This document provides an overview of information security governance, risk management, program development, program management, and incident management and response. Key points include:
1. Effective governance requires strategic alignment of security with business objectives, collective risk understanding, prioritizing security based on risk analysis, and performance measurement.
2. Risk management involves assessing threats, vulnerabilities, risks and their potential impacts, evaluating risks, treating risks, and integrating controls.
3. Developing a security program involves defining objectives, scope, resources, metrics, and implementing according to a roadmap using methods like PDCA.
Summarizes the design and build approach for a SOC (Security Operation Center) for both end-user companies and service providers. Defines the approach flow for building a SOC and the various components and phases involved. Defines design rules of thumb and parameters for SOC design.
Cyber Security Trends
Business Concerns
Cyber Threats
The Solutions
Security Operation Center
requirement
SOC Architecture model
SOC Implementation
SOC & NOC
SOC & CSIRT
SIEM & Correlation
-----------------------------------------------------------
Definition
Gartner defines a SOC as both a team, often operating in shifts around the clock, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance. The term "cybersecurity operation center" is often used synonymously with SOC.
A network operations center (NOC), which focuses on network device management rather than on detecting and responding to cybersecurity incidents, is not a SOC. Coordination between the two is common, however.
A managed security service is not the same as having a SOC — although a service provider may offer services from a SOC. A managed service is a shared resource and not solely dedicated to a single organization or entity. Similarly, there is no such thing as a managed SOC.
Most of the technologies, processes and best practices that are used in a SOC are not specific to a SOC. Incident response and vulnerability management remain the same whether delivered from a SOC or not. The SOC is a meta-topic, involving many security domains and disciplines, depending on the services and functions that the SOC delivers.
Services that often reside in a SOC are:
• Cyber security incident response
• Malware analysis
• Forensic analysis
• Threat intelligence analysis
• Risk analytics and attack path modeling
• Countermeasure implementation
• Vulnerability assessment
• Vulnerability analysis
• Penetration testing
• Remediation prioritization and coordination
• Security intelligence collection and fusion
• Security architecture design
• Security consulting
• Security awareness training
• Security audit data collection and distribution
Alternative names for SOC:
Security defense center (SDC)
Security intelligence center
Cyber security center
Threat defense center
Security intelligence and operations center (SIOC)
Infrastructure Protection Centre (IPC)
Security operations center (Persian: مرکز عملیات امنیت)
ISO/IEC 27001 Foundation Training Course by Interprom (Mart Rovers)
What is involved in the ISO/IEC 27001 Foundation certification training course? Learn about the course curriculum, target audience, duration, formats, exam, fees and much more.
Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation (PECB)
In this session, we will go through ISO/IEC 27701 and ISO/IEC 27001 key practical implementation steps and how they can help you to be compliant with the GDPR.
Our presenters, Peter Geelen and Stefan Mathuvis, will guide you through the implementer tasks with practical hints and tips and show you how an auditor will look at your implementation, searching for evidence and compliance.
In addition, we will match the ISO/IEC 27(7)01 requirements to complete the GDPR obligations as far as possible.
Topics range from executive management to privacy policies, handling notifications, setting up awareness programs, controlling user access requests, vendor management, incident management (data breaches) and continuous updates.
The webinar will cover:
• Quick recap on general ISO components and approach
• Implementing ISO/IEC 27001 with the ISO/IEC 27701 extension for GDPR compliance
• Do's and don’ts for implementation and audit
• The importance of evidence in the audit
• Managing audit expectations and the never-ending audit cycle
Recorded webinar: https://youtu.be/HL-VUiCj4Ew
Security Framework for Digital Risk Management (Securestorm)
A cyber security governance framework and digital risk management process for OFFICIAL environments in UK Government. A pragmatic and proportional information risk management process which can be used at speed and is compatible with Agile projects. This is released under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
The ISO27001 standard was revised and a new version was published in 2013. ISO27001 is also becoming a more common information security standard among service providers. This presentation focuses on the changes in the 2013 version and on the process for implementing and getting certified for ISO27001.
Following are the key objectives of this presentation:
Provide an introduction to ISO27001 and the changes in the 2013 version
Discuss the implementation approach for an Information Security Management System (ISMS) framework
Familiarize the audience with some common challenges in implementation
Cyber Security Layers - Defense in Depth
7P's, 2D's & 1 N
People
Process
Perimeter
Physical
Points (End)
Network
Platform
Programs (Apps)
Database
Data
PCI DSS Implementation: A Five Step Guide (AlienVault)
Payment Card Industry Data Security Standard (PCI DSS) compliance can be both hard and expensive. For most small to medium sized organizations, it doesn’t have to be, as long as you have the right plan and tools in place. In this guide you’ll learn five steps that you can take to implement and maintain PCI DSS compliance at your organization.
AlienVault PCI DSS Compliance:
https://www.alienvault.com/solutions/pci-dss-compliance
Have a question? Ask it in our forum:
http://forums.alienvault.com
More videos: http://www.youtube.com/user/alienvaulttv
AlienVault Blogs: http://www.alienvault.com/blogs
AlienVault: http://www.alienvault.com
Introduction to Risk Management via the NIST Cyber Security Framework (PECB)
The cyber security profession has successfully established explicit guidance for practitioners to implement effective cyber security programs via the NIST Cyber Security Framework (CSF). The CSF provides both a roadmap and a measuring stick for effective cyber security. Application of the CSF within cyber is nothing new, but the resurgence of Enterprise Security Risk Management and Security Convergence highlights opportunities for expanded application to cyber, physical, and personnel security risks. The NIST CSF can help practitioners build a cross-pollinated understanding of holistic risk.
Main points covered:
• Understand the purpose, value, and application of the NIST CSF in familiar non-technical terms.
• Understand how the Functions and Categories of the NIST CSF (the CSF “Core”) and an organization's “current” and “target” profiles are relevant and valuable in a variety of sectors and environments.
• Understand how an organization’s physical and cyber security resources and stakeholders can align with the NIST CSF as a tool to achieve holistic security risk management.
Presenters:
David Feeney, CPP, PMP has 17 years of security industry experience assisting organizations with risk management matters specific to physical, personnel, and cyber security. He has 9 years of experience with service providers and 8 years of experience within enterprise security organizations. David has worked with industry leaders in the energy, technology, healthcare, and real estate sectors. Areas of specialization include Security Operations Center design and management, security systems design and implementation, and Enterprise Risk Management. David holds leadership positions in ASIS International and is also a member of the InfraGard FBI program. David holds Certified Protection Professional (CPP) and Project Management Professional (PMP) certifications.
Andrea LeStarge, MS has over ten years of experience in program management, risk analysis and curriculum development. Specializing in Homeland Security, Andrea leverages her experience managing projects that supported various Federal Government entities in identifying, detecting and responding to man-made, natural and cyber incidents. She has an established track record in recognizing security gaps and corrective risk mitigation options, while effectively communicating findings to stakeholders, private sector owners and operators, and first-responder personnel at the tactical, operational and strategic levels. Overall, Andrea applies analytical tradecraft and demonstrates consistent, repeatable and defensible methodologies pertaining to risk and the elements of threat, vulnerability and consequence.
Recorded webinar: https://youtu.be/hxpuYtMQgf0
Jonathan Pollet and Mark Heard of Red Tiger Security at S4x15 OTDay.
The NIST Cybersecurity Framework (CSF) has been out for a year now, and some owner/operators have begun to use it to help create an ICS cyber security program. The Red Tiger Security team discusses what the CSF is and their experience in using it with real-world clients.
The SOC analyst training program is meticulously designed by the subject matter experts at Infosec Train. The training program offers a deep insight into the SOC operations and workflows. It is an excellent opportunity for aspiring and current SOC analysts (L1/L2/L3) to level up their skills to mitigate business risks by effectively handling and responding to security threats.
https://www.infosectrain.com/courses/soc-analyst-expert-training/
From SIEM to SOC: Crossing the Cybersecurity Chasm (Priyanka Aash)
You own a SIEM, but to be secure, you need a Security Operations Center! How do you cross the chasm? Do you hire staff or outsource? And what skills are needed? Mike Ostrowski, a cybersecurity industry veteran, will review common pitfalls experienced through the journey from SIEM to SOC, the pros and cons of an all in-house SOC vs. outsourcing, and the benefits of a hybrid SOC model.
Learning Objectives:
1: You own a SIEM, but to be secure, you need a SOC. How do you cross the chasm?
2: What are the pros and cons of in-house, fully managed and hybrid security?
3: What considerations go into deciding whether to employ a hybrid strategy?
(Source: RSA Conference USA 2018)
The Cybersecurity Risk Management Framework Strategy for Defense Platform Systems course prepares command leadership to implement the National Institute of Standards and Technology’s (NIST) cybersecurity Risk Management Framework (RMF) from a Platform Information Technology (PIT) perspective.
This one-day workshop reviews the five functions of cybersecurity that leadership must consider when making decisions about program resources and requirements.
A Security Operation Center (SOC) is the most sensible move to protect your business during an attempted cyber security attack. The SOC represents the overall security of an organization/environment, covering cyber, digital and information security, and the operations center is responsible for assessing and implementing the security posture of an organization. Through the SOC, multiple layers of security are put in place with the objective of protecting information that is valuable to the organization.
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard (PECB)
In this session, we have looked into the ISO/IEC 27701 standard, which was published in August 2019. This standard glues together ISO/IEC 27001, ISO/IEC 27002, ISO 29100 and their sub-standards with the GDPR.
For certification and compliance, it's important to understand these standards and regulations, as the GDPR and other legislation have heated up the discussion about certification. ISO/IEC 27701 contains important requirements and implementation guidance for implementing a PIMS (Privacy Information Management System), which will set the baseline for the future of privacy and data protection.
The webinar covers:
• Walkthrough of the ISO/IEC 27701
• Links with ISO/IEC 2700x series standards, ISO 29100 series...
• ISO/IEC 2700x and GDPR mapping
• Audit & certification
Presenter:
Our presenter for this webinar, Peter Geelen, is director and managing consultant at CyberMinute and owner of Quest For Security, Belgium. Over more than 20 years, Peter has built strong experience in enterprise security and architecture and Identity and Access Management, but also in privacy, information and data protection, and cyber and cloud security. In recent years his focus has been on ISO/IEC 27001 and other ISO certification mechanisms.
Peter is an accredited Lead Auditor for ISO/IEC 27001/ISO 9001, PECB Trainer and Fellow in Privacy. Committed to continuous learning, Peter holds renowned security certificates as certified Sr. Lead Cybersecurity Manager, ISO/IEC 27001 Master, ISO/IEC 27002 lead manager, ISO/IEC 27701 Lead Implementer, CDPO, Risk management, Lead Incident Mgr., Disaster Recovery, and many more.
Date: December 04, 2019
The recorded webinar: https://www.youtube.com/watch?v=ilw4UmMSlU4&feature=emb_logo
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001...
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Google +: https://plus.google.com/+PECBGroup
Facebook: https://www.facebook.com/PECBInternat...
Slideshare: http://www.slideshare.net/PECBCERTIFI...
Revised by Christian Reina
Version: 1.1
Date: September 18, 2009
Change log:
- Risk Based Audit approach
- Things to know
- Penetration Testing Stages
- OSI Model protocols
- Firewall generations
- Wireless
- Common Criteria ISO 15408
- Problem Management
- System Development Life Cycle
- Software Life Cycle
- Five rules of evidence
- Incident Response framework
- Evidence Lifecycle
- Fair Information Practices
White Paper: Gigya's Information Security and Data Privacy Practices (Gigya)
As the leading SaaS Customer Identity and Access Management provider for enterprises, Gigya is committed to maintaining a high level of performance and security. Our platform is optimized for maximum efficiency and scalability while protecting our clients’ data by adhering to strict security and compliance standards. This document provides an overview of Gigya’s standards for the following four categories: Infrastructure, Data Security, Compliance, and Privacy Policies.
This Business Improvement Proposal was created by WebIT2 Consultants (Sarah Killey, Donald Gee, Mark Cottman-fields, Darren Cann and Sean Marshall) for the Queensland University of Technology (QUT) Library.
The plan outlines an in-depth situational analysis, proposal description, recommended solution, key benefits, business drivers, return on investment and implementation plan.
This is an assessment piece for INB346 - Enterprise 2.0 unit, Semester 2, 2009 (Lecturer Dr Jason Watson).
Creating A Business Advantage With Offshore Resources (KPI Partners)
This white paper discusses how Fortune 500 enterprises leverage the offshore and blended-shore model for higher market growth and business advantage.
Offshore outsourcing is now a mainstream practice for Fortune 500 Enterprises as more and more companies are going offshore to develop and maintain software. The reason is simple: outsourcing saves time and money.
Cost savings were the primary reason US clients began to adopt the offshore model in the early 1990s. The major drivers in the past few years have gone well beyond cost. Other drivers for offshore now include:
Time to market
Available and flexible talent pool
Quality
Higher productivity
A 24-hour workday for support activities
Quick ramp-up
KPI Partners currently operates two Offshore Technology Centers in India. The Offshore Technology centers are a critical component of the blended-shore model that many of our clients utilize today. The basic framework of our blended-shore model consists of on-site KPI consultants and an OTC team working in concert to meet the needs of our clients.
White Paper: Look Before You Leap Into Google Apps (Office)
Many IT organizations that have evaluated Google Apps have found that the projected versus actual costs of switching to Google Apps greatly increase their total cost of ownership (TCO). This white paper discusses three major hidden-cost areas associated with Google Apps: Deployment costs, IT Support costs, and User Training and File Fidelity costs.
This whitepaper examines the challenges in integrating malware protection into broader product offerings, provides an in-depth review of the VIPRE® SDK, and covers the benefits of partnering with the GFI Advanced Technology Group to deliver the most efficient and effective protection solutions available.
CISM Study Guide
Christian Reina, CISSP, CISA, CRISC
2010
An investment in knowledge pays the best interest.
Benjamin Franklin
_______________________________
This document may be used only for informational,
training and noncommercial purposes.
Table of Contents

Information Security Governance
  Overview
    Significant benefits
    Outcomes
  Effective Governance
    Business goals and objectives
    Roles and Responsibilities
    Governance, Risk and Compliance
    Business Model for Information Security
  Information security manager
    Obtaining senior management commitment
  Governance metrics
    Effective security metrics
    Strategic alignment
    Risk management
    Value delivery
    Resource management
    Performance measurement
    Assurance integration
  Common pitfalls in developing a security strategy
  Strategic Objectives
    The goal
    Business case development
    The desired state
    Risk objectives
  Information security strategy
    Road map
    Resources
    Constraints
  Action Plan
Information Risk Management
  Overview
  Effective information risk management
    Development
    Roles and Responsibilities
  Implementing Risk Management
    Process
    Framework
    External and Internal environment
    Risk management scope
  Risk Assessment
    NIST approach
    Aggregated and cascading risk
    Other
    Identification of risks
    Threats
    Vulnerabilities
    Risks
    Risk Analysis
    Evaluation of risks
    Risk treatment
    Impact
  Controls
  Information Resource valuation
    Information Asset Classification
    Impact assessment and analysis
  Integration with Life Cycle Processes
  Risk monitoring and communication
Information Security Program Development
  Overview
    Outcomes
  Information Security Manager Responsibilities
  Scope and Charter development
  Development Objectives
    Defining objectives
    Residual risks
    The Desired State
  Defining a program development road map
  Program Resources
  Implementing an Information security program
    PDCA Methodology
  Information Infrastructure and Architecture
    Objectives
  Development Metrics
    Levels
    Attributes
    Goals
Information Security Program Management
  Overview
  Outcomes
  Roles and responsibilities
    Information security manager
    Board of directors
    Executive management
    Steering committee
    IT
    Business unit managers
  Management Framework
    Technical
    Operational
    Management
    Administrative
    Educational
    Assurance integration
  Measuring Performance
    Risk and Loss
    Support of business objectives
    Compliance
    Operational productivity
    Cost effectiveness
    Organizational awareness
    Technical security architecture
    Effectiveness of management framework and resources
    Operational performance
  Management challenges
  Determine the State of Information Security
  Information Security Management Resources
  Implementing Management
    Outsourcing
Incident Management and Response
  Overview
  Incident management and response
  Incident handling process
    Detection and reporting
    Triage
    Analysis
    Incident response
  Information security manager responsibilities
  Metrics and Indicators
    Strategic alignment
    Risk management
    Assurance process integration
    Value delivery
    Resource management
    Performance Measurement
  Plan of action
  Challenges
  Resources
  BIA
    Goals
    Activities
  Current state of incident response capability
  Developing an incident response plan
    Elements
    Gap analysis
  Response and recovery plans
    Threat mitigation
    Recovery sites
    Basis for recovery
    Incident management teams
    Continuity of network services
    Insurance
  Testing
    Types of tests
    Test Results
  Executing Response and Recovery Plans
    Ensuring Execution as required
  Forensic Evidence
Information Security Governance
Overview
Significant benefits:
Policy compliance
Lowering risks
Optimize resources
Assurance on critical decisions
Efficient and effective risk management
Trust and reputation
Outcomes:
1. Strategic Alignment
a. Security requirements driven by organizational objectives
b. Security solutions fit for organizational processes
c. Investments aligned with the organizational strategy
2. Risk Management
a. Collective understanding
b. Risks mitigation
3. Value delivery
a. Standard set of security practices
b. Prioritizing security objectives based on risk analysis
4. Resource management
a. Knowledge is captured and available
b. Efficient security architecture
5. Performance measurement
a. Metrics
b. External assessments and audits
6. Integration
a. Relationships with assurance functions
b. Roles and responsibilities between assurance functions should not overlap
Effective Governance
Business goals and objectives
Security strategy linked with business objectives
Policies address each aspect of strategy, controls, and regulation
Standards for each policy
Sufficient authority
Metrics and monitoring
Roles and Responsibilities
Board of directors/senior management
Validating and ratifying the key assets they want protected and the protection levels
Penalties for non compliance must be communicated and enforced
Executive management
Implement effective security governance
Align information security activities in support of business objectives
Steering Committee
Consensus on priorities and tradeoffs
Ensuring the alignment of the security program with business objectives
CISO
The CISO, CSO or equivalent C-level role holds the responsibility, authority, and required resources to improve the security posture
Governance, Risk and Compliance
Governance: senior executive management responsibility
Risk management: Risk tolerance, risk identification and impact, risk mitigation
Compliance: Records and monitors the policies, procedures, and controls needed to ensure that policies and standards are adhered to.
Business Model for Information Security
1. Elements
a. Organization design and strategy
b. People
i. Recruitment strategies
ii. Employment issues
iii. Termination
c. Process
d. Technology
2. Dynamic Interconnections
a. Governance: Sets limits within which an enterprise operates and is implemented within processes to monitor performance
b. Culture
c. Enablement and support: Connects the technology element and the process element
d. Emergence: Introduce feedback loops and alignment with process improvement
e. Human factors
f. Architecture
Information security manager
Obtaining senior management commitment
Aligning security objectives with business objectives
Identifying potential consequences
Budget
ROI
Monitoring and auditing
Governance metrics
Effective security metrics
Strong upper level management support
Security policies and procedures
Quantifiable performance metrics
Periodic analysis of metrics data
Strategic alignment
From a business perspective, adequate and sufficient practices proportionate to the requirements are likely to be more cost effective than best practices.
Risk management
Reduce adverse impacts on the organization to an acceptable level
Value delivery
Cost of security being proportional to the value of assets
Well designed controls
Resource management
Infrequent problem rediscovery
Effective knowledge capture and dissemination
Performance measurement
Time it takes to detect and report incidents
Benchmarking comparable organizations
Methods of tracking evolving risks
Assurance integration
No gaps in information asset protection
No security overlaps
Well defined roles and responsibilities
Common pitfalls in developing a security strategy
Overconfidence
Optimism
Anchoring
Status quo bias
Mental accounting
Herding instinct
False consensus
Strategic Objectives
The goal
1. Information is located and identified
2. Asset valuation
3. Level of sensitivity
Business case development
Process
o Introduce project considering value, risk, and relative priority
o Value to the organization
o Allow management to determine the value to the business relative to other alternatives
o Enable management to objectively measure the benefits
Business case format
o Reference
o Context
o Value proposition: Important
o Focus
o Deliverables: important
o Dependencies : critical success factors (CSF)
o Project metrics: KGI, KPI
o Workload
o Resources
o Commitments (Required)
Objectives
o Adaptable
o Consistent
o Business oriented
o Comprehensive
o Understandable
o Measurable
o Transparent
o Accountable
The desired state
Complete snapshot of all relevant conditions at a particular point in the future.
Approaches to get there:
COBIT:
Plan and organize
Acquire and implement
Deliver and support
Monitor and evaluate
CMM
Nonexistent
Ad hoc
Defined process
Managed
Optimized
Balanced scorecard
Learning and growth
Business process
Customer
Financial
ISO 27001/27002
Security policy
Organizing information security
Asset management
Human resources security
Physical and environmental security
Communications and operations
Access controls
Infosec development and maintenance
Infosec incident management
BCP
Compliance
Risk objectives
Developing the right strategy objectives usually needs to be an iterative approach
Process risks pose the greatest hazard, and technical controls are unlikely to adequately compensate for poor management or faulty processes.
Information security strategy
The goal of security is business process assurance
Road map
Consider the initial stages of developing a security architecture
Break down complex projects into a series of shorter-term projects
Shorter projects can serve as checkpoints and opportunities
Resources
Policies, standards, procedures, and guidelines
Architecture
Controls
Countermeasures
Layered defenses
Technologies
Personnel security
Organizational structure
Roles and responsibilities
Skills
Training
Awareness and education
Audits
Compliance enforcement
Threat analysis
Risk assessment
BIA
Resource dependency analysis
Outsourced security providers
Environmental security
Constraints
Legal
Physical
Ethics
Culture
Costs
Personnel
Organizational structure
Resources
Capabilities
Time
Risk tolerance
Action Plan
Gap analysis
o Annually
o Work backward from endpoint to the current state
o Link business objectives with strategy
o Appropriate authority
o Appropriate security approvals
Policy development
Standards development
Training and awareness
Metrics
o KGI:
Completing independent controls testing validation and attestation
Preparation of required statement of control effectiveness
o CSF
Identification, categorization, and definition of controls
Defining appropriate test to determine effectiveness
o KPI
Control effectiveness testing plans
Results of testing control effectiveness
Information Risk Management
Overview
The foundation for effective risk management is a comprehensive risk assessment. Although a computational approach may be used to arrive at various risk aspects, the approach is nevertheless qualitative and subjective to some extent.
Effectiveness is influenced by:
Culture
Mission and objectives
Structure
Products and services
Processes
Practices
Regulatory conditions
Outcomes:
Understanding of the organization’s threat, vulnerability and risk profile
Understanding risk exposure and potential consequences
Awareness of risk management priorities
Organizational risk mitigation strategy
Organizational acceptance based on potential residual risk
Cost effectiveness
Effective information risk management
Development
Context and purpose: Defining the organization, process, project, scope, and establishing goals and objectives. Risk tolerance and appetite.
Scope and charter
Objectives: Based on risk analysis
Methodologies
Implementation team
Roles and Responsibilities
Governing boards and senior management: Ultimate responsibility for mission accomplishment. Ensure adequate resources. Sign off on acceptable risk levels.
CIO: IT planning, budgeting, and performance.
Information Security Manager: responsible for security program
System and information owners: Ensuring proper controls are in place to address CIA.
Business managers: Responsible for business operations
Implementing Risk Management
Process:
1. Establish scope and boundaries
2. Risk assessment
3. Risk treatment
4. Acceptance of residual risk
5. Risk communication and monitoring
Framework
Scope and framework are independent from the particular structure of the management process, methods, and tools to be used for implementation.
External and Internal environment
External: Political, financial, local market, law, regulation, social and cultural.
Internal: Key business drivers, organization's SWOT, internal stakeholders, structure, culture, assets, goals and objectives
Risk management scope
Must provide a balance between costs and benefits
Duration
Full scope of activities
Roles and responsibilities
Activities to be assessed
Risk Assessment
Asset valuation
Vulnerabilities
Threat analysis
Risk mitigation
NIST approach
1. System characterization
2. Threat identification
3. Vulnerability identification
4. Control analysis
5. Likelihood determination
6. Impact analysis
7. Risk determination
8. Control recommendations
9. Results documentation
Aggregated and cascading risk
Aggregated: Minor vulnerabilities that are each acceptable on their own can combine to produce a significant impact.
Cascading: One failure triggers a chain reaction in dependent systems or processes that contributes to an unacceptable impact.
Other
Factor Analysis of Information Risk (FAIR): A taxonomy of risk factors, a method for measuring them, a computational engine, and a simulation model.
Probabilistic Risk Assessment (PRA): A systematic and comprehensive methodology to evaluate the risk associated with a complex engineered technological entity (used by the Nuclear Regulatory Commission).
Identification of risks
Brainstorming
Flow charting
What if
Threats
Natural, unintentional, intentional physical/nonphysical
Vulnerabilities
Poor network design, lack of redundancy, poor management communications, insufficient staff, lack of skills, defective software
Risks
Every organization has a level of risk to accept.
Risk Analysis
Examination of risk sources
Consequences
Likelihood
Assessment of existing controls
Analysis approaches: Quantitative, Qualitative, Semiquantitative
Evaluation of risks
Risk evaluation may lead to a decision to undertake further analysis.
Risk treatment
Terminate
Transfer
Mitigate
Accept
Impact
Impact is the bottom line for risk management. Losses, direct or indirect, can include:
Reputation
Money
Legal liability
Business interruption
Breach
Noncompliance
Controls
Deterrent controls reduce the probability that a threat acts
Preventive controls reduce vulnerabilities
Corrective controls reduce impact
Compensatory controls compensate for increased risk where a primary control cannot be applied
Detective controls discover attacks
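The risk assessment steps above (NIST sequence, aggregated and cascading risk, analysis, treatment selection, control types) are easier to see in a small worked register. The Python below is an added example, not material from the study guide or from ISACA: likelihood bands are read as an annual rate of occurrence (ARO), impact bands as an exposure factor (EF), so risk = ARO x EF x asset value, the classic annualized loss expectancy. The band weights, the treatment decision rule, the control names and every register entry are constructed for illustration.

```python
"""Semiquantitative risk register (added example; all figures constructed).

Mirrors the NIST-style sequence from the guide: characterise the asset,
identify threat and vulnerability, analyse candidate controls, determine
likelihood and impact, compute the risk, recommend a treatment.
"""
from dataclasses import dataclass, field
from math import prod

ARO = {"low": 0.1, "medium": 0.5, "high": 1.0}   # assumed band -> events per year
EF = {"low": 0.1, "medium": 0.5, "high": 1.0}    # assumed band -> fraction of asset value lost


@dataclass
class Control:
    name: str
    kind: str          # deterrent | preventive | detective | corrective (guide's taxonomy)
    reduction: float   # fraction removed from the factor the control acts on
    annual_cost: float


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    asset_value: float
    candidate_controls: list = field(default_factory=list)

    def inherent_ale(self) -> float:
        return ARO[self.likelihood] * EF[self.impact] * self.asset_value

    def residual_ale(self) -> float:
        aro, ef = ARO[self.likelihood], EF[self.impact]
        for c in self.candidate_controls:
            if c.kind in ("deterrent", "preventive"):   # reduce probability / vulnerability
                aro *= 1 - c.reduction
            elif c.kind == "corrective":                 # reduce impact
                ef *= 1 - c.reduction
            # detective controls discover attacks; they do not change this score
        return aro * ef * self.asset_value

    def control_cost(self) -> float:
        return sum(c.annual_cost for c in self.candidate_controls)


def recommend_treatment(risk: Risk, tolerance: float) -> str:
    """Pick one of the guide's four treatments. The rule is an assumption:
    accept if already within tolerance; mitigate if the candidate controls bring
    the risk within tolerance and cost less than the loss they avoid; transfer
    if they work but are not cost effective; otherwise terminate the activity."""
    inherent, residual = risk.inherent_ale(), risk.residual_ale()
    if inherent <= tolerance:
        return "accept"
    if residual <= tolerance and risk.control_cost() <= inherent - residual:
        return "mitigate"
    if residual <= tolerance:
        return "transfer"
    return "terminate"


def aggregated_likelihood(probabilities) -> float:
    """Aggregated risk: probability that at least one of several independent
    minor vulnerabilities is exploited, 1 - prod(1 - p_i)."""
    return 1 - prod(1 - p for p in probabilities)


def cascading_impact(dependencies: dict, failed: str, values: dict) -> float:
    """Cascading risk: total value of everything that depends, directly or
    transitively, on a failed component. dependencies maps component -> consumers;
    a visited set keeps dependency cycles from looping forever."""
    seen, stack, total = set(), [failed], 0.0
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        total += values.get(node, 0.0)
        stack.extend(dependencies.get(node, []))
    return total


# Constructed register entries (hypothetical assets and controls)
RISKS = [
    Risk("customer DB", "SQL injection", "unvalidated input", "high", "high", 1_000_000,
         [Control("WAF + input validation", "preventive", 0.9, 40_000),
          Control("tested backups", "corrective", 0.5, 10_000)]),
    Risk("intranet wiki", "defacement", "missing patches", "medium", "low", 50_000,
         [Control("patch cycle", "preventive", 0.8, 5_000)]),
    Risk("legacy FTP server", "credential theft", "cleartext protocol", "high", "medium", 200_000,
         [Control("network ACL", "preventive", 0.5, 60_000)]),
    Risk("unsupported POS OS", "malware", "no vendor patches", "high", "high", 300_000,
         [Control("endpoint monitoring", "detective", 0.0, 8_000)]),
]


def register(tolerance: float = 60_000) -> dict:
    """Treatment recommendation per asset against an assumed tolerance (max ALE)."""
    return {r.asset: recommend_treatment(r, tolerance) for r in RISKS}


if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.asset:20} inherent={r.inherent_ale():>10,.0f} "
              f"residual={r.residual_ale():>10,.0f} -> {recommend_treatment(r, 60_000)}")
    print("p(any of three p=0.05 flaws exploited):", round(aggregated_likelihood([0.05] * 3), 4))
    deps = {"auth service": ["web portal", "API gateway"], "API gateway": ["mobile app"]}
    vals = {"auth service": 100_000, "web portal": 300_000, "API gateway": 50_000, "mobile app": 150_000}
    print("cascading impact of auth service failure:", cascading_impact(deps, "auth service", vals))
```

Two things the numbers show that the list above only states: the POS entry stays at its inherent value because a detective control alone changes neither likelihood nor impact, and the FTP entry is pushed to transfer purely by the cost check, which is the "cost of security proportional to the value of assets" point from the governance metrics.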
Information Resource valuation
Valuation must be based on the total range of potential losses and impacts
Information Asset Classification
Determine sensitivity and criticality
Business dependency analysis can be used to provide a basis for protective activities if there are resource constraints or other reasons
Locate and identify assets, then assign the appropriate level of sensitivity and criticality
Impact assessment and analysis
System mission, system/data criticality (the system’s value), and system/personnel/data criticality (impact if disclosed) are required to conduct the analysis.
Integration with Life Cycle Processes
Risk management is paramount during SDLC phases for IT system development and during project management life cycles.
Risk monitoring and communication
Monitoring: Key risk indicators (KRIs) can be defined as measures that indicate when an enterprise is subject to risk that exceeds a defined risk level.
Reporting: Reporting significant changes in risk is a primary responsibility of the information security manager.
Information Security Program Development
Overview
Well developed information security strategy
Cooperation and support from management and stakeholders
Outcomes
1. Strategic Alignment: change management practices that ensure business requirements drive security initiatives
2. Risk management: ongoing or continuous process of risk management
3. Value delivery: effective/efficient
4. Resource management: project planning, technology selection and skill acquisition
5. Assurance integration
6. Performance Measurement: progress and monitoring
Information Security Manager Responsibilities
1. Strategy: monitors and makes recommendations
2. Policy: writes and publishes
3. Awareness
4. Implementation: Contributes secure architecture, design, and engineering strategy.
5. Monitoring
6. Compliance
Scope and Charter development
Integrated with corporate objectives
Clearly defined
End users are increasingly accountable
Information security reporting
Active monitoring
Incidents are promptly addressed
Threats and vulnerabilities analyzed
Intrusion testing
Continuous improvement
Challenges:
Cost overruns
New monitoring and metrics requirements
New policies or standards
Pitfalls:
Resistance
Failure of strategy
Increased security results in less job functionality
Ineffective project management
Development Objectives
Defining objectives
Develop the processes and projects that close the gap between the current state and those objectives.
Develop KGI
Residual risks
A business case must address the fact that, regardless of the level of control, residual risk will always remain, and that it may aggregate into levels that are unacceptable.
The Desired State
A state where defined objectives have corresponding KGIs, which in turn have corresponding control objectives. These control objectives should be supported by a control activity which is managed and measurable.
Defining a program development road map
Review Security Level:
Objective
Scope
Constraint
Approach
Result
Program Resources
Documentation: Policies, standards, procedures
Security Architecture: Conceptual layer integrates with business requirements.
Controls
o Logical access: MAC, DAC
o Secure failure: affects availability
o Principle of least privilege
o Compartmentalize to minimize damage
o Segregation of duties
o Transparency
o Trust
o Trust no one
Countermeasures
Technologies
o ACLs
o Choke routers
o Content filtering
o DBMS
o Encryption
o Hashing
o PKI
o Route filtering
o Traffic/packet filtering
Skill, roles and responsibilities
Awareness
Formal audits
Compliance enforcement
Project risk analysis: Possible threats include the following
o Unclear objectives
o Carelessness
o Mistakes
o Deficient strategy
o Poor planning
o Inadequate resources
o Incorrect specifications
o Faulty execution
o Sabotage
Vulnerability analysis
BIA
Resource dependency analysis
Implementing an Information security program
Objectives have been defined
Resources are available
Control objectives have been defined
Security reviews and audits are available
Management support
Integration into life cycle processes
PDCA Methodology
1. Plan: Design, plan, initiate. Create strategy, policies, goals, objectives
2. Do: Execute and control including integration into organizational practices
3. Check: semiannual audits
4. Act: Continuous improvement
Information Infrastructure and Architecture
Objectives
Defined
Precise
Tested
Monitored
Measured
Business View: Business risk model (Contextual layer)
Architect’s View: Control objectives (Conceptual layer)
Designer’s View: Security policies (Logical layer)
Builder’s View: Security rules and procedures (Physical layer)
Tradesman’s View: Security standards (Component layer)
Facilities Manager’s View: Operational risk management (Operational layer)
Development Metrics
A security program comprises technical controls, processes, and people issues
Measurement is a fundamental requirement for security program success
Levels
Strategic: security program on track, on target, and on budget
Management/tactical: policy standards compliance, incident management effectiveness
Operational: Technical metrics
Attributes
Manageable
Meaningful
Actionable
Unambiguous
Reliable
Timely
Predictable
Goals
1. Strategic Alignment:
a. Portfolio of projects
b. Committee charters include data protection
c. Regulatory audit
2. Risk management
a. Design risk
b. Project risk
c. Program development
d. Risk management at the steering committee
3. Value delivery
a. Expected value
b. Cost of work performed
c. Cost variance
d. Cost of internal services
4. Resource management
a. Deficiencies detected and corrected
b. Resource utilization
c. Functions have a backup
5. Assurance integration
a. Assurance providers participating in development, planning, oversight
6. Performance metrics: Metrics on metrics
Information Security Program Management
Overview
Ongoing, largely administrative function
Involves addressing incidents, conducting investigations, protect management, consulting, educating, budgeting, recruiting, and business case development.
Outcomes
1. Strategic alignment:
a. Enumeration of risks, selection of controls, agreement on risk tolerance
b. Consideration of security solutions taking into account enterprise processes as well as culture, cost, governance, and existing technology.
2. Risk management:
a. Develop a comprehensive understanding of threats the organization faces.
3. Value delivery:
a. Security solutions are institutionalized as normal and expected practices
4. Resource management
a. Knowledge is captured and made available to those who need it
5. Performance measurement
a. Good metrics design and implementation
6. Business process assurance
Roles and responsibilities
Information security manager
Alignment to business objectives
Consistent strategy
Corporate culture values security
Interaction with business process owners
Established metrics
Risk management
o Methods for assessing
o Ability to analyze
o Knowledge of risk analysis
o Impact analysis
o Methods of tracking
Technology competencies
Administrative
o Project management
o Service delivery
o Budgeting
o SDLC
Board of directors
Direction, oversight, and requirements for appropriate metrics
Executive management
Sets tone for information security
Steering committee
A communications channel that provides an ongoing basis for aligning the security program with business objectives
The information security manager should clearly define the roles, responsibilities, and scope of the information security steering committee
IT
Configuring security within the actual technical environment
Business unit managers
Ensuring business operations meet security requirements
Identify and escalate security incidents
Management Framework
Conceptual representation of an information security management structure
Technical
1. Native controls
2. Supplemental controls
3. Management controls
Control Analysis
Placement
Effectiveness
Efficiency
Policy
Implementation
Operational
Ongoing management activities
o Procedures
o Security practices
o Maintenance
o IAM
o Change control
o Security metrics collection
o Incident response, investigation, and resolution
Management
Strategic
o Policy review
o Standards implementation
o Threat and risk analysis
Administrative
Financial: TCO, ROI
HR: job description, organizational planning, recruitment, hiring, payroll, termination
Educational
Employee quiz scores
Avg time since last employee training
Assurance integration
Assurance functions provide input, requirements, and feedback
Measuring Performance
Objectives
o Minimize risk
o Support business
o Support compliance
o Maximize productivity
o Maximize cost effectiveness
o Security awareness
o Measure and manage performance
Risk and Loss
Technical vulnerability management
Risk management
Loss prevention
Support of business objectives
Completed objectives that support the business
Compliance
Internal and external audits
Operational productivity
Logs analyzed
Personnel cost savings
Cost effectiveness
Accurate cost forecasting
Total cost of keeping up security program
Organizational awareness
Tracking awareness success
Employee testing
Technical security architecture
Intrusions detected
Blocked attacks
Effectiveness of management framework and resources
Frequency of issue occurrence
Infosec requirements in every project plan
Operational performance
Time between vulnerability detection and resolution
Time to detect, escalate, isolate, and contain incidents
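The KRI definition under "Risk monitoring and communication" and the operational performance metrics above, as an added worked example (not from these notes): time to detect, escalate and contain incidents, and time from vulnerability detection to resolution, are computed from constructed incident and ticket records and then compared against KRI thresholds that mark the defined risk level. The record layout and the threshold values are assumptions made here for illustration.

```python
from datetime import datetime
from statistics import mean

# Constructed incident records (not real data). Each timestamp marks a stage of
# the incident handling process: occurrence, detection, escalation, containment.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T02:10", "detected": "2024-03-01T02:40",
     "escalated": "2024-03-01T03:10", "contained": "2024-03-01T06:40"},
    {"id": "INC-2", "occurred": "2024-03-05T14:00", "detected": "2024-03-05T16:00",
     "escalated": "2024-03-05T16:30", "contained": "2024-03-06T04:00"},
    {"id": "INC-3", "occurred": "2024-03-10T09:00", "detected": "2024-03-10T09:30",
     "escalated": "2024-03-10T10:00", "contained": "2024-03-10T11:30"},
]

# Constructed vulnerability tickets: date found and date fixed.
VULNERABILITIES = [
    {"id": "VULN-1", "detected": "2024-03-02", "resolved": "2024-03-09"},
    {"id": "VULN-2", "detected": "2024-03-03", "resolved": "2024-03-31"},
    {"id": "VULN-3", "detected": "2024-03-04", "resolved": "2024-03-11"},
]

# KRI thresholds in hours. Assumed values for illustration; an organization
# derives its own from its risk appetite.
KRI_THRESHOLDS_H = {
    "mean_time_to_detect": 0.75,
    "mean_time_to_escalate": 1.0,
    "mean_time_to_contain": 8.0,
    "mean_time_to_resolve_vuln": 10 * 24,
}

def hours_between(start: str, end: str) -> float:
    """Elapsed hours between two ISO-8601 timestamps (date-only strings count as midnight)."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def operational_metrics(incidents: list, vulns: list) -> dict:
    """Operational performance metrics from the notes, all expressed in hours."""
    return {
        "mean_time_to_detect": mean(hours_between(i["occurred"], i["detected"]) for i in incidents),
        "mean_time_to_escalate": mean(hours_between(i["detected"], i["escalated"]) for i in incidents),
        "mean_time_to_contain": mean(hours_between(i["detected"], i["contained"]) for i in incidents),
        "mean_time_to_resolve_vuln": mean(hours_between(v["detected"], v["resolved"]) for v in vulns),
    }

def evaluate_kris(metrics: dict, thresholds: dict) -> dict:
    """A KRI is breached when the measured value exceeds the defined risk level."""
    report = {}
    for name, threshold in thresholds.items():
        value = metrics[name]
        report[name] = {
            "value_h": round(value, 2),
            "threshold_h": threshold,
            "status": "breached" if value > threshold else "within",
        }
    return report

if __name__ == "__main__":
    report = evaluate_kris(operational_metrics(INCIDENTS, VULNERABILITIES), KRI_THRESHOLDS_H)
    for name, row in report.items():
        print(f'{name:26} {row["value_h"]:8.2f} h  (limit {row["threshold_h"]:6.2f} h)  {row["status"]}')
```

On the constructed data, detection averages exactly 1.0 hour against a 0.75-hour limit and vulnerability resolution averages 14 days against a 10-day limit, so those two KRIs are the ones the information security manager would report as significant changes in risk; escalation and containment stay within their limits.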
Management challenges
Inadequate management support
Inadequate funding
Inadequate staffing
Determine the State of Information Security
Evaluate program objectives
o Goals alignment
o Objectives alignment
o Collaboration
Evaluate compliance requirement
o Compliance in policies
o Recent audit results
Evaluate program management
o Documentation
o Roles and responsibilities
o Approved policies
o Program accountability
Evaluate security operations
o Standard Operating Procedures (SOP)
o Separation of duties
o Effective operational metrics
Evaluate technical security management
o Technical security standards
o Technical standards uniformly implemented
Evaluate resource levels
o Financial: budget
o HR: skilled people
o Technical: capacity of supporting technologies
Information Security Management Resources
Policies, standards, and procedures
Controls
Countermeasures
Technologies
Skills
Awareness and education
Audits
Compliance enforcement
Threat analysis: at least annually, by evaluating changes in the technical and operating environments of the organization, particularly where external entities are granted access to organizational resources.
Vulnerability analysis
Incremental risk assessments
Resource dependency analysis
Implementing Management
Review Policies and Standards
Security metrics and monitoring
o Must be implemented to determine the ongoing effectiveness
o Monitoring with risk assessments
o Determine success of information security investments
Control testing and modification: Under change control management
Monitoring and communication: SIEM
Documentation
Assurance integration
o Steering committees
o Policies and standards
Acceptable use policies
Change management
Vulnerability assessments
o A vulnerability matters only when there is a threat able to exploit it and the exploitation would cause an impact.
Due diligence
o Senior management support
o Appropriate security education, training, awareness
o Comprehensive policies
o Risk assessments
o Backup recovery
o Compliance efforts
SDLC
o Establishing requirements
o Feasibility
o Architecture and design
o Proof of concept
o Full development
o Integration testing
o Quality and acceptance testing
o Deployment
o Maintenance
o System end of life
Outsourcing
Contracts
o Right to audit
o Notification procedures
o Investigation process
o SLA
o Indemnity clauses to mitigate impacts caused by the service provider
o Data protection
o Privacy laws
Incident Management and Response
Overview
Incident management and response is part of business continuity. It may be less costly to maintain an effective incident management capability than to try to prevent most incidents. It is critical to achieve stakeholder consensus and senior management support.
Response activities:
1. Detect incidents quickly
2. Diagnose incidents accurately
3. Manage them properly
4. Contain and minimize damage
5. Restore affected services
6. Determine root causes
7. Implement improvements to prevent reoccurrence
Incident management and response
Incident Management Planning (IRP) focuses on security breaches. Defining requirements and expectations is primarily the responsibility of business owners. BCP, DR, and IRP must be consistent but not necessarily integrated.
Decisions to be made:
Detection
Severity level: triggers response
Assessment and triage: Effectively manage limited resources during incident
Declaration criteria
Scope of incident management
Response capabilities
Incident handling process
Detection and reporting
Receive and review event information
Triage
Categorize, prioritize, and assign events and incidents
Analysis
Determine what happened
Incident response
Actions taken to resolve or mitigate an incident
Information security manager responsibilities
Developing plan
Handling and coordinating
Validating, verifying, and reporting
Metrics and Indicators
Strategic alignment
Constituency: who are the stakeholders
Mission
Services: manage stakeholders’ expectations
Organizational structure: Provide the business with the maximum availability of IMT services on the most cost-effective basis.
Resources: staffing
Funding
Management buy-in
Risk management
Any risk that materializes becomes an incident
Assurance process integration
Involvement from other business units
Value delivery
Integrate with business processes
Provide assurance to stakeholders
Integrate with BCP
Part of overall strategy
Resource management
Optimal effectiveness
Performance Measurement
Successful handling of incidents
Plan of action
1. Prepare/improve/sustain (Prepare)
2. Protect infrastructure (Protect)
3. Detect events (Detect)
4. Triage events (Triage)
a. Tactical: based on set criteria
b. Strategic: based on the impact on the business
5. Respond
a. Technical
b. Management
c. Legal
Challenges
Lack of business buy-in
Mismatch to organizational goals and structure
IMT member turnover
Lack of communication process
Complex and wide plan
Resources
Policies and standards
Technologies
Personnel
o Central IRT
o Distributed IRT: geographically dispersed
o Coordinating IRT
o Outsourced IRT
Roles and responsibilities
Personal Skills
o Communication
o Presentation skills
o Ability to follow policies and procedures
o Team skills
o Integrity
o Self understanding
o Coping with stress
o Problem solving
o Time management
Technical skills: foundation and handling skills
Awareness and education
Audits
BIA
BIA
Vulnerability analysis is often part of the BIA process. The first step in the incident response management process is to consider the potential impact of each type of incident that may occur. A BIA must establish the escalation of loss over time, identify the minimum resources needed for recovery, and prioritize the recovery of processes and supporting systems.
Goals
1. Criticality prioritization
2. Downtime estimation
3. Resource requirement
Activities
Gathering assessment material
Vulnerability assessment
Analyzing information
Documenting results
Current state of incident response capability
What’s already in place.
History of incidents
Threats: environmental, technical, man-made
Vulnerabilities
Risks
Risk tolerance
Business & incident response integration
RPO/RTO/SDO/MTO (Maximum tolerable outage) integration
Developing an incident response plan
Elements
1. Preparation
2. Identification: chain of custody, ownership of an incident, determining severity
3. Containment: activating the incident management, notifying, controlling
4. Eradication: locating recent backups, improving defenses
5. Recovery: restoring, validating actions taken
6. Lessons learned
Gap analysis
Processes that need to be improved and resources needed to achieve the objectives
Response and recovery plans
Threat mitigation
Eliminate or neutralize a threat
Minimize the likelihood of a threat’s occurrence (The best option)
Minimize the effects of a threat if an incident occurs
Recovery sites
Hot sites
Warm sites
Cold sites
Mobile sites
Duplicate information processing facilities
Mirror sites
Basis for recovery
Interruption window: total time the organization can wait from the point of failure to the restoration of critical services/applications
RTO: Recovery Time Objective
RPO: Recovery Point Objective
SDO: Service Delivery Objective. Level of service to be supported
MTO: Maximum Tolerable Outage. Maximum time the organization can support processing in alternate mode.
Incident management teams
Emergency action team: fire wardens
Damage assessment team
Emergency management team: Coordinating the activities of all other recovery teams and handling key decision making
Relocation team
Security team
Continuity of network services
Redundancy
Alternate routing: Using alternate medium such as fiber optics
Diverse routing: duplicate cable facilities
Long haul network diversity
Last mile circuit protection
Voice recovery
Insurance
IT equipment and facilities
Media reconstruction
Extra expense
Business interruption
Valuable papers
Errors and omissions
Fidelity coverage: Loss from dishonest or fraudulent acts by employees
Media transportation
Testing
Identifying gaps
Verifying assumptions
Testing time lines
Effectiveness of strategies
Performance of personnel
Accuracy and currency of plan information
Types of tests
Checklist review
Structured walkthrough
Simulation test: role play
Parallel test
Full implementation test
Other tests
Table-top walk-through of plans
Table-top walk-through with mock disaster scenarios
Testing infrastructure
Full restoration and recovery with some personnel unfamiliar with systems
Surprise test
Test Results
Verify completeness
Evaluate personnel performance
Level of training and awareness
Evaluate coordination
Retrieval capability
Executing Response and Recovery Plans
It is virtually guaranteed that untested plans will not work.
Ensuring Execution as required
Facilitator or director to direct the tasks within the plans
Independent observer to record progress and document any exceptions
Change management is paramount
Maintenance activities
o Periodic review
o Calling for revisions
o Coordinating scheduled and unscheduled tests to evaluate adequacy
o Participating in scheduled plan test
o Training personnel
o Maintaining records
Forensic Evidence
Requirements
o Disconnecting the power to maximize the preservation of evidence on the hard disk is not universally accepted as the best solution; the information security manager will need to establish the most appropriate approach.
o Trained personnel must use forensic tools to create a bit-by-bit copy of any evidence on hard drives
o Original media must remain unchanged
Legal aspects
o Chain of custody
o Checklists for acquiring technicians
o Detailed activity log
o Signed non-disclosure/confidentiality forms for all technicians involved in recovering evidence
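The acquisition and chain-of-custody requirements above, as an added worked example (not from these notes): a constructed "drive" file stands in for the original media and is imaged bit for bit; the original is hashed before and after acquisition to show it remained unchanged, the copy is verified against that hash, and a detailed activity log doubles as the chain-of-custody record, with a check that every handover is made by the person who currently holds the item. The item id, technician names and the continuity rule are assumptions made here for illustration.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time so a large image never has to fit in memory

def sha256_of(path: str) -> str:
    """Hash a file block by block; the digest is what ties log entries to the evidence."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()

class CustodyLog:
    """Detailed activity log that also serves as the chain of custody for one item."""
    def __init__(self, item_id: str):
        self.item_id = item_id
        self.entries = []

    def record(self, actor: str, action: str, digest: str = "", received_by: str = "") -> None:
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "item": self.item_id, "actor": actor, "action": action,
            "sha256": digest, "received_by": received_by,
        })

    def chain_is_continuous(self) -> bool:
        """The recorded hash must never change, and each handover must be made by
        whoever received the item last (continuity rule assumed for this example)."""
        if len({e["sha256"] for e in self.entries if e["sha256"]}) > 1:
            return False
        holder = None
        for e in self.entries:
            if e["action"] == "acquired":
                holder = e["actor"]
            elif e["action"] == "handover":
                if e["actor"] != holder:
                    return False
                holder = e["received_by"]
        return True

def acquire_image(source: str, image_path: str, technician: str, log: CustodyLog) -> dict:
    """Bit-for-bit copy of the original media (a file here) with before/after hashing,
    so the original can be shown unchanged and the copy verified against it."""
    source_before = sha256_of(source)
    log.record(technician, "acquisition started", source_before)
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK_SIZE)
    image_hash = sha256_of(image_path)
    source_after = sha256_of(source)
    log.record(technician, "acquired", image_hash)
    return {
        "image_hash": image_hash,
        "original_unchanged": source_before == source_after,
        "image_verified": image_hash == source_before,
    }

def verify_image(image_path: str, expected_hash: str) -> bool:
    """Re-hash a working copy before analysis to prove it is still the acquired image."""
    return sha256_of(image_path) == expected_hash

def run_demo() -> dict:
    """Constructed scenario: a fake drive is imaged, handed over twice, then altered."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "suspect-drive.bin")
    image = os.path.join(workdir, "suspect-drive.dd")
    with open(original, "wb") as fh:
        fh.write(bytes(range(256)) * 8192)  # 2 MiB of constructed content
    log = CustodyLog("EV-0001")  # assumed evidence id
    result = acquire_image(original, image, "technician-a", log)
    log.record("technician-a", "handover", result["image_hash"], received_by="analyst-b")
    log.record("analyst-b", "handover", result["image_hash"], received_by="evidence-locker")
    result["chain_ok"] = log.chain_is_continuous()
    result["image_still_valid"] = verify_image(image, result["image_hash"])
    with open(image, "ab") as fh:  # simulate an accidental modification of the copy
        fh.write(b"\x00")
    result["tamper_detected"] = not verify_image(image, result["image_hash"])
    shutil.rmtree(workdir)
    return result

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:20} {value}")
```

In practice the image would be taken with a write blocker and a dedicated imaging tool, and analysis would run on a second copy; what this example shows is the record-keeping that makes the result defensible: hashes captured at each step, an original proven unchanged, and a log from which any break in custody is detectable.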