The three elements essential to ensure successful security program design, implementation and ongoing management:
- The execution of a well-developed information security strategy.
- Must be well-designed with cooperation and support from management and stakeholders.
- Effective metrics must be developed.
Information Security Program Development Overview
The ISM must realize that the objectives and expected benefits will work best if defined in business terms.
Implement of Information Security Program
A well-executed security program will serve to effectively:
- Design, implement, manage and monitor the security program, transforming strategy into actuality.
- Provide the capabilities to meet security objectives.
- Accommodate changes in security requirements.
Information Security Program Objectives
- Execute the information security strategy in the most cost-effective manner.
- Maximize support of business functions.
- Minimize business disruptions.
Information security program management uses a structured grouping of projects to produce clearly identified business value.
Information Security Program Concepts
A security program implementation effort should include a series of specific control objectives:
- Technical
- Procedural
- Physical
Concepts
Implementing and managing a security program will require the information security manager to understand and have a working knowledge of a number of management and process concepts including:
- System development life cycles (SDLCs) - Control implementation and testing
- Requirements development - Control monitoring and metrics
- Specification development - Architectures
- Control objectives - Documentation
- Control design and development - Quality assurance
- Project management - Communications
- Business case development - Problem resolution
- Business process reengineering - Variance and noncompliance resolution
- Budgeting, costing and financial issues - Risk management
- Deployment and integration strategies - Compliance monitoring and enforcement
- Training needs assessments and approaches - Personnel issues
Technology Resource
Technology itself is not a control-technology is used to implement controls:
- It is essential that Information Security Manager understand where a given technology fits into the basic prevention, detection containment, reaction and recovery framework.
There are numerous technologies related directly to information security with which the ISM should be familiar including:
- Firewalls
- Routers and switches
- IDS, NIDS, HIDS
- Cryptographic techniques (PKI,AES)
- Digital signatures
- Smart cards
Scope and Charter of an Information Security Program
Since the scope and charter are generally not explicitly stated, the ISM must gain a thorough understanding of the organization's:
- Goals
- Risk appetite and tolerance
- Principles, Policies, Frameworks
- Processes,
- Organizational Structures
- Culture, Ethics and Behaviors
- Information
- Services, Infrastructure and Applications
- People, Skill and Competencies
The Information Security Management Framework
- Should fundamentally describe the information security management components and their interactions.
- Information security management components include:
o Roles
o Policies
o Standard operating procedures --> procedure ที่ทุกคนต้องปฏิบัติ
o Management procedures
o Security architectures, etc.
ISO/IEC 27001:2013
The ISM should be aware of the breadth of the following information security management control areas:
- A.5: Information security policies
- A.6: Organization of information security
- A.7: Human resource security (controls that are applied before, during or afet employment)
- A.8: Asset control
- A.9: Access control
- A.10: Cryptography
- A.11: Physical and environmental security
- A.12: Operations security
- A.13: Communications security
- A.14: System acquisition, development and maintenance
- A.15: Supplier relationships
- A.16: Information security incident management
- A.17: Information security aspects of business continuity management
- A.18: Compliance (with internal requirements, such as policies, and with external requirements, such as laws)
Operational Components
- Operational components are ongoing activities that must be performed because of information security requirements.
- Operational components that are part of an information security program include:
o Standard operating procedures (SOPs)
o Business operations security practices
o Maintenance and administration of security technologies (e.g., identity management, access control administration, and SIEM monitoring and analysis
- The ISM should determine the operational components needed to implement policies and standards:
o Should then plan for deployment, monitoring and management of operational components
Management Components
- Set the stage for the information security program
- Take place less frequently than operational components
- Are often responsibility of middle and senior management
- Issues can be escalated to the board level (e.g. oversight)
- Include:
o Standards development or modification
o Policy reviews
o Oversight of initiatives or program execution
Administrative Components
- The ISM must ensure effective administration of the information security program include matters related to:
o Finance
o HR
o Support functions
- Strong working rapport with Finance and HR departments will help facilitate an effective information security program execution.
- The ISM must balance project efforts and ongoing operational overhead with:
o Staff headcount
o Utilization levels
o External resources
- Resource utilization must be prioritized based on guidance from:
o Steering committee
o Executive management
- Workload balancing and external resources help addresses planned/unplanned spikes in activity
Educational and Information Components
Training and Education:
- Can be considered preventive measures
- Educate employees on:
o Threats and risks
o Appropriate practices
o Repercussions of non-compliance
- Include:
o Organizational policies and procedures
o Appropriate Use Policy
o Protection of Proprietary Information (POPI) Policy
o Employee monitoring
- Generally communicated and administered by HR function.
Defining an Information Security Program Road Map
Key goals are universal and include:
- Strategic alignment
- Risk optimization
- Resource optimization
- Benefits realization
- Value delivery
An ISM roadmap helps define what each means to a given organization.
Because the ISM rarely begins with a blank slate, the ISM must be able to review* and evaluate the security level of existing:
- Data
- Applications
- Systems
- Facilities
- Processes
*Security reviews need to have an objective, scope, constraints, approach and result
Gap Analysis - Basis for an Action Plan
The ISM must:
- Identify where control objectives are not adequately supported by control activities.
- Establish procedures for continuously monitoring achievement of control objectives.
- Design and information security program with the flexibility to evolve and mature.
Information Infrastructure and Architecture
- Infrastructure - the underlying base or foundation upon which information systems are deployed.
- Security infrastructure - the foundation that enables security resource to be deployed.
When infrastructure is designed and implemented to support policies and standards, the infrastructure is said to be secure.
Enterprise Information Security Architecture
- Information security architecture includes multiple layers ranging from contextual to physical.
- The design is tightly aligned with the purpose. Good architecture is an articulation of policy.
Architecture Implementation
Numerous architectural frameworks have been developed to address the need for overall comprehensive model for information systems:
- COBIT
- ITIL
- ISO/IEC 27001:2013
- SABSA
- More
RACI Model
- Responsible
- Accountable
- Consulted
- Informed
Security Awareness, Training and Education
Topic for awareness training (Acceptable used policy) can include topics such as:
- Choosing password wisely and protecting them from exposure
- Avoiding e-mail and web-based malware
- Recognizing social engineering attacks
- Recognizing and reporting security incidents
- Securing electronic and paper media against theft and exposure
- Spotting malware that could lead to identity theft and desktop spying
- Backing up work-related files
Documentation -- ข้อสอบ
Primary documentation used to implement the information security program includes:
- Policies
- Standards
- Procedures
- Guidelines
Business Case Development
Purpose of a business case -- ข้อสอบ
- Obtain support of influencers and decision makers
- Require those proposing projects to provide a clear proposition
- Enable:
o comparison between competing projects/proposals
o objective decision-making
o measurability of project success against projection
Business case content: (Outcome)
- Reference
- Context
- Value proposition
- Focus
- Deliverables
- Dependencies
- Project metrics
- Workload
- Required resources
- Commitments (importance)
Objectives of the business case process is to be:
- Adaptable
- Consistent
- Business oriented
- Comprehensive
- Understandable
- Measureable
- Transparent
- Accountable
Information Security Liaison Responsibilities
- Physical/Corporate Security - Procurement
- IT Audit - Compliance
- Information Technology Unit - Privacy
- Business Unit Management - Training
- Human Resources - Quality Assurance
- Legal Department - Insurance
- Employees - Third Party Management
- Project Management Office
Controls and Countermeasures
Control Categories
Control categories include:
- Preventive
- Detective
- Corrective
- Compensatory
- Deterrent -> เบี่ยงเบนความสนใจ
* Backup เป็น Control ประเภทใด? -> Corrective
* Malware Antivirus เป็น Control ประเภทใด? -> Preventive
==============================================================
Practice Question 3-1
When designing an intrusion detection system, the information security manager should recommend that it be placed:
a. outside the firewall
b. on the firewall server
c. on a screened subnet
d. on the external router
Practice Question 3-2
Which of the following is the BEST metric for evaluating the effectiveness of security awareness training? The number of:
a. password resets
b. reported incidents
c. incidents resolved
d. access rule violations
Practice Question 3-3
Security monitoring mechanisms should PRIMARILY:
a. focus on business-critical information
b. assist owners to manage control risks
c. focus on detecting network intrusions
d. record all security violations
Practice Question 3-4
When contracting with an outsourcer to provide security administration, the MOST important contractual element is the:
a. right-to-terminate clause
b. limitations of liability
c. service level agreement (SLA)
d. financial penalties clause
Practice Question 3-5
Which of the following is MOST effective in preventing security weaknesses in operating systems?
a. Patch management
b. Change management
c. Security baselines
d. Configuration management
Practice Question 3-6
Which of the following is the MOST effective solution for preventing internal users from modifying sensitive and classified information?
a. Baseline security standards
b. System access violation logs
c. Role-based access controls
d. Exit routines
Practice Question 3-7
Which of the following is the MOST important consideration when implementing an intrusion detection system (IDS)?
a. Tuning
b. Patching
c. Encryption
d. Packet filtering
Practice Question 3-8
Which of the following practices is BEST used to remove system access for contractors and other temporary users when it is no longer required?
a. Log all account usage and send it to their manager
b. Establish predetermined automatic expiration dates
c. Require managers to email security when the user leaves
d. Ensure that each individual has signed a security acknowledgement
Practice Question 3-9
Which of the following is MOST important for a successful information security program?
a. Adequate training on emerging security technologies
b. Open communication with key process owners
c. Adequate policies, standards and procedures
d. Executive management commitment
Practice Question 3-10
An enterprise is implementing an information security program. During which phase of the implementation should metrics be established to assess the effectiveness of the program over time?
a. Testing
b. Initiation
c. Design
d. Development
CISSP training.
ReplyDeleteHi, This is a great article. Loved your efforts on it buddy. Thanks for sharing this with us. ceh v10.
ReplyDelete