
Chapter 3 Information Security Program(me) Management






Presentation Transcript


  1. 2004 CISM™ Review Course Chapter 3 Information Security Program(me) Management

  2. Chapter 3: Objective Provide the CISM candidate with an understanding of how to “Design, develop and manage an information security program(me) to implement the information security governance framework.”

  3. Chapter 3: Tasks
     • Create and maintain plans to implement the information security governance framework.
     • Develop information security baseline(s).
     • Develop procedures and guidelines to ensure business processes address information security risk.
     • Develop procedures and guidelines for IT infrastructure activities to ensure compliance with information security policies.
     • Integrate information security program requirements into the organization’s life cycle activities.

  4. Chapter 3: Tasks (cont.)
     • Develop methods of meeting information security policy requirements that take into account the impact on end users.
     • Promote accountability by business process owners and other stakeholders in managing information security risks.
     • Establish metrics to manage the information security governance framework.
     • Ensure that internal and external resources for information security are identified, appropriated and managed.

  5. Chapter 3: Summary According to the CISM Certification Board, this area will represent approximately 21% of the CISM examination (approximately 42 questions).

  6. Chapter 3: Overview To retain a competitive advantage and to meet basic business requirements, organizations must:
     • Ensure the integrity of the information stored on their computer systems
     • Preserve the confidentiality of sensitive data
     • Ensure the continued availability of their information systems
     • Ensure conformity to laws, regulations and standards

  7. Chapter 3: Overview Key elements of information security management:
     • Policies and procedures
     • Organization

  8. Chapter 3: Overview Positions with information security responsibilities include:
     • Executive management
     • Security committee
     • Data owners
     • Process owners
     • IT developers
     • Security specialists/advisors
     • Users

  9. Create and Maintain Plans Task 1: Creating and maintaining plans to implement the information security governance framework
     • The information security manager needs to develop a plan to:
       • Define the framework
       • Gain approval for the framework from senior management
       • Implement the information security governance framework
       • Monitor its progress and make changes as required

  10. Create and Maintain Plans The governance framework also should include the development and implementation of the security policy, security standards and guidelines.

  11. Create and Maintain Plans To create and maintain plans to implement the information security governance framework, the information security manager should have knowledge of:
     • Methods to develop an implementation plan that meets security requirements identified in risk analyses
     • Project management methods and techniques

  12. Methods to Develop an Implementation Plan
     • The information security manager should develop a plan for implementation of the security procedures to protect the information resources.
     • The information security manager can use consultants to develop the plan or develop it internally.

  13. Methods to Develop an Implementation Plan
     • The plan should be based on best practices
     • Having a matrix in place to record how each information resource will be protected will enable the information security manager to address the completeness of the implementation plan and make changes during this planning stage
     • Making changes during the implementation stage is less costly and more effective
     • Performance measures should be built into the plan

  14. Project Management Methods and Techniques The information security manager:
     • Must have strong project management capabilities
     • Should use existing organizational project management procedures
     • Benefits from the ability to set goals, measure progress, track deadlines, and assign responsibilities in a controlled and repeatable manner
     • Enhances effectiveness by using professional standards and certifications in the project management field

  15. Security Baselines Task 2: Develop information security baseline(s).
     • Developing information security baselines defines the minimum acceptable security that will be implemented to protect information resources.
     • Baselines are commonly defined by technology organizations, including hardware and software vendors.

  16. Security Baselines Common sources for overall security baselines are:
     • ISO/IEC 17799 and BS 7799
     • The President’s Critical Infrastructure Protection Board’s “National Strategy to Secure Cyberspace” report. This report outlines over 70 recommendations for security.

  17. Security Baselines To develop information security baselines, the information security manager should have knowledge of:
     • Security baselines and configuration management in the design and management of business applications and the infrastructure

  18. Security Baselines and Configuration Management
     • As the organization’s business applications and infrastructure are implemented across the enterprise, the complexity of incorporating security post-implementation increases
     • Therefore, security baselines (and the security policy) and configuration management should be integrated into the design and management of business applications and the infrastructure

  19. Security Baselines and Configuration Management Integrating baselines and configuration management in this way:
     • Decreases the risk that any new or changed applications or infrastructure changes may otherwise impose on the organization’s information resources
     • Reduces the amount of exposure that the organization faces when it makes changes
     • Enables the information security manager to focus on enhancing and improving security rather than spending resources addressing vulnerabilities that occur through careless application or infrastructure changes
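A baseline states the minimum acceptable setting for each control (slide 15), and configuration management means every change is checked against it (slides 18 and 19). The following added example, not part of the CISM course material, shows what such a check looks like in code: the control names, operators and values are constructed, hypothetical examples, and a control that is simply absent from the observed configuration is reported as a deviation rather than passed, because "unknown" cannot meet a minimum.

```python
from dataclasses import dataclass

# Constructed baseline (hypothetical control names and values).
# Operators: "eq" exact value, "min"/"max" numeric floor/ceiling,
# "in" one of an allowed set. Each entry is the minimum acceptable setting.
BASELINE = {
    "ssh.password_auth":      ("eq", "no"),
    "ssh.protocol":           ("eq", 2),
    "password.min_length":    ("min", 12),
    "session.idle_timeout_m": ("max", 15),
    "tls.version":            ("in", {"1.2", "1.3"}),
    "audit.enabled":          ("eq", True),
}

@dataclass
class Finding:
    control: str
    expected: str
    observed: object
    reason: str

def _meets(op, expected, value):
    """Return True when the observed value satisfies one baseline rule."""
    if op == "eq":
        return value == expected
    if op == "min":
        return isinstance(value, (int, float)) and value >= expected
    if op == "max":
        return isinstance(value, (int, float)) and value <= expected
    if op == "in":
        return value in expected
    raise ValueError(f"unknown operator {op}")

def evaluate_baseline(baseline, observed):
    """Compare an observed configuration against the baseline.

    Returns the list of deviations, in baseline order. A control missing
    from the observed configuration is itself a deviation: the baseline
    defines the minimum, so an unconfigured control is not compliant.
    """
    findings = []
    for control, (op, expected) in baseline.items():
        if control not in observed:
            findings.append(Finding(control, f"{op} {expected}", None, "not configured"))
            continue
        value = observed[control]
        if not _meets(op, expected, value):
            findings.append(Finding(control, f"{op} {expected}", value, "below baseline"))
    return findings

def is_compliant(baseline, observed):
    """True only when no control deviates from the baseline."""
    return not evaluate_baseline(baseline, observed)
```

Run over the configuration captured from a change request before it is approved, the findings list is the evidence the change either keeps the system at the baseline or needs rework before deployment.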

  20. Business Processes Task 3: Developing procedures and guidelines to ensure business processes address information security risk
     • The most effective program for information security is one in which security is considered within each business process
     • Through awareness and security policies the information security manager should work to have security considered continuously

  21. Business Processes The information security manager should work with process owners to:
     • Ensure that information security is considered
     • Understand the issues
     • Enable an appropriate level of security procedures to be designed and implemented

  22. Business Processes
     • The information security manager should work with business leaders to institute regular meetings with business process owners
     • This approach should be documented in a guideline that can be accepted and supported by senior management

  23. Business Processes To develop procedures and guidelines to ensure business processes address information security risk, the information security manager should have knowledge of:
     • Security procedures and guidelines for business processes and infrastructure activities

  24. Security Procedures and Guidelines
     • Knowledge of security procedures and guidelines for business processes enables the information security manager to better address risk
     • Business processes and infrastructure activities have inherent risk that the information security program seeks to mitigate
     • With knowledge of the business processes and infrastructure, the information security manager can better design the security program and measure its effectiveness

  25. IT Infrastructure Activities Task 4: Developing procedures and guidelines for IT infrastructure activities to ensure compliance with information security policies
     • Generally accepted areas of IT infrastructure include:
       • Process
       • Physical
       • Platform
       • Network

  26. IT Infrastructure Activities
     • Within each infrastructure area the goals of information confidentiality, integrity and availability must be considered and represented
     • The information security manager needs to develop the procedures and guidelines within each IT infrastructure area to meet the organization’s overall security policy

  27. IT Infrastructure Activities
     • Process: the security policy and overall governance are included
     • Physical: basic security, such as identification badges, security cameras, security guards, locks, sensors and backup power sources, and authentication devices, such as biometric components, are included
     • Platform: operating system security, application-level security, virus detection etc. are included
     • Network: firewalls, routers, switches, remote access (including VPNs) and any devices that monitor and restrict information traveling over the network are included

  28. IT Infrastructure Activities To develop procedures and guidelines for IT infrastructure activities to ensure compliance with information security policies, the information security manager should have knowledge of:
     • Information security architectures (e.g., single sign-on, rules-based as opposed to list-based system access control for systems, limited points of systems administration)
     • Information security technologies (e.g., cryptographic techniques and digital signatures) to enable management to select appropriate controls

  29. Information Security Architectures Organizations have rarely addressed security comprehensively and across the enterprise. The information security manager, therefore, needs to have knowledge of the various information security architectures, including:
     • Identity management (rules based)
     • Single sign-on
     • List-based system access
     • Points of systems administration
     • Managed security
     • Open systems
     • Closed systems

  30. Information Security Technologies The information security manager should be aware of current proven security technologies so that appropriate security measures can be employed. Several of these technologies include:
     • Firewalls
     • Network security (routers, switches)
     • Intrusion detection systems (IDS)
     • Cryptographic techniques (PKI, DES, etc.)
     • Digital signatures
     • Application security
     • Remote access (VPNs, etc.)
     • Smart cards

  31. Information Security Technologies
     • The information security manager should be aware of emerging security technologies and techniques
     • There is a great deal of research in the area of information security
     • New tools are continuously being developed
     • Individuals who attack information resources are continuously developing their techniques to circumvent today’s security procedures

  32. Information Security Technologies Telecommunications infrastructure
     • Telecommunications
     • Telecommunications networks
     • Telecommunications infrastructure
     • Types of networks

  33. Information Security Technologies Telecommunications infrastructure
     • Network services
       • File sharing
       • E-mail services
       • Print services
       • Terminal emulation services
       • Directory service
       • Network management

  34. Information Security Technologies
     • Network standards and protocols
     • International organizations developing standards:
       • International Organization for Standardization (ISO)
       • Institute of Electrical and Electronics Engineers (IEEE)
       • International Telecommunication Union Telecommunication Standardization Sector (ITU-T, formerly CCITT)

  35. Information Security Technologies Network standards and protocols
     • ISO/OSI Model
       • Application layer
       • Presentation layer
       • Session layer
       • Transport layer
       • Network layer
       • Data link layer
       • Physical layer

  36. Information Security Technologies Internet
     • Comprises networks that connect to one another via pathways
     • Facilitates the exchange of information, data and files
     • Provides access through these pathways to other computers connected to the Internet

  37. Information Security Technologies TCP/IP
     • TCP/IP Internet world wide web services
     • Other Internet non-web based services and terminology

  38. Information Security Technologies SNMP protocol
     • Used in TCP/IP-based networks
     • Provides a means to monitor and control network devices and to manage configuration, performance and security

  39. Information Security Technologies Network infrastructure components
     • Repeaters
     • Hubs
     • Bridges
     • Switches
     • Routers
     • Brouters
     • Gateways
     • Multiplexers

  40. Information Security Technologies Network infrastructure components
     • Front end communications processor (FECP)
     • Protocol converter
     • Spooling
     • Buffers
     • Modems

  41. Information Security Technologies Telecommunication links or lines
     • Private single-use networks
     • Private networks inter-linking systems
     • Private shared networks
     • Limited public networks
     • Nationwide public networks
     • International public networks

  42. Information Security Technologies Message transmission techniques:
     • Line (circuit) switching
     • Message switching
     • Packet switching

  43. Information Security Technologies Transmission media
     • Copper (twisted pair) circuits
     • Coaxial cables
     • Fiber optic systems
     • Radio systems
     • Microwave radio systems
     • Satellite radiolink systems

  44. Information Security Technologies Transmission media attributes
     • Baseband
     • Broadband
     • Attenuation
     • Delay distortion
     • Noise

  45. Information Security Technologies Network operating systems
     • Provide functions such as:
       • Supporting terminal access to remote hosts
       • Handling file transfer between hosts
       • Handling inter-user communications
     • Network administrator

  46. Information Security Technologies Local area networks (LANs)
     • Main components of a LAN:
       • User workstations
       • Servers
       • Network software
       • Applications
       • Cabling and transmission media

  47. Information Security Technologies LAN network topologies
     • Bus
     • Ring
     • Star
     • Completely connected (mesh)

  48. Information Security Technologies LAN technologies
     • Ethernet
     • Token ring network
     • FDDI (variant of token ring)

  49. Information Security Technologies Media access control methods
     • Carrier-sense multiple access with collision detection (CSMA/CD)
       • Waiting for the idle channel to transmit
       • Listening for collisions
       • If a collision is detected, the transmission is halted
       • Retransmitting after a random period of time or with some unique delay
     • Token passing

  50. Information Security Technologies LAN technology selection criteria
     • What are the applications
     • What are the bandwidth needs
     • What is the budget
     • What are the remote management needs
