
Slide 1

Certified Information Systems Security Professional (CISSP)

Course 1 - Information Security and Risk Management

Logical Security
9316 Yorktown St.
McKinney, TX 75071

www.LogicalSecurity.com © Logical Security

Slide 2

Logical Security Offers…

Slide 3

Holistic Security

Slide 4

Slide 5

Slide 6

Slide 7

Slide 8

Think of Us…
• Risk Management
• Enterprise Security Architect
• Security Governance
• Regulatory Compliance
• Vulnerability Management
• Data Leakage Protection

Slide 9

Holistic Security

Slide 10

Shon Harris CISSP®


Logical Security’s
CISSP Course

Logical Security
www.LogicalSecurity.com
Copyright © 2007. All rights reserved.
Slide 11

Common Body of Knowledge

• Access Control
• Application Security
• Business Continuity and Disaster Recovery Planning
• Cryptography
• Information Security and Risk Management
• Legal, Regulations, Compliance, and Investigation
• Operations Security
• Physical (Environmental) Security
• Security Architecture and Design
• Telecommunications and Network Security

Slide 12

Exam Specifics
CISSP Exam
• 250 questions
• 225 questions graded
• 25 questions are for research purposes
• 6 hours given to complete test
• Average is 4 ½ hours
• Passing grade is 700 points
• Questions are weighted
• Multiple choice – one answer is correct

Slide 13

Your Instructor: Shon Harris
• Recognized as one of the top 25 women in the security field by Information Security Magazine
• Author of best-selling book CISSP All-In-One Study Guide and CISSP Passport
• Gray Hat Hacking book 2nd edition
• Former engineer in the Information Warfare unit for the Air Force
• Security Consultant
• President, Logical Security
• Security writer for Information Security Magazine and Windows 2000

Slide 14

What Have You Heard?

• Do you know others who have taken this exam?
• Why is it seen as such a difficult test?

Slide 15

Some Reasons Why the Exam Is Difficult
• Covers a wide range of information
  • Many people may have experience in one or two domains of the CBK, but not in all
• The types of questions
  • Very cognitive questions
  • You must understand the concepts deeply to answer the questions properly

Slide 16

We Will Cover It All!

• Access Control
• Application Security
• Physical Security
• Information Security and Risk Management
• Cryptography
• Legal, Regulations, Compliance, and Investigation
• Operations Security
• Security Architecture and Design
• Business Continuity and Disaster Recovery Planning
• Telecommunications and Network Security


Slide 17

CISSP Exam Tips

Requirements
• Minimum of 4 years of relevant experience or 3 years plus a degree
• Registration letter from (ISC)2
• Candidate ID is required for day of the exam
• You can write in booklets; pencils will be supplied
• If English is NOT your native language…
  • You can bring a non-technical dictionary
• Sponsor must sign off vouching for your experience

Slide 18

CISSP Associate
• Do not have the experience to take the exam?
• No problem – you can be an “associate” and take the exam.
• Once you have enough experience, submit it to (ISC)2 and join the ranks of CISSPs.

Slide 19

No Other World Exists Now

Slide 20

This Will Be Trickier than You Think

Slide 21

Question 1 Example
Which of the following is a reason to place security elements in a lower layer of the system architecture?

a. Increases performance and provides a wider range of protection
b. Increases performance and provides a more granular approach to access
c. Allows for multitasking to not interfere or be affected by the restrictions of the security elements
d. Provides more control and flexibility in configuration for the user

Slide 22

Architecture Components

[Figure: layered architecture stack, top to bottom: OS, OS Kernel, Processor, BIOS and Firmware, Motherboard Components. Side labels on the figure: "Granularity" and "Process Intensive".]

Slide 23

Question 2 Example
Clipping levels come in many different forms. Which of the following best describes a benefit of the use of clipping levels?

a. Detection of IP spoofing and resetting of configurations
b. Alerting IT staff of attacks
c. Reducing the amount of unauthorized users from logging onto a system
d. Reduction in investigation by IT members
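As an added illustration (not part of the course slides) of what a clipping level does in practice: a threshold-based check over constructed failed-login log lines, where only accounts whose failure count crosses the threshold within the time window surface for review. The log lines, the threshold of 5 and the 10-minute window are assumptions chosen for this example.

```python
"""Clipping-level check over authentication log lines.

Added example, not from the Logical Security course material. A clipping
level is a threshold: failed logins below it are treated as ordinary noise
(a user mistyping a password), and only once the count crosses the threshold
inside the window is an alert raised for someone to investigate.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like, not from any real system).
# alice: 2 failures then success; bob: 6 failures in 10 seconds;
# carol: 6 failures spread one hour apart.
SAMPLE_LOG = """\
2024-03-01T08:00:01 FAILED_LOGIN user=alice src=10.0.0.5
2024-03-01T08:00:09 FAILED_LOGIN user=alice src=10.0.0.5
2024-03-01T08:00:15 LOGIN_OK user=alice src=10.0.0.5
2024-03-01T08:01:00 FAILED_LOGIN user=bob src=10.0.0.9
2024-03-01T08:01:02 FAILED_LOGIN user=bob src=10.0.0.9
2024-03-01T08:01:04 FAILED_LOGIN user=bob src=10.0.0.9
2024-03-01T08:01:06 FAILED_LOGIN user=bob src=10.0.0.9
2024-03-01T08:01:08 FAILED_LOGIN user=bob src=10.0.0.9
2024-03-01T08:01:10 FAILED_LOGIN user=bob src=10.0.0.9
2024-03-01T08:30:00 FAILED_LOGIN user=carol src=10.0.0.7
2024-03-01T09:30:00 FAILED_LOGIN user=carol src=10.0.0.7
2024-03-01T10:30:00 FAILED_LOGIN user=carol src=10.0.0.7
2024-03-01T11:30:00 FAILED_LOGIN user=carol src=10.0.0.7
2024-03-01T12:30:00 FAILED_LOGIN user=carol src=10.0.0.7
2024-03-01T13:30:00 FAILED_LOGIN user=carol src=10.0.0.7
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, event, key/value fields)."""
    ts, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), event, kv


def clipping_level_alerts(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {user: peak_count} for users whose FAILED_LOGIN events reach
    `threshold` inside any sliding `window`; everyone else stays under the
    clipping level and produces no alert."""
    per_user = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, kv = parse_line(raw)
        if event == "FAILED_LOGIN":
            per_user[kv["user"]].append(ts)

    alerts = {}
    for user, times in per_user.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[user] = max(alerts.get(user, 0), count)
    return alerts


def triage_summary(log_text, **kw):
    """Contrast looking at every failed login with looking only at accounts
    that crossed the clipping level."""
    raw = sum(1 for l in log_text.splitlines() if " FAILED_LOGIN " in l)
    alerts = clipping_level_alerts(log_text, **kw)
    return {"failed_logins": raw, "accounts_alerted": len(alerts)}


if __name__ == "__main__":
    print(clipping_level_alerts(SAMPLE_LOG))   # {'bob': 6}
    print(triage_summary(SAMPLE_LOG))          # {'failed_logins': 14, 'accounts_alerted': 1}
```

Widening the window (for example to several hours) makes carol's slow, spread-out failures cross the level too, which is why the threshold and window are tuned to the environment rather than fixed.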

Slide 24

Information Security and Risk Management
• Security Definitions and Goals
• Control Types
• Risk Management and Analysis
• Components of a Security Program
• Roles and Responsibilities in Security
• Information Classification
• Employee Management
• Awareness Training

Slide 25

Where Did We Come From?

In 1945, huge computers could not even do what our small calculators do today – but it was a start!

Slide 26

Mainframe Days
And we evolved…

Slide 27

In the Good Old Days – Who Knew?

[Figure: word cloud of terms: OSI, Network Configuration, Buffer Overflows, TCP/IP, Protocols, Phishing, Ethernet, APIs, Sniffers, Hacking, Layer 3, ICMP, Ports]

Slide 28

Today’s Environment

Slide 29

Agenda
Security Definitions and Components

Slide 30

Security Definitions
Vulnerability
• Weakness in a mechanism that can threaten the confidentiality, integrity, or availability of an asset
• Lack of a countermeasure
Threat
• Someone uncovering a vulnerability and exploiting it
Risk
• Probability of a threat becoming real, and the corresponding potential damages
Exposure
• When a vulnerability exists in an environment
Countermeasure
• A control put into place to mitigate potential losses
Slide 31

Vulnerabilities
Not just open ports …

• No policies or not following them
• Poorly configured remote access server
• No control over PDAs and smart phones
• Lack of security awareness training
• Etc., etc., etc.

Slide 32

Examples of Some Vulnerabilities that Are Not Always Obvious
• Lack of security understanding
  - Real security requires real knowledge
  - Technical to the C-level in companies
• Misuse of access by authorized users
  - Authorization creep
  - Can now be a criminal offense according to specific laws
• Concentration of responsibilities
  - Separation of duties
• Not being able to react quickly
  - No response team or procedures
  - Lack of communication structure
• Lack of ways to detect fraud
  - Rotation of duties
  - Technologies and processes


Slide 33

Risk – What Does It Really Mean?

Risk Definition
• Probability of a vulnerability being exploited by a threat and the resulting business impact
• Vulnerability or risk management?
• Goal of risk management
  - Optimal security at minimal cost

Slide 34

Relationships


Slide 35

Who Deals with Risk?


Slide 36

Overall Business Risk


Slide 37

Who?

“Who deals with risk in our company?”

Response: “We don’t really understand it, so we ignore it.”


Slide 38

AIC Triad
Availability
• Usability, timeliness
• Prevents disruption of services
• Protects production and productivity
Integrity
• Accuracy, completeness
• Prevents unauthorized modification
• Protects data and production environment
Confidentiality
• Secrecy, sensitivity, privacy
• Prevents unauthorized disclosure of data
• Protects sensitive data and processes

Slide 39

Availability
• Manmade, technical, or natural disaster
• Failure of components or a device
• Denial-of-service attacks
• Redundant technologies
• Failover devices
• Backup technologies


Slide 40

Integrity
• Modifying data or configurations
• Changing security log information
• Software configurations
• Hash algorithms and message authentication code
• Authentication, logging, auditing
• Change control, configuration management

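Slide 40 lists hash algorithms and message authentication codes as integrity controls, with "changing security log information" as the threat they counter. The example below is added here and is not part of the Logical Security course material: it chains an HMAC over constructed audit-log lines so that an edited or deleted entry is detected, and shows the caveat that truncating the tail of the log is only caught when the latest tag is also stored somewhere the log writer cannot reach. The log lines, key, and function names are all constructed for this demonstration.

```python
"""HMAC chain over audit-log entries: detecting edited or deleted lines."""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample entries for the demonstration (not from any real system).
SAMPLE_LOG = [
    "2024-01-01T09:00:01Z user=alice action=login result=FAILED",
    "2024-01-01T09:00:09Z user=alice action=login result=FAILED",
    "2024-01-01T09:00:15Z user=alice action=login result=SUCCESS",
    "2024-01-01T09:02:40Z user=alice action=read file=payroll.xlsx",
]

# Demo key only. In practice the key must not be readable by whoever can
# write the log (e.g. it lives on the collector, not the producing host).
DEMO_KEY = b"demo-log-integrity-key"

# Fixed "previous tag" used for the very first entry of a chain.
GENESIS = b"\x00" * 32


def entry_tag(key: bytes, prev_tag: bytes, line: str) -> bytes:
    """HMAC-SHA256 over (previous tag || current line).

    Including the previous tag means each entry commits to the whole
    history before it, so deleting or reordering lines breaks later tags.
    """
    mac = hmac.new(key, prev_tag, hashlib.sha256)
    mac.update(line.encode("utf-8"))
    return mac.digest()


def seal_log(key: bytes, lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, hex_tag) pairs forming a MAC chain over the log."""
    sealed: List[Tuple[str, str]] = []
    prev = GENESIS
    for line in lines:
        tag = entry_tag(key, prev, line)
        sealed.append((line, tag.hex()))
        prev = tag
    return sealed


def verify_chain(key: bytes, sealed: List[Tuple[str, str]]) -> Optional[int]:
    """Recompute the chain; return the index of the first bad entry, or None."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(sealed):
        expected = entry_tag(key, prev, line)
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return i
        prev = expected
    return None


def verify_with_head(key: bytes, sealed: List[Tuple[str, str]], head_hex: str) -> bool:
    """Chain check plus comparison with a separately stored head tag.

    The head tag (tag of the newest entry) kept off-host is what turns a
    silent truncation of the log's tail into a detectable failure.
    """
    if not sealed or verify_chain(key, sealed) is not None:
        return False
    return hmac.compare_digest(sealed[-1][1], head_hex)


def demo() -> Dict[str, object]:
    """Seal the sample log, apply three tampering scenarios, report results."""
    sealed = seal_log(DEMO_KEY, SAMPLE_LOG)
    head = sealed[-1][1]  # would be shipped to the collector in practice

    # Scenario 1: rewrite a failed login as a success, keeping the old tag.
    edited = list(sealed)
    line, tag = edited[1]
    edited[1] = (line.replace("FAILED", "SUCCESS"), tag)

    # Scenario 2: delete the middle entry (successful login).
    deleted = sealed[:2] + sealed[3:]

    # Scenario 3: drop the newest entry (the sensitive file access).
    truncated = sealed[:-1]

    return {
        "intact": verify_chain(DEMO_KEY, sealed),            # None
        "edited_entry": verify_chain(DEMO_KEY, edited),      # 1
        "deleted_entry": verify_chain(DEMO_KEY, deleted),    # 2
        "truncated_chain_only": verify_chain(DEMO_KEY, truncated),  # None
        "truncated_with_head": verify_with_head(DEMO_KEY, truncated, head),  # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The chain alone reports the truncated log as clean; only the comparison against the externally stored head tag flags it, which is why log integrity designs pair the MAC with forwarding to a separate collector.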

Slide 41

Confidentiality
• Unauthorized access
• Protection of sensitive data or equipment
• Access control
• Encryption


Slide 42

Who Is Watching?

Shoulder surfing - different types

Think about ALL of the people who have access!

Slide 43

Social Engineering
• In every security system, people are the weakest link.
• Some of the most effective reconnaissance techniques target people.
  - People want to be helpful.
  - Nobody wants to get into trouble.
  - If you sound legitimate, most people will think you are.
  - Confidence and a clipboard will get you into a lot of places.


Slide 44

Social Engineering
To effectively collect information from human subjects, you may need to gather background information first.

• Organization’s website
• Company directory
• Other employees
• Address and phone numbers
• Background on the organization
• News articles/press releases

Footprinting!

Slide 45

What Security People Are Really Thinking


Slide 46

Security Concepts

• Security through Obscurity
• Control Types


Slide 47

Security through Obscurity

The idea that the opponent will always be less intelligent than the defender:
• Designers think that if the flaws are not known then they will not be exploited
• Some feel as though compiled code is more secure than open source code, because it is more difficult to identify flaws
• Some algorithms are not publicly released, which is an example of security through obscurity
• Usually used in place of a robust security framework


Slide 48

Another Approach


Slide 49

Security?
Designers think that if the flaws are not known then they will not be exploited.
• Vendors do not release information on flaws.
• Once found out – then patches have to be released.

A needle in a haystack is hard to find, but someone will find it!


Slide 50

Security?
Some feel as though compiled code is more secure than open
source code, because it is more difficult to identify flaws.

Two camps continue to debate.


Slide 51

The Bad Guys Are Motivated


Do not rely on others’ ignorance or lack of interest.


Slide 52

If Not Obscurity – Then What?

• Industry best practices
• Standardization of protocols and communication
• Interoperability in a safe manner
• Everyone practicing security responsibly


Slide 53

Open Standards
• Publicly available specifications to allow for interoperability.
• Some of the organizations that develop open standards:
  - International Organization for Standardization (ISO)
  - International Telecommunication Union (ITU)
  - The Institute of Electrical and Electronics Engineers Standards Association (IEEE-SA)

Structured security programs and enterprise architectures!

Slide 54

Common Open Standards


Examples of Some Open Standards:
• TCP/IP
• OSI Model
• HTML, XML, SOAP
• IEEE standards
  - 802.3, 802.5, 802.11, etc.
• ISO 1799
• NIST
• Risk Management
• Formal frameworks
• SABSA


Slide 55

Without Standards
If technology and security were not standardized…
• Proprietary solutions and solution wars
  - Everyone can now try to make the best widget; it just has to be able to talk to all the other widgets out there


Slide 56

“Soft” Controls
Administrative Controls
• Policies, procedures, standards, guidelines
• Employee management
• Testing and drills
• Risk management and analysis
• Information classification
• Awareness training


Slide 57

Logical Controls
Technical Controls
• Firewalls
• IDS
• Encryption
• Protocols
• Authentication mechanisms
• Auditing
• Access control technologies


Slide 58

Physical Controls
• Doors, windows, walls
• Security guards and dogs
• Fencing and lighting
• Locks
• Environmental controls
• Intrusion detection systems


Slide 59

Are There Gaps?

Do the departments responsible for these different types of security communicate and work well together in your company?


Slide 60

Understanding Drivers

• Legal requirements
• Regulation requirements
• Business objectives


Slide 61

Holistic Security

Slide 62

Not Always So Easy

Slide 63

What Is First?
Specific issues must be understood before the required
security program can be built.

• Legal requirements
• Regulation requirements
• Business drivers
• Threat profile
• Acceptable risk levels

These are the “whys” and then we will get to the controls,
which are the “hows”.

Slide 64

Different Types of Law


Legal Issues
• Federal laws
• State laws
• Administrative laws (mainly regulations)

Slide 65

How Is Liability Determined?


• Due Diligence
  ◦ Researching and identifying threats and risks
• Due Care
  ◦ Acting upon findings to mitigate risks

What are some examples of management carrying out due diligence and due care?

Slide 66

Examples of Due Diligence

Due Diligence
• Uncovering potential dangers
• Carrying out assessments
• Performing analysis on assessment data
• Implementing risk management
• Researching and understanding the environment’s vulnerabilities, threats, and risks

Slide 67

Examples of Due Care


Due Care
• Doing the right thing
• Implementing solutions based on analysis data
• Properly protecting the company and its assets
• Acting responsibly

Slide 68

Prudent Person Rule


Way of Determining Liability
• Understanding activities and reactions of a reasonable and responsible person
• Comparing your activities and reactions to this responsible person
• Judging the rationale of your actions
• Determining if you were negligent or not

Slide 69

Prudent Person
We have to ask ourselves whether we were responsible and reasonable in our actions; this judgment can be subjective.

Slide 70

Taking the Right Steps


You might need to start off slowly and deliberately to ensure each risk is properly identified and dealt with.

Slide 71

Regulations
Regulations – security professional’s best friend!

Slide 72

Why Do We Need Regulations?

Corporate and security governance is now all the rage!

Slide 73

Risk Management

Slide 74

Why Is Risk Management Difficult?


Risk Management
• Trying to predict the future
• Incredible number of variables to identify
• Surmising all possible threats and providing solutions to them
• Gathering data from many sources
• Dealing with many unknowns
• Quantifying qualitative items

Slide 75

Necessary Level of Protection Is Different for Each Organization

• Need to strike a balance between potential loss, acceptable risk level, and cost to protect assets
• To help determine “how much is enough security” the following items must be understood:
  ◦ Adversaries and their motivation and means to cause damage
  ◦ Asset values
  ◦ Vulnerabilities and threats
  ◦ Acceptable risk and resulting residual risk
  ◦ Countermeasure costs and benefits

Slide 76

Security Team/Committee
Team Members
• Security
• Internal audit
• Administrators
• Business process and data owners
• Operations
• HR, Legal
• Custodian

Slide 77

Review
• 3 control categories
• Type of control – auditing
• Due diligence versus due care
• Definition of risk
• What is security through obscurity?

Slide 78

Risk Management Process

Slide 79

Planning Stage – Team

Risk Assessment Team


• Should represent different departments of a company
  ◦ IT department
  ◦ Auditors
  ◦ Management
  ◦ Security department
  ◦ Physical security
  ◦ Business unit leaders
  ◦ Advisors
    ▪ Legal, human resources, management, safety officers
• Management will help decide upon team members
Slide 80

Analysis Paralysis

Slide 81

Planning Stage – Scope


Scope creep will be expensive and time-consuming.

Scope of Project
• Is just one facility being assessed?
• Is it an enterprise-wide assessment?
• What type of assets will be assessed?
  ◦ Tangible and intangible assets
• What type of threats will be considered?
  ◦ Manmade, natural disasters, technical

Slide 82

Planning Stage – Analysis Method

• Quantitative
  ◦ Assigning numeric and monetary values to risk components
    ▪ Asset value, business impact, frequency, countermeasure costs and values, uncertainty
  ◦ Difficult to fully achieve; complete quantitative analysis requires a lot of resources and time
• Qualitative
  ◦ Opinion-based with the use of a rating system
  ◦ Scenario-based
  ◦ Purely qualitative analysis is possible and not as time-consuming
Slide 83

Risk Management Tools

Tools of the Trade


• Automated tools require less repetitive data input
• Can run same data through several scenarios
• Analysis is still a time-consuming task
Slide 84

Defining Acceptable Levels

• The risk acceptance level is the maximum overall exposure to risk that should be accepted, based on the benefits and costs involved.
• If the responses to risk cannot bring the risk exposure to below this level, the activity will probably need to be stopped.
• Hence the level must be agreed with the appropriate level of management.
Slide 85

Acceptable Risk Level


• Each organization will have its own acceptable risk level, which is derived from its legal and regulatory compliance responsibilities and its threat profile.
• Management must set this acceptable risk level, and then it is the responsibility of the designated risk management roles to ensure that this level is not exceeded.

The objective of this stage is to determine the overall level of risk which the organization can tolerate for the given situation.
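As an added worked example (not part of the Logical Security course material), the quantitative and qualitative analysis methods from Slide 82 and the acceptable-risk decision from Slides 84 and 85, in Python. The formula names SLE, ARO and ALE, the (low, high) frequency range used to carry the slide's "uncertainty" component, and every figure and countermeasure below are constructed assumptions, not values from the course.

```python
"""Quantitative vs. qualitative risk analysis and the acceptable-risk decision.

Constructed illustration, not course material.  Assumptions (not from the
slides): SLE = asset value x exposure factor, ALE = SLE x ARO, an ARO range
(low, high) standing in for the "uncertainty" component, and sample figures.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # monetary value of the asset
    exposure_factor: float   # business impact: fraction of value lost per incident (0..1)
    aro_low: float           # frequency: optimistic incidents per year
    aro_high: float          # frequency: pessimistic incidents per year

    def sle(self) -> float:
        """Single loss expectancy: expected loss from one incident."""
        return round(self.asset_value * self.exposure_factor, 2)

    def ale_range(self) -> tuple[float, float]:
        """Annualized loss expectancy as (low, high); the spread is the uncertainty."""
        return (round(self.sle() * self.aro_low, 2), round(self.sle() * self.aro_high, 2))


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float      # amortized purchase plus yearly operating cost
    aro_reduction: float    # fraction of incidents it prevents (0..1)


def countermeasure_value(risk: Risk, cm: Countermeasure) -> float:
    """Yearly value of a countermeasure = ALE before - ALE after - its annual cost.
    Uses the pessimistic ARO so the benefit is not overstated."""
    _, ale_before = risk.ale_range()
    residual = round(ale_before * (1 - cm.aro_reduction), 2)
    return round(ale_before - residual - cm.annual_cost, 2)


def decide(risk: Risk, options: list[Countermeasure],
           acceptance_level: float) -> tuple[str, Countermeasure | None, float]:
    """Apply the acceptance level set by management (Slides 84/85).
    Returns (decision, chosen countermeasure or None, residual ALE)."""
    _, ale = risk.ale_range()
    if ale <= acceptance_level:
        return ("accept", None, ale)          # already within tolerance
    candidates = []
    for cm in options:
        residual = round(ale * (1 - cm.aro_reduction), 2)
        if residual <= acceptance_level:      # only options that reach the level count
            candidates.append((countermeasure_value(risk, cm), cm, residual))
    if candidates:
        _, best, residual = max(candidates, key=lambda c: c[0])
        return ("mitigate", best, residual)
    # No response brings exposure below the level: the activity should probably stop.
    return ("stop", None, ale)


def qualitative_rating(likelihood: int, impact: int) -> str:
    """Opinion-based rating on 1..5 scales, as used in qualitative analysis."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on a 1..5 scale")
    score = likelihood * impact
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


# Constructed sample figures (not real valuations).
CUSTOMER_DB = Risk("customer database", asset_value=500_000,
                   exposure_factor=0.4, aro_low=0.1, aro_high=0.5)
OPTIONS = [
    Countermeasure("offsite backups only", annual_cost=10_000, aro_reduction=0.5),
    Countermeasure("encryption plus monitoring", annual_cost=25_000, aro_reduction=0.8),
    Countermeasure("full DLP suite", annual_cost=70_000, aro_reduction=0.9),
]

if __name__ == "__main__":
    low, high = CUSTOMER_DB.ale_range()
    print(f"ALE range: {low:,.0f} .. {high:,.0f} per year")
    for cm in OPTIONS:
        print(f"{cm.name}: net value {countermeasure_value(CUSTOMER_DB, cm):,.0f}")
    decision, chosen, residual = decide(CUSTOMER_DB, OPTIONS, acceptance_level=30_000)
    print(decision, chosen.name if chosen else "-", f"residual {residual:,.0f}")
    print("qualitative:", qualitative_rating(likelihood=4, impact=5))
```

Note that the cheapest option is rejected not because it has poor value but because its residual exposure still sits above the level management set; that is the point of Slide 84.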
Slide 86

Collecting and Analyzing Data Methods

Data Collection
• Surveys
• Interviews
• Vulnerability tests
• Penetration tests

You must understand the business to understand risk in the correct context!

Slide 87

What Is a Company Asset?

What are you trying to protect?

Slide 88

Data Collection – Identify Assets


• Tangible
  ◦ Equipment
  ◦ Facilities
• Intangible
  ◦ Data
  ◦ Trade secrets
  ◦ Reputation
  ◦ Customer database

Slide 89

Data Collection – Assigning Values


An asset’s value is calculated by reviewing:
• Cost of acquisition
• Replacement cost
• Cost of developing the asset
• Role of the asset in the company
• Amount adversaries are willing to pay for the asset
• Cost of maintaining and protecting the asset
• Production and productivity losses resulting from compromise of asset
• Liability if asset is not properly protected

Slide 90

Asset Value
The value of an asset consists of its intrinsic value and the
near-term impacts and long-term consequences of its
compromise.

Slide 91

Data Collection – Identify Threats

Common Threats
 Errors and omissions
 Fraud and theft
 Employee sabotage
 Loss of physical or infrastructure support
 Malicious hackers
 Industrial espionage
 Malicious code
 Threats to privacy

Slide 92

Review
 Two ways of approaching risk
 Acceptable risk level
 Prudent man rule
 Security through obscurity

Slide 93

Data Collection – Calculate Risks

From here the team will carry out qualitative analysis steps or quantitative analysis steps.
 Quantitative
   Assigning numeric and monetary values
 Qualitative
   Opinion and scenario-based
   Use of a rating system

Slide 94

Scenario Based – Qualitative

 Create scenarios and identify threats
   Identify the range of threats possible
   Write a scenario for each large threat identified
   Functional managers review to make sure the scenarios are credible
 Evaluate security controls to address threats

Slide 95

Risk Approach (figure: matrix of Probability of Occurrence against Consequence of Occurrence)

Slide 96

Qualitative Analysis Steps

Steps to Qualitative Analysis
1. Gather company “experts”
2. Present risk scenarios
3. Rank seriousness of threats
4. Rank countermeasures

Slide 97

Want Real Answers?

Delphi Method
 Anonymous input
 More honest data collected
 Helps ensure no intimidation

Slide 98

Qualitative Risk Analysis Ratings

Organizations can develop internal qualitative risk ratings:
 A-F
 1-10
 Low, medium, high
 Highly likely, likely, unlikely, highly unlikely

Slide 99

Qualitative Risks
The following is an example of the Australia/New Zealand
Standard approach to qualitative ratings.

Slide 100

Quantitative Analysis Steps

1. Calculate estimated potential losses
2. Carry out a threat analysis
3. Calculate annual loss expectancy

Slide 101

Quantitative Analysis

Step 1 = Estimate potential loss

Single Loss Expectancy

Asset Value x Exposure Factor (EF) = SLE

Exposure factor = the percentage of loss that could be experienced

Slide 102

How Often Will This Happen?

Step 2 = Threat analysis

ARO (annual rate of occurrence) = number of expected incidents annually

Slide 103

ARO Values and Their Meaning

 One time in a 12-month period: ARO = 1.0
 Once in 10 years: ARO = 0.1
 Once in 100 years: ARO = 0.01

Slide 104

Calculate ALE
Step 3 = Calculate annual loss expectancy

Annualized Loss Expectancy

SLE x Annualized Rate of Occurrence (ARO) = ALE

Annualized rate of occurrence (ARO) = frequency of the threat taking place

What is the ALE value used for?

Slide 105

ALE Value Uses

 Categorize risks
 Build a security budget
 Amount to spend on risk mitigation
 Use to understand business risk overall

Slide 106

Relationships

Slide 107

Calculate Risks – ALE Example

1. If an e-commerce site is attacked (value = $300,000), it is estimated to cause 40% in damages to a company based on:
 Liability costs
 Confidential data being corrupted
 Loss in revenue
Asset Value x EF = SLE
300,000 x .4 = 120,000
2. Based on current safeguards, this threat is estimated to happen once in 12 months.
 SLE x ARO = ALE
 120,000 x 1.0 = 120,000
3. Management should not spend over this amount to protect this asset.

Slide 108

Your Turn!
A facility has a value of $650,000. It is estimated that a
tornado would hit once in ten years. If 35% of the facility
would be damaged, what would the ALE be?

Slide 109

ALE Calculation
SLE = $227,500
$650,000 x 0.35 = $227,500
ALE = $22,750
$227,500 x 0.1 = $22,750

What does the company do with this value?

Slide 110

Can a Purely Quantitative Analysis Be Accomplished?
NO!
A quantitative analysis requires quantifying many qualitative items.

 How do you assign a value to a reputation?
 How can you know the potential customers that will be lost?
 How can you properly predict market share loss?

All of these questions are difficult, but are required in a quantitative analysis.

Slide 111

Risk Types
Risks
 Potential loss
   Ramifications of exposure
 Delayed loss
   Secondary ramifications of exposure
   Much harder to identify and calculate

List Examples of…
 Potential losses
 Delayed losses

Slide 112

Examples of Types of Losses

Potential Losses
 Loss in production and productivity
 Cost of repairing damages
 Cost of consultants’ or experts’ services
 Loss in revenue
 Loss of customers

Slide 113

Delayed Loss
Delayed Losses
 Loss in reputation
 Loss of potential customers
 Late fees or penalty fees
 Loss in market share

Slide 114

Review – Steps of Analysis

 Identify a company’s assets
 Assign values to assets
 Identify the assets’ vulnerabilities and threats
 Calculate their associated risks
 Estimate potential loss and damages

Slide 115

Review
 ALE formula
 SLE formula
 What is ARO?
 If an event will potentially occur once in 100 years, what is
the ARO?
 Steps of a qualitative analysis

Slide 116

Cost/Benefit Analysis

Cost/Benefit Analysis
 The annualized cost of countermeasures should not be more than potential losses
 If a server is worth $3,000, a countermeasure that costs $4,000 should not be used
 Not as cut and dried as it may seem

How do you determine the cost of a countermeasure?

Slide 117

Cost of a Countermeasure
Some of the items that can go into the calculation:
 Purchase amount
 Maintenance amount
 Negative effects on production environment
 Man-hours to maintain
 IDS is an expensive countermeasure in this respect

Slide 118

Cost/Benefit Analysis
Countermeasure Criteria
 A Countermeasure Should …
   Mitigate the identified risk
   Be cost-effective
 (ALE before implementing countermeasure) – (ALE after implementing countermeasure) – (annual cost of countermeasure) = value of the countermeasure to the company
 If ALE for a specific asset is $78,000, and after implementation of the control the new ALE is $20,000 and the annual cost of the control is $60,000, what is the value of the control to the company?

Slide 119

Calculating Cost/Benefit
If ALE for a specific asset is $78,000, and after implementation of the control the new ALE is $20,000 and the annual cost of the control is $60,000, what is the value of the control to the company?

$78,000 – $20,000 = $58,000
$58,000 – $60,000 = -$2,000

Company should not implement this control. Not cost-beneficial.
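The quantitative steps from slides 101 through 109 (SLE, ARO, ALE) and the cost/benefit rule from slides 118 and 119, carried through as an added Python example that is not part of the course material. ARO is derived from a "once in N years" interval as the slides describe; the candidate countermeasures, their names, costs and residual ALEs are constructed for illustration.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and countermeasure cost/benefit.

Added example (not from the Logical Security course material). The candidate
countermeasures and their figures below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor.

    EF is the percentage of the asset's value lost in one incident, given here
    as a fraction (40% -> 0.40). The result is rounded to cents.
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return round(asset_value * exposure_factor, 2)


def aro_from_interval(years_between_events: float) -> float:
    """ARO = number of expected incidents per year.

    Once in 12 months -> 1.0, once in 10 years -> 0.1, once in 100 years -> 0.01.
    """
    if years_between_events <= 0:
        raise ValueError("interval between events must be positive")
    return 1.0 / years_between_events


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, rounded to cents."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(sle * aro, 2)


def risk_profile(asset_value: float, exposure_factor: float,
                 years_between_events: float) -> Dict[str, float]:
    """Run the three quantitative steps for one asset/threat pair."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    aro = aro_from_interval(years_between_events)
    return {"sle": sle, "aro": aro, "ale": annualized_loss_expectancy(sle, aro)}


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float   # purchase amortised per year + maintenance + man-hours
    residual_ale: float  # ALE expected after the control is in place


def countermeasure_value(ale_before: float, ale_after: float,
                         annual_cost: float) -> float:
    """(ALE before) - (ALE after) - (annual cost of countermeasure).

    A negative result means the control costs more than the risk reduction
    it buys, so it is not cost-beneficial.
    """
    return round(ale_before - ale_after - annual_cost, 2)


def rank_countermeasures(ale_before: float,
                         candidates: List[Countermeasure]) -> List[Tuple[str, float]]:
    """Return cost-beneficial candidates as (name, value) pairs, best value first.

    Candidates with zero or negative value are dropped; that also drops any
    control whose annual cost exceeds the ALE it is meant to reduce.
    """
    scored = [(c.name, countermeasure_value(ale_before, c.residual_ale, c.annual_cost))
              for c in candidates]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return [pair for pair in scored if pair[1] > 0]


# Constructed candidates for the e-commerce site (ALE = $120,000). Names,
# costs and residual ALEs are hypothetical.
EXAMPLE_CANDIDATES = [
    Countermeasure("Web application firewall", annual_cost=25_000, residual_ale=60_000),
    Countermeasure("Managed IDS", annual_cost=90_000, residual_ale=10_000),
    Countermeasure("Full site rebuild", annual_cost=130_000, residual_ale=0),
]


if __name__ == "__main__":
    ecommerce = risk_profile(300_000, 0.40, years_between_events=1)
    tornado = risk_profile(650_000, 0.35, years_between_events=10)
    print(f"E-commerce site: SLE ${ecommerce['sle']:,.0f}, ALE ${ecommerce['ale']:,.0f}")
    print(f"Facility/tornado: SLE ${tornado['sle']:,.0f}, ALE ${tornado['ale']:,.0f}")
    print("Course example control value:",
          countermeasure_value(78_000, 20_000, 60_000))  # -2000.0
    for name, value in rank_countermeasures(ecommerce["ale"], EXAMPLE_CANDIDATES):
        print(f"{name}: value to company ${value:,.0f}")
```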

Slide 120

Controls

“How do we decide what controls we buy within the company?”

Response: “We follow industry buzz words and buy the next
silver bullet. They must be right – they are the industry.”

Slide 121

Control Selection Requirements


 Modular in nature
 Provides uniform protection
 Provides override functionality
 Defaults to least privilege
 Independence of safeguard and the asset it is
protecting
 Flexibility and security
 Clear distinction between user and administrator
 Minimum human intervention
 Easily upgraded
 Does not panic personnel
 Identifies suspect

Slide 122

Control Selection Requirements


 Auditing functionality
 Minimizes dependence on other components
 Easily usable, acceptable, and tolerated by personnel
 Must produce output in usable and understandable format
 Must be able to reset safeguard
 Testable
 Does not introduce other compromises
 System and user performance
 Proper alerting
 Does not negatively affect asset

Slide 123

Quantitative Analysis
Quantitative Advantages:
 Results are based on independently objective processes and
metrics
 Cost/benefit assessment is possible
 Risk management can be tracked and evaluated
 Results can be expressed in monetary value, percentages,
probabilities
 Very useful for management to understand risks and create new
security budgets

Slide 124

Quantitative Analysis Disadvantages

Quantitative Disadvantages
 Requires a large amount of preliminary work
 Hard to carry out manually
 Formulas are usually complex and inflexible
 No real standard on how to carry this out

Slide 125

Qualitative Analysis Approach

Qualitative Advantages
 Assigning rating values is simple
 Allows for flexibility in processes and reporting results
 Requires less preliminary work

Slide 126

Qualitative Analysis Disadvantages

Qualitative Disadvantages
 Very subjective
 No use of independent objective metrics or processes
 Difficult to map to security budget needs
 Cost/benefit analysis not possible
 Cannot track risk management performance objectively

Slide 127

Can You Get Rid of All Risk?


Total Risk versus Residual Risk
 Amount of risk that exists before a safeguard is put into place is
total risk.
 After a safeguard is implemented, the remaining risk is called
residual risk.

Slide 128

Calculating Residual Risk


Threats x Vulnerability x Asset Value = Total Risk

(Threats x Vulnerability x Asset Value) x Control Gap = Residual Risk
(Control Gap = What the control cannot protect against)

Total Risk – Controls = Residual Risk

Analysis team needs to determine if residual risk is within the acceptable risk level of the company. Management will have to sign off on accepting this risk.
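The cost/benefit formula from slide 119 and the residual-risk formulas above, carried through in Python as an added example (not course material from Logical Security): it ranks several candidate controls for one asset and flags whether each leaves the residual risk inside the accepted level. Apart from the slide's own $78,000 / $20,000 / $60,000 case, the control names, costs, ALE figures, control gaps and acceptable-risk level are constructed for illustration.

```python
"""Cost/benefit and residual-risk arithmetic from the quantitative
analysis slides, generalised to rank several candidate controls.
Added example, not Logical Security course material."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A candidate safeguard for one asset (names and figures constructed)."""
    name: str
    annual_cost: float   # yearly cost: purchase, maintenance, staff time
    ale_after: float     # annualised loss expectancy once the control is in place
    control_gap: float   # fraction of total risk the control cannot protect against


def countermeasure_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """(ALE before control) - (ALE after control) - (annual cost) = value to the company."""
    return (ale_before - ale_after) - annual_cost


def total_risk(threats: float, vulnerability: float, asset_value: float) -> float:
    """Threats x Vulnerability x Asset Value = Total Risk (slide formula)."""
    return threats * vulnerability * asset_value


def residual_risk(total: float, control_gap: float) -> float:
    """Total Risk x Control Gap = Residual Risk; the gap is the share left unprotected."""
    if not 0.0 <= control_gap <= 1.0:
        raise ValueError("control_gap must be a fraction between 0 and 1")
    return total * control_gap


def evaluate_controls(ale_before, threats, vulnerability, asset_value,
                      candidates, acceptable_risk):
    """Rank candidate controls by value to the company and flag whether each
    leaves the residual risk inside the level management has agreed to accept."""
    total = total_risk(threats, vulnerability, asset_value)
    report = []
    for c in candidates:
        value = countermeasure_value(ale_before, c.ale_after, c.annual_cost)
        residual = residual_risk(total, c.control_gap)
        report.append({
            "control": c.name,
            "value": value,
            "cost_beneficial": value > 0,          # negative value: do not implement
            "residual_risk": residual,
            "within_acceptable_risk": residual <= acceptable_risk,
        })
    return sorted(report, key=lambda r: r["value"], reverse=True)


# Constructed scenario. The first control uses the slide's own figures:
# ALE $78,000 before, $20,000 after, $60,000 per year -> value -$2,000.
ALE_BEFORE = 78_000
THREATS, VULNERABILITY, ASSET_VALUE = 0.25, 0.5, 480_000   # total risk 60,000
ACCEPTABLE_RISK = 30_000                                   # constructed threshold
CANDIDATES = [
    Control("Course example (slide 119)", annual_cost=60_000, ale_after=20_000, control_gap=0.25),
    Control("Offsite backup", annual_cost=15_000, ale_after=30_000, control_gap=0.5),
    Control("Web application firewall", annual_cost=25_000, ale_after=45_000, control_gap=0.75),
]

if __name__ == "__main__":
    for row in evaluate_controls(ALE_BEFORE, THREATS, VULNERABILITY, ASSET_VALUE,
                                 CANDIDATES, ACCEPTABLE_RISK):
        verdict = "implement" if row["cost_beneficial"] else "do not implement"
        signoff = "" if row["within_acceptable_risk"] else \
            " (residual risk above acceptable level: management must sign off)"
        print(f'{row["control"]:28} value ${row["value"]:>8,.0f}  '
              f'residual ${row["residual_risk"]:>8,.0f}  {verdict}{signoff}')
```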
Slide 129

Uncertainty Analysis

The primary sources of uncertainty in the risk management process are:
 A lack of sufficient information to determine the exact value of the
elements of the risk model, such as threat frequency, safeguard
effectiveness, or consequences
 Relative magnitude of uncertainties and their implications on the
assessment results
Slide 130

Dealing with Risk


Management knows how to deal with business risk, which is different from security risk.
 Team presents the analysis results to management.
 Management makes the decisions about the next steps.
 Management has several choices when dealing with risk.

Slide 131

Deal with Risk

“How do we deal with risk in the organization?”

Response: “We create a lot of paperwork and then we just ignore it.”

Slide 132

Management’s Response to Identified Risks
 Risk mitigation
 Implement countermeasures
 Risk transference
 Third-party involvement (e.g., purchase insurance)
 Risk acceptance
 Informed decision – no action taken
 Risk avoidance
 Decide to stop activity

Slide 133

Risk Acceptance

 Cost decision
 Potential loss is lower than control cost
 Pain decision
 Ability to deal with related security incidents
 Visibility decision
 Reputation can take it
 Not a surprise decision
 Risk should not be accepted without knowing it

Slide 134

Risk Analysis Process Summary

Slide 135

Review
 3 types of control categories
 Due diligence
 Separation of duties is what type of control?
 4 ways of dealing with risk
 Formula for residual risk
 Formula to calculate the value of a countermeasure

Slide 136

Now What?
 We understand the legal requirements of the company.
 We understand the regulation requirements of the
company.
 We understand the acceptable risk level.
 We have identified critical assets.
 We have carried out risk assessments to understand the
current security posture.
 Now we need to build a security program with all of these
ingredients.

Slide 137

Components of Security Program

 Layered Approach
 Security Program Steps
 Organizational Security

Slide 138

A Layered Approach
Defense in Depth
 Providing layers of defense that an attacker must compromise
before accessing an asset
 Not relying upon just one control
 Understanding that a compromise in one layer may take place and having a backup layer to compensate for this

Slide 139

In Security, You Never Want Any Surprises

Slide 140

Building Foundation
Security Program
 Blueprint for a security program
 A framework for administrative, technical, and physical controls to
work within

Slide 141

Security Roadmap

Slide 142

Functional and Assurance Requirements
The security controls, systems, and overall program need to
have both requirements covered.

 “What is it that we want it to do?”
  Defining before buying

 “How are we making sure it is doing what it is supposed to be doing?”
  Testing, logging, auditing

Slide 143

Building Foundation

Slide 144

Most Organizations

Slide 145

Slide 146

Silo Security Structure

Slide 147

Islands of Security Needs and Tools

Slide 148

Get Out of a Silo Approach

Slide 149

Security Is a Process
Security is a process, not a product.

Slide 150

Approach to Security Management


- Top-Down Approach
  - Security is directed, driven, and supported by senior management
- Bottom-Up Approach
  - A staff member or group drives the initiative

Slide 151

Result of Battling Management

Slide 152

Industry Best Practices Standards


BS/ISO 17799
- Comprehensive guidelines on a range of controls for implementing security
- Companies can be certified against this standard
- Divided into 10 sections:
  - Security policy
  - Security organization
  - Asset classification and control
  - Personnel security
  - Physical and environmental security
  - Computer and network management
  - System access control
  - System development and maintenance
  - Business continuity planning
  - Compliance
Slide 153

ISO/IEC 17799

- ISO/IEC 17799 is a set of best practices for organizations to follow to implement and maintain a security program.
- It started out as British Standard 7799 (BS7799). BS7799 was published in the United Kingdom and became a de facto standard in the industry, used to provide guidance to organizations in the practice of information security.

Slide 154

Pieces and Parts


- BS7799 Part 1 outlines control objectives and a range of controls that can be used to meet those objectives.
- BS7799 Part II outlines how a security program can be set up and maintained.
- BS7799 Part II serves as a baseline that organizations can be certified against.
- An organization would choose to be certified against the BS7799 standard to provide confidence to its customer base and partners.
  - The organization could be certified against all of BS7799 Part II or just a portion of the standard.

Slide 155

Numbering
- ISO/IEC 17799:2005 is the newest version of BS7799 Part 1
  - Provides a list of controls that can be used within the framework
  - Will be ISO/IEC 27002:yr
- ISO/IEC 27001:2005 is the newest version of BS7799 Part II
  - Steps for setting up and maintaining a security program

Slide 156

New ISO Standards


- ISO/IEC 27000 - a vocabulary or glossary of terms
- ISO/IEC 27002 - the proposed re-naming of the existing standard ISO 17799
- ISO/IEC 27003 - a new ISMS implementation guide
- ISO/IEC 27004 - a new standard for information security measurement and metrics
- ISO/IEC 27005 - a proposed standard for risk management, potentially related to the current British Standard BS 7799 Part 3
- ISO/IEC 27006 - a guide to the certification/registration process

Slide 157

COBIT
- What is COBIT?
- Control Objectives for Information and related Technology (COBIT) was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI).
- It is a set of best practices (a framework) for information technology (IT) management.

Slide 158

Inside of COBIT

COBIT's 4 domains are groupings of processes that map to the following organizational responsibilities:
- Planning and Organization
- Acquisition and Implementation
- Delivery and Support
- Monitoring

Slide 159

COBIT – Control Objectives


5.1 Management of IT Security
    Manage IT Security at the highest appropriate organizational level …

5.2 IT Security Plan
    Translate business information requirements, IT configuration, information risk action plans, and information security culture …

5.3 Identity Management
    All users (internal, external, and temporary) and their activity on IT systems (business application, system operation …)

5.4 User Account Management
    Ensure that requesting, establishing, issuing, suspending, modifying, and closing user accounts and related user privileges …

5.5 Security Testing, Surveillance, and Monitoring
    Ensure that IT security implementation is tested and monitored proactively. IT security should be reaccredited periodically …

Slide 160

Slide 161

Measurements

Slide 162

Information Technology
Infrastructure Library (ITIL)
ITIL is considered the de facto standard for IT service management. It concentrates on how to provide consistent, documented, and repeatable processes to ensure quality.

Slide 163

3rd Party Governance


- Today's business environment is increasingly dependent on third-party relationships as organizations concentrate on their core competencies and outsource many non-core services.
- In turn, the heightened security expected by customers and a growing global emphasis on legal and regulatory compliance require evidence of adequate governance measures.
- Thus, the twin issues of due diligence and due care over third parties have become critical to business success.

Slide 164

3rd Party Governance (Cont.)

- There are 6 elements to consider:
Slide 165

Security Governance
“Security governance is the set of responsibilities and
practices exercised by the board and executive management
with the goal of providing strategic direction, ensuring that
objectives are achieved, ascertaining that risks are managed
appropriately and verifying that the enterprise’s resources are
used responsibly.”

- IT Governance Institute

Slide 166

Company A vs. Company B

Company A: Board members understand that information security is critical to the company and demand to be updated quarterly on security performance and breaches.
Company B: Board members do not understand that information security is in their realm of responsibility and focus solely on corporate governance and profits.

Company A: CEO, CFO, CIO and business unit managers participate in a risk management committee that meets each month, and information security is always one topic on the agenda to review.
Company B: CEO, CFO and business unit managers feel as though information security is the responsibility of the CIO, CISO and IT department and do not get involved.

Company A: Executive management sets an acceptable risk level that is the basis for the company's security policies and all security activities.
Company B: The CISO took some boilerplate security policies, inserted his company's name, then had the CEO sign them.

Company A: Executive management holds business unit managers responsible for carrying out risk management activities for their specific business units.
Company B: All security activity takes place within the security department, thus security works within a silo and is not integrated throughout the organization.

Slide 167

Company A vs. Company B (Cont.)

Company A: Critical business processes are documented along with the risks that are inherent at the different steps within the business processes.
Company B: Business processes are not documented and are not analyzed for potential risks that can affect operations, productivity, and profitability.

Company A: Employees are held accountable for any security breaches they participate in, either maliciously or accidentally.
Company B: Policies and standards are developed, but no enforcement or accountability practices have been envisioned or deployed.

Company A: Security products, managed services, and consultants are purchased and deployed in an informed manner. They are also constantly reviewed to ensure they are cost effective.
Company B: Security products, managed services, and consultants are purchased and deployed without any real research or performance metrics to be able to determine the return on investment or effectiveness. The company has a false sense of security because it is using products, consultants, and/or managed services.

Company A: The organization is continuing to review its business processes, including security, with the goal of continued improvement.
Company B: The organization does not analyze its performance for improvement, but does continually march forward and makes the same mistakes over and over again.

Slide 168

Security Program Components

- Policies
- Standards
- Baselines
- Guidelines
- Roles

Slide 169

Policy Framework

Slide 170

Policy Types
Organizational Policy
- Management's directives on the role of security within the company
- Organizational policy is created to address:
  - Business needs
  - Laws
  - Regulations
  - Standards of due care

Slide 171

Organizational Policy
Policy should have the following goals:
- Define the security program
- Set strategic directions
- Assign responsibilities
- Address all compliance issues
- Identify assets
- Provide personal responsibility
- Give authority
- Serve as a tool to resolve conflicts
- Define the security team
- Address exceptions and discipline

Slide 172

Policy Approved – Now What?


- Once policies are approved by the governing body, control objectives should be defined.
- The objectives of management are used as the framework for developing and implementing controls.
- What do we need our controls to do before we buy and/or implement them?

Slide 173

Issue-Specific Policies
Also called functional policies.

Issue-specific policies can be created for:
- Protection of confidential/proprietary information
- Unauthorized software
- Employees working from home
- Rights of privacy
- Responsibility for correctness of data
- Suspected malicious code
- Physical emergencies
- Risk management and contingency planning

Slide 174

ASP Policy Example

Source: www.sans.org
Slide 175

System-Specific Policies
Policy should have the following characteristics:
- Expresses management's decisions pertaining to systems
- Content is based on technical analysis of the stated systems
- Maps to specific system objectives and requirements
- Strictly enforced

Slide 176

System-Specific Policy
Concentrates directly on the use and maintenance of
computers and devices

Slide 177

Standards
Organizational Standards
 Compulsory rules
 Employee behavior
 Computer and device use

Organizational standards (not to be confused with American National
Standards, FIPS, Federal Standards, or other national or international
standards) specify uniform use of specific technologies, parameters, or
procedures when such uniform use will benefit an organization.
Standardization of organization-wide identification badges is a typical
example, providing ease of employee mobility and automation of
entry/exit systems.
- NIST

Slide 178

Standard Example

Slide 179

Baseline
Baselines
 A minimum level of security required
 Abstraction of the standards
 Ensure acceptable risk level is met
 Required configuration of systems
 Metrics representation
    Unauthorized access incidents
    Unpatched systems
    Users with too much access

Slide 180

Data Collection for Metrics

The data collected from systems (patch status, access rights, incident
counts) is compared against the established baselines to validate
compliance.
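As an added illustration of the baseline-versus-collected-data comparison described above (this is example code, not material from the course or from Logical Security), the following Python script defines a hypothetical organisational baseline, a constructed inventory of three hosts as an assumed scanning tool might report them, and the comparison that produces the three metrics named on the Baseline slide: unpatched systems, users with too much access, and unauthorized access incidents. The threshold values, setting names and host records are all invented for the example.

```python
"""Baseline compliance check over a constructed host inventory (example only)."""
from dataclasses import dataclass
from datetime import date

# Hypothetical organisational baseline: the minimum configuration every
# server must meet. Thresholds and setting names are illustrative, not
# taken from any published standard.
BASELINE = {
    "max_patch_age_days": 30,               # newest patch must be no older than this
    "max_admin_accounts": 2,                # root-capable accounts allowed per host
    "max_unauthorized_access_events": 0,    # per reporting period
    "required_settings": {                  # key/value pairs that must match exactly
        "ssh.PermitRootLogin": "no",
        "password.min_length": "12",
        "audit.enabled": "yes",
    },
}


@dataclass
class HostRecord:
    """Data collected from one host by an assumed inventory/scanning tool."""
    name: str
    last_patch: date
    admin_accounts: list
    settings: dict
    unauthorized_access_events: int = 0


@dataclass
class Finding:
    """One deviation of a host from the baseline."""
    host: str
    metric: str
    observed: object
    expected: object

    def __str__(self):
        return f"{self.host}: {self.metric} observed={self.observed!r} expected={self.expected!r}"


def evaluate_host(host, baseline, as_of):
    """Compare one host's collected data against the baseline; return its deviations."""
    findings = []
    patch_age = (as_of - host.last_patch).days
    if patch_age > baseline["max_patch_age_days"]:
        findings.append(Finding(host.name, "unpatched", patch_age,
                                f"<= {baseline['max_patch_age_days']} days"))
    if len(host.admin_accounts) > baseline["max_admin_accounts"]:
        findings.append(Finding(host.name, "excess_admin_access", sorted(host.admin_accounts),
                                f"<= {baseline['max_admin_accounts']} accounts"))
    if host.unauthorized_access_events > baseline["max_unauthorized_access_events"]:
        findings.append(Finding(host.name, "unauthorized_access", host.unauthorized_access_events,
                                baseline["max_unauthorized_access_events"]))
    for key, required in baseline["required_settings"].items():
        observed = host.settings.get(key)   # None: the setting was never collected, so it fails too
        if observed != required:
            findings.append(Finding(host.name, f"setting:{key}", observed, required))
    return findings


def compliance_report(hosts, baseline, as_of):
    """Aggregate per-host findings into the metrics the baseline slide names."""
    findings = [f for h in hosts for f in evaluate_host(h, baseline, as_of)]
    noncompliant = {f.host for f in findings}
    return {
        "hosts_total": len(hosts),
        "hosts_compliant": len(hosts) - len(noncompliant),
        "unpatched_systems": sum(1 for f in findings if f.metric == "unpatched"),
        "hosts_with_excess_access": sum(1 for f in findings if f.metric == "excess_admin_access"),
        "unauthorized_access_incidents": sum(h.unauthorized_access_events for h in hosts),
        "findings": findings,
    }


# Constructed sample inventory: not real hosts, dates chosen for the example.
SAMPLE_HOSTS = [
    HostRecord("web01", date(2024, 5, 20), ["root"],
               {"ssh.PermitRootLogin": "no", "password.min_length": "12", "audit.enabled": "yes"}),
    HostRecord("db01", date(2024, 3, 1), ["root", "dba", "backup"],
               {"ssh.PermitRootLogin": "yes", "password.min_length": "8", "audit.enabled": "yes"},
               unauthorized_access_events=3),
    HostRecord("app02", date(2024, 5, 25), ["root", "deploy"],
               {"ssh.PermitRootLogin": "no", "password.min_length": "12"}),   # audit setting missing
]
AS_OF = date(2024, 6, 1)

if __name__ == "__main__":
    report = compliance_report(SAMPLE_HOSTS, BASELINE, AS_OF)
    for finding in report["findings"]:
        print(finding)
    print({k: v for k, v in report.items() if k != "findings"})
```

With the sample data, web01 is fully compliant, db01 fails on patch age, admin count, incident count and two settings, and app02 fails only because the audit setting was never collected; treating a missing value as a failure rather than a pass is the important design choice, since an uncollected metric says nothing about compliance.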

Slide 181

Guidelines
Guidelines
 Recommendations on actions in different situations
 Operational guides where standards do not apply
 Industry or internal guidelines

Slide 182

Procedures
Procedures
 Detailed activities to be taken to achieve a specific task
 Step-by-step instructions
 Implementation of standards
 Standardization

Slide 183

Tying Them Together


 Policy = Unauthorized users should not have access to
sensitive data
 Standard = Users must be authorized with a smart card
and PIN before accessing the database
 Baseline = Number of unauthorized accesses allowed
 Guideline = Explanation of identification and authorization
and smart card use
 Procedures = How to configure the database

Slide 184

Program Support

Slide 185

Entity Relationships

Slide 186

Senior Management’s Role


Senior Management
 Defines the scope, objectives, priorities, and strategies of the
company’s security program
 Provides vision, funds, visibility, and enforcement
 Ultimately liable
 Without management’s support, efforts can be doomed from the start

Slide 187

Security Roles

Data Owner
 Responsible for subset(s) of data and data classification
 Sets security requirements for data protection
 Usually process owners or business VPs or department heads
 Business accountability
 Not IT’s job

Slide 188

Custodian
Custodian
 Is delegated data maintenance tasks
 Required to implement and maintain controls to provide the
protection level dictated by data owner
 Usually technical security staff or IT

Slide 189

Auditor
 Provides independent assurance to management and
shareholders on the appropriateness of security objectives
 Determines if controls (administrative, technical, physical)
comply with security objectives
 Internal and external auditing
 Third-party reviews

Slide 190

Access

“Who determines the level of access employees have,
who configures the technology, and who validates it all?”

Response: “Fred, the IT guy.”

Slide 191

Information Classification

Slide 192

Information Classification Program


Classification goals
 Availability, integrity, and confidentiality are provided at the
necessary levels for all identified assets
 Return on investment by implementing controls where they are
needed the most
 Map data protection levels with organizational needs
 Mitigate threats of unauthorized access and disclosure
 Comply with legal and regulatory requirements
 Maintain competitive status

Slide 193

Data Leakage
Data is the gold of our times that must be protected.

Slide 194

Do You Want to End Up in the News?

Slide 195

Types of Classification Levels

Commercial                  Military
 Confidential              Top secret
 Private                   Secret
 Sensitive                 Confidential
 For internal use only     Sensitive but unclassified
 Public                    Unclassified

Companies need to decide what levels they will use and
what those levels mean.
Slide 196

Data Protection Levels

Slide 197

Classification Program Steps


1. Compile an inventory of all information assets
2. Define levels of protection for information assets
3. Define classification criteria
4. Develop information classification policy
5. Define information handling and labeling procedures
6. Assign responsibility for classification to the owner of
information
7. Assign a security classification to all information assets
8. Classify information according to sensitivity and how much
protection is required
9. Integrate into security awareness and training programs

Slide 198

Information Classification Components
A policy should outline:
 Information as an asset of individual business units
 Declare business unit managers as information owners
 Declare IT as data custodians
 Classification scheme
 Definitions for each classification
 Criteria for each classification
 Roles and responsibilities of classification

Slide 199

Procedures and Guidelines


Procedures and guidelines should outline:
 How to classify information
 How to change classification level if needed
 How to communicate classification change to IT
 How to declassify and destroy material
 Periodic review of:
    Current classification levels and mapping to business needs
    Current access rights and privileges
    Protection levels that current controls are providing

Slide 200

Classification Levels
Once the organization understands the different levels of
protection that must be provided, it can develop the
necessary classification levels.

 Too many classification levels are impractical and add
confusion.
 Too few classification levels give the perception of little
value and use.
 There should be no overlap between classification
levels.
 Classification levels should be developed for data and
software.

Slide 201

Information Classification Criteria


Criteria Items
 Usefulness and value of information
 How long information will hold this
protection requirement
 The level of damage possible if the
data was disclosed, modified, or
corrupted
 Laws, regulations, or liability
responsibilities pertaining to the data
 Lost opportunity costs

Slide 202

Criteria Example

Slide 203

Or Not

Slide 204

Information Owner Requirements


To properly classify information, the information owner must:
 Understand the organization’s classification scheme and criteria
 Be familiar with legal and regulatory requirements
 Carry out classification processes in a consistent manner
 Have classification processes reviewed and monitored
 Carry out declassifying procedures when necessary

Slide 205

Clearly Labeled

• All classified items need to be clearly labeled
• Handling procedures are needed for data in different formats (paper, digital, video, audio, facsimile)
• Marking should be on the cover and inside of documents
• Magnetic or optical media must be labeled

Slide 206

Testing Classification Program

• Are documents in open view?
• Is sensitive information viewable on computer screens?
• Is data physically protected and not just logically protected?
• How is sensitive data destroyed?
• Review users' access levels
• Review an information flow matrix
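The last two review items (users' access levels and the information flow matrix) can be scripted against an inventory of labeled documents and account clearances. The following is an added example, not part of the course material: it assumes a four-level classification scheme and a constructed inventory, builds the flow matrix (which clearances may read which labels), and reports unlabeled documents, accounts reading above their clearance, and ACL entries that still point at terminated or unknown accounts.

```python
from dataclasses import dataclass, field
from typing import Optional

# Classification scheme assumed for this example (constructed; lowest to highest).
LEVELS = ["public", "internal", "confidential", "secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class Document:
    name: str
    label: Optional[str]                        # None models an unlabeled item
    readers: set = field(default_factory=set)   # account names on its ACL


@dataclass
class Account:
    user: str
    clearance: str
    enabled: bool = True                        # False once the user is terminated


def flow_matrix(levels=LEVELS):
    """Information flow matrix: matrix[clearance][label] is True when a subject
    holding `clearance` may read an object carrying `label` (no read-up)."""
    return {c: {l: RANK[c] >= RANK[l] for l in levels} for c in levels}


def audit(docs, accounts):
    """Review access levels against labels. Returns (finding, document, user)
    tuples; user is None for document-level findings."""
    matrix = flow_matrix()
    by_user = {a.user: a for a in accounts}
    findings = []
    for d in docs:
        if d.label not in RANK:                 # missing or unknown label
            findings.append(("unlabeled", d.name, None))
            continue
        for u in sorted(d.readers):
            acct = by_user.get(u)
            if acct is None:
                findings.append(("unknown-account", d.name, u))
            elif not acct.enabled:
                findings.append(("disabled-account", d.name, u))
            elif not matrix[acct.clearance][d.label]:
                findings.append(("read-up", d.name, u))
    return findings


# Constructed sample inventory (not real data).
ACCOUNTS = [
    Account("alice", "secret"),
    Account("bob", "internal"),
    Account("carol", "confidential"),
    Account("dave", "confidential", enabled=False),   # terminated, still on an ACL
]
DOCS = [
    Document("merger-plan.docx", "secret", {"alice", "bob"}),
    Document("hr-handbook.pdf", "internal", {"alice", "bob", "carol"}),
    Document("scan0042.tif", None, {"bob"}),
    Document("salary-table.xlsx", "confidential", {"carol", "dave", "erin"}),
]

if __name__ == "__main__":
    for kind, doc, user in audit(DOCS, ACCOUNTS):
        print(f"{kind:16} {doc:20} {user or '-'}")
```

Each finding maps back to a review item on the slide: "unlabeled" to the labeling requirement, "read-up" to users' access levels, and "disabled-account" to the account-disabling step in the termination procedures.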

Slide 207

Who Is Always Causing Problems?

Not birds
– PEOPLE are always a security headache.

Slide 208

Employee Management

• Hiring and Firing
• Termination
• Training

Slide 209

Employee Management
• Weakest link in security is people
• 80/20 rule
• Proper management of employees is very important
• Communication structure needs to be in place
• Constructing and enforcing policies
• Culture

Slide 210

Employee Position and Management

Employee Management
• Position definition
• Determining position sensitivity
• Filling the position: screening and selecting
• Employee training and awareness
• User account management
• Audit and management reviews
• Detecting unauthorized/illegal activities
• Temporary assignments and in-house transfers

Slide 211

Hiring and Firing Issues

• Pre-employment
  – Background check
  – Drug screening
  – Security clearance
  – Credit check
• Termination Procedures
  – Complete an exit interview
  – Review the non-disclosure agreement
  – Individual must be immediately escorted out of the facility
  – Individual must surrender ID badges, keys, and company assets
  – User's accounts must be disabled
  – User's passwords must be changed

Slide 212

A Few More Items

• When hiring, be alert to future checks that may be necessary if the individual moves to a higher classification level in the company.
• Hiring and firing practices should follow pre-determined checklists developed by HR.

Slide 213

Unfriendly Termination
Security and Safety Steps
1. System access should be terminated as quickly as possible.
2. System access should be removed at the same time (or just
before) the employees are notified of their dismissal.
3. System access should be immediately terminated.

Slide 214

Security Awareness and Training

Slide 215

Training Characteristics

                        Awareness                Training                      Education
Attribute:              "What"                   "How"                         "Why"
Level:                  Information              Knowledge                     Insight
Learning Objective:     Recognition and          Skill                         Understanding
                        Retention
Example Teaching        Media:                   Practical Instruction:        Theoretical Instruction:
Method:                 - Videos                 - Lecture and/or demo         - Seminar and discussion
                        - Newsletters            - Case study                  - Reading and study
                        - Posters                - Hands-on practice           - Research
Test Measure:           True/False,              Problem Solving, i.e.,        Essay
                        Multiple Choice          Recognition and Resolution    (Interpret learning)
                        (Identify learning)      (Apply learning)
Impact Timeframe:       Short-term               Intermediate                  Long-term
Slide 216

Awareness
Security Awareness Program
• Employees must know what's expected of them, as well as the ramifications of non-compliance
• This is part of due care and can be used in liability cases if not performed
• Banners, employee handbooks, posters
• Should be performed annually
• Policies, standards, baselines, guidelines
• Incident reporting, malware, social engineering, hazards
• Different training for different employee groups
  – Technical = IT
  – Liability, laws, regulations = management levels
  – Basic security and usability issues = users

Slide 217

Security Enforcement Issues

Importance
• Not just lip service
• Support directly from upper management
• Ensures required baseline of security is met
• Realized ramifications for actions

Slide 218

Answer This Question

A company needs to be concerned about an asset's reliability, confidentiality, and integrity. What is used to enforce the protection of integrity?

a. Controlling physical security
b. Using access controls
c. Enforcing the rules of confidentiality
d. Using logical security

Slide 219

Answer This Question

The risk management team's process for identifying, controlling, eliminating, and/or minimizing uncertain events can be assisted by what aid?

a. Qualitative risk assessment processes
b. Automated information system security tools
c. Internal security controls
d. Risk mitigation

Review Questions:

1. Which of the following is an example of an ultimate data owner?
A. Front-line employee
B. Customer accessing information via the extranet
C. IT administrator
D. CIO

2. What is the term that defines when senior management initiates and sponsors a
company's security program?
A. Bottom-up approach
B. Top-down approach
C. Steering committee
D. Middle-driven approach

3. Which of the following would not be part of an organizational security policy?
A. Security program goals
B. E-mail security policy
C. Responsibilities assignments
D. Enforcement information

4. A technique used in qualitative risk analysis that uses the anonymous opinions of
all individuals is called what?
A. Consensus approach
B. Delphi technique
C. Group mentality
D. Group discussion phase

5. Which of the following terms is a recommendation to an employee on how to act?
A. Baseline
B. Rule
C. Guideline
D. Standard

6. Which is not an example or characteristic of qualitative risk analysis?
A. Delphi technique
B. Storyboarding
C. SLE calculations
D. Opinion-based

7. A policy that is more technically focused and outlines the directives dictated by
management is which of the following?
A. System-specific
B. Technical-specific
C. Organizational
D. Issue-specific

8. Which is not an example of security awareness?
A. Security training
B. Security bulletin board notes
C. Security ACLs
D. Security objectives in an employee's performance review

9. A common omission in security programs by many companies is which of the
following?
A. Responsibility assignments
B. Penalties for non-compliance
C. Risk analysis
D. Awareness

10. What step should happen first when an employee is terminated if it is an
unfriendly separation?
A. Escorted off premises
B. Network and system access privileges removed
C. Facility ID badges handed out
D. Employee's personal items should be boxed

11. Third-party governance is used to accomplish what aspect of security?
A. Taking control of a third party's IT department
B. Ensuring that a third-party partner has met a certain level of compliance
and security
C. Allowing a third-party entity to take over security of your organization's IT
department
D. Hiring a contractor to do an internal audit

Answer Key:

1. D
The key here is the word ultimate. Employees and the administrator can be data owners
in some situations, but senior management is ultimately the owner of business-oriented
data. Data owners are legally bound to the protection of data within a company.
Because of this required responsibility, data owners should be members of senior
management. These individuals practice due care with data classifications and
associated security policies.

2. B
A top-down approach to security management is the ideal method because it is typically
more successful than the bottom-up approach. A top-down approach means that
management is driving a project, and bottom-up means that a lower level employee is
driving a project. The most important factor in security management is obtaining the
support of upper management.

3. B
An organizational security policy covers the entire program at a high level. Typically this
will cover how the program is set up, goals and objectives, who is responsible for what,
and how to enforce the policy. E-mail security would be an issue-specific policy.

4. B
In the qualitative risk analysis approach, the Delphi Technique is used to achieve
honest results by allowing the individuals to submit their opinions anonymously. This
technique is designed to allow people to submit their opinions without being influenced
by others.

5. C
Guidelines are used to provide employees with recommendations on how to perform
specific tasks. This is different than a standard, which is a rule that must be followed, or
a baseline, which is a minimal level of security.

6. C
Qualitative risk analysis does not focus on real-number calculations, but instead assigns
rankings to threats and countermeasures and focuses on judgment, intuition, and
experience. Single loss expectancy (SLE) is a method used in quantitative risk analysis.

7. A
System-specific policies are technical directives derived by management to protect
individual systems. They can outline how a system should be accessed or how users
should be trained on the use of a specific system.

8. C
Security awareness is a vital part of a successful security program. As its name states,
the goal is to make employees aware of the components of the security program.
Employees can be made aware in a variety of ways, such as e-mail, regular meetings,
training classes, or by having security-related tasks as part of their performance plans.
Access control lists (ACL) are security controls, but do not contribute to security
awareness.

9. B
A common mistake that many companies make is failing to include penalties in the
security program to be enforced if/when individuals do not comply with outlined
directives. As with any rule or law, without known consequences, it is unlikely that the
instruction will be followed. Security awareness is included in most security policies;
however, following through with the awareness objective is not as common.

10. B
The first step taken when an employee is terminated is to remove all network and
system privileges. The ex-employee could still remotely connect to a network and do
harm. Protecting the company’s assets should be the first step.

11. B
We need to make certain that working with a third party doesn't introduce new security
concerns, so we use third-party governance to verify the third party's compliance with
our security requirements.