Certified Information Security Manager (CISM)

Domain 3 - Information Security Program Development

Slide 1

Lesson 1: Development of the Information Security Program

- The information security program covers all of the activities and resources that provide information security
  - This could be a short-term project or a large multiyear endeavor
- Three important elements of a security program:
  - The program should be based on good information, integrated with the business objectives
  - Well designed, with management support
  - Quality metrics used for the design and implementation phases as well as for ongoing monitoring

Slide 2

Importance of the Program

- The goal of the strategy isn’t implementation and operation
- The security program is used to design security systems from build, deployment, modification and maintenance to the end of the lifecycle
- Any security program takes a great deal of planning and the use of expertise and resources

Slide 3

Outcomes of Security Program Development

- Strategic alignment
  - Aligned with business objectives
  - Communications and feedback
- Risk management
  - Maintaining acceptable levels
- Value delivery
- Resource management
  - People, technology, and processes
- Assurance process integration
- Performance measurement

Slide 4

Effective Information Security Program Development

- This includes the roles and responsibilities of executive management
- A matrix of outcomes and responsibilities that connects the program components with related activities
- All team members should work together and be made aware of the content of the information security program so they can coordinate with their respective areas

[Figure: cycle of program elements: Strategy, Compliance, Policy, Monitoring, Awareness, Implementation]

Slide 5

Cross-Organizational Responsibilities

Role                     | Responsibility                                                                                   | KPI
-------------------------|--------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------
Executive management     | Oversight and alignment                                                                          | Assigning responsibilities
Business risk management | IT risk assessment                                                                               | Prioritization of risks
Department manager       | Signoff and testing of security requirements, and determining access authorization               | Formal approval of security features as well as assigned access rights
IT operations management | Security monitoring; incident response; crisis management procedures; site inventory             | Identification of security incidents as well as proper response and recovery
Quality manager          | Security review; application security design; change control; management of security upgrades   | Creating security policy compliance; meeting business requirements for CIA; testing and application of security software fixes

Slide 6

Lesson 2: Information Security Program Development Concepts

- The information security manager must understand many management and process concepts, such as:
  - SDLC
  - Requirements
  - Specifications
  - Control, design, and development objectives
  - Implementing and testing controls
  - Monitoring and metrics
  - Architectures
  - Documentation
  - Quality assurance
  - Program management – budgeting, costing, and other financial issues
  - Risk management
  - Communications

Slide 7

Technology Resources

- Most resources will be a mix of technologies as well as processes, policies and people
- Examples of resources might be:
  - Firewalls and other security systems, including network devices or intrusion detection
  - Cryptographic techniques, such as PKI or digital signatures
  - Authentication options, such as multi-factor authentication
  - Application security methodologies
  - Web security
  - Compilation of logs
  - Vulnerability scans and penetration testing
  - Business continuity programs

Slide 8

Information Security Manager

- Good governance includes clearly defined roles and responsibilities
- The information security manager is included in the definition of responsibilities:
  - Meeting security objectives
  - Delegation of roles and responsibilities
  - Use of proper resources
  - Creating a set of monitoring and management metrics
  - Being a part of the top-down commitment

Slide 9

Lesson 3: Scope and Charter of Information Security Program Development

- Implementation of a security program will impact an organization’s normal way of doing business
- The extent of management support for implementing the strategy and the risk management activities determines the charter

Slide 10

Assurance Function Integration

- Any security program, to be effective, will include activities of many other departments’ functions
- Each department has its own vernacular; nevertheless, there must be some organization to the integration of the policy within the business
  - Even if one department does its own risk assessment for physical security, it would still have relevance to overall security, including information systems

Slide 11

Challenges in Developing an Information Security Program

- It takes a lot of cooperation to effectively put a program in place and measure its results
  - It’s not unusual for security program development to be impacted by people, process and policy issues that may be in conflict
  - Other issues may result in cost overruns, especially as unanticipated issues arise and new requirements come to light

Slide 12

Pitfalls

- Implementing a security program can encounter some resistance, such as:
  - Resistance to the changes
  - A perception that increased security could reduce the access required for job functions
  - Overreliance on subjective metrics
  - A failure of the strategy
  - Poor project management that may result in delays
  - Previously undetected or buggy software

Slide 13

Objectives of the Security Program

- One of the main objectives should be the implementation of the strategy in the most cost-effective manner possible, while minimizing the impact on business functions
- Whether the strategy has been developed at a detailed or a conceptual level, program development will need a lot of planning and design to turn it into project plans

Slide 14

Program Goals

- At a high level, a security program’s desired outcomes may include:
  - Strategic alignment
  - Risk management
  - Value delivery
  - Resource management
  - Assurance process integration
  - Performance measurement

Slide 15

The Steps of the Security Program

- Defining objectives
  - These should be clearly defined to help close the gap between the current state and the objectives
  - Residual risks
  - The desired state
  - The objectives could turn out to be more expensive or more time-consuming than planned

Slide 16

Defining the Roadmap

- A roadmap is needed so the information security manager doesn’t start off with a blank slate
- Being able to create a roadmap is an effective skill that helps the information security manager develop a program that leads to the desired state
- The roadmap should have:
  - Objective
  - Scope
  - Constraints
  - Approach
  - Result

Slide 17

Defining the Roadmap Continued

- Developing a roadmap should start with a review of the existing data, applications, systems, facilities and processes
  - A review objective is a statement of what is to be determined in the course of a review
- The objective defines the information that the security manager wants to get out of the review
- The scope refers to the mapping of the objective of the review to the item being reviewed; in a way, the review objective dictates the scope

Slide 18

Defining the Roadmap Continued

- Constraints are the situations within which the reviewer operates
- The approach is a set of activities that cover the scope in a way that meets the objective of the review within the given constraints
  - The main goal is to identify the best approach that has the fewest constraints
- The result is an assessment of whether the review objective was met, helping to answer the question “is this secure?”

Slide 19

Elements of the Roadmap

- Roadmaps are used to implement the information security strategy and must consider a number of factors. With a well-developed strategy, there should already be a high-level roadmap
  - Without a good strategy or risk objectives, there is a risk that nothing will be integrated or prioritized, resulting in a very poor security program

Slide 20

Elements of the Roadmap Continued

- Much of the security program will involve designing controls to meet the objectives and then deciding on a course of projects to implement, deploy and test those controls
  - Consideration should be given to the ability of the organization to absorb new security activities
- During the design of the security program, the manager should focus on the relationship between general and application-level controls
  - This may involve a step-by-step breakdown of interrelated activities that cover the infrastructure and operating environment as well as security measures

Slide 21

Elements of the Roadmap Continued

- General controls are activities that support the entire organization in a centralized fashion
  - The term general is used to describe controls over infrastructure that may operate in a shared environment
  - These controls can be managed by different groups, so the security manager must identify the roles and responsibilities for each

Slide 22

Elements of the Roadmap Continued

- Using the constraints of the roles and responsibilities, the information security manager should be able to identify key technology elements that facilitate the achievement of control objectives
  - These elements, if used centrally throughout the organization, will become part of the security architecture

Slide 23

Gap Analysis

- After the roles and responsibilities are properly established, an inventory should be taken of the required versus existing technology and processes
  - This inventory and analysis can identify where the control objectives are not adequately supported by controls
  - This information helps track progress towards achieving the security program goals
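The inventory of required versus existing controls that this slide describes, as an added Python example that is not part of the CISM material: the control objectives, required control ids, risk ratings and inventory statuses are constructed sample data, and the scoring rule (the fraction of required controls fully implemented, with gaps ordered by risk rating and then by coverage) is an assumption about how a security manager might record and prioritize the results.

```python
"""Gap analysis: control objectives versus the implemented control inventory.

Added example (not from the CISM slides). The objectives, controls and the
inventory below are constructed sample data; their structure is an assumption
about how a security manager might record them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlObjective:
    ident: str
    description: str
    required_controls: tuple  # control ids that must be in place
    risk_rating: int          # 1 (low) .. 5 (high), taken from the risk assessment


@dataclass
class Gap:
    objective: str
    missing: list             # required controls that are absent
    partial: list             # required controls only partially implemented
    coverage: float           # fraction of required controls fully in place
    risk_rating: int


# Constructed sample: required technology and processes per objective.
OBJECTIVES = (
    ControlObjective("CO-1", "Prevent unauthorised remote access",
                     ("MFA", "VPN", "ACCESS-REVIEW"), risk_rating=5),
    ControlObjective("CO-2", "Detect and respond to security incidents",
                     ("LOG-COLLECTION", "IDS", "IR-PLAN"), risk_rating=4),
    ControlObjective("CO-3", "Maintain business continuity",
                     ("BACKUP", "BCP"), risk_rating=3),
)

# Constructed sample inventory: control id -> status in the organization.
# Allowed statuses: "implemented", "partial", "absent"; anything not listed is absent.
INVENTORY = {
    "MFA": "implemented",
    "VPN": "implemented",
    "ACCESS-REVIEW": "partial",   # e.g. reviews run yearly while policy says quarterly
    "LOG-COLLECTION": "implemented",
    "IDS": "absent",
    "BACKUP": "implemented",
    "BCP": "implemented",
}


def analyse_gaps(objectives, inventory):
    """Return one Gap per objective that is not fully supported by controls.

    A control missing from the inventory is treated as absent. Gaps are
    sorted so that the highest-risk, least-covered objectives come first,
    which is the order in which the security manager should address them.
    """
    gaps = []
    for obj in objectives:
        missing, partial, in_place = [], [], 0
        for control in obj.required_controls:
            status = inventory.get(control, "absent")
            if status == "implemented":
                in_place += 1
            elif status == "partial":
                partial.append(control)
            else:
                missing.append(control)
        coverage = in_place / len(obj.required_controls)
        if missing or partial:
            gaps.append(Gap(obj.ident, missing, partial, coverage, obj.risk_rating))
    gaps.sort(key=lambda g: (-g.risk_rating, g.coverage))
    return gaps


def coverage_report(objectives, inventory):
    """Overall fraction of required controls that are fully implemented:
    a simple metric for tracking progress towards the program goals."""
    required = [c for obj in objectives for c in obj.required_controls]
    done = sum(1 for c in required if inventory.get(c) == "implemented")
    return done / len(required)


if __name__ == "__main__":
    for gap in analyse_gaps(OBJECTIVES, INVENTORY):
        print(f"{gap.objective} (risk {gap.risk_rating}, coverage {gap.coverage:.0%}): "
              f"missing={gap.missing} partial={gap.partial}")
    print(f"Overall control coverage: {coverage_report(OBJECTIVES, INVENTORY):.0%}")
```

Running the block lists CO-1 (an access-review control only partially in place) ahead of CO-2 (two detection and response controls absent) because its risk rating is higher, and reports overall coverage of 5 of 8 required controls; tracking that figure over successive inventories is one way to show the progress the slide refers to.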

Slide 24

Lesson 4: Information Security Program Resources

- Many resources are required to develop and implement a security program, and it’s important that the information security manager understands what those resources are and how they can be used
  - Resources are the mechanisms available, in some measure, that can help achieve the desired state of security

Slide 25

Resources

- Many resources have already been enumerated in other domains; examples of the resources are:
  - Policies, standards, procedures and guidelines
  - Architecture
  - Controls: physical, technical and procedural
  - Countermeasures and layered defenses as well as other technologies
  - Personnel and organizational structure
  - Skills and training, especially awareness and education
  - Threat and vulnerability assessments
  - Risk assessment and management

Slide 26

Documentation
 Existing policies, standards, procedures and guidelines are your primary
documentation; they can be resources as well as constraints
 Policies are often designed around regulatory requirements and typically list the
security requirements that align with the business needs

Slide 27

Enterprise Architecture
 As has been discussed earlier, there are many architectural approaches
that can be used for security
 The architectural approach is a newer idea, seen in the last 10 years; in a large
organization, security may therefore have evolved as an ongoing process of bits and
pieces that lacks the integration an architecture provides
 This can create a very complex situation to work with
 The goal of architecture is to define relationships between various business
attributes

Slide 28

Enterprise Architecture Continued
 The contextual architecture defines the relationship between various
business attributes
 For example, this would include the who, what, when, where and how
 The logical architecture describes the same elements in terms of
the relationship
 The physical layer identifies the relationships between the different
security mechanisms that execute the logical relationships
 Component architecture lists the actual devices and their
interconnections
 The operational architecture describes how security device delivery is
organized

Slide 29

Enterprise Architecture Continued
 There are a number of architectural approaches designed for the
enterprise, some of which deal partially with security or exclusively with
security
 The detailed discussion of these is outside the scope of this course, but they consist
of two basic categories
 Process models
 Framework models
 Basically, the architecture is tightly aligned with purpose, or linked to the business
objectives

Slide 30

Controls as Strategy Implementation Resources
 Controls are considered a regulatory device, system, procedure or
process that regulates some operational activity
 Remember that these exist as policies, procedures, practices, technologies and
organizational structures to meet the business objectives
 Security controls address people, technology, and processes
 Controls represent corrective or preventive actions, although they can also be
deterrent and detective

Slide 31

Controls as Strategy Implementation Resources Continued
 The categories of controls are:
 Deterrent
 Preventive
 Detective
 Corrective or compensatory
 Controls should be automated, making it technically infeasible to bypass
them

Slide 32

Common Control Practices
 Common control practices that make controls difficult to bypass are built on
principles such as:
 Logical access control – mandatory access control or discretionary access control
 Secure failure
 Least privilege
 Compartmentalization
 Segregation of duties
 Transparency
 Trust
 Trust no one

Slide 33

Countermeasures
 These are controls that are put in place to respond to a specific threat
 These too may be preventive, detective or corrective
 Countermeasures, like controls, are designed in response to a specific threat
 Not all countermeasures are technical in nature
 An example may be training about social engineering

Slide 34

Technologies
 The technology chosen to mitigate risk may be constrained by existing
legacy architecture
 These constraints can be minimized due to the wide range of technology alternatives

Slide 35

Technologies Continued
 Some common types of technology that can be used as design control points are:
 Access control lists
 Data loss prevention
 Content filtering
 Database management systems
 Encryption: symmetric or asymmetric
 Hashing
 OSI
 Operating systems
 Public/private key encryption
 Route filtering
 Traffic/packet filtering
 IP security

Slide 36

Personnel
 Personnel should have defined roles and responsibilities as well as an
inventory of their skills
 Roles: RACI (responsible, accountable, consulted, informed)
 There are charts that can be used to define the various roles associated with
developing an information security program
 Roles are often assigned to an individual by virtue of their job function

Slide 37

Personnel Continued
 Skills are the training, expertise and experience of the person
 These are often tied to a job function
 Skills can be gained through training or on-the-job experience
 Culture represents the organization’s behavior and often influences how
the work gets done
 One goal may be to build a security-aware culture

Slide 38

Security Awareness
 There should be an awareness of the risks and available safeguards, and this
awareness is often the first line of defense
 A good security program should consider the human element
 Awareness training should be available for all employees, contractors, and third parties

Slide 39

Awareness Topics
 Awareness training can vary but should include topics such as:
 Backing up files
 Good password security
 E-mail and web-based attacks
 Understanding social engineering
 Knowing how to report security incidents
 Securing information in all forms
 Detecting malware

Slide 40

Formal Audits
 Audits, like a security review, should have objectives, scope, constraints,
approach and results
 The audit approach identifies, evaluates and tests the controls and assesses their
effectiveness
 The goal is to test whether the control meets its stated objectives, that is, whether
it is in compliance with the policies and standards
 The audit documentation should verify the mapping of controls to objectives, how
the test is conducted, and the final assessment
 External audit frameworks and standards include COBIT and
ISO/IEC 27002

Slide 41

Compliance Enforcement
 Once a security program is implemented, there should be a plan to
check compliance enforcement
 Compliance enforcement refers to any activity that ensures compliance with the stated
objectives
 In some cases, a control may be chosen based on its ease of monitoring and
enforcement
 A complex control may actually pose more risk if its compliance cannot be monitored

Slide 42

Project Risk Analysis
 The project itself may have its own inherent risks
 Possible threats that could be found through all stages of
implementation might be:
 Unclear objectives
 Carelessness or mistakes
 Lack of training or good planning
 Insufficient resources
 Improper specifications
 Mistakes in execution
 Malicious actions

Slide 43

Other Actions
 Conducting a vulnerability analysis
 Risk and business impact assessment
 Resource dependency analysis
 Review of external security service providers (outsource or service
contract). Examples of these might be:
 Physical perimeter security
 BCP
 Penetration testing
 Audits
 Security reviews
 Forensics

Slide 44

Other Organizational Support
 Many other sources of information may be useful for a security manager
to integrate into their security program:
 Good practices organizations
 Security networking roundtables
 Security training organizations
 Vulnerability alerting services

Slide 45

Program Budgeting
 Budgeting is an important part of information security program
development and can be seen as a constraint on the program’s success
 The information security manager should be very familiar with the budgeting process
prior to the development of the program

Slide 46

Program Budgeting Continued
 Elements of each project that should be considered for cost might be:
 Ongoing operational costs
 Hardware and software subscription services
 Employee time
 Contracting or consulting fees
 Space and other environmental requirements
 Testing resources
 Documentation support
 Maintenance
 Unknown contingencies

Slide 47

Lesson 5: Implementing an Information Security Program
 The successful development and implementation of the information
security program will depend on some prerequisites such as:
 Defined and agreed upon objectives
 Resources required for the building blocks of the program
 Defined control objectives
 Security reviews and audits as well as gap analysis
 Management support

Slide 48

Policy Compliance
 Policies are the basis for accountability with regards to security
responsibilities
 Policies must be comprehensive enough to cover all situations, yet flexible enough to
allow different processes and procedures to evolve
 The security manager should make sure there are no “orphan” systems or systems
without policy compliance owners
 At times there may be exceptions to policy that should be well documented

Slide 49

Standards Compliance
 Standards supply the boundaries of options for systems, processes and
actions that enforce policy
 A standard should give some consistency to similar systems within the same domain
having similar configurations and operations
 When possible, compliance should be automated to avoid intentional or
unintentional activity that may deviate from the policies
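An added example, not from the CISM course material, of the automated standards-compliance check described above: a standard expressed as boundaries of allowed options, each setting mapped to one of the control objectives listed later in this domain, with the audit's control-to-objective mapping and the check for "orphan" systems without a compliance owner. The standard, the systems and every configuration value are constructed for illustration.

```python
"""Automated standards-compliance check (constructed example, not ISACA material)."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample standard. Each setting names the control objective it enforces
# and the boundary of acceptable values: a minimum, an allowed set, or an exact value.
STANDARD: Dict[str, Dict[str, Any]] = {
    "password_min_length": {"objective": "User account management", "min": 12},
    "tls_versions": {"objective": "Exchange of sensitive data",
                     "allowed": {"TLSv1.2", "TLSv1.3"}},
    "antimalware_enabled": {"objective": "Malicious software prevention, detection and correction",
                            "equals": True},
    "audit_logging": {"objective": "Security testing, surveillance and monitoring",
                      "equals": True},
}


@dataclass
class System:
    name: str
    owner: Optional[str]          # None means no compliance owner: an orphan system
    config: Dict[str, Any]        # the system's actual settings (constructed)


@dataclass
class Finding:
    system: str
    setting: str
    objective: str
    expected: str
    actual: str


def within_boundary(rule: Dict[str, Any], value: Any) -> bool:
    """True when the observed value lies inside the boundary the standard defines."""
    if "min" in rule:
        return isinstance(value, (int, float)) and value >= rule["min"]
    if "allowed" in rule:
        # A non-empty collection whose members are all permitted options.
        return isinstance(value, (list, set, tuple)) and bool(value) \
            and set(value) <= rule["allowed"]
    if "equals" in rule:
        return value == rule["equals"]
    raise ValueError(f"unknown rule shape: {rule}")


def describe(rule: Dict[str, Any]) -> str:
    """Human-readable statement of the boundary, for the audit record."""
    if "min" in rule:
        return f">= {rule['min']}"
    if "allowed" in rule:
        return "subset of {" + ", ".join(sorted(rule["allowed"])) + "}"
    return f"== {rule['equals']}"


def audit(systems: List[System],
          standard: Dict[str, Dict[str, Any]] = STANDARD) -> Tuple[List[Finding], List[str]]:
    """Evaluate every system against the standard.

    Returns the list of deviations (a missing setting is a deviation too) and the
    names of systems that have no compliance owner.
    """
    findings: List[Finding] = []
    orphans: List[str] = []
    for system in systems:
        if not system.owner:
            orphans.append(system.name)
        for setting, rule in standard.items():
            if setting not in system.config:
                findings.append(Finding(system.name, setting, rule["objective"],
                                        describe(rule), "<missing>"))
                continue
            value = system.config[setting]
            if not within_boundary(rule, value):
                findings.append(Finding(system.name, setting, rule["objective"],
                                        describe(rule), repr(value)))
    return findings, orphans


def status_by_objective(findings: List[Finding],
                        standard: Dict[str, Dict[str, Any]] = STANDARD) -> Dict[str, str]:
    """Map deviations back to control objectives, as audit documentation requires."""
    status = {rule["objective"]: "met" for rule in standard.values()}
    for finding in findings:
        status[finding.objective] = "not met"
    return status


# Constructed sample inventory: one compliant system and one legacy system with no owner.
SAMPLE_SYSTEMS = [
    System("hr-portal", "app-team-a", {
        "password_min_length": 14, "tls_versions": ["TLSv1.2", "TLSv1.3"],
        "antimalware_enabled": True, "audit_logging": True}),
    System("legacy-fileshare", None, {
        "password_min_length": 8, "tls_versions": ["TLSv1.0", "TLSv1.2"],
        "antimalware_enabled": True}),   # audit_logging not configured at all
]

if __name__ == "__main__":
    found, orphan_systems = audit(SAMPLE_SYSTEMS)
    for f in found:
        print(f"{f.system}: {f.setting} expected {f.expected}, got {f.actual} [{f.objective}]")
    print("orphan systems:", orphan_systems)
    print("objectives:", status_by_objective(found))
```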

Slide 50

Training and Education
 If any part of the security program depends on people, its roadmap should
include the training and education of those involved
 The training should educate employees about operational requirements and
the responsibilities of their activities
 People who understand why a policy is enforced are more motivated to
follow that policy

Slide 51

ISACA Control Objectives
 ISACA identifies 11 control objectives as the minimum controls needed to be in
place for system security:
 Management of IT security
 IT security plan
 Identity management
 User account management
 Security testing, surveillance and monitoring
 Security incident definition
 Protection of security technology
 Cryptographic management
 Malicious software prevention, detection and correction
 Network security
 Exchange of sensitive data

Slide 52

Third-party Service Providers


 A third-party service provider may provide
partial or complete business processes or
services
 As such they will require some level of access to the
organization’s networks and information systems
 The information security manager should ensure that appropriate policies, procedures and processes are designed to address the entire outsourcing lifecycle

Slide 53

Third-party Service Providers Continued


 The organization and third parties should commit to:
 Storing data securely
 Allocating appropriate resources to maintain security
 Taking responsibility for security rather than expecting the organization to supply additional safeguards
 Maintaining accountability within the service provider
 Maintaining all application security processes so they are transparent to customers
 Well-defined procedures for incident response
 A policy for data destruction and sanitization

Slide 54

Integration into Lifecycle Processes


 Security should be designed and built into the project management and system development lifecycle (SDLC) processes
 The security manager must remember that technology processes evolve as part of the SDLC
 There should be accountability for policy compliance through the change request process, by identifying where changes are initiated, funded and deployed

Slide 55

Monitoring and Communication


 There are many monitoring considerations that should be implemented
in this program regardless of the scope
 For example, changes or modifications of controls should be monitored to
determine if they are operating as intended
 This may involve reviewing logs or other alerts
 Key controls should be monitored in real time if possible

Slide 56

Documentation
 Documentation should accompany any security program
 Documentation should record changes at the various stages so that it stays current
 Some of the documentation might include:
 Program objectives
 The roadmap
 Business case
 Required resources
 Risks and controls – standards, procedures, guidelines
 Budgets
 System designs and architectures
 Project plans, milestones, timelines

Slide 57

The Plan of Action


 The gap analysis should have identified projects where improvements are needed
 Many of these projects could be technology implementations or reconfigurations to meet the stated objectives
 Each of these projects has a timeline, a budget and a measurable result

Slide 58

Plan of Action Continued


 The plan of action should encompass total quality management, which contains some of the following elements:
 Vision – a clear and compelling statement of the organization’s purpose
 Strategic objectives – a set of goals that move the organization towards the vision
 CSF (critical success factors) – the circumstances or events required to achieve the objectives
 KPI (key performance indicators) – concrete metrics to ensure that the CSFs are achieved
 Key actions – initiatives to be delivered to achieve the objectives and KGI (key goal indicators)

Slide 59

Lesson 6: Information Infrastructure and Architecture
 Infrastructure is the base or foundation on which information systems are deployed
 It may comprise computing platforms, networks and middleware layers for a wide variety of applications

Slide 60

Managing Complexity
 As business environments grow, many business processes and support functions must integrate seamlessly to be effective, which can be seen as increasing complexity
 Providing a framework and roadmap
 Architecture can act as a roadmap
 Simplicity and clarity through layering and modularization
 Business focus beyond the technical domain

Slide 61

Managing Complexity Continued


 Architecture and control objectives are
considered a combination of technologies to
provide control points within a system’s
infrastructure
 Some examples of architecture policy
domains would be:
 Database management systems
 Telecommunications
 Web application access

Slide 62

Objectives of Information Security Architectures
 The underlying idea for architectures is that the objectives of complex systems must:
 Be comprehensively defined
 Have precise specifications
 Have their structures engineered and tested for performance, fit and function
 Have their performance monitored or measured against the design objectives
 Little exists in the way of an overall, comprehensive enterprise security infrastructure, or of its management as it relates to the business objectives

Slide 63

Objectives of Information Security Architectures Continued
 The SABSA model has six layers that can assist in developing a model for enterprise architecture
 The business view – contextual security architecture
 The architect’s view – conceptual security architecture
 The designer’s view – logical security architecture
 The builder’s view – physical security architecture
 The tradesman’s view – component security architecture
 The facilities manager’s view – operational architecture

Slide 64

Physical and Environmental Controls


 The best technical security can be thwarted by a lack of good physical security
 If you can touch it, you own it – physical mechanisms can often override logical controls
 Physical controls can also mitigate damage to facilities and other resources caused by natural or technological events

Slide 65

Lesson 7: Information Security Program


 As an information security manager, there is no expectation that you are
directly configuring the processes involving security; rather, those
functions are assigned to other people within the organization
 The information security manager is available to close gaps between
business units within the organization that have responsibility for
different security controls
 As an example, working with procurement to purchase technologies that might need to be reviewed
 New IT projects supported by the business can also follow some type of system development lifecycle, into which the information security manager integrates security

Slide 66

Information Security Program Deployment Metrics
 In the development of an information security program, several metrics should be considered:
 Which metrics are necessary to track and guide program development
 Whether metrics will be needed for ongoing management results
 It may be useful to clarify the distinction between managing technical IT security systems at the operational level and the overall management of the information security program
 Remember that information security governance should have a set of goals for the information security program that are designed for the organization
 Metrics really serve just one purpose, which is decision support:
 Strategic metrics – a combination of management metrics used to validate that the program is on track and within budget
 Management metrics – used to manage the security program to the required levels of compliance
 Operational metrics – often technical metrics, such as vulnerability scan and patch management results

Slide 67

Metrics
 There are a number of other considerations for the creation of metrics; the essential attributes to be considered would be whether they are:
 Manageable
 Meaningful
 Actionable
 Unambiguous
 Reliable
 Timely
 Predictive

Slide 68

Strategic Alignment
 Remember that the alignment of security activities with the organizational objectives is essential in all phases of the security program
 One primary concern is whether the program objectives have materially changed
 Another concern is ensuring that changes or modifications to the strategic objectives are reflected in the security program objectives

Slide 69

Risk Management
 A lifecycle approach to risk management should be used, since program development risks differ from the strategic or ongoing management risks
 Risks related to program development are primarily treated as project risks
 The design risk is that the end result is not suitable for its intended purpose
 Project risk should always be considered as it relates to costs, timetables, resources and critical path matters

Slide 70

Value Delivery
 The security program is usually a series of
planned projects designed to improve the
quality of the overall program
 Standard metrics should be used to see if the program
is meeting the objectives and delivering the expected
value
 There should be a comparison of the budgeted cost of the work scheduled with the actual cost of the work performed

Slide 71

Resource Management
 Even with good processes for identifying and designating the technology, roles and responsibilities for program development, you are still required to make sure day-to-day operations work properly
 Metrics for resource utilization should be used to support efforts to maximize program development
 It may be helpful to gather historical data on resource dependencies that might affect the security program
 In managing resources, you should make sure that personnel who have a lead role have a backup who can perform the given function unassisted
 This is sometimes referred to as “cross-training”

Slide 72

Assurance Process Integration


 A security program should consider how it will interface with and
integrate into other assurance activities
 Examples might be:
 Physical security, IT security, legal, HR and privacy issues
 The development and implementation of the security program should provide
opportunities to hook into these departments

Slide 73

Performance Measurement
 There should be a means of gauging how effectively the performance measurements themselves reflect the performance of the various aspects of the security program
 You may find that some performance measurements are not adequate, accurate, reliable or timely
 Performance measurements should demonstrate whether the security program is working and achieving its objectives

Slide 74

Security Baselines
 Remember that a baseline is the lowest boundary of standards that
define the minimum required security for an enterprise
 A major part of the security program is made up of designing, developing and
implementing controls that conform to the standards and should meet the baselines
 A baseline can be used as a point of reference
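The baseline check and the monitoring of control changes described in the Monitoring and Communication and Security Baselines slides, as an added example that is not part of the course material: a constructed baseline of minimum settings, a conformance check against it, and a replay of change-log records that flags any change dropping a setting below the baseline, with key-control deviations marked for real-time alerting. The setting names, baseline values and change-log format are all constructed for illustration.

```python
"""Added example: checking a configuration against a security baseline and
monitoring control changes for drift. All data here is constructed."""
import json
from copy import deepcopy

# Constructed baseline: the minimum required settings (illustrative values,
# not a real standard). Each rule is (operator, required_value).
BASELINE = {
    "password_min_length": (">=", 12),
    "tls_min_version": (">=", 1.2),
    "remote_root_login": ("==", False),
    "audit_logging": ("==", True),
    "session_timeout_minutes": ("<=", 15),
}

# Key controls: deviations here should alert in real time rather than wait
# for the periodic log review.
KEY_CONTROLS = {"remote_root_login", "audit_logging"}

_OPS = {
    ">=": lambda actual, req: actual >= req,
    "<=": lambda actual, req: actual <= req,
    "==": lambda actual, req: actual == req,
}


def check_baseline(config):
    """Return a sorted list of (setting, actual, required) deviations.

    A setting missing from the configuration is reported with actual=None:
    an absent control cannot be assumed to meet the minimum.
    """
    deviations = []
    for setting, (op, required) in BASELINE.items():
        actual = config.get(setting)
        if actual is None or not _OPS[op](actual, required):
            deviations.append((setting, actual, required))
    return sorted(deviations)


def monitor_changes(config, change_log_lines):
    """Replay change-log entries against a configuration and alert on drift.

    Each line is a constructed JSON record:
    {"change_id": ..., "setting": ..., "new_value": ...}
    After each change the affected setting is re-checked against the baseline;
    a deviation in a key control is tagged REALTIME, any other one REVIEW.
    Returns the final configuration and the list of alerts.
    """
    config = deepcopy(config)  # never mutate the caller's copy
    alerts = []
    for line in change_log_lines:
        entry = json.loads(line)
        setting = entry["setting"]
        config[setting] = entry["new_value"]
        for dev_setting, actual, required in check_baseline(config):
            if dev_setting == setting:
                severity = "REALTIME" if setting in KEY_CONTROLS else "REVIEW"
                alerts.append((severity, entry["change_id"], setting, actual, required))
    return config, alerts


# Constructed starting configuration that meets the baseline.
COMPLIANT_CONFIG = {
    "password_min_length": 14,
    "tls_min_version": 1.2,
    "remote_root_login": False,
    "audit_logging": True,
    "session_timeout_minutes": 10,
}

# Constructed change log: a harmless change, one that weakens a key control,
# one that weakens an ordinary control, and one that restores the key control.
CHANGE_LOG = [
    '{"change_id": "CHG-1001", "setting": "session_timeout_minutes", "new_value": 15}',
    '{"change_id": "CHG-1002", "setting": "remote_root_login", "new_value": true}',
    '{"change_id": "CHG-1003", "setting": "password_min_length", "new_value": 8}',
    '{"change_id": "CHG-1004", "setting": "remote_root_login", "new_value": false}',
]

if __name__ == "__main__":
    final, alerts = monitor_changes(COMPLIANT_CONFIG, CHANGE_LOG)
    for alert in alerts:
        print(*alert)
    print("remaining deviations:", check_baseline(final))
```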

Review Questions:

1. Who is in the best position to develop the priorities and identify what risks and impacts
would occur if there were a loss or corruption of the organization's information
resources?
A. Internal auditors
B. Security management
C. Business process owners
D. External regulatory agencies

2. The single most important concept for an information security architect to keep in mind
is:
A. Plan-do-check-act
B. Confidentiality, integrity, availability
C. Prevention, detection, correction
D. Tone at the top

3. Which of the following is the best method of managing risk inherent to wireless
networks?
A. Require private, key-based encryption to connect to the wireless networks
B. Enable auditing on every host that connects to a wireless network
C. Require that every host that connects to this network have a well-tested recovery
plan
D. Enable auditing on every connection to the wireless network

4. Which of the following is the most important element of a successful security awareness
training program?
A. Providing metrics for measuring effectiveness
B. Customized content for the security awareness program
C. The level of technical detail in the awareness program
D. Mapping the awareness training to a recognized security standard

5. If an information security manager has the responsibility of application security review,
which of the following additional responsibilities present a conflict of interest in
performing the review?
A. Operating system recovery
B. Application administration
C. Network change control
D. Host-based intrusion detection

6. Access controls that fail secure are used when:
A. It is necessary to ensure user system access
B. The controls policy specifies the requirement
C. There is a business reason to limit impact
D. It is indicated by a cost-effectiveness analysis

7. Control policies addressing failure modes are a critical element to consider in security
architecture primarily because they:
A. Provide the requirements that mandate a number of architectural constraints
B. Provide an objective-oriented approach to overall control design
C. Express the systems' capabilities required to meet business objectives
D. Are sub-policies that must be implemented at the functional or operation level

Answer Key:

1. C
Business process owners are in the best position to judge the risks and impacts since
they are the most knowledgeable concerning their systems.

2. C
The architect is expected to have a set of requirements and must concentrate on tools
with which to build. These are mechanisms for prevention, detection, and correction.

3. A
Encryption is the only preventive control, and prevention is preferred over detection and
recovery.

4. B
Customizing the content for the security awareness program is necessary to ensure
alignment with the goals of the organization.

5. B
Of the job functions listed, only application administration is sufficiently close to
application security review that the outcome of a well-performed review could be
affected by potentially biased judgment about the competence of individuals in the
corresponding organization.

6. B
When a control such as a firewall fails (whether because of a software fault or an
attack), the default should be no access, as opposed to failing open. A firewall that
fails open no longer secures the network, whereas a firewall that fails secure blocks all
traffic. Failing secure can also cause an outage of network traffic; thus, when it should
occur is a feature that must be specified in the controls policy.

7. A
Control policy is one of the major requirements that architecture must address and is a
design constraint. Control objectives are broader than just failure modes, but may
include the requirements of behavior when they fail, which is only one aspect of design.
