2004 CISM™ Review Course Chapter 3 Information Security Program(me) Management
Chapter 3: Objective
Provide the CISM candidate with an understanding of, and the knowledge of how to, “Design, develop and manage an information security program(me) to implement the information security governance framework.”
Chapter 3: Tasks
• Create and maintain plans to implement the information security governance framework.
• Develop information security baseline(s).
• Develop procedures and guidelines to ensure business processes address information security risk.
• Develop procedures and guidelines for IT infrastructure activities to ensure compliance with information security policies.
• Integrate information security program requirements into the organization’s life cycle activities.
Chapter 3: Tasks (cont.)
• Develop methods of meeting information security policy requirements that take into account the impact on end users.
• Promote accountability by business process owners and other stakeholders in managing information security risks.
• Establish metrics to manage the information security governance framework.
• Ensure that internal and external resources for information security are identified, appropriated and managed.
Chapter 3: Summary According to the CISM Certification Board, this area will represent approximately 21% of the CISM examination (approximately 42 questions)
Chapter 3: Overview
To retain a competitive advantage and to meet basic business requirements, organizations must:
• Ensure the integrity of the information stored on their computer systems
• Preserve the confidentiality of sensitive data
• Ensure the continued availability of their information systems
• Ensure conformity to laws, regulations and standards
Chapter 3: Overview
Key elements of information security management:
• Policies and procedures
• Organization
Chapter 3: Overview
Positions with information security responsibilities include:
• Executive management
• Security committee
• Data owners
• Process owners
• IT developers
• Security specialists/advisors
• Users
Create and Maintain Plans
Task 1: Creating and maintaining plans to implement the information security governance framework
• The information security manager needs to develop a plan to:
• Define the framework
• Gain approval for the framework from senior management
• Implement the information security governance framework
• Monitor its progress and make changes as required
Create and Maintain Plans
The governance framework should also include the development and implementation of the security policy, security standards and guidelines.
Create and Maintain Plans
To create and maintain plans to implement the information security governance framework, the information security manager should have knowledge of:
• Methods to develop an implementation plan that meets security requirements identified in risk analyses
• Project management methods and techniques
Methods to Develop an Implementation Plan
• The information security manager should develop a plan for implementation of the security procedures that protect the information resources.
• The information security manager can engage consultants or develop the plan internally.
Methods to Develop an Implementation Plan
• The plan should be based on best practices
• Having a matrix in place that records how each information resource will be protected enables the information security manager to assess the completeness of the implementation plan and make changes during the planning stage
• Making changes during the planning stage is less costly and more effective than making them after implementation
• Performance measures should be built into the plan
Project Management Methods and Techniques
The information security manager:
• Must have strong project management capabilities
• Should use existing organizational project management procedures
• Benefits from the ability to set goals, measure progress, track deadlines and assign responsibilities in a controlled and repeatable manner
• Enhances effectiveness by using professional standards and certifications in the project management field
Security Baselines
Task 2: Develop information security baseline(s).
• Developing information security baselines defines the minimum acceptable security that will be implemented to protect information resources.
• Baselines are commonly defined by technology organizations, including hardware and software vendors.
Security Baselines
Common sources for overall security baselines are:
• ISO/IEC 17799 and BS 7799
• The President’s Critical Infrastructure Protection Board’s “National Strategy to Secure Cyberspace” report. This report outlines over 70 recommendations for security.
Security Baselines
To develop information security baselines, the information security manager should have knowledge of:
• Security baselines and configuration management in the design and management of business applications and the infrastructure
Security Baselines and Configuration Management
• As the organization’s business applications and infrastructure are implemented across the enterprise, the complexity of incorporating security post-implementation increases
• Therefore, security baselines (and the security policy) and configuration management should be integrated into the design and management of business applications and the infrastructure
Security Baselines and Configuration Management
• This integration decreases the risk that new or changed applications or infrastructure changes may otherwise impose on the organization’s information resources
• It reduces the amount of exposure that the organization faces when it makes changes
• It enables the information security manager to focus on enhancing and improving security rather than spending resources addressing vulnerabilities introduced by careless application or infrastructure changes
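A baseline is only useful if it is checked against what is actually deployed. The following script is an added example, not part of the CISM course or any vendor baseline; it shows how a security baseline (the "minimum acceptable security" above) can be expressed as data and compared against host configurations as part of configuration management. The control names, severities and the two host configurations are constructed for illustration.

```python
"""Added example (not from the CISM course): compare host configurations
against a security baseline and report deviations by severity.
The control names, severities and host data below are constructed."""
from dataclasses import dataclass

# Constructed baseline: each control names the required value and a severity.
# "compare": "ge" means the actual value must be at least the required one.
BASELINE = {
    "ssh.password_auth":   {"required": False, "severity": "high"},
    "ssh.protocol":        {"required": 2,     "severity": "high"},
    "password.min_length": {"required": 12,    "severity": "medium", "compare": "ge"},
    "audit.enabled":       {"required": True,  "severity": "high"},
    "ntp.enabled":         {"required": True,  "severity": "low"},
}


@dataclass
class Deviation:
    host: str
    control: str
    expected: object
    actual: object      # None when the setting is absent from the host config
    severity: str


def check_host(host, config, baseline=BASELINE):
    """Return the list of baseline controls that `config` fails to meet."""
    deviations = []
    for control, spec in baseline.items():
        actual = config.get(control)
        if spec.get("compare") == "ge":
            ok = actual is not None and actual >= spec["required"]
        else:
            ok = actual == spec["required"]
        if not ok:
            deviations.append(Deviation(host, control, spec["required"],
                                        actual, spec["severity"]))
    return deviations


def summarize(deviations):
    """Count deviations per severity so the manager can prioritise remediation."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for d in deviations:
        counts[d.severity] += 1
    return counts


def compliance_score(deviations, hosts, baseline=BASELINE):
    """Percentage of (host, control) pairs that meet the baseline."""
    total = len(baseline) * hosts
    return round(100 * (total - len(deviations)) / total, 1)


# Constructed host configurations, as a configuration-management agent might
# collect them. db01 still allows SSH passwords, has a short password
# policy and has no NTP setting recorded at all.
HOSTS = {
    "web01": {"ssh.password_auth": False, "ssh.protocol": 2,
              "password.min_length": 14, "audit.enabled": True, "ntp.enabled": True},
    "db01":  {"ssh.password_auth": True, "ssh.protocol": 2,
              "password.min_length": 8, "audit.enabled": True},
}


def run_all(hosts=HOSTS, baseline=BASELINE):
    """Check every host and return all deviations found."""
    findings = []
    for name, cfg in hosts.items():
        findings.extend(check_host(name, cfg, baseline))
    return findings


if __name__ == "__main__":
    found = run_all()
    for d in found:
        print(f"{d.host}: {d.control} expected {d.expected!r}, got {d.actual!r} [{d.severity}]")
    print("summary:", summarize(found),
          "score:", compliance_score(found, hosts=len(HOSTS)))
```

Treating a missing setting as a deviation (rather than silently passing it) is the point of the `actual is None` handling: a host that has never had the control configured is not compliant, and a baseline check that ignores absent keys would hide exactly the careless changes the slides warn about.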
Business Processes
Task 3: Developing procedures and guidelines to ensure business processes address information security risk
• The most effective program for information security is one in which security is considered within each business process
• Through awareness and security policies, the information security manager should work to have security considered continuously
Business Processes
The information security manager should work with process owners to:
• Ensure that information security is considered
• Understand the issues
• Enable an appropriate level of security procedures to be designed and implemented
Business Processes
The information security manager should work with business leaders to institute regular meetings with business process owners
• This approach should be documented in a guideline that can be accepted and supported by senior management
Business Processes
To develop procedures and guidelines to ensure business processes address information security risk, the information security manager should have knowledge of:
• Security procedures and guidelines for business processes and infrastructure activities
Security Procedures and Guidelines
• Knowledge of security procedures and guidelines for business processes enables the information security manager to better address risk
• Business processes and infrastructure activities have inherent risk that the information security program seeks to mitigate
• With knowledge of the business processes and infrastructure, the information security manager can better design the security program and measure its effectiveness
IT Infrastructure Activities
Task 4: Developing procedures and guidelines for IT infrastructure activities to ensure compliance with information security policies
• Generally accepted areas of IT infrastructure include:
• Process
• Physical
• Platform
• Network
IT Infrastructure Activities
• Within each infrastructure area the goals of information confidentiality, integrity and availability must be considered and represented
• The information security manager needs to develop the procedures and guidelines within each IT infrastructure area to meet the organization’s overall security policy
IT Infrastructure Activities
Process
• The security policy and overall governance are included
Physical
• Basic security, such as identification badges, security cameras, security guards, locks, sensors and backup power sources, and authentication devices such as biometric components, are included
Platform
• Operating system security, application-level security, virus detection, etc. are included
Network
• Firewalls, routers, switches, remote access (including VPNs) and any devices that monitor and restrict information travelling over the network are included
IT Infrastructure Activities
To develop procedures and guidelines for IT infrastructure activities to ensure compliance with information security policies, the information security manager should have knowledge of:
• Information security architectures (e.g., single sign-on, rules-based as opposed to list-based system access control, limited points of systems administration)
• Information security technologies (e.g., cryptographic techniques and digital signatures) to enable management to select appropriate controls
Information Security Architectures
Organizations rarely have addressed security comprehensively and across the enterprise. The information security manager, therefore, needs to have knowledge of the various information security architectures, including:
• Identity management (rules based)
• Single sign-on
• List-based system access
• Points of systems administration
• Managed security
• Open systems
• Closed systems
Information Security Technologies
The information security manager should be aware of current proven security technologies so that appropriate security measures can be employed. Several of these technologies include:
• Firewalls
• Network security (routers, switches)
• Intrusion detection systems (IDS)
• Cryptographic techniques (PKI, DES, etc.)
• Digital signatures
• Application security
• Remote access (VPNs, etc.)
• Smart cards
Information Security Technologies
• The information security manager should be aware of emerging security technologies and techniques
• There is a great deal of research in the area of information security
• New tools are continuously being developed
• Individuals who attack information resources are continuously developing their techniques to circumvent today’s security procedures
Information Security Technologies
Telecommunications infrastructure
• Telecommunications
• Telecommunications networks
• Telecommunications infrastructure
• Types of networks
Information Security Technologies
Telecommunications infrastructure
• Network services
• File sharing
• E-mail services
• Print services
• Terminal emulation services
• Directory service
• Network management
Information Security Technologies
• Network standards and protocols
• International organizations developing standards
• International Organization for Standardization (ISO)
• Institute of Electrical and Electronics Engineers (IEEE)
• International Telecommunications Union-Telecommunications Sector (ITU-T, formerly CCITT)
Information Security Technologies
Network standards and protocols
• ISO/OSI Model
• Application layer
• Presentation layer
• Session layer
• Transport layer
• Network layer
• Data link layer
• Physical layer
Information Security Technologies
Internet
• Comprises networks that connect to one another via pathways
• Facilitates the exchange of information, data and files
• Provides access through these pathways to other computers connected to the Internet
Information Security Technologies
TCP/IP
• TCP/IP Internet World Wide Web services
• Other Internet non-web-based services and terminology
Information Security Technologies
SNMP protocol
• Used in TCP/IP-based networks
• Provides a means to monitor and control network devices and to manage configuration, performance and security
Information Security Technologies
Network infrastructure components
• Repeaters
• Hubs
• Bridges
• Switches
• Routers
• Brouters
• Gateways
• Multiplexors
Information Security Technologies
Network infrastructure components
• Front end communications processor (FECP)
• Protocol converter
• Spooling
• Buffers
• Modems
Information Security Technologies
Telecommunication links or lines
• Private single-use networks
• Private networks inter-linking systems
• Private shared networks
• Limited public networks
• Nationwide public networks
• International public networks
Information Security Technologies
Message transmission techniques:
• Line (circuit) switching
• Message switching
• Packet switching
Information Security Technologies
Transmission media
• Copper (twisted pair) circuits
• Coaxial cables
• Fiber optic systems
• Radio systems
• Microwave radio systems
• Satellite radiolink systems
Information Security Technologies
Transmission media attributes
• Baseband
• Broadband
• Attenuation
• Delay distortion
• Noise
Information Security Technologies
Network operating systems
• Provide functions such as:
• Supporting terminal access to remote hosts
• Handling file transfer between hosts
• Handling inter-user communications
• Network administrator
Information Security Technologies
Local area networks (LANs)
• Main components of a LAN:
• User workstations
• Servers
• Network software
• Applications
• Cabling and transmission media
Information Security Technologies
LAN network topologies
• Bus
• Ring
• Star
• Completely connected (mesh)
Information Security Technologies
LAN technologies
• Ethernet
• Token ring network
• FDDI (variant of token ring)
Information Security Technologies
Media access control methods
• Carrier-sense multiple access with collision detection (CSMA/CD)
• Waiting for the channel to be idle before transmitting
• Listening for collisions while transmitting
• If a collision is detected, the transmission is halted
• Retransmitting after a random period of time or with some unique delay
• Token passing
Information Security Technologies
LAN technology selection criteria
• What are the applications
• What are the bandwidth needs
• What is the budget
• What are the remote management needs
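The CSMA/CD steps listed under media access control (sense the channel, transmit when idle, detect a collision, stop, retry after a random delay) are easier to see in a small simulation. The following is an added example, not part of the CISM course: a slotted-time model in which every station has a frame ready at slot 0, so the first slot always produces a collision, and the random delay follows the truncated binary exponential backoff rule used by Ethernet (window doubling up to the 10th collision, frame abandoned after 16). Slot and frame lengths are abstract units chosen for the illustration.

```python
"""Added example (not from the CISM course): slotted simulation of CSMA/CD
with truncated binary exponential backoff. Slot and frame lengths are
abstract units; the attempt and backoff limits are Ethernet's."""
import random

ATTEMPT_LIMIT = 16   # Ethernet abandons a frame after 16 collisions
BACKOFF_LIMIT = 10   # the backoff window stops growing after the 10th collision


def backoff_slots(collisions, rng):
    """Random delay after the k-th collision: uniform in [0, 2**min(k, 10) - 1] slots."""
    k = min(collisions, BACKOFF_LIMIT)
    return rng.randrange(2 ** k)


def simulate(n_stations, frame_slots=3, seed=1, attempt_limit=ATTEMPT_LIMIT):
    """Return the event log [(slot, kind, station or stations)] for n stations
    that all have one frame ready at slot 0."""
    rng = random.Random(seed)
    wait = [0] * n_stations          # slots each station still has to wait
    collisions = [0] * n_stations    # collisions suffered by each station so far
    done = [False] * n_stations      # frame delivered or abandoned
    busy_until = 0                   # slot at which the medium becomes idle again
    events = []
    t = 0
    while not all(done):
        collided = set()
        if t >= busy_until:          # carrier sense: the medium is idle
            ready = [i for i in range(n_stations) if not done[i] and wait[i] == 0]
            if len(ready) == 1:      # a single sender: the frame goes through
                i = ready[0]
                events.append((t, "success", i))
                done[i] = True
                busy_until = t + frame_slots
            elif len(ready) > 1:     # collision detected: every sender stops
                events.append((t, "collision", tuple(ready)))
                for i in ready:
                    collisions[i] += 1
                    collided.add(i)
                    if collisions[i] >= attempt_limit:
                        events.append((t, "abort", i))   # give up on the frame
                        done[i] = True
                    else:
                        wait[i] = backoff_slots(collisions[i], rng)
        for i in range(n_stations):  # backoff timers of the other stations tick
            if not done[i] and i not in collided and wait[i] > 0:
                wait[i] -= 1
        t += 1
    return events


def delivered(events):
    """Stations whose frame was delivered, in order of success."""
    return [s for (_, kind, s) in events if kind == "success"]


if __name__ == "__main__":
    for slot, kind, who in simulate(3, seed=7):
        print(f"slot {slot:3d}: {kind:9s} {who}")
```

Stations whose backoff has expired while the medium is busy keep `wait == 0` and transmit as soon as the medium goes idle, which is the "waiting for the idle channel" step; the `attempt_limit` path shows the failure mode the slide does not mention, a frame that is dropped after too many collisions rather than retried forever.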