LVISSA CISSP Course Winter 2017, Domain 1 (lvissa.org/mentor_slides/LVISSA CISSP Course Winter 2017...)
3/4/2017
Jae Gianelloni, CPA, CISA, CISSP, Director of Internal Audit, Station Casinos, [email protected]


Page 2

• What would you do if you were a CEO
• Exam preparation tips
  • Official student handbook
  • Official question bank
  • Cram courses
  • Other sources
  • Domains to score
  • On the day of the exam
  • Exam duration

• Security functions that align with the goal, mission, and objective of an organization
• Confidentiality, integrity, and availability
• Information security governance with due care and diligence
• Management of third-party governance
• Managing personnel security, including security training, education, and awareness
• System life cycle approach
• Risk management concepts

• Introduction to information security governance and risk management
• Information security governance
• The risk management process

Page 3

Overview of the information security environment
• Business objectives, goals, business mission
• Regulations, stakeholders, competitors
• Risk management is the primary objective of a security program
• Proper handling of a risk is based on its potential to have a negative impact on the organization’s assets.

Wait, have you seen a company that puts an emphasis on security?

Aspects of security in a manner that can be understood by management
• Confidentiality: Ensuring that information is accessible only to those authorized to have access
• Integrity: Safeguarding the accuracy and reliability of information and processing methods
• Availability: Ensuring that authorized users have access to information and associated assets when required.

Page 4

Which one of the following individuals would be the most effective organizational owner for an information security program?
A. CISSP-certified analyst
B. Chief information officer
C. Manager of network security
D. President and CEO

*Source: CISSP Official (ISC)2 Practice Tests, 2016

John’s network begins to experience symptoms of slowness. Upon investigation, he realizes that the network is being bombarded with ICMP ECHO REPLY packets and believes that his organization is the victim of a Smurf attack. What principle of information security is being violated?
A. Availability
B. Integrity
C. Confidentiality
D. Denial

*Source: CISSP Official (ISC)2 Practice Tests, 2016

Page 5

Beth is the security administrator for a public school district. She is implementing a new student information system and is testing the code to ensure that students are not able to alter their own grades. What principle of information security is Beth enforcing?
A. Integrity
B. Availability
C. Confidentiality
D. Denial

*Source: CISSP Official (ISC)2 Practice Tests, 2016

Which of the following is an administrative control that can protect the confidentiality of information?
A. Encryption
B. Non-disclosure agreement
C. Firewall
D. Fault tolerance

*Source: CISSP Official (ISC)2 Practice Tests, 2016

Gary is implementing a new RAID-based disk system designed to keep a server up and running even in the event of a single disk failure. What principle of information security is Gary seeking to enforce?
A. Denial
B. Confidentiality
C. Integrity
D. Availability

*Source: CISSP Official (ISC)2 Practice Tests, 2016

Page 6

Who is the ideal person to approve an organization’s business continuity plan?
A. Chief information officer
B. Chief executive officer
C. Chief information security officer
D. Chief operating officer

*Source: CISSP Official (ISC)2 Practice Tests, 2016

• Board of Directors
  • Unbiased and independent
  • Ensure shareholder interest is being protected
  • Sets risk appetite (risk tolerance) and security strategy
  • The Sarbanes-Oxley Act can hold a director responsible if an internal corporate governance framework does not exist
  • Practice due diligence

• Executive Management
  • Responsible for asset management, risk assessment, privacy impact analysis, planning and strategy, controls and performance management, reviews, certifications, audits
  • CEO, CFO, CSO/CISO, CPO, CIO

Page 7

• IS Security Steering Committee
  • Responsible for decision-making capabilities on tactical and strategic security issues
  • Define acceptable risk for the organization
  • Develop security objectives and strategies
  • Determine priorities of security initiatives based on business needs
  • Review risk assessment and auditing reports
  • Monitor the business impact of security risks
  • Review major security breaches and incidents
  • Approve major changes to security policy and programs

• Data Owners
  • Ultimately responsible for protection and use of data
  • Responsible for determining the sensitivity and classification levels of the data as well as maintaining accuracy and integrity of the data resident on the information system
  • Responsible for ensuring proper security controls are in place
  • Due care responsibility, else can be held negligent

• Data Custodian
  • Responsible for maintenance and protection of the data once classified
  • Performing regular backups and/or restores
  • Periodically validating integrity of the data
  • Retaining records of activity
  • Fulfilling the requirements specified in the company’s security policy, standards, and guidelines

• System Owner
  • Responsible for the systems which process the data
  • Must integrate security considerations into purchasing decisions

• Security Administrator
  • Responsible for new account creation, implementation of new solutions, testing security patches and components, and issuing new passwords

• Security Analyst
  • Aids in development of policies, standards, and guidelines
  • Helps set various baselines

• Application Owner
  • Responsible for access control and security for relevant applications

Page 8

• Change Control Analyst
  • Responsible for approval or rejection of change requests
• Data Analyst
  • Responsible for ensuring data stores and structures support business objectives
• Process Owner
  • Responsible for defining, improving, and monitoring security processes
• Users
  • Use data in compliance with access rights/security policy
• Product Line Manager
  • Responsible for vendor negotiations and compliance to license agreements
• Auditors
  • Examine security practices and control mechanisms to assure compliance with regulatory or industry standards

• Service level agreements (SLAs)
  • Prior to providing access to an outsider, care must be taken to ensure that the outsider has proper clearance and awareness of policies and procedures. Contractors and third parties should be bound by SLAs that mandate how work must be done and the procedures and timelines that must be followed.

• Security awareness and training

                    Security Education              Training                   Awareness
Attribute           Why                             How                        What
Level               Insight                         Knowledge                  Information
Objective           Understanding                   Skill                      Awareness
Training Method     Discussion, Seminar,            Lecture, Case Study,       Interactive, Video, Posters,
                    Reading, Research               Hands-on                   Games, Newsletters
Test Measure        Essay                           Problem Solving            T/F, Multiple Choice
Impact Timeframe    Long-Term                       Intermediate               Short-Term

Page 9

• Three audiences
  • Management
  • Staff
  • Technical employees
• Examining
  • Responsibilities
  • Liabilities
  • Expectations

• Awareness
  • Used to influence behavior
  • Functions as a data and system control
  • Focuses attention on behavior in the enterprise
  • Reminds the user of appropriate behaviors

• Training
  • Used to teach a specific skill
  • Usually attended by personnel who are responsible for implementing and monitoring security controls
  • Often oriented to the data custodian

Page 10

• Education
  • Knowledge driven
  • Integrates security skills and competencies into a common body of knowledge
  • Adds multidisciplinary study of concepts, issues, and principles
  • Strives to produce IT security specialists and professionals capable of vision and proactive response
  • Management oriented, or for those involved in the decision-making process (information owner)

• Training is a control
  • Must be monitored and evaluated for effectiveness
  • Utilization of questionnaires and surveys to gauge retention levels and feedback

• Due Care
  • Leadership exercises the care that ordinarily prudent and reasonable persons with the same training and experience would exercise under the same circumstances
  • U.S. courts expect organizations to behave with due care by having the right policies and procedures, access controls, and other security measures

• Due Diligence
  • The enforcement of due care policy and provisions to ensure that the due care steps taken to protect assets are working effectively
  • An organization may be charged with negligence if it does not properly secure assets and harm occurs

Page 11

Which one of the following security programs is designed to provide employees with the knowledge they need to perform their specific work tasks?
A. Awareness
B. Training
C. Education
D. Indoctrination

*Source: CISSP Official (ISC)2 Practice Tests, 2016

In 1991, the federal sentencing guidelines formalized a rule that requires senior executives to take personal responsibility for information security matters. What is the name of this rule?
A. Due diligence rule
B. Personal liability rule
C. Prudent man rule
D. Due process rule

*Source: CISSP Official (ISC)2 Practice Tests, 2016

Which one of the following principles imposes a standard of care upon an individual that is broad and equivalent to what one would expect from a reasonable person under the circumstances?
A. Due diligence
B. Separation of duties
C. Due care
D. Least privilege

*Source: CISSP Official (ISC)2 Practice Tests, 2016

Page 12

Which one of the following individuals is normally responsible for fulfilling the operational data protection responsibilities delegated by senior management, such as validating data integrity, testing back-ups, and managing security policies?
A. Data custodian
B. Data owner
C. User
D. Auditor

*Source: CISSP Official (ISC)2 Practice Tests, 2016

Which one of the following security programs is designed to establish a minimum standard common denominator of security understanding?
A. Training
B. Education
C. Indoctrination
D. Awareness

*Source: CISSP Official (ISC)2 Practice Tests, 2016

The system of all necessary policies, procedures, plans, processes, practices, roles, responsibilities, resources, and structures used to protect and preserve information.
• Corporate Governance – COSO
• Financial Compliance – SOX, GLBA, PCI-DSS
• Technology – COBIT 5, SSAE-16
• Medical Compliance – HIPAA, HITECH
• Federal Mandates, State and Local Requirements
• Industry Standards – ISO/IEC

Page 13

• COSO
• COBIT
• ISO 27000
• NIST Critical Security Controls for Effective Cyber Defense (formerly SANS Top 20 Critical Controls)
• Regulatory: PCI, HIPAA, FERPA, others

COSO
• Goal: Identify five areas of internal control necessary to meet the financial reporting and disclosure objectives
• Public companies working toward SOX 404 compliance have adopted the COSO internal control model framework

COBIT
• Goal: Examines the effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability aspects of the high-level control objectives
• Focus is on adequate management and control of information technology
• Trademark of ISACA

Page 14

ISO 27000
• Goal: Provide best recommendations on information security management, risks, and controls within the context of an overall information system governance structure
• Use the standards as the basis for developing security standards and security management practices

Critical Security Controls
• Goal: Help organizations prioritize security efforts
• Do not deal with important non-technical aspects of security
• Emphasize: addressing the most common attack activities, establishing consistency, promoting automation

PCI
• Goal: To enhance cardholder data security and facilitate broad adoption of international standards
• Defines “in scope” and “out of scope” systems
• 288+ specific “tests”; more if you are a shared hosting provider

Page 15

HIPAA
• Goal: To establish controls to safeguard protected health information (PHI)
• Defines “in scope” and “out of scope” systems
• Provides implementation guidance for controls: Required, Addressable, No guidance provided

• Strategic
  • High-level, long-range requirements focusing on enabling security, IT, and business objectives
  • Overarching security policy, the alignment of the security program with the direction of the organization
• Tactical
  • More mid-term focus on events that will affect the entire organization
  • Network redesign, installation of new equipment and controls, tracking of incidents over a period of months
• Operational
  • “Fighting fires”: short-term plans for mitigating risk until mid- or long-term solutions can be put into place
  • Detecting, responding to, and recovering from incidents, and monitoring compliance and system operations

• Cost-effective (cost-benefit analysis)
• Risk-based approach
  • Identify security risks
  • Identify and evaluate risk treatments
  • Select control objectives and controls to treat risks and present them to management for approval
• Meet functional requirements
  • Controls are layered and each meets a specific security requirement. They should not depend on another control in the event of a failure. Due care function
• Meet assurance requirements
  • Confirming that security solutions are selected appropriately, are performing as intended, and are having the desired effect (e.g., audit logs). Due diligence function
• Other factors
  • Accountability, flexibility, audit capability

Page 16

• Administrative
  • Development and publishing of policies, standards, procedures, and guidelines; risk management; screening of personnel; conducting security awareness training; implementing change control procedures
• Technical (Logical)
  • Implementing and maintaining access control mechanisms, password and resource management, identification and authentication methods, security devices, and configuration of the infrastructure
• Physical
  • Controlling access into a facility and departments, locking systems, removing unnecessary media drives, protecting the perimeter of the facility, monitoring for intrusion, and environmental controls

• Deterrent: Discourage an attacker
• Preventive: Avoid an incident
• Corrective: Fixes components after an incident
• Recovery: Brings systems back to regular operation
• Detective: Helps identify attacker activities, possibly the attacker
• Compensating: Alternative measure of control

Yolanda is the chief privacy officer for a financial institution and is researching privacy issues related to customer checking accounts. Which one of the following laws is most likely to apply to this situation?
A. GLBA
B. SOX
C. HIPAA
D. FERPA

*Source: CISSP Official (ISC)2 Practice Tests, 2016

Page 17

Tim’s organization recently received a contract to conduct sponsored research as a government contractor. What law now likely applies to the information systems involved in this contract?
A. FISMA
B. PCI DSS
C. HIPAA
D. GISRA

*Source: CISSP Official (ISC)2 Practice Tests, 2016

Which one of the following control categories does not accurately describe a fence around a facility?
A. Physical
B. Detective
C. Deterrent
D. Preventive

*Source: CISSP Official (ISC)2 Practice Tests, 2016

Which one of the following is an example of an administrative control?
A. Intrusion detection system
B. Security awareness training
C. Firewalls
D. Security guards

*Source: CISSP Official (ISC)2 Practice Tests, 2016

Page 18

Renee is designing the long-term security plan for her organization and has a three-to-five-year planning horizon. What type of plan is she developing?
A. Operational
B. Tactical
C. Summary
D. Strategic

*Source: CISSP Official (ISC)2 Practice Tests, 2016

An accounting employee was arrested for participation in a fraud scheme. The employee transferred money to a personal account and then shifted funds around between other accounts every day to disguise the fraud for months. Which one of the following controls might have best allowed the earlier detection of this fraud?
A. Separation of duties
B. Least privilege
C. Defense in depth
D. Mandatory vacation

*Source: CISSP Official (ISC)2 Practice Tests, 2016

Page 19

• Risk Management is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level
• There is no 100% secure environment
• Risk categories
  • Physical damage
  • Human interaction
  • Equipment malfunction
  • Inside and outside attack
  • Misuse of data
  • Loss of data
  • Application error

• Risk Analysis: a method of identifying vulnerabilities and threats, and assessing potential impacts, to determine which countermeasures/safeguards should be implemented
• Four goals
  • Identify assets and their value to the organization
  • Identify vulnerabilities and threats
  • Quantify the probability and business impact of these potential threats
  • Apply cost-benefit analysis to the proposed countermeasures

Page 20

• Assets must be valued correctly in order to
  • Perform effective cost/benefit analysis
  • Select specific countermeasures and safeguards
  • Determine the proper level of insurance coverage to purchase
  • Understand risks cohesively
  • Conform with due care
  • Comply with legal and regulatory requirements
• Tangible: facilities, resources, systems, information
• Intangible: reputation, intellectual property

• The actual value of an asset is determined by the cost it takes to acquire, develop, and maintain it
• Considerations:
  • Cost to acquire or develop the asset
  • Cost to maintain and protect the asset
  • Value of the asset to owners and users
  • Value of the asset to adversaries
  • Value of IP
  • Price others are willing to pay
  • Cost to replace
  • Operational and production activities affected if the asset is unavailable
  • Liability issues if the asset is compromised
  • Usefulness and role of the asset in the organization

• Potential threat agents: malware, hackers, attackers, intruders, users, fire, employees, contractors
• Identify all known threats in the environment

Page 21

• Quantitative
  • Assigns numeric and monetary values
  • Attempts to assign independently objective numeric values to components of the risk assessment and to potential losses
  • Present value analysis – considers the time value of money
  • Payback method – does not consider the time value of money
  • Net Present Value (NPV) – the higher the value, the greater the benefit
  • Benefit-Cost Ratio (BCR) – the higher the ratio, the larger the return
  • Internal Rate of Return (IRR) – the higher the return, the greater the benefit

• Qualitative
  • Assigns a subjective rating (H/M/L)
  • Does not attempt to assign numeric values to risk assessment components
  • Scenario or opinion oriented
  • Rank threats
  • List vulnerable assets
  • Techniques: Delphi (group decision-making method), brainstorming, storyboarding, focus groups, surveys, questionnaires, checklists, interviews, meetings

• Qualitative
  • Pro
    • Requires no calculation
    • Provides opinions of the individuals who know the processes best
    • Provides general areas and indications of risk
  • Con
    • Involves guesswork
    • Assessments and results are subjective
    • Eliminates the opportunity to create a dollar value for cost/benefit discussions
    • Standards are not available
    • Difficult to track risk management objectives due to subjectivity

Page 22

• Quantitative
  • Pro
    • Easier to automate and evaluate
    • Used in risk management performance tracking
    • Provides credible cost/benefit analysis
    • Shows clear-cut losses that can be accrued within a one-year timeframe
    • Uses independently verifiable and objective metrics
  • Con
    • Process is laborious without automated tools
    • Requires complex calculations
    • Complexity of calculation may cause misunderstanding as to value derivation
    • Additional work necessary to gather environment information
    • Standards are not available

• Single Loss Expectancy (SLE)
  • SLE = Asset Value x Exposure Factor (EF)
  • EF = estimated percentage of loss given a realized threat
  • Example: Asset Value = $100,000, EF = 35%, SLE = $35,000
• Annualized Rate of Occurrence (ARO)
  • ARO = estimated probability of the threat occurring within a one-year time frame
  • Range is 0.0 (never) to 1.0 (always)
• Annual Loss Expectancy (ALE)
  • ALE = SLE x Annualized Rate of Occurrence (ARO)
  • The ALE value is the one used in cost/benefit analysis to choose the appropriate risk action

• Example: An earthquake could cause 50% damage to a facility if it occurs. The value of the facility is $1,000,000. The probability of an earthquake is one in ten years.
  • Asset Value x EF = SLE: $1,000,000 x 0.50 = $500,000 (SLE)
  • SLE x ARO = ALE: $500,000 x (1/10) = $50,000 (ALE)
  • ALE is $50,000, so management should not spend over that value in countermeasures trying to protect against that risk

Page 23

• Combine potential loss and probability
• Calculate Annualized Loss Expectancy (ALE) per threat
  • SLE x Annualized Rate of Occurrence (ARO) = ALE
• Choose remedial measures to counteract each threat
• Analyze each countermeasure using a cost/benefit analysis

• Step 1 – Assign value to assets
• Step 2 – Estimate potential loss per threat
• Step 3 – Perform a threat analysis
• Step 4 – Derive the overall annual loss potential per threat
• Step 5 – Reduce, transfer, avoid, or accept the risk
• Note: Accept; Reduce (= mitigate); Transfer (= insurance); Avoid (= do not use)
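The SLE, ARO and ALE formulas from the previous slide and the five-step process above, carried through in code. This is an added example and not part of the course slides or the (ISC)2 material: the Scenario type, the aro_from_interval helper, the safeguard_value function (the usual "ALE before minus ALE after minus annual safeguard cost" comparison, which the deck does not spell out) and the seismic-bracing safeguard figures are assumptions made for illustration; the earthquake inputs are the deck's own. It only models the reduce-versus-accept choice, not transfer or avoid.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and a cost-benefit check.

Added example, not from the course slides. The earthquake inputs are the
deck's; the Scenario type, the "one event every N years" helper and the
safeguard figures are assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One asset/threat pair with the three inputs the formulas need (assumed type)."""
    name: str
    asset_value: float      # cost to acquire, develop and maintain the asset
    exposure_factor: float  # fraction of the asset lost when the threat is realized
    aro: float              # annualized rate of occurrence (expected events per year)

    def __post_init__(self) -> None:
        # EF is a percentage of loss, so it must lie between 0% and 100%.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0.0 and 1.0")
        if self.aro < 0.0:
            raise ValueError("ARO cannot be negative")


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor (loss from one realized threat)."""
    return asset_value * exposure_factor


def aro_from_interval(years_between_events: float) -> float:
    """Turn 'one event every N years' into an ARO of 1/N (1 in 10 years -> 0.1)."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO (expected loss per year from this threat)."""
    return sle * aro


def ale_for(scenario: Scenario) -> float:
    """Steps 1-4 for a single threat: value the asset, estimate the loss per
    event, apply the threat's annual rate, and derive the annual loss."""
    sle = single_loss_expectancy(scenario.asset_value, scenario.exposure_factor)
    return annualized_loss_expectancy(sle, scenario.aro)


def within_ale_budget(ale: float, annual_safeguard_cost: float) -> bool:
    """The deck's rule of thumb: never spend more per year on a countermeasure
    than the ALE of the risk it addresses."""
    return annual_safeguard_cost <= ale


def safeguard_value(ale_before: float, ale_after: float,
                    annual_safeguard_cost: float) -> float:
    """Cost-benefit figure for step 5 (assumed standard form, not in the deck):
    (ALE before safeguard) - (ALE after safeguard) - (annual cost of safeguard).
    A positive result means the safeguard saves more than it costs each year."""
    return ale_before - ale_after - annual_safeguard_cost


def recommend(scenario: Scenario, reduced_ef: float,
              annual_safeguard_cost: float) -> str:
    """Compare the risk with and without a safeguard that lowers the exposure
    factor and return the treatment: "reduce" (mitigate) or "accept"."""
    before = ale_for(scenario)
    after = ale_for(Scenario(scenario.name, scenario.asset_value, reduced_ef, scenario.aro))
    affordable = within_ale_budget(before, annual_safeguard_cost)
    pays_off = safeguard_value(before, after, annual_safeguard_cost) > 0
    return "reduce" if affordable and pays_off else "accept"


if __name__ == "__main__":
    # The deck's example: 50% damage to a $1,000,000 facility, one earthquake in ten years.
    earthquake = Scenario("earthquake", 1_000_000, 0.50, aro_from_interval(10))
    sle = single_loss_expectancy(earthquake.asset_value, earthquake.exposure_factor)
    print(f"SLE = ${sle:,.0f}")            # $500,000
    print(f"ALE = ${ale_for(earthquake):,.0f}")  # $50,000
    # Assumed safeguard: seismic bracing at $20,000 a year that cuts EF to 20%.
    print("recommendation:", recommend(earthquake, 0.20, 20_000))
```

Run it as a script to see the deck's earthquake numbers reproduced; the assumed $20,000-a-year safeguard stays under the $50,000 ALE ceiling and lowers the ALE to $20,000, so the net annual value of $10,000 recommends reducing the risk, while a safeguard costing more than the ALE is rejected outright.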

Hal Systems decided to stop offering public NTP services because of a fear that its NTP servers would be used in amplification DDoS attacks. What type of risk management strategy did Hal pursue with respect to its NTP services?
A. Risk mitigation
B. Risk acceptance
C. Risk transference
D. Risk avoidance

*Source: CISSP Official (ISC)2 Practice Tests, 2016

Page 24

Who is the ideal person to approve an organization’s business continuity plan?
A. Chief information officer
B. Chief executive officer
C. Chief information security officer
D. Chief operating officer

*Source: CISSP Official (ISC)2 Practice Tests, 2016

Which one of the following components should be included in an organization’s emergency response guidelines?
A. List of individuals who should be notified of an emergency incident
B. Long-term business continuity protocols
C. Activation procedures for the organization’s cold sites
D. Contact information for ordering equipment

*Source: CISSP Official (ISC)2 Practice Tests, 2016

Ben is seeking a control objective framework that is widely accepted around the world and focuses specifically on information security controls. Which one of the following frameworks would best meet his needs?
A. ITIL
B. ISO 27002
C. CMM
D. PMBOK Guide

*Source: CISSP Official (ISC)2 Practice Tests, 2016

Page 25

Which one of the following stakeholders is not typically included on a business continuity planning team?
A. Core business function leaders
B. Information technology staff
C. CEO
D. Support departments

*Source: CISSP Official (ISC)2 Practice Tests, 2016

Asset: Data center
Threat: Tornado
Rebuilding and reconfiguring the data center would cost $10M. A typical tornado would cause $5M damage. They are likely to experience a tornado once every 200 years.
A. EF
B. ARO
C. ALE

*Source: CISSP Official (ISC)2 Practice Tests, 2016

Q & A

Jae Gianelloni, [email protected]