CISM - Firebrand Training · To earn the CISM designation, information security professionals are...
5/6/2016 © 2016 Firebrand
CISM™
Certified Information
Security Manager
Firebrand Custom Designed Courseware
Logistics
Start Time
Breaks
End Time
Fire escapes
Instructor
Introductions
Introduction to Information Security
Management
Course Mission
Educational Value
• Both theoretical and practical
• Up-to-date
• Relevant
CISM
Certified Information Security Manager
• Designed for personnel who have (or want to
have) responsibility for managing an
information security program
• Tough but very good quality examination
• Requires understanding of the concepts
behind a security program – not just the
definitions
CISM Exam Review Course Overview
The CISM Exam is based on the
CISM job practice.
• The ISACA CISM Certification
Committee oversees the
development of the exam and
ensures the currency of its
content.
There are four content areas
that the CISM candidate is
expected to know.
Job Practice Areas
Domain Structure
Diagram of the four CISM domains and the relationships between them: Information Security Governance; Information Risk Management and Compliance; Information Security Program Development and Management; Information Security Incident Management. Relationship labels shown in the diagram: Mandates, Requires, Deploys, Reports To, Influences.
CISM Qualifications
To earn the CISM designation, information security
professionals are required to:
• Successfully pass the CISM exam
• Adhere to the ISACA Code of Professional Ethics
• Agree to comply with the CISM continuing education
policy
• Submit verified evidence of five (5) years of work
experience in the field of information security, of
which at least three years must be information
security management experience across three or more
of the job practice areas
The Examination
The exam consists of 200 multiple choice
questions that cover the CISM job practice
areas.
Four hours are allotted for completing the
exam
See the Job Practice Areas including task
Statements and Knowledge Statements listed
on the ISACA website
Examination Day
Be on time!!
• The doors are locked when the instructions start –
approximately 30 minutes before examination start
time.
Bring the admission ticket (sent out prior to the
examination by ISACA) and an acceptable form of
original photo identification (passport, photo ID or
driver's license).
Completing the Examination Items
• Bring several #2 pencils and an eraser
• Read each question carefully
• Read ALL answers prior to selecting the BEST answer
• Mark the appropriate answer on the test answer
sheet.
• When correcting an answer be sure to thoroughly
erase the wrong answer before filling in a new one.
• There is no penalty for guessing. Answer every
question.
Grading the Exam
Candidate scores are reported as a scaled score
based on the conversion of a candidate’s raw score
on an exam to a common scale.
ISACA uses and reports scores on a common scale
from 200 to 800. A candidate must receive a score
of 450 or higher to pass.
Exam results will be mailed (and emailed) out
approximately 6-8 weeks after the exam date.
Good Luck!
End of Introduction
Welcome to the CISM course!!
2016 CISM Review Course
Chapter 1
Information Security Governance
Information Security Management
The responsible protection of the information assets
of the organization
Supporting Security Governance and risk
management
Adoption of a security framework and standards
ISACA CISM Review Manual Page 14
Governance
Governance:
• Ensures that stakeholders' needs, conditions and
options are evaluated to determine balanced,
agreed-on enterprise objectives to be achieved
• Sets direction through prioritization and
decision-making
• Monitors performance and compliance against
agreed-on directions and objectives
ISACA CISM Review Manual Page 14
Examination Content
The CISM Candidate understands:
• Effective security governance framework
• Building and deploying a security strategy aligned with
organizational goals
• Manage risk appropriately
• Responsible management of program resources
• The content area in this chapter will represent
approximately 24% of the CISM examination
(approximately 48 questions).
ISACA CISM Review Manual Page 14
Learning Objectives
Align the organization’s Information security strategy with
business goals and objectives
• Obtain Senior Management commitment
Provide support for:
• Governance
• Business cases to justify security
• Compliance with legal and regulatory mandates
ISACA CISM Review Manual Page 14
Learning Objectives cont.
Provide support for:
• Organizational priorities and strategy
• Identify drivers affecting the organization
• Define roles and responsibilities
• Establish metrics to report on effectiveness of the
security strategy
ISACA CISM Review Manual Page 14
CISM Priorities
The CISM must understand:
• Requirements for effective information security
governance
• Elements and actions required to:
• Develop an information security strategy
• Plan of action to implement it
ISACA CISM Review Manual Page 14
Information Security Governance
Information is indispensable to conduct business
effectively today
Information must:
• Be available
• Have integrity of data and process
• Be kept confidential as needed
Protection of information is a responsibility of the
Board of Directors
ISACA CISM Review Manual Page 31
Information Security
Information Protection includes:
• Accountability
• Oversight
• Prioritization
• Risk Management
• Compliance (Regulations and Legislation)
ISACA CISM Review Manual Page 31
Information Security Governance
Overview
Information security is much more than just IT
security (more than technology)
Information must be protected at all levels of the
organization and in all forms
• Information security is a responsibility of everyone
• In all forms – paper, fax, audio, video, microfiche,
networks, storage media, computer systems
ISACA CISM Review Manual Page 31
Security Program Priorities
Achieve high standards of corporate
governance
Treat information security as a critical
business issue
Create a security positive environment
Have declared responsibilities
Security versus Business
Security must be aligned with business needs
and direction
Security is woven into the business functions
• Provides
•Strength
•Resilience
•Protection
•Stability
•Consistency
Security Program Objectives
Ensure the availability of systems and data
• Allow access to the correct people in a
timely manner
Protect the integrity of data and business
processes
• Ensure no improper modifications
Protect confidentiality of information
• Prevent unauthorized disclosure of information
•Privacy, trade secrets
Selling the Importance of Information
Security
Benefits of effective information security governance
include:
• Improved trust in customer relationships
• Protecting the organization’s reputation
• Better accountability for safeguarding information
during critical business activities
• Reduction in loss through better incident handling
and disaster recovery
ISACA CISM Review Manual Page 31
The First Priority for the CISM
Remember that Information Security is a business-
driven activity.
• Security is here to support the interests and needs
of the organization – not just the desires of security
• Security is always a balance between cost and
benefit; security and productivity
ISACA CISM Review Manual Page 31
Corporate Governance
Business Goals and Objectives
Corporate governance is the set of
responsibilities and practices exercised by
the board and executive management
Goals include:
–Providing strategic direction
–Reaching security and business objectives
–Ensuring that risks are managed appropriately
–Verifying that the enterprise’s resources are used
responsibly
ISACA CISM Review Manual Page 32
Outcomes of Information Security
Governance
The six basic outcomes of effective security
governance:
• Strategic alignment
• Risk management
• Value delivery
• Resource optimization
• Performance measurement
• Integration
ISACA CISM Review Manual Page 32
Benefits of Information Security
Governance
Effective information security governance can offer
many benefits to an organization, including:
• Compliance and protection from litigation or
penalties
• Cost savings through better risk management
• Avoid risk of lost opportunities
• Better oversight of systems and business operations
• Opportunity to leverage new technologies to
business advantage
ISACA CISM Review Manual Page 32
Performance and Governance
Governance is only possible when metrics are in place to
measure, monitor and report on whether critical
organizational objectives are achieved
Enterprise-wide measurements should be developed
ISACA CISM Review Manual Page 33
Governance Roles and Responsibilities
Board of Directors/Senior Management
• Effective security requires senior management
support
Steering Committee
• Ensure continued alignment between IT and
business objectives
CISO – Chief Information Security Officer
• Ensures security is addressed at a senior
management level
ISACA CISM Review Manual Page 35, 36
Governance Roles and Responsibilities cont.
System Owners
• Responsible to ensure that adequate protection is
in place to protect systems and the data they
process
Information Owners
• Responsible for the protection of data regardless of
where it resides or is processed
ISACA CISM Review Manual Page 37
Gaining Management Support
Formal presentation
• From a business perspective
• Align security with the business
• Identify risk and consequences
• Describe audit and reporting procedures
ISACA CISM Review Manual Page 38
Communication Channels
Track the status of the security program
Share security awareness and knowledge of risk
Communicate policies and procedures
Deliver to all staff at appropriate level of detail
ISACA CISM Review Manual Page 38
GRC
The combination of overlapping activities into
a single business process to recognize the
importance to senior management of
information security and assurance
• Governance
• Risk
• Compliance
ISACA CISM Review Manual Page 40
BMIS
The Business Model for Information Security (BMIS) is
one approach to show the interrelationship
between several elements of a robust
security management program:
• Organization Design and Strategy
• People
• Process
• Technology
ISACA CISM Review Manual Page 41
BMIS
The interaction of these processes is
important to provide coordination between
the dynamic elements of security:
• Governance
• Culture
• Enablement and Support
• Emergence
• Human Factors
• Architecture
ISACA CISM Review Manual Page 42
Governance of Third-Party Relationships
As organizations move more towards the use
of third parties for support (e.g., the Cloud),
the need to govern and manage these
relationships is of increasing importance.
• Service providers
• Outsourced operations
• Trading partners
• Merged or acquired organizations
ISACA CISM Review Manual Page 43
Information Security Metrics
A framework that cannot be measured,
cannot be trusted. The security program must
be accountable for its budget, deliverables
and strategy.
• Meaningful
• Accurate
• Cost-effective
• Repeatable
• Predictive
• Actionable
• Genuine
ISACA CISM Review Manual Page 44
KPIs, KGIs and KRIs
Indicators show attainment of service goals,
organizational objectives and milestones:
• Key Goal Indicators (KGIs) – whether an objective
has been achieved
• Key Performance Indicators (KPIs) – how well the
process that delivers the objective is performing
• Key Risk Indicators (KRIs) – when risk exposure is
moving toward or beyond the accepted tolerance
ISACA CISM Review Manual Page 46
Security Integration
Security needs to be integrated INTO the
business processes
The goal is to reduce security gaps through
organizational-wide security programs
Integrate IT with:
• Physical security
• Risk Management
• Privacy and Compliance
• Business Continuity Management
ISACA CISM Review Manual Page 46
Areas to Measure (Metrics)
Risk Management
Value Delivery
Resource Management
Performance Measurement
• Incident reporting
• Benchmarking
ISACA CISM Review Manual Page 47
Developing Information Security
Strategy
Information Security Strategy
• Long term perspective
• Standard across the organization
• Aligned with business strategy / direction
• Understands the culture of the organization
• Reflects business priorities
ISACA CISM Review Manual Page 49
The Desired State of Security
The “desired state of security” must be defined in terms of attributes, characteristics and outcomes
• It should be clear to all stakeholders what the intended security state is
ISACA CISM Review Manual Page 53
The Desired State cont.
One definition of the desired state:
“Protecting the interests of those relying on information,
and the processes, systems and communications that
handle, store and deliver the information, from harm
resulting from failures of availability, confidentiality and
integrity”
• Focuses on IT-related processes from IT
governance, management and control perspectives
ISACA CISM Review Manual Page 53
Elements of a Strategy
A security strategy needs to include:
• Resources needed
• Constraints
• A road map
•Includes people, processes, technologies and
other resources
•A security architecture: defining business
drivers, resource relationships and process flows
Achieving the desired state is a long-term
goal of a series of projects
ISACA CISM Review Manual Page 53
Business Linkages
Business linkages
• Start with understanding the specific
objectives of a particular line of business
• Take into consideration all information flows
and processes that are critical to ensuring
continued operations
• Enable security to be aligned with and
support business at strategic, tactical and
operational levels
ISACA CISM Review Manual Page 53
Objectives of Security Strategy
The objectives of an information security
strategy must
• Be defined
• Be supported by metrics (measurable)
•Capability Maturity Model (CMM)
• Provide guidance
ISACA CISM Review Manual Page 55
Balanced Scorecard (BSC)
See next slide for diagram
Ensures that multiple perspectives are
considered when developing a security
strategy
Seeks balance between competing interests
ISACA CISM Review Manual Page 55
Balanced Scorecard (BSC)
Diagram: the scorecard perspectives shown are Financial, Customer, Process and Learning, arranged around Information (security) at the centre.
ISACA CISM Review Manual Page 55
The Maturity of the Security Program
Using CMM
0: Nonexistent - No recognition by organization of need for
security
1: Ad hoc - Risks are considered on an ad hoc basis – no
formal processes
2: Repeatable but intuitive - Emerging understanding of risk
and need for security
3: Defined process - Companywide risk management
policy/security awareness
4: Managed and measurable - Risk assessment standard
procedure, roles and responsibilities assigned, policies and
standards in place
5: Optimized - Organization-wide processes
implemented, monitored and managed
ISACA CISM Review Manual Page 55
The ISO/IEC 27001:2013 Framework
The goal of ISO/IEC 27001:2013 is to:
Establish
Implement
Maintain, and
Continually improve
An information security management system (ISMS)
Annex A contains:
• 14 control domains, 35 control objectives and 114
controls
ISACA CISM Review Manual Page 56
Risk Management
The basis for most security programs is Risk
Management:
• Risk identification
• Risk Mitigation
• Ongoing Risk Monitoring and evaluation
The CISM must remember that risk is
measured according to potential impact on
the ability of the business to meet its mission
– not just on the impact on IT.
ISACA CISM Review Manual Page 56
Examples of Other Security
Frameworks
SABSA (Sherwood Applied Business Security
Architecture)
COBIT
COSO
Business Model for Information Security
• Model originated at the Institute for Critical
Information Infrastructure Protection
ISACA CISM Review Manual Page 49, 61
Examples of Other Security
Frameworks
• ISO standards on quality (ISO 9001:2000)
• Six Sigma
• Publications from NIST and ISF
• US Federal Information Security
Management Act (FISMA)
ISACA CISM Review Manual Page 56
Constraints and Considerations for a
Security Program
Constraints
Legal—Laws and regulatory requirements
Physical—Capacity, space, environmental
constraints
Ethics—Appropriate, reasonable and customary
Culture—Both inside and outside the
organization
Costs—Time, money
Personnel—Resistance to change, resentment
against new constraints
ISACA CISM Review Manual Page 59
Constraints and Considerations for a
Security Program cont.
Constraints
Organizational structure—How decisions
are made and by whom, turf protection
Resources—Capital, technology, people
Capabilities—Knowledge, training, skills,
expertise
Time—Window of opportunity, mandated
compliance
Risk tolerance—Threats, vulnerabilities,
impacts
ISACA CISM Review Manual Page 59
Security Program
Starts with theory and concepts
• Policy
Interpreted through:
• Procedures
• Baselines
• Standards
Measured through audit
ISACA CISM Review Manual Page 60
Architecture
Information security architecture is similar to physical
architecture
• Requirements definition
• Design / Modeling
• Creation of detailed blueprints
• Development, deployment
Architecture is planning and design to meet the needs
of the stakeholders
Security architecture is one of the greatest needs for
most organizations
ISACA CISM Review Manual Page 60
Using an Information Security
Framework
Effective information security is provided
through adoption of a security framework
− Defines information security objectives
− Aligns with business objectives
− Provides metrics to measure compliance and
trends
− Standardizes baseline security activities
enterprise-wide
ISACA CISM Review Manual Page 62
The Goal of Information Security
The goal of information security is to
protect the organization’s assets,
individuals and mission
This requires:
• Asset identification
•Classification of data and systems
according to criticality and sensitivity
•Application of appropriate controls
ISACA CISM Review Manual Page 62
Controls
Non-IT controls
• Labeling, handling requirements
Countermeasures
• Reduce a vulnerability (reduce likelihood or
impact of an incident)
Layered Defense
ISACA CISM Review Manual Page 63
Elements of Risk and Security
The next few slides list many factors that go
into a Security program.
ISACA CISM Review Manual Page 64
Information Security Concepts
Access
Architecture
Attacks
Auditability
Authentication
Authorization
Availability
Business dependency
analysis
Business impact
analysis
Confidentiality
Countermeasures
Criticality
Data classification
Exposures
Gap analysis
Governance
ISACA CISM Review Manual Page 64-69
Information Security Concepts cont.
Identification
Impact
Integrity
Layered security
Management
Nonrepudiation
Risk / Residual risk
Security metrics
Sensitivity
Standards
Strategy
Threats
Vulnerabilities
Enterprise architecture
Security domains
Trust models
ISACA CISM Review Manual Page 64-69
Security Program Elements
Policies
Standards
Procedures
Guidelines
Controls—physical,
technical,
procedural
Technologies
Personnel security
Organizational
structure
Skills
ISACA CISM Review Manual Page 64-69
Security Program Elements cont.
Training
Awareness and
education
Compliance
enforcement
Outsourced security
providers
Other organizational
support and assurance
providers
Facilities
Environmental security
ISACA CISM Review Manual Page 64-69
Centralized versus Decentralized
Security
Which is better?
Consistency versus flexibility
Central control versus Local ownership
Procedural versus responsive
Core skills versus distributed skills
Visibility to senior management versus
visibility to users and local business units
ISACA CISM Review Manual Page 65
Audit and Assurance of Security
Objective review of security risk, controls
and compliance
Assurance regarding the effectiveness of
security is a part of regular organizational
reporting and monitoring
ISACA CISM Review Manual Page 66
Ethical Standards
Rules of behaviour
• Legal
• Corporate
• Industry
• Personal
ISACA CISM Review Manual Page 68
Ethical Responsibility
Responsibility to all stakeholders
• Customers
• Suppliers
• Management
• Owners
• Employees
• Community
ISACA CISM Review Manual Page 68
Evaluating the Security Program
Metrics are used to measure results
Measure security concepts that are
important to the business
Use metrics that can be used for each
reporting period
• Compare results and detect trends
ISACA CISM Review Manual Page 71
Effective Security Metrics
Set metrics that will indicate the health of
the security program
• Incident management
• Degree of alignment between security and
business development
•Was security consulted
•Were controls designed in the systems or
added later
ISACA CISM Review Manual Page 71
Effective Security Metrics cont.
Choose metrics that can be controlled
• Measure items that can be influenced or
managed by local managers / security
• Not external factors such as number of
viruses released in the past year
• Have clear reporting guidelines
• Monitor on a regular scheduled basis
ISACA CISM Review Manual Page 71
Key Performance Indicators (KPIs)
Thresholds to measure
• Compliance / non-compliance
• Pass / fail
• Satisfactory / unsatisfactory results
A KPI is set at a level that indicates action
should / must be taken
• Alarm point
ISACA CISM Review Manual Page 71
End to End Security
Security must be enabled across the
organization – not just on a system by system
basis
Performance measures should ensure that
security systems are integrated with each
other
• Layered defenses
ISACA CISM Review Manual Page 74
Correlation Tools
The CISM may use Security Information and Event
Management (SIEM; earlier products were called SIM or
SEM) tools to aggregate event data from across the
organization
Data analysis
Trend detection
Reporting tools
Added value on exam but not in the ISACA book
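The KPI slide and the correlation-tools slide above describe one measurement loop (aggregate events from several sources, compute a metric per reporting period, compare periods to detect a trend, raise an alarm when a KPI reaches its alarm point) without showing it. The script below is an added example, not Firebrand or ISACA material: the log line format, the three event sources (auth, vpn, tickets), the two metrics and their alarm points are all assumptions, and the event lines are constructed for the example. It deliberately measures only ratios the security function can influence (its own authentication failures and late incident closures), not external factors such as the number of viruses released.

```python
"""Per-period security metrics with KPI alarm points and trend detection.
Added example, not Firebrand/ISACA code: log format, sources, metric
definitions and alarm thresholds are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events, "<ISO timestamp> <source> <event type>", from
# three sources (auth server, VPN, ticketing) landing in one SIEM-style store.
SAMPLE_EVENTS = """\
2016-04-04T08:12:01 auth LOGIN_OK
2016-04-04T08:13:45 vpn LOGIN_OK
2016-04-05T09:02:10 auth LOGIN_FAIL
2016-04-05T09:02:30 auth LOGIN_OK
2016-04-07T11:00:00 tickets INCIDENT_CLOSED
2016-04-08T16:30:00 tickets INCIDENT_CLOSED
2016-04-11T08:05:00 auth LOGIN_OK
2016-04-11T08:05:20 auth LOGIN_FAIL
2016-04-12T22:15:00 vpn LOGIN_FAIL
2016-04-13T09:00:00 vpn LOGIN_OK
2016-04-14T10:00:00 tickets INCIDENT_CLOSED
2016-04-15T18:00:00 tickets INCIDENT_CLOSED_LATE
2016-04-18T03:12:00 vpn LOGIN_FAIL
2016-04-18T03:12:30 vpn LOGIN_FAIL
2016-04-18T03:13:00 vpn LOGIN_FAIL
2016-04-19T08:00:00 auth LOGIN_OK
2016-04-20T08:00:00 auth LOGIN_OK
2016-04-21T12:00:00 tickets INCIDENT_CLOSED
2016-04-21T12:30:00 tickets INCIDENT_CLOSED
2016-04-22T15:00:00 tickets INCIDENT_CLOSED_LATE
"""

@dataclass(frozen=True)
class KPI:
    name: str
    metric: str      # key in the per-period metrics dict
    alarm_at: float  # alarm point: at or above this value, action is required

# Assumed KPIs; both are internal ratios the security function can influence.
KPIS = (KPI("login_failure_rate", "login_fail_ratio", 0.30),
        KPI("incidents_closed_late", "late_closure_ratio", 0.25))

def parse_events(text):
    """Parse log lines into (timestamp, source, event_type) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, source, kind = line.split()
            events.append((datetime.fromisoformat(ts), source, kind))
    return events

def period_key(ts):
    """Reporting period is the ISO week, e.g. '2016-W14'."""
    year, week, _ = ts.isocalendar()
    return f"{year}-W{week:02d}"

def aggregate(events):
    """Count event types per reporting period across all sources."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, _source, kind in events:
        counts[period_key(ts)][kind] += 1
    return counts

def metrics_for(counts):
    """Turn one period's raw counts into the ratios the KPIs are set on."""
    fails = counts.get("LOGIN_FAIL", 0)
    attempts = fails + counts.get("LOGIN_OK", 0)
    late = counts.get("INCIDENT_CLOSED_LATE", 0)
    closed = late + counts.get("INCIDENT_CLOSED", 0)
    return {"login_fail_ratio": fails / attempts if attempts else 0.0,
            "late_closure_ratio": late / closed if closed else 0.0}

def report(text, kpis=KPIS):
    """Return (metrics per period, trend per KPI, list of KPI alarms).
    Trend compares the latest period with the previous one; an alarm is
    recorded for every period in which a metric reaches its alarm point."""
    per_period = {p: metrics_for(c)
                  for p, c in sorted(aggregate(parse_events(text)).items())}
    periods = list(per_period)
    trends, alarms = {}, []
    for kpi in kpis:
        series = [per_period[p][kpi.metric] for p in periods]
        if len(series) >= 2:
            delta = series[-1] - series[-2]
            trends[kpi.name] = ("rising" if delta > 0 else
                                "falling" if delta < 0 else "flat")
        alarms += [(p, kpi.name, round(v, 2))
                   for p, v in zip(periods, series) if v >= kpi.alarm_at]
    return per_period, trends, alarms

if __name__ == "__main__":
    per_period, trends, alarms = report(SAMPLE_EVENTS)
    for period, m in per_period.items():
        print(period, {k: round(v, 2) for k, v in m.items()})
    print("trends:", trends)
    for period, name, value in alarms:
        print(f"ALARM {period}: {name} = {value} (action required)")
```

On the constructed data the login failure ratio rises from 0.25 to 0.5 to 0.6 across the three weeks and trips its alarm point in weeks 15 and 16, while the late-closure ratio falls from 0.5 to 0.33 but is still above its alarm point in both weeks: a falling trend and a breached KPI are different signals, and a report to management should carry both.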
Regulations and Standards
The CISM must be aware of National
• Laws
•Privacy
• Regulations
•Reporting, Performance
Industry standards
• Payment Card Industry Data Security Standard (PCI DSS)
• Basel II
Added value on exam but not in the ISACA book
Effect of Regulations
Requirements for business operations
• Potential impact of breach
•Cost
•Reputation
• Scheduled reporting requirements
•Frequency
•Format
Added value on exam but not in the ISACA book
Reporting and Analysis
Data gathering at source
• Accuracy
• Identification
Reports signed by
Organizational Officer
Added value on exam but not in the ISACA book