Monday, April 25, 2016

Chapter 1: Information Security Governance - 24%

Management Process
- Plan (ITIL -> Plan)
- Build (ITIL -> Do)
- Run (ITIL -> Check)
- Monitor (ITIL -> Act)


Information Security Manager's Responsibility
- Define and manage the information security program
- Provide education and guidance to the executive team
- Present options and information to support decision making
- Act as an adviser

Governance depends on business strategy
Technology depends on policy


Objective of Information Security Governance
- Strategic alignment:
   o Aligned with business strategy to support objectives
- Risk management:
   o Mitigate risk and reduce impacts to acceptable levels
- Value delivery:
   o Optimizing security investments in support of objectives
- Resource optimization:
   o Security knowledge/infrastructure used efficiently/effectively
- Performance measurement:
   o Monitoring and reporting to ensure objectives achieved
- Integration:
   o Integrate relevant assurance factors to ensure that processes operate as intended from end to end


Business Goals and Objectives
Goals include:
- Providing strategic direction
- Ensuring that objectives are achieved
- Ascertaining that risk is managed appropriately
- Verifying that the enterprise's resources are used responsibly


Scope and Charter of IS Governance
- Information security deals with all aspects of information
- IT security is concerned with security of information within the boundaries of the technology domain.


Role and Responsibilities of Senior Management
- Board of directors/senior management:
   o Information security governance
- Executive management:
   o Implementing effective security governance and defining the strategic security objectives
- Steering committee:
   o Ensuring that all stakeholders impacted by security considerations are involved
- Chief information security officer (CISO)
   o Responsibilities currently range from the CISO who reports to the CEO to system administrators who have part-time responsibility for security management.


Information Security Role and Responsibilities
Information Security Manager (ISM): (exam topic)
- Develops security strategy with input from key business units and approval of strategy by senior leadership.
- Educates management

Information Security Requires:
- Leadership and ongoing support from senior management.
- Integration with and cooperation from organizational business unit management.
- Establishing reporting and communication channels.


Governance and Third-party Relationships
Rules in processes for:
- Service providers
- Outsourced operations
- Trading partners
- Merged or acquired organization


Effective Security Metrics
- It is difficult or impossible to manage any activity that cannot be measured.
- Standard security metrics may include:
   o Downtime due to viruses
   o Percentage of servers patched
   o Number of penetrations of systems

Governance Implementation Metrics
Key goal indicators (KGIs) and key performance indicators (KPIs) can:
- Be useful in providing information about achievement of process or service goals
- Help determine whether milestones are being met

* KGIs tend to reflect more strategic goals, e.g., the strategic goals of information security governance, whereas KPIs tend to reflect more tactical goals, such as reducing the number of break-ins into systems.


Information Security Strategy Overview
People -> Process -> Output
- Senior management -> Business strategy -> Business objectives
- Steering committee and executive management -> Risk management / information security strategy -> Security attributes
- CISO / steering committee -> Security action plan, policies, standards -> Security programs


Information Security Strategy Objectives
The six major goals of governance are:
- Strategic alignment -> follows the strategic plan
- Effective risk management -> managing impacts
- Value delivery -> delivering value
- Resource management -> managing resources
- Performance management -> managing quality
- Process assurance integration -> processes that build confidence


The Desired State
- The desired state should include a snapshot of all relevant conditions at a particular point in the future: (exam topic)
   o Should include principles, policies and frameworks; processes; organizational structures; culture, ethics and behavior; information; services infrastructure and applications; and people, skills and competencies.
- A "desired state of security" must be defined qualitatively in terms of attributes, characteristics and outcomes:
   o Strategy development will have limits on the types of enforcement methods to consider.

The desired state according to COBIT:
- "Protecting the interests of those relying on information, and the processes, systems and communications that handle, store and deliver the information, from harm resulting from failures of availability, confidentiality and integrity"
- Focus on IT-related processes from IT governance, management and control perspectives.

COBIT 5 is based on five key principles for governance and management of enterprise IT:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single, Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management

The desired state of security may also be defined as levels in the Capability Maturity Model (CMM): (exam topic)
0. Nonexistent -> not done
1. Ad hoc -> done informally
2. Repeatable but intuitive -> produces results
3. Defined process -> has a process
4. Managed and measurable -> can be measured
5. Optimized -> more than one option is available

Balanced Scorecard (exam topic)
A strategic planning and management system that is used extensively in business and industry, government, and nonprofit organizations worldwide to align business activities to the vision and strategy of the organization, improve internal and external communications, and monitor the organization. Its four perspectives:
- Financial
- Customer
- Internal Business Processes
- Learning and Growth




ISO/IEC 27001:2013 - the 14 major areas are:
A.5: Information security policies
A.6: Organization of information security
A.7: Human resource security (controls that are applied before, during, or after employment)
A.8: Asset management
A.9: Access control
A.10: Cryptography
A.11: Physical and environmental security
A.12: Operations security
A.13: Communications security
A.14: System acquisition, development and maintenance
A.15: Supplier relationships
A.16: Information security incident management
A.17: Information security aspects of business continuity
A.18: Compliance


Risk
Current Risk
- The current state of risk must also be assessed through a comprehensive risk assessment
- After risk assessment, a business impact analysis/assessment (BIA) must be performed
   o Shows the impact of adverse events (e.g. outages) over different periods of time
   o Provides some of the information needed to develop an effective strategy
   o The ultimate objective of security is to provide business process assurance, including minimizing the impact of adverse events.
   o The difference between acceptable levels of impact and the current level of potential impact must be addressed by the strategy (exam topic)

Information Security Strategy Development
- Must move from the current state to the desired state (exam topic)
- Basis for creating a road map
- A set of information security objectives coupled with available processes, methods, tools and techniques creates the means to construct a security strategy.

Strategy Resource
The Information Security manager must be aware of:
- Resources that are available
- Cultural or other reasons (e.g., management reluctance to change or modify policies) that certain options are precluded

Strategy Constraints
- Numerous constraints that set boundaries for options available to the ISM exist.
- They need to be thoroughly defined and understood before initiating strategy development.

Action Plan to Implement Strategy
- Implementing an information strategy requires one or more projects or initiatives.
- Analysis of the gap between the current state and the desired state for each defined metric identifies the requirements and priorities for an overall plan or road map to achieve the objectives and close the gaps.

Implementing Security Governance Example
Implementing security governance utilizing the Capability Maturity Model:
- To define objectives (KGIs)
- To determine a strategy
- As a metric for progress
- CMM level 4 is a typical organizational desired state (exam topic)
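The gap analysis and CMM-based road map described in the last few sections, as an added worked example in Python (not from these notes or from the CISM manual). It assumes that each security domain is scored on the 0..5 CMM scale above, that the desired state is level 4 (the typical desired state named above), and, as my own addition, an optional business-criticality weight per domain used to order the road map. The domain names are taken from the ISO/IEC 27001:2013 areas listed on this page; the assessment scores are constructed sample data.

```python
"""CMM gap analysis feeding a security road map (constructed example).

Assumptions (not from the notes): each security domain is scored on the CMM
scale 0..5, the desired state is level 4 by default, and an optional
business-criticality weight (1..3) per domain is used to order the road map.
"""

# The six CMM levels as listed in the notes.
CMM_LEVELS = {
    0: "Nonexistent",
    1: "Ad hoc",
    2: "Repeatable but intuitive",
    3: "Defined process",
    4: "Managed and measurable",
    5: "Optimized",
}


def gap_analysis(current, desired=4, weights=None):
    """Compare current maturity with the desired state, domain by domain.

    Returns road-map items (domains below the desired level) ordered by
    weighted gap, largest first, so the action plan tackles them in that order.
    The desired level per domain is the KGI; the gap is what the plan must close.
    """
    weights = weights or {}
    items = []
    for domain, level in current.items():
        if level not in CMM_LEVELS or desired not in CMM_LEVELS:
            raise ValueError(f"{domain}: {level} is not a CMM level (0..5)")
        gap = desired - level
        if gap <= 0:
            continue  # already at or above the desired state: no action needed
        items.append({
            "domain": domain,
            "current": f"{level} ({CMM_LEVELS[level]})",
            "target": f"{desired} ({CMM_LEVELS[desired]})",
            "gap": gap,
            "priority": gap * weights.get(domain, 1),  # assumed weighting rule
        })
    return sorted(items, key=lambda i: (-i["priority"], i["domain"]))


def gap_closed(baseline, latest, desired=4):
    """KPI for the road map: fraction of the baseline gap closed by the latest assessment."""
    total = sum(max(0, desired - lvl) for lvl in baseline.values())
    remaining = sum(max(0, desired - latest.get(d, lvl)) for d, lvl in baseline.items())
    return 1.0 if total == 0 else (total - remaining) / total


# Constructed assessment data; domain names follow the ISO/IEC 27001 areas above.
BASELINE = {
    "Access control": 2,
    "Cryptography": 3,
    "Supplier relationships": 1,
    "Incident management": 4,
}
WEIGHTS = {"Access control": 3}   # assumed: access control is the most business-critical domain
LATEST = {"Access control": 3, "Cryptography": 3,
          "Supplier relationships": 2, "Incident management": 4}

if __name__ == "__main__":
    for item in gap_analysis(BASELINE, weights=WEIGHTS):
        print(f"{item['domain']:<24} {item['current']:<30} -> {item['target']}"
              f"  gap={item['gap']} priority={item['priority']}")
    print(f"gap closed since baseline: {gap_closed(BASELINE, LATEST):.0%}")
```

Running the module prints the road map with access control first (largest weighted gap), supplier relationships second and cryptography last, and reports a third of the baseline gap closed by the later assessment; incident management is already at the desired level and is left out of the plan.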

==============================================================
Practice Question 1-1
A security strategy is important for an organization PRIMARILY because it provides:
   a. basis for determining the best logical security architecture for the organization.
   b. management intent and direction for security activities.
   c. provides users guidance on how to operate securely in everyday tasks.
   d. helps IT auditors ensure compliance.

Practice Question 1-2
Which of the following is the MOST important reason to provide effective communication about information security?
   a. It makes information security more palatable to resistant employees.
   b. It mitigates the weakest link in the information security landscape.
   c. It informs business units about the information security strategy.
   d. It helps the organization conform to regulatory information security requirements.

Practice Question 1-3
Which of the following approaches BEST helps the information security manager achieve compliance with various regulatory requirements?
   a. Rely on corporate counsel to advise which regulations are the most relevant.
   b. Stay current with all relevant regulations and request legal interpretation.
   c. Involve all impacted departments and treat regulations as just another risk.
   d. Ignore many of the regulations that have no penalties.

Practice Question 1-4
The MOST important consideration in developing security policies is that:
   a. they are based on a threat profile.
   b. they are complete and no detail is left out.
   c. management signs off on them.
   d. all employees read and understand them.

Practice Question 1-5
The PRIMARY objective in creating good procedures is:
   a. to make sure that they work as intended.
   b. that they are unambiguous and meet the standards.
   c. that they be written in plain language and widely distributed.
   d. that compliance can be monitored.

Practice Question 1-6
Which of the following MOST helps ensure that assignment of roles and responsibilities is effective?
   a. Senior management is in support of the assignments.
   b. The assignments are consistent with existing proficiencies (of each individual).
   c. The assignments are mapped to required skill.
   d. The assignments are given on a voluntary basis.

Practice Question 1-7
What is the PRIMARY benefit organizations derive from effective information security governance?
   a. Maintaining appropriate regulatory compliance
   b. Ensuring disruptions are within acceptable levels
   c. Prioritizing allocation of remedial resources
   d. Maximizing return on security investments

Practice Question 1-8
From an information security manager's perspective, the MOST important factors regarding data retention are:
   a. business and regulatory requirements.
   b. document integrity and destruction.
   c. media availability and storage.
   d. data confidentiality and encryption.

Practice Question 1-9
Which role is in the BEST position to review and confirm appropriateness of a user access list?
   a. Data owner
   b. Information security manager
   c. Domain administrator
   d. Business manager

Practice Question 1-10
In implementing information security governance, the information security manager is PRIMARILY responsible for:
   a. developing the security strategy.
   b. reviewing the security strategy.
   c. communicating the security strategy.
   d. approving the security strategy.

Sunday, April 24, 2016

Chapter 2: Information Risk Management and Compliance - 33%

Risk Management Overview
Risk management is:
- A process aimed at achieving an optimal balance between realizing opportunities for gain and minimizing vulnerabilities and loss.
- A process to ensure that loss events are either avoided or their impact is kept within acceptable limits at acceptable cost.

Risk Management Objective
- Manage risks so that they do not have an adverse material impact on business processes.
- Risk is inherent to all business activities.

Risk Management Challenges
There is a high potential for misuse and misunderstanding of key terms:
- Risk
- Threats
- Vulnerabilities
There are many different approaches and techniques:
- Qualitative
- Quantitative - ALE (annualized loss expectancy) / VaR (value at risk)
- Semi-qualitative

Need to operate at multiple levels within the organization:
- Strategic level
- Operational level
- Project level

Risk Model
- All activities have an inherent risk
- Risk has a:
   o Likelihood/probability of occurrence
   o Consequence/business impact

Outcomes of Risk Management
Informed decision making based on understanding of:
- Organization's threat, vulnerability and risk profile
- Risk exposure and potential consequences of compromise

Results in:
- An organizational risk mitigation strategy sufficient to achieve acceptable consequences.
- Organizational acceptance/deference based on an understanding of potential consequences of residual risk.
- Measurable evidence that risk management resources are used in an appropriate and cost-effective manner.

Risk Management Strategy
A risk management strategy:
- Is an integrated business process.
- Has defined objectives.
- Incorporates all of the risk management processes, activities, methodologies and policies adopted and carried out in an organization.

Developing a Risk Management Program
Developing the program requirements: (steps for building the RM program)
- Establish Context and Purpose
- Define Scope and Charter (who has which role, and how each is affected)
- Define Authority, Structure and Reporting
- Ensure Asset Identification, Classification and Ownership (the person ultimately responsible for the asset)
- Determine Objectives
- Determine Methodologies
- Designate Program Development Team

Role and Responsibilities
- Information security risk management is an integral part of security governance:
   o Is the responsibility of the board of directors or the equivalent to ensure that these efforts are effective.
- Management must be involved in and sign off on acceptable risk levels and risk management objectives.

- A steering committee must:
   o Set risk management priorities.
   o Define risk management objectives in terms of supporting business strategy.
- The ISM is responsible for developing, collaborating and managing the information security risk management program to meet the defined objectives.

Concepts
Key information security risk management concepts include:
- Threats
- Vulnerabilities
- Exposures
- Risk
- Impacts
- Controls
- Countermeasures
- Resource valuation (people, equipment)
- Information asset classification
- Criticality
- Sensitivity
- Recovery Time Objectives (RTOs) -> time allowed to recover the system
- Recovery Point Objectives (RPOs) -> period of data loss that can be tolerated
- Service Delivery Objectives (SDOs) -> the number of services to be provided under DR
- Acceptable Interruption Window (AIW) -> period the system is allowed to be down

Other risk management functions related to information security can include:
- Service level agreements (SLAs)
- System robustness and resilience
- Business continuity/disaster recovery
- Business process reengineering
- Project management timelines and complexity
- Enterprise and security architectures
- IT and information security governance
- Systems life cycle management
- Policies, standards and procedures

Risk Management Process
Risk management usually consists of the following processes:
- Establish scope and boundaries
- Risk assessment
- Risk treatment
- Acceptance of residual risk -> implement controls to mitigate the risk
- Risk communication and monitoring

Defining a Risk Management Framework
Risk management frameworks should have similar risk management requirements, including:
- Policy
- Planning and resourcing
- Implementation program
- Management review
- Risk management process
- Risk management documentation

Developing a Risk Profile
A risk profile is essential for effective risk management.
- COBIT 5 approach -> referenced
- Risk register -> kept as a table or a database

Risk Assessment
Numerous risk management models are available including
- COBIT
- OCTAVE
- NIST 800-39
- HB 158-2010
- ISO/IEC 31000  ---> ISMS recommendation
- ITIL
- CRAMM

Identification of Risks
In selecting a risk identification methodology, the following techniques should be considered:
- Team-based brainstorming where workshops can prove effective in building commitment and making use of different experiences.
- Structured techniques such as flow charting, system design review, systems analysis, hazard and operability studies, and operational modeling.
- "What-if" and scenario analysis for less clearly defined situations, such as the identification of strategic risks and processes with a more general structure.

Threats
Threats are usually categorized as:
- Natural -- Flood, fire, cyclones, rain/hail, plagues and earthquakes
- Unintentional -- Fire, water, building damage/collapse, loss of utility services and equipment failure
- Intentional physical -- Bombs, fire, water and theft
- Intentional nonphysical -- Fraud, espionage, hacking, identity theft, malicious code, social engineering, phishing attacks and denial-of-service attacks

Risk Treatment Options
- Terminate the activity:
   o This is exactly what it says: the activity giving rise to the risk is changed or terminated to eliminate the risk
- Transfer the risk:
   o Risk may be reduced to acceptable levels by transferring it to another entity (e.g., an insurance company)
   o Risk may also be transferred by contract to a service provider or other entity
   o The cost of mitigating risk must not exceed the value of the asset
- Mitigate the risk:
   o Controls and countermeasures are used
- Tolerate/accept the risk:
   o Sometimes an identified defined risk may be accepted when the cost of mitigating the risk is too high compared to the value of the asset
   o Accepted risk should be reviewed regularly

Residual Risk
Is the amount of risk that remains after countermeasures and controls have been implemented.

Impact
Impacts are determined by performing a business impact assessment (BIA) and subsequent analysis:
- The BIA helps prioritize risk management.
- When coupled with asset valuations, the BIA provides the basis for the level and types of protection required and the basis for developing a business case for controls.

Costs and Benefits
When considering costs, the total cost of ownership (TCO) must be considered for the full life cycle of the control or countermeasure. This can include such elements as:
- Acquisition costs
- Deployment and implementation costs
- Recurring maintenance costs
- Testing and assessment costs
- Compliance monitoring and enforcement
- Inconvenience to users
- Reduced throughput of controlled processes
- Training in new procedures or technologies as applicable
- End of life decommissioning
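A risk register evaluator that ties together the risk model (likelihood x impact), the treatment options, residual risk, and the cost-benefit rules above, as an added worked example in Python (not from these notes or from the CISM manual). Beyond what the notes state, it assumes 1..5 scales for likelihood and impact, a risk appetite threshold of 6 on the resulting score, the standard quantitative formula ALE = SLE x ARO (the notes only name ALE), and that a control reduces ARO and SLE in proportion to the likelihood and impact points it removes; all register entries and figures are constructed sample data.

```python
"""Risk register evaluator: inherent score, treatment choice, residual risk
and the cost-benefit of a control.  Constructed example, not from the notes.

Assumptions beyond the notes: likelihood and impact are scored 1..5 and
multiplied into a risk score; a risk appetite threshold of 6 on that scale;
ALE = SLE x ARO (the standard annualized loss expectancy formula, which the
notes only name); a control reduces ARO and SLE in proportion to the
likelihood and impact points it removes.
"""
from dataclasses import dataclass
from typing import Optional

RISK_APPETITE = 6   # assumed: a score <= 6 is within the level management has signed off on


@dataclass
class Control:
    name: str
    likelihood_reduction: int   # likelihood points removed (on the 1..5 scale)
    impact_reduction: int       # impact points removed
    tco_total: float            # acquisition, deployment, maintenance, testing, training, decommissioning
    lifetime_years: int

    def annual_cost(self) -> float:
        return self.tco_total / self.lifetime_years


@dataclass
class Risk:
    name: str
    likelihood: int             # 1 rare .. 5 almost certain
    impact: int                 # 1 negligible .. 5 severe (from the BIA)
    asset_value: float          # from asset valuation
    sle: float                  # single loss expectancy (quantitative view)
    aro: float                  # annualized rate of occurrence
    control: Optional[Control] = None

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_levels(self) -> tuple:
        """Likelihood and impact that remain once the control is in place."""
        if self.control is None:
            return self.likelihood, self.impact
        return (max(1, self.likelihood - self.control.likelihood_reduction),
                max(1, self.impact - self.control.impact_reduction))

    def residual_score(self) -> int:
        lik, imp = self.residual_levels()
        return lik * imp

    def ale(self) -> float:
        return self.sle * self.aro

    def ale_after_control(self) -> float:
        lik, imp = self.residual_levels()
        return self.sle * (imp / self.impact) * self.aro * (lik / self.likelihood)


def treatment(risk: Risk) -> str:
    """Choose a treatment option using the rules in the notes."""
    if risk.inherent_score() <= RISK_APPETITE:
        return "accept"                           # within appetite; review regularly
    ctl = risk.control
    if ctl is None:
        return "transfer or terminate"            # no mitigating control identified
    if ctl.annual_cost() > risk.asset_value:      # cost of mitigation must not exceed asset value
        return "accept (mitigation costs more than the asset)"
    if risk.residual_score() <= RISK_APPETITE:
        return "mitigate"
    return "mitigate; residual still above appetite, needs management sign-off"


def net_annual_benefit(risk: Risk) -> float:
    """ALE reduction minus annualized TCO; negative means the control is not worth its cost."""
    if risk.control is None:
        return 0.0
    return (risk.ale() - risk.ale_after_control()) - risk.control.annual_cost()


def sample_register() -> list:
    # Constructed sample data, not real figures.
    mfa = Control("MFA for remote access", likelihood_reduction=4, impact_reduction=0,
                  tco_total=60_000, lifetime_years=3)
    backups = Control("Offsite backups with restore tests", likelihood_reduction=0,
                      impact_reduction=3, tco_total=30_000, lifetime_years=3)
    return [
        Risk("Credential phishing of remote users", 5, 4, 500_000, 200_000, 0.5, mfa),
        Risk("Ransomware on the file server", 3, 5, 400_000, 250_000, 0.2, backups),
        Risk("Lobby kiosk defacement", 2, 2, 5_000, 2_000, 1.0, None),
    ]


if __name__ == "__main__":
    for r in sample_register():
        print(f"{r.name}: inherent={r.inherent_score()} residual={r.residual_score()} "
              f"ALE={r.ale():,.0f} -> {r.ale_after_control():,.0f} "
              f"net/yr={net_annual_benefit(r):,.0f} treatment={treatment(r)}")
```

The two controlled risks come out as "mitigate" with a positive net annual benefit, while the kiosk risk is accepted because its inherent score is already within appetite; a control whose annualized TCO exceeds the asset's value is rejected even though the risk is high, which is the cost rule from the transfer/mitigate options above.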

Third-party Service Providers
Key clauses that should be part of an SLA must include, but are not restricted to:
- Right to audit the vendor's books of accounts and premises
- Right to review their processes
- Insistence on standard operating procedures (SOPs)
- Right to assess the skill sets of the vendor resources
- Advance information if the resources deployed are to be changed

==============================================================
Practice Question 2-1
The overall objective of risk management is to:
   a. eliminate all vulnerabilities, if possible.
   b. determine the best way to transfer risk.
   c. manage risks to an acceptable level.
   d. implement effective countermeasures.

Practice Question 2-2
The information security manager should treat regulatory compliance as:
   a. an organizational mandate.
   b. a risk management priority
   c. a purely operational issue.
   d. just another risk to be treated.

Practice Question 2-3
To address changes in risk, an effective risk management program should:
   a. ensure that continuous monitoring processes are in place.
   b. establish proper security baselines for all information resources.
   c. implement a complete data classification process.
   d. change security policies on a timely basis to address changing risks.

Practice Question 2-4
Information classification is important to properly manage risk PRIMARILY because:
   a. it ensures accountability for information resources as required by roles and responsibilities.
   b. it has a legal requirement under various regulations.
   c. there is no other way to meet the requirements for availability, integrity and auditability.
   d. it is used to identify the sensitivity and criticality of information to the organization.

Practice Question 2-5
Vulnerabilities discovered during an assessment should be:
   a. handled as a risk even though there is no threat.
   b. prioritized for remediation solely based on impact.
   c. a basis for analyzing the effectiveness of controls.
   d. evaluated for threat, impact and cost of mitigation.

Practice Question 2-6
Indemnity agreements (SLA) can be used to:
   a. ensure an agreed-upon level of service.
   b. reduce impacts on organizational resources.
   c. transfer responsibility to a third party.
   d. provide an effective countermeasure to threats.

Practice Question 2-7
Residual risk can be determined by:
   a. assessing remaining vulnerabilities
   b. performing a threat analysis
   c. conducting a risk assessment
   d. implementing a risk transfer

Practice Question 2-8
Data owners are PRIMARILY responsible for creating risk mitigation strategies to address which of the following areas?
   a. Platform security
   b. Entitlement changes -> the custodian looks after this
   c. Intrusion detection
   d. Antivirus controls

Practice Question 2-9
A risk analysis should:
   a. limit the scope to a benchmark of similar companies.
   b. assume an equal degree of protection for all assets.
   c. address the potential size and likelihood of loss.
   d. give more weight to the likelihood vs. the size of loss.

Practice Question 2-10
Which of the following is the FIRST step in selecting the appropriate controls to be implemented in a new business application?
   a. Business impact analysis (BIA)
   b. Cost-benefit analysis
   c. Return on investment (ROI) analysis
   d. Risk assessment

Saturday, April 23, 2016

Chapter 3: Information Security Program Development and Management - 25%

Information Security Program Management Overview
The three elements essential to ensure successful security program design, implementation and ongoing management:
- The execution of a well-developed information security strategy.
- Must be well-designed with cooperation and support from management and stakeholders.
- Effective metrics must be developed.

Information Security Program Development Overview
The ISM must realize that the objectives and expected benefits will work best if defined in business terms.

Implementation of the Information Security Program
A well-executed security program will serve to effectively:
- Design, implement, manage and monitor the security program, transforming strategy into actuality.
- Provide the capabilities to meet security objectives.
- Accommodate changes in security requirements.

Information Security Program Objectives
- Execute the information security strategy in the most cost-effective manner.
- Maximize support of business functions.
- Minimize business disruptions.

Information security program management uses a structured grouping of projects to produce clearly identified business value.

Information Security Program Concepts
A security program implementation effort should include a series of specific control objectives:
- Technical
- Procedural
- Physical

Concepts
Implementing and managing a security program will require the information security manager to understand and have a working knowledge of a number of management and process concepts including:
- System development life cycles (SDLCs)
- Requirements development
- Specification development
- Control objectives
- Control design and development
- Project management
- Business case development
- Business process reengineering
- Budgeting, costing and financial issues
- Deployment and integration strategies
- Training needs assessments and approaches
- Control implementation and testing
- Control monitoring and metrics
- Architectures
- Documentation
- Quality assurance
- Communications
- Problem resolution
- Variance and noncompliance resolution
- Risk management
- Compliance monitoring and enforcement
- Personnel issues

Technology Resource
Technology itself is not a control; technology is used to implement controls:
- It is essential that the Information Security Manager understands where a given technology fits into the basic prevention, detection, containment, reaction and recovery framework.

There are numerous technologies related directly to information security with which the ISM should be familiar including:
- Firewalls
- Routers and switches
- IDS, NIDS, HIDS
- Cryptographic techniques (PKI,AES)
- Digital signatures
- Smart cards


Scope and Charter of an Information Security Program
Since the scope and charter are generally not explicitly stated, the ISM must gain a thorough understanding of the organization's:
- Goals
- Risk appetite and tolerance
- Principles, Policies, Frameworks
- Processes,
- Organizational Structures
- Culture, Ethics and Behaviors
- Information
- Services, Infrastructure and Applications
- People, Skill and Competencies


The Information Security Management Framework
- Should fundamentally describe the information security management components and their interactions.
- Information security management components include:
   o Roles
   o Policies
   o Standard operating procedures -> procedures that everyone must follow
   o Management procedures
   o Security architectures, etc.

ISO/IEC 27001:2013
The ISM should be aware of the breadth of the following information security management control areas:
- A.5: Information security policies
- A.6: Organization of information security
- A.7: Human resource security (controls that are applied before, during or after employment)
- A.8: Asset management
- A.9: Access control
- A.10: Cryptography
- A.11: Physical and environmental security
- A.12: Operations security
- A.13: Communications security
- A.14: System acquisition, development and maintenance
- A.15: Supplier relationships
- A.16: Information security incident management
- A.17: Information security aspects of business continuity management
- A.18: Compliance (with internal requirements, such as policies, and with external requirements, such as laws)

Operational Components
- Operational components are ongoing activities that must be performed because of information security requirements.
- Operational components that are part of an information security program include:
   o Standard operating procedures (SOPs)
   o Business operations security practices
   o Maintenance and administration of security technologies (e.g., identity management, access control administration, and SIEM monitoring and analysis)
- The ISM should determine the operational components needed to implement policies and standards:
   o Should then plan for deployment, monitoring and management of operational components

Management Components
- Set the stage for the information security program
- Take place less frequently than operational components
- Are often responsibility of middle and senior management
- Issues can be escalated to the board level (e.g. oversight)
- Include:
   o Standards development or modification
   o Policy reviews
   o Oversight of initiatives or program execution

Administrative Components
- The ISM must ensure effective administration of the information security program, including matters related to:
   o Finance
   o HR
   o Support functions
- Strong working rapport with Finance and HR departments will help facilitate an effective information security program execution.
- The ISM must balance project efforts and ongoing operational overhead with:
   o Staff headcount
   o Utilization levels
   o External resources
- Resource utilization must be prioritized based on guidance from:
   o Steering committee
   o Executive management
- Workload balancing and external resources help address planned/unplanned spikes in activity

Educational and Information Components
Training and Education:
- Can be considered preventive measures
- Educate employees on:
   o Threats and risks
   o Appropriate practices
   o Repercussions of non-compliance
- Include:
   o Organizational policies and procedures
   o Appropriate Use Policy
   o Protection of Proprietary Information (POPI) Policy
   o Employee monitoring
- Generally communicated and administered by HR function.


Defining an Information Security Program Road Map
Key goals are universal and include:
- Strategic alignment
- Risk optimization
- Resource optimization
- Benefits realization
- Value delivery

An ISM roadmap helps define what each means to a given organization.
Because the ISM rarely begins with a blank slate, the ISM must be able to review* and evaluate the security level of existing:
- Data
- Applications
- Systems
- Facilities
- Processes

*Security reviews need to have an objective, scope, constraints, approach and result

Gap Analysis - Basis for an Action Plan
The ISM must:
- Identify where control objectives are not adequately supported by control activities.
- Establish procedures for continuously monitoring achievement of control objectives.
- Design an information security program with the flexibility to evolve and mature.


Information Infrastructure and Architecture
- Infrastructure - the underlying base or foundation upon which information systems are deployed.
- Security infrastructure - the foundation that enables security resource to be deployed.

When infrastructure is designed and implemented to support policies and standards, the infrastructure is said to be secure.

Enterprise Information Security Architecture
- Information security architecture includes multiple layers ranging from contextual to physical.
- The design is tightly aligned with the purpose. Good architecture is an articulation of policy.


Architecture Implementation
Numerous architectural frameworks have been developed to address the need for an overall, comprehensive model for information systems:
- COBIT
- ITIL
- ISO/IEC 27001:2013
- SABSA
- More

RACI Model
- Responsible
- Accountable
- Consulted
- Informed

Security Awareness, Training and Education
Topics for awareness training (acceptable use policy) can include:
- Choosing passwords wisely and protecting them from exposure
- Avoiding e-mail and web-based malware
- Recognizing social engineering attacks
- Recognizing and reporting security incidents
- Securing electronic and paper media against theft and exposure
- Spotting malware that could lead to identity theft and desktop spying
- Backing up work-related files

Documentation -- exam topic
Primary documentation used to implement the information security program includes:
- Policies
- Standards
- Procedures
- Guidelines

Business Case Development
Purpose of a business case -- exam topic
- Obtain support of influencers and decision makers
- Require those proposing projects to provide a clear proposition
- Enable:
   o comparison between competing projects/proposals
   o objective decision-making
   o measurability of project success against projection

Business case content: (Outcome)
- Reference
- Context
- Value proposition
- Focus
- Deliverables
- Dependencies
- Project metrics
- Workload
- Required resources
- Commitments (importance)

Objectives of the business case process: it should be:
- Adaptable
- Consistent
- Business oriented
- Comprehensive
- Understandable
- Measurable
- Transparent
- Accountable

Information Security Liaison Responsibilities
- Physical/Corporate Security
- IT Audit
- Information Technology Unit
- Business Unit Management
- Human Resources
- Legal Department
- Employees
- Procurement
- Compliance
- Privacy
- Training
- Quality Assurance
- Insurance
- Third Party Management
- Project Management Office


Controls and Countermeasures

Control Categories
Control categories include:
- Preventive
- Detective
- Corrective
- Compensatory
- Deterrent -> diverts attention (discourages attempts)

* What type of control is a backup? -> Corrective
* What type of control is antivirus software? -> Preventive

==============================================================
Practice Question 3-1
When designing an intrusion detection system, the information security manager should recommend that it be placed:
   a. outside the firewall
   b. on the firewall server
   c. on a screened subnet
   d. on the external router

Practice Question 3-2
Which of the following is the BEST metric for evaluating the effectiveness of security awareness training? The number of:
   a. password resets
   b. reported incidents
   c. incidents resolved
   d. access rule violations

Practice Question 3-3
Security monitoring mechanisms should PRIMARILY:
   a. focus on business-critical information
   b. assist owners to manage control risks
   c. focus on detecting network intrusions
   d. record all security violations

Practice Question 3-4
When contracting with an outsourcer to provide security administration, the MOST important contractual element is the:
   a. right-to-terminate clause
   b. limitations of liability
   c. service level agreement (SLA)
   d. financial penalties clause

Practice Question 3-5
Which of the following is MOST effective in preventing security weaknesses in operating systems?
   a. Patch management
   b. Change management
   c. Security baselines
   d. Configuration management

Practice Question 3-6
Which of the following is the MOST effective solution for preventing internal users from modifying sensitive and classified information?
   a. Baseline security standards
   b. System access violation logs
   c. Role-based access controls
   d. Exit routines

Practice Question 3-7
Which of the following is the MOST important consideration when implementing an intrusion detection system (IDS)?
   a. Tuning
   b. Patching
   c. Encryption
   d. Packet filtering

Practice Question 3-8
Which of the following practices is BEST used to remove system access for contractors and other temporary users when it is no longer required?
   a. Log all account usage and send it to their manager
   b. Establish predetermined automatic expiration dates
   c. Require managers to email security when the user leaves
   d. Ensure that each individual has signed a security acknowledgement

Practice Question 3-9
Which of the following is MOST important for a successful information security program?
   a. Adequate training on emerging security technologies
   b. Open communication with key process owners
   c. Adequate policies, standards and procedures
   d. Executive management commitment

Practice Question 3-10
An enterprise is implementing an information security program. During which phase of the implementation should metrics be established to assess the effectiveness of the program over time?
   a. Testing
   b. Initiation
   c. Design
   d. Development

Friday, April 22, 2016

Chapter 4: Information Security Incident Management - 18%

Incident Response Procedures
Incident response procedures (IRP) enable a business to:
- respond effectively when an incident occurs (used to cope with the incident).
- continue operations in the event of disruption (used to keep operating).
- survive interruptions or security breaches in information systems.

Plans must be:
- Clearly documented.
- Readily accessible.
- Based on the long-range IT plan.
- Consistent with the overall business continuity and security strategies (aligned with the BCP and the security strategy).

The process of developing and maintaining an appropriate plan for the defined scope of incident management and response should include:
- Incident Response Planning -> security breach/interruption
- Business Continuity Planning -> interruption
- Disaster Recovery Planning -> system recovery

Concepts
Incident handling is one service that involves all the processes or tasks associated with handling events and incidents. It involves multiple functions:
- Detection and reporting -> detect, then report
- Triage -> classify and prioritize
- Analysis -> analyze
- Incident response -> respond

Incident response is the last step in an incident handling process.
It encompasses:
- Planning, coordination, and execution of any appropriate mitigation.
- Recovery strategies and actions.

Responsibilities
The ISM's incident response-related responsibilities include:
- Developing the information security incident management and response plans.
- Handling and coordinating information security incident response activities effectively and efficiently.
- Validating, verifying and reporting on protective or countermeasure solutions, both technical and administrative.
- Planning, budgeting and program development for all matters related to information security incident management and response.

Incident response goals include:
- Containing and minimizing the effects of the incident so that damage and losses do not escalate out of control.
- Notifying the appropriate people for the purpose of recovery or to provide needed information.
- Recovering quickly and efficiently from security incidents.
- Responding systematically and decreasing the likelihood of recurrence.
- Balancing operational and security processes.
- Dealing with legal and law enforcement-related issues.

The ISM must define what constitutes a security-related incident: (by Scenario)
- Malicious code attacks
- Unauthorized access to IT or information resources
- Unauthorized utilization of services
- Unauthorized changes to systems, network devices or information
- Denial of service
- Misuse
- Surveillance and espionage (theft of information)
- Hoaxes/social engineering

Senior Management Commitment
- Senior management commitment is critical to the success of incident management and response.
- Incident management and response:
   o Is a component of risk management -> part of risk management
   o Needs the same level of support from the top


Incident Management Resources
- Develop a clear scope and objective  [first]
- Develop an implementation strategy   [then]

Policies and Standards
The incident response plan must be backed up with well-defined policies, standards and procedures. This helps:
- Ensure activities are aligned with Incident Management Team (IMT) mission
- Set correct expectations -> set targets accurately
- Provide guidance on operational needs
- Maintain consistency and reliability of services
- Clearly understand roles and responsibilities
- Set requirements for identified alternates for all important functions -> resource requirements

Incident Response Technology Concepts
IRT members should be familiar with:
- Basic Security Principles

IRT members must understand the impact on organizational systems, including:
- Security vulnerabilities/weaknesses
- Internet
- Operating system(s)
- Malicious code
- Programming skills

Personnel
Composition of IMT:
- Information Security Manager
- Steering Committee/Advisory Board
- Perm/Dedicated Team Members
- Virtual/Temp Team Members

Team organizational types (organizational styles):
- Centralized IRT
- Distributed IRT
- Coordinating IRT
- Outsourced IRT

Awareness and Education
Incident response training must include the following target groups:
- End users
- Management
- IMT team
- General IT team -> system custodians

Detailed Plan of Action for Incident Management
- The incident management action plan is also known as the incident response plan (IRP).
- There are a number of approaches to developing the IRP.
- In the CMU/SEI technical report titled Defining Incident Management Processes, the approach is as follows:
1. Prepare/improve/sustain
2. Protect infrastructure
3. Detect events
4. Triage events (priority)
5. Respond

Developing an Incident Response Plan
CIAC (and later the SANS Institute) propose the following incident response phases:
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons learned

1. Preparation
- This phase prepares an organization to develop an incident response plan prior to an incident. Sufficient preparation facilitates smooth execution.
- Activities in this phase include:
   o Establishing an approach to handle incidents
   o Establishing policies and warning banners in information systems to deter intruders and allow information collection.
   o Establishing a communication plan for stakeholders.
   o Developing criteria for when to report an incident to the authorities.
   o Developing a process to activate the incident management team.
   o Establishing a secure location to execute the incident response plan.
   o Ensuring equipment needed is available.

2. Identification
- This phase aims to verify whether an incident has happened and find out more details about it. Reports on possible incidents may come from information systems, end users or other organizations. Not all reports are valid incidents, as they may be false alarms or may not qualify as an incident.
- Activities in this phase include:
   o Assigning ownership of an incident or potential incident to an incident handler.
   o Verifying that the reports or events qualify as an incident.
   o Establishing chain of custody during identification when handling potential evidence.
   o Determining the severity of an incident and escalating it as necessary.

3. Containment
- After an incident has been identified and confirmed, the IMT is activated and information from the incident handler is shared.
- The team will conduct a detailed assessment and contact the system owner or business manager of the affected information systems/assets to coordinate further action.
- The action taken in this phase is to limit the exposure. Activities in this phase include:
   o Activating the incident management/response team to contain the incident.
   o Notifying appropriate stakeholders affected by the incident.
   o Obtaining agreement on actions taken that may affect the availability of a service, or on the risks of the containment process.
   o Getting the IT representative and relevant virtual team members involved to implement containment procedures.
   o Obtaining and preserving evidence.
   o Documenting and taking backups of actions from this phase onward.
   o Controlling and managing communication to the public by the public relations team.

4. Eradication
- When containment measures have been deployed, it is time to determine the root cause of the incident and eradicate it.
- Eradication can be done in a number of ways:
   o restoring backups to achieve a clean state of the system,
   o removing the root cause
   o improving defenses
   o performing vulnerability analysis to find further potential damage from the same root cause.
- Activities in this phase include:
   o Determining the signs and cause of incidents
   o Locating the most recent version of backups or alternative solutions
   o Removing the root cause. In the event of worm or virus infection, it can be removed by deploying appropriate patches and updated antivirus software.
   o Improving defenses by implementing protection techniques
   o Performing vulnerability analysis to find new vulnerabilities introduced by the root cause

5. Recovery
- This phase ensures that affected systems or services are restored to a condition specified in the service delivery objectives (SDO - the period during which the backup system is used) or business continuity plan (BCP - the system recovery period). The time constraint up to this phase is documented in the RTO.
- Activities in this phase include:
   o Restoring operations to normal
   o Validating that actions taken on restored systems were successful
   o Getting involvement of system owners to test the system
   o Facilitating system owners to declare normal operation

6. Lessons learned
- At the end of the incident response process, a report should be developed to share what has happened, what measures were taken and the results after the plan was executed.
- The report should contain lessons learned that provide the IMT and other stakeholders with valuable learning points on what could have been done better.
- These lessons should be developed into a plan to enhance the incident management capability and the documentation of the incident response plan. Activities in this phase include:
   o Writing the incident report
   o Analyzing issues encountered during incident response efforts
   o Proposing improvements based on issues encountered
   o Presenting the report to relevant stakeholders
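The six phases above, together with the chain-of-custody and action-documentation activities listed under Identification and Containment, as an added Python illustration (not code from these notes or from ISACA; the class, method and field names are my own assumptions):

```python
"""Minimal incident tracker: enforces the six CIAC/SANS phases in order and
keeps a hash-chained log of actions and evidence custody (added example)."""
import hashlib
import json
from datetime import datetime, timezone

# The CIAC/SANS phases in the order given in the notes.
PHASES = ["Preparation", "Identification", "Containment",
          "Eradication", "Recovery", "Lessons learned"]

GENESIS = "0" * 64  # chain anchor for the first log entry (assumed value)


class Incident:
    """One incident, tracked from Preparation to Lessons learned."""

    def __init__(self, incident_id, handler, severity):
        self.incident_id = incident_id
        self.handler = handler      # ownership assigned at Identification
        self.severity = severity    # drives escalation decisions
        self.phase_index = 0
        self.log = []               # append-only, hash-chained entries

    @property
    def phase(self):
        return PHASES[self.phase_index]

    def _append(self, entry):
        """Chain the entry to its predecessor so alteration is detectable."""
        entry["prev"] = self.log[-1]["hash"] if self.log else GENESIS
        entry["ts"] = datetime.now(timezone.utc).isoformat()
        body = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(body).hexdigest()
        self.log.append(entry)
        return entry["hash"]

    def record_action(self, actor, action):
        """Document an action taken (Containment onward in the notes)."""
        return self._append({"type": "action", "phase": self.phase,
                             "actor": actor, "action": action})

    def take_custody(self, actor, evidence, label):
        """Record who received which evidence (by digest) and when."""
        digest = hashlib.sha256(evidence).hexdigest()
        return self._append({"type": "custody", "phase": self.phase,
                             "actor": actor, "label": label, "sha256": digest})

    def advance(self):
        """Move to the next phase; phases cannot be skipped or revisited."""
        if self.phase_index == len(PHASES) - 1:
            raise ValueError("incident is already in its final phase")
        self.phase_index += 1
        self._append({"type": "phase", "phase": self.phase})
        return self.phase

    def verify_log(self):
        """Recompute the chain; False means an entry was altered or spliced out."""
        prev = GENESIS
        for e in self.log:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

The hash chain only makes silent editing of earlier entries detectable; the log itself still has to be kept where the responders cannot rewrite it (the "secure location" of the Preparation phase).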

Gap Analysis - Basis for an Incident Response Plan
- Gap analysis - compares current incident response capabilities with the desired level.
- By comparing the two levels, the following may be identified:
   o Processes that need to be improved to be more efficient and effective
   o Resources needed to achieve the objectives for the incident response capability.

Business Impact Assessment
- A BIA should:
   o Determine the loss to the organization resulting from a function being unavailable
   o Establish the escalation of that loss over time
   o Identify the minimum resources needed for recovery
   o Prioritize the recovery of processes and supporting systems
- Create a report to aid stakeholders in understanding what impact an incident would have on the business.
- A successful BIA requires participation from:
   o Senior management  -> approves
   o IT  -> custodian
   o End-user personnel  -> owner

Incident Management and Response Teams
Number of teams depends upon size of organization and magnitude of operations - examples include:
- The emergency action team  -> first to reach the scene
- Damage assessment team -> assesses the damage
- Emergency management team -> directs the response
- Relocation team  -> moves operations to the alternate site
- Security team

Recovery Site
Types of offsite backup hardware facilities available include:
- Hot sites  -> critical systems in place
- Warm sites  -> critical equipment in place
- Cold sites  -> empty room
- Mobile sites -> truck
- Duplicate sites -> same as the primary site
- Mirror sites -> run in parallel with the primary system

Basis for Recovery Site Selections
Response and recovery strategy should be based on the following considerations:
- Interruption window -> the gap
- RTOs -> systems
- RPOs -> data
- Services delivery objectives (SDOs) -> the period of switching over to the alternative site
- Maximum tolerable outages (MTOs) -> the longest period the alternative site can be used
- Proximity factors -> similar events occurring in the same geographic area
- Location -> distance between the incident location and the alternative site
- Nature of probable disruptions -> the nature of the event, e.g., how many hours the event will last

Reciprocal Agreements
Alternatives available for securing backup hardware and physical facilities include:
- A vendor or third party
- Off-the-shelf -- to make use of this approach, several strategies must be employed:
   o Avoiding the use of unusual and hard-to-get equipment
   o Regularly updating equipment to keep current
   o Maintaining software compatibility to permit the operation of newer equipment

Impact Analysis with Incident Response
The ISM needs to:
- Oversee the development of response and recovery plans to ensure that they are properly designed and implemented.
- Ensure resources required to continue the business are identified and recorded.
- Identify and validate response and recovery strategies.
- Obtain senior management approval of strategies.
- Oversee the development of comprehensive response and recovery plans.

High-Availability Considerations
The plan must also address fault-tolerant systems:
- Fail-safe servers using clusters or load balancing.
- Redundant Array of Inexpensive Disks (RAID)

Types of Tests
Tests that are progressively more challenging can include:
- Table-top walk-through of the plans
- Table-top walk-through with mock disaster scenarios
- Testing the infrastructure and communication components of the recovery plan
- Testing the infrastructure and recovery of the critical applications
- Testing the infrastructure, critical applications and involvement of the end users
- Full restoration and recovery tests with some personnel unfamiliar with the systems
- Surprise tests

==============================================================
Practice Question 4-1
The PRIMARY goal of a postincident review is to:
   a. gather evidence for subsequent legal action.
   b. identify individuals who failed to take appropriate action.
   c. prepare a report on the incident for management.
   d. derive ways to improve the response process.

Practice Question 4-2
Which of the following is the MOST appropriate quality that an incident handler should possess?
   a. Presentation skill for management report
   b. Ability to follow policy and procedures
   c. Integrity
   d. Ability to cope with stress

Practice Question 4-3
What is the PRIMARY reason for conducting triage?
   a. Limited resources in incident handling
   b. As a part of the mandatory process in incident handling
   c. To mitigate an incident
   d. To detect an incident

Practice Question 4-4
Which of the following is MOST important when deciding whether to build an alternate facility or subscribe to a hot site operated by a third party?
   a. Cost to rebuild information processing facilities
   b. Incremental daily cost of losing different systems
   c. Location and cost of commercial recovery facilities
   d. Estimated annualized loss expectancy (ALE) from key risks

Practice Question 4-5
Which of the following documents should be contained in a computer incident response team (CIRT) manual?
   a. Risk assessment
   b. Severity criteria
   c. Employee phone directory
   d. Table of all backup files

Practice Question 4-6
Which of the following types of insurance coverage would protect an organization against dishonest or fraudulent behavior by its own employees? (employee dishonesty)
   a. Fidelity
   b. Business interruption
   c. Valuable papers and records
   d. Business continuity

Practice Question 4-7
Which of the following practices would BEST ensure the adequacy of a disaster recovery plan?
   a. Regular reviews of recovery plan information
   b. Table top walk-through of disaster recovery plans
   c. Regular recovery exercises using expert personnel
   d. Regular audits of disaster recovery facilities

Practice Question 4-8
Which of the following procedures would provide the BEST protection if an intruder or malicious program has gained superuser (e.g., root) access to a system?
   a. Prevent the system administrator(s) from accessing the system until it can be shown that they were not the attackers.
   b. Inspect the system and intrusion detection output to identify all changes and then undo them.
   c. Rebuild the system using original media.
   d. Change all passwords then resume normal operations.

Practice Question 4-9
Which of the following is likely to be the MOST significant challenge when developing an incident management plan?
   a. Plan does not align with organizational goals
   b. Implementation of log centralization, correlation and event tracking
   c. Development of incident metrics
   d. Lack of management support and organizational consensus

Practice Question 4-10
If a forensics copy of a hard drive is needed, the copied data is MOST defensible from a legal standpoint if which of the following is used?
   a. A compressed copy of all contents of the hard drive
   b. A copy that includes all files and directories
   c. A bit-by-bit copy of all data
   d. An encrypted copy of all contents of the hard drive