CISM Review
@NoisetierGlass

IAAA
Identification
Authentication – Type 1/2/3 (Something you know/ you have/ you are)
Authorization
Auditing

Biometrics Authentication
Type 1 Error – FRR, False Rejection Rate – a legitimate user is rejected (false negative); a usability problem
Type 2 Error – FAR, False Acceptance Rate – an impostor is accepted (false positive); the security-relevant error
CER, Crossover Error Rate (also EER) – the threshold setting at which FRR equals FAR; the sweet spot for comparing biometric systems, the lower the CER the more accurate the system
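
Added example, not part of the original notes: how FRR, FAR and the CER fall out of a single match-score threshold. The genuine and impostor score lists, the 0–100 score scale and the accept-if-score-at-or-above-threshold rule are constructed assumptions, not data from any real biometric product.

```python
"""Sweep a match-score threshold over constructed genuine and impostor scores,
compute FRR (Type 1) and FAR (Type 2) at each threshold, and locate the
crossover (CER/EER). Added example; scores and decision rule are assumptions."""

# Constructed similarity scores in [0, 100]; higher means the presented sample
# looks more like the enrolled template. Genuine attempts come from the enrolled
# user, impostor attempts from someone else.
GENUINE_SCORES = [55, 60, 62, 65, 68, 70, 72, 75, 78, 80, 82, 85, 88, 90, 95]
IMPOSTOR_SCORES = [10, 15, 20, 25, 30, 35, 40, 45, 50, 55, 58, 60, 65, 70, 75]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FRR, FAR) for the rule "accept if score >= threshold".

    FRR (Type 1 error): genuine attempts scoring below the threshold, i.e.
    legitimate users wrongly rejected.
    FAR (Type 2 error): impostor attempts scoring at or above the threshold,
    i.e. impostors wrongly accepted.
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES,
                         thresholds=range(0, 101)):
    """Sweep thresholds and return (threshold, FRR, FAR) at the point where
    |FRR - FAR| is smallest; that rate is the CER/EER used to compare systems."""
    best = None
    for t in thresholds:
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    _gap, t, frr, far = best
    return t, frr, far


def lowest_threshold_for_far(max_far, genuine=GENUINE_SCORES,
                             impostor=IMPOSTOR_SCORES, thresholds=range(0, 101)):
    """Security-sensitive deployments tune for a FAR ceiling rather than the
    CER. Return the lowest threshold whose FAR <= max_far together with the
    FRR users will have to live with at that setting, or None if unreachable."""
    for t in thresholds:
        frr, far = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t, frr
    return None


if __name__ == "__main__":
    t, frr, far = crossover_error_rate()
    print(f"CER at threshold {t}: FRR={frr:.3f} FAR={far:.3f}")
    t, frr = lowest_threshold_for_far(0.0)
    print(f"FAR=0 first reached at threshold {t}; FRR there is {frr:.3f}")
```

Moving the threshold up trades FAR for FRR: with these constructed scores the crossover sits at threshold 63 with both rates at 0.2, while forcing FAR to zero pushes the threshold to 76 and rejects more than half of genuine attempts. That is why the CER is used to compare systems but a deployment protecting something valuable is tuned for a low FAR and accepts the FRR cost.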

Digital Certificate
CA, RA, CRL, Registration Process

Information Security Governance


• Act of creating a plan on how the company will protect information and making sure everyone sticks to the plan
• Effectiveness to be measured by metrics
o METRICS should always be SMART
Specific, Measurable, Attainable, Relevant & Timely

Data Classifications
• Development of sensitivity labels for data and assignment of data to these defined sensitivity levels
• For the purpose of configuring baseline security (the minimum acceptable controls per level)

Data Classification Considerations


• Value of Assets
• Loss and impact if compromised
• Regulations and Laws
• Liabilities
• Customer Impact

• Acquisition cost/ replacement cost

Information Security Governance


• Establish/ maintain an Information Security Governance framework and
supporting processes to ensure the Information Security Strategy is aligned
with business objectives.

Information Security Governance Hierarchy (from top to bottom)

• Business Objective
• Information Security Strategy
o Roadmap and Priority
• Security Program
o Its control objectives
• Security Policy
• Standards, Procedures, Guidelines
• Controls & Processes

Metrics are used for measuring effectiveness of controls and processes, metrics will
feed into IS governance to ensure alignment is achieved.

Information Security Organization - Roles and Responsibilities
• Board of Directors
• Executive Management

They own and are liable for IS governance, they manage the information security of
an organization through “Hands-off management”

• Functional management, usually in the form of a security steering group

They operate according to the business objectives. They deliver the end results the Board of Directors/ Executive Management want to achieve

• Business Process Owners

They define the business function/ process. They grant access, revoke permissions and review privileges regularly.

• Data custodian

They make sure controls are configured.

• Data owners

They govern the use of data in context of business. They permit and grant access to
data in Information Systems. They make sure data is secured properly.

Security Policy Loop (diagram: a loop of Policy → Standards → Procedures → Guidelines)

• Policies are the high level and short statements that describe the acceptable risk an organization can tolerate
• Standards complement the policy and fill the gap with technologies, i.e. use Windows 10, Ubuntu 20 LTS etc.
• Guidelines are discretionary
• Procedures describe, step by step, how the business operates in line with the policy and standards

How do senior management manage Information Security risk?
(diagram: Controls → Audit → Dashboard → Assurance)

• Controls mitigate risk
• Audit checks whether controls are in place & configured exactly according to the specs
o DOES NOT mean the control is configured correctly for the risk; conformance to the spec is not the same as effectiveness
• Dashboard refers to the results/ findings/ metrics used to measure effectiveness of controls
• Assurance provides insights to management on the quality of service/ controls

Considering the effectiveness of IS governance


• Metrics
• Strategic Alignment e.g. Process Metrics
• Risk Management e.g. Risk is reduced to an acceptable level
• Performance Management e.g. time-sensitive metrics, system metrics
• Value Delivery e.g. program cost, cost-benefit analysis

Balanced Scorecard
• Determine the maturity of security program
• Financial, Customer, Internal Process, Innovation & Learning
• How are any of the above aligned to the business objectives?

Information Strategy Development
OBJECTIVES ESTABLISHMENT
• Strategic alignment
o Check with management “where do you want to go?”
• Effective Risk Management
o Check with management “which risk would you address first?”
o By considering follows:
▪ Resources you have
▪ Value Delivery (Cost-benefit Analysis)
▪ Optimization/ Priority
▪ Certification/ Assurance

GAP ANALYSIS
• Think about current level of risk and the desired state

ASSET CLASSIFICATION
• Are all information assets classified?
• Are all information assets attributed with owners?

CULTURE OF THE ORGANIZATION


• Management impacts Culture, Culture impacts Ethics, Ethics impact
Employee’s behaviour

BUSINESS IMPACT ANALYSIS


• What if x/y/z risk comes true?
• What if threats get exploited?

RISK ASSESSMENT
THREAT ASSESSMENT
REGULATORY REQUIREMENT
BUSINESS PROCESS & REQUIREMENT
A WAY TO FORMALLY ASSURE CONTROLS/ PROCESSES ARE RUNNING EFFECTIVELY

All of these contribute to the strategy development, and to the establishment of the security program and all policy documentation.

Metrics
Metrics are used to measure key process and determine whether strategies are
working.

• KPI – Key Performance Indicator


• KRI – Key Risk Indicator
• KGI – Key Goal Indicator

Metrics should be captured SMART, i.e. specific, measurable, attainable, relevant and
timely.

Information Security Strategy Planning


RISK AND THREAT ASSESSMENT +
OBJECTIVES ESTABLISHMENT (see Objectives Establishment above) +
BUSINESS ANALYSIS
By observing

• Existing/ previous strategy


• Documentations, e.g. existing policies, standards, guidelines, procedures
• Controls in place
• Risk Assessment, if any
• Audit findings, results and reports
• Metrics, if any
• Risk Registers
• Business decision records
• Security treatment decision records
• Incident Response program and records
• Business Continuity Plan, Disaster Recovery Plan
• Third-party risk analysis, if any
• Awareness training records and program details

Using analysis techniques, for example

• SWOT – Strength, Weakness, Opportunities and Threats


• CMMI Model to quantify maturity (the I/R/D/M/O mnemonic uses the older CMM level names; current CMMI names in brackets)
o Level 1 – Initial
o Level 2 – Repeatable (CMMI: Managed)
o Level 3 – Defined
o Level 4 – Managed (CMMI: Quantitatively Managed)
o Level 5 – Optimizing
• Compare current state to the desired state → Spirit of Gap Analysis

Security Strategy development and planning must be aligned to the business objective.

Next step of Strategy Planning


ROADMAP BUILDING
• List of steps (priority) to achieve objective

POLICY DEVELOPMENT
STANDARD DEVELOPMENTS

Business Case
Business cases are used to describe initiatives and their benefits. They are usually presented to senior management for funding requests.

In general, they contain:

• Objective/ Problem statement


• Current state of the situation
• Desired state
• Requirement based on needs and constraints
• Approach to solve the problem/ close the gap, recommended solution to
reach the desired state
• Evaluation, telling how cost-effective the proposition is
• Implementation plan i.e. how to achieve, resources/ cost needed to achieve

Risk Management
(diagram: a cycle of Risk Governance → Response → Evaluation)
Identification of credible threats and the means to decide what to do with the threats
Risk = Probability * Impact

OUTPUT OF RISK MANAGEMENT
• Lower probability of security incidents
• For those incidents that DO occur, the organization can be better prepared, hence the impact is lower

Developing Risk Management Strategy


OBSERVING AND DEFINING THE FOLLOWING
• Defining ‘acceptable level of risk’ *
o Risk Appetite
o Organization Ability to absorb loss
o Regulatory Requirement
• Culture *
• Management perspective *
• Scope of the strategy
o Which part of the organization will participate into the program?
• Internal and External Support

GAP ANALYSIS
• Compare current state of risk assessment and desired state

ASSET IDENTIFICATION AND VALUATION (see Asset Identification and Valuation below)

Without any of the above, an effective risk management strategy will not be
established.

Asset Identification and Valuation
1. Asset Classification
The activity in which the organization assigns an asset to a category that represents its usage and risk, considering:
• Value
• Operational criticality
• Accuracy & integrity requirement
• Sensitivity to business

2. Development of handling procedures for different protection labels/ levels
➔ Define instructions on how data should be protected when acquisition, storage, transmission and destruction take place

3. System classification
Classification should be done on all Information Systems.
Hardening guidelines/ standards should be developed to protect information systems.

ASSET VALUATION
• Qualitative, scoring from 1 → 10, or low → high
• Quantitative, value should be based on the impact to business

Risk Management Cycle
(diagram: a cycle of Risk Identification → Risk Analysis → Risk Treatment → Risk Communication)
TERMINOLOGY
THREAT is the action that causes harm to the Organization
VULNERABILITY is the weakness that allows a threat to occur
THREAT ACTOR is the entity, usually a person/ group, that causes the THREAT

RISK IDENTIFICATION
Risk can be identified from the following sources:

• Previous risk management report/ analysis
• Intelligence
• Identify risk from the vulnerabilities concluded in the asset classification phase
• Security Vulnerability Assessment

RISK ANALYSIS
• Finding out likelihood and impact
• Ranking the risk
• Ownership assignment

RISK TREATMENT
Treatment usually changes either or both of

• Likelihood, make the risk less likely to happen
• Impact, make the risk less “deadly”
• Operational efficiency, make the organization faster to respond to the risk

RISK COMMUNICATION
• Risk should be communicated with the business process owner, with one of the following options
o Risk Acceptance
o Risk Mitigation with compensating controls

o Risk Transfer
o Risk Avoidance
• The decision should be based on risk appetite, and cost-benefit analysis
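
Added example, not part of the original notes: a small risk register that scores Risk = Probability * Impact, ranks the entries, and chooses one of the four options above from a risk appetite threshold and a cost-benefit comparison of the candidate control. The register entries, the control costs, the owners and the single-number appetite are all constructed assumptions.

```python
"""Risk register: score Risk = Probability * Impact as expected annual loss,
rank the entries, and pick accept / mitigate / transfer / avoid using a risk
appetite threshold and a cost-benefit check. Added example; all figures are
constructed assumptions."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float            # cost of running the control each year
    residual_probability: float   # annual likelihood after the control
    residual_impact: float        # loss per occurrence after the control


@dataclass(frozen=True)
class Risk:
    rid: str
    description: str
    owner: str                    # business process owner who receives the decision
    probability: float            # annual likelihood, 0..1
    impact: float                 # loss per occurrence, in currency units
    control: Optional[Control] = None
    transferable: bool = False    # e.g. insurable or contractually shiftable


def exposure(probability: float, impact: float) -> float:
    """Risk = Probability * Impact, here read as expected loss per year."""
    return probability * impact


def rank(risks):
    """Highest inherent exposure first; this is the order the risks are worked."""
    return sorted(risks, key=lambda r: exposure(r.probability, r.impact), reverse=True)


def treat(risk: Risk, appetite: float):
    """Return (option, residual_exposure, rationale) for one register entry.

    appetite: the largest expected annual loss per risk the organization will
    carry untreated (an assumed single-number appetite).
    """
    inherent = exposure(risk.probability, risk.impact)
    if inherent <= appetite:
        return "accept", inherent, "inherent exposure is within risk appetite"
    if risk.control is not None:
        residual = exposure(risk.control.residual_probability,
                            risk.control.residual_impact)
        benefit = inherent - residual
        if benefit > risk.control.annual_cost:   # cost-benefit: reduction must exceed cost
            note = (f"{risk.control.name}: cuts exposure by {benefit:,.0f} "
                    f"for {risk.control.annual_cost:,.0f} a year")
            if residual > appetite:
                note += "; residual still above appetite, needs a further decision"
            return "mitigate", residual, note
    if risk.transferable:
        return "transfer", inherent, "control not cost-effective; shift the loss via insurance/ contract"
    return "avoid", 0.0, "no cost-effective control and not transferable; stop or redesign the activity"


def treatment_plan(risks, appetite):
    """Map each risk id to its chosen option, computed in ranked order."""
    return {r.rid: treat(r, appetite)[0] for r in rank(risks)}


# Constructed register entries (hypothetical systems and figures).
RISKS = [
    Risk("R1", "Ransomware encrypts the file servers", "Head of Operations",
         probability=0.30, impact=500_000,
         control=Control("Immutable offline backups + EDR", 60_000, 0.10, 100_000)),
    Risk("R2", "SaaS vendor outage longer than a day", "Sales Director",
         probability=0.50, impact=20_000),
    Risk("R3", "Data-centre flood", "Head of IT",
         probability=0.02, impact=3_000_000,
         control=Control("Relocate to a second data centre", 400_000, 0.005, 500_000),
         transferable=True),
    Risk("R4", "Internet-facing legacy app with an unpatchable RCE", "Finance Director",
         probability=0.60, impact=200_000),
]
APPETITE = 25_000  # assumed: expected annual loss per risk the business will carry


if __name__ == "__main__":
    for r in rank(RISKS):
        option, residual, why = treat(r, APPETITE)
        print(f"{r.rid} {exposure(r.probability, r.impact):>10,.0f} -> {option:<8} "
              f"(residual {residual:,.0f}) to {r.owner}: {why}")
```

With these inputs R1 is mitigated (a 140,000 reduction for a 60,000 control), R2 is accepted as inside appetite, R3 is transferred because the only control costs far more than the exposure it removes, and R4 is avoided because nothing cost-effective exists. The ranked order (R1, R4, R3, R2) is the list the business process owners are walked through.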

Third Party Risk Management


INITIAL ASSESSMENT
• Security requirements should be specified in the RFI/ RFP and addressed in the vendor's response

BEFORE SIGNING, A LEGAL AGREEMENT SHOULD BE ESTABLISHED

• Roles and Responsibilities should be clearly defined. Clauses regarding the right to audit, SLA, SoW and the agreed security controls should be in place.
• Questionnaires to be filled in to understand risk

TIERING & CLASSIFICATION


• Rank the third party service provider based on the service provided
• Periodically monitor and perform assessment to see if the risk has changed

CONTINUOUS MONITORING & ASSESSMENT


• Through review, security check and audits

SUGGEST MITIGATION TO REDUCE RISK WHERE NECESSARY

Risk Management in other areas of IT


• Software Engineering
o Threat modelling, e.g. STRIDE modelling
o Application scanning to look for vulnerability
o Penetration testing
• Change management
• Configuration management

Business Continuity Planning
Improve the chance of survival under a disaster without costly/ fatal consequences

BUSINESS CONTINUITY PLANNING PROCESS
(diagram: a cycle from assigning ownership, through BIA, criticality analysis, recovery planning and testing, with test results feeding back)

1. Assign ownership of the BCP program
2. Writing policy
▪ Scope
▪ Business alignment
▪ Controls used in BCP
3. Business Impact Analysis
▪ Inventory of the systems
▪ Statement of impact per system
▪ Determine targets, e.g. MTD/MTO (maximum tolerable downtime/ outage), RTO (recovery time objective), RPO (recovery point objective), RCapO (recovery capacity objective), RCO (recovery consistency objective)
4. Criticality Analysis
▪ Refer to the list of threats and identify the ones with potential
▪ Figure out likelihood
▪ Mitigating controls & costs
▪ If the controls are too pricey to implement, evaluate and implement changes in process and architecture to achieve the target
5. Develop Recovery Plans
▪ Think about initiation/ declaration of BCP… who and how?
▪ Steps to recover
▪ Roles and responsibilities
▪ Damage assessment etc.
6. Develop Recovery Teams
7. Recovery procedures and Training – how to restore at an alternative site?
8. Test
9. Test Results feed back into the BIA

BUSINESS CONTINUITY PLAN


A typical business continuity plan usually contains the following:

• Supporting Document, e.g. Scope


• Analysis Document – Threat/ Risk/ Criticality Assessment, BIA

• Response Document
o Recovery Plan
o Occupant emergency plan – physical security, human security comes
first!
o Emergency communication plan
o Contact list
o DR plan – usually for IT systems
o Incident Response plan – usually for cybersecurity incidents

Testing your Recovery & Continuity Plan


• Document Review
• Walkthrough
• Simulation – Table-top
• Parallel Test
• Cutover Test

The test results must be discussed and fed back into the BIA for continuous improvement.
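
Added example, not part of the original notes: a check that grades recovery-test results against the BIA targets (MTD, RTO, RPO) and flags targets that are inconsistent with each other, producing the list of gaps to feed back into the BIA. The systems, target values, backup intervals and test figures are constructed; the backup interval is an assumed input the BIA would record next to the targets.

```python
"""Check BIA recovery targets for internal consistency and grade recovery-test
results against them. Added example; systems and figures are constructed."""

from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Target:
    system: str
    mtd_hours: float              # Maximum Tolerable Downtime
    rto_hours: float              # Recovery Time Objective, must fit inside the MTD
    rpo_hours: float              # Recovery Point Objective: tolerable data-loss window
    backup_interval_hours: float  # how often restorable copies are taken (assumed input)


@dataclass(frozen=True)
class TestResult:
    system: str
    restore_hours: float          # time to bring the system up at the alternate site
    data_loss_hours: float        # age of the newest data that could be restored


def target_issues(t: Target) -> List[str]:
    """Problems visible from the targets alone, before any test is run."""
    issues = []
    if t.rto_hours > t.mtd_hours:
        issues.append(f"RTO {t.rto_hours}h exceeds MTD {t.mtd_hours}h")
    if t.backup_interval_hours > t.rpo_hours:
        issues.append(f"backup interval {t.backup_interval_hours}h cannot meet RPO {t.rpo_hours}h")
    return issues


def evaluate(targets: List[Target], results: List[TestResult]) -> Dict[str, List[str]]:
    """Map each system to its findings; an empty list means the test passed."""
    by_system = {r.system: r for r in results}
    findings = {}
    for t in targets:
        issues = target_issues(t)
        r = by_system.get(t.system)
        if r is None:
            issues.append("no recovery test result on record")
        else:
            if r.restore_hours > t.rto_hours:
                issues.append(f"restore took {r.restore_hours}h, RTO is {t.rto_hours}h")
            if r.data_loss_hours > t.rpo_hours:
                issues.append(f"lost {r.data_loss_hours}h of data, RPO is {t.rpo_hours}h")
        findings[t.system] = issues
    return findings


# Constructed BIA targets and cutover-test results for hypothetical systems.
TARGETS = [
    Target("payments", mtd_hours=8, rto_hours=4, rpo_hours=1, backup_interval_hours=0.5),
    Target("crm", mtd_hours=24, rto_hours=36, rpo_hours=4, backup_interval_hours=24),
    Target("hr-portal", mtd_hours=72, rto_hours=48, rpo_hours=24, backup_interval_hours=24),
]
RESULTS = [
    TestResult("payments", restore_hours=3, data_loss_hours=0.5),
    TestResult("crm", restore_hours=20, data_loss_hours=23),
]


if __name__ == "__main__":
    for system, issues in evaluate(TARGETS, RESULTS).items():
        print(system, "PASS" if not issues else "; ".join(issues))
```

The crm entry shows the two gaps a test alone would not surface: an RTO longer than the MTD is a target that can never be met, and a daily backup cannot deliver a four-hour RPO no matter how well the restore goes. A system with no test on record is reported as a gap rather than silently passed.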

Cyber Kill-chain
• Reconnaissance
• Weaponization
• Delivery
• Exploitation
• Installation
• Command & Control
• Actions on Objectives

Incident Response Process


• Planning
• Detection
• Initiation
• Analysis
• Containment
• Eradication
• Recovery

• Remediation
• Closure
• Post-incident Review
• Retention of Evidence

Preparation of Incident Response Plan


1. SCOPE & OBJECTIVE
2. UNDERSTANDING OF CURRENT STATE
o Make reference to the business objective as always
o Use CMMI-DEV levels (Initial, Managed, Defined, Quantitatively Managed, Optimizing; the I, R, D, M, O mnemonic uses the older CMM names) to describe current/ desired maturity

3. UNDERSTANDING RESOURCES NEEDED


o Personnel
o Tools
o Outsourcing IR / Managed Security Service Providers
o Threat-hunting capability
o External legal counsel

4. GAP ANALYSIS
5. PLAN WRITING
o Policy
o Playbooks
o Roles and Responsibilities
o Detection Capabilities
o Communications
o Incident Classifications
o Escalation Criteria

6. PLAN TEST
o Document Review
o Walkthrough
o Simulation
o Live-fire test

7. TRAININGS AND PREPARATIONS

Incident Response Process
(diagram: Detection → Initiation → Evaluation → Containment → Eradication → Recovery → Remediation → Closure → Post-Incident Review)

DETECTION
This phase is supported by multiple sources (logs, metrics, reports from users etc.). Higher event visibility drives down dwell time.

INITIATION
• Incident Responders declare the incident
• Formation of the Incident Response Team (IRT) and assignment of an incident commander, who coordinates the incident response

EVALUATION
• Incident ranking & classification
• Determine the need to notify senior management; this is usually based on the Information Security policy
• Determine the need to trigger legal proceedings; if so, chain of custody must be kept
• Consider the need to trigger DR/ BCP

CHAIN OF CUSTODY AND FORENSIC INVESTIGATION
• Identification
• Preservation
• Analysis
• Presentation
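
Added example, not part of the original notes: a tamper-evident chain-of-custody record for one piece of digital evidence. Each entry commits to the SHA-256 of the evidence taken at collection (preservation) and to the previous entry, so at presentation time one can show the evidence is unchanged and that no handover was altered, inserted or dropped. The evidence bytes, custodian names, evidence id and timestamps are constructed for the demo.

```python
"""Tamper-evident chain-of-custody log: every entry hashes the evidence and the
previous entry. Added example; evidence, names and timestamps are constructed."""

import hashlib
import json

GENESIS = "0" * 64   # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyChain:
    def __init__(self, evidence_id: str, evidence: bytes, collected_by: str,
                 when: str, note: str):
        self.evidence_id = evidence_id
        self.evidence_hash = sha256_hex(evidence)   # preservation: hash at seizure
        self.entries = []
        self._append("collected", collected_by, when, note)

    def _append(self, action, custodian, when, note):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "time": when,                 # ISO 8601 UTC, supplied by the caller
            "evidence_id": self.evidence_id,
            "evidence_hash": self.evidence_hash,
            "action": action,
            "custodian": custodian,
            "note": note,
            "prev_hash": prev,
        }
        # Canonical JSON (sorted keys) so verification re-serializes identically.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def handover(self, to_custodian, when, note):
        """Record a transfer of possession (e.g. responder -> evidence locker)."""
        return self._append("transferred", to_custodian, when, note)

    def verify(self, evidence: bytes):
        """Return (ok, reason): evidence still matches the hash taken at
        collection, and the log is an unbroken, unmodified hash chain."""
        if sha256_hex(evidence) != self.evidence_hash:
            return False, "evidence bytes do not match the hash recorded at collection"
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i:
                return False, f"sequence break at position {i}: entry {e['seq']}"
            if e["prev_hash"] != prev:
                return False, f"entry {i} does not chain to its predecessor"
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False, f"entry {i} was altered after it was written"
            prev = e["entry_hash"]
        return True, "chain intact"


# Constructed evidence: stands in for a disk image or memory capture.
DEMO_IMAGE = b"constructed disk image of host WS-042, not a real capture"


def demo_chain() -> CustodyChain:
    chain = CustodyChain("EV-2024-001", DEMO_IMAGE, "A. Responder",
                         "2024-03-01T09:15:00Z", "image taken with write blocker")
    chain.handover("Evidence locker", "2024-03-01T11:40:00Z", "sealed bag #17")
    chain.handover("B. Examiner", "2024-03-02T08:05:00Z", "checked out for analysis")
    return chain


if __name__ == "__main__":
    chain = demo_chain()
    print(chain.verify(DEMO_IMAGE))
    chain.entries[1]["note"] = "seal broken, resealed"   # an undocumented edit
    print(chain.verify(DEMO_IMAGE))
```

Analysis is done on a working copy; the original bytes are what verify() is run against when the evidence is presented. One caveat: dropping entries from the end of the log is only detectable if the last entry hash is also recorded somewhere the custodian cannot rewrite (a signed evidence register, a ticket), so record it there at each handover.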

CONTAINMENT
• Isolation of affected systems
• Creating backups of systems for forensic purposes

ERADICATION
• Root cause analysis is performed in this phase
• Removal of the agents/ factors that caused the incident
• Might rebuild the system from the latest known-good (pre-compromise) backup if confidence in the removal of the agents is not high

RECOVERY
• Recover damaged files
• Recover bare metal if necessary

REMEDIATION
• Remediation of any vulnerability that got exploited in the incident
• This should be done on ALL machines, not just the impacted ones

CLOSURE
• Archival of forensic evidence
• Archival of communication

POST-INCIDENT REVIEW
• Report to management what went well (and what did not)
• Suggest improvement items to existing procedures/ IRP
