CISSP Training
Pages 566-631
Tim Jensen
StaridLabs
Security Awareness Training
●Designed to tell why a policy exists
●Show practical examples and ways to identify
threats
●T...
Topics
● Corporate security policies
● Organization's security program
● Regulatory compliance requirements for the
organi...
Topics Cont'd
● Emergency Management (hazmat, biohaz, etc)
● Security incident response
● Data classification
● Informatio...
Topics Still Cont'd
● Appropriate computing resource use
● Proper care and handling of security
credentials (usernames, pa...
Teaching why policy is necessary
● Show real world examples of security failures
that could have been fixed with policy
● ...
Why are security policies important
● The end goal of security policies is to
protect:
● The organization
● The employees
...
Questions to answer in training
● How does all this security stuff affect my
job at the company?
● Do I have to do it?
● I...
What should I be looking for?
Awareness Activities
● Formal training courses
● Posters
● Business unit walk throughs
● Security articles/reminders on in...
Job Training
● Employees should be professionally trained
on the systems/processes they manage.
● Lack of training leads t...
Performance Metrics
● Consistent metrics allow for the
identification of security gaps, identify is
process improvements h...
Managing the Security Function
IS Security Officers
● The Information Security Officer is accountable for ensuring the
pro...
Bridging IT with Executives
● IS Security Officers translate threats based
on configuration/technoligies into:
● What is t...
Reporting
● Security officer should report as high in
the organization as possible to:
● Maintain visibility of the import...
Budget
● Security maintains it's own budget as
well as ensures each applicable
department's budget contains funds for
secu...
Work Metrics
● Automated metric systems should be implimented to rate the
day to day security and long term trends.
● Help...
Interdepartmental resources
● Buy doughnuts for:
● System Admins
● Database Admins
● Network Admins
● Privacy Officers
● C...
Strategic Planning
● Make 3-5 year plans
● Review annually or before
Tactical Plans
● 6-18 month plans for specific purposes:
reducing vulnerabilities, etc
Review Security Program
● Anaully review security program for
completeness and to identify gaps
Domain 4
Software Development Security
Jem Jensen
StaridLabs
Overview
● Planning, programming, and management of
software systems
● Includes both operating systems and
applications
● ...
Software Development Life Cycle
● SDLC is is project management process
used to plan, execute, and control a
software deve...
Basic SDLC Phases
● Project initiation and planning
● Functional requirements definition
● System design specifications
● ...
Project initiation and planning
● Vision, goal
● Proposed technical solution
● Documentation: charter, scope
● Include obj...
Project initiation and planning
● Security professional mental checklist:
● Is particular info sensitive? (alone or togeth...
Functional requirements definition
● Define end-user needs
● Formalize security requirements
● Often rolled-into project i...
System design specifications
● Design:
● System architecture
● System outputs
● System interface
● Security features
● Gen...
Development and implementation
● Generate:
● Source code
● Test cases
● Perform unit tests and functional tests
● Perform ...
Documentation and common
program controls
● Controls for editing data within the
program
● What types of logging the progr...
Acceptance
● Ideally, an independent group develops
test data and tests the code
● Should simulate live environment for
go...
Testing and Evaluation Controls
● Test data should include:
● Data at the ends of acceptable ranges
● Data beyond acceptab...
Testing and Evaluation Controls
● Never use production data
● Sanitize test data
● Test all changes
● Management should be...
Transition to Production
● Train new users
● Implement the system
● Installation
● Data conversions (if needed)
● Parallel...
Revisions
● Regular evaluation and audits
● Should incorporate security planning to
avoid future problems
● Document failu...
Maturity Models
● CMM
● Capability Maturity Model
● Framework to product higher quality
software products
● Continual opti...
Operation and Maintenance
● Monitor performance of the system
● Detect defects and weaknesses
● Verify changes don't impac...
Change Management
● Track changes in software and systems to
prevent unintended or unauthorized changes
● Should be a form...
CISSP Week 12
CISSP Week 12
CISSP Week 12
CISSP Week 12
Upcoming SlideShare
Loading in …5
×

CISSP Week 12

1,055 views

Published on

Published in: Education, Technology
0 Comments
8 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,055
On SlideShare
0
From Embeds
0
Number of Embeds
5
Actions
Shares
0
Downloads
206
Comments
0
Likes
8
Embeds 0
No embeds

No notes for slide

CISSP Week 12

  1. 1. CISSP Training Pages 566-631 Tim Jensen StaridLabs
  2. 2. Security Awareness Training ●Designed to tell why a policy exists ●Show practical examples and ways to identify threats ●Turn employees into human security sensors
  3. 3. Topics ● Corporate security policies ● Organization's security program ● Regulatory compliance requirements for the organization ● Social Engineering ● Business continuity ● Disaster Recovery
  4. 4. Topics Cont'd ● Emergency Management (hazmat, biohaz, etc) ● Security incident response ● Data classification ● Information labeling and handling ● Personnel security, safety, and soundness ● Physical Security
  5. 5. Topics Still Cont'd ● Appropriate computing resource use ● Proper care and handling of security credentials (usernames, passwords) ● Risk assessment ● Accidents, errors, or omissions
  6. 6. Teaching why policy is necessary ● Show real world examples of security failures that could have been fixed with policy ● Security teams identify risks to the company and create policies to mitigate just the risks present. Without policy every risk would have mitigation even if the risk didn't apply to the company/department
  7. 7. Why are security policies important ● The end goal of security policies is to protect: ● The organization ● The employees ● The Assets of the company ● (It's customers when possible)
  8. 8. Questions to answer in training ● How does all this security stuff affect my job at the company? ● Do I have to do it? ● If I don't do it, what are you going to do? ● All this security crap is just going to waste time and make my job harder!
  9. 9. What should I be looking for?
  10. 10. Awareness Activities ● Formal training courses ● Posters ● Business unit walk throughs ● Security articles/reminders on intranet ● Appointment of a 'security awareness mentor' ● Security Awareness Day – activies, prizes, recognition for winners ● Sponsor event with security organization (ISSA, ISACA, SANS, ISC2, Infragard, etc) ● Provide trinkets for the users within the organization that support security management principles ● Promote Security Awareness Week/month ● Provide security reference materials to employees (books, videos, websites)
  11. 11. Job Training ● Employees should be professionally trained on the systems/processes they manage. ● Lack of training leads to misconfigurations or process gaps which can lead to compromise ● It's the sign of a good employee to self learn. It's the sign of bad management to blindly trust that the employee is doing so. ● Vendor neutral vs vendor certifications
  12. 12. Performance Metrics ● Consistent metrics allow for the identification of security gaps, identify is process improvements helped or hurt, and identify non-compliance ● Can be walkthroughs, quizes, or etc
  13. 13. Managing the Security Function IS Security Officers ● The Information Security Officer is accountable for ensuring the protection of all of the business information assets from intentional and unintentional loss, disclosure, alteration, destruction, and unavailability. ● The security officer typically doesn't have the resources available to perform all of these functions and must depend on involvement from other departments/individuals ● Must keep up with emerging technologies and risks ● Security officers often operate CIRT teams ● Provides the leadership for the information security awareness program by ensuring that the program is delivered in a meaningful, understandable way to the intended audience.
  14. 14. Bridging IT with Executives ● IS Security Officers translate threats based on configuration/technoligies into: ● What is the real perceived threat? ● What is the risk (impact/probability) ● What is the cost of the safeguard? ● What will be the residual risk? ● How long will the project take (time, money, people, systems)
  15. 15. Reporting ● Security officer should report as high in the organization as possible to: ● Maintain visibility of the importance of security ● Limit the distortion or inaccurate translation of the message
  16. 16. Budget ● Security maintains it's own budget as well as ensures each applicable department's budget contains funds for security training/remediation
  17. 17. Work Metrics ● Automated metric systems should be implimented to rate the day to day security and long term trends. ● Helpdesk tickets/hour/day ● Inbound email/hour/day ● Outbound email/hour/day ● Inbound connections at border firewall – Packets dropped at border firewall – Packets dropped at internal firewall ● Employee hours spent on compliance reporting ● Report metrics – how effective is each report? Has it ever caught anything?
  18. 18. Interdepartmental resources ● Buy doughnuts for: ● System Admins ● Database Admins ● Network Admins ● Privacy Officers ● Compliance Officers ● Legal ● Law Enforcement ● QA testers ● Helpdesk ● Budget Officers ● Procurement Specialists ● Business Analysts ● Administrative Professionals ● Enterprise Architects ● Software Developers
  19. 19. Strategic Planning ● Make 3-5 year plans ● Review annually or before
  20. 20. Tactical Plans ● 6-18 month plans for specific purposes: reducing vulnerabilities, etc
  21. 21. Review Security Program ● Anaully review security program for completeness and to identify gaps
  22. 22. Domain 4 Software Development Security Jem Jensen StaridLabs
  23. 23. Overview ● Planning, programming, and management of software systems ● Includes both operating systems and applications ● Software is layered, kind of like networking ● Hardware, drivers, OS, utilities and applications
  24. 24. Software Development Life Cycle ● SDLC is is project management process used to plan, execute, and control a software development project ● Can differ from project to project ● Specific model should best fit the project
  25. 25. Basic SDLC Phases ● Project initiation and planning ● Functional requirements definition ● System design specifications ● Development and implementation ● Documentation and common program controls ● Acceptance ● Testing and evaluation control ● Transition to production
  26. 26. Project initiation and planning ● Vision, goal ● Proposed technical solution ● Documentation: charter, scope ● Include objectives, strategy, costs, time estimates, milestones ● Usually ends with management signoff on charter and/or scope
  27. 27. Project initiation and planning ● Security professional mental checklist: ● Is particular info sensitive? (alone or together) ● Has info owner determined the info value? ● Classifications/Categories? ● Is there a risk of sensitive info exposure? ● Will data be transmitted or stored in public? ● Are controlled areas required? ● What systems interconnect with this? ● How will this affect the org culture? ● Could the company become dependent upon it?
  28. 28. Functional requirements definition ● Define end-user needs ● Formalize security requirements ● Often rolled-into project initiation phase for small projects
  29. 29. System design specifications ● Design: ● System architecture ● System outputs ● System interface ● Security features ● Generally based on over-all architecture for the company
  30. 30. Development and implementation ● Generate: ● Source code ● Test cases ● Perform unit tests and functional tests ● Perform vulnerability analysis on code
  31. 31. Documentation and common program controls ● Controls for editing data within the program ● What types of logging the program does ● How program versions should be stored ● Tests and integrity checks
  32. 32. Acceptance ● Ideally, an independent group develops test data and tests the code ● Should simulate live environment for good tests ● Ensure the application meets security requirements and specifications
  33. 33. Testing and Evaluation Controls ● Test data should include: ● Data at the ends of acceptable ranges ● Data beyond acceptable bounds ● Various data points between acceptable range ● Random data ● Data validations – review data before and after each test to ensure data has not been changed inadvertently ● Bounds checking
  34. 34. Testing and Evaluation Controls ● Never use production data ● Sanitize test data ● Test all changes ● Management should be informed and sign off on testing results
  35. 35. Transition to Production ● Train new users ● Implement the system ● Installation ● Data conversions (if needed) ● Parallel operations (to reduce disruption)
  36. 36. Revisions ● Regular evaluation and audits ● Should incorporate security planning to avoid future problems ● Document failures ● Helps to justify future enhancements
  37. 37. Maturity Models ● CMM ● Capability Maturity Model ● Framework to product higher quality software products ● Continual optimization of processes ● ISO 9000?
  38. 38. Operation and Maintenance ● Monitor performance of the system ● Detect defects and weaknesses ● Verify changes don't impact existing functionality or circumvent security measures
  39. 39. Change Management ● Track changes in software and systems to prevent unintended or unauthorized changes ● Should be a formal cycle with planning, approval, testing, and documentation ● Patch management ● Should include testing and rollback features

×