategy? Participants Alternate View Common Pitfalls Objectives Goals Desired State of Security Prevalent Standards and Frameworks Capability Maturity Model (CMM)
COBIT Balanced Scorecard SABSA ISO/IEC 17799/ISO Other Approaches Risk Objectives Optimizing risk cost
Info Security Strategy Development Determine current state of security Info Security strategy development Elements of Strategy Constraints Action Plan Policy Development Standards Development Key Goal Indicator Key Risk Indicator Key Performance Indicator Info Security Governance Assurance
An example Addition Policy Samples Action Plan Immediate goals Info Security Program Objectives
Risk Mgt Why Risk Mgt? Risk Mgt Process Outcomes of Risk Mgt Risk Appetite Information Asset Examples Information Asset Owners Information Asset Inventory
Information Classification Purpose of Asset Classification Basis for Classifications Sensitivity and Criticality of Data Asset Classification and BCM, DRP Relationship between Risk, Impact, Sensitivity, and Criticality Management of Classified Information
Asset Valuation Asset Valuation Approaches Purpose and Benefits of Asset Valuation Relationship of valuation and impact assessment Methodology methods such as risk assessment, information resource valuation
Legal, Regulatory, and Organizational Compliance Legal and Regulatory Factors Operational Compliance Risk Threat Identification Threat Categories Vulnerability Assessment Risk Identification Risk Estimate Factors Likelihood
Risk Assessment Introduction Risk Analysis vs. Risk Assessment vs. Risk Mgt Risk rating Matrix Risk Assessment methodology Risk IT Framework based on COBIT Octave Method NIST Probabilistic Risk Assessment Factor Analysis of Information Risk (FAIR) Aggregated Risk and Cascading Risks Risk Identification Methodology Operational Risk Areas Qualitative Risk Analysis Probability Scales Quantitative Risk Analysis
Semi-quantitative risk analysis Probability Distribution Subjective vs. Objective probability
Risk Response Techniques Risk Prioritization Risk Mgt options Negative Risk Strategies Risk Avoidance Risk Transference Risk Mitigation Risk Acceptance Residual Risk Documenting Risk
Controls Identify possible controls Risk mgt action Risk control strategy selection Risk control life cycle Categories of control Control types Architectural Layer Info Security principles Cost Benefit Analysis Cost Benefit The Cost Benefit Analysis (CBA) Formula Other Feasibility Approaches Baseline
Business Impact Analysis Impact Analysis & Risk Assessment Recovery Time Objectives (RTO) Recovery Point Objective (RPO) Gap Analysis
Enterprise Risk Mgt Methodologies What is enterprise risk mgt? Characteristics of enterprise risk mgt Why ERM is important Enterprise Risk Mgt – integrated framework ERM and Project Mgt ERM and system development life cycle Risk monitoring and communication Reporting Risk
InfoSec Program Overview InfoSec Mgt Trends IS Program Critical Components Importance of IS program Outcomes of IS program
InfoSec Program Objectives IS Program Objectives Defining Objectives
IS Program Concepts Technology Resources
Scope and Charter of an InfoSec Program
InfoSec Mgt Framework IS Mgt Framework COBIT ISO/IEC27001
InfoSec Framework Components IS Framework Components Operational Components Management Components Administrative Components Educational and Informational Components
Defining an Information Security Program Roadmap IS program roadmap Elements of a roadmap Gap analysis for a roadmap
InfoSec Infrastructure and Architecture Objectives of IS Architecture
Architecture Implementation SABSA
IS Program Mgt Activities IS Program – Administrative Activities IS Program – Personnel, Roles, and Responsibilities Model for Roles, responsibilities Security Awareness, training, education Security Awareness Documentation Program development and Project Mgt Risk Mgt Business Case Development IS Program Budgeting
General Rules of use – acceptable use policy Information security problem mgt Vendor Mgt IS Program Mgt Evaluation Plan-do-check-act Legal and regulatory requirements Physical and environmental factors Ethics Culture and regional variances Logistics
Security Program Services and Operational Activities IS program services and operational activities Cross-organizational responsibilities IS Manager responsibilities IS responsibilities of other departments Incident response Security review and audits Management of security technology Due Diligence Managing and controlling access to information resources Vulnerability Reporting Compliance Monitoring and enforcement Risk and business impact assessment
Controls and Counter Measures Controls Control categories Control Design Considerations Control Types and Effects Controls Recommended by ISO/IEC Controls as strategy implementation resources Control Strength Control Methods Control recommendation Countermeasures
Physical and environmental controls Native control technologies Supplemental control technologies Management support technologies Technical Control components and architecture Control testing and modification Baseline controls
IS Program metrics and monitoring Metrics development Monitoring approaches Monitoring Security Activities in infrastructure Determining Success of IS investments Measuring information security risk and loss Measuring support of organizational objectives Measuring compliance Measuring operational productivity Measuring security cost-effectiveness Measuring organizational awareness Measuring effectiveness of technical security architecture
Measuring effectiveness of management framework and resources Measuring operational performance Monitoring and communication
Common Infosec Program Challenges Inadequate management support Inadequate funding Inadequate staffing
Incident Mgt Overview Definition Goal of Incident Mgt and Response Activities
Incident response procedures Outcomes of incident mgt Concepts Effective incident mgt Incident Mgt systems
Info Sec Manager IS manager responsibilities Senior Mgt Commitment
Incident Mgt Resources Policies and Standards Incident Mgt response technology concepts Personnel Roles and responsibilities Skills Personal Skills Technical Skills Awareness and education Audits Outsourced security providers
Incident Mgt objectives Desired State
Incident Mgt Metrics and Indicators Incident Mgt Metrics Strategic Alignment Risk Mgt Assurance Process Integration Value delivery Resource Mgt Performance Mgt
Defining incident mgt procedures Detailed Plan of Action for Incident Mgt
Current state of incident response capability History of Incidents Threats Vulnerabilities
Developing an incident response plan Elements of an incident response plan Gap analysis – basis for an incident mgt plan Business impact assessment Elements of a BIA Benefits of a BIA Escalation process for effective incident mgt Help desk process for identifying security incidents Incident Mgt and response team Organizing, training, and equipping the response staff Incident notification process Challenges in developing an incident mgt plan
Business Continuity and Disaster Recovery Procedures Recovery planning and business recovery procedures Recovery operations Recovery Strategies Addressing Threats Recovery Sites (1/2) Criteria for selecting alternative site Basis for recovery site selection Reciprocal agreements Alternatives for backup facilities Recovery of telecommunications Recovery Strategy Approach
Strategy Implementation Recovery Plan elements Integrating recovery objectives and impact analysis into incident response Risk acceptance and tolerance Business Impact Analysis Recovery time objectives (RTO) Recovery point objective (RPO) Service delivery objective (SDO) Maximum tolerable outage (MTO) Notification requirements
Supplies Telecommunication networks High availability considerations Insurance Updating recovery plans
Testing Incident Response and Business Continuity / Disaster recovery procedures Testing incident response and recovery plans Periodic testing Periodic testing process Testing for Infrastructure and Business Critical applications Types of tests Test results Additional tests Test recovery metrics
Executing Response and Recovery Plans Ensuring execution as required Review of Response and Recovery plans Maintaining Business Continuity and Disaster Recovery Plan
Post Incident Activities and Investigation Identify cause and corrective action Documenting evidence Establishing post incident procedures Requirements of evidence Legal aspects of forensic evidence
Finis