Ch3 cism 2014

27-Feb-14
2
Copyright@2014 Al-Taysir for Information Systems Security Consulting LLC
 Introduction
 Information Security Program Development Overview
 Roles and Responsibilities
 Scope and Charter
 Information Security Program Development Objectives
 Defining an Information Security Program Roadmap
 Information Security Program Resources
 Implementing Information Security Program
 Information Infrastructure and Architecture
 Physical and Environmental Controls
 Information Security Program Metrics
 Summary

27-Feb-14
3
 Establish and manage the information security
program in alignment with the information
security strategy.
 The content area in this chapter will represent
approximately 25% of the CISM examination.
 Establish and maintain the information security program in
alignment with the information security strategy.
 Ensure alignment between the information security
program and other business functions (for example,
human resources [HR], accounting, procurement and IT) to
support integration with business processes.
 Identify, acquire, manage and define requirements for
internal and external resources to execute the information
security program.
 Establish and maintain information security architectures
(people, process, technology) to execute the information
security program.

27-Feb-14
4
 Establish, communicate and maintain organizational information
security standards, procedures, guidelines and other documentation to
support and guide compliance with information security policies.
 Establish and maintain a program for information security awareness
and training to promote a secure environment and an effective security
culture.
 Integrate information security requirements into organizational
processes (for example, change control, mergers and acquisitions,
development, business continuity, disaster recovery) to maintain the
organization’s security baseline.
 Integrate information security requirements into contracts and activities
of third parties (for example, joint ventures, outsourced providers,
business partners, customers) to maintain the organization’s security
baseline.
 Establish, monitor and periodically report program management and
operational metrics to evaluate the effectiveness and efficiency of the
information security program.
 Methods to align information security program
requirements with those of other business functions
 Methods to identify, acquire, manage and define
requirements for internal and external resources
 Information security technologies, emerging trends, (for
example, cloud computing, mobile computing) and
underlying concepts
 Methods to design information security controls
 Information security architectures (for example, people,
process, technology) and methods to apply them
 Methods to develop information security standards,
procedures and guidelines

27-Feb-14
5
 Methods to implement and communicate information
security policies, standards, procedures and guidelines
 Methods to establish and maintain effective information
security awareness and training programs
 Methods to integrate information security requirements
into organizational processes
 Methods to incorporate information security requirements
into contracts and third-party management processes
 Methods to design, implement and report operational
information security metrics
 Methods for testing the effectiveness and applicability of
information security controls

27-Feb-14
6
 The creation and maintenance of a program to
implement the information security strategy.
 The strategy is the approach to achieving the
objectives of information security that support
the business goals of the organization.
 Information security program management
includes directing, overseeing and monitoring
information-security-related activities in support
of organizational activities.
 In most organizations information security
management is seen as a technology-related
function, usually under IT
 Privacy and security of information is now a
significant market pressure within many industries
 Legal requirements in many countries now demand
 The protection of personal information
 Specific retention policies for certain types of information
 Public disclosure of diligence activities

27-Feb-14
7
 Achieving adequate levels of information security at
a reasonable cost requires thorough, efficient and
effective management.
 Properly designed, implemented and managed;
information security provides critical support for
many business functions that would not be feasible
without it.
 Provides executive management with:
 Ways to mitigate information risks
 A method to achieve organization goals and objectives
related to information security
 Many risk underwriters now value effective security
management programs so highly that they offer
discounts on insurance premiums if they find an
organization’s security program to be highly effective
 The importance of information security is broadly
recognized, but it is not ubiquitously supported
 The ISM should educate senior officers concerning
best practices in information security management
 Information risk control objectives, risk tolerance, mission-
critical functions and baseline security should be clearly
identified

27-Feb-14
8
 Security objectives must align with business
objectives and constraints
 Appropriate and sustainable baseline security
controls should be established and supported by
management
 Understanding that outstanding risk or threat situations,
at times, may create the need for additional control
investments
 The ISM should try hard to use information security
metrics that concisely demonstrate to management
the importance of information security
 Level 1 Control objectives have been documented in
a policy
 Level 2 Security control processes have been
documented in procedures
 Level 3 Supporting procedures have been
implemented (stakeholders have been made aware
and trained)
 Level 4 Policies, procedures and controls are tested
and reviewed to ensure continued adequacy
 Level 5 Procedures and controls are fully integrated
into the culture of the organization

27-Feb-14
9
 Strategic alignment
 Risk management
 Value delivery
 Resource management
 Performance
management
 Business process
assurance
Strategic alignment
Risk management
Value delivery
Resource
management
Assurance process
integration
Performance
measurement
 Long Term Goals (Strategic)
 Governance
 risk management
 Compliance
 Short Term Goals (Tactical)
 Short-term risk
 Threat intelligence
 Loss prevention
 Support of organizational initiatives

27-Feb-14
10
 The program adds tactical and strategic value to the
organization
 The program is being operated efficiently and with
concern to cost issues
 Management has a clear understanding of information
security drivers, activities, benefits and needs
 Information security knowledge and capabilities are
growing as a result of the program
 The program fosters cooperation and goodwill between
organizational units
 There is facilitation of information security stakeholder
and provider understanding of their roles, responsibilities
and expectations
 To ensure that the ISM understands the broad
requirements and activities required to create
and maintain a program to implement the
information security strategy to achieve business
objectives through a number of tasks utilizing the
ISM’s knowledge of people, process and
technology

27-Feb-14
11
 System Development Life Cycles (SDLC)
 Requirements development
 Specification development
 Control objectives
 Control design and
development
 Control implementation
and testing
 Control monitoring and
metrics
 Architectures
 Business Process
reengineering
 Documentation
 Risk assessment
 Risk management
 Quality assurance
 Project management
 Budgeting
 Deployment and
integration strategies
 Training needs
assessments and
approaches
 Communications
 Problem resolution
 Variance and
noncompliance resolution

27-Feb-14
12
 Technology itself is not a control—technology is used to
implement controls:
 It is important for an ISM to recognize where a given
technology fits into the basic prevention, detection and
recovery scheme
 There are numerous technologies relevant to security that
the ISM should be familiar with including:
 Firewalls
 Routers & switches
 IDS, NIDS, HIDS
 Cryptographic techniques (PKI, DES)
 Digital signatures
 Smart cards
 An information security program must execute
the information security strategy and mitigate
information and IT risk at a cost that does not
outweigh benefit
 Since IT security is an important component of
information security governance the goals of
information security and IT security must be
aligned

27-Feb-14
13
 The ISM must understand the governance
philosophy and strategic direction of the
organization to align information security
activities with business objectives

27-Feb-14
14
 High level of previously defined outcomes:
 Strategic alignment
 Risk management
 Value delivery
 Resource management
 Assurance process integration
 Performance measurement
 Building an information security program is often
a process of comparing existing organizational
activity to that which will accomplish
organizational security goals
 Setting up processes and projects that close the
gap is thus essential
 The basic work of an ISM is to
 Identify controls
 Create control activity
 Monitor control points in support of control objectives

27-Feb-14
15
 Residual risk is risk that remains after controls
have been implemented
 There will always be some residual risk because:
 There is no way to anticipate every event that may
cause damage
 Resources are limited
 The end goal of the ISM’s work is a state where
all KGIs have corresponding control objectives
that are supported by control activity that is
managed and measurable
 KPIs should also indicate value delivery, resource
management and performance measurement

27-Feb-14
16
 Programs are comprised of people, processes
and policies (PPP)
 Individuals whose activities impact the achievement
of objectives (people)
 The activity of those individuals and that of others
whose actions provide constraints on the activity
(process)
 The influences over the individual in the form of
legislative and ethical environment that affects their
decision making (policy)

27-Feb-14
17
 An ISM must attempt to integrate information
security policy into existing sets of people
following established processes and policies
using existing systems
 The ISM must also identify the technologies in
use that process the information covered by the
information security policy
 It is critical that an ISM understands that
effective security goes far beyond the scope of
information security activities
 Activities, disciplines and functions of other
departments have implications for information
security

27-Feb-14
18
 The process of setting a program in place and
measuring its results involves a great deal of
cooperation among everyone in an organization
who handles data
 Information security program development is not
usually hampered by technology choices
available, but rather by PPP issues that conflict
with program objectives

27-Feb-14
19
 Organizational resistance due to changes in areas
of responsibility introduced by the program
 A perception that increased security will reduce
access required for job functions
 Over reliance on subjective metrics
 Assumptions that procedures are followed
without confirming oversight
 Ineffective project management, delaying
security initiatives
 Previously undetected, broken or buggy software

27-Feb-14
20
 The ISM generally directs people, process and policy
to implement the information security program.
 The commitment and involvement of senior
management is necessary for any security program
to be successful.
 Senior manager commitment is vital:
 Must assign willing participants within their organizations
who can integrate the information security program into
their day-to-day operations
 A program in which senior managers simply rubber stamp
plans of the ISM is not effective because the program lacks
senior management oversight
 Acceptance and support for the strategy and the
objectives of the security program is the
responsibility of executive management –
without it success is unlikely

27-Feb-14
21
 Usually charged with security program development,
implementation and management.
 Ensure information security objectives are clearly stated
and those who are assigned security activities’
responsibilities understand their roles, and capable of
performing them and are accountable for results
 Develop information security program objectives
 Ensure accountability and responsibility for completing
each objective is assigned and understood
 Direct People, Processes and Policy (PPP) to affect the
information security program

27-Feb-14
22
 Information security responsibilities must be
distributed over a variety of job functions
 Almost everyone in an organization must have access
to the information that is required to perform their
job
 The ISM can set clear policy and assist in process
coordination, but management in all areas must
assist in providing oversight

27-Feb-14
23
 The main, overarching COBIT 5 product
 Contains the executive summary and the full
description of all of the COBIT 5 framework
components:
 The five COBIT 5 principles
 The seven COBIT 5 enablers plus
 An introduction to the implementation guidance provided
by ISACA (COBIT 5 Implementation)
 An introduction to the COBIT Assessment Programme (not
specific to COBIT 5) and the process capability approach
being adopted by ISACA for COBIT
46

27-Feb-14
24
Copyright@2014 Al-Taysir for Information Systems Security Consulting LLC 47
 Meeting Stakeholder Needs
 Covering the Enterprise End-to-end
 Applying a Single Integrated Framework
 Enabling a Holistic Approach
 Separating Governance From Management
48

27-Feb-14
25
 Enterprises exist to
create value for their
stakeholders.
49
 Enterprises have many stakeholders, and ‘creating value’
means different—and sometimes conflicting—things to
each of them.
 Governance is about negotiating and deciding amongst
different stakeholders’ value interests.
 The governance system should consider all stakeholders
when making benefit, resource and risk assessment
decisions.
 For each decision, the following can and should be asked:
 Who receives the benefits?
 Who bears the risk?
 What resources are required?
50

27-Feb-14
26
 Stakeholder needs have to
be transformed into an
enterprise’s practical
strategy.
 The COBIT 5 goals cascade
translates stakeholder
needs into specific,
practical and customised
goals within the context of
the enterprise,
IT-related goals and
enabler goals.
51
 Benefits of the COBIT 5 goals cascade:
 It allows the definition of priorities for implementation,
improvement and assurance of enterprise governance of IT
based on (strategic) objectives of the enterprise and the related
risk.
 In practice, the goals cascade:
 Defines relevant and tangible goals and objectives at various
levels of responsibility.
 Filters the knowledge base of COBIT 5, based on enterprise
goals to extract relevant guidance for inclusion in specific
implementation, improvement or assurance projects.
 Clearly identifies and communicates how (sometimes very
operational) enablers are important to achieve enterprise
goals.
52

27-Feb-14
27
 COBIT 5 addresses the governance and management of
information and related technology from an enterprise-
wide, end-to-end perspective.
 This means that COBIT 5:
 Integrates governance of enterprise IT into enterprise
governance, i.e., the governance system for enterprise IT
proposed by COBIT 5 integrates seamlessly in any governance
system because COBIT 5 aligns with the latest views on
governance.
 Covers all functions and processes within the enterprise; COBIT
5 does not focus only on the ‘IT function’, but treats
information and related technologies as assets that need to be
dealt with just like any other asset by everyone in the
enterprise.
53
 Key components of a
governance system
54

27-Feb-14
28
 COBIT 5 aligns with the latest relevant other
standards and frameworks used by enterprises:
 Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC
31000
 IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series,
TOGAF, PMBOK/PRINCE2, CMMI
 This allows the enterprise to use COBIT 5 as the
overarching governance and management
framework integrator.
 ISACA plans a capability to facilitate COBIT user
mapping of practices and activities to third-party
references.
55
 COBIT 5 enablers are:
 Factors that, individually and collectively, influence
whether something will work—in the case of COBIT,
governance and management over enterprise IT
 Driven by the goals cascade, i.e., higher-level IT-
related goals define what the different enablers
should achieve
 Described by the COBIT 5 framework in seven
categories
56

27-Feb-14
29
Copyright@2014 Al-Taysir for Information Systems Security Consulting LLC 57
 The COBIT 5 framework makes a clear distinction
between governance and management.
 These two disciplines:
 Encompass different types of activities
 Require different organisational structures
 Serve different purposes
 Governance—In most enterprises, governance is the
responsibility of the board of directors under the
leadership of the chairperson.
 Management—In most enterprises, management is
the responsibility of the executive management
under the leadership of the CEO.
58

27-Feb-14
30
Governance
 Ensures that stakeholders
needs, conditions and options
are evaluated to determine
balanced, agreed-on
enterprise objectives to be
achieved; setting direction
through prioritisation and
decision making; and
monitoring performance and
compliance against agreed-on
direction and objectives
(EDM).
Management
 Plans, builds, runs and
monitors activities in
alignment with the direction
set by the governance body to
achieve the enterprise
objectives (PBRM).
59
 COBIT 5 is not
prescriptive, but it
advocates that
organisations
implement governance
and management
processes such that the
key areas are covered,
as shown.
60

27-Feb-14
31
 Leverages the comprehensive view of COBIT 5 while
focusing on providing guidance for professionals involved
in maintaining the confidentiality, availability and integrity
of enterprise information.
 The framework provides tools to help understand, utilize,
implement and direct core information security related
activities and make more informed decisions.
 It enables information security professionals to effectively
communicate with business and IT leaders and manage
risk associated with information, including those related to
compliance, continuity, security and privacy.
 Updated in 2013
 4 Context of the organization
 4.1 Understanding the organization and its context
 4.2 Understanding the needs and expectations of interested parties
 4.3 Determining the scope of the information security management
system
 4.4 Information security management system
 5 Leadership
 5.1 Leadership and commitment
 5.2 Policy
 5.3 Organizational roles, responsibilities and authorities
 6 Planning
 6.1 Actions to address risks and opportunities
 6.2 Information security objectives and planning to achieve them

27-Feb-14
32
 7 Support
 7.1 Resources
 7.2 Competence
 7.3 Awareness
 7.4 Communication
 7.5 Documented information
 8 Operation
 8.1 Operational planning and control
 8.2 Information security risk assessment
 8.3 Information security risk treatment
 9 Performance evaluation
 9.1 Monitoring, measurement, analysis and evaluation
 9.2 Internal audit
 9.3 Management review
 10 Improvement
 10.1 Nonconformity and corrective action
 10.2 Continual improvement

27-Feb-14
33
 Conceptual representation of an information
security management structure that describes the
combination of technical, operational, management
and physical security controls in relation to the
organization’s technical and operational
environments
 Should fundamentally describe the information
security management components:
 Roles, policies, standard operating procedures,
management procedures, security architectures) and their
interactions
 Ongoing activities that must be completed to ensure
information security assurance
 Items:
 Standard operating procedures
 Business operations security practices
 Maintenance and administration of security technologies
(e.g., identity management, access control administration,
and security event monitoring and analysis)
 The ISM should determine the operational
components that are needed to implement policies
and standards
 Should subsequently plan for deployment, monitoring and
management of operational components

27-Feb-14
34
 Because many operational components to fall
outside of the information security domain (e.g.,
patching procedures), the ISM should leverage IT,
business units and other resources to ensure that
operational needs are thoroughly covered
 For each operational component, the ISM
should:
 Identify the component owner
 Collaborate to document key information needed for
effective fulfillment of the component
 Components:
 Requirement and policy establishment
 Strategic implementation activities
 Oversight of execution
 These are generally activities that take place less
frequently than operational components:
 Most often the responsibility of middle and senior
management
 Some issues, particularly those around oversight, can
escalate to the board level

27-Feb-14
35
 High-level management requirements and
policies are critical in shaping the rest of the
information security program
 The ISM must ensure that this process is executed
with appropriate consideration to legal, regulatory,
risk and resource issues
 Analysis of assets, threats, risks and organizational
impacts should inform the process of developing
policies and requirements
 The ISM should be flexible in making adjustments
to policies and objectives during the initial stages
of the program
 After requirements are established, the ISM must
develop strategies that
 Ensure that strategic decisions are made in support of
operational and technical implementation
 Address needs such as financial support, personnel
hiring, and establishing realistic timelines

27-Feb-14
36
 The ISM must ensure that these strategies
remain at a high enough level to avoid
unnecessarily constraining implementation
options while effectively communicating enough
detail to permit understanding of direction, goals
and constraints during implementation
 During development of operational and technical
program components, management oversight
ensuring fulfillment of requirements and
adhesion to strategic direction must occur
 Depending on the components involved,
management oversight forums might occur
monthly, quarterly or annually
 The ISM must establish:
 An appropriate frequency for oversight activities that
is driven by the rate of change in the involved program
 Channels outside of the established management
oversight process in the event that an issue is too
significant to wait

27-Feb-14
37
 Ensure that financial, HR and all management functions
are effective.
 Establish a working rapport with the organization’s:
 Finance department (because of changes in financial realities)
 HR (e.g., in adhering to established procedures)
 Larger information security management programs must
also develop efficient organizational structure with
appropriate layers of management and supervisory
personnel
 Effort management functions require the ISM to balance
project efforts and ongoing operational overhead with
staff headcount, utilization levels and external resources
 Because the optimal number of resources is
almost never available, efforts must be
prioritized
 The ISM should work with the steering committee and
executive management to determine priorities and to
establish consensus on what project items to delay
because of resource constraints
 Spikes in activity or unexpected project efforts can
often be addressed with third-party resources

27-Feb-14
38
 Document and ensure that executive management
understands the risk implications of moving an
initiative ahead without full security diligence
 It is up to executive management to decide if the initiative
is important enough to warrant the risk
 When occurs, the ISM should utilize the first available
opportunity to revisit uncertified systems or initiatives
 To ensure that the existing security environment
operates as needed, security operational resources
should only be diverted to project efforts if they are
not fully utilized
 Employee education and awareness regarding
security threats and practices that pertain to
employee responsibilities
 General organizational policies and procedures,
such as appropriate use policies and employee
monitoring policies, should be communicated
and administered at the organization’s HR level
 Collaborate with HR and business units to
identify information security education needs

27-Feb-14
39
 Though the key goals of strategic alignment, risk
management, value deliver, resource
management, assurance process integration and
performance measurement are universal, what
each means to a given organization needs to be
defined. To help in this process a roadmap can be
developed.

27-Feb-14
40
 Roles and responsibilities matrix
 An ISM must understand the general risk appetite of
an organization to determine whether gaps in an
information security program exist have reached
acceptable levels
 The Systems Development Life Cycle process that
allows a security “tollgate” review.
 Key criteria in selecting technical elements:
 Adoption of a security architecture
 The ability to formally delegate responsibility for operating
within it

27-Feb-14
41
 It is rare that an ISM begins information security
program development with a blank slate so it is
critical that the Ism be able to evaluate the security
level of the existing data, applications, systems,
facilities and processes
 All security reviews need to have:
 An objective
 A scope
 Constraints
 An approach
 A result
 Basis for an Action Plan
 Once organizational roles and responsibilities
appropriately established and inventory taken of
the required vs. existing technology and
processes, identify where control objectives are
not adequately supported by control activities
 The procedure for continuously monitoring
achievement of control objectives is established
 An initial information security program should evolve
and mature

27-Feb-14
42
 Infrastructure:
 the underlying base or foundation upon which information
systems are deployed
 Security infrastructure:
 the foundation that enables security resources to be
deployed
 When infrastructure is designed and implemented
consistent with policies and standards, the
infrastructure is said to be secure
 Information security architecture should be used to
achieve information security control objectives

27-Feb-14
43
 Providing a Framework and roadmap
 Architecture acts as a roadmap for projects and services
that must be integrated
 Simplicity and Clarity through Layering and
Modularization
 Information Systems architecture must take account of
▪ The goals that are to be achieved through the systems
▪ The environment in which the systems will be built and used
▪ The technical capabilities of the people to construct and operate
the systems and their component subsystems
 Business Focus Beyond the Technical Domain
 Architecture is concerned with more than technology.
 Objectives of complex systems must be
comprehensively defined, precise specifications
developed
 Their structures engineered and tested for form,
fit and function
 Their performance monitored and measured in
terms of the original design objectives and
specifications.

27-Feb-14
44
 SABSA
 Developed to address the need for overall comprehensive
model for information systems.
 Can utilize COBIT, ITIL and ISO/IEC 27001
 SABSA Six layers
 Contextual Security Architecture
 Conceptual Security Architecture
 Logical Security Architecture
 Physical Security Architecture
 Component Security Architecture
 Operational Security Architecture
 Given that input is the major source of damage to
most systems, all systems should have security
mechanisms to validate input
 Preventing harm due to unauthorized access is
fundamental to the security program
 Most system configurations have some type of access
control lists
 Information systems should be monitorable and
recoverable
 They should have logs that produce alerts
 Security mechanisms must result in ”defense in
depth”

27-Feb-14
45
 When gathering information used to make
architecture decisions, the ISM must constantly
shift focus between:
 Business requirements
 The infrastructure engineer’s perspective
 Operations support
 End users
 Financial planner
 Engineer
 Operations support manager
 Must also maintain a sharp focus on
 Security requirements
 How security features of platforms can be used to
provide layered security
 Security architecture requires
 Balancing requirements
 Finding a way to meet requirements with available

27-Feb-14
46

27-Feb-14
47
 What are you trying to do at this layer?
 The assets to be protected by your security architecture.
 Why are you doing it?
 The motivation for wanting to apply security, expressed in the terms
of this layer.
 How are you trying to do it?
 The functions needed to achieve security at this layer.
 Who is involved?
 The people and organizational aspects of security at this layer.
 Where are you doing it?
 The locations where you apply your security, relevant to this layer.
 When are you doing it?
 The time-related aspects of security relevant to this layer.

27-Feb-14
48
 The ISM must plan personnel resources around the
needed technical and administrative skills required
to effectively operate the program. Roles include:
 Security engineers
 Policy specialists
 Access administrators
 Project managers
 Compliance liaisons
 Security architects
 Awareness coordinators
 The ISM must ensure that personnel within the security
organization as well as other responsible organizations
maintain the appropriate skills needed to carry out
program functions
 Each organization’s skill requirements vary, generally
revolving around the existing information systems and
security technologies implemented
 Skills that are only rarely needed are best acquired
through service providers such as integrators or consulting
firms.
 When faced with the need for a specialized skill, the ISM
should analyze the cost, timing and intellectual capital
implications of hiring staff vs. using an external service
provider

27-Feb-14
49
 An active security awareness program can greatly
reduce risks by addressing the behavioral element of
security through education
 Focus on common user security concerns such as
password selection, appropriate use of computing
resources, e-mail and web browsing safety, and
social engineering
 Users are the front line for the detection of threats
that may not be detectable by automated means
 Employees should be educated on recognizing and
escalating such events
 Simple quizzes
 Reminders such as posters, newsletters, or
screen savers
 A regular schedule of refresher training
 In larger organizations, special management-
level training on information security awareness
and operations issues is desirable

27-Feb-14
50
 Computer-based security awareness & training programs
 E-mail reminders and security tips
 Written security policies and procedures (and updates)
 Nondisclosure statements signed by the employee
 Use of different media in promulgating security
 Visible enforcement of security rules
 Simulated security incidents for improving security
procedures
 Rewarding employees who report suspicious events
 Periodic reviews
 Job descriptions
 Performance reviews
 All employees of an organization and, where
relevant, third-party users must receive
appropriate training and regular updates on the
importance of security policies, standards and
procedures in the organization
 For new employees, this should occur before access
to information or services is granted and be a part of
new employee orientation

27-Feb-14
51
 The ISM must be methodical in developing and
implementing the education and awareness program and
needs to consider various aspects including:
 Who is the intended audience (management, business
managers, IT staff, users)?
 What is the intended message (policies, procedures, recent
events)?
 What is the intended result (improved policy compliance,
behavioral change, better practices)?
 What communication method will be used (computer-based
training (CBT), all-hands meeting, intranet, newsletters, etc.)?
 What is the organizational structure and culture?
 Some of the documentation required will typically include:
 Program objectives
 Roadmaps
 Business cases
 Resources required
 Documentation
 Controls
 Budgets
 Systems designs/architectures
 Policies, standards, procedures, guidelines
 Project plan milestones, time lines
 KGIs, KPIs, CSFs, other metrics
 Training and awareness requirements

27-Feb-14
52
 Gap Analysis
 Prioritization
 Budgetary aspects
 Portfolio management
 The purpose is to capture the reasoning for initiating a
project or task, and the business case should include all
the factors that can materially affect the project’s success
or failure
 Must persuasively encompass benefits, costs and risk.
 The benefits must be tangible, supportable and relevant to
the organization.
 Particular attention must be given to the financial aspects
of the proposal.
 The TCO and risk must be realistically represented for the
full life cycle of the project.
 It is important to avoid overconfidence, overly optimistic
projections and excessive precision for what are likely to be
somewhat speculative results.

27-Feb-14
53
 Should include some or all of the following:
 Reference
▪ Project name/reference, origins/background/ current state
 Context
▪ Business objectives/opportunities, business strategic alignment (priority)
 Value Proposition
▪ Desired business outcomes, outcomes road map, business benefits (by
outcome), quantified benefits value, costs/ROI financial scenarios, risk/costs
of not proceeding, project risk (to project, benefits and business)
 Focus
▪ Problem/solution scope, assumptions/constraints, options
identified/evaluated, size, scale and complexity assessment
 Deliverables
▪ Outcomes, deliverables and benefits planned; organizational areas impacted
(internally and externally); key stakeholders
 Dependencies
▪ CSFs
 Project metrics
▪ KGIs, KPIs
 Workload
▪ Approach, phase/stage definitions (project change] activities,
technical delivery activities, workload estimate/breakdown, project
plan and schedule, critical path analysis)
 Required resources
▪ Project leadership team, project governance team, team resources,
funding
 Commitments (required)
▪ Project controls, review schedule, reporting processes, deliverables
schedule, financial budget/schedule

27-Feb-14
54
 Evaluation:
 The investment has value and importance.
 The project will be properly managed.
 The enterprise has the capability to deliver the
benefits.
 The enterprise’s dedicated resources are working on
the highest value opportunities.
 Projects with interdependencies are undertaken in the
optimal sequence.
 Elements of each project that should be
considered include:
 Employee time
 Contractor and consultant fees
 Equipment (hardware, software) costs
 Space requirements (data center rack space, etc.)
 Testing resources (personnel, system time, etc.)
 Creation of supporting documentation
 Ongoing maintenance
 Contingencies for unexpected costs

27-Feb-14
55
 Acceptable use policy:
 User-friendly summary of what should and should not
be done to comply with policy
 Detail in everyday terms the obligations of all users
 Must be communicated to all users
 Must be read and understood by all users
 Should be provided to new personnel
 Rules of use for all personnel include the policies
and standards for:
 Access control
 Classification
 Marking and handling of documents
 Reporting requirements and disclosure constraints
 Rules regarding email and internet use

27-Feb-14
56
 Problem management typically requires a systematic
approach to understanding the various aspects of the
issue, defining the problem and designing an action
program along with assigning responsibility and assigning
due dates for resolution.
 A reporting process should also be implemented for
tracking the results and ensuring that the problem is
resolved
 As the information systems environment is continually
going through changes via updates and additions, it is not
unusual for the security controls in place to occasionally
develop a problem and not work as intended.
 It is at this point that the ISM must identify the problem
and assign a priority to it.
 Benefits:
 Specialist skills as needed
 Longer-term staff augmentation while recruiting for
open positions
 Offloading of routine daily tasks
 Outsourced security service providers can deliver
a range of services (e.g., assessment and audit,
engineering, operational support, security
architecture and design, advisory services)

27-Feb-14
57
 Evaluation of program management components
will reveal the extent of management support
and the overall depth of the program
 Very technical, tactically-driven programs are weak in
management components
 Thorough documentation of the program itself
 Key guidelines and procedures been reduced to
accessible guidelines and distributed to responsible
parties
 Responsible individuals understand their roles and
responsibilities
 Roles and responsibilities defined for members of
senior management, boards, etc.
 Organization understand and engage their
responsibilities
 Business unit managers involved in guiding and
supporting information security program activities
 Formal steering committee

27-Feb-14
58
 Policies and standards defined, formally approved, and
distributed
 How is the program positioned within the organization? To
whom is the program accountable? Does this positioning
impart an appropriate level of authority and visibility for the
objectives that the program must fulfill?
 Does the program implement effective administration
functions, e.g., budgeting, financial management, human
resources management, knowledge management?
 Are metrics used to evaluate program performance? Are these
metrics regularly collected and reported?
 Are there forums and mechanisms for regular management
oversight of program activities? Does management regularly
reassess program effectiveness?
 Total Quality Management (TQM) system
 Based on four primary processes, Plan-Do-Check-Act (PDCA)
 Combined with a governance methodology that focuses on strategic program
alignment with organizational goals, will provide the ISM with tools can be used to
implement and maintain a highly effective, efficient security program
 Elements
 Vision
▪ A broadly defined, clear and compelling statement about the organization’s purpose. This should
include the desired outcomes of the information security program.
 Strategic objectives
▪ A set of goals that are necessary and sufficient to move the organization toward its vision. These
goals should be reflected in KGIs.
 CSFs
▪ A set of circumstances or events that are necessary to achieve the strategic objectives.
 KPIs
▪ Concrete metrics tracked to ensure that the CSFs are being achieved.
 Key actions
▪ including tactical and annual action plans are the initiatives to be delivered in order to achieve the
strategic objectives and KGIs.

27-Feb-14
59
 The level of security that hardware and software
controls provide should depend on the:
 Sensitivity of data that can be accessed
 Significance of applications processed
 Cost of equipment and availability of backup equipment
 A wide range of physical security controls are
available to the ISM to implement physical security
some include:
 Electronic locks
 Cameras
 Motion Detectors

27-Feb-14
60
 Physical security policies and control devices are
needed
 Access should be provided on an as-needed basis
 Unrelated equipment and supplies (e.g., paper
and printing supplies) should not be stored along
with sensitive computing infrastructure
 Computing environments must implement
systems to monitor and control environmental
factors such as temperature and humidity
 Personal computers used in open areas may
need special controls
 Laptops and portable devices must also be
protected against theft or loss
 Electronic and print media should also be
protected
 Geographical concerns also need to be
considered

27-Feb-14
61
 Many organizations have implemented ethics
training to provide guidance on what the
organization considers appropriate and legal
behavior.
 This approach is common when individuals are
required to engage in activities of sensitive nature
such as monitoring user activities, penetration
testing and having access to sensitive data.
 Information security personnel must be sensitive to
potential conflicts of interest or activities that may
be perceived as detrimental to the organization.
 The ISM should be aware of differences in
perceptions, customs and appropriate behaviors
across different regions and cultures.
 Policies, controls and procedures should be
developed and implemented with respect to these
differences.
 Elements that might be culturally offensive to others
should be avoided.
 If in doubt, the ISM should work with HR to develop
strategies for addressing differences across the
regions and cultures represented within the
organization.

27-Feb-14
62
 Logistic issues that an ISM needs to be able to
manage include:
 Cross-organizational strategic planning and execution
 Project and task management
 Coordination of committee meetings and activities
 Developing schedules of regularly performed
procedures
 Resource prioritization
 Coordination of security resources and activities with
larger projects and operations

27-Feb-14
63
 Physical/Corporate Security
 It Audit
 Information Technology Unit
 Business Unit Managers
 Human Resources
 Legal Department
 Employees
 Procurement
 Compliance
 Privacy
 Training
 Quality Assurance
 Insurance
 Third Party Management
 Project Management Office
 As each phase of a security program is developed,
executive management, managers with risk management
responsibilities and department management should be
made aware of the content of the information security
program so that activities can be coordinated and specific
areas of responsibility confirmed.
 Information security programs typically cross numerous
department boundaries; therefore, fostering awareness
and getting consensus early in the process is important.
 The role of the information security manager itself often
becomes that of “ambassador” for the information
security program

27-Feb-14
64
 Typically an operational requirement for the
information security department.
 The incident response capability provides first
responders to the inevitable security incidents
experienced in virtually all organizations.
 Objectives:
 Quickly identify and contain incidents to prevent
significant interruptions to business activities;
 Restore affected services
 Determine root causes so that improvements can be
implemented to prevent recurrence.
 Security audits have objectives, scope,
constraints, approach and results
 Effectiveness is judged on the basis of whether or
not controls in place meet a given set of control
objectives
 An information security program should have
established policies and standards

27-Feb-14
65
 Extremely useful in identifying whether those
policies and standards have been fully
implemented
 Where an information security program is under
development, the ISM may
 Select externally published standards
 Engage an audit team to determine the extent to
which his/her own organization is in compliance
 Different standards publications focus on one or
more of these types of items:
 COBIT lists control objectives
 The Standard of Good Practice for Information Security
 SANS Institute
 International Organization for Standardization Code of
Practice for Information Security Management, ISO/IEC
17799:2005, and corresponding Information Security
Management Systems Requirements, ISO/IEC 27001:2005
 The Center for Internet Security (CIS)

27-Feb-14
66
 CISO may not require hands-on technical skills, but should
be knowledgeable about the information technologies
implemented by their organization from architectural and
data flow perspectives.
 Regardless of operating level, all information systems
managers should have a thorough understanding of
security architecture, control implementation principles,
and commonly implemented security processes and
mechanisms.
 This understanding should include the strengths,
limitations, opportunities and risk of common security
controls in addition to the financial and operational
implications of deployment.
 Due diligence = the “standard of due care”
 Some due diligence components include:
 Senior management support
 Comprehensive policies, standards and procedure
 Appropriate security education, training and awareness
 Periodic risk assessments
 Effective backup and recovery processes
 Implementation of adequate security controls
 Effective monitoring and metrics
 Effective compliance
 Testing business continuity and disaster recovery plans
 Periodic independent reviews of the infrastructure

27-Feb-14
67
 Maintaining daily monitoring of relevant entities
that publish vulnerability information.
 CERT
 MITRE’s Common Vulnerabilities and Exposures (CVE)
database
 Security Focus’ BUGTRAQ mailing list
 SANS Institute
 Numerous software vendors
 Compliance enforcement has two connotations
 To a regulatory environment
 To internal policies, standards and procedures
 Enforcement activities are management oversight
functions by which the control activities designed to
achieve an objective of compliance are supervised
 Compliance enforcement is any activity within the
information security program designed to ensure
compliance with the organization’s control
objectives

27-Feb-14
68
 Policy forms the basis for all accountability with
respect to security responsibilities throughout
the organization
 In most large organizations the ISM designates
formal security roles that hold the department
head responsible for getting processes that
maintain security policy compliance for a given
set of information systems in place
 The ISM must:
 Ensure that, in the assignment process, there are no
“orphan” systems or systems without policy-
compliance owners
 Further provide oversight to ensure that policy
compliance processes are properly designed
 Where a policy document is deemed to have
such little benefit that it may be bypassed, an
ISM should use that feedback to effect change
being termed the Policy Exception Process

27-Feb-14
69
 Standards must be designed to ensure that all
systems of the same type are configured and
operated in the same way.
 As far as possible, compliance with standards should
be automated to ensure that system configurations
do not, through intentional or unintentional activity,
deviate from policy compliance.
 Executive management signs off on policy, while
standards simply provide a standard method for
complying with policy.
 If there are deviations, there should be no dispute among
executive management that the security program is intact.
 Background and training is necessary for execution of tasks
 Training classes should be tailored for those with security
job responsibilities
 Security awareness must also include end-user training:
 Backing up work-related files
 Choosing passwords wisely and protecting them from exposure
 Avoiding e-mail and web-based viruses
 Recognizing social engineers
 Reporting security incidents
 Securing electronic and paper media against theft and exposure
 Spotting malware that could lead to identity theft and desktop
spying

27-Feb-14
70
 Numerous threats exist that may impact security
program efforts and objectives.
 Threats must be evaluated to determine:
 If they are viable
 The likelihood that they will materialize
 Their potential magnitude
 The potential impact
 Possible threats:
 Unclear objectives
 Carelessness
 Mistakes
 Deficient strategy
 Poor planning
 Inadequate resources
 Incorrect specifications
 Faulty execution

27-Feb-14
71
 Designed to identify vulnerabilities in a given
information system or environment
 ISMs need to perform a vulnerability analysis in
order to ascertain whether controls are adequate
 Vulnerabilities can be characterized by whether:
 They were intentionally maliciously created or not
 Whether they exist in system development or
operations
 BIA
 Determines impact of losing support of a resource to an
organization
 Establishes the escalation of that loss over time
 Identifies the minimum resources needed to recover
 Prioritizes the recovery of processes and supporting systems
 BIAs are based on risk assessment results
 Should have a process by which:
 Business impact of damage to any information resource is
reassessed periodically
 Assessment is used to determine requirements for security
measures with respect to that resource

27-Feb-14
72
 Can, to a large extent, replace a BIA for the
purposes of developing business continuity
plans.
 Based on determining the applications used by a
business operation in conducting its primary
activities and the resources (networks,
databases) needed to perform required functions
 Two types:
 Outsourcing
 Service contracting
 Distinction is that when services are contracted for,
the ISM retains ownership of and responsibility for
the performance of the security service
 Outsourced activity must be consistent with the
goals and objectives of the overall information
security program
 Security program elements that monitor outsourced
security functions must not themselves be
outsourced

27-Feb-14
73
 Advantage:
 Cost
 Scalability
 Reliability
 Performance
 Agility
 Security considerations:
 The loss of control over sensitive data
 The location of data: organizations may store and transmit data across state
or national boundaries, so the ISM may consider myriad laws, regulations
and compliance requirements of various jurisdictions.
 Requirements for handling incidents may vary from one jurisdiction to
another, e.g., breach notification laws. Availability of audit logs may also be
limited or nonexistent from the cloud provider, and the actual level of
security may be difficult to ascertain.
 Integration
 System lifecycle processes
 Change management
 Configuration management
 Release management

27-Feb-14
74
 Include risk and protection considerations in the
SDLC by:
 Establishing requirements
 Solution architecture and design
 Proof of concept
 Full development and coding
 Integration testing, deployment
 Quality and acceptance testing
 Maintenance
 Systems’ end-of-life
 Defined baseline security controls should be a
standing requirement for all new systems
development.
 The ISM should refer to industry and regional
sources to determine a baseline set of
appropriate security functions.
 Supplemental controls may be warranted based on
vulnerability, threat and risk analysis, and these
controls should be included in the requirements-
gathering process.

27-Feb-14
75
 The ISM should:
 Communicate solution deficiencies and developing,
mitigating or compensating controls as required.
 Employ internal or external resources to review
coding practices and security logic during
development to ensure that best practices are being
employed.
 A key to policy compliance is having a policy-compliance
owner for each deployed information system
 To maintain accountability for policy compliance through
frequent change, a security program must identify where
IT changes are initiated, funded, and deployed
 The ISM must create hooks into processes so that those in
job functions that specify, purchase and deploy new
systems have policy compliance as part of their job
functions
 Gives the ISM time to identify vulnerabilities in new
systems, identify new threats presented by systems &
assist the implementation team to develop policy-
compliant pre-approved standards for production
deployment

27-Feb-14
76

27-Feb-14
77
 The key to risk management is the risk mitigation
process. After risks are identified existing
controls and countermeasures can be evaluated
or new ones designed to mitigate risk to
acceptable levels.

27-Feb-14
78
 Based on today's regulatory environment, controls
and countermeasures are most efficiently
approached based on a top-down, risk-based
approach.
 After applying industry-recognized frameworks such
as COBIT and ISO 27001, design of the controls
implemented must include measurability.
 Effectiveness of controls cannot be evaluated unless
they can be tested and measured.
 Further, confidence levels and sampling sizes for
testing the effectiveness of these controls closely
mirror audit and regulatory compliance objectives.
 Strength of controls can be measured by the type of
control being evaluated (preventive, detective, manual,
automated, etc.) and its quantitative and qualitative
compliance testing results.
 As such, although an automated control is, by default,
stronger than a manual control, detailed analysis may
reveal that a manual control is better.
 An automated control design may create alerts and
generate automatic reports.
 However, after carefully looking at the process, one may
determine that a) no evidence of review can be produced,
and b) subsequent response actions up to and including
resolution cannot be measured.

27-Feb-14
79
 Technical controls are safeguards that are
incorporated into computer hardware, software
or firmware.
 Non technical methods include management and
operational controls such as policies, operational
procedures etc.
 Once the risks facing an organization have been
identified and prioritized, the ISM can customize the
security strategies and prioritize the options to
mitigate those risks
 Deterrent controls
 Preventative controls
 Detective controls
 Corrective controls

27-Feb-14
80
 Existing controls are the policies, procedures,
practices and guidelines designed to provide
assurance
 Countermeasures directly reduce a threat or
vulnerability and can be considered a targeted
control e.g.:
 Segmenting a network
 Having multiple ISPs
 Stopping an activity that creates a risk
 Elements of controls
 Preventative or detective
 Manual or automated
 Formal (documented in procedure manuals and evidence
of their operation is maintained) or ad hoc.
 Considerations:
 Effectiveness of recommended options
 Legislation and regulation
 Organizational policy
 Operational impact
 Safety and reliability

27-Feb-14
81
 A specialized set of general controls upon which all
computing facilities as well as personnel depend.
 The ISM should:
 Validate technology choices in support of physical security
 Ensure that formal roles and responsibilities and
accountabilities with respect to physical access controls
exist
 Use the roles and responsibilities for interfacing with
various local physical security organizations if they are
geographically dispersed
 Intended to restrict access to facilities
 Methods for keeping unauthorized individuals from
gaining access to tangible information resources
include
 Smart cards or access controls based on biometrics
 Security cameras
 Security guards
 Fences
 Lighting
 Locks
 Sensors

27-Feb-14
82
 Designed to ensure that the facilities in which
systems are stored are designed to compensate
for physical limitations of computer system
operations
 Without environment controls to prevent, detect
and recover from physical damage to information
systems, control activities would be subject to
physical damage from a variety of sources (e.g.,
theft and weather)
 Because organizational departments also have a
responsibility for information security process
deployment, the ISM is not able to enforce all policy
requirements.
 Personnel outside can be assigned security job
responsibilities, thus allowing the ISM to close gaps out of
his/her control
 The ISM may also need to assist business application
owners in establishing procedures
 An ISM must integrate security touchpoints into the life
cycle to ensure that the business is not surprised by last-
minute introduction of security requirements

27-Feb-14
83
 Native control technologies:
 Out of the box security features that are integrated with
business information systems.
 Generally configured and operated by IT
 Supplemental control technologies
 Components that are added on to an information systems
environment
 Usually provide some function that is not available in the
native components (network intrusion detection), or that
is more appropriate to implement outside of primary
business application systems
 Tend to be more specialized than native control
technologies
 Management support technologies
 Automate a security related procedure, provide
management information processing, or increase
management efficiency
 Examples include security information management
(SIM) tools, compliance monitoring scanners and
security event analysis systems
 Used by information security group independent of
information technology

27-Feb-14
84
 Analysis of technical components and
architecture
 When analyzing technical security architecture, the
ISM must use a clearly defined set of measurable
criteria to enable tracking of performance metrics
 A few possible criteria for analyzing technical security
architecture and components:
▪ Control placement
▪ Control efficiency
▪ Control policy
▪ Control implementation
 Changes to the technical or operational
environment can often modify the protective effect
of controls or create new weaknesses that existing
controls are not designed to mitigate.
 Periodic testing of controls should be implemented
to ensure that mechanisms continually enforce
policies and procedural controls are being carried
out consistently and effectively.
 After implementation, acceptance testing must be
conducted to ensure that prescribed policies are
enforced by the mechanisms.

27-Feb-14
85
 Changes to operational procedures should also undergo
review and approval by appropriate stakeholders.
 Requisite changes to process inputs, activity steps,
approvals or reviews, and process results should be
considered and modifications to related processes and
technologies should be coordinated.
 Workload considerations should also be taken into
consideration to ensure that changes to operational
controls do not overload resources and impact operational
quality.
 If additional training is required to implement changes, it
should be coordinated and completed prior to
implementation of change.
 Defined baseline security controls should be a standing
requirement
 for all new systems development:
 Security requirements should be defined and documented as an
essential part of the system documentation.
 Adequate traceability of the security requirements should be ensured
and supported across the different phases of the life cycle.
 A few examples include authentication functions, logging, role-based
access control and data transmission confidentiality mechanisms.
 ISM should refer to industry and regional sources to determine
a baseline set of security functions appropriate to their
organizational policies and other needs.
 Supplemental controls may be warranted based on
vulnerability, threat and risk analysis, and these controls should
be included in the requirements-gathering process.

27-Feb-14
86
 Information security program metrics corresponding
to control objectives provide senior management
with information needed to ascertain whether the
information security program is on track
 Control objective metrics should correspond to
information security governance goals (covered in
chapter 1)
 Must cover:
 Strategic Level
 Management Level
 Operational Level

27-Feb-14
87
 The ISM must thoroughly know how to continually
monitor security programs and controls
 Some monitoring is technical and quantitative—some by
necessity is imprecise and qualitative
 Technical metrics can be used to provide quantitative
monitoring and can include elements such as:
 Number of unremediated vulnerabilities
 Number of closed audit items
 Number or percentage of user accounts in compliance with
standards
 Perimeter penetrations
 Unresolved security variances
 Qualitative metrics:
 CMM maturity levels at periodic intervals
 Key performance indicators (KPIs)
 Key goal indicators (KGIs)
 Business balanced scorecard (BBS)
 Six Sigma quality indicators
 ISO 9001 quality indicators
 Other relevant measures:
 Cost-effectiveness of controls
 The extent of control failures, etc.

27-Feb-14
88
 As information resources change over time, both the
security baseline and the resources must adapt to
changing threats and new vulnerabilities.
 The ISM must develop a consistent, reliable method
to determine the overall ongoing effectiveness of
the program ways to do this can include:
 Conduct and track risk assessments
 Penetration testing
 Regular vulnerability scans
 Effective metrics
 Require that a baseline is established for each measurement
 Should have SMART attributes (i.e., specific, measurable,
achievable, repeatable and time-dependent)
 Should be used to chart progress
 The organization’s change management activities also
should feed into the monitoring program
 Metrics are important, but are little use if adverse trends are
not dealt with in a timely manner
 Metrics must be regularly reviewed and any unusual
outcomes are reported
 An action plan to react to the unusual activity should be
developed as well as a proactive plan to address trends in
activity that may lead to a security breach or failure

27-Feb-14
89
 The ISM must also monitor security activities in
infrastructure and business applications:
 Since vulnerability to security breaches exists all the time,
continuous monitoring of security activities is a prudent
business process
 Continuous monitoring of IDSs and firewalls can provide
real-time information of attempts to breach perimeter
defenses
 Training help desk personnel must escalate suspicious
reports that may be the first signs of a breach or an attack
 A variety of methods and techniques that are tailored to
the organization must be used
 Other after-the-fact monitoring techniques include:
 Event logging
 Log reviews
 Compliance assessments
 Network- and host-based IDS
 Penetration testing
 Should consolidate various security event-
monitoring techniques into a single console that the
security team monitors.
 The ISM must have processes in place to determine
the overall effectiveness of security investments and
the extent to which objectives have been met.

27-Feb-14
90
 Security program actual costs need to be accurately
determined to for cost-effectiveness.
 In addition to initial procurement and
implementation costs, it is important to include.
 The staff needed to administer controls
 Maintenance fees
 Update fees
 Consultant or help desk fees
 Fees associated with other interrelated systems that may
have been modified to accommodate security objectives
Strategic Alignment
 Extent to which business
areas are represented in the
information security
program
 Percentage of those that
include data stewardship or
information protection in
their charter
Risk Management
 Level at which risks are
formally addressed in various
business areas
 Identifiable risk management
function in steering
committee
 Periodic testing of the
communication lines to
escalate risks

27-Feb-14
91
Value delivery
 Budgeted cost of work
scheduled verses budgeted
cost compared to the actual
cost of the project for that
period
 Demonstrated effectiveness—
low cost and schedule
variances
 Positive returns on investment
through reusable security tools
and techniques within the
infrastructure and security
review processes
Resource management
 Resource deficiencies are
detected and corrected
before impact
 Identify changing security
resource requirements
 All personnel in lead roles in
critical security functions have
a backup
Performance Management
 Verification that control
activities are achieving
desired results
 Performance measurement
with respect to security
activity designed to achieve
technical objectives
Security Baselines
 To what extent do existing
processes conform to security
baselines?

27-Feb-14
92
 The ISM needs to understand how to implement processes
and mechanisms that provide for assessing the successes
and shortcomings of the information security
management program
 Specific objectives of each organization’s information
security management program vary according to the scope
and operating level of the program
 Should be conceptually and chronologically aligned with
business goals, leading to further diversity in program
goals
 The ISM must lead the analysis of these areas along with
issues of information security governance requirements
 Information security management programs generally
include a core set of common objectives:
 Minimize risk and loss related to information security issues
 Support achievement of overall organizational objectives
 Support organizational achievement of compliance
 Maximize the program’s operational productivity
 Maximize security cost-effectiveness
 Establish and maintain organizational security awareness
 Facilitate effective technical security architecture
 Maximize effectiveness of program framework and resources
 Measure and manage operational performance

27-Feb-14
93
 The primary objective of most information
security programs is to ensure that organizational
information resources are not unduly impacted
by accidental or malicious threats
 Most organizations experience security breaches
 Any information security program must thus also
strive to detect and minimize the impact associated
with detrimental events
 The following are possible approaches to
periodically measuring the program’s success
against risk management and loss prevention
objectives
 The technical vulnerability management approach—
focus on vulnerabilities and vulnerability management
 Risk management approach - focus on risk severity
and annual loss expectancies (ALEs)
 Loss prevention approach - focus on loss due to
incidents

27-Feb-14
94
 The following qualitative measures can be reviewed
by the information security steering committee
and/or executive management:
 Is there documented correlation between key
organizational milestones and the objectives of the
information security management program?
 How many information security objectives were
successfully completed in support of organizational goals?
 Were there organizational goals that were not fulfilled
because information security objectives were not met?
 How strong is consensus among business units, executive
management and other information security stakeholders
that program objectives are complete and appropriate?
 The ISM should recognize that much of a
successful measure’s value is in analyzing why an
objective was or was not met.
 For missed objectives, the reasons why they were not
accomplished should be analyzed
 Feedback should be used to guide ongoing
optimization of the information security management
program

27-Feb-14
95
 If the organization must comply with compulsory
or voluntary standards involving information
security, the ISM must ensure that program goals
are aligned with these requirements
 Likewise, the policies, procedures and
technologies implemented by the program must
fulfill requirements of adopted standards
 Measurements of compliance achievement are
often tied to the results of internal or external
audits
 The ISM may also wish to implement automated
or manual compliance monitoring with higher
frequency and/or broader scope than achievable
with incremental audits
 In addition to actual point-in-time compliance,
the program should be measured on the
effectiveness of resolving identified compliance
issues

27-Feb-14
96
 The ISM must maximize operational productivity
 Productivity can be improved through:
 Automation technologies
 Outsourcing of low-value operational tasks
 Leverage of other organizational units
 The ISM should set periodic goals for increasing the
productivity of the information security management
program through specific initiatives:
 Goals should be reviewed to determine the productivity gains
achieved
 The ISM should analyze data such as hourly employee cost and
effort expended per task to demonstrate the value of
productivity improvement initiatives to senior management
 The information security program must be
financially sustainable
 Otherwise, security controls degrade due to poor
maintenance and support
 Financial constraints are a common reason for security
lapses, including failure to plan for ongoing
maintenance requirements
 The ISM must work to maximize the value of each
security investment to control information security
expenses and ensure sustainable achievement of
objectives

27-Feb-14
97
 This process begins with accurate cost forecasting
and budgeting
 The success of this activity is generally established by
monitoring budget utilization vs. original projections; can
help identify issues with security cost planning
 The ISM should implement procedures to measure
the ongoing cost-effectiveness of security
components, most often accomplished by tracking
cost/result ratios
 This approach establishes cost-efficiency goals for new
technologies and improvement goals for existing
technologies by measuring the total cost of producing a
specific result
 Ratios of result-units per currency-unit (e.g., 7,400
network packets analyzed per US dollar annually) or vice
versa (0.04 Euros per thousand e-mails scanned annually)
can be used to demonstrate cost efficiency and cost of
results, respectively.
 Other examples include
 Per-application costs of vulnerability assessment
 Per-user costs for workstation security controls
 Per-mailbox costs for e-mail spam and virus protection
 ISM must regularly consider the total cost of technical
security components
 Purchase and implementation costs are only part of the total
cost

27-Feb-14
98
 Personnel actions can present threats that can
only be mitigated through education and
awareness
 The ISM must implement processes to track the
ongoing effectiveness of awareness programs
 Tracking organizational awareness is most commonly
achieved at the employee level
 As such, the ISM should work with their organization’s HR
department to implement metrics for tracking
organizational awareness success
 Records of initial training, acceptance of policies and usage
agreements, and ongoing awareness updates are useful
metrics
 In addition to identifying individuals in need of training,
this helps identify organizational units that may not be
fully engaged in the security awareness program

27-Feb-14
99
 Employee testing can indicate awareness
program effectiveness
 Conducting additional quizzing on a random sample of
employees several months after training will help
determine the longer-term effectiveness of awareness
training
 The ISM must establish quantitative measures
that inform management about the effectiveness
of the technical security architecture
 Technical security metrics can be categorized for
reporting and analysis purposes by protected
resource and geographic location

27-Feb-14
100
 Qualitative measures apply to technical control
environment.
 Individual technical mechanisms have been tested to
verify control objectives and policy enforcement
 The security architecture is constructed of appropriate
controls in a layered fashion
 Control mechanisms are properly configured and
monitored in real-time, self-protection implemented, and
information security personnel alerted to faults
 All critical systems events are reported to information
security personnel or to event analysis automation tools
for real-time threat detection
 Methods of tracking the program’s success include:
 Tracking the frequency of issue recurrence
 Monitoring the level of operational knowledge capture and
dissemination
 The degree to which process implementations are standardized
 Clarity and completeness of documented information security roles
and responsibilities
 Information security functions incorporated into every project plan
 Efforts and results in making the program more productive and cost-
effective
 The ISM should implement such mechanisms with the goal of
extracting additional “latent” value from the framework,
procedures and resources that make up the program

27-Feb-14
101
 Measures of security operational performance
include:
 Average time to detect, escalate, isolate and contain
incidents
 Average time between vulnerability detection and
resolution
 Quantity, frequency and severity of incidents discovered
post hoc
 Average time between vendor release of vulnerability
patches and their application
 Percentage of systems audited within a certain period
 Number of changes released without full change control
approval
 The ISM must determine the most appropriate
metrics for tracking security operations within all
responsible organizational units
 Metrics should be regularly compiled, analyzed and
distributed to stakeholders and responsible
management
 Performance issues should be analyzed for root cause
by the security steering committee
 Solutions for improvement should be implemented

27-Feb-14
102
 The ISM should consider the development of a
central monitoring environment that provides
analysts visibility into all enterprise information
resources.
 Each organization needs to determine which
security events are the most pertinent in terms
of affected resource and event type.
 Some commonly monitored event types include:
 Failed access attempts to resources
 Processing faults that may indicate system tampering
 Outages, race conditions and faults related to
insufficient resources
 Changes to system configurations, particularly security
controls
 Privileged system access and activities
 Technical security component fault detection

27-Feb-14
103
 Procedures for analyzing events and taking
appropriate responsive action must be developed.
 Security monitoring analysts should be trained on
these procedures, and monitoring supervisors
should have procedures to address unknown
anomalies.
 Response procedures involve:
 analyzing related events and system states
 capturing additional event-related information
 investigating suspicious activity
 escalating the issue to senior analysts or management
 The escalation path for security events and
incident initiation should be tested regularly.
 In addition to real-time monitoring, the ISM
should periodically conduct analysis of trends in
security-related events such as attempted attack
types or most frequently targeted resources.

27-Feb-14
104
 Information security is a relatively new function
within many organizations
 Even for mature information security programs, the
requirements and demands are rapidly changing,
driven by technical and regulatory pressures
 The ISM should be aware of
 Common challenges to effective information security
management
 The reasons behind those challenges
 Strategies for addressing them

27-Feb-14
105
 The most common in smaller organizations and
those that are not in security-intensive industries
 Misunderstanding of the organization’s dependence on
information systems and of the threat and risk
environment is common
 The ISM must utilize resources, such as industry statistics,
organizational impact and dependency analyses, and
reviews of common threats to the organization’s
information resources
 Management may need guidance concerning
 What is expected of them
 Information security approaches that industry peers are
taking
 Some funding-related issues that the ISM may need
to address include:
 Management not recognizing the value of security
investments
 Security being viewed as a low-value cost center
 Management not conceptually understanding where
existing money is going
 The organizational need for a security investment not
being understood
 The need for more awareness of industry trends in
security investment

27-Feb-14
106
 Inadequate funding extends to the challenge of
inadequate staff levels to meet security program
requirements
 The ISM utilize workload management
procedures to generate personnel workload
analyses, utilization reports and other metrics
that demonstrate the level of effort currently
expended
 Charts that associate specific information security
roles or teams with the protection that they provide
to enterprise information systems are helpful
 Demonstrating high or growing levels of productivity
also help demonstrate that the information security
program is utilizing resources effectively and
efficiently
 If all else fails, the ISM should work with the steering
committee to determine areas in which personnel
time allocations can be cut back

Ch3 cism 2014

More Related Content

What's hot

Similar to Ch3 cism 2014

More from Aladdin Dandis

Recently uploaded

Ch3 cism 2014