
REVISION

CHAPTER 3
INFORMATION SECURITY PROGRAM DEVELOPMENT
AND MANAGEMENT

3.4 INFORMATION SECURITY PROGRAM MANAGEMENT OVERVIEW

• Information Security Management Trends
• Essential Elements of an Information Security Program
• The program must be the execution of a well-developed information security
strategy closely aligned with and supporting organizational objectives
• The program must be well-designed with cooperation and support from
management and stakeholders
• Effective metrics must be developed for program design and implementation
phases as well as the subsequent ongoing security program management phase
to provide the feedback necessary to guide program execution to achieve the
defined outcomes


3.4.1 IMPORTANCE OF THE INFORMATION SECURITY PROGRAM


3.4.2 OUTCOMES OF INFORMATION SECURITY MANAGEMENT
• SDLCs
• Requirements development
• Specification development
• Control Objectives
• Control design and development
• Control implementation and testing
• Control monitoring and metrics

• Architectures
• Documentation
• Quality assurance
• Project management
• Business case development
• Business process reengineering
• Budgeting, costing and financial issues
• Development and integration approaches

• Training needs assessments and approaches
• Communications
• Problem resolution
• Contingency Planning
• Variance and noncompliance resolution
• Risk management
• Compliance monitoring and enforcement
• Personnel issues

3.6.2 TECHNOLOGY RESOURCES

• Firewalls
• Backup and archiving approaches such as redundant array of inexpensive disks
(RAID)
• Antivirus Systems
• Security features inherent in networking devices (e.g., routers, switches)
• Intrusion detection systems (IDSs), including host-based intrusion detection
systems (HIDSs) and network intrusion detection systems (NIDSs)
• Intrusion-prevention systems (IPSs)

• Cryptographic techniques (e.g., public key infrastructure [PKI], Advanced
Encryption Standard [AES], etc.)
• Digital Signatures
• Smart Cards
• Authentication and authorization mechanisms (one-time passwords [OTPs],
challenge-response, PKI certificates, multifactor authentication, biometrics)
• Wireless security methodologies
• Remote access methodologies (virtual private networks [VPNs], etc.)
• Web security techniques
• Log collection, analysis and correlation tools (i.e., Security Information and
Event Management [SIEM])
• Vulnerability scanning and penetration testing tools
• Data leak prevention methodologies (removable media security, content
filtering, etc.)
• Data integrity controls, e.g., backups, data snapshots, data replication, RAID,
SAN real-time replication, etc.
• Identity and access management systems
• Mobile devices
• Local area networks (LANs)
• Wide area networks (WANs)
• Storage area networks (SANs)

• Internet and network protocols (TCP/IP, UDP, etc.)
• Operating systems
• Network routing concepts and protocols
• Databases
• Servers
• Enterprise architectures
• Virtualization
• Cloud Computing
• Web-related technologies and architectures
• Bring your own devices (BYOD)

3.7 SCOPE AND CHARTER OF AN INFORMATION SECURITY PROGRAM
3.8 THE INFORMATION SECURITY MANAGEMENT FRAMEWORK
• The program adds tactical and strategic value to the organization
• The program is being operated efficiently and with concern to cost issues
• Management has a clear understanding of information security achievements,
activities, benefits and needs
• Information security knowledge and capabilities are growing as a result of the
program
• The program fosters cooperation and goodwill between organizational units
• There is facilitation of information security stakeholders understanding their
roles, responsibilities and expectations
• The program includes provisions for the organization’s continuity of business


3.8.1 COBIT 5 Principle

3.8.2 ISO/IEC 27001:2013

A.5: Information security policies
A.6: Organization of information security
A.7: Human resource security (controls that are applied before, during, or after
employment)
A.8: Asset management
A.9: Access control
A.10: Cryptography
A.11: Physical and environmental security
A.12: Operations security

A.13: Communications security
A.14: System acquisition, development and maintenance
A.15: Supplier relationships
A.16: Information security incident management
A.17: Information security aspects of business continuity management
A.18: Compliance (with internal requirements, such as policies, and with external
requirements, such as law)

The ISO 27xxx set of published standards and practices now covers
virtually all aspects of security. They include:
• ISO/IEC 27000 Overview and vocabulary
• ISO/IEC 27001 Formal ISMS specification
• ISO/IEC 27002 InfoSec controls
• ISO/IEC 27003 ISMS implementation guide
• ISO/IEC 27004 InfoSec metrics
• ISO/IEC 27005 InfoSec risk management
• ISO/IEC 27006 ISMS certification guide
• ISO/IEC 27007 Management system auditing
• ISO/IEC 27008 Technical auditing

• ISO/IEC 27010 Interorganizational communication
• ISO/IEC 27011 Telecommunications industry
• ISO/IEC 27013 ISMS + service management
• ISO/IEC 27014 InfoSec governance
• ISO/IEC TR 27015 Financial services
• ISO/IEC TR 27016 InfoSec economics
• ISO/IEC TR 27019 Process control

• ISO/IEC TR 27031 ICT business continuity
• ISO/IEC TR 27032 Cybersecurity
• ISO/IEC TR 27033 -1 to -5 Network security
• ISO/IEC TR 27034 Application security
• ISO/IEC TR 27035 Incident management
• ISO/IEC TR 27036 -3 ICT supply chain
• ISO/IEC TR 27037 Digital evidence
• ISO 27799 ISO27k for the healthcare industry

3.9 INFORMATION SECURITY FRAMEWORK COMPONENTS

3.9.1 OPERATIONAL COMPONENTS

• Identity management and access control administration
• Security event monitoring and analysis
• System patching procedures and configuration management
• Change Control and/or release management processes
• Security metrics collection and reporting
• Maintenance of supplemental control technologies and program support
technologies
• Incident response, investigation and resolution
• Retirement and sanitization of data processing equipment and media storage

3.11 INFORMATION SECURITY INFRASTRUCTURE AND ARCHITECTURE

3.11.1 ENTERPRISE INFORMATION SECURITY ARCHITECTURE

• The objectives of EISA include:
–Provide overarching structure, coherence and cohesiveness
–Serve as a program development road map
–Ensure strategic alignment between business and security
–Support and enable achievement of business strategy
–Implement security policies and strategy

–Ensure traceability back to the business strategy, specific business requirements and
key principles
–Provide a level of abstraction independent of specific technologies and preferences
–Establish a common “language” for information security within the organization
–Allow many individual contributors to work together to achieve objectives

Enterprise Architecture Domains

• A business (or business process) architecture defines the business strategy,
governance, organization and key business processes.
• A data architecture describes the structure of an organization’s logical and
physical data assets, and data management resources.
• An applications architecture provides a blueprint for the individual application
systems to be developed, their interactions and their relationships to the core
business processes of the organization.
• A technology architecture describes the architectural process components and
relationships, and the hardware and software infrastructure intended to support
the development of mission-critical applications.

3.11.2 OBJECTIVES OF INFORMATION SECURITY ARCHITECTURES

• Providing a Framework and Road Map
• Simplicity and Clarity Through Layering and Modularization
• Business Focused Beyond the Technical Domain
• Architecture and Control Objectives

3.12 ARCHITECTURE IMPLEMENTATION

• Database Management systems (to restrict application access).
• Telecommunications (to mitigate threats of phone fraud).
• Web application access.

3.13 SECURITY PROGRAM MANAGEMENT AND ADMINISTRATIVE ACTIVITIES
• Checklist for a comprehensive, well-managed security program:
• A security strategy intrinsically linked with business objectives that has senior
management acceptance and support.
• Security Policy and supporting standards that are complete and consistent with
strategy.
• Complete and accurate security procedures for all important operations.
• Clear assignments of roles and responsibilities.

• Established method to ensure continued alignment with business goals and
objectives such as a security steering committee.
• Information assets that have been identified and classified by criticality and
sensitivity.
• Security architecture that is complete and consistent with strategy, and in line
with business objectives.
• Effective controls that have been well-designed, implemented and maintained.
• Effective monitoring processes in place.
• Tested and functional incident and emergency response capabilities.

• Tested business continuity/disaster recovery plans.
• Appropriate information security involvement in change management, SDLC
and project management processes.
• Established processes to ensure that risk is properly identified, evaluated,
communicated and managed.
• Established security awareness training for all users.
• Established activities that create and sustain a corporate culture that values
information security.
• Established process to maintain awareness of current and emerging regulatory
and legal issues.

• Effective integration with procurement and third-party management processes.
• Resolution of noncompliance issues and other variances in a timely manner.
• Processes to ensure ongoing interaction with business process owners.
• Business supported processes for risk and business impact assessments,
development of risk mitigation strategies, and enforcement of policy and
regulatory compliance.
• Established operational, tactical and strategic metrics that monitor utilization
and effectiveness of security resources.
• Effective communication and integration with other organizational assurance
providers.

Program Administration

• Ongoing administration might include such tasks as:
• Personnel performance, time tracking and other record keeping
• Resource utilization
• Purchasing and/or acquisition
• Inventory management
• Project monitoring and tracking
• Awareness program development
• Budgeting, financial management and assets control
• Business case development and financial analysis

• HR administration and personnel management
• Project and program management
• Operations and services delivery management
• Implementation and administration of metrics and reporting
• Information technology development life cycle management.

• There may be a number of technical administrative and operational
requirements as well. These may include:
–Cryptography key management
–Log reviews and monitoring
–Change request review and oversight
–Configuration, patch and other life cycle management review and oversight
–Vulnerability scanning
–Threat monitoring
–Compliance monitoring
–Penetration testing

3.13.1 PERSONNEL, ROLES, SKILLS AND CULTURE
3.13.2 SECURITY AWARENESS, TRAINING AND EDUCATION
• Who is the intended audience (senior management, business managers, IT staff,
end users)?
• What is the intended message (policies, procedures, recent events)?
• What are the intended results (improved policy compliance, behavioral change,
better practices)?
• What communication method will be used (computer-based training [CBT],
all-hands meetings, intranet, newsletters, etc.)?
• What is the organizational structure and culture?

A number of different mechanisms are available for raising information security awareness, including:
• Computer-based security awareness and training programs
• E-mail reminders and security tips
• Written security policies and procedures (and updates)
• Nondisclosure statements signed by the employee
• Use of different media in promulgating security
• Visible enforcement of security rules
• Simulated security incidents for improving security
• Rewarding employees who report suspicious events
• Job descriptions
• Performance reviews

3.13.3 DOCUMENTATION

• Policies, standards, procedures, and guidelines
• Technical diagrams of infrastructure and architectures, applications and data flows
• Training and awareness documentation
• Risk analysis, recommendations and related documentation

• Security system designs, configuration policies and maintenance documentation
• Operational records such as shift reports and incident tracking reports
• Operational procedures and process flows
• Organizational documentation such as organization charts, staff performance
objectives and RACI models

• Program Objectives
• Road Maps
• Business Cases
• Resources required
• Controls
• Budgets
• Systems designs/architectures
• Policies, standards, procedures, guidelines

• Project plan milestones, timelines
• KGIs, KPIs, CSFs, other metrics
• Training and awareness requirements
• Business impacts and risk analysis
• Service level agreements (SLAs)
• Severity Criteria
• Declaration Criteria
3.13.4 PROGRAM DEVELOPMENT AND PROJECT MANAGEMENT

3.13.5 RISK MANAGEMENT

Risk Management Responsibilities

• Knowledge of program development life cycle risk
• Knowledge of program management risk
• Knowledge of methods for assessing the vulnerabilities in technical and operational
environments
• Ability to analyze exposures, the general threat environment and threats specific to
the information security manager’s organization
• Knowledge of risk analysis approaches including mitigation, elimination, transfer, and
informed acceptance
• Ability to understand and assess potential impacts if risks are exploited
• Knowledge of methods for tracking, documenting and communicating risk and impact
issues

3.13.6 BUSINESS CASE DEVELOPMENT

• The principal purposes of the formal business case process are:
• Introduce a way of thinking that causes people with the authority to
recommend projects to consider their value, risk and relative priority as a
fundamental element of submitting the project proposal
• Require those proposing a project to justify its value to the enterprise and to
eliminate any proposal that is not of demonstrable value
• Enable management to determine whether the project proposed is of value to
the business and achievable compared to the relative merits of alternative
proposals
• Enable management to objectively measure the subsequent achievement of
the benefits of the business case.

• References: Project name, origins/background/current state
• Context: Business objectives/opportunities, business strategic alignment
• Value Proposition: Desired business outcomes, outcomes road map, business
benefits (by outcomes), quantified value, costs/ROI financial scenarios, risk/costs
of not proceeding, project risk (to project, benefits and business)
• Focus: Problem/solution scope, assumptions/constraints, options
identified/evaluated, size, scale and complexity assessment
• Deliverables: Outcomes, deliverables and benefits planned; organizational
areas impacted (internally and externally); key stakeholders

• Dependencies: KGIs, KPIs
• Project metrics: Approach, phase/stage definitions
• Workload: Project leadership team, project governance team, team resources,
deliverables schedule, financial budget/schedule
• Required resources: Project controls, review schedule, reporting processes,
deliverables schedule, financial budget/schedule

• Business Case Objectives
–Adaptable
–Consistent
–Business oriented
–Comprehensive
–Understandable
–Measurable
–Transparent
–Accountable

3.13.7 PROGRAM BUDGETING

• Elements of an information security program budget
–Employee time
–Contractor and consultant fees
–Equipment (hardware, software) costs
–Space requirements (data center rack space, etc.)
–Testing resources (personnel, system time, etc.)
–Training costs (staff, users, etc.)
–Travel

–Creation of supporting documentation
–Ongoing maintenance
–Contingencies for unexpected costs

• 3.13.8 GENERAL RULES OF USE/ACCEPTABLE USE POLICY
• 3.13.9 INFORMATION SECURITY PROBLEM MANAGEMENT PRACTICES
• 3.13.10 VENDOR MANAGEMENT

3.13.11 PROGRAM MANAGEMENT EVALUATION

Program Objectives
• Were program goals aligned with governance objectives?
• Are objectives measurable, realistic and associated with a specific timeline?
• Do program objectives align with organizational goals, initiatives, compliance
needs and operational environment?
• Is there consensus on program objectives? Were objectives developed
collaboratively?
• Have metrics been implemented to measure program objective success and
shortfalls?
• Are there regular management reviews of objectives and accomplishments?

Program Management

Considerations of program management components include:
• Is there thorough documentation of the program itself? Have key policies and standards
been distributed to responsible parties?
• Do responsible individuals understand their roles and responsibilities?
• Are roles and responsibilities defined for members of senior management, boards,
etc.? Do these organizations understand and accept their responsibilities?
• Are responsibilities for information security represented in business managers’
individual objectives and part of their individual performance rating?
• Are policies and standards defined, formally approved and distributed?

• Are business unit managers involved in guiding and supporting information security
program activities? Is there a formal Steering Committee?
• How is the program positioned within the organization? To whom is the program
accountable? Does this positioning provide an appropriate level of authority and
visibility for the objectives that the program must fulfill?
• Does the program implement effective administration functions, e.g., budgeting,
financial management, HR management, knowledge management?
• Are meaningful metrics used to evaluate program performance? Are these metrics
regularly collected and reported?
• Are there forums and mechanisms for regular management oversight of program
activities? Does management regularly reassess program effectiveness?

Security Operations Management

• Are security requirements and processes included in security, technology and
business unit standard operating procedures (SOPs)?
• Do security-related SOPs provide for accountability, process visibility and
management oversight?
• Are there documented SOPs for security-related activities such as access
management, security systems maintenance, event analysis and incident
response?
• Is there a schedule of regularly performed procedures, e.g., technical
configuration review? Does the program provide for records of scheduled
activities?

• Is there separation of duties between system implementers, security
administrators and compliance personnel?
• Does the program provide for effective operational metrics oversight? Are there
other oversight mechanisms in place?
• Does management regularly review security operations? Is there a forum for
operational issues to be escalated to management for resolution?

Technical Security Management

• Are there technical standards for the security configuration of individual
network, system, application and other technology components?
• Do standards exist that address architectural security issues such as topology,
communication protocols and compartmentalization of critical systems?
• Do standards support and enforce high-level policies and requirements? Are
standards a collaborative effort between technology, operations and security
staff?
• Are technical standards uniformly implemented? Do procedures exist to
regularly evaluate and report on compliance with technical standards? Is there
a formal process to manage exceptions?

• Is separation of development, test and production environments enforced?
• Do systems enforce separation of duty, especially where high levels of administrative
access are concerned?
• Is there reliable and comprehensive visibility (logging) into system activities,
configurations and accessibility, whether continual or intermittent?
• Are proper decommissioning processes in place to prevent data leakage?
• Resource Levels
–Financial resource allocation
–HR
–Technical resources

• 3.13.13 LEGAL AND REGULATORY REQUIREMENTS
• 3.13.14 PHYSICAL AND ENVIRONMENTAL FACTORS
• 3.13.15 ETHICS
• 3.13.16 CULTURE AND REGIONAL VARIANCE

3.13.17 LOGISTICS

• Cross-organizational strategic planning and execution
• Coordination of committee meetings and activities
• Developing schedules of regularly performed procedures
• Resourcing prioritization and workload management
• Coordination of security resources and activities with larger projects and
operations

• 3.14 SECURITY PROGRAM SERVICES AND OPERATIONAL ACTIVITIES

3.14.1 INFORMATION SECURITY LIAISON RESPONSIBILITIES

• Physical/Corporate Security
• IT Audit
• Information Technology Unit
• Business Unit Managers
• Human Resources
• Third Party Management
• Legal Department
• Project Management Office
• Employees
• Procurement
• Compliance
• Privacy
• Training
• Quality Assurance
• Insurance

3.14.2 CROSS-ORGANIZATIONAL RESPONSIBILITIES
3.14.3 INCIDENT RESPONSE
3.14.4 SECURITY REVIEWS AND AUDITS
• An Objective
• A scope
• Constraints
• An approach
• A result
• Audits
• Auditors
3.14.5 MANAGEMENT OF SECURITY TECHNOLOGY
• Technology Competencies

3.14.6 DUE DILIGENCE

• Senior management support
• Comprehensive policies, standards and procedures
• Appropriate security education, training and awareness throughout the organization
• Periodic risk assessments
• Effective backup and recovery processes
• Implementation of adequate security controls
• Effective monitoring and metrics of the security program
• Effective compliance efforts
• Tested business continuity and disaster recovery plans
• Protection of data (in transit and at rest)

3.14.7 COMPLIANCE MONITORING AND ENFORCEMENT

• Policy Compliance
• Standards Compliance
• Resolution of Noncompliance Issues
• Normal Monitoring
• Audit Reports
• Security Reviews
• Vulnerability Scans
• Due Diligence Work
• Compliance Enforcement

3.14.8 ASSESSMENT OF RISK AND IMPACT

• Vulnerability Assessment
• Threat Assessment
• Risk and Business Impact Assessment
• Resource Dependency Assessment

3.14.9 OUTSOURCING AND SERVICE PROVIDERS

• Loss of essential skills
• Lack of visibility into security processes
• New access and other control risks
• Viability of the third-party vendor
• Complexity of incident management
• Unanticipated costs and service inadequacies
• Some common issues to be considered include:
• Isolation of external party access to resources

• Integrity and authenticity of data and transactions
• Protection against malicious code or content
• Privacy/confidentiality agreements and procedures
• Security standards for transacting systems
• Data transmission confidentiality
• Identity and access management of the third party
• Incident contact and escalation procedures
• Compliance enforcement of critical sole source vendors

Outsourcing Contracts

• Detailed specification of outsourced service
• Specific security requirements
• Restrictions on copying information and securing assets
• Prohibiting access without explicit authorization and maintaining a list of individuals
who have access
• Right to audit and/or inspect
• Indemnity clauses to mitigate impact caused by the service provider
• Requirements for incident response and BCPs
• Level of service quality
• Integrity and confidentiality of business assets

• Nondisclosure agreements to be signed by the employees/agents of third parties
• Protection of intellectual property
• Ownership of information
• Requirement that applicable legal and regulatory requirements are met
• Ensure return and/or destruction of information/assets at the end of the contract
• Duration up to which the confidentiality shall be maintained
• Employees or agents of the third party required to comply with security policies of the
organization
• Escalation processes

• Third-Party Access
• Criticality of information to which access rights are given
• Criticality of privileges given
• Period of contract

3.14.10 CLOUD COMPUTING

• On-demand self-service
• Broad network access
• Resource pooling
• Elasticity
• Measured service

Security as a service (SecaaS) comes in two major forms:

• The cloud service provider (CSP) provides stand-alone managed security
services ranging from antivirus scanning and mail security to full deployments
of end-point security.
• The CSP offloads appliance utilization for the client, and CPU- and
memory-intensive activities are moved to cloud services. For example, antivirus
activities on unified threat management (UTM) devices are often offloaded to a
SecaaS provider to reduce the number of chassis at the client site. The advantage
to the client is minimized risk when applying patches or updates, because they
are no longer directly linked to the device.

ISACA CISM REVIEW MANUAL
• The cost for an in-house DR infrastructure is reduced significantly. Because DR
is often considered to be a necessity rather than core business, the return on
investment (ROI) in DR services can be significant.
• Offsite storage means that the DR environment is less likely to fail in the case of
a major disaster.
• Identity as a service (IDaaS) is a relatively new cloud service and currently has
two interpretations:
• The management of identities in the cloud that is separated from the users and
applications that use the identities. This can be either managed identity
services, including provisioning, or management for both onsite and offsite
services. Delivering a single sign-on (SSO) solution can also be part of the cloud
service offering.

• The delivery of an identity and access management (IAM) solution. IDaaS is often
a hybrid solution where access and roles are configured by the CSP and users are
authorized by enterprise internal solutions. This is known as a federated model.
• Data storage and data analysis as a service, or big data
• Information as a service (InfoaaS)
• Integration platform as a service (IPaaS)
• Forensics as a service (FRaaS)

• Advantages
• Optimized resource utilization
• Cost savings
• Better responsiveness
• Faster cycle of innovation
• Reduced time for implementation
• Resilience

• Security Considerations
• Evaluation of Cloud Service Providers
• Existing widely accepted frameworks customizable for the cloud
(e.g., COBIT, ISO 2700x)
• Frameworks built for the cloud (e.g., CSA Cloud Controls Matrix,
Jericho Forum Self-Assessment Scheme)

3.14.11 INTEGRATION WITH IT PROCESSES

• Integration
• System Life Cycle Processes
• Initiation
• Development or acquisition
• Implementation
• Operational and maintenance
• End of life/disposition
• Establishing requirements

• Feasibility
• Architecture and design
• Proof of concept
• Full Development
• Integration testing
• Quality and Acceptance testing
• Deployment

• Maintenance
• System end of life
• Change Management
• Configuration Management
• Release Management
• 3.15 CONTROLS AND COUNTERMEASURES
• 3.15.1 CONTROL CATEGORIES
–Preventive
–Detective
–Corrective
–Compensatory
–Deterrent

3.15.2 CONTROL DESIGN CONSIDERATIONS

• Controls as Strategy Implementation Resources
• Logical Access Control
• Secure Failure
• Principle of least privilege
• Compartmentalize to minimize damage
• Segregation of duties
• Transparency
• Trust
• Trust no one

• 3.15.3 CONTROL STRENGTH
• 3.15.4 CONTROL METHODS
• 3.15.4 CONTROL RECOMMENDATIONS
–Effectiveness of recommended options
–Compatibility with other impacted systems, processes and controls
–Relevant legislation and regulation
–Organizational policy and standards
–Organizational Structure and culture
–Operational impact
–Safety and reliability

• 3.15.6 COUNTERMEASURES
• 3.15.7 PHYSICAL AND ENVIRONMENTAL CONTROLS
• 3.15.8 CONTROL TECHNOLOGY CATEGORIES
–Native Control Technologies
–Supplemental Control Technologies
–Management Support Technologies
–Security information management (SIM) tools
–Security information and event management (SIEM) systems

–Compliance monitoring and management tools
–Access management workflow systems
–Vulnerability Scanning tools
–Security configuration monitoring tools
–Policy management and distribution Systems

3.15.9 TECHNICAL CONTROL COMPONENTS AND ARCHITECTURE

• Analysis of Controls
• Control Placement
• Control Effectiveness
• Control Efficiency
• Control Policy
• Control Implementation

• 3.15.10 CONTROL TESTING AND MODIFICATION
• 3.15.11 BASELINE CONTROLS
• 3.16 SECURITY PROGRAM METRICS AND MONITORING
• 3.16.1 METRICS DEVELOPMENT
–Strategic
–Management
–Operational

3.16.1 METRICS DEVELOPMENT

• There are a number of other considerations for developing metrics. The essential
attributes that must be considered include:
–Manageable
–Meaningful
–Actionable
–Unambiguous
–Reliable
–Accurate
–Timely
–Predictive
–Genuine

• Number of unremediated vulnerabilities
• Number of open or closed audit items
• Number or percentage of user accounts in compliance with standards
• Perimeter penetrations
• Unresolved security variances
• Qualitative metrics that should be monitored can be used to determine trends
and can include such things as:
• CMM levels at periodic intervals

3.16.2 MONITORING APPROACHES

• Monitoring Security Activities in Infrastructure and Business Applications
• Determining Success of Information Security Investments
• Costs to administer controls
• Training costs
• Maintenance costs
• Update fees
• Consultant or help desk fees
• Fees associated with other interrelated systems that may have been
modified to accommodate security objectives

88
3.16.3 MEASURING INFORMATION SECURITY MANAGEMENT PERFORMANCE

• Minimize risk and loss related to information security issues.
• Support achievement of overall organizational objectives.
• Support organizational achievement of compliance.
• Maximize the program’s operational productivity.
• Maximize security cost-effectiveness.
• Establish and maintain organizational security awareness.
• Facilitate effective logical, technical and operational secure
architecture.
• Maximize effectiveness of program framework and resources.
• Measure and manage operational performance.

89
3.16.4 MEASURING INFORMATION SECURITY RISK AND LOSS

• Technical vulnerability management
• Risk management
• Loss prevention
• Do risk management activities occur as scheduled?
• Have incident response and BCPs been tested?
• Are asset inventories, custodianships, valuations and risk analyses up-to-date?
• Is there consensus among information security stakeholders as to acceptable
levels of risk to the organization?
• Do executive management oversight and review activities occur as planned?

90
3.16.5 MEASURING SUPPORT ORGANIZATIONAL OBJECTIVES

• Is there documented correlation between key organizational
milestones and the objectives of the information security program?
• How many information security objectives were successfully
completed in support of organizational goals?
• Were there organizational goals that were not fulfilled because
information security objectives were not met?
• How strong is consensus among business units, executive
management and other information security stakeholders that
program objectives are complete and appropriate?

91
• 3.16.6 MEASURING COMPLIANCE
• 3.16.7 MEASURING OPERATIONAL PRODUCTIVITY
• 3.16.8 MEASURING SECURITY COST-EFFECTIVENESS
• Costs of vulnerability assessment per application
• Costs for workstation security controls per user
• Costs for e-mail spam and virus protection per mailbox

• 3.16.9 MEASURING ORGANIZATIONAL AWARENESS

92
3.16.10 MEASURING EFFECTIVENESS OF TECHNICAL SECURITY ARCHITECTURE

• Probe and attack attempts repelled by network access control devices;
qualify by asset or resource targeted, source geography and attack type
• Probe and attack attempts detected by IDSs on the internal network; qualify
by internal versus external source, resource targeted and attack type
• Number and type of actual compromises; qualify by attack severity, attack
type, impact severity and source of attack
• Statistics on viruses, worms and other malware identified and neutralized;
qualify by impact potential, severity of larger Internet outbreaks and
malware vector

93
3.16.10 MEASURING EFFECTIVENESS OF TECHNICAL SECURITY ARCHITECTURE

• Amount of downtime attributable to security flaws and unpatched systems
• Number of messages processed, sessions examined, and kilobytes (KB) of data
examined by IDSs
• Individual technical mechanisms have been tested to verify control objectives
and policy enforcement
• The security architecture is constructed of appropriate controls in a layered
fashion
• Control mechanisms are properly configured and monitored in real-time, self-
protection implemented, and information security personnel alerted to faults
• All critical systems stream events to information security personnel or to event
analysis automation tools for real-time threat detection

94
3.16.11 MEASURING EFFECTIVENESS OF MANAGEMENT FRAMEWORK AND RESOURCES
• Tracking the frequency of issue recurrence
• Monitoring the level of operational knowledge capture and dissemination
• The degree to which process implementations are standardized
• Clarity and completeness of documented information security roles and
responsibilities
• Information security requirements incorporated into every project plan
• Efforts and results in making the program more productive and cost-effective
• Overall security resource utilization and trends
• Ongoing alignment with, and support of, organizational objectives

95
3.16.12 MEASURING OPERATIONAL PERFORMANCE

• Time to detect, escalate, isolate and contain incidents
• Time between vulnerability detection and resolution
• Quantity, frequency and severity of incidents discovered after their
occurrence
• Average time between vendor release of vulnerability patches and their
application
• Percentage of systems that have been audited within a certain period
• Number of changes that are released without full change control
approval
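As an added worked example (not part of the CISM material on this page), the block below computes several of the operational metrics listed above, plus the "number of unremediated vulnerabilities" metric from 3.16.1, from constructed vulnerability and audit records. The hostnames, dates and the per-severity remediation targets in SLA_DAYS are assumptions for the example. It reports the open and overdue items alongside the mean time to remediate on purpose: a mean taken over closed tickets alone says nothing about the backlog, and a metric that hides the backlog fails the "accurate" and "unambiguous" attributes listed in 3.16.1.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Optional


@dataclass(frozen=True)
class Vuln:
    host: str
    severity: str                  # "critical", "high" or "medium"
    patch_released: datetime       # vendor release date of the fix
    detected: datetime             # first seen by the organization's scanner
    resolved: Optional[datetime]   # None while the finding is still open


@dataclass(frozen=True)
class Host:
    name: str
    last_audit: Optional[datetime]  # None if never audited


# Assumed remediation targets per severity, in days; an organization sets its own.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}
AUDIT_WINDOW = timedelta(days=90)

# Constructed sample records: hostnames and dates are made up for this example.
AS_OF = datetime(2024, 3, 31)
VULNS = [
    Vuln("web-01", "critical", datetime(2024, 3, 1), datetime(2024, 3, 2), datetime(2024, 3, 5)),
    Vuln("web-02", "critical", datetime(2024, 3, 1), datetime(2024, 3, 2), None),
    Vuln("db-01", "high", datetime(2024, 2, 10), datetime(2024, 2, 20), datetime(2024, 3, 20)),
    Vuln("app-03", "medium", datetime(2024, 1, 15), datetime(2024, 1, 20), datetime(2024, 2, 1)),
    Vuln("app-04", "high", datetime(2024, 3, 10), datetime(2024, 3, 12), datetime(2024, 3, 14)),
]
HOSTS = [
    Host("web-01", datetime(2024, 2, 15)),
    Host("web-02", datetime(2023, 11, 1)),
    Host("db-01", datetime(2024, 3, 1)),
    Host("app-03", datetime(2024, 1, 10)),
    Host("app-04", None),
]


def _days(start, end):
    return (end - start).total_seconds() / 86400.0


def operational_metrics(vulns, hosts, as_of):
    """Return the 3.16.12-style metrics for the reporting date as_of."""
    closed = [v for v in vulns if v.resolved is not None and v.resolved <= as_of]
    still_open = [v for v in vulns if v.resolved is None or v.resolved > as_of]

    detect_to_fix = [_days(v.detected, v.resolved) for v in closed]
    release_to_apply = [_days(v.patch_released, v.resolved) for v in closed]
    within_sla = [v for v in closed if _days(v.detected, v.resolved) <= SLA_DAYS[v.severity]]

    # Open items are aged against as_of rather than dropped: this is the backlog
    # that "number of unremediated vulnerabilities" is meant to expose.
    overdue = [
        (v.host, v.severity, round(_days(v.detected, as_of)))
        for v in still_open
        if _days(v.detected, as_of) > SLA_DAYS[v.severity]
    ]

    cutoff = as_of - AUDIT_WINDOW
    audited = [h for h in hosts if h.last_audit is not None and h.last_audit >= cutoff]

    return {
        "closed_count": len(closed),
        "mean_detect_to_resolve_days": mean(detect_to_fix) if closed else None,
        "median_detect_to_resolve_days": median(detect_to_fix) if closed else None,
        "mean_patch_release_to_apply_days": mean(release_to_apply) if closed else None,
        "closed_within_sla_pct": round(100.0 * len(within_sla) / len(closed), 1) if closed else None,
        "unremediated_count": len(still_open),
        "overdue_open": overdue,
        "systems_audited_pct": round(100.0 * len(audited) / len(hosts), 1) if hosts else None,
    }


if __name__ == "__main__":
    for key, value in operational_metrics(VULNS, HOSTS, AS_OF).items():
        print(f"{key}: {value}")
```

On the constructed data the mean detection-to-resolution time is 11.5 days and every closed item met its target, which on its own looks healthy; the same report also shows one critical finding open for 29 days against a 7-day target. Reporting the median next to the mean, and the overdue list next to the percentage, is what keeps the metric from being read more optimistically than the data supports.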

96
3.16.13 MONITORING AND COMMUNICATION

• Failed access attempts to resources
• Processing faults that may indicate system tampering
• Outages, race conditions and faults related to design or other issues
• Changes to system configurations, particularly security controls
• Privileged system access and activities
• Technical security components and fault detection
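As an added illustration, not part of the CISM material on this page, the block below runs simple detection logic over constructed syslog lines and flags four of the event classes listed above: a burst of failed access attempts from one source, privileged (sudo) activity, a change to a security control's configuration file, and a processing fault (a segfault). The hostnames, the addresses (taken from the RFC 5737 documentation ranges), the watched-path list, the five-failures-in-sixty-seconds threshold and the regular expressions are all assumptions made for the example, not settings from any product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines for this example: hostnames are made up and the
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar 31 10:00:01 web-01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50210 ssh2
Mar 31 10:00:04 web-01 sshd[1202]: Failed password for invalid user oracle from 203.0.113.7 port 50211 ssh2
Mar 31 10:00:08 web-01 sshd[1203]: Failed password for root from 203.0.113.7 port 50212 ssh2
Mar 31 10:00:11 web-01 sshd[1204]: Failed password for root from 203.0.113.7 port 50213 ssh2
Mar 31 10:00:15 web-01 sshd[1205]: Failed password for root from 203.0.113.7 port 50214 ssh2
Mar 31 10:01:10 web-01 sshd[1209]: Accepted publickey for deploy from 198.51.100.4 port 60010 ssh2
Mar 31 10:02:00 web-01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
Mar 31 10:02:30 web-01 kernel: nginx[2210]: segfault at 0 ip 00007f3a1c2b4e10 sp 00007ffd2c8e1a40 error 4 in libc.so.6[7f3a1c280000+1c4000]
Mar 31 10:03:00 web-01 sshd[1300]: Failed password for root from 198.51.100.4 port 60011 ssh2
"""

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
FAULT_RE = re.compile(r"segfault|general protection fault|stack smashing detected", re.IGNORECASE)

# Assumed list of security-control configuration paths worth alerting on.
WATCHED_CONFIG = ("/etc/ssh/sshd_config", "/etc/sudoers", "/etc/pam.d/", "/etc/audit/")
FAIL_THRESHOLD = 5                  # assumed: failures from one source ...
FAIL_WINDOW = timedelta(seconds=60)  # ... within this window count as a burst


def parse_line(line):
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    # Classic syslog stamps carry no year; strptime defaults to 1900, fine for deltas.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["host"], m["rest"]


def analyze(log_text):
    findings = []
    failures = defaultdict(list)   # (host, source address) -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, rest = parsed
        failed = FAILED_RE.search(rest)
        if failed:
            failures[(host, failed["src"])].append((ts, failed["user"]))
            continue
        priv = SUDO_RE.search(rest)
        if priv:
            findings.append({"type": "privileged_activity", "host": host, "user": priv["user"],
                             "as_user": priv["target"], "command": priv["cmd"]})
            touched = next((p for p in WATCHED_CONFIG if p in priv["cmd"]), None)
            if touched:
                findings.append({"type": "security_config_change", "host": host,
                                 "user": priv["user"], "path": touched})
            continue
        if FAULT_RE.search(rest):
            findings.append({"type": "processing_fault", "host": host, "detail": rest})

    # Sliding window over each source's failures; a burst is reported once per source,
    # with the set of user names tried, so one attacker does not produce one alert per line.
    for (host, src), events in failures.items():
        events.sort()
        for i in range(len(events)):
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= FAIL_WINDOW:
                j += 1
            if j - i >= FAIL_THRESHOLD:
                findings.append({"type": "failed_access_burst", "host": host, "source": src,
                                 "count": j - i, "users": sorted({u for _, u in events[i:j]})})
                break
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The single failed root login from 198.51.100.4 at the end of the sample stays below the burst threshold and is not reported on its own; it is the kind of event that belongs in the failed-access count rather than in an alert. The sudo line produces two findings because the same event answers two of the questions above: who used privileged access, and what security control configuration changed.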

97
3.17 COMMON INFORMATION SECURITY PROGRAM CHALLENGES

• Organizational resistance due to changes in areas of responsibility
introduced by the program
• A perception that increased security will reduce access required for job
functions
• Overreliance on subjective metrics
• Failure of strategy
• Assumptions of procedural compliance without confirming oversight
• Ineffective project management, delaying security initiatives
• Previously undetected, broken or buggy security software

98
Management Support

• Funding
• Management not recognizing the value of security investments
• Security being viewed as a low-value cost center
• Management not understanding where existing money is going
• The organizational need for a security investment not being
understood

99
Management Support

• The need for more awareness of industry trends in security investment
• Leverage the budgets of other organization units (e.g., product
development, internal audit, information systems) to implement needed
security program components
• Improving the efficiency of existing information security program
components
• Working with the information security steering committee to reprioritize
security resource assignments and providing senior management with
analysis of what security components will become underresourced and
the associated risk implications
100
Management Support

• Staffing
• Poor understanding of what activities new resources will do
• Questioning the need or benefit of new resource activities
• Lack of awareness of existing staff utilization levels or activities
• Belief that existing staff are underutilized
• Desire to examine outsourcing alternatives

101
Management Support

• Collaborate with other business units to determine if they can assume
more information security responsibilities; delegate appropriate tasks
with oversight
• Analyze outsourcing possibilities, especially for high-volume operational
activities; be prepared to demonstrate how freed resources would be
immediately redeployed to higher-value activities
• Work with the information security steering committee to reprioritize
security personnel assignments; provide senior management with
analysis of what security activities will not be addressed with current staff
and communicate risk implications

102
104
Q&A

105
