2010 CISM The How To Pass On Your First Try Certification Study Guide PDF
This Exam Preparation book is intended for those preparing for the
Certified Information Security Manager certification.
Do not underestimate the value of your own notes and study aids.
The more you have, the more prepared you will be.
Ivanka Menken
Executive Director
The Art of Service
Copyright The Art of Service│Brisbane, Australia│Email:service@theartofservice.com
Web: http://theartofservice.com │eLearning: http://theartofservice.org │Phone: +61 (0)7 3252 2055
Write a review to receive any free eBook from our Catalogue -
$99 Value!
If you recently bought this book we would love to hear from you!
Benefit from receiving a free eBook from our catalogue at
http://www.emereo.org/ if you write a review on Amazon (or the online
store where you purchased this book) about your last purchase!
Table of Contents
FOREWORD ............................................................................................................ 1
2 EXAM SPECIFICS............................................................................................. 9
Notice of Rights
All rights reserved. No part of this book may be reproduced or transmitted in any form
by any means, electronic, mechanical, photocopying, recording, or otherwise, without
the prior written permission of the publisher.
Notice of Liability
The information in this book is distributed on an “As Is” basis without warranty. While
every precaution has been taken in the preparation of the book, neither the author nor
the publisher shall have any liability to any person or entity with respect to any loss or
damage caused or alleged to be caused directly or indirectly by the instructions
contained in this book or by the products described in it.
Trademarks
Many of the designations used by manufacturers and sellers to distinguish their
products are claimed as trademarks. Where those designations appear in this book,
and the publisher was aware of a trademark claim, the designations appear as
requested by the owner of the trademark. All other product names and services
identified throughout this book are used in editorial fashion only and for the benefit of
such companies with no intention of infringement of the trademark. No such use, or
the use of any trade name, is intended to convey endorsement or other affiliation with
this book.
1 Certified Information Security Manager
2 Exam Specifics
After passing the exam, the candidate has five years to apply for
certification. This is done by completing the certification process and
verifying work experience. Two years of experience in information
security management are required. This requirement can be substituted
with one of the following:
Certified Information Systems Auditor (CISA) in good standing.
Certified Information Systems Security Professional (CISSP) in good
standing.
Postgraduate degree in information security or a related field.
Partial credit to fulfill the requirement is possible with one of the
following:
One full year of information systems management
experience.
One full year of general security management experience.
Skill-based security certification.
3 Information Security Governance
At the core of every effort are the customer's goals and objectives for
their business. These are the valued products and services that the
customer provides to the marketplace. To make this provision possible,
technologies and IT services are in place to provide support in
production, administration, and communication. Security Management
provides the policies, classifications, and guidelines for protecting
the informational and physical assets of the enterprise.
The goal of Enterprise IT Management is to create value for the
customer. The definition of value begins with the desired business
outcomes of the customer, but is also dependent on the perception of
value for the customer. From a business and/or IT perspective, the
questions often asked to determine and define value are:
What is the business?
Who is the customer?
What does the customer value?
Who needs our products and services?
How are our products and services used?
What makes our products and services valuable?
enterprise, the systems and communication mediums used to deliver
that information, and providing protection from harm due to failures in
confidentiality, integrity, and availability.
often found when greater availability is provided to the user base.
Plan
Implement
Evaluate
Maintain
Repressive – intended to reduce or stop the security
incident from occurring again. Disabling accounts after
several sequential failed login attempts is an example of
repressive measures.
Corrective – intended to repair the damage resulting from
a security incident. Restoring, roll-back, and back-out
procedures are examples of corrective measures.
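The account-lockout measure named above as an example of a repressive control, worked through as an added illustration (this code is not from the study guide). The threshold of five sequential failures, the 15-minute lockout and the user names are assumed policy values and constructed data:

```python
"""Repressive control: lock an account after N sequential failed logins.

Added illustration, not from the study guide. Threshold, lockout period and
account names are assumed; a real deployment persists the counters and the
lockout state in the identity store rather than in process memory.
"""
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5        # assumed policy: 5 sequential failures
LOCKOUT_SECONDS = 15 * 60    # assumed policy: 15-minute lockout


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginGuard:
    def __init__(self, threshold=LOCKOUT_THRESHOLD, lockout_seconds=LOCKOUT_SECONDS):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.accounts = {}
        self.events = []       # audit trail the SOC can alert on

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user, now):
        return self._state(user).locked_until > now

    def attempt(self, user, password_ok, now):
        """Record one login attempt; returns 'locked', 'ok' or 'failed'."""
        st = self._state(user)
        if st.locked_until > now:
            # Refuse even a correct password while locked, otherwise the
            # lockout leaks whether the guess was right.
            self.events.append(f"{now:.0f} {user} attempt while locked")
            return "locked"
        if password_ok:
            st.failures = 0    # a success resets the sequential counter
            return "ok"
        st.failures += 1
        if st.failures >= self.threshold:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0
            self.events.append(f"{now:.0f} {user} locked after {self.threshold} failures")
        return "failed"


def demo():
    """Constructed sequence: three bad guesses, then the right password too early."""
    guard = LoginGuard(threshold=3, lockout_seconds=900)
    results = [guard.attempt("alice", False, t) for t in (0, 1, 2)]
    results.append(guard.attempt("alice", True, 3))      # locked, although correct
    results.append(guard.attempt("alice", True, 903))    # lockout expired
    return results, guard.events


if __name__ == "__main__":
    print(demo())
```

The counter is reset on success, so only sequential failures count, which matches the wording of the control; the lockout also applies to a correct password, since the point of the measure is to stop the attempt sequence, not to confirm which guess was right.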
improve the Information Security Management System to meet its
objectives and ensure the confidentiality, integrity, and availability of
information assets.
Oversight versus Implementation.
Assigning authority versus Authorizing action.
Enacting policy versus Enforcing policy.
Accountability versus Responsibility.
Strategic planning versus Project planning.
Resource allocation versus Resource utilization.
support the stakeholders' requirements and obligations. Governance
over security may have elements specifically dedicated to meeting the
requirements of security independently, or in cooperation with other
governance efforts such as architecture, IT, and process.
3.2.2 Scope and Charter of Governance
3.2.3 Business Function Relationships
human resources, legal, risk management, audit,
operations, and public relations, to provide effective
communication of the security program and to ensure
continual alignment with organizational objectives.
Chief Information Security Officer – may or may not be a
named position, but is responsible for providing an
authoritative voice to address information security
concerns.
limiting the impact of security incidents and potential threats.
customers who are not in direct control of the enterprise.
Impact on reputation and product value resulting from
security failures.
Failure to set reasonable expectations related to the
importance of security.
Cost classification – identifies the end purpose of the cost
and includes:
o Capital/operational – accounting methodologies required
by the business and regulatory agencies.
o Direct/Indirect – defines whether cost assignment
should be direct to the customer or shared across
multiple customers.
o Fixed/variable – identifies whether the cost is fixed
in time or price, and aims to minimize the level of
variability when the cost is not fixed.
Cost units – identifies the unit of consumption that can be
tracked.
to the enterprise. Many of these regulatory bodies provide only
guidelines or best practices, without giving direct input on the
solutions to implement. In some cases, compliance is rated based on the
maturity of the implementation, where some parts of the
implementation may be more or less mature than others.
for Standardization (ISO) to provide a range of controls
needed when using information systems to preserve
confidentiality, integrity, and availability of information.
Trust Services (SysTrust) Principles and Criteria for
Systems Reliability - a joint venture between the American
Institute of Certified Public Accountants (AICPA) and
Canadian Institute of Chartered Accountants (CICA) to
raise the assurance of services by public accountants
through the principles of availability, security, integrity, and
maintainability.
Standard of Good Practice for Information Security –
developed by the Information Security Forum (ISF)
members to address security in terms of security
management, critical business applications, computer
installations, networks, and systems development.
Information Security Governance: Call to Action – a report
from the Corporate Governance Task Force to provide a
plan of action to deal with cyber security issues and
concerns.
vulnerabilities for security.
and unavailability falls within the job scope of the Information Security
Officer.
responsible for auditing and improvements to the security policy.
As the enterprise grows in size and depth, its solutions become more
diverse. The governance structures can be hybrid.
4 Information Risk Management
one or more threats.
Trusted source – is its design, implementation, and
maintenance performed by people who are committed to
maintaining the security policy?
Independent – is its design, implementation, and
maintenance dependent on the existence of other controls
and countermeasures?
Distinct – does it work without overlapping other controls
and countermeasures?
Consistent application – can the control or
countermeasure be applied in the same manner across
the organization?
Simple and Public – is the control or countermeasure
easily accessible and implementable by the general
population (employees)?
Cost-effective – is the cost of implementation better than
the cost of not implementing?
Reliability – will it serve its purpose under multiple
circumstances?
Sustainable – will it continue to function as expected over
time and/or adapt as changes or new elements are
introduced to the environment?
Minimal manual intervention – is it automated fully or
partially to ensure that the need for manual work is
minimal?
Ease of use – is it easy to use and apply?
Secure – is the control and countermeasure itself safe
from exploitation or attack?
Protection – does it protect the confidentiality, integrity, and
availability of assets as expected?
Reversibility – can the control or countermeasure be
“backed out” when an issue arises?
Safe – are any additional issues created when the control
or countermeasure is applied?
Clean – does it leave no residual data as a result of its function?
Classification of data, or information, can be required by law,
regulations, or rules.
Person responsible for determining appropriate usage of
the information.
Person responsible for classifying the data.
Person responsible for the business outcome of using the
information or information system.
In the early 1990s, the most prevalent attacks were SYN attacks: a
TCP/IP protocol manipulation in which an overwhelming number of
open-ended session requests were sent to a service, causing the service
to focus on processing these requests while delaying legitimate ones.
The result was that systems were virtually unusable by valid users and
applications of the service.
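The defender's side of the SYN attack described above, as an added example that is not part of the study guide: a small detector that counts, per client, session requests (SYN) that were never followed by that client's completing ACK, which is what leaves the service holding open-ended sessions. The log lines and their "t=<sec> <src> -> <dst> <flag>" format are constructed for the example, not any product's real format, and the threshold of five half-open sessions is an assumed policy value:

```python
"""Flag sources that leave many half-open TCP sessions (SYN flood indicator).

Added example, not from the study guide. The log format and the sample
records below are constructed; the detection threshold is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample: 10.0.0.5 and 10.0.0.8 complete their handshakes,
# 203.0.113.7 sends five SYNs and never completes any of them.
SAMPLE_LOG = """\
t=0 10.0.0.5 -> 192.0.2.10:80 SYN
t=0 192.0.2.10:80 -> 10.0.0.5 SYN-ACK
t=1 10.0.0.5 -> 192.0.2.10:80 ACK
t=1 203.0.113.7 -> 192.0.2.10:80 SYN
t=1 203.0.113.7 -> 192.0.2.10:80 SYN
t=2 203.0.113.7 -> 192.0.2.10:80 SYN
t=2 203.0.113.7 -> 192.0.2.10:80 SYN
t=3 203.0.113.7 -> 192.0.2.10:80 SYN
t=3 10.0.0.8 -> 192.0.2.10:80 SYN
t=4 10.0.0.8 -> 192.0.2.10:80 ACK
this line is deliberately malformed and must be skipped
"""

LINE = re.compile(r"t=(\d+) (\S+) -> (\S+) (SYN|SYN-ACK|ACK)$")


def half_open_by_source(log_text):
    """Per client address: SYNs sent minus handshake-completing ACKs sent.

    Only client-side packets are attributed to the client; the server's
    SYN-ACK is ignored, so a server under attack is never counted as a source.
    """
    syns = defaultdict(int)
    acks = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue            # skip malformed records instead of crashing the detector
        _, src, _, flag = m.groups()
        if flag == "SYN":
            syns[src] += 1
        elif flag == "ACK":
            acks[src] += 1
    return {src: syns[src] - acks[src] for src in syns}


def flag_sources(log_text, threshold=5):
    """Sources whose half-open count reaches the threshold (assumed policy)."""
    counts = half_open_by_source(log_text)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(half_open_by_source(SAMPLE_LOG))
    print("suspect sources:", flag_sources(SAMPLE_LOG))
```

A production detector would evaluate the same count over a sliding time window and per destination port, since a long-lived log accumulates stale entries; the point of the example is the half-open accounting itself, which is the symptom the passage describes.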
acquiring access or redirect communications.
to transfer or insert into the system or is attached to
another program to allow replication and distribution.
Worms – self-propagating code which exploits
vulnerabilities in systems or applications. Similar to viruses,
but without the need for human interaction.
Trojan Horses – any program that appears to the user as
desirable but is, in the end, harmful.
Spyware – hidden applications intended to track users'
activity, obtain personal data, and even monitor system
inputs.
saved. When the file containing the hashed password is found, the
password cracker compares every possible password combination
against the hash. This is done by using or creating a list of possible
combinations, hashing them, and comparing each hash to the stored
password hash in the file. The length and complexity of the password
have an impact on the time required to test every combination, ranging
from minutes to years.
Password crackers are easily obtainable and are useful for both
hackers and system administrators. System administrators use
password crackers to identify the strength of a particular password. If
the password is weak, a request can be made to the user to change
to a stronger password.
The Hellman concept is based on enciphering the plaintext with all
possible keys whose results are organized into chains. Only the first
and last elements are loaded into memory. As the number of stored
chains increased, so did the frequency of generating the same results
with different keys.
4.3.6 Spoofing/Masquerading
4.3.7 Sniffers, Eavesdropping, and Tapping
4.3.8 Emanations
mechanisms such as TEMPEST.
4.3.11 Data Remanence
analysis of the data.
Further masking the remnants of any electromagnetic
representation of the data with each rewrite.
4.3.13 Dumpster Diving
4.3.15 Theft
4.4 Risk Assessments and Analysis
Quantitative risk assessments are conducted through a simple
process of:
1. Obtaining management approval.
2. Building an assessment team.
3. Review of information currently available within the
organization.
4.4.5 Assessment Methodologies
Qualitative Assessments
NIST SP 800-30
NIST SP 800-66
OCTAVE
FRAP – Facilitated Risk Analysis Process
CRAMM – CCTA Risk Analysis and Management Method
Quantitative Assessments
Spanning Tree Analysis
Failure Modes and Effect Analysis
Product – the minimal specifications required by the
resource to meet business outcomes.
NPV/k (k represents the level of funds available)
Value can be applied to all information and represents the cost of the
information and its perceived importance to the organization from
internal or external perspectives. The value of the information can
change over time. A change in value can be the result of a changing
environment, modification of the information itself, improper
disclosure, or miscalculated value to the organization. The
information's value should be evaluated periodically to determine its
currency in the organization.
information derived from data collections such as checklists or
surveys. A more objective value is determined by metrics, or
statistical measures.
5 Information Security Program Development
5.1.1 Strategies
tasks reduces the risk of inappropriate or unintended disclosure of
information. Mandatory vacations provide benefits similar to job
rotation and separation of duties by providing opportunities to
understand the day-to-day performance of specific functions.
Cryptography
Environmental Security and Facilities
Business Continuity and Disaster Recovery
Telecommunications
Network Management
Application Development and Management
Operations Management
5.1.3 Managing Implementation
5.2 Security Controls
Maintenance
Media Protection
Physical and Environmental Protection
Planning
Personnel Security
Risk Assessment
System and Services Acquisition
System and Communications Protection
System and Information Integrity
Deterrents such as the identification and authentication of a user,
service, or application, attempt to minimize the frequency and impact
of incidents.
procedural, or managerial.
Configuration Management
Vulnerability Management
Product Life-Cycle Management
Network Management
Management of credentials
Management of users
Rights usage
Denial of rights and access
A history of passwords should be maintained to avoid
repeating old passwords.
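The password-history requirement above, as an added example that is not from the study guide: the history keeps only salted PBKDF2 hashes of the last N passwords, so the history itself cannot be read back as old passwords, and a change request is refused when the new password matches any stored entry. The history depth, the iteration count and the sample passwords are assumed values:

```python
"""Password history: refuse reuse of the last N passwords.

Added example, not from the study guide. Only salted hashes are retained,
so a stolen history file does not reveal old passwords. HISTORY_DEPTH and
the PBKDF2 parameters are assumed policy values.
"""
import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 5             # assumed policy: remember the last 5 passwords
PBKDF2_ITERATIONS = 100_000   # assumed; tune to the hardware


def _hash(password, salt):
    """Salted PBKDF2-HMAC-SHA256 digest of the candidate password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    def __init__(self, depth=HISTORY_DEPTH):
        # (salt, digest) pairs; the oldest entry is evicted automatically.
        self.entries = deque(maxlen=depth)

    def was_used(self, password):
        """True if the candidate equals any password still in the history window.

        Each entry carries its own salt, so the candidate is re-hashed per entry
        and compared in constant time.
        """
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.entries)

    def set_password(self, password):
        """Record a new password; returns False, recording nothing, on reuse."""
        if self.was_used(password):
            return False
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt)))
        return True


if __name__ == "__main__":
    history = PasswordHistory(depth=2)
    for pw in ["Winter-2024!", "Winter-2024!", "Spring-2024!", "Winter-2024!"]:
        print(pw, "accepted" if history.set_password(pw) else "rejected: reused")
```

The current password is simply the newest entry in the deque, so "change to the same password" is rejected by the same check; when the window is full, the oldest hash drops out and that password becomes acceptable again, which is exactly the limit a finite history imposes.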
Many facilities will have multiple zones defined, with different levels of
security applied to them, often contributing to a defense-in-depth
solution.
5.2.3 Technical Controls
The technical type describes the mechanisms used within the digital
infrastructure to enforce the security policy. Technology controls
include a combination of firewalls, filters, operating systems,
applications, and routing protocols. Different considerations include:
User controls
Network access
Remote access
System access
Application access
Malware control
Encryption
User controls are directly associated with the user and typically
revolve around authentication factors. The factors represent:
Something the user knows.
Something the user has.
Something the user is or does.
the system is validated as well as access to the individual files.
Take-grant model – uses graphs to illustrate the security
permissions taken and granted between objects.
Bell-LaPadula model – a lattice-based model designed to
enforce the military's Mandatory Access Control (MAC)
mode with two rules:
o Simple security rule – information can only flow
from lower levels of security to higher levels.
o * Property rule – users can never write information
to a lower clearance level.
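The two Bell-LaPadula rules above, carried through as an added example that is not from the study guide. It goes one step beyond the guide's ladder of levels: each label pairs a level with a set of compartments, so "dominates" is the lattice order the model is defined over, and both rules reduce to one dominance test applied in opposite directions. The level names and compartments are constructed:

```python
"""Bell-LaPadula read/write decisions over a security lattice.

Added example, not from the study guide. Levels and compartment names are
constructed; the lattice order (level plus compartment set) is the standard
generalization of the guide's single ladder of clearance levels.
"""
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """self >= other in the lattice: level at least as high and all of
        other's compartments held."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject, obj):
    """Simple security rule (no read up): the subject's clearance must
    dominate the object's label."""
    return subject.dominates(obj)


def can_write(subject, obj):
    """*-property (no write down): the object's label must dominate the
    subject's clearance, so information never flows to a lower label."""
    return obj.dominates(subject)


def decide(subject, obj, op):
    """Single entry point a reference monitor would call."""
    if op == "read":
        return can_read(subject, obj)
    if op == "write":
        return can_write(subject, obj)
    raise ValueError(f"unknown operation {op!r}")


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"NATO"}))
    for obj in (Label("CONFIDENTIAL"), Label("TOP_SECRET"),
                Label("CONFIDENTIAL", frozenset({"NATO", "CRYPTO"}))):
        print(obj, "read:", decide(analyst, obj, "read"),
              "write:", decide(analyst, obj, "write"))
```

The compartment test is what makes the model a lattice rather than a line: a SECRET/NATO subject cannot read a CONFIDENTIAL document tagged NATO and CRYPTO, even though CONFIDENTIAL is the lower level, and cannot write into a TOP_SECRET object that lacks the NATO compartment, because NATO-tagged information would flow to a label that does not carry it.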
The trusted computing system must be continuously
protected against unauthorized changes.
o Label Integrity Policy.
o Policy on exportation of Labeled Information to
Single-Level Devices, MultiLevel Devices, and
Human-Readable Output.
o Mandatory Access Control Policy.
o Lifecycle Assurance of Design Specification and
Verification.
Structured Protection (B2) systems build on B1
requirements making them relatively resistant to
penetration:
o Addresses Subject Sensitivity Labels and Device
Labels in the Labeling Policy.
o Trusted Path for Identification and Authentication.
o Adds to the Operational Assurance of Covert
Channel Analysis.
o Adds to the Trusted Facility Management.
o Configuration Management of Lifecycle Assurance.
Security Domains (B3) systems are highly resistant to
penetration and build on B2 requirements, adding:
o Trusted Recovery Operational Assurance.
o Uses a Trusted Computing Base (TCB) to allow
rigorous testing.
Verified Design (A1) systems do not add any requirements
or features: certification is granted because formal
techniques for design specification and verification are in
place.
The techniques used by A1 systems follow a five step process:
Development of a formal model of the security policy which
includes mathematical proof.
Development of a formal top-level specification (FTLS) of
the design including definitions of functions.
Formal and informal techniques used to verify that the FTLS is
consistent with the model.
Verification, through informal techniques, that the implementation
of the TCB is consistent with the FTLS.
Formal analysis performed to identify any covert channels
in the system.
5.3 Security Technologies
systems to reduce repetitive tasks.
Increase of usability by reducing the requirement for
multiple prompts to verify identity.
Reliability of user profile data ensures the timely updates
of user information.
Scalability of the solution across enterprises.
identity, authentication, and authorization using a Web access
management (WAM) solution. These solutions typically use a front-end
Web server to authenticate the user once when entering the web
environment and sustain that authorization throughout the entire
session.
solutions. Most account management solutions provide a centralized,
cross-platform security capability with features:
Simultaneous management of user access to multiple
systems.
An automated workflow system for submitting requests for
new, modified, or deleted accounts.
Automatic replication of data.
Ability to load batch changes to user directories.
Policy-based changes automatically performed to create,
change, or remove access.
Focus on enterprise system access.
Also referred to as reduced sign-on or federated ID management,
single sign-on capabilities allow a user to sign on to the system one
time and have access to multiple systems. Single sign-on solutions
allow for:
Efficient log-on processes
Stronger passwords
Elimination of multiple passwords
Enforcement of time-out and attempt thresholds
Centralized administration
The two challenges to single sign-on solutions are the ability to
support unique platforms and the risk of access to multiple systems
through a compromised username and password.
Reliability – ensures system availability when needed.
Transparency – authentication process is hidden from the
user.
Scalability – can support any number of clients and
servers.
The predetermined key for each principal is created when the user or
system is added to the Kerberos structure. A realm key is provided
when introduced, which is a common key used for initial trusted
communication. A unique key is created during the introduction to
support future communication. The unique key is shared throughout
the domain through the realm key.
TGTs are like passports and are only valid for a period of time,
generally 8 to 10 hours.
SESAME, or Secure European System for Applications in a Multi-
Vendor Environment, is a project funded by the European
Commission to address weaknesses in Kerberos and the name of the
technology that came out of the project.
those individuals, or subjects, authorized can access
information on a specific domain.
Access control lists (ACLs) are used to permit or limit traffic based on
an attribute, or to grant permissions within a specific system based
on policy. They are a form of DAC.
ACLs are typically a list of users given access to a given system with
specific permission. They are often implemented with access control
matrices (ACMs).
An ACM is a table structure for an ACL. Subjects and objects are both
identified and permissions are incorporated.
The rules are enforced by a mediation mechanism to ensure only
authorized access.
Capability tables can track, manage, and apply controls based on the
object and capabilities, or rights, of the user.
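As an added illustration (not code from the study guide), the following Python builds the access control matrix described above and exposes both views the text mentions: an object's column as its ACL and a subject's row as its capability list. A small reference monitor plays the mediation mechanism, denying anything not explicitly granted and, since ACLs are a form of DAC, letting only an object's owner extend its ACL. Subjects, objects and right names are constructed.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# Rights used in this constructed example; a real system defines its own set.
READ, WRITE, EXECUTE, OWN = "read", "write", "execute", "own"


class AccessControlMatrix:
    """Subjects are rows, objects are columns, each cell holds a set of rights.
    One table yields both views: an object's column is its ACL, a subject's
    row is its capability list."""

    def __init__(self) -> None:
        self._cells: Dict[Tuple[str, str], Set[str]] = {}
        self.subjects: Set[str] = set()
        self.objects: Set[str] = set()

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        self.subjects.add(subject)
        self.objects.add(obj)
        self._cells.setdefault((subject, obj), set()).update(rights)

    def rights(self, subject: str, obj: str) -> FrozenSet[str]:
        # A missing cell means no rights at all (fail closed).
        return frozenset(self._cells.get((subject, obj), ()))

    def acl(self, obj: str) -> Dict[str, FrozenSet[str]]:
        """Column view: which subjects may do what to this object."""
        return {s: self.rights(s, obj)
                for s in sorted(self.subjects) if self.rights(s, obj)}

    def capabilities(self, subject: str) -> Dict[str, FrozenSet[str]]:
        """Row view: which objects this subject may act on, and how."""
        return {o: self.rights(subject, o)
                for o in sorted(self.objects) if self.rights(subject, o)}


class ReferenceMonitor:
    """Mediation mechanism: every request is decided from the matrix alone
    and written to an audit trail. Anything not explicitly granted is denied."""

    def __init__(self, acm: AccessControlMatrix) -> None:
        self.acm = acm
        self.audit: List[Tuple[str, str, str, bool]] = []

    def check(self, subject: str, obj: str, right: str) -> bool:
        allowed = right in self.acm.rights(subject, obj)
        self.audit.append((subject, obj, right, allowed))
        return allowed

    def delegate(self, owner: str, grantee: str, obj: str, right: str) -> bool:
        """Discretionary control: only a subject holding OWN on the object may
        extend the object's ACL; the grant itself is mediated and audited."""
        allowed = OWN in self.acm.rights(owner, obj)
        if allowed:
            self.acm.grant(grantee, obj, right)
        self.audit.append((owner, obj, f"delegate {right} to {grantee}", allowed))
        return allowed


def build_demo() -> AccessControlMatrix:
    """Constructed matrix: two objects, three subjects."""
    acm = AccessControlMatrix()
    acm.grant("alice", "payroll.db", OWN, READ, WRITE)
    acm.grant("bob", "payroll.db", READ)
    acm.grant("bob", "backup.sh", READ, EXECUTE)
    acm.grant("carol", "backup.sh", OWN, READ, WRITE, EXECUTE)
    return acm


if __name__ == "__main__":
    demo = build_demo()
    print("ACL of payroll.db:", {s: sorted(r) for s, r in demo.acl("payroll.db").items()})
    print("capabilities of bob:", {o: sorted(r) for o, r in demo.capabilities("bob").items()})
    monitor = ReferenceMonitor(demo)
    print("bob writes payroll.db:", monitor.check("bob", "payroll.db", WRITE))
```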
When the access decisions are made by a single entity, the solution
utilizes a centralized access control. The entity can be an individual,
department, or device. RADIUS, TACACS+ and DIAMETER are
examples of centralized access control systems.
response which is given to the authenticating party and
access is granted.
Synchronous token authentication is similar in process but
relies on an event, location, or time-based synchronization
between the requester and authenticating party. The most
popular method is time-based where the token utilizes an
embedded key to produce a unique string of numbers
and/or characters in a given timeframe, usually one
minute. The user will enter the character string whenever
access is requested to authenticate themselves.
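The time-based synchronous token just described, as an added example that is not part of the study guide: token and verifier derive the same counter from the clock (a one-minute window, as the text states), and the verifier tolerates one window of drift while refusing to accept the same window twice. The HMAC-based code construction follows RFC 4226/6238; the secret, window size and drift allowance are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed shared secret: in a real deployment it is embedded in the token
# at issue time and held by the authenticating party; never reuse a demo value.
DEMO_SECRET = b"constructed-demo-token-secret-00"
TIME_STEP = 60       # seconds per window; the text gives one minute as typical
DIGITS = 6
ALLOWED_DRIFT = 1    # neighbouring windows accepted to absorb clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time code (RFC 4226 construction): HMAC-SHA1 over the
    big-endian counter, dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def window(unix_time: int, step: int = TIME_STEP) -> int:
    """Time-based synchronization: both sides derive the counter from the clock."""
    return unix_time // step


def token_display(secret: bytes, unix_time: int) -> str:
    """What the token shows the user during the current time window."""
    return hotp(secret, window(unix_time))


class TokenVerifier:
    """Authenticating party. Accepts a code from the current window or one
    window either side, and never accepts the same window twice (replay)."""

    def __init__(self, secret: bytes, drift: int = ALLOWED_DRIFT) -> None:
        self.secret = secret
        self.drift = drift
        self.last_accepted_window = -1

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = window(unix_time)
        for candidate in range(current - self.drift, current + self.drift + 1):
            if candidate <= self.last_accepted_window:
                continue                     # window already consumed
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_window = candidate
                return True
        return False


if __name__ == "__main__":
    now = 1_700_000_000                      # constructed clock value
    shown = token_display(DEMO_SECRET, now)
    verifier = TokenVerifier(DEMO_SECRET)
    print("token shows:", shown)
    print("accepted 30 s later:", verifier.verify(shown, now + 30))
    print("replayed 1 s after that:", verifier.verify(shown, now + 31))
```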
Typically, the process requires the user to present the memory card
and a user ID or PIN. If the authentication information on the memory
card matches with the user provided information, access is granted. A
memory card can be used with computers, but a reader is required to
process the information.
The cost of readers, as well as the overhead of generating PINs
and cards, needs to be considered in any security solution. These
costs need to be balanced against the benefits of implementing memory
cards, which are generally a more secure solution than basic
passwords.
Despite this security, memory cards have a basic flaw: the data stored
on the card is not protected. The data can be extracted or copied.
Since the card cannot process information, the data is unencrypted.
Smart cards, on the other hand, can have security controls and logic
embedded in their integrated circuits.
A smart card is the size of a credit card and has a semiconductor chip
embedded in it. The chip is either a memory chip with
nonprogrammable logic or a microprocessor with internal memory.
The chip will accept, store, and send information. That information is
divided into four sections:
Information that can be read only.
Information that can be added only.
Information that is updated only.
Information that has no access available.
Smart cards are more correctly termed integrated circuit card (ICC) by
the International Organization for Standardization (ISO) to specify all
devices which are an ISO 1 identification card with an integrated
circuit (IC). The size of the card is 85.6x53.98x0.76 mm or the size of
a bank or credit card.
from 8 to 256 KB.
Random-access memory (RAM) – With ROM solutions,
the data remains intact when power is removed. The
opposite is true for cards with RAM, requiring cards to
have their own power source. Though the risk is that
power will deplete, a RAM card has better storage and
speed capabilities.
7 to 10 years data retention
How smart cards interact with other systems defines the type of smart
card. There are two basic types:
1. Contact cards require physical contact in order to communicate
with other systems.
2. Contactless cards use proximity technology to provide an
interface.
Contact   Designation   Use
C1        Vcc           Power connection allowing operating power to the microprocessor
contactless cards, more commonly referred to as proximity integrated
circuit cards (PICC). Low-frequency electromagnetic radiation is
used to provide power and data interchange. A proximity coupling
device (PCD) provides the required signal and power control for
communicating with the card. A radio frequency (RF) field is produced
by the PCD which activates any card that falls within its electromagnetic
field loop. The field operates at 13.56 MHz ± 7 kHz and constant
power range.
The PCD will alternate between two modulation, or signal, types until
a PICC is incorporated into the communication process. Both types,
type A and type B, support 106 kbps in bidirectional communications.
The log-on process for smart cards is done at the reader and not the
host, providing an advantage to the technology because the identifier
and password are not exposed while in transit to the host.
5.3.7 Biometrics
Behavioral biometrics focus on determining patterns in a user's
actions:
Keystroke pattern analysis will utilize the user's PIN or
password along with how the information is entered, driven
by the assertion that different people will enter the same
information differently.
Signature dynamics will analyze stroke speed,
acceleration, deceleration, and pressure along with the
content of a user's signature.
use of biometrics. Tuning the system to maintain a low CER is the
best way to ensure neutrality.
The unique traffic generated by the organization will require the IDS to
be tuned to support the network. If tuned incorrectly, the IDS can
create a significant vulnerability for the organization.
NIDS have several essential characteristics:
Monitors network packets and traffic in real time.
Analyzes protocols and other packet information.
Can send alerts or terminate offending connections.
Can integrate with firewalls and define rules.
Monitoring data packets can be disrupted by encryption.
Some HIDS have the ability to monitor multiple hosts and will share
policy information and real-time information between systems.
An IDS can utilize several analysis methods. Two basic types include:
Pattern matching - the attack vector is known and an alert
is provided when the pattern is detected.
Anomaly detection – draws conclusions from the use of
several tactics to determine if the traffic represents a risk.
Unexplained changes to system checks.
Multiple failed log-on attempts.
Analysis of the traffic structure can identify unacceptable deviation from
expected behaviors and is employed by traffic anomaly-based IDS.
The specific attributes include:
Watches for new services or unusual traffic patterns.
DoS floods and unknown attacks can be identified.
Tuning the system can be difficult.
The normal traffic conditions must be clearly understood.
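The two analysis methods above (pattern matching against a known attack vector, and traffic anomaly detection against a learned baseline) as an added, runnable illustration that is not part of the study guide. The connection records, the addresses and the signature marker are all constructed; the `tolerance` parameter stands in for the tuning the text says is difficult, and the test shows that setting it too high makes the detector miss the flood.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    second: int      # seconds from the start of the capture
    src: str         # source address (constructed RFC 1918 values)
    dst_port: int    # destination service
    payload: bytes   # leading bytes of the application payload


# Constructed learning-period traffic: three internal hosts, web services only,
# one burst every 20 s for five minutes (so 6 events per source per minute).
BASELINE_EVENTS = [
    Event(t, f"10.0.0.{host}", port, b"GET /index.html HTTP/1.1")
    for t in range(0, 300, 20)
    for host in (1, 2, 3)
    for port in (80, 443)
]

# Constructed live traffic for the following minute: mostly normal, plus one
# never-seen service, one host flooding port 80, and one request carrying a
# marker that a (constructed) signature knows about.
LIVE_EVENTS = (
    [Event(t, "10.0.0.1", 443, b"GET /index.html HTTP/1.1") for t in (300, 320, 340)]
    + [Event(305, "10.0.0.2", 23, b"\xff\xfd\x18")]
    + [Event(310 + i, "10.0.0.9", 80, b"GET / HTTP/1.1") for i in range(40)]
    + [Event(330, "10.0.0.3", 80, b"GET /?q=CONSTRUCTED-KNOWN-BAD-MARKER HTTP/1.1")]
)

# Pattern matching: the attack vector is known in advance, so its byte pattern
# (a constructed marker here, not a real signature) is searched for directly.
SIGNATURES = {"SIG-CONSTRUCTED-001": b"CONSTRUCTED-KNOWN-BAD-MARKER"}


def match_signatures(events, signatures=SIGNATURES) -> list:
    hits = []
    for e in events:
        for sig_id, pattern in signatures.items():
            if pattern in e.payload:
                hits.append(f"{sig_id}: {e.src} -> port {e.dst_port} at t={e.second}")
    return hits


class TrafficBaseline:
    """Traffic anomaly detection: learn what normal looks like (which services
    are used, how busy one source gets per minute), then report deviations.
    `tolerance` is the tuning knob: too low and ordinary bursts alert, too
    high and a flood is missed."""

    def __init__(self, events, tolerance: float = 2.0) -> None:
        self.known_ports = {e.dst_port for e in events}
        per_minute = Counter((e.src, e.second // 60) for e in events)
        self.rate_ceiling = max(per_minute.values()) * tolerance

    def anomalies(self, events) -> list:
        alerts = []
        new_services = sorted({(e.src, e.dst_port) for e in events
                               if e.dst_port not in self.known_ports})
        for src, port in new_services:
            alerts.append(f"new service: {src} -> port {port}")
        per_minute = Counter((e.src, e.second // 60) for e in events)
        for (src, minute), n in sorted(per_minute.items()):
            if n > self.rate_ceiling:
                alerts.append(f"rate anomaly: {src} sent {n} events in minute {minute} "
                              f"(ceiling {self.rate_ceiling:g}); possible DoS flood")
        return alerts


def analyze(baseline_events=BASELINE_EVENTS, live_events=LIVE_EVENTS,
            tolerance: float = 2.0) -> dict:
    baseline = TrafficBaseline(baseline_events, tolerance)
    return {"signature": match_signatures(live_events),
            "anomaly": baseline.anomalies(live_events)}


if __name__ == "__main__":
    for kind, alerts in analyze().items():
        for line in alerts:
            print(f"[{kind}] {line}")
```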
Two primary methods are used to encrypt data: stream and block.
Block ciphers focus on blocks of text to encrypt. A message is broken
down into a preset size. These sizes typically follow ASCII character
sizes of 64, 128, 192, and so on.
and receiver of the message. To ensure security, the key is often sent
separately from the message itself, a practice called out-of-band distribution.
encrypted with a public key can only be decrypted with the private key
of the pair, retaining the confidentiality of the encrypted message. This
is because the sender would be encrypting the message with the
public key of the receiver. Any message that is encrypted using the
private key of the sender could be opened and read by anyone
possessing the corresponding public key. The process allows the
confidentiality of the message to remain intact and retain proof of
origin.
Small organizations can generally use the default authentication
method of the software providing remote access connectivity. As the
organization grows, more sophisticated solutions may be appropriate
such as RADIUS or TACACS/TACACS+.
Kryptoknight
Snareworks
A Key Distribution Center (KDC) holds all the keys and provides a
centralized authentication service. The overall structure of control is
called a realm. Time-stamping tickets ensures the keys are not
compromised. All the systems within the realm have their clocks
synchronized to maintain a common reference for authentication.
Part of the KDC is the Authentication Server (AS), which is responsible
for authenticating each client. During this authentication, the Ticket
Granting Service (TGS) makes the tickets and distributes them to the
clients.
software. Three main functions are provided by IPSec:
Authentication only
Authentication and encryption
Key exchange
when both AH and ESP protocols are being used, forming four
separate SAs to accommodate the security needs of the connection.
The IKE process is composed of two phases. The first phase sets the
foundation for the second phase. In the first phase:
Peers authenticate using certificates or a pre-shared
secret.
A DH key is created.
Keys and methods are exchanged and/or negotiated
between peers.
5.4.4 Methods of Encryption and Integrity
Negotiation in both phases of the process sets the parameters for the:
Encryption Algorithm
Hash Algorithm
The encryption algorithms negotiated in the first phase (IKE SA) are
AES-256 (default), 3DES, DES, and CAST. The second phase (IPSec
SA) will negotiate 3DES, AES-128 (default), AES-256, DES, CAST,
DES-40CP, CAST-40, or NULL (no encryption). The hash algorithms
negotiated for both phases are the same, MD5 and SHA1, but the
default hash algorithm is different for each phase: MD5 for phase II
and SHA1 for phase I.
IKE Phase I is more process intensive than IKE phase II, and
therefore performed less frequently. The IKE SA is valid for a specific
period of time and must be renegotiated. The IPSec SA is valid for an
even shorter period of time requiring the IKE phase II to be performed
more frequently.
5.5 Security Documentation
2. Use directive wording.
3. Avoid technical implementation details.
4. Keep length to a minimum.
5. Provide links from policy to supporting documents.
6. Review details before publishing.
7. Conduct management review and sign-off.
8. Avoid technical language.
9. Adjust policies based on incident review.
10. Review policies regularly.
11. Develop noncompliance sanctions.
Development of procedures should involve all departments interfacing
with the instructions. This also helps create a common
understanding of the entire procedure among the interacting organizations.
information security requirements. In some cases, security awareness
programs are a requirement for compliance to regulations, such as:
HIPAA
Sarbanes-Oxley Act
Gramm-Leach-Bliley Act
The architecture and design of the security solution must address the
design, implementation, and operations of those controls used to
enforce the levels of confidentiality, integrity, and availability required.
5.6 Compliance
5.6.2 Service Level Agreements
with customers of the business, or individual departments
within the organization. Departments like Finance and
Research and Development may have more stringent
requirements for security than Customer Support. Different
classifications of information may contribute to different
SLAs being applied.
Multi-level SLA – A three-layer structure for adopting
agreements. The levels are corporate, customer, and
service. The corporate level covers all generic concerns
and requires less frequent changes. Customer level
relates to a specific customer or business unit regardless
of the service provided, while the service level relates to a
specific service for a specific customer.
Administrative law is part of the Code of Federal
Regulations which is enacted by agencies of the executive
branch.
Case law exists within the judicial branch and documents
the legal precedents of the court.
One of the most difficult problems with the rapid growth of computer
technology is ensuring that the laws and regulations protecting against
computer crimes keep abreast of emerging technologies. This was
evident in 1994, when the Computer Emergency Response Team
(CERT) reported a 498 percent increase in the number of
computer intrusions and a 702 percent rise in the number of sites
affected by these intrusions. The U.S. legislature chose to add
amendments to the Computer Fraud and Abuse Act to address
specific abuses arising from misuse of new technologies. The result was the
1996 National Information Infrastructure Protection Act.
Title VIII strengthens criminal laws as they apply to
terrorism.
The act creating this government agency was the Homeland Security
Act of 2002.
as, system updates.
Normal Change Model – identifies changes that must go
through some effort of assessment, authorization, and
agreement before the change can be implemented. Adding
a new resource to the network, or allowing a contracting
firm to do facilities work are examples of these types of
changes.
Emergency Change – used for highly critical changes that
must be put into place immediately, usually as a result of
failure in availability or service quality.
Many enterprises will adopt a Change Advisory Board (CAB) which is
responsible for reviewing all changes and providing authorization to
proceed. The CAB will prioritize changes based on business need
and will be asked to reject changes if they do not meet or could harm
the business objectives. Several stakeholders may be represented on
the CAB, including:
Customers
User Managers
User Groups
Application developers and support
Security specialists and consultants
IT Operations staff
Facilities staff
Contractors
A Configuration Item (CI) can be any asset, service component, or
item that is managed by the Configuration Management process.
They can vary in complexity, size, and type. Groups of CIs may be
managed together, or selected through established criteria,
groupings, classifications, or other identification. The different types of
CIs can include:
Service Lifecycle – broad descriptions of services and
major components of those services.
Service – identifies the assets and resources for a service,
including any models, packages and acceptance criteria.
Organization – identifies the information assets of the
organization, such as the business strategy.
Internal – represents the tangible and intangible assets
delivered, such as applications, software licenses,
computers, and the like.
External – requirements and agreements with third party
customers or suppliers.
Interfaces – those assets required to deliver a service.
of these relationships will aid in determining how to minimize the
impact and risk of changes.
5.7.4 Problem Management
The problem management process consists of several general steps:
Problem Detection
Problem Logging
Problem Categorization
Problem Prioritization
Problem Investigation
Problem Diagnosis
Problem Workaround
Known Error Record
Problem Resolution
Problem Closure
Problem Review
All reported problems are logged and referenced back to the related
incidents. The typical details contained in a problem record include:
Information about the user.
Information about the service.
Information about the equipment.
Initial log date and time.
Priority and categorization details.
Incident description.
All diagnostic or recovery actions taken.
5.7.5 Recovery and Continuity Planning
Revenue loss
Extra expenses
Compromised customer service
Embarrassment or loss of confidence
The development of the scope should focus on:
Disaster recovery planning (DRP).
Business continuity planning (BCP).
Crisis management planning (CMP).
Continuous availability (CA).
Incident command systems (ICS).
Within the implementation phase, the project team works with the
organization's business process owners to implement:
Continuity plans.
Short-term and long-term testing.
Short-term and long-term maintenance strategies.
Training, awareness, and education processes.
Management processes.
5.7.7 Information Incident Management
incident entirely or within a specific time frame and requires the
incident record to be sent to another level of support. Hierarchical
escalation is performed for incidents with a high severity, when IT and
business management must be notified.
5.7.8 Managing Evidence
Reliability – cannot be tampered with, which requires a
documented chain of custody.
Legality – must be gathered within the parameters of the
law and respecting the rights of the accused.
5.8 Facilities
fluctuate or be completely lost as a resource to the organization.
Man-made threats are usually malicious in nature and can consist of
physical attack, sabotage, vandalism, arson, or theft.
include fencing, landscaping, and parking areas. Urban environments
may be a building or single floor within a shared building. Inner
perimeters are areas found within the outermost perimeter. In a
campus situation, a perimeter may be set around every building. In a
single building, each floor may have its own inner perimeter.
Security zones are areas within all perimeters that require a higher
level of security because of the information or operations being
performed.
regulations and work in partnership with the environmental controls.
Infrastructure systems to work with include:
Fire detection and suppression systems.
Perimeter walls, fences, and barriers.
Vehicle and personnel entry and exit gateways.
Entry points are major elements of physical security. Key locks require
a physical key to open the lock, while deadbolts have one or more
bolts that are thrown to prevent opening the door. Key systems are
required to manage who has a key and to what facilities those keys
can be used. Duplication of keys should be managed appropriately.
Combination locks reduce the need for managing physical keys but
require additional effort to manage who has knowledge of particular
combinations. Keypad and pushbutton locks are similar to
combination locks which have a combination of numbers to be
learned and secured.
The use of card, badge, and pass identifiers provides access control
to physical facilities. More sophisticated access controls include
biometric controls.
5.8.2 Defense in Depth
5.8.3 Physical Security Implementation
6 Practice Exam
Question 1
A) Control
B) Evaluate
C) Report
D) Plan
Question 2
A) Oversight
B) Utilization of resources
C) Allocation of resources
D) Strategic planning
Question 3
A) Risk Management
B) Organization Structure
C) Compliance Monitoring
D) All of the above
Question 4
A) COBIT
B) NIST 800-53A
C) ISO 17799
D) SysTrust
Question 5
A) Fast path
B) Distributed
C) Centralized
D) All of the above
Question 6
A) Confidentiality
B) Availability
C) Integrity
D) Accountability
Question 7
A) Least Privileges
B) Job Sensibility
C) Separation of Duties
D) Job Rotation
Question 8
A) Access matrix
B) Bell-LaPadula
C) Take-grant
D) Clark-Wilson
Question 9
A) Authorization
B) Accounting
C) Authentication
D) Auditing
Question 10
A) Critical Change
B) Normal Change
C) Standard Change
D) Emergency Change
Question 11
A) Biometric scan
B) Authentication device
C) Intrusion Detection System
D) Access Control List
Question 12
A) Directories
B) Profiles
C) Web access
D) Account management
Question 13
A) Single-factor authentication
B) Two-factor authentication
C) Three-factor authentication
D) All of the Above
Question 14
A) Baseline Modeling
B) Cost Benefit Analysis
C) Qualitative Analysis
D) Gap Analysis
Question 15
A) Distinct
B) Independent
C) Reliable
D) Sustainable
Question 16
A) Data Protection
B) Proper use of IT assets
C) Social Responsibility
D) Security Awareness
Question 17
A) Operational
B) Variable
C) Fixed
D) Indirect
Question 18
A) Steering Committee
B) Chief Information Security Officer
C) Board of Directors
D) Executives
Question 19
Question 20
A) Integrity
B) Availability
C) Confidentiality
D) Accountability
Question 21
A) Preventive
B) Detective
C) Reductive
D) Repressive
Question 22
A) Responsibility
B) Fairness
C) Accountability
D) Transparency
Question 23
Question 24
A) ISF
B) NIST
C) OECD
D) AICPA
Question 25
A) Threat
B) Vulnerability
C) Risk
D) Control
Question 26
A) Password crackers
B) Mobile code
C) Trojan horses
D) Spyware
Question 27
A) 3
B) 8
C) 12
D) 15
Question 28
Which TCSEC specification describes systems that are resistant to
penetration?
A) Structured Protection
B) Controlled Access Protection
C) Security Domains
D) Verified Design
Question 29
A) Passwords
B) Routers
C) Access Control Lists
D) All of the above
Question 30
A) DES
B) RSA
C) AES
D) MD5
Question 31
A) Biometric
B) Synchronous
C) Asynchronous
D) Integrated Circuit
Question 32
A) EAL4
B) EAL5
C) EAL6
D) EAL7
Question 33
A) Monitoring
B) Protocols
C) User management
D) Policies
Question 34
A) Objective
B) Measurable
C) Descriptive
D) Time-consuming
Question 35
A) Risk Mitigation
B) Risk Avoidance
C) Risk Acceptance
D) Risk Transfer
Question 36
A) Policies
B) Risks
C) Problems
D) All of the above
Question 37
A) Cost Classification
B) Consumption Type
C) Cost Units
D) Cost Types
Question 38
A) Responsibility
B) Dependency
C) Accountability
D) Fairness
Question 39
A) Preventive
B) Detective
C) Corrective
D) Reductive
Question 40
7 Answer Guide
Question 1
Answer: C
Reasoning: The five elements of an Information Security Management
System are control, plan, implement, evaluate, and maintain. Report
is not one of those elements, but may be a by-product of Evaluate.
Question 2
Answer: B
Reasoning: Information Security Management is generally driven by
implementation of solutions, authorizing action, enforcing policy and
responsibility, planning in terms of projects, and proper utilization of
resources. This is different from governance of information security
which provides a higher level of support and oversight.
Question 3
Answer: D
Reasoning: An information security governance framework will have
the listed components as well as a security strategy, security policies,
standards, feedback, and continual improvement.
Question 4
Answer: A
Reasoning: COBIT was published by ISACA and the IT Governance Institute
(ITGI) to define the criteria that business information must satisfy:
effectiveness, efficiency, confidentiality, integrity, availability,
compliance, and reliability.
Question 5
Answer: B
Reasoning: A distributed governance solution increases the
responsiveness of the solution and solution innovation to generate
revenue growth.
Question 6
Answer: C
Reasoning: Assigning an owner gives the information a single accountable
person who decides how it may be used and by whom, which most directly
supports its integrity.
Question 7
Answer: D
Reasoning: By rotating jobs, the organization ensures that a fresh set of
eyes regularly reviews the requirements and activities of a position; it
also makes it harder for one person to conceal errors or fraud over a long
period.
Question 8
Answer: B
Reasoning: The Bell-LaPadula model is a confidentiality model: a subject
may not read an object above its clearance (no read up) and may not write
to an object below it (no write down). The Biba model applies the same
lattice structure to integrity with the rules inverted (no read down, no
write up), so the two models share a form but enforce different properties.
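Added example (not from the book): a small Python check that encodes the Bell-LaPadula and Biba rules over one lattice of levels and need-to-know categories, so the two inverted rule sets can be exercised side by side. The level names, category names and the subject/object labels are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Tuple


class Level(IntEnum):
    """Ordered levels (sensitivity for BLP, trustworthiness for Biba); constructed."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """A lattice element: a level plus a set of need-to-know categories."""
    level: Level
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # L1 dominates L2 when its level is at least as high AND its
        # category set is a superset; this is the lattice's partial order.
        return self.level >= other.level and self.categories >= other.categories


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality).
    simple security property: read only if subject dominates object (no read up)
    *-property: write only if object dominates subject (no write down)
    """
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity): same lattice, rules inverted.
    simple integrity: read only from objects at least as trustworthy (no read down)
    integrity *-property: write only to objects no more trustworthy (no write up)
    """
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation {op!r}")


def compare(subject: Label, obj: Label, op: str) -> Tuple[bool, bool]:
    """Decision under (Bell-LaPadula, Biba) for the same request."""
    return blp_allows(subject, obj, op), biba_allows(subject, obj, op)


if __name__ == "__main__":
    # Constructed labels: a SECRET analyst cleared for the NUC category.
    analyst = Label(Level.SECRET, frozenset({"NUC"}))
    briefing = Label(Level.CONFIDENTIAL)                    # below the analyst
    war_plan = Label(Level.TOP_SECRET, frozenset({"NUC"}))  # above the analyst
    for name, target in (("briefing", briefing), ("war_plan", war_plan)):
        for op in ("read", "write"):
            blp, biba = compare(analyst, target, op)
            print(f"{op:5} {name:9} BLP={'allow' if blp else 'deny':5} "
                  f"Biba={'allow' if biba else 'deny'}")
```

Running the script prints a 2x2 table for each object: every request the analyst is allowed under Bell-LaPadula is denied under Biba and vice versa, which is exactly the "same structure, inverted rules" relationship between the two models. A missing category denies a read under Bell-LaPadula even when the level is high enough, so categories are a real part of the lattice, not decoration.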
Question 9
Answer: A
Reasoning: Kerberos is named after the three-headed dog of Greek
mythology; the heads are sometimes said to stand for authentication,
accounting, and auditing. The protocol's job is authentication: the Key
Distribution Center issues tickets that prove a principal's identity to a
service. Authorization, deciding what the authenticated principal may do,
is left to the service itself and is not something Kerberos provides.
Question 10
Answer: D
Reasoning: Emergency changes represent those changes that must
be done immediately to handle highly critical issues to the business or
service.
Question 11
Answer: C
Reasoning: Intrusion detection systems use signature (pattern) matching
and anomaly detection to flag attacks; the other options are
authentication or access control mechanisms.
Question 12
Answer: A
Reasoning: Directories are used within identity management to
simplify the architecture and prevent duplication of information.
Question 13
Answer: B
Reasoning: Tokens, fobs and smart cards are something a person has;
combined with a PIN or password (something the person knows) they provide
two-factor authentication.
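Added example (not from the book): a Python login check that requires both factors, a salted password hash for "something you know" and a time-based one-time code (RFC 6238 TOTP, built on RFC 4226 HOTP) for "something you have". The in-memory user store, the user name and the seed value are constructed for the example; the seed is the ASCII string used as the RFC 4226 test key, which is why its codes are known.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional

TIME_STEP = 30   # RFC 6238 default step in seconds
DIGITS = 6

# Constructed in-memory user store for the example; a real deployment keeps
# this in a database and protects the TOTP seed as a secret.
USERS: Dict[str, dict] = {}


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(key, unix_time // step, digits)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def enroll(username: str, password: str, totp_seed: bytes) -> None:
    """Store 'something you know' (salted hash) and 'something you have' (seed)."""
    salt = secrets.token_bytes(16)
    USERS[username] = {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "seed": totp_seed,
        "last_counter": -1,   # highest time step already accepted; blocks replay
    }


def verify_login(username: str, password: str, code: str, now: int, window: int = 1) -> bool:
    """Both factors must pass. Tolerates +/-window steps of clock skew and never
    accepts a time step at or below the last one used (replay protection)."""
    user = USERS.get(username)
    if user is None:
        return False
    # Factor 1: something you know (constant-time comparison of the hashes).
    password_ok = hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])
    # Factor 2: something you have, the device holding the seed.
    counter = now // TIME_STEP
    matched: Optional[int] = None
    for c in range(counter - window, counter + window + 1):
        if c <= user["last_counter"]:
            continue
        if hmac.compare_digest(hotp(user["seed"], c), code):
            matched = c
            break
    if not (password_ok and matched is not None):
        return False
    user["last_counter"] = matched   # burn the step only on a full success
    return True


if __name__ == "__main__":
    seed = b"12345678901234567890"       # RFC 4226 test key, constructed
    enroll("alice", "correct horse battery staple", seed)
    print(verify_login("alice", "correct horse battery staple", totp(seed, 59), 59))  # True
    print(verify_login("alice", "correct horse battery staple", totp(seed, 59), 59))  # False: replay
```

The replay check is what turns "a code that is valid for 30 seconds" into "a code that is valid once": without it, an attacker who shoulder-surfs or phishes a code can reuse it within the window. Keeping the password check and the code check independent, and only updating the last-used step when both pass, avoids burning the user's current code when a wrong password is entered.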
Question 14
Answer: D
Reasoning: Gap analysis compares actual and expected delivery of
performance, functional, and usage requirements.
Question 15
Answer: A
Reasoning: Distinct controls do not overlap in their operation with other
controls and countermeasures.
Question 16
Answer: C
Reasoning: Although all of these policies may touch on required employee
behaviour, a Social Responsibility policy addresses the primary behaviours
expected of all employees under all conditions, both onsite and offsite.
Question 17
Answer: D
Reasoning: Indirect costs are those shared across several customers or
services and must be apportioned between them, whereas direct costs can be
assigned wholly to a single customer.
Question 18
Answer: B
Reasoning: The Chief Information Security Officer serves as the
authority to address all security concerns.
Question 19
Answer: C
Reasoning: Information security governance is responsible for aligning
security objectives with the business strategy. Controls are implemented
to support those objectives, and management ensures the controls are
maintained throughout their life cycle.
Question 20
Answer: A
Reasoning: Confidentiality serves to keep information private; Integrity,
to keep information accurate; and Availability, to keep information
accessible when it is needed.
Question 21
Answer: B
Reasoning: Detective controls are applied to the environment to identify a
security incident as early as possible so that it can be handled.
Question 22
Answer: D
Reasoning: Decision-making structures and activities should be
transparent as a part of Information Security Governance.
Question 23
Answer: A
Reasoning: Security is not only a technical issue but also a business and
governance concern. Although many security controls can be automated,
that does not remove the responsibility of people to adopt security
practices. The controls and practices must be adopted whether or not the
people involved are trustworthy, so that systems are managed effectively
and efficiently. Most security controls address potential risks to the
environment and the business.
Question 24
Answer: C
Reasoning: The Guidelines for the Security of Information Systems were
issued by the Organisation for Economic Co-operation and Development
(OECD).
Question 25
Answer: B
Reasoning: A threat is a potential cause of a security incident; it acts
by exploiting a vulnerability. The likelihood of a threat exploiting a
vulnerability, together with the resulting impact, defines the risk of a
security incident, and controls are applied to reduce that risk.
Question 26
Answer: D
Reasoning: Spyware is hidden software that tracks a user's activity and
collects information without the user's knowledge.
Question 27
Answer: B
Reasoning: DoD Instruction 8500.2 groups its Information Assurance
controls into eight subject areas.
Question 28
Answer: A
Reasoning: Structured Protection (TCSEC class B2) builds on the lower
classes and is described as relatively resistant to penetration. Security
Domains (B3) is highly resistant to penetration, and Verified Design (A1)
adds formal verification of the design.
Question 29
Answer: C
Reasoning: ACLs permit or deny traffic based on attributes such as source
and destination address, protocol and port; routers apply them as the
rule set for filtering traffic. Passwords authenticate users; they do not
filter traffic.
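Added example (not from the book): a Python evaluator for router-style access control lists that applies rules first-match with the implicit deny at the end, plus a check for rules that can never fire because an earlier, broader rule shadows them. The rule text format, addresses and sample packets are constructed for the example; they are not any vendor's syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; else "tcp" or "udp"
    src: IPv4Net
    dst: IPv4Net
    dport: Optional[int] = None  # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv4Addr
    dst: IPv4Addr
    dport: int


def parse_rule(text: str) -> Rule:
    """Parse 'action proto src dst [dport]'; 'any' means 0.0.0.0/0 (constructed format)."""
    parts = text.split()
    if len(parts) not in (4, 5) or parts[0] not in ("permit", "deny"):
        raise ValueError(f"bad rule: {text!r}")

    def to_net(s: str) -> IPv4Net:
        return IPv4Net("0.0.0.0/0" if s == "any" else s)

    dport = int(parts[4]) if len(parts) == 5 else None
    return Rule(parts[0], parts[1], to_net(parts[2]), to_net(parts[3]), dport)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if pkt.src not in rule.src or pkt.dst not in rule.dst:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; a packet that matches nothing hits the implicit deny."""
    for index, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "deny", None


def _covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matching `inner` would also match `outer`."""
    return ((outer.proto == "ip" or outer.proto == inner.proto)
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and (outer.dport is None or outer.dport == inner.dport))


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [i for i, rule in enumerate(acl)
            if any(_covers(earlier, rule) for earlier in acl[:i])]


if __name__ == "__main__":
    # Constructed ACL with a classic ordering mistake: the broad permit comes first.
    acl = [parse_rule("permit ip 10.0.0.0/8 any"),
           parse_rule("deny tcp 10.0.5.0/24 any 23")]
    telnet = Packet("tcp", IPv4Addr("10.0.5.7"), IPv4Addr("192.0.2.10"), 23)
    print(evaluate(acl, telnet))        # ('permit', 0): the deny never fires
    print(shadowed_rules(acl))          # [1]
    print(evaluate(acl[::-1], telnet))  # ('deny', 0) once the specific rule is first
```

Two things a practitioner checks on every ACL are shown here: order matters because the first match ends evaluation, so specific denies must precede broad permits, and anything not explicitly permitted is dropped by the implicit deny, which is why a packet from an address outside 10.0.0.0/8 returns `("deny", None)`.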
Question 30
Answer: B
Reasoning: RSA is an asymmetric (public-key) algorithm; DES and AES are
symmetric ciphers, and MD5 is a hash function.
Question 31
Answer: A
Reasoning: Retina scans are a biometric authentication method.
Question 32
Answer: D
Reasoning: EAL7, the highest Common Criteria evaluation assurance level,
describes products whose design has been formally verified and tested.
Question 33
Answer: B
Reasoning: Protocols are a technical control. The other options are
administrative controls, as are personnel clearance and privilege
management.
Question 34
Answer: C
Reasoning: Qualitative risk assessments are descriptive and usually
performed when information, expertise, resources, and time are
limited.
Question 35
Answer: D
Reasoning: Risk Transfer is an attempt to pass on risk to another
entity. Insurance is used to cover the organization against the
occurrence of a security incident by passing on the impact to another
entity.
Question 36
Answer: A
Reasoning: Policies drive the type and extent of information security
activities.
Question 37
Answer: C
Reasoning: Cost units describe the unit of consumption that can be tracked
and are used for accounting, budgeting, and billing.
Question 38
Answer: B
Reasoning: The characteristics of Information Security Governance
are discipline, transparency, independence, accountability,
responsibility, and fairness.
Question 39
Answer: A
Reasoning: Access controls ensure that security incidents are
prevented by ensuring the information is accessed only by authorized
persons.
Question 40
Answer: D
Reasoning: The security objectives revolve around ensuring that
information remains confidential, remains available, and maintains its
integrity.
8 References
Information: www.isaca.org
Websites
www.artofservice.com.au
www.theartofservice.org
www.theartofservice.com
9 Index
access 13, 42-3, 46-8, 53, 63-4, 69, 73, 76-7, 84-8, 91-6, 112-14, 134-5, 144, 150, 153-4, 178
accountability 67, 135, 157, 163-4, 170, 180
accounting 153-4, 158, 173, 180
accreditation 5, 25, 67, 124
accuracy 61, 103-4, 163
ACLs (Access control lists) 5, 76, 92, 167, 178
agreements 33, 115-16, 121, 126, 131, 133
AH (Authentication Header) 5, 115-16
algorithm 44, 109, 118
applications 36, 41-4, 49-50, 53, 70, 72, 75, 77, 86-8, 90-1, 93, 100, 133, 135
assessment 8, 55-6, 131, 141
assets 20-1, 32, 35, 38, 133, 161, 165
attributes 91-2, 102, 106-8, 178
audits 22, 27, 56, 73, 152
authentication 15, 70, 76, 80-1, 84, 86, 90, 94, 101, 103, 111-14, 116, 158, 173
authorization 15, 86, 112, 131-2, 158, 174
availability 13-14, 17, 28-9, 38, 40, 82, 123, 131, 157, 163, 171-2, 176
capabilities 11, 43, 48, 53, 70, 94, 97, 125, 142-3, 152
card, smart 86, 95-101
certification 5, 8-9, 81, 124
change management 5, 66, 130-2, 145
changes 37, 45, 58-61, 87, 121, 130-4, 138, 174
classifications 11, 38-9, 126, 133
compliance 5, 15-16, 20, 22, 25-6, 28, 31, 79, 123-5, 172
components 68, 73, 116-17, 133, 166
confidentiality 13, 17, 28-9, 38, 40, 77, 82, 111, 123, 157, 163, 172, 176
configuration 59, 98, 132
Configuration Item (CI) 133-4
continuity planning 5, 139-40, 143
cost 11, 18, 24-5, 36-7, 45, 50, 60-1, 86, 96, 161, 175
Cost Benefit Analysis 4, 60, 160
countermeasures 3, 36-8, 55, 153, 175
credentials 53, 95, 112, 114
Crisis management planning (CMP) 141-2
customers 11-12, 14, 24-5, 33, 53, 84, 122, 125-6, 171, 175
identification 15, 70, 74, 80-1, 133
identity 44, 84-6
IDS (Intrusion Detection Systems) 5, 48, 70, 104-5, 107, 151, 158
IKE (Internet Key Exchange) 5, 116
implementation 15-16, 18, 23-4, 26, 33, 37, 66, 82, 120, 122-4, 136, 152, 172-3
incidents 35, 65, 67, 70, 130, 134, 136-8, 144-5
individuals 8, 14, 92-4
information security 3, 9, 12, 17, 21, 23, 27-9, 65, 69, 101, 144, 164, 172, 179
Information Security Governance 3, 11, 17, 21, 156, 162, 172, 175-6, 180-1
information security management 8-9, 11-12, 14, 21, 28, 66, 155, 162, 171-2
Information Security Policy 14, 16, 32-4
Information Security Management System (ISMS) 9-10, 23, 28-9, 40, 65, 69, 128, 144, 147, 165, 177
integrity 5, 13, 17, 20, 28-9, 38-40, 77, 82, 104, 116, 118, 123, 157, 163, 172-3, 176
interaction 26, 54, 89, 94
ISO 28-9, 96-7, 99-100, 156
ITSEC (Information Technology Security Evaluation Criteria) 4, 82-3
management 8, 11-12, 17, 21, 28, 31, 42, 50, 71-2, 74, 84-6, 91, 159, 176
managers 39, 54, 56, 84
memory 42, 45-6, 49-50, 97-8
message 54, 109-11
model 82-3, 133, 144
network 29, 42, 47-8, 72, 76-7, 88, 104, 131, 134-5, 154, 158
NIST (National Institute of Standards and Technology) 28, 139, 165
passwords 44-5, 49, 54, 73-5, 86, 88, 94-5, 101, 103, 113, 167, 178
performance 59, 64, 117, 160, 174
phases 117-18, 140-1
policies 3, 11, 14, 18, 20, 26-7, 32-5, 70-2, 81, 92-3, 120-2, 133, 168-9, 175, 179
power 98, 101, 147
privileges 69, 74, 92-3, 157
problems 27, 127, 134, 136, 138, 169
processes 4, 17, 19-20, 35, 46, 49-50, 53, 55, 57, 63-5, 84, 95, 114, 118-19, 136, 144
products 7, 12, 26, 83, 88, 135, 168, 178
projects 60-1, 91, 172
protection 13, 30, 39, 48, 72, 128, 151
protocols 85, 91, 105, 107, 114, 116, 168, 179
threats 15, 31, 36, 40, 42-3, 55, 64, 77, 129, 147-8, 165, 177
time 25, 37, 45-6, 59-61, 88, 90, 94, 118, 134, 138, 153, 179
tokens 75, 94-5, 103, 174
traffic 92, 104-6, 108, 167, 178
types 5, 60, 71, 92, 94, 97-9, 101-3, 120, 125, 130-1, 133, 146-7, 159-60, 163, 166, 168
value 1-2, 12, 17, 19-20, 22, 38, 54, 60-1, 103
vendors 23, 26, 84
visibility 18, 70, 105
vulnerabilities 3, 15, 27, 30-1, 40, 42, 52-3, 55, 104, 127, 148, 152-3, 165, 177