
CISSP Training: Security Management

Presented by Ricky Allen, CISSP, CISA, MCSE, CCNA, Network+ (PricewaterhouseCoopers LLP). Materials by Ken Bell, CISSP, CISA (Schlumberger IT Security).
Schedule: 5:30 - 5:55 (25 min.) Sample exam questions from the Security Management domain.


Presentation Transcript


  1. CISSP Training: Security Management
  Ricky Allen, CISSP, CISA, MCSE, CCNA, Network+, PricewaterhouseCoopers LLP
  Materials by: Ken Bell, CISSP, CISA, Schlumberger IT Security

  2. Schedule
  • 5:30 - 5:55 (25 min.) Sample exam questions from the Security Management domain
  • 5:55 - 6:45 (50 min.) PowerPoint outline overview of Security Management with group discussion
  • 6:45 - 6:55 (10 min.) Break
  • 6:55 - 7:40 (45 min.) Training video on the Security Management domain
  • 7:40 - 8:30 (50 min.) Exam questions from the Security Management domain, with group discussion and analysis

  3. From the published (ISC)2 goals for the Certified Information Systems Security
  “The candidate will be expected to understand the planning, organization, and roles of individuals in identifying and securing an organization’s information assets; the development and use of policies stating management’s views and position on particular topics and the use of guidelines, standards, and procedures to support the policies; security awareness training to make employees aware of the importance of information security, its significance, and the specific security-related requirements relative to their position; the importance of confidentiality, proprietary and private information; employment agreements; employee hiring and termination practices; and the risk management practices and tools to identify, rate, and reduce the risk to specific resources.”
  A professional will be expected to know the following:
  • Basic information about security management concepts
  • The difference between policies, standards, guidelines, and procedures
  • Security awareness concepts
  • Risk management (RM) practices
  • Basic information on classification levels

  4. Agenda • Policies and Procedures • Risk Management • Information Classification • Employment Policies and Practices • Security Awareness • Standards

  5. Security Triad (diagram): Confidentiality, Integrity, Availability. The three are abbreviated interchangeably as C-I-A, A-I-C, or I-A-C.

  6. Confidentiality
  The concept of confidentiality attempts to prevent the intentional or unintentional unauthorized disclosure of a message’s contents. Loss of confidentiality can occur in many ways, such as through the intentional release of private company information or through a misapplication of network rights.
  Integrity
  The concept of integrity ensures that:
  • Modifications are not made to data by unauthorized personnel or processes
  • Unauthorized modifications are not made to data by authorized personnel or processes
  • The data are internally and externally consistent, i.e., the internal information is consistent among all sub-entities and the internal information is consistent with the real-world, external situation
  Availability
  The concept of availability ensures reliable and timely access to data or computing resources by the appropriate personnel. In other words, availability guarantees that the systems are up and running when they are needed.

  7. The Big Three The opposite of confidentiality, integrity, and availability is DAD: • Disclosure • Alteration • Destruction

  8. Other Important Concepts • Identification • Authentication • Accountability • Authorization • Privacy

  9. Policies, Procedures, Standards
  Policies, standards, and procedures are the foundation for any information security program.
  • Policies - short, to the point, not often changed.
  • Standards - methods for achieving policy goals. Change as technology changes.
  • Guidelines - maps or suggestions about how to comply. Optional rather than mandatory.
  • Procedures - ordered steps performed by a specific person or group of persons.

  10. Policy Hierarchy/Layers (diagram; axis labels: “General, Direct” at one end, “Specific, Less Direct” at the other)

  11. Policy Guidelines
  • Information security is not just about technological controls.
  • View security as business processes and goals.
  • Policies should be a function of the corporation, not an obstacle.
  • Use the fewest policies required to convey the corporate security attitude.
  • Support policies with standards, guidelines, and procedures.

  12. Policy Guidelines (continued)
  • Test! Does the company practice what is published in the policy?
  • Consistently enforce the policies.
  • Carefully define security’s domain, responsibility, and accountability.
  • Communication is king.

  13. Components of Effective Policy
  • Title
  • Purpose
  • Authorizing individual
  • Author/sponsor/change history
  • References to related policies
  • Scope
  • Measurement expectations
  • Exception process
  • Accountability
  • Effective/expiration dates
  • Definitions

  14. Security Policy Myths
  Each of these statements embodies a security myth:
  • Security technology will solve all of our problems.
  • I have written the policy, so now we are done.
  • Once published, everyone will comply.
  • Follow our vendor’s approach; it’s the best way to make an organization secure.

  15. Technology: Gatekeeper
  Technology provides three basic protection elements:
  • Authentication
  • Accountability
  • Audit

  16. Agenda • Policies and Procedures • Risk Management • Information Classification • Employment Policies and Practices • Security Awareness • RAINBOW Series/Common Criteria • BS7799

  17. Risk Management
  Ask the following questions:
  • What could happen?
  • If it happened, how bad could it be?
  • How often could it happen?
  • How certain are the answers to the first three questions?

  18. Analyze Each Threat
  • What can be done to mitigate the risk?
  • How much will it cost?
  • Is it worth the cost?

  19. Central Equation: Annualized Loss Expectancy (ALE)
  Single Loss Expectancy (SLE) = Asset Value × Exposure Factor
  Annualized Loss Expectancy (ALE) = Single Loss Expectancy × Annualized Rate of Occurrence
  SLE × ARO = ALE
  Ex: $1,000,000 × 1/10 = $10,000

  20. Definitions
  • Exposure Factor (EF) – Magnitude (%) of loss or impact on an asset
  • Information Asset – Body of information. Cost associated with:
    • Replacement of data
    • Replacement of software (hardware?)
    • Availability
    • Confidentiality
    • Integrity

  21. Definitions (continued)
  • Probability – Chance of an event happening.
  • Risk – Potential for harm or loss.
  • Risk Analysis – Process of analyzing a target environment.
  • Risk Assessment – Assignment of value to threats, frequency, and consequences.
  • Risk Management – Overall process.
  • Safeguard – Risk-reducing measure. Control or countermeasure.

  22. Definitions (continued)
  • Safeguard Effectiveness – Degree (%) to which a safeguard is effective at mitigating a risk.
  • Threat – Event which could have an undesirable effect.
  • Uncertainty – Degree (%) of confidence in the value of any element of the risk assessment.
  • Vulnerability – Absence or weakness of a safeguard.

  23. Identifying Assets
  Tangibles:
  • Computers, communications equipment, wiring
  • Data
  • Software
  • Audit records, books, documents
  Intangibles:
  • Privacy
  • Employee safety and health
  • Passwords
  • Image and reputation
  • Availability
  • Employee morale

  24. Identifying Threats
  • Earthquake, flood, hurricane, lightning
  • Structural failure, asbestos
  • Utility loss (water, power, telecommunications)
  • Theft of hardware, software, data
  • Terrorists, both political and information
  • Software bugs, viruses, malicious code, spam, mail bombs
  • Strikes, labor, and union problems
  • Hackers, internal/external
  • Inflammatory Usenet, Internet, and Web postings
  • Employee illness, death
  • Outbreak, epidemic

  25. Risk Management Program
  • Establish Information Risk Management (IRM) policy
  • Establish and fund an IRM team
  • Establish IRM methodology and tools
  • Purchase tools, learn to use them
  • Identify and measure risks:
    • Project sizing (scope, constraints)
    • Threat analysis
    • Asset identification and valuation
    • Vulnerability analysis (identification of all vulnerabilities that could increase the frequency or impact of a threat)
    • Risk evaluation (ALE evaluation)

  26. Risk Program (continued)
  • Establish risk acceptance criteria.
    • Guideline: “ALE > $500k is not acceptable”
  • Mitigate risk.
    • Safeguard selection and mitigation analysis: evaluate safeguards and the degree to which they mitigate the risk
    • Cost-benefit analysis: Benefit – Cost = Yield
  • Monitor IRM performance.
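The quantitative chain from slides 19 through 26 (SLE = AV × EF, ALE = SLE × ARO, the “ALE > $500k” acceptance guideline, and Benefit – Cost = Yield for a safeguard) as an added Python example; this code and its sample asset, threat and safeguard values are constructed for illustration and are not part of the original deck.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # asset value (AV), in dollars


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # EF: fraction of asset value lost per event (0..1)
    aro: float              # annualized rate of occurrence (events per year)


@dataclass(frozen=True)
class Safeguard:
    name: str
    effectiveness: float    # safeguard effectiveness: fraction of risk removed (0..1)
    annual_cost: float      # annualized cost of the safeguard, in dollars


ACCEPTABLE_ALE = 500_000.0  # slide 26 guideline: "ALE > $500k is not acceptable"


def sle(asset, threat):
    """Single Loss Expectancy = Asset Value x Exposure Factor."""
    return asset.value * threat.exposure_factor


def ale(asset, threat):
    """Annualized Loss Expectancy = SLE x ARO."""
    return sle(asset, threat) * threat.aro


def risk_acceptable(ale_value):
    """Apply the risk acceptance criterion from slide 26."""
    return ale_value <= ACCEPTABLE_ALE


def evaluate_safeguard(asset, threat, safeguard):
    """Mitigation analysis plus cost-benefit analysis for one safeguard.

    Residual ALE assumes the safeguard removes `effectiveness` of the annual
    loss; Benefit is the ALE reduction and Yield = Benefit - Cost (slide 26).
    """
    before = ale(asset, threat)
    after = before * (1.0 - safeguard.effectiveness)
    benefit = before - after
    return {
        "ale_before": before,
        "ale_after": after,
        "benefit": benefit,
        "yield": benefit - safeguard.annual_cost,
        "residual_acceptable": risk_acceptable(after),
    }


if __name__ == "__main__":
    # Constructed sample values (not from the deck): a $5M data center exposed
    # to flooding that destroys 40% of its value roughly 3 times a decade.
    dc = Asset("data center", 5_000_000)
    flood = Threat("flood", exposure_factor=0.4, aro=0.3)
    barrier = Safeguard("flood barrier", effectiveness=0.8, annual_cost=150_000)
    print(f"ALE = ${ale(dc, flood):,.0f}; acceptable: {risk_acceptable(ale(dc, flood))}")
    print(evaluate_safeguard(dc, flood, barrier))
```

A negative yield means the safeguard costs more per year than the loss it prevents, which answers slide 18's “Is it worth the cost?” directly.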

  27. Qualitative vs. Quantitative
  • Quantitative – More objective. Numbers are assigned to risks.
  • Qualitative – Simple calculations. Subjective. Uses ordinal ranking.

  28. Agenda • Policies and Procedures • Risk Management • Information Classification • Employment Policies and Practices • Security Awareness • Standards

  29. Information Classification Objective - To ensure that information assets receive an appropriate level of protection.

  30. Common Schemes
  Common classification schemes, ranked highest to lowest:
  • Commercial Business: Secret, Confidential, Private or Sensitive, Public
  • Military: Top Secret, Secret, Confidential, Sensitive but unclassified, Unclassified
  Other levels in use:
  • Client-Attorney privilege
  • Client-Supplier privilege
  • Eyes Only
  • Officers Only
  • Company Confidential

  31. DoD Classification Scheme
  • Top Secret - Most sensitive business information. Intended strictly for use within the organization. Unauthorized disclosure could seriously and adversely impact the company, stockholders, business partners, or customers.
  • Secret - Less sensitive business information. Intended for use within a company. Unauthorized disclosure could adversely impact the company, stockholders, business partners, or customers.
  • Confidential - Personal information intended for use within the company. Unauthorized disclosure could adversely impact the company or its employees.
  • Unclassified - All other information that does not clearly fit into any of the above classifications. Unauthorized disclosure isn’t expected to seriously or adversely impact the company.

  32. SLB Classification Scheme (diagram: classes listed from least to most confidential; more security controls apply as confidentiality increases)
  • Public – Information made available to clients and third parties.
  • Private – Information made available to company employees and contractors as part of routine business. Disclosure would compromise company interest or cause embarrassment or difficulty for employees.
  • Confidential – Information which would be prejudicial to the interests of the company if disclosed, or whose disclosure would cause embarrassment or difficulty for the company.
  • Secret – Information that provides a significant competitive edge, that shows specific business strategies, or that is essential to the technical or financial success of a product or service.

  33. Mapping Protection to Value
  A classification scheme should ensure that protection levels are commensurate with the value of the information or system being protected.
  • Procedures and protection tools should be defined for each class.
  • Reporting rules map to loss levels such as Catastrophic, Major, Serious, Light.
  • Each division in a company should classify its own information.
  (Diagram: total volume of information and associated security labels, SECRET, CONFIDENTIAL, PRIVATE, PUBLIC.)

  34. SLB Definition: Secret
  Information that provides the company with a significant competitive edge, shows specific business strategies, or is essential to technical and financial success. Disclosure would cause serious damage to the company.
  • Relates to a significant acquisition/divestment project
  • Could affect share price
  • Highly sensitive politically or legally
  • Potential loss greater than $1M
  • Concerns a major reorganization or has high staff impact

  35. SLB Definition: Confidential
  Information that would be prejudicial to the interests of the Company. Disclosure would cause embarrassment or difficulty for the company or its employees.
  • Client information
  • Personnel-related information
  • Detailed technical information (e.g. tool maintenance manuals)
  • P&L reports
  • Potential loss exceeds $25K

  36. SLB Definition: Private
  Information available to company employees and selected third parties (e.g. contractors, vendors) ONLY as a part of routine business.
  • Intra-company email which is not restricted or confidential
  • Instruction manuals, equipment catalogs
  • Personnel directory
  • Some training materials

  37. Defining Sensitive Data
  Sensitive data varies between companies, but may include:
  • Hardware designs, drawings
  • New technologies, marketing documents
  • Information about mergers or acquisitions
  • Marketing information that gives a competitive advantage
  • Legal records
  • Private records about individuals

  38. Classification Objectives
  • Minimize risks from:
    • Destruction
    • Modification
    • Disclosure
  • Comply with legal requirements
    • Privacy laws
  • Safeguard commercial interests
  • Maintain competitive edge

  39. MAC Classification
  • In mandatory access control systems, every subject and object in a system has a sensitivity label and a set of categories, written as: classification [category]
  • Examples:
    • Top Secret - CEO, CFO, board members
    • Confidential - internal employees, auditors
  • The function of categories is that even someone with the highest classification is not automatically cleared to see all information at that level. This supports the need-to-know concept.
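The label comparison behind slide 39, as an added Python example that is not from the deck: a subject may read an object only when the subject's label dominates the object's label, i.e. its classification is at least as high and it holds every category on the object. The level ordering table (taken from the military scheme on slide 30), the `classification [category, ...]` parser, and the sample labels are constructed here.

```python
import re
from dataclasses import dataclass

# Sensitivity levels ordered lowest to highest (military scheme from the
# "Common Schemes" slide; the ordering table itself is constructed here).
LEVELS = ["Unclassified", "Sensitive but unclassified", "Confidential",
          "Secret", "Top Secret"]
RANK = {level: i for i, level in enumerate(LEVELS)}

# 'classification [category, category]'; the bracket part is optional.
LABEL_RE = re.compile(r"^\s*([^\[\]]+?)\s*(?:\[([^\]]*)\])?\s*$")


@dataclass(frozen=True)
class Label:
    """A sensitivity label: one classification plus a set of categories."""
    classification: str
    categories: frozenset

    def __post_init__(self):
        if self.classification not in RANK:
            raise ValueError(f"unknown classification: {self.classification!r}")


def parse_label(text):
    """Parse the slide's notation, e.g. 'Secret [Finance, Mergers]'."""
    m = LABEL_RE.match(text)
    if not m:
        raise ValueError(f"malformed label: {text!r}")
    cats = {c.strip() for c in (m.group(2) or "").split(",") if c.strip()}
    return Label(m.group(1), frozenset(cats))


def dominates(a, b):
    """a dominates b when a's level >= b's level and a's categories
    are a superset of b's categories."""
    return (RANK[a.classification] >= RANK[b.classification]
            and a.categories >= b.categories)


def can_read(subject, obj):
    """Read access requires the subject's label to dominate the object's.
    A top clearance alone is not enough: a missing category denies access,
    which is how the label enforces need-to-know."""
    return dominates(subject, obj)


if __name__ == "__main__":
    ceo = parse_label("Top Secret [Finance, Mergers]")
    auditor = parse_label("Confidential [Finance]")
    ledger = parse_label("Secret [Finance]")
    deal_memo = parse_label("Top Secret [Mergers]")
    print(can_read(ceo, ledger), can_read(auditor, ledger))          # True False
    print(can_read(parse_label("Top Secret [Finance]"), deal_memo))  # False
```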

  40. Data Classification Issues
  • In a commercial setting, the person who created or updated the information is responsible for assigning data classification labels.
  • With the exception of general business correspondence, all externally-provided, non-public information must have a classification label.
  • All tape reels, floppy disks, and other storage media containing secret, confidential, or private information must be externally labelled with the appropriate classification.
  • Holders of sensitive information must take appropriate steps to ensure that these materials are not available to unauthorized persons.

  41. Classification Limitations • Ability of classifier • Ethics of custodian • Activity of administrator

  42. Classification Benefits
  • Data confidentiality, integrity, and availability are improved, since appropriate controls are used throughout the enterprise.
  • Protection mechanisms are maximized.
  • A process exists to review the values of company business data.
  • Decision quality is increased, since the quality of the data upon which the decision is being made has been improved.
  • Sensitivity to modification.

  43. Classification Problems • Data aggregation • Attacks or malicious code

  44. Agenda • Policies and Procedures • Risk Management • Information Classification • Employment Policies and Practices • Security Awareness • Standards

  45. Employment Practices
  Background checks and security clearances:
  • Checking public records provides critical information needed to make the best hiring decision.
  • Conducting these checks (often fairly simple) verifies that application information is current and true, and gives the employer an immediate measurement of an applicant’s integrity.

  46. Background Checks
  What background checks can protect against:
  • Lawsuits from terminated employees
  • Unqualified employees
  • Lost business and profits
  • Time wasted recruiting, hiring, and training
  • Theft, embezzlement, or property damage
  • Money lost to recruiters’ fees or signing bonuses
  • Negligent hiring lawsuits (e.g. from customers)
  • Decrease in employee morale
  • Workplace violence or sexual harassment suits

  47. Who to Check
  • Employee background checks should be performed according to the sensitivity of the position.
  • Include those responsible for:
    • Firewall administration
    • E-commerce management
    • Kerberos administration
    • SecurID and password usage
    • PKI and certificate management
    • Router administration

  48. What to Check For
  For applicants:
  • Credit report
  • SSN searches
  • Workers compensation reports
  • Criminal records
  • Motor vehicle report
  • Education verification and credential confirmation
  • Reference checks
  • Prior employer verification

  49. Military Security Clearance
  A defense security clearance is generally only requested for individuals in the following categories, whose employment involves access to sensitive government assets:
  • Members of the military
  • Civilian employees working for the Department of Defense or other government agencies
  • Employees of government contractors

  50. DoD Review
  A Department of Defense review, more correctly known as a personnel security investigation, comprises the following:
  • Search of investigative files and other records held by federal agencies (including the FBI) and, if appropriate, overseas countries
  • Financial check
  • Field interviews of references (in writing, by telephone, or in person), including coworkers, employers, personal friends, educators, neighbors, and other individuals, as appropriate
  • Personal interview with the applicant conducted by an investigator
