ISA 562
ISA 562 Presentation Transcript

  • Information Security Management (CISSP Topic 1), ISA 562: Internet Security Theory and Practice
  • Course Outline
    • An introductory course at the graduate level
    • It covers the topics of
      • The CISSP exam at varying depth
      • But is NOT a CISSP course
    • Textbooks:
      • Matt Bishop: Computer Security Art and Science
      • Official ISC 2 Guide to the CISSP CBK
  • Objectives
    • Roles and responsibilities of individuals in a security program
    • Security planning in an organization
    • Security awareness in the organization
    • Differences between policies, standards, guidelines and procedures
    • Risk management practices and tools
  • Syllabus of the Course
    • Bishop’s book for the first part
    • Papers for some classes
    • ISC 2 book for the second part
    • Cover material relevant to the PhD qualifying examination in security
  • Introduction
    • Purpose of information security:
      • to protect an organization's information resources: data, hardware, and software.
    • To increase organizational success: information systems are critical assets supporting the organization's mission
  • Information Security TRIAD
    • The overarching goals of information security are addressed through the AIC triad: availability, integrity, and confidentiality.
  • IT Security Requirements - I
    • Security should be designed for two requirements:
    • Functional: define the behavior of the control (the means), based on risk assessment
      • Properties:
        • A control should not depend on another control
        • Why? Fail safe: security is maintained during a system failure
    • Assurance: provide confidence that security functions perform as expected.
      • Internal/external audit
      • Third-party reviews
      • Compliance with best practices
    • Examples
      • Functional: a network firewall that permits or denies traffic.
      • Assurance: logs are generated, monitored, and reviewed
  • Organizational & Business Requirements
    • Focus on organizational mission:
      • Business or goals driven
    • Depends on type of organization:
      • Military , Government, or Commercial.
    • Must be sensible and cost effective
      • The solution considers the mission and environment: a trade-off
  • IT Security Governance
    • Integral part of corporate governance:
      • Fully integrated into overall risk-based threat analysis
    • Ensure that IT infrastructure:
      • Meets all requirements.
      • Supports the strategies and objectives of the company.
      • Includes service level agreements [if outsourced].
  • Security Governance: Major parts
    • Leadership:
      • Security leaders must be part of the company leadership -- where they can be heard.
    • Structure:
      • occurs at many levels and should use a layered approach.
    • Processes:
      • follow internationally accepted “best practices”:
      • Job rotation, separation of duties, least privilege, mandatory vacations, etc.
      • Examples of standards : ISO 17799 & ISO 27001:2005
  • Security Blueprints
    • Provide a structure for organizing requirements and solutions.
      • Ensure that security is considered holistically.
    • To identify and design security requirements
  • Policy Overview
    • The operational environment is a web of laws, regulations, requirements, and agreements or contracts with partners and competitors
    • These change frequently and interact with each other
    • Management must develop and publish security statements addressing policies and supporting elements, such as standards, baselines, and guidelines.
  • Policy overview
  • Functions of Security policy
    • Provide Management Goals and Objectives in writing
    • Ensure Document compliance
    • Create a security culture
    • Anticipate and protect others from surprises
    • Establish the security activity/function
    • Hold individuals responsible and accountable
    • Address foreseeable conflicts
    • Make sure employees and contractors are aware of organizational policy and changes to it
    • Require incident response plan
    • Establish process for exception handling, rewards, and discipline
  • Policy Infrastructure
    • High-level policies are interpreted into functional policies.
    • Functional policies are derived from the overarching policy and create the foundation for procedures, standards, and baselines that accomplish the objectives
    • Policies gain credibility through top management buy-in.
  • Examples of Functional Policies
    • Data classification
    • Certification and accreditation
    • Access control
    • Outsourcing
    • Remote access
    • Acceptable mail and Internet usage
    • Privacy
    • Dissemination control
    • Sharing control
  • Policy Implementation
    • Standards, procedures, baselines, and guidelines turn management objectives and goals [functional policies] into enforceable actions for employees.
  • Standards and procedures
    • Standards (local): adoption of common hardware and software mechanisms and products throughout the enterprise.
        • Examples: desktop, anti-virus, firewall
    • Procedures: step-by-step actions that must be followed to accomplish a task.
    • Guidelines: recommendations for product implementations, procurement and planning, etc.
        • Examples: ISO 17799, Common Criteria, ITIL
  • Security Baselines
    • Benchmarks: ensure that a minimum level of security configuration is provided across implementations and systems.
      • Establish consistent implementation of security mechanisms.
      • Platform-unique
        • Examples: VPN setup, IDS configuration, password rules
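The baseline idea above (a minimum configuration that every system must meet, checked consistently across implementations) is easiest to see as a small compliance checker. The following is an added example, not code from the slides or the course: the password-rule baseline values, the setting names and the three sample host configurations are all constructed for illustration. It reports, per host, which settings fall short of the baseline and treats a missing setting as a deviation, since an unconfirmed setting cannot count as compliant.

```python
"""Security-baseline compliance check (constructed example, not from the course slides)."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    """One baseline rule: the setting it governs, a readable requirement and a predicate on the value."""
    setting: str
    requirement: str
    satisfied: Callable[[object], bool]


# Constructed password-rule baseline; the thresholds are illustrative assumptions, not the slides' values.
PASSWORD_BASELINE: List[Rule] = [
    Rule("min_length", "minimum length >= 12", lambda v: isinstance(v, int) and v >= 12),
    Rule("max_age_days", "maximum age <= 90 days", lambda v: isinstance(v, int) and 0 < v <= 90),
    Rule("lockout_threshold", "lockout after <= 10 failures", lambda v: isinstance(v, int) and 0 < v <= 10),
    Rule("history", "remember >= 5 previous passwords", lambda v: isinstance(v, int) and v >= 5),
    Rule("complexity", "complexity enforced", lambda v: v is True),
]


def check_host(config: Dict[str, object], baseline: List[Rule]) -> List[str]:
    """Return the list of baseline deviations for one host's configuration.

    A setting that is absent from the configuration is reported as a deviation:
    the baseline cannot be confirmed, so the host is not treated as compliant.
    """
    deviations: List[str] = []
    for rule in baseline:
        if rule.setting not in config:
            deviations.append(f"{rule.setting}: not set (requires {rule.requirement})")
        elif not rule.satisfied(config[rule.setting]):
            deviations.append(f"{rule.setting}={config[rule.setting]!r} violates: {rule.requirement}")
    return deviations


def check_fleet(hosts: Dict[str, Dict[str, object]], baseline: List[Rule]) -> Dict[str, List[str]]:
    """Map each host name to its deviations; an empty list means the host meets the baseline."""
    return {name: check_host(cfg, baseline) for name, cfg in hosts.items()}


def compliance_summary(results: Dict[str, List[str]]) -> Dict[str, int]:
    """Count compliant and non-compliant hosts for a management-level view."""
    total = len(results)
    compliant = sum(1 for devs in results.values() if not devs)
    return {"hosts": total, "compliant": compliant, "noncompliant": total - compliant}


# Constructed sample host configurations (assumed setting names, hypothetical host names).
SAMPLE_HOSTS: Dict[str, Dict[str, object]] = {
    "ws-01": {"min_length": 14, "max_age_days": 60, "lockout_threshold": 5, "history": 10, "complexity": True},
    "ws-02": {"min_length": 8, "max_age_days": 365, "lockout_threshold": 5, "history": 10, "complexity": True},
    # srv-01 has no lockout setting at all and complexity switched off.
    "srv-01": {"min_length": 14, "max_age_days": 60, "history": 10, "complexity": False},
}

if __name__ == "__main__":
    results = check_fleet(SAMPLE_HOSTS, PASSWORD_BASELINE)
    for host, devs in results.items():
        print(f"{host}: {'OK' if not devs else 'DEVIATION'}")
        for d in devs:
            print("    " + d)
    print(compliance_summary(results))
```

Run as written, ws-01 meets the baseline, ws-02 fails on length and maximum age, and srv-01 fails on the missing lockout setting and disabled complexity; the summary reports one compliant host out of three. Expressing each baseline item as a rule with its own predicate keeps the platform-specific thresholds in one place, which is what lets the same check be applied uniformly across many systems.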
  • Three levels of security planning
    • 1. Strategic: long-term
      • Focus on high-level, long-range organizational requirements
      • Example: overall security policy
    • 2. Tactical: medium-term
      • Focus on events that affect the whole organization
      • Example: functional plans
    • 3. Operational: short-term
      • Fight fires at the keyboard level, directly affecting how the organization accomplishes its objectives.
  • Organizational roles and responsibilities
    • Everyone has a role:
      • with responsibility clearly communicated and understood
    • Duties associated with the role must be assigned
        • Examples:
          • Securing email
          • Reviewing violation reports
          • Attending awareness training
  • Specific Roles and Responsibilities (duties)
    • Executive Management:
      • Publish and endorse security policy
      • Establish goals and objectives
      • State overall responsibility for asset protection.
    • IS security professionals:
      • Security design, implementation, management,
      • Review of organization security policies.
    • Owner:
      • Information classification
      • Set user access conditions
      • Decide on business continuity priorities
    • Custodian:
      • Entrusted with the security of the information
    • IS Auditor:
      • Audit assurance guarantees.
    • User:
      • Compliance with procedures and policies
  • Personnel Security: Hiring staff
    • Background check/security clearance
    • Check references/educational records
    • Sign employment agreement
      • Non-disclosure agreements
      • Non-compete agreements
    • Low-level checks
    • Consult with HR department
    • Termination/dismissal procedure
  • Third party considerations
    • Include:
      • Vendors/Suppliers
      • Contractors
      • Temporary Employees
      • Customers
    • Must establish procedures for these groups.