Domain 3: Information Security Program Development and Management

Question 1

ISC2 Canons of Ethics

Answer 1

Code of Ethics Canons:

1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.

Question 2

3 essential elements of an information security program

Answer 2

3 essential elements of an information security program

1. Strategy closely aligned with objectives
2. Support from Senior Management
3. Effective metrics to monitor effectiveness of program and achieving of objectives and goals

Question 3

6 Outcomes of Information Security Governance/Program Management

Answer 3

ACRONYM (RRAPS-V)

• These 6 outcomes should be considered as the basis for developing the objectives of an effective information security program;

1. Strategic Alignment - effective alignment of security with business objectives require regular interaction with business owners or steering committee and an understanding of their plans and objectives; regular reports to management should include performance metrics of issues and objective; alignment must take into consideration cost, culture, governance, existing technology, structure, and processes;
2. Risk Management - Risk landscape is always changing and there important to have continuous process of Risk Management during program Development, Implementation, and Evolution; ISM must have a clear understanding of threats, vulnerabilities, the organization’s risk profile, and risk appetite; Risk analysis must be based on business requirements;
3. Value Delivery - program should deliver clear value to organization; ISM should ensure standard set of practices are followed and the security baseline is proportionate to risk; prioritizing efforts to allocate limited resources to areas of greatest need and benefit
4. Resource Management - use of people, technology, and processes efficiently by documenting processes, practices, security architecture to show resource needs or shortfalls for good resource management
5. Performance Measurement - After a strategy has been developed, there should be meaningful metrics to measure progress and monitor activities to demonstrate whether objectives have been met; Metrics should be agreed on by management;
6. Assurance Process Integration - ISM should develop formal relationships with other assurance providers and integrate those activities with information security; This might include physical security, HR, Risk Mgmt, DR, insurance, etc; Goal is to increase information assurance and predictability of business operations; reduce all risk to an acceptable level

Question 4

• Information Security Program Objectives
• Defining Objectives
• Examples of Primary Drivers
• Scope and Charter of an Information Security Program
• Steps in Information Security Program Development

Answer 4

• Information Security Program Objectives - the primary task sit to turn high-level strategy into logical and physical reality through a series of projects and initiatives
  
  • Defining Objectives - determining forces that drive business needs will help clarify objectives; Once objectives have been defined, develop projects that close the gap between current state and the objectives; define meaningful metrics to measure effectiveness of program
  • Examples of Primary Drivers

1. regulatory compliance
2. high frequency and cost of security incidents
3. concerns over reputational damage
4. Commercial demands of PCI DSS
5. Business processes that may increase risk

• Scope and Charter of an Information Security Program - The scope of an IS Program is established by developing a Strategy with Risk Management responsibilities; The extent to which management supports the implementation of the strategy and Risk Management activities determines the charter; it is important to define responsibilities and for ISM to determine who they would report to in certain situations; ISM must understand and be understanding of organization’s culture; implementation of an IS program impacts an organization’s established way of already doing things, so expect push back;

Question 5

• Information Security management Framework
  
  • COBIT 5 and Key Principles
  • ISO/IEC 27000 series

Answer 5

• Information Security management Framework - defines all components and defines the interactions between them;
  
  • Most popular frameworks are COBIT 5 and ISO 27001
  • COBIT 5 - framework that helps maintain balance between realizing benefits and optimizing risk levels and resource use; Enables IT and information to be governed and managed in a holistic manner, addressing functional areas of responsibility while considering internal/external stakeholder needs;
  • COBIT 5 Based on 5 key principles:

1. Meeting the Stakeholder’s Needs
2. Covering the Enterprise End to End
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance from Management

• ISO/IEC 27001:2013 - Information Security Management Systems and ISO/IEC 27002:2013 - Code of Practice for Information Security Controls provide a widely accepted framework and approach to IS management;
  
  • 14 domains and 114 controls less business oriented, but easily mapped to COBIT
  • 27000 series provides for all of security at a high level

Question 6

Information Security Framework Components

Answer 6

• Information Security Framework Components - Frameworks such as COBIT and ISO/IEC 27001 begin with Risk Assessments and the identification of control objectives; These frameworks serve as a guidance and should be modified as needed for the system; broken down into functional elements (technical, operational, managerial, administrative, & educational components)

1. Technical Components - vast majority of organization’s information will reside in IT; Includes maintaining standards, procedures, policy compliance, designing, and implementing metrics; Addresses risk associated with technical components (i.e. configuration, monitoring, maintenance, & operation); While IT, data owners, or business owners “own” the system, it is the custodians that provide adequate protection & compliance; every component will have an identified owner, there are no “orphan systems”
2. Operational Components - ongoing management and administrative activities (done on daily to weekly timeline) such as SOPs, business operations security practices, maintenance, metrics, and administration of security technologies; ISM is responsible for identifying owners and collaborating with them to document key information on management of necessary functions; ISM should document roles and responsibilities as new tasks arise in operational component development
3. Management Components - typically done less frequently then operational components (monthly, quarterly, annually) (i.e. policy reviews, standards development, oversight of initiatives); ISM must ensure this process is executed with consideration to legal, regulatory, risk and resource issues and a suite of metrics needed for decision support; ongoing analysis of assets, threats, risks must continue; early versions of metrics are typically too permissive or too restrictive;
4. Administrative Components - ISM ensures financial, HR (hiring, payroll, recruitment), etc functions are effective; includes budgeting, time line planning, TCO, ROI, updates throughout fiscal year as organizational goals change; ISM ensures support and compliance with financial policies and procedures;
5. Educational and Informational Components - ISMs collaborate with HR and business units to determine education and training needs (i.e. Role-based training, IR training, CP training, AUP)

Question 7

The Open Group Architecture Framework (TOGAF) Architecture Development Model (ADM) steps

Answer 7

The Open Group Architecture Framework (TOGAF) Architecture Development Model (ADM) -

1. Preliminary Phase - define architecture, principles, overall scope, constraints, objectives, and assumptions
2. Architecture Visions - define vision, scope of architecture, specific segments of work to be performed
3. Business Architecture - gap analysis of business functions
4. Technology Architecture - gap analysis of technology functions
5. Opportunities and Solutions - formulation of high-level implementation and migration strategy to transform as-is architecture into the to-be architecture
6. Migration Planning - formulation of detailed implementation and migration road map, including analysis of costs, benefits, and risk
7. Implementation Governance - ensure implementation projects conform to defined architecture
8. Architecture Change Management - keep architecture up to date as changes arise

• Requirements Management - ensure architecture projects are based on business requirements and validated against the architecture

Question 8

• Elements of a road map
• Steps to define Information Security Program road map

Answer 8

Elements of a road map - a well developed strategy will have objectives, resources, and constraints defined; transform conceptual or logical architecture to a physical one; Initiatives must be planned, along with budgets, timetables, personnel, etc; should include various milestones such as KGIs, KPIs, and critical success factors (CSFs)

Steps to define Information Security Program road map

1. Interview stakeholders to determine issues and concerns
2. Use that information to draft security policies for implementation of security program for approval by upper management
3. Steering committee promote awareness of the policy and conduct internal reviews to test compliance
4. Identify gaps and an approach to monitor compliance
5. ISM builds consensus around roles and responsibilities, processes, and procedures to support policy

Question 9

• EISA
• 3 Basic Approaches to EISA
• 4 EISA Domains

Answer 9

Enterprise Information Security Architecture - overall enterprise IT system design; EISA objective is to address related elements of business structure in addition to managing security technology

3 Basic Approaches -

1. process approach - more directive in the processes
2. framework (Zachman, COBIT, SABSA, TOGAF); great deal of flexibility, describes how each element relates to one another;
3. reference models - small-scale representation of actual implementation

4 EISA Domains

1. Business Architecture - defines business strategy, governance. organization, key business processes
2. Data Architecture - describes structure of logical and physical data assets and data management resources
3. Applications Architecture - blueprint for individual application systems to be deployed and their relationships to core business processes
4. Technology Architecture - describes architecture principles, component relationships, HW SW infrastructure used to support mission critical applications

• An effective approach always starts with Business Architecture; the others are subsets;

Question 10

Objectives of Information Architecture

Answer 10

Objectives of Information Architecture -

*Serve as program development and road map

*implementing policies, strategic alignment, traceability, common language

• Providing a framework and road map
• Simplicity and clarity through layering and modularization
• Business Focus beyond the technical domain
• Architecture and control objectives

Question 11

Security Program Management and Administrative Activities

• Personnel
• Roles
• Skills
• Culture
• SAT
• AUP
• Ethics
• Documentation
• Document Maintenance
• Program Development and Project Management
• Risk Management
• Business Case Development

Answer 11

• Personnel - ISM develop positions according to program needs; personnel requirements for program development differ after the program is implemented; Consider outsourcing for Skills that are rarely needed
• Roles - RACI charts
• Skills - skills needed for a short time should be outsourced; once skills have been agreed upon for certain personnel, a formal employment agreement should be established
• Culture - impacted by individual BG, work ethics, past experiences
• SAT - users are the front line for identifying threats that automated mechanisms cannot; role-based training is important to target specific roles that have more unlimited access to data; 3rd party users also need training to keep up with policies
• AUP - summary of what user should and should not do
• Ethics - training on what organization considers legal and appropriate behavior; usually for users who engage in activities that are sensitive such as pen testing, monitoring user activity, sensitive personal data; have users sign Code of Ethics and Conduct
• Documentation - each document should have an owner; changes need to be approved by senior management prior to distribution; owner is responsible for ensuring access to documentation is appropriate, controls, and auditable; should follow organization classification and labeling;
• Document Maintenance - Version control is important to ensure users are working from and using the same document;
• Program Development and Project Management - IS programs are rarely static and changes need to be constantly integrated; basis for development is the strategy to achieve objectives; ISMs should employ project management techniques such as goal setting, tracking deadlines, measuring progress, assigning responsibilities in a controlled repeatable manner;
• Risk Management - managing risk to an acceptable level; all organizations will face threats, must focus on how to respond effectively to incidents; risk landscape constantly changing so organization must adapt to change
• Business Case Development - for major projects and initiatives, it is important to have a persuasive business case; the business case should have a clear value proposition (or cost benefit) based on the organization needs; important to identify risk and impacts if not undertaken; to be effective

Question 12

Security Program Management and Administrative Activities CONTD.

• Program Budgeting
• IS Problem Management Practices
• Vendor Management
• Program Management Evaluation

Answer 12

• Program Budgeting - prior to entering budget process, ISM should have approval on strategy and objectives for a successful budget proposal; ISM should work with PMO, SMEs, etc to estimate costs as accurately as possible; parts of the program are unpredictable, looking at historical data can be helpful
• IS Problem Management Practices - identifying the root causes of problems, developing an action plan, assigning responsibility, due dates, reports to track results
• Vendor Management - outsourcing is sometimes more cost-effective and allows internal users to focus on their own projects; ISM may face issues with outsourcing such as quality of service, adherence to organization’s policy, etc
• Program Management Evaluation - ISM may be hired to evaluate the current existing IS Program. Critical areas to evaluate would be:

1. Program objectives - i..e do goals align with strategies, how often are they reviewed, do policies exist, is there consensus, has acceptable risk criteria been established, do metrics exist
2. Compliance Requirements - i.e. has level of compliance been determined, are there timelines and milestones to complete, are deficiencies documented and addressed, review results of last audit
3. Program Management - very technical driven programs have fewer management whereas strategic programs driven by standards compliance and governance have more established programs; considerations include roles and responsibilities defined and understood, a steering committee, metrics to measure program, policies and standards all approved
4. Security Operations Management - are there SOPs in place with security requirements and processes; is there a schedule for regularly performed procedure, is there segregation of duties; oversight metrics for management
5. Technical Security Management - ensuring technology is implemented effectively; are there technical standards for configurations; architecture security standards, communication protocols, etc
6. Resource Level - ISM assesses financial, human, and technical resources allocated to program; deficiencies must be identified and escalated to senior mgmt; Financial (what is current funding, what functions suffer from underfunding); HR (what is current staff level, Is there workload mgmt methodology); Technical (what technologies used to support, is it sufficient)

Question 13

• What are two methods when combined allow ISM to implement highly effective security program?
• Explain what is included in both

Answer 13

1. Total Quality Management (TMS) system - aka PDCA
2. Governance Methodology

• Vision - clear statement about organization’s purpose; includes desired outcomes of IS program
• Strategic Objectives - set of goals (KGIs) that are necessary to move towards vision
• CSFs - set of circumstances or events that are necessary to achieve the strategic objectives
• KPIs - metrics to ensure CSFs are achieved
• Key actions, including tactical and annual action plans - initiatives to be delivered to achieve the strategic objectives and KGIs

Question 14

Security Program Management and Administrative Activities CONTD.

• Legal and Regulatory Requirements
• Physical and Environmental Factors
• Culture and Regional Variances
• Logistics

Answer 14

• Legal and Regulatory Requirements - legal departments often focused on contracts, stocks, securities of company and not aware of regulatory requirements; ISM should identify them and request legal review and interpretation to ensure clarity;
• Physical and Environmental Factors - implementation of physical controls (i.e. motions detectors, cameras, locks, cages, etc); location of primary site, off site data storage, disaster recovery sites should be far from each other
• Culture and Regional Variances - identify audience and determine acceptable behavior; culture is dependent on many things such as location, perception, up bringing; different privacy laws;
• Logistics - ISM should be able to manage: cross-organizational strategic planning, project and task management, committee meetings, schedules, track regularly performed procedures, resource prioritization, workload management, coordinate resources and activities; online scheduling and resource mgmt systems help with this

Question 15

Security Program Services and Operational Activities

1. Liaison Responsibilities

• Physical/Corporate Security
• IT Audit
• Information Technology
• Business Unit Managers
• Human Resources
• Legal Department
• Employees
• Procurement
• Compliance
• Privacy
• Training
• Quality Assurance
• Insurance
• Third-Party Management
• Project Management Office

Answer 15

Security Program Services and Operational Activities

• Liaison Responsibilities - important for ISM to maintain relationship with other departments and groups; ISM should maintain relationship with the following departments:

1. Physical/Corporate Security - ISM should maintain close working relationship with physical security (i.e. guards); ISM should understand physical security policies, standards, procedures, etc
2. IT Audit - auditing effects the IS program;
3. Information Technology - ISM should build trust, understanding of common goals; IT often has conflicting interests; conflict between performance and safety which can result in sacrificing security to meet operational objectives; work with IT to fulfill both security and performance requirements
4. Business Unit Managers - keeping in touch with the business unit managers ensures each unit continues to meet the security requirements and ensure unit managers understand their role and how to escalate incidents; ensures stakeholders are aware of matters; allows architecture to be modified if changes need to be made
5. Human Resources - ensure HR and legal are monitoring employee’s actions and understand their roles to escalate as needed; work with HR to develop AUP and RoB; senior rep of HR should be assigned to IS steering committee
6. Legal Department - keep in touch so legal team is aware of any security issues and so that they act with their consensus; legal deals with compliance, liability, corp responsibilities, due diligence, contract, service providers;
7. Employees - they are the 1st line of defense in the security of information; essential they get proper training and testing on policies procedures; get feedback from employees on how to improve program; make sure they know how to escalate
8. Procurement - ISM should be aware of procurement process in terms of product acquisition
9. Compliance - independent or part of legal office;
10. Privacy - may be part of compliance office; privacy laws different depending on location; ISM must ensure they are compliant
11. Training - ISM can provide suggestions for training unit
12. Quality Assurance - QA must include acceptable levels of security-related controls; ISM should ensure QA unit addresses risk as part of the standard process
13. Insurance - ISM should be familiar with the type of insurance an organization has to include it in risk analysis and management and recovery planning because it serves as a compensating control
14. Third-Party Management - ISM should clearly understand which services are provided by external parties so they can understand the associated risk and acquire preventive, detective, and compensatory controls, as needed, including oversight and monitoring
15. Project Management Office - ISM should be aware of all projects, especially IT projects; allows security team to assist with projects and PM team to assist with IT projects if ISM has good working relationship;

Question 16

Security Program Services and Operational Activities contd

2. Cross organizational responsibilities
3. Incident Response
4. Security Reviews and Audits

Answer 16

Security Program Services and Operational Activities contd

2. Cross organizational responsibilities - Separation of Duties can be an issue, especially in smaller organization; if integrated seamlessly, avoid possible conflicts of interest
3. Incident Response - objective is to identify and contain incidents to prevent significant interruptions to business activities, restore affected services, and determine root causes to prevent recurrence
4. Security Reviews and Audits - ISMs should have a consistent standardized approach to assessing and evaluating certain aspects of the program;
   * For example, for reviews: 1. An Objective 2. A Scope 3. Constraints 4. An Approach (set of activities to achieve objective and scope with the constraints) 5. A result.

If there are no results, review inconclusive

• Audits - auditors identify, evaluate, test, and assess effectiveness of controls
• Auditors - help improve program immensely; audit findings allow steering committee or senior management to determine how effective the IS program is; ISM is encouraged to work with auditors; auditors may identify weaknesses that do not pertain to the organization requirements
  *

Question 17

Security Program Services and Operational Activities contd

5. Management of Security Technology
6. Due Diligence
7. Compliance Monitoring and Enforcement

Answer 17

Security Program Services and Operational Activities contd

5. Management of Security Technology - organizations have technology that require effective mgmt and operation if optimal value delivery and resource management are to be achieved; mature organizations are typically constrained to legacy architecture;

• Technology Competencies - all ISMs should have clear understanding of security architecture, control implementation principles, and commonly implemented security processes; highly integrated and tightly couple systems such as Enterprise Resource Planning (ERP) implementation creates challenges; if one system is down, the entire system is at risk for potential domino effect of cascading risk

6. Due Diligence - “the standard of due care”; the idea that there are steps that should be taken by a person of similar competency in similar circumstances; ISMs should ensure basic components of a reasonable security program in place (i.e. senior mgmt support, comprehensive policies, appropriate training, periodic risk assessments, etc)

• Managing and Controlling Access to Information Resources - ISM should be aware of regulatory requirements
• Vulnerability Reporting Sources - ISM should check reports daily on new vulnerabilities

7. Compliance Monitoring and Enforcement - compliance is useless if it isn’t enforced; ISMs should enforce by developing procedures to track and monitor compliance requirements

• Policy Compliance - policies should be comprehensive enough, but also flexible enough to allow different processes and procedures to evolve for different technologies and still be in compliance; ISMs should ensure all systems have policy compliance owners; policies define mgmt intent, directions, and expectations
• Standards Compliance - standards set boundaries for systems that still comply with policy; standards provide economy of scale; the configuration mapping only needs to be done once for each domain and reused for systems of same type; if possible, standards should be automated so configurations do not deviate from policy compliance;
• Resolution of Noncompliance Issues - important for ISM to have process in place to identify impact of risk and have risk response
• Compliance Enforcement - ongoing set of activities to ensure policy and standards that are not being met are brought into compliance; audits are a snapshot of compliance in time

Question 18

Security Program Services and Operational Activities contd

8. Assessment of Risk and Impact

Answer 18

Security Program Services and Operational Activities contd

8. Assessment of Risk and Impact - primary responsibility of ISM and purpose of program is to manage risk to acceptable levels; The following objectives help to achieve that goal:

• Vulnerability Assessment - regular patch schedule important; change management should also be tracked here; automated process
• Threat Assessment - Threats evolve as a result of internal and external factors; new applications, personnel, partners, etc can increase threat; point where external entities are granted access are important to assess; ISM must evaluated existing controls to mitigate risk associated with threats; threats must be evaluated to include their likelihood and impact to systems
• Risk Assessment and Business Impact Analysis - identify, analyze, and evaluate risk; likelihood of compromise and potential impact; BIA determines impact of losing the availability of any resource; establishes escalation of that loss over time, identifies minimum resources needed to recover, and prioritizes recovery of systems; Potential impact is also basis for asset classification; residual risk may aggregate and become severe risks;
• Resource Dependency Assessment - less expensive alternate option if BIA cannot be performed due to resource or other constraints; reviews resources that are used to conduct business; prioritization of resources are based on day to day activities and criticality of certain functions; does not cover financial or operational impact and does not replace BIA

Question 19

Security Program Services and Operational Activities contd

9. Outsourcing and Service Providers

Answer 19

Security Program Services and Operational Activities contd

9. Outsourcing and Service Providers - security requirements are similar (3rd party vs outsourcing) but ownership is different; ISM is process owner for outsourced services; Economics are primary driver for outsourcing; Extended contracts offer little economic benefit which eliminates any initial cost savings; over a short time, control may require specific level of services but may not need it, however cost stays the same; or over a long term, outsourced services may cost more requiring more services then initially stated; must consider privacy laws; ISM should train external personnel; good way to choose vendor is by comparing their standards to the organization’s standards;

• Outsourcing Contracts - fundamental purpose of contracts is two-fold: 1. to ensure the parties are aware of their responsibilities and rights within the relationship 2. to provide the means to address disagreements once the contract is in force; ISM may or may not review contracts, but may need to provide security requirements to protect data from nondisclosure and on how to destroy data when contract is over;
  
  • right to audit and right to inspect without notice; two methods that can be used to assist with ensuring service provider adheres to contract requirements
  • “choice of law” - some jurisdictions are requires to favor service providers
• Third-Party Access - 3rd party access should be clearly defined in SLA; based on least privilege; need to know; 3rd party could have different culture/ethics and should be considered in terms of risk; review of access should be based on criticality of information, criticality of privileges given, and period of contract; asset owner grants approval of access;

Question 20

Security Program Services and Operational Activities contd

10. Cloud Computing

• Five essential characteristics
• Three Primary Service Models
• Other Service Models
• Four Deployment Models

Answer 20

Security Program Services and Operational Activities contd

10. Cloud Computing - aka utility computing; NIST defines as ‘a model for convenient, ON DEMAND network access to a SHARED pool of CONFIGURABLE computing resources (i.e. NWs, servers, storage, applications, and services) that can be RAPIDLY provisioned and released with MINIMAL management. effort or service provider interaction;

Five essential characteristics:

1. On-Demand Self-Service - computing capabilities can be provisioned without human interaction from service provider
2. Broad Network Access - computing capabilities are available over the NW and can be accessed by diverse client platforms
3. Resource Pooling - computer resources are pooled to support multi-tenant model
4. Elasticity - Resources can scale up or down rapidly, and sometimes automatically in response to business demands
5. Measured Service - Resource utilization can be optimized by leverage charge pay-per-use capabilities

Other Service Models

1. SecaaS - Security As a Service. Two major forms:

• CSP provides stand alone managed services ranging from AV scanning to full deployment end security.
• CSP offloads appliance utilization for the client, and CPU and memory-intensive activities moved to cloud; ADVANTAGE - client has minimal risk when patching since it is done by cloud appliances

2. DSRaaS - Disaster Recovery as a Service; provides DR solution (i.e. backup equipment, storage, BCP) ROI can be significant, cost of in house DR is expensive;
3. IDaaS - Identity as a Service - Two types

• Management of Identity strictly in cloud; deliver SSO
• Hybrid solution where access and roles are configured by CSP and users are authorized by internal solutions aka FEDERATED MODEL;

4. Data Storage and Data Analytics as a Service, or BIG DATA - allows analysis of all types of data by taking away constraint of volume, variety, velocity, and veracity; Limitless volume allows enterprises to use old data for new purposes; ability to find patterns in current data; real-time reporting and predictive analysis;
5. Information as a Service - builds on big data, rather then providing raw data or the algorithms that are used for trending, IaaS provides the required information, the result of a query is more important then the query itself;
6. IPaaS - Integration Platform as a Service; a suite of cloud services allowing any combination of on premise or cloud-based processes within individual or across multiple organizations; HYBRID MODEL;
7. FRaaS - Forensics as a Service; cloud forensic capability with safe storage of forensic material and legally defensible
8. CASB - Cloud Access Security Brokers; they offload a # of security issues and simplify security for cloud-based services; They can be on premise or cloud-based and located between consumer and service provider; they ensure consumer policy is implemented throughout the cloud or on premises

Question 21

Security Program Services and Operational Activities contd

10. Cloud Computing

• Advantages
• Security Considerations
• Cloud Computing Risk Map (Service Model vs Deployment Model and association with Risk)

Answer 21

Security Program Services and Operational Activities contd

10. Cloud Computing

• Advantages -
  
  • Optimized Resource Utilization - Pay as you go; use only what you need
  • Cost Savings - change computing cost from Capital Expenditure (CAPEX) to Operational Expenditure (OPEX); flexible on-demand service, solution testing without capital investments, pay as you go result in cost savings
  • Better Responsiveness - on-demand, agile, scalable, and flexible services that can be implemented quickly provide organizations ability to respond to changing requirements and peak periods
  • Faster Cycle of Innovation - patch mgmt and upgrades are more flexible; cloud users just type in URL and upgrade
  • Reduced Time for Implementation - services and resources provided in near real time
  • Resilience - ability to recover quickly; reduces potential for system failure; one failed component has less impact on overall service availability and reduces risk of downtime
• Security Considerations - ISM must consider location, data crossing state boundaries; handling incidents may vary (i.e. breach notification laws); availability of audit logs may be limited or nonexistent;

Question 22

Security Program Services and Operational Activities contd

10. Cloud Computing

• Evaluation of CSPs
• SOC Reports

Answer 22

Security Program Services and Operational Activities contd

10. Cloud Computing

• Evaluation of Cloud Service Providers - identifying the risk of operating under certain SPs must be completed; several frameworks exist to identify and evaluate risks
  
  • SOC Report - Service Organization Control Report; CSP engages CPA to perform an independent examination to provide CSP clients and their internal/external auditors assurance regarding control effectiveness that support CSP client’s processes and services;
    
    • SOC 1 - financial reporting processes;
    • SOC 2 and SOC 3 - identifies risk and impact
    • Type 1 - examines controls at a point in time
    • Type 2 - examines controls over a period of time

Question 23

11. Integration with IT Processes

• Integration
• SDLC Processes
• Change Management
• Configuration Management
• Release Management

Answer 23

Security Program Services and Operational Activities contd

11. Integration with IT Processes - i.e. BCP and IR activities go hand in hand; Risk Management activities and activities of organization risk manager; these functions should work together.

• Integration - ISM must ensure IS program interfaces effectively with other assurance functions; helps with strategic outcome of business assurance integration; reduces gap, duplication of efforts;
• System Development Life Cycle Processes - integrate security every phase of the SDLC (initiation, dev/acq, imp, op/main, disposal)
• Change Management - as changes occur, existing controls can continue to be effective or become less effective, therefore important to test controls; have change management process in place early on
• Configuration Management - Incorrect configuration is a major enabler for security breaches; this is usually due to a lack of procedures or controls in place to effectively manage configurations; procedures should be tested and validated
• Release Management - reduces operational failure by ensuring adequate testing has been performed and conditions exist and are met; ISM should ensure standards and procedures exist so that products are not deployed prematurely;

Question 24

12. Controls and Countermeasures

• 5 control categories
• Control types and effects (attached)
• Control Design Considerations
• Common Practices to Prevent Users to Bypass Controls
  
  • Access (Logical) Control
  • Secure Failure
  • Principle of Least Privilege
  • Compartmentalize to minimize damage
  • Segregation of Duties
  • Transparency
  • Trust
  • Trust no one

Answer 24

Security Program Services and Operational Activities contd

12. Controls and Countermeasures -

• 5 Control Categories
  
  • Corrective - remediate impact; i.e. backup restore procedures
  • Compensating - reduce the impact and reduce the risk of weakness; i.e. Insurance
  • Detective - warn of violations of security policy; i.e. Audit trails, intrusion detection, checksums
  • Deterrent - provide warnings that can deter potential compromise; i.e. warning banner, offering rewards for arrest of hackers; addresses threat.
  • Preventive - stops attempts to violate policy; i.e. Access Control enforcement, encryption, authentication; directly address risk
• Control Design Considerations - Controls should be automated as much as possible so it is hard to bypass
  
  • Common practices to prevent users to bypass controls
    
    • Access (logical) control - users should be identified, authenticated, and authorized;
      
      1. Mandatory Access Control (MAC) - restricting access to data based on security requirements for information contained and security clearance of the user; typically used for military (secret clearance required for data classified as ‘secret’); also grant access based on need to know
      2. Discretionary Access Control (DAC) - restricting access to objects based on the identity of subject and/or groups; subjects with certain permission may pass it along to another subject;
    • Secure Failure - device designed to shut down or stop processing information whenever it detects malfunction that may affect its access control mechanisms; DISADV is this effects availability; also dangerous if devices fail in a locked condition during a disaster
    • Principle of Least Privilege - giving minimum access needed to accomplish duties
    • Compartmentalize to Minimize Damage - containing access to subsets of systems resources by requiring a separate set of authorization controls per subset
    • Segregation of Duties (SOD) - restricts a user to have two functions that are meant to provide oversight (i.e. if I have the ability to print checks, I should to have the ability to edit the check prior to printing to avoid unauthorized modification)
    • Transparency - refers to the ability that a normal person can understand how system security is supposed to work; allows all stakeholders to understand security; in other words, ISM should keep technology design as simple as possible
    • Trust - identity of user determined by relationship to identify provider. identify provider is trusted by relying party. relying party determines authenticity of connection from the identity provider and allows provider to pass on authenticity to user; Common example would be Certificate Authority issuing certificates
    • Trust No One - oversight controls rather than having designated trust individuals to administer the system; Common example CCTV to monitor activities

Question 25

**12. Controls and Countermeasures countd.** * _Control Strength_ * _Control Methods_ * _Countermeasures_ * _Control Technology Categories_

Answer 25

**Security Program Services and Operational Activities contd** **12. Controls and Countermeasures contd.** * _Control Strength_ - although automated controls are favorable; manual controls can increase control strength; * _Control Methods_ - managerial (administrative), technical, physical * _Countermeasures_ - controls put in place in response to a specific threat; more effective, more expensive, less efficient as it only mitigates a specific threat; they can be applied to existing controls and their enhancements (i.e. NOAA scans all emails to block incoming viruses. There is increase in spam, therefore countermeasure is to enhance virus scanner to block spam) * _Control Technology Categories_ 1. ***Native Control Technologies*** - out of the box security features; configured and operated by IT; exist on all information technology devices (servers, databases, routers, switches) 2. ***Supplemental Control Technologies*** - components that are added on to an environment; more specialized and operated by security; can be operated by both IT and security i.e. Federated identity management systems; (other i.e. SSO, IPS, Firewalls) 3. ***Management Support Technologies*** - automates security-related procedure, increase management efficiency; operated by security's.e. SIM tools, SIEM systems, vulnerability scanning, policy mgmt systems

Question 26

**13. Metrics and Monitoring** * _Metrics and Monitoring_ * Metrics Development - what is the purpose of metrics * 3 levels of metrics * Attributes of metrics

Answer 26

**Security Program Services and Operational Activities contd** **12. Controls and Countermeasures countd.** * _Metrics and Monitoring_ - one of the essential elements of controls selection is whether they can be effectively monitored and measured; key controls that cannot be monitored pose an unacceptable risk and should be avoided; Measurement is a fundamental requirement for security program success; * _Metrics Development_ - meaningful metrics cannot be set without goals; metrics should correspond with objectives; metrics serve one purpose DECISION SUPPORT; * Metrics design can be summed up as: who needs to know? what do they need to know? when do they need to know? * Metrics should cross reference each other for validation; this can be accomplished by measuring 2 different aspects of the same thing and ensuring agreement between them * Metrics need to provide information at one or more of the 3 levels 1. _Strategic metrics_ - these metrics indicate the program is on track, on target, and on budget to achieve the desired outcomes; typically needed by ISM and senior mgmt for oversight 2. _Management (or technical) metrics_ - metrics needed to manage the program; i.e. information on compliance, resource utilization, alignment with business goals, summary of technical controls; metrics do not indicate if the program is head in the correct direction, but it could indicate the program will fail 3. _Operational Metrics_ - these metrics are more common technical and procedural metrics such as open vulnerabilities and patch management status; useful for IT security mgrs and sys admins; * _Essential Attributes for Metrics_ * **Manageable** - data is readily collected, condensed, sorted, reviewed, understood * **Meaningful** - metric should be understandable to user and relevant to objectives and provide basis for decisions needed to manage * **Actionable** - gives mgmt clear direction on what to do next * **Unambiguous** - metric is clear and leaves no room for argument * **Reliable** - same results under same conditions everytime * **Accurate** - needs to be accurate to be of any use * **Timely** - metric must occur when needed * **Predictive** - leading indicators are valuable * **Genuine** - metric isn't subject to manipulation and is reliable and accurate

Question 27

**13. Metrics and Monitoring** * _Monitoring Approaches_ * _Determining Success of Information Security Investments_ * _Measuring Compliance_ * _Measuring Operational Productivity_

Answer 27

**Security Program Services and Operational Activities contd** **12. Controls and Countermeasures countd.** * _Monitoring Approaches_ - conduct regular risk assessments, vulnerability scans, track metrics, etc; continuous monitoring of processes such as IDS, firewalls; training help desk on escalation procedures; * _Determining Success of Information Security Investments_ - important to determine cost effectiveness of resources; senior mgmt seeks best ROIs and justification for costs; concept of TCO is useful here; ISM should have metrics in place to measure costs * For qualitative metrics, a successful measure is the analysis of why an objective was or was not met * _Measuring Compliance_ - ongoing and primary concern is policy and standards compliance; for critical businesses, anything less then 100% compliance is unacceptable (i.e. nuclear power plant, piloting passenger jets); For non-life threatening organizations, the cost and level of compliance efforts must be weighted against the benefits and potential impacts; compliance is often tied to audits * _Measuring Operational Productivity_ - goal is to maximize operational productivity; productivity can be improved through automation or outsourcing low value operational tasks; The personnel cost savings can often justify expense of tools such as Vulnerability Scanner; Manual vulnerability assessments would take days weeks and a lot of man hours whereas automating the scan would reduce significant time; * time-based comparison analysis is best to measure productivity; comparing before and after cost and time; this can demonstrate ROSI * ISM should set goals for increasing productivity

Question 28

**13. Metrics and Monitoring** * _Measuring Security Cost Effectiveness_ * _Measuring Organizational awareness_

Answer 28

**Security Program Services and Operational Activities contd** **13. Metrics and Monitoring** * _Measuring Security Cost Effectiveness_ - program needs to be financially sustainable to avoid security lapses; ISM should consider total costs of maintaining, operating, and administering security components including personnel costs; should be shared with steering committee to determine cost effectiveness and forecasting future resource needs * _Measuring Organizational Awareness_ - initial training, acceptance of policies, ongoing training, testing after training and months after training *

Question 29

**14. Common Program Challenges** * list of common challenges * mgmt support * funding * staffing

Answer 29

**14. Common Program Challenges** * Resistance due to changes * Perception that increased security will reduce access required for job functions * Overreliance on metrics * Failure of strategy * Assumption of procedural compliance without confirming oversight * Effective program is more then just gaining senior management support; ISM must take into consideration cultural and organizational challenges; effective program is completely dependent on the environment; * _Management Support_ - lack of mgmt support more common in smaller organizations or organizations with little to no security; best way to approach is through initial and ongoing education * _Funding_ - inadequate funding may be a result of a lack of understanding for security or mgmt not knowing where existing money is going; ISM must find way to close financial gaps by leveraging budgets in other units, improving efficiency of existing security program components, work with steering committee to reprioritize resources * _Staffing_ - poor understanding of resources, questioning the need for new resources, lack of awareness; ISM consider outsourcing possibilities, work with steering committee to reprioritize security personnel assignments