
*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Compiled by: Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT

Introduction
Layer 1 - ISMS clauses 4-8
Layer 2 - Policy, Organizational Design, Legal Obligations, Asset Management
Layer 3 - Human Resources
Layer 4 - Incident Management
Layer 5 - Access Control
Layer 6 - Physical & Environmental
Layer 7 - Information Systems Acquisition, Development & Maintenance
Layer 8 - Communications and Operations Management
Layer 9 - Business Continuity Management
ITIL ICT, ISMS, DiD Operational Integration


Mark is an independent contractor who formerly worked in the BC Government as a Director overseeing the Government's payment systems and public accounts processing, in excess of $42 billion annually in payments to firemen, judges, social service clients, etc. Mark also spent time overseeing the privacy and security programs for BC Government Revenue Service & Small Business and Central 1 Credit Union.

Mark is a volunteer and was recognized by the Premier of New Brunswick for his work in the Knowledge Industry establishing the Atlantic Chapter of the High Technology Crime Investigation Association. Mark has also volunteered with local professional associations for HTCIA, ISACA, ISSA, IIA and FMI. Mark has also been published in trade magazines and on the Internet, in addition to being sought after as an expert by local radio, newspapers and television. In Toronto, Mark volunteered on the annual Toronto Sick Kids Children's Telethon and rode a stationary bike in a marathon Juvenile Diabetes campaign. Mark has also volunteered with local Minor Hockey, Minor Fastball, Elementary School, Middle School and Boy Scouts, and assisted with raising money for the Food Bank in conjunction with the annual NHL Old-Timers Challenge. Mark is continuing to contribute his knowledge through ISACA with the development of a Cloud Computing whitepaper and the Canadian Standards Institute's workgroup updating the ISO/IEC 27001:2012 Information Security Management Systems framework.

Probably the most famous German castle, Neuschwanstein Castle is a 19th-century Gothic Revival palace on a rugged hill above the village of Hohenschwangau near Füssen in southwest Bavaria, Germany.

Fort Bourtange: built during the Eighty Years' War (c. 1568–1648), when William I of Orange wanted to control the only road between Germany and the city of Groningen, which was controlled by the Spaniards.

Marching and Physical Training:

Soldiers were taught to march and could march at a rapid speed for long intervals. Any army that could be split up by stragglers at the back, or by soldiers trundling along at differing speeds, would be vulnerable to attack.

Training in handling weapons: they primarily used wickerwork shields and wooden swords made to standard but twice as heavy. If a soldier could fight with these heavy dummy weapons, then he would be twice as effective with the standard weaponry.

The Roman heavy infantry was typically deployed as the main body, facing the enemy, in three approximately equal lines, with the cavalry on their wings to prevent them being flanked, and light infantry in a screen in front of them to hide changes in deployment strategy, harass the enemy forces and, in some cases, drive off units such as elephants that would be a great threat to close-order heavy infantry.

Compliance Management
Risk Management
Identity Management
Authorization Management
Accountability Management
Availability Management
Configuration Management
Incident Management


Security Policy
Information Security Org
Asset Management
Human Resources
Physical & Environmental Security
Communications & Operations Management
Access Control
Information System Acquisition, Development & Maintenance
Information Security Incident Management
Business Continuity Management
Compliance

Source: Computer Security Institute 2010/11 Survey

Large-scale breaches dropped dramatically while small attacks increased. The report notes there are several possible reasons for this trend, including the fact that small to medium-sized businesses represent prime attack targets for many hackers, who favor highly automated, repeatable attacks against these more vulnerable targets, possibly because criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.

Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.

Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these card-skimming schemes.

Hacking and malware are the most popular attack methods. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those involving sending data to an external entity, opening backdoors, and keylogger functionality.

Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.

Source: Verizon Business 2011 Data Breach Investigations Report



#1: Abuse and Nefarious Use of Cloud Computing
#2: Insecure Interfaces and APIs
#3: Malicious Insiders
#4: Shared Technology Issues
#5: Data Loss or Leakage
#6: Account or Service Hijacking
#7: Unknown Risk Profile
Source: Cloud Security Alliance, Top Threats to Cloud Computing (2010)


A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
Source: 2010 OWASP Top 10 Web Application Security Risks


Risk Assessment Threats:

Malware 67%
Fraudulent Phishing 39%
Laptop or mobile computer theft or loss 34%
Bots/Zombies within the Infrastructure 29%
Insider abuse of email and Internet 25%

Risk Assessment Vulnerabilities:

Inadequate governance process
Inadequate security policy
Inadequate risk assessment methodology
Inadequate security training/awareness
Inadequate security architecture
Inadequate monitoring or surveillance capabilities
Inadequate incident response procedures
Inadequate vulnerability assessment methodologies


Clause 4 Information security management system

The organization shall establish, implement, operate, monitor, review, maintain and improve a documented ISMS within the context of the organization's overall business activities and the risks it faces.


4.2.1 Establish the ISMS

a) Define the scope and boundaries
b) Define an ISMS policy
c) Define the risk assessment approach
d) Identify the risks
e) Analyse and evaluate the risks
f) Identify and evaluate options for the treatment of risks
g) Select control objectives and controls for the treatment of risks
h) Obtain management approval of the proposed residual risks
i) Obtain management authorization to implement/operate the ISMS
j) Prepare a Statement of Applicability


4.2.2 Implement and operate the ISMS

a) Formulate a risk treatment plan
b) Implement the risk treatment plan
c) Implement controls
d) Define how to measure the effectiveness (produce comparable and reproducible results)
e) Implement training and awareness
f) Manage operation of the ISMS
g) Manage resources for the ISMS
h) Implement procedures and controls


4.2.3 Monitor and review the ISMS

a) Execute monitoring and reviewing procedures
   1) promptly detect errors
   2) promptly identify security breaches and incidents
   3) determine if the ISMS is performing as expected
   4) help detect security events
   5) determine if breach resolution actions were effective
b) Undertake regular reviews of the ISMS
c) Measure the effectiveness of controls
d) Review risk assessments at planned intervals
e) Conduct internal ISMS audits
f) Undertake a management review of the ISMS
g) Update security plans
h) Record actions and events


4.2.4 Maintain and improve the ISMS

a) Implement the identified improvements
b) Take appropriate corrective and preventive actions
c) Communicate the actions and improvements
d) Ensure that the improvements achieve their intended objectives


4.3 Documentation requirements

a) documented ISMS policy
b) the scope
c) procedures and controls
d) the risk assessment methodology
e) the risk assessment report
f) the risk treatment plan
g) documented procedures needed for planning, operation and control
h) records required by this International Standard
i) the Statement of Applicability


4.3.2 Control of documents

a) approve documents
b) review and update documents as necessary
c) ensure that the current revision status of documents is identified
d) ensure that relevant documents are available
e) ensure that documents remain legible
f) ensure that documents are available to those who need them, and are transferred, stored and ultimately disposed of in accordance with the procedures applicable to their classification
g) ensure that documents of external origin are identified
h) ensure that the distribution of documentation is controlled
i) prevent the unintended use of obsolete documents

4.3.3 Control of records

Records shall be maintained in accordance with legal obligations defined by statutes, regulations and contracts.
Records shall be maintained to provide evidence of conformity.
Records shall be protected and controlled in accordance with legal obligations.
Records shall remain legible, readily identifiable and retrievable.
Records shall be retained and processed in accordance with legal obligations.
Records shall be archived in accordance with legal obligations.
Records shall be destroyed in accordance with legal obligations.


5 Management responsibility

5.1 Management commitment

a) establishing the policy
b) ensuring that objectives and plans are established
c) establishing roles and responsibilities
d) communicating to the organization
e) providing sufficient resources
f) deciding the criteria for accepting risks & acceptable levels of risk
g) ensuring that internal audits are conducted
h) conducting management reviews


Roles and Responsibilities:

ISMS Consultant
ISMS Manager
ISMS Analyst
ISMS Auditor
Executives
Managers
Subject Matter Experts
External Parties
Customers


5.2 Resource management

5.2.1 Provision of resources

a) establishing the policy
b) ensuring that objectives and plans are established
c) establishing roles and responsibilities
d) communicating to the organization
e) providing sufficient resources
f) deciding the criteria for accepting risks & acceptable levels of risk
g) ensuring that internal audits are conducted
h) conducting management reviews


5.2.2 Training, awareness and competence

a) determining the necessary competencies for personnel
b) providing training or taking other actions
c) evaluating the effectiveness of the actions taken
d) maintaining records of education, training, skills, experience and qualifications


6 Internal ISMS audits

a) conform to the requirements of this International Standard and relevant legislation or regulations;
b) conform to the identified information security requirements;
c) are effectively implemented and maintained; and
d) perform as expected.


7 Management review of the ISMS (input)

a) results of ISMS audits
b) feedback from interested parties
c) techniques, products or procedures used to improve the ISMS
d) status of preventive and corrective actions
e) vulnerabilities or threats not adequately addressed
f) results from effectiveness measurements
g) follow-up actions from previous management reviews
h) any changes that could affect the ISMS
i) recommendations for improvement


7 Management review of the ISMS (output)

a) Improvement of the ISMS
b) Update of the risk assessment and risk treatment plan
c) Modification of procedures and controls due to internal or external events such as:
   1) business requirements
   2) security requirements
   3) business processes affecting the existing business requirements
   4) regulatory or legal requirements
   5) contractual obligations
   6) levels of risk and/or criteria for accepting risks
d) Resource needs
e) Improvement to how the effectiveness of controls is being measured

8 ISMS improvement

8.1 Continual improvement

The organization shall continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions and management review.


8 ISMS improvement

8.2 Corrective action

a) identifying nonconformities
b) determining the causes of nonconformities
c) evaluating the need for actions to ensure that nonconformities do not recur
d) determining and implementing the corrective action needed
e) recording results of action taken
f) reviewing corrective action taken


8 ISMS improvement

8.3 Preventive action

a) identifying potential nonconformities and their causes
b) evaluating the need for action to prevent occurrence of nonconformities
c) determining and implementing preventive action needed
d) recording results of action taken
e) reviewing preventive action taken


Exclusions

Please note clause 1.2: any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be justified, and evidence needs to be provided that the associated risks have been accepted by accountable persons. Where any controls are excluded, claims of conformity to this International Standard are not acceptable unless such exclusions do not affect the organization's ability, and/or responsibility, to provide information security that meets the security requirements determined by risk assessment and applicable legal or regulatory requirements.

A.5 Security policy

A.5.1 Information security policy
A.5.1.1 Information security policy document
A.5.1.2 Review of the information security policy


A.6 Organization of information security

A.6.1 Internal organization
A.6.1.1 Management commitment to information security
A.6.1.2 Information security coordination
A.6.1.3 Allocation of information security responsibilities
A.6.1.4 Authorization process for information processing facilities
A.6.1.5 Confidentiality agreements
A.6.1.6 Contact with authorities
A.6.1.7 Contact with special interest groups
A.6.1.8 Independent review of information security


A.6 Organization of information security

A.6.2 External parties
A.6.2.1 Identification of risks related to external parties
A.6.2.2 Addressing security when dealing with customers
A.6.2.3 Addressing security in third party agreements


A.7 Asset management

A.7.1 Responsibility for assets
A.7.1.1 Inventory of assets
A.7.1.2 Ownership of assets
A.7.1.3 Acceptable use of assets

A.7.2 Information classification
A.7.2.1 Classification guidelines
A.7.2.2 Information labeling and handling


A.15 Compliance

A.15.1 Compliance with legal requirements
A.15.1.1 Identification of applicable legislation
A.15.1.2 Intellectual property rights (IPR)
A.15.1.3 Protection of organizational records
A.15.1.4 Data protection and privacy of personal information
A.15.1.5 Prevention of misuse of information processing facilities
A.15.1.6 Regulation of cryptographic controls

A.15.2 Compliance with security policies and standards, and technical compliance
A.15.2.1 Compliance with security policies and standards
A.15.2.2 Technical compliance checking


A.15.3 Information systems audit considerations

A.15.3.1 Information systems audit controls
A.15.3.2 Protection of information systems audit tools


A.8 Human resources security

A.8.1 Prior to employment
A.8.1.1 Roles and responsibilities
A.8.1.2 Screening
A.8.1.3 Terms and conditions of employment

A.8.2 During employment
A.8.2.1 Management responsibilities
A.8.2.2 Information security awareness, education and training
A.8.2.3 Disciplinary process


A.8.3 Termination or change of employment

A.8.3.1 Termination responsibilities
A.8.3.2 Return of assets
A.8.3.3 Removal of access rights


A.13.1 Reporting information security events and weaknesses

A.13.1.1 Reporting information security events
A.13.1.2 Reporting security weaknesses

A.13.2 Management of information security incidents and improvements
A.13.2.1 Responsibilities and procedures
A.13.2.2 Learning from information security incidents
A.13.2.3 Collection of evidence


A.11 Access control

A.11.1 Business requirement for access control
A.11.1.1 Access control policy

A.11.2 User access management
A.11.2.1 User registration
A.11.2.2 Privilege management
A.11.2.3 User password management
A.11.2.4 Review of user access rights


A.11.3 User responsibilities

A.11.3.1 Password use
A.11.3.2 Unattended user equipment
A.11.3.3 Clear desk and clear screen policy

A.11.4 Network access control
A.11.4.1 Policy on use of network services
A.11.4.2 User authentication for external connections
A.11.4.3 Equipment identification in networks
A.11.4.4 Remote diagnostic and configuration port protection
A.11.4.5 Segregation in networks
A.11.4.6 Network connection control
A.11.4.7 Network routing control

A.11.5 Operating system access control

A.11.5.1 Secure log-on procedures
A.11.5.2 User identification and authentication
A.11.5.3 Password management system
A.11.5.4 Use of system utilities
A.11.5.5 Session time-out
A.11.5.6 Limitation of connection time

A.11.6 Application and information access control
A.11.6.1 Information access restriction
A.11.6.2 Sensitive system isolation


A.9 Physical and environmental security

A.9.1 Secure areas
A.9.1.1 Physical security perimeter
A.9.1.2 Physical entry controls
A.9.1.3 Securing offices, rooms and facilities
A.9.1.4 Protecting against external and environmental threats
A.9.1.5 Working in secure areas
A.9.1.6 Public access, delivery and loading areas


A.9.2 Equipment security

A.9.2.1 Equipment siting and protection
A.9.2.2 Supporting utilities
A.9.2.3 Cabling security
A.9.2.4 Equipment maintenance
A.9.2.5 Security of equipment off premises
A.9.2.6 Secure disposal or re-use of equipment
A.9.2.7 Removal of property


A.12 Information systems acquisition, development and maintenance

A.12.1 Security requirements of information systems
A.12.1.1 Security requirements analysis and specification

A.12.2 Correct processing in applications
A.12.2.1 Input data validation
A.12.2.2 Control of internal processing
A.12.2.3 Message integrity
A.12.2.4 Output data validation


A.12.3 Cryptographic controls

A.12.3.1 Policy on the use of cryptographic controls
A.12.3.2 Key management

A.12.4 Security of system files
A.12.4.1 Control of operational software
A.12.4.2 Protection of system test data
A.12.4.3 Access control to program source code


A.12.5 Security in development and support processes

A.12.5.1 Change control procedures
A.12.5.2 Technical review of applications after operating system changes
A.12.5.3 Restrictions on changes to software packages
A.12.5.4 Information leakage
A.12.5.5 Outsourced software development

A.12.6 Technical vulnerability management
A.12.6.1 Control of technical vulnerabilities


A.10 Communications and operations management

A.10.1 Operational procedures and responsibilities
A.10.1.1 Documented operating procedures
A.10.1.2 Change management
A.10.1.3 Segregation of duties
A.10.1.4 Separation of development, test and operational facilities

A.10.2 Third party service delivery management
A.10.2.1 Service delivery
A.10.2.2 Monitoring and review of third party services
A.10.2.3 Managing changes to third party services

A.10.3 System planning and acceptance
A.10.3.1 Capacity management
A.10.3.2 System acceptance

A.10.4 Protection against malicious and mobile code

A.10.4.1 Controls against malicious code
A.10.4.2 Controls against mobile code

A.10.5 Back-up
A.10.5.1 Information back-up

A.10.6 Network security management
A.10.6.1 Network controls
A.10.6.2 Security of network services

A.10.7 Media handling
A.10.7.1 Management of removable media
A.10.7.2 Disposal of media
A.10.7.3 Information handling procedures
A.10.7.4 Security of system documentation

A.10.8 Exchange of information

A.10.8.1 Information exchange policies and procedures
A.10.8.2 Exchange agreements
A.10.8.3 Physical media in transit
A.10.8.4 Electronic messaging
A.10.8.5 Business information systems

A.10.9 Electronic commerce services
A.10.9.1 Electronic commerce
A.10.9.2 On-line transactions
A.10.9.3 Publicly available information

A.10.10 Monitoring

A.10.10.1 Audit logging
A.10.10.2 Monitoring system use
A.10.10.3 Protection of log information
A.10.10.4 Administrator and operator logs
A.10.10.5 Fault logging
A.10.10.6 Clock synchronization


A.14 Business continuity management

A.14.1 Information security aspects of business continuity management
A.14.1.1 Including information security in the business continuity management process
A.14.1.2 Business continuity and risk assessment
A.14.1.3 Developing and implementing continuity plans including information security
A.14.1.4 Business continuity planning framework
A.14.1.5 Testing, maintaining and reassessing business continuity plans

Goals


ISMS Goals

Reduce risks and threats to the Confidentiality, Integrity and Availability of the organization's Information Assets and System Resources by providing policies, practices and standards designed to mitigate or eliminate all known risks and threats.

Improve the effectiveness and efficiency of Information Security Management by implementing a world-class best practice and framework for consistent, concise information security administration.

Improve the effectiveness and efficiency of existing information security mechanisms by formalizing new practices to monitor compliance and maintain sensitive data awareness.

Improve reassurance testing and validation outcomes by Internal Audit and External Auditors to further assure senior management and shareholders that Information Assets and System Resources are secure.

Reduce the likelihood that an accidental incident originating from staff could have an adverse effect on organizational reputation or liabilities, potentially leading to financial losses, by providing an ongoing information security program.


ITSM Goals
IT Security Management has two primary objectives that fit perfectly with the ISMS Goals:

1) To meet the security requirements of SLAs and external requirements further to contracts, legislation and externally imposed policies.
2) To provide a basic level of security, independent of external requirements.


Quality Management


Quality Management
Quality Management for IT services is a systematic way of ensuring that all the activities necessary to design, develop, implement and maintain IT services satisfy the requirements of the organization and its employees while providing assurance that strategic and tactical activities are carried out cost-effectively.

Quote
"We have learned to live in a world of mistakes and defective products as if they were necessary to life. It is time to adopt a new philosophy..."
(W. Edwards Deming, 1900-1993)


Quality Management
Excerpts from Deming's 14 points relevant to Service Management:
- break down barriers between departments (improves communications and management)
- management must learn their responsibilities, and take on leadership (process improvement requires commitment from the top; good leaders motivate people to improve themselves and therefore the image of the organization)
- improve constantly (a central theme for service managers is continual improvement; this is also a theme for Quality Management. A process-led approach is key to achieving this target)
- institute a programme of education and self-improvement (learning and improving skills have been the focus of Service Management for many years)
- training on the job (linked to continual improvement)
- transformation is everyone's job (the emphasis being on teamwork and understanding).

Quality Management
Deming's 14-point Service Management guidelines focus on four repetitive activities, Plan, Do, Check and Act, bound together by a common theme: continuous improvement. These activities are easily identifiable within both the ITSM and ISMS frameworks and can also be linked to the Capability Maturity Model.


PDCA
PLAN DO CHECK ACT

Plan-Do-Check-Act
The PDCA Methodology is an iterative process model.

[Figure: PDCA cycle for the Information Security Program. Interested Parties supply information security requirements and expectations as input; the output back to Interested Parties is Managed Information Security. Step #1 PLAN: Design & Plan Information Security Program. Step #2 DO. Step #3 CHECK: Monitor, Audit, Review Information Security Program. Step #4 ACT: Lead Corrective, Preventative, and Continuous Improvement action plans; Maintain & Improve Information Security Program.]

Plan: Design, plan and initiate the information security program. These activities include creating a strategy, socialization concepts, creating policies, goals, objectives and practices as necessary to manage risk.
Do: Execute and control the information security strategy, including its integration into organizational practices.
Check: Facilitate semi-annual audits to determine conformance to the statement of applicability and identify opportunities for improvement. Wherever appropriate, develop and integrate performance metrics which support information security program goals and objectives.
Act: Upon the discovery of nonconformities and/or opportunities, create and track corrective, preventive, and continuous improvement action plans. Present findings from internal/external audits and risk assessments to the Management Review Committee for decisions regarding the acceptance, rejection, or transfer of risk and the commitment of resources and capital to facilitate subsequent efforts.


ITIL IT Security Management (ITSM)



[Figure: ITIL IT Security Management cycle. The customer defines business requirements; the SLA/Security Chapter is the agreement between customer and provider; the IT Service Provider implements the SLA security requirements; reporting is done according to SLA, OLA and UC.]

STEP #1 Plan
PLAN:
* Service Level Agreements
* Underpinning Contracts
* Operational Level Agreements
* Internal Policies
CONTROL:
* Organize
* Create Management Framework
* Allocate Responsibilities

STEP #2 Do
IMPLEMENT:
* Improve awareness
* Classification and management of resources
* Personnel Security
* Physical Security
* Security management of hardware, networks, applications, etc.
* Access Control
* Resolve security incidents

STEP #3 Check
EVALUATE:
* Internal audits
* External audits
* Self Assessments
* Security incidents

STEP #4 Act
MAINTAIN:
* Learn
* Improve
* Plan
* Implement

Information Security Management System (ISMS)

ISMS AUDIT PROCESS


Risk Assessment strategies include: (1) Control Self-Assessment, (2) Privacy Impact Assessment, (3) Threat-Risk Assessment, (4) OCTAVE.

InfoSec Management Review Committee: Human Resources Manager; VP Finance; Property Administration Manager; VP of Product Development; Director of Technical Operations; Director of Product Development; VP of Payment Services; Director of Online Banking Services; Director of Internal Audit.

[Figure: ISMS Audit Process flowchart laid over the four PDCA steps.
Step #1 Plan: ISMS External Input, consisting of the Statutory/Regulator Registry, Contract Registry, Asset Inventory, Data Sensitivity, Partner/Customer Feedback, Business Plans and Legislative Changes.
Step #2 Do: Risk Assessment using the strategies listed above, producing the RA Report.
Step #3 Check: ISMS ISO27K Audit against the Statement of Applicability and ISMS Record Management. Decision node Conformity: YES leads to Records/Evidence and the Audit Report; NO leads to a Threat/Risk Assessment. A: integrated into the ITIL Incident and Problem Management processes, Project Management, Service Desk, Human Resources and Systems Development. The ISMS Management Review Process records Management Review Meeting Minutes and decides whether to Accept, Reject or Transfer Risk; risks to be treated enter the Risk Treatment Plan.
Step #4 Act: Corrective or Preventative Action, tracked through Action Plans/Project Plans and the Continuous Improvement Program. B: integrated into the project Management Dashboards.]

ISMS / ITSM under the covers


Program Inputs


Program Inputs
ITSM:
Inputs: SLA, OLA, Information Security Policy, Statutes, Regulations

ISMS:
Inputs:
a) Improve the effectiveness of the ISMS;
b) Update the risk assessment and risk treatment plan;
c) Modification of practices and controls that affect information security, as necessary, to respond to internal or external events that may impact the ISMS, including changes to:
   1) business requirements;
   2) security requirements;
   3) business processes affecting the existing business requirements;
   4) regulatory or legal requirements;
   5) contractual obligations; and
   6) levels of risk and/or criteria for accepting risks;
d) Resource needs;
e) Improvement on how the effectiveness of controls is being measured.

Program Outputs


Program Outputs
ITSM:
Outputs: SLA status pertaining to Security Management Metrics, Exceptions, routine security planning, ISMS Management Review Committee

ISMS:
Outputs:
a) results of ISMS audits and reviews;
b) feedback from interested parties;
c) techniques, products or procedures which could be used in the organization to improve the ISMS performance and effectiveness;
d) status of preventive and corrective actions;
e) vulnerabilities or threats not adequately addressed in the previous risk assessment;
f) results from effectiveness measurements;
g) follow-up actions from previous management reviews;
h) any changes that could affect the ISMS; and
i) recommendations for improvement.

CYBERSECURITY Program Integration with operational level processes


ITSM Integration Points


Configuration Management
Incident Management
Problem Management
Change Management
Release Management
Capacity Management
Availability Management
IT Service Continuity Management
Service Level Management


Configuration Management
ITSM:
Integration: The creation and maintenance of classified Configuration Items (CI). This classification links the CI with specified security practices and standards. It takes into consideration requirements for confidentiality, integrity and availability based on business requirements for compliance with statutory, regulatory and contractual obligations. These requirements are determined as the result of risk assessments such as the TRA, PIA and BIA.

ISMS:
Integration: A.7.1.1 All assets shall be clearly identified and an inventory of all important assets drawn up and maintained. A.7.2.1 Information shall be classified in terms of its value, legal requirements, sensitivity and criticality to the organization. A.7.2.2 An appropriate set of procedures for information labelling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization.

Configuration Management
People - Staff and managers, particularly those in key knowledge management roles such as senior/executive managers, software architects/developers/testers, systems managers, security administrators, operators, legal and regulatory compliance people...
Information - Personal, financial, legal, research and development, strategic and commercial, email, voicemail, databases, personal and shared drives, backup tapes/CDs/DVDs and digital archives, encryption keys...
Software - In-house/custom-written systems, client software (including shared or single-user End User Computing desktop applications), commercial off-the-shelf (COTS), ERP, MIS, databases, software utilities/tools, eBusiness applications, middleware...

Configuration Management
Hardware - Computing and storage devices, e.g. desktops, workstations, laptops, handhelds, servers, mainframes, modems and line terminators, communications devices (network nodes), printers/copiers/FAX machines and multifunction devices.
Telecommunications - Fiber Internet Connection, DSL Internet Connection, General Packet Radio Service (GPRS), Gateway GPRS Support Node (GGSN), Protocol/Port Summary (UDP 9000 (MO, MT); UDP 53248 (MT); FTP 21 (MO); SSH 22 (MT); HTTP 8005 (MT); TCP 1225, 1121, 2189 (MO); UDP 1120, 1121, 2188 (MO); Unicom IDC - ASN: 4808), Wireless Devices (GPRS, Public), Wireless Carriers, Internet Service Providers.
Facilities - IT buildings, data centers, server/computer rooms, LAN/wiring closets, offices, desks/drawers/filing cabinets, media storage rooms...

Corrective/Preventative Actions
110 incidents, of which the majority impacted the information security principle availability.
Confidentiality was no surprise, only impacting 7% of all tickets. Even though the numbers are usually low within this category, events affecting confidentiality typically result in the biggest headaches.
The real surprise was the high rate of incidents impacting the information security principle integrity.

Incident Management
ITSM: Integration: Incident Management is an important process for reporting security incidents. Information security incidents are not clearly understood by most business people, so it is very likely that information security incidents may be handled through a practice other than incident management. It is therefore essential that Incident Management recognize security incidents as such. Any incident that may interfere with achieving the SLA security requirements is classified as a security incident by ITSM. It is useful to include in the SLA a description of the types of incidents to be considered security incidents. In addition, any incident that interferes with achieving the basic internal security level is also classified as a security incident.

Incident Management
ISMS:
Integration: A.13.1.1 Information security events shall be reported through appropriate management channels as quickly as possible.

Problem Management
ITSM:
Integration: Problem Management is responsible for identifying and solving structural security failings. The resolution of a problem could introduce a new security risk, which is why Problem Management must involve Security Management during the resolution of the problem. This certification should be based on compliance with the SLA and organizational security requirements.

Corrective/Preventative Management
ITSM: Integration:
Corrective action - 8.2 The documented procedure for corrective action shall define requirements for:
a) identifying nonconformities;
b) determining the causes of nonconformities;
c) evaluating the need for actions to ensure that nonconformities do not recur;
d) determining and implementing the corrective action needed;
e) recording results of action taken (see 4.3.3); and
f) reviewing of corrective action taken.
Preventive action - 8.3 The documented procedure for preventive action shall define requirements for:
a) identifying potential nonconformities and their causes;
b) evaluating the need for action to prevent occurrence of nonconformities;
c) determining and implementing preventive action needed;
d) recording results of action taken (see 4.3.3); and
e) reviewing of preventive action taken.

Corrective/Preventative Management
ITSM:
Integration: 8.2 Corrective action and 8.3 Preventive action

Continuous Improvement
[Figure: risk/impact chart of the 23 Active Projects Monitored, grouped by Dept A, Dept B, Dept C, Dept D and Dept E.]
Risk is measured in terms of High, Med, Low.
Impact is assessed against the principles of information security: Confidentiality, Integrity and/or Availability.

Continuous Improvement
Risk is measured in terms of High, Med, Low.
Impact is assessed against the principles of information security: Confidentiality, Integrity and/or Availability.

Project Managers facilitate a control self-assessment and the security and privacy office follows up.
If the balance between the number of active projects and impact/risk is in proportion, then generally projects continue without direct involvement of the security and privacy office.

Continuous Improvement
However, if the balance between the number of active projects and impact/risk appears out of proportion, then the security and privacy office will get involved.

Change Management
ITSM:
Integration: Change Management activities are often closely associated with security because Change Management and Security Management are interdependent. There are a number of standard operations to ensure that this security is maintained, including the Request For Change (RFC) associated with governance for acceptance. The RFC should also include a proposal for dealing with security issues, based on the SLA requirements. Preferably, the Security Manager (and possibly the customer's Security Officer) should be a member of the Change Advisory Board (CAB).

Change Management
ISMS:
Integration: A.10.1.2 Changes to information processing facilities and systems shall be controlled.
Information Security

[Figure: INFORMATION SECURITY process flowchart covering the lifecycle of an information asset (CREATE, ADD, USE, CHANGE, INTERFACE, SHARE, MIGRATE, CONSOLIDATE, ARCHIVE, SECURE, AUDIT, DISCLOSE, RELEASE, DISPOSE, DELETE, RECYCLE).
Purpose: Why are we collecting the information? Business Driver: we have an opportunity and/or our partners and clients have requested a new function or feature.
Parallel information collection, by manual operation or electronic interface: paper document, digital camera, optical scanner, video, fax, computer, phone, mobile phone.
Protection: facilitate a risk assessment, select and implement safeguards.
Access (add, change, delete): request access to classified information assets (C1, R1). Decision "Are we removing access?": YES leads to transfer or remove classified information, remove authorization, remove username from the authorized list, notify manager (1b, C3, R3). NO leads to the decision "Has the appropriate manager approved?": YES leads to assign or modify the level of authorization (1a, C2, R2), validate what level of authorization has been assigned (C4, R4), apply document control security standards, and release information by the release method (ftp, email, mail, hardcopy) (1i, C5, R5, CP2); maintain a record of distribution, i.e. email record, courier receipt (CP1); notify user (1g).
Authorization List (1e): RBAC, Workgroups, SOD; manager to review annually (1c, C1, R1).
Information asset classification (1f): D = Declassified, O = Operational, C = Confidential, P = Private.
Legend: Activity, Decision, Document, Interface, Page Connect, Data Store; Risk, Tools, Control, Management; C: Control, R: Risk, T: Tools, TS: Test Plan, CP: Communications Plan.]


Release Management
ITSM:
Integration: All new versions of software, hardware, data communications equipment, etc. should be controlled and rolled out by Release Management. This process will ensure that:
* The correct hardware and software are used
* The hardware and software are tested before use
* The introduction is correctly authorized using change control
* The software is legal
* The software is free from viruses and that viruses are not introduced during distribution
* The version numbers are known and recorded in the CMDB by Configuration Management
* The rollout is managed effectively

Release Management
ISMS:
Integration: A.10.1.2 Changes to information processing facilities and systems shall be controlled. A.10.1.4 Development, test and operational facilities shall be separated to reduce the risks of unauthorized access or changes to the operational system.

Availability Management
ITSM:
Integration: Availability Management addresses the technical availability of IT components in relationship to the availability of the service. The quality of availability is assured by continuity, maintainability and resilience. Availability Management is the most important process related to the information security principle availability and the availability of information assets. As many security measures benefit both availability and the security principles confidentiality and integrity, effective coordination of measures between Availability Management, IT Service Continuity Management, and Security Management is essential.

Capacity Management
ITSM:
Integration: Capacity Management is responsible for the best use of IT resources, as agreed with the customer. The performance requirements are based on the qualitative and quantitative standards defined by Service Level Management. Almost all the activities of Capacity Management affect availability and therefore also Security Management.

Capacity Management
ISMS:
Integration: A.10.10.5 Faults shall be logged, analyzed, and appropriate action taken. A.14.1.1 A managed process shall be developed and maintained for business continuity throughout the organization that addresses the information security requirements needed for the organization's business continuity.

IT Service Continuity Management
ITSM:
Integration: IT Service Continuity Management ensures that the impact of any contingencies is limited to the level agreed with the customer. Contingencies need not necessarily turn into disasters. The major activities are defining, maintaining, implementing and testing the contingency plan, and taking preventative action. Because of security aspects, there are ties with Security Management. On the other hand, failure to fulfill basic security requirements may itself be considered a contingency.

Business Continuity
[Figure: Your Business sits between Your Service Providers and Consumer & Business Requirements; the Information DataBase holds CUSTOMER records (sample identifiers 764536748 BOB, 12343536475 MARY, GTH4567, NBMJRL9087). SERVICE REQUIRES INFORMATION TO FUNCTION.]

BUSINESS DRIVERS: customers demand new services and improvements to existing services.
REQUIREMENTS: to deliver these services we'll need specific information gathered and stored, maintained, processed and exchanged.
TECHNOLOGY: telecommunications + business systems + hardware + skilled labor.

To deliver these services we'll need business systems created in a programming language to ensure consistent and effective processing. We'll also need reliable hardware and telecommunications suitable for the requirements, and skilled people/resources to write code, troubleshoot, administer security, apply patches/fixes, configure systems, configure communications and build in redundancy.

Service Level Management
ITSM: Integration: Service Level Management ensures that agreements about services to be provided to customers are defined and achieved. The Service Level Agreements should also address security measures. The objective is to optimize the level of service provided. Service Level Management includes a number of related security activities, in which Security Management plays an important role:
(a) Identification of the security needs of the customers. Naturally, determining the security needs is the responsibility of the customer, as these needs are based on their business interests. Verifying the feasibility of the customer's security requirements.
(b) Proposing, discussing and defining the security level of IT services in the SLA. Identifying, developing and defining the internal security requirements for IT services through the OLA.
(c) Monitoring the security standards defined within the OLA.
(d) Reporting on the IT services provided.

Service Providers
The Organizational Security and Privacy group will assist Managers by reviewing and recommending amendments to contracts and agreements to ensure they address information security and privacy obligations as outlined within data protection statutes (PIP Act, PIPED Act, and FOIPP Act). Some of these provisions may include the following:
* Physical and Environmental Security
* Security standards for sensitive Databases
* Disclosure of Personal Information
* Transmission and Back-ups of Personal Information
* Annual Compliance Certificate
* Ownership and Control of Personal Information
* Information handling for Database/Media
* System Logs, Audit Logs
* Privacy Strategy/Plan
* Breach or Demand Notification
* Training/Awareness
* Security Controls for Authorized Personnel
* Risk Assessments (PIA, TRA, CSA)
* Agreements with contractors/service providers
* Testing and Development Work
* US based companies
* Removal of Personal Information
* Destruction of sensitive information and media
* Sensitive information sharing
* Collection of Personal Information
* Containing sensitive information
* Non-Compliance Reports

[Figure: relationship between Executives, the Organizational Security and Privacy group, Managers, and Service Providers.]

Service Catalogue


SLA, OLA, and UC


Key Performance Indicators

If the risk rating is High for an Internet-facing system then immediate action is required.
If the risk rating is High for an internal system then a resolution must be applied within 7 days; all other systems have 60 days to remediate.
If the risk rating is Medium for an Internet-facing system then remediation is required within 7 days.
If the risk rating is Medium for an internal system then remediation is required within 60 days; all other systems have a 90-day time span to remediate gaps in security.
If the risk rating is Low for an Internet-facing system then remediation is required within 30 days.
If the risk rating is Low for an internal system then remediation is required within 180 days.
All other systems have up to 18 months for remediation or until the next maintenance cycle, whichever comes first.
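To track these KPIs, the remediation windows need to be applied consistently to every finding. The following Python block is an added example, not code from the original slides: it encodes the rules as a lookup, computes each finding's due date from its risk rating, exposure and discovery date, and lists the findings that are past due as of a reporting date. The exposure labels `internet`, `internal` and `other`, the `Finding` record and the sample findings are assumptions constructed for the example; the 18-month window for other low-rated systems is pulled in to the next maintenance date when one is known, as the rules state.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Remediation windows, in days, taken from the KPI rules.
# Exposure values "internet", "internal" and "other" are assumed labels.
# "Immediate action" for a High rating on an Internet-facing system is
# modelled as 0 days, i.e. due on the day of discovery.
REMEDIATION_DAYS = {
    ("High", "internet"): 0,
    ("High", "internal"): 7,
    ("High", "other"): 60,
    ("Medium", "internet"): 7,
    ("Medium", "internal"): 60,
    ("Medium", "other"): 90,
    ("Low", "internet"): 30,
    ("Low", "internal"): 180,
}
OTHER_LOW_MONTHS = 18  # Low rating on any other system: 18 months or next maintenance cycle


@dataclass(frozen=True)
class Finding:
    finding_id: str
    rating: str                              # "High", "Medium" or "Low"
    exposure: str                            # "internet", "internal" or "other"
    discovered: date
    next_maintenance: Optional[date] = None  # only consulted for Low / other


def add_months(d: date, months: int) -> date:
    """Advance a date by whole months, clamping the day to the target month's length."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def due_date(rating: str, exposure: str, discovered: date,
             next_maintenance: Optional[date] = None) -> date:
    """Return the remediation deadline implied by the KPI rules."""
    if (rating, exposure) == ("Low", "other"):
        deadline = add_months(discovered, OTHER_LOW_MONTHS)
        # "whichever comes first": a known maintenance cycle can only pull the deadline in.
        if next_maintenance is not None and next_maintenance < deadline:
            deadline = next_maintenance
        return deadline
    if (rating, exposure) not in REMEDIATION_DAYS:
        raise ValueError(f"no remediation rule for rating={rating!r}, exposure={exposure!r}")
    return discovered + timedelta(days=REMEDIATION_DAYS[(rating, exposure)])


def overdue_findings(findings: List[Finding], today: date) -> List[str]:
    """IDs of findings whose deadline has passed as of `today`, earliest deadline first."""
    dated = [(due_date(f.rating, f.exposure, f.discovered, f.next_maintenance), f.finding_id)
             for f in findings]
    return [fid for due, fid in sorted(dated) if due < today]


# Constructed sample findings for the example (not real data).
SAMPLE_FINDINGS = [
    Finding("F-1", "High", "internet", date(2024, 2, 28)),
    Finding("F-2", "High", "internal", date(2024, 2, 25)),
    Finding("F-3", "Medium", "internal", date(2023, 12, 15)),
    Finding("F-4", "Low", "internet", date(2024, 2, 10)),
    Finding("F-5", "Low", "other", date(2023, 1, 20), next_maintenance=date(2024, 2, 15)),
    Finding("F-6", "Low", "internal", date(2023, 8, 1)),
    Finding("F-7", "Low", "other", date(2023, 8, 31)),  # 18 months, clamped to 28 Feb 2025
]


def sample_report(today_iso: str = "2024-03-01") -> Dict[str, object]:
    """Due dates (ISO strings) and the overdue list for the sample findings on a given day."""
    today = date.fromisoformat(today_iso)
    due = {f.finding_id: due_date(f.rating, f.exposure, f.discovered, f.next_maintenance).isoformat()
           for f in SAMPLE_FINDINGS}
    return {"due": due, "overdue": overdue_findings(SAMPLE_FINDINGS, today)}


if __name__ == "__main__":
    for fid, due in sample_report()["due"].items():
        print(fid, "due", due)
    print("overdue on 2024-03-01:", sample_report()["overdue"])
```

A finding is reported overdue only once its deadline has passed, so a High rating on an Internet-facing system is due on its discovery date and becomes overdue the next day; the reporting date is a parameter so the same data can be re-evaluated at each management review.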


Contractual Obligations
ISMS:
Integration: A.15.1.1 All relevant statutory, regulatory and contractual requirements and the organization's approach to meet these requirements shall be explicitly defined, documented, and kept up to date for each information system and the organization.

Customer Service Reports
ITSM:
Integration: Customer Service Reports must be provided at the intervals agreed in the SLA. These reports compare the agreed service levels and the service levels that were actually measured. Examples include the following:

* availability and downtime during a specific period
* average response times during peak periods
* transaction rates during peak periods
* number of functional areas
* frequency and duration of service degradation
* average number of users at peak periods
* number of successful and unsuccessful attempts to circumvent security
* proportion of service capacity used
* number of completed and open changes
* cost of service provided
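The availability and downtime figures in such a report are only comparable with the agreed level if the outage records are first reconciled against the reporting period. The Python block below is an added example, not code from the original slides: it computes measured availability for a period from a constructed outage log, clipping outages that straddle the period boundary, discarding those outside it and merging overlapping tickets so the same outage is not counted twice, then reports frequency and longest duration alongside the agreed target. The reporting period, the outage records and the 99.5% target are assumptions constructed for the example.

```python
from __future__ import annotations

from datetime import datetime
from typing import Dict, List, Tuple

Interval = Tuple[datetime, datetime]


def clip_and_merge(period_start: datetime, period_end: datetime,
                   outages: List[Interval]) -> List[Interval]:
    """Clip outages to the reporting period and merge overlapping or touching ones."""
    clipped: List[Interval] = []
    for start, end in outages:
        s, e = max(start, period_start), min(end, period_end)
        if s < e:                      # drop outages that lie entirely outside the period
            clipped.append((s, e))
    clipped.sort()
    merged: List[Interval] = []
    for s, e in clipped:
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def availability_report(period_start: datetime, period_end: datetime,
                        outages: List[Interval], agreed_pct: float) -> Dict[str, object]:
    """Compare measured availability over the period with the agreed SLA level."""
    merged = clip_and_merge(period_start, period_end, outages)
    period_min = (period_end - period_start).total_seconds() / 60
    durations = [(e - s).total_seconds() / 60 for s, e in merged]
    downtime_min = sum(durations)
    measured_pct = 100.0 * (period_min - downtime_min) / period_min
    return {
        "agreed_pct": agreed_pct,
        "measured_pct": measured_pct,
        "allowed_downtime_minutes": period_min * (100.0 - agreed_pct) / 100.0,
        "downtime_minutes": downtime_min,
        "outage_count": len(merged),                       # frequency of degradation
        "longest_outage_minutes": max(durations, default=0.0),
        "meets_sla": measured_pct >= agreed_pct,
    }


# Constructed sample outage records (start, end) for the example; not real data.
SAMPLE_OUTAGES: List[Interval] = [
    (datetime(2023, 12, 31, 23, 0), datetime(2024, 1, 1, 0, 20)),    # straddles period start
    (datetime(2024, 1, 3, 2, 0), datetime(2024, 1, 3, 2, 45)),
    (datetime(2024, 1, 3, 2, 30), datetime(2024, 1, 3, 3, 0)),       # second ticket, same outage
    (datetime(2024, 1, 20, 23, 30), datetime(2024, 1, 21, 0, 30)),
    (datetime(2024, 2, 2, 10, 0), datetime(2024, 2, 2, 11, 0)),      # outside the period
]
JANUARY_2024: Interval = (datetime(2024, 1, 1), datetime(2024, 2, 1))


def sample_report(agreed_pct: float = 99.5) -> Dict[str, object]:
    """The January 2024 report for the constructed outage log."""
    return availability_report(JANUARY_2024[0], JANUARY_2024[1], SAMPLE_OUTAGES, agreed_pct)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

For the sample log the period contains three distinct outages totalling 140 minutes, which meets a 99.5% target (about 223 minutes allowed in a 31-day month) but would miss 99.9% (about 45 minutes), so the same measurement can pass or fail depending on the level written into the SLA.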

External Reports
ISMS:
Integration: Statement of Applicability, Compliance Management, Risk Treatment Plan, etc.

Management Reports
ITSM:
Integration: Management reports, in contrast to service level reports, are not for the customer, but to control or manage the internal process. They may contain metrics about actual service levels supported, and trends such as:
* total number of SLAs in the pool
* number of times an SLA was not fulfilled
* cost of measuring and monitoring the SLA
* customer satisfaction, based on surveys/complaints
* statistics about incidents, problems, and changes
* progress of continuous improvement action plans

Internal Reports
ISMS:
Integration: Compliance Management, Asset Management, Risk Treatment Management, Continuous Improvement, TRA, PIA, CSA, etc.

Multiple threat vectors can attack and exploit the same vulnerability in multiple ways, making it difficult to take effective corrective action or preventive action.

The ISMS mitigates threats by applying a strategy that deploys a reduced set of controls in a matrix effect which addresses specific security weaknesses. The CyberSecurity Tactical Manager is responsible for Defense-in-Depth; properly executed, it will be more effective than any other approach.

Currently there is no other security framework available that is internationally accepted other than the ISMS.

CyberSecurity is important and the ISO/IEC 27001 ISMS framework can be utilized to provide assurance to customers, shareholders and partners.
A crucial aspect of managing CyberSecurity effectively is the active engagement of managers and employees, especially those who have been assigned specific accountabilities and responsibilities for various aspects of CyberSecurity.

If you have questions please contact:

Mark E.S. Bernard
Skype: Mark_E_S_Bernard
Twitter: @MESB_TechSecure
LinkedIn: http://ca.linkedin.com/in/markesbernard