ISA 562 Internet Security Theory & Practice

Information Security Management

CISSP Topic 1


Objectives

Roles and responsibilities of individuals in a security program

Security planning in an organization

Security awareness in the organization

Differences between policies, standards, guidelines and procedures as related to security

Risk Management practices and tools


Purpose of information security is to protect an organization's valuable resources, such as information, hardware and software.

Should be designed to increase organizational success.

Information systems are often critical assets that support the mission of an organization

Information Security TRIAD

The overarching goals of information security are addressed through the AIC TRIAD.

IT Security Requirements - I

Security Solutions should be designed with two main focus areas:

1. Functional Requirements:

Defines security behavior of the control measures

Selected based on risk Assessment


They should not depend on another control:


They should fail safe by maintaining security of the system in the event of a failure:


IT Security Requirements -II

2. Assurance Requirements:

Provide confidence that security functions are performing as expected.

Examples :

Internal/External Audit.

Threat Risk Assessments

Third Party reviews

Compliance to best practices

3. Example for Functional vs. Assurance:

Functional requirement: a network firewall permits or denies traffic.

Assurance requirement: logs are generated and monitored


Organizational & Business Requirements

Focus on organizational mission:

Business driven

Depends upon organizational type:

Example: Military , government and commercial.

Must be sensible and cost effective

Solutions must be developed with due consideration of the mission and environment of business

IT Security Governance

Integral part of overall corporate governance:

Must be fully integrated into the overall risk-based threat analysis, it also

Ensures that the IT infrastructure of the company:

Meets the AIC requirements.

Supports the strategies and objectives of the company.

Includes service level agreements when outsourced.


Security Governance Major parts


Security leaders must be fully integrated into the company leadership where they can be heard.


it occurs at many different levels of the organization and is in a layered approach.


by following internationally accepted “best practices”:

Job rotation , Separation of duties, least privilege, mandatory vacations …etc.

Some Examples for standards : ISO 17799 & ISO 27001:2005

Security Blueprints

Provide a structure for organizing requirements and solutions.

They are used to ensure that security is considered from a holistic view.

Used to identify and design security requirements

Infrastructure Security Blueprints

Policy overview

Operational environment is a complex web of laws, regulations, requirements, competitors and partners

These change frequently and interact with each other within this environment

Management must develop and publish overall security statements addressing

Security policies and their supporting elements such as standards , baselines and guidelines.

Functions of Security policy - I

Provides Management’s Goals and objectives in writing

Documents compliance

Creates the security culture

Anticipates and protects others from surprises

Establishes the security activity/function

Holds individuals personally responsible/accountable


Functions of Security policy-II

Address foreseeable conflicts

Ensures employees and contractors are aware of organizational policy and changes

Mandates an incident response plan

Establishes process for exception handling , rewards, discipline


Policy Infrastructure

High level policies are interpreted into a number of functional policies.

Functional policies are derived from the overarching policy of the organization and

create the foundation for the procedures, standards, and baselines to accomplish the security objectives

Functional policies gain their credibility from senior management’s buy-in.


Example Functional Policies

Data classification

Certification and accreditation

Access control


Remote access

Acceptable Internet usage


Dissemination control

Sharing control

Policy Implementation

Standards, procedures, baselines, and guidelines turn the objectives and goals established by management in the overarching and functional policies into actionable and enforceable actions for the employees.

Standards and procedure

Standards: Adoption of common hardware and software mechanisms and products throughout the enterprise.

Examples: Desktop, Anti-Virus, Firewall

Procedures: required step by step actions which must be followed to accomplish a task.

Guidelines: recommendations for security product implementations, procurement and planning, etc.

Examples: ISO17799, Common Criteria, ITIL


Benchmarks used to ensure that a minimum level of security configuration is provided across multiple implementations and systems.

They establish consistent implementation of security mechanisms.

Platform unique


VPN Setup,

IDS Configuration,

Password rules


Three Levels of security planning

Strategic Planning: long term

Focuses on the high-level, long-range organizational requirements

Examples: overarching security policy

Tactical Level Planning: medium-term

Focus on events that will affect the entire organization.

Examples: functional plans

Operational planning: short-term

Fighting fires at the keyboard level, this

Directly affects the ability of the organization to accomplish its objectives.

Organizational roles and responsibilities

Every actor has a role:

Entails responsibility:

must be clearly communicated and

understood by all actors.

Specific duties associated with the role must be assigned


Securing email

Reviewing violation reports

Attending awareness training

Specific Roles and Responsibilities (duties)- 1

Executive Management:

Publish and endorse security policy

establishing goals, objectives

overall responsibility for asset protection.

Information systems security professionals:

Security design, implementation, management,

Review of the organization security policies.


Specific Roles and responsibilities - 2


information classification

set user access conditions

decide on business continuity priorities


Security of the information entrusted to them

Information System Auditor

Auditing assurance guarantees.


Compliance with procedures (AIC) and policies

Personnel Security: Hiring staff

Background checks/Security clearances

Check references/ educational records

Sign Employment agreement


Non-disclosure agreements

Non-compete agreements

Low level Checks

Consult the Human Resources (H.R.) department

Termination procedures

Third party considerations

Established procedures to address these groups on an individual basis.

Examples of third party are:



Temporary Employees


Personnel good practices

Job description and defined roles and responsibilities

Least privilege/Need to know

Compliance with need to share

Separation of duties

Job rotation

Mandatory vacations

Security Awareness

Awareness training

Provides employees with a reminder of their security responsibilities.

Motivate personnel to comply with requirements





Key-chains, etc.


Training and Education

Job training

Provides skills needed to perform the security functions in their jobs.

Focus on security-related job skills

Specifically address security requirements of the organization, etc.

Professional Education

Provides decision-making and security management skills that are important for the success of an organization's security program.

Good training practices

Address the audience


Data Owner and custodian

Operations personnel


Support personnel

Risk from NIST SP 800-30

Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability,

and the resulting impact of that adverse event on the organization (SP800-30)


Definitions Related to Risk

Threat: the Potential for a mal-actor to exercise a specific vulnerability.

Vulnerability: A Flaw or weakness in system security procedures, design, implementation or internal controls that could be exercised and could result in a security breach or violation of systems security policy.

Likelihood: the probability that a potential vulnerability may be exercised within the threat environment.

Countermeasures: A risk reduction control

May be technical, operational or management controls, or a combination of these types

Risk Management Definitions

Asset: Something that is valued by the organization to accomplish its goals and objectives

Threat: Any potential danger to information or an information system.


Unauthorized access, Hardware failure, Loss of key personnel

Threat Agent: Anything that has the potential of causing a threat.

Exposure: An opportunity for a threat to cause loss.

Vulnerability: Is a weakness that could be exploited.

Attack: An Intentional action trying to cause harm.

Countermeasures and safeguards: Are those measures and actions that are taken to protect systems.

Risk: The probability that some unwanted event could occur

Residual Risk: The amount of risk remaining after countermeasures and safeguards are applied

Risk Management

The purpose of risk management is to identify potential problems

Before they occur

So that risk-handling activities may be planned and invoked as needed

Across the life of the product or project

Risk Factors

Risk arises when threat agents attack assets and vulnerabilities are present

Residual Risk happens when threat agents attack assets and countermeasures are in place but are not sufficient

Risk Management

Risk Management identifies and reduces total risks (threats, vulnerabilities, & asset value)

Mitigating controls: Safeguards & Countermeasures reduce risk

Residual Risk should be set to an acceptable level

Purpose of risk Analysis

Identifies and justifies risk mitigation efforts

Identifies the threats to business processes and information systems

Justifies the implementation of specific countermeasures to mitigate risk

Describes current security posture

Conducted based on risk to the organization's objectives/mission

Benefits of Risk Analysis

Focuses policy and resources

Identifies areas with specific risk requirements

Part of good IT Governance


Business continuity process

Insurance and liability decisions

Legitimizes security awareness programs

Emerging threats factors

Risk Assessment must also address emerging threats

New technology

Change in culture of the organization or environment

Unauthorized use of technology, etc.

Can come from many different areas

May be discovered by periodic risk assessments

Sources to identify threats


Systems administrators

Security officers



Facility records

Community and government records

Vendor/security provider alerts

Other types of threats :

Natural disasters – flood, tornado, etc.

Environment – overcrowding or poor morale

Facility – physical security or location of building

Risk analysis key factors

Obtain senior management support

Establish the risk assessment team

Define and approve the purpose and scope of the risk assessment team

Select team members

State the official authority and responsibility of the team

Have management review findings and recommendations

Risk team members

Some of the areas which should be included:

Information System Security, IT & Operations Management, Internal Audit, Physical security, etc

Use of automated tools for risk management

Objective is to minimize manual effort

Can be time consuming to setup

Perform calculations quickly

Estimate future expected losses

Determine the benefit of security measures

Preliminary security evaluation

Identify vulnerabilities

Review existing security measures

Document findings

Obtain management review and approval

Risk analysis types

Two types of Risk analysis

Quantitative Risk analysis

Qualitative Risk analysis

Both provide valuable metrics

Both are often required to get a full picture

Quantitative risk analysis

Assign independently objective numeric monetary values

Fully quantitative if all elements of the risk analysis are quantified

difficult to achieve

Requires substantial time and personnel resources

Determining asset value

Cost to acquire, develop, and maintain

Value to owners, custodians, or users

Liability for protection

Recognize cost and value in the real world

Price others are willing to pay

Value of intellectual property


Quantitative analysis steps

Estimate potential losses

SLE – Single Loss Expectancy

SLE = Asset Value ($) X Exposure Factor (%)

Exposure Factor = % of asset loss when threat is successful

Types of loss to consider

Physical destruction/theft, loss of data, etc.

Conduct threat analysis

ARO – Annual Rate of Occurrence

Expected number of exposures/incidents per year

Likelihood of an unwanted event happening

Determine Annual Loss Expectancy (ALE)

Combine potential loss and rate/year

Magnitude of risk = Annual Loss Expectancy

Purpose of ALE

Justify security countermeasures
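
The steps above, carried through as an added example (not part of the original presentation). It assumes the standard formulation ALE = SLE x ARO and net benefit = ALE before - ALE after - annual safeguard cost, which the slides describe only in words; the `Risk`, `Safeguard`, `evaluate` and `select` names and all dollar figures are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    name: str
    asset_value: float       # AV, in dollars
    exposure_factor: float   # EF, fraction of the asset lost per incident
    aro: float               # ARO, expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy = Asset Value x Exposure Factor."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO (assumed standard formula)."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


@dataclass
class Safeguard:
    name: str
    annual_cost: float                # total yearly cost of the safeguard
    new_ef: Optional[float] = None    # EF once deployed, if it limits damage
    new_aro: Optional[float] = None   # ARO once deployed, if it limits frequency


def evaluate(risk: Risk, sg: Safeguard) -> dict:
    """Compare ALE before and after a safeguard, net of its annual cost."""
    after = Risk(risk.name, risk.asset_value,
                 risk.exposure_factor if sg.new_ef is None else sg.new_ef,
                 risk.aro if sg.new_aro is None else sg.new_aro)
    residual = after.ale()   # residual risk expressed as an annual loss
    return {"safeguard": sg.name, "ale_before": risk.ale(),
            "residual_ale": residual,
            "net_benefit": risk.ale() - residual - sg.annual_cost}


def select(risk: Risk, options: list, tolerance: float) -> Optional[dict]:
    """Best safeguard whose cost is justified and whose residual ALE is tolerable."""
    ok = [r for r in (evaluate(risk, s) for s in options)
          if r["net_benefit"] > 0 and r["residual_ale"] <= tolerance]
    return max(ok, key=lambda r: r["net_benefit"], default=None)


# Constructed sample figures, not taken from the presentation.
RISK = Risk("customer database outage", 400_000, 0.5, 0.5)
OPTIONS = [Safeguard("offline backups", 20_000, new_ef=0.125),
           Safeguard("managed monitoring", 90_000, new_aro=0.125)]

if __name__ == "__main__":
    print(f"SLE={RISK.sle():,.0f}  ALE={RISK.ale():,.0f}")
    for opt in OPTIONS:
        print(evaluate(RISK, opt))
    print("selected:", select(RISK, OPTIONS, tolerance=30_000))
```

When `select` returns `None`, no reduction option is both cost-justified and within tolerance, which leaves acceptance, transference or avoidance as the remaining choices.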


Qualitative Risk analysis

Scenario oriented

Does not attempt to assign absolute numeric values to risk components

Purely qualitative risk analysis is possible

Qualitative risk analysis factors

Rank seriousness of the threats and sensitivity of assets

Perform a carefully reasoned risk assessment

Other risk analysis methods

Failure modes and effects analysis

Potential failures of each part or module

Examine effects of failure at three levels

Immediate level (part or module)

Intermediate level (process or package)


Fault tree analysis

Sometimes called “spanning tree analysis”

Create a “tree” of all possible threats to, or faults of the system

“Branches” are general categories such as network threats, physical threats, component failures, etc.

Prune “branches” that do not apply

Concentrate on remaining threats.

Risk mitigation options

Risk Acceptance

Risk Reduction

Risk Transference

Risk Avoidance

The right amount of security

Cost/Benefit analysis – balance between the cost to protect and asset value

To estimate, need to know:

Asset value

Threats, adversary, means, motives, and opportunity.

Vulnerabilities and Resulting risk


Risk tolerance

Countermeasures selection principles

Based on cost/benefit analysis, total cost of safeguard

Selection and acquisition

Construction and placement

Environment modification

Nontrivial operating cost

Maintenance, testing

Potential side effects

Cost must be justified by the potential loss


At least one person for each safeguard

Associate directly with performance reviews

Absence of design secrecy

Countermeasures selection principles (Continued)

Audit capability

Must be testable

Include auditors in design and implementation

Vendor Trustworthiness

Review past performance

Independence of control and subject

Safeguards control/constrain subjects

Controllers administer the safeguards

Controllers and subject are from different populations

Universal application

Impose safeguards uniformly

Minimize exceptions

Countermeasures selection principles (Continued)

Compartmentalization and defense in depth

Safeguard’s role

Consider to improve security through layers of security

Isolation, economy and least common mechanism

Isolate from other safeguards

Simple design is more cost effective and reliable, etc

Acceptance and tolerance by personnel

Care must be taken to avoid implementing controls that pose unreasonable constraints

Less intrusive controls are more acceptable

Minimize human intervention

Reduces the possibility of errors and “exceptions” by reducing the reliance on administrative staff to maintain the control


Countermeasures selection principles (Continued)


Reaction and recovery

Countermeasures should do the following when activated

Avoids asset destruction and stops further damage

Prevents disclosure of sensitive information through a covert channel

Maintains confidence in system security

Captures information related to the attack and attacker

Override and fail-safe defaults

Residual and reset

Basis and origin of ethics

Religion, law, tradition, culture

National interest

Individual rights

Enlightened self interest

Common good/interest

Professional ethics/practices

Standards of good practice


Formal ethical theories

Teleology: Ethics in terms of goals, purposes, or ends

Deontology: Ethical behavior is duty

Common ethical fallacies

Computers are a game

Law-abiding citizen, Free information




Difficult to define

Start with senior management

Codes of ethics - examples

Relevant professional codes of ethics include:

Internet Activities Board (IAB)

Any activity is unethical & unacceptable that purposely:

Seeks to gain unauthorized access to the internet resources

Disrupts the intended use of the internet

Wastes resources through such actions

Destroys the integrity of computer-based information

Compromises the privacy of users

Involves negligence in the conduct of internet-wide experiments

Codes of ethics - examples

Relevant professional codes of ethics include:

(ISC)2 and other professional codes:

ISC2 Code of ethics preamble

Protect society, the commonwealth, and the infrastructure

Provide diligent and competent services to principals, etc.


Professional codes may have legal importance


