CISM Certification
Certified Information Security Manager Courseware
Version 4.0
CISM
Firebrand Accelerated Training
4/17/2015
Introduction
Agenda
This introduction will address:
The CISM Certification
Course format
Examination format
Introduction of Attendees
To set the scene: recent incidents
But it IS a Seminar
CISM
Certified Information Security Manager
Designed for personnel that have (or want to have) responsibility for managing an Information Security program
Tough but very good quality examination
Requires understanding of the concepts behind a security program, not just the definitions
CISM Qualifications
To earn the CISM designation, information security professionals are required to:
Successfully pass the CISM exam
Adhere to the ISACA Code of Professional Ethics
Agree to comply with the CISM continuing education policy
Submit verified evidence of five (5) years of work experience in the field of information security.
Daily Format
Lecture and Sample questions
Domain structure
Learning Objectives
Content
Sample Questions
Please note that the information in every domain overlaps with the information in other domains; during the course we will introduce topics that are expanded upon in later domains.
Domain Structure
(Diagram of the four CISM domains: Information Security Governance; Information Risk Management and Compliance; Information Security Program Development and Management; Information Security Incident Management. The arrows between them are labelled Reports To, Mandates, Influences, Deploys and Requires.)
Course Structure
Start Time
Breaks
Meals
End of Day
End of class on last day
Logistics
Fire Escapes
Assembly point
Mobile phones / pagers
The Examination
Examination domain weights (chart):
Information Security Program Development and Management, 25%
Information Security Governance, 24%
Information Risk Management and Compliance, 33%
Examination Day
Be on time!!
The doors are locked when the instructions start, approximately 30 minutes before the examination start time.
Bring the admission ticket (sent out prior to the examination by ISACA) and an acceptable form of original photo identification (passport, photo ID or driver's license).
Introduction of Classmates
Highly Technical Attacks
Stuxnet
Part of Operation Olympic Games, a 2006 operation designed to disrupt Iran's nuclear programme
General James E. Cartwright, head of CyberOps inside the US Strategic Command, developed the Stuxnet plan
Stage 1: Plant code that extracts maps of the air-gapped networks supporting nuclear labs and reprocessing plants in Iran
Stage 2: Payload development by the NSA's Foreign Affairs Directorate and the IDF's Intelligence Corps Unit 8200
Code named: The Bug
Stage 3: Test against P-1 centrifuges
Stage 4: Plant the worm in Natanz via spies and tricked insiders (engineers to maintenance workers: anyone with physical access to the plant). This was in 2008
The Op was successful
ICS were infected and high-speed centrifuges were infected
Iranians blamed themselves or suppliers for observed problems
Stuxnet
20x more complex than any piece of previous malware
Array of capabilities
Increase pressure inside nuclear reactors while telling system operators everything was normal
Does not carry a forged security clearance (used by malware to escalate privilege). It had a real clearance, stolen from one of the most globally reputable technology companies
Exploited 20 zero-day vulnerabilities
Target specific. It remained dormant until the target was sighted. The target was the P-1 centrifuges. May have shut down 1000 centrifuges in Natanz
Iran has responded to the attack with an open call to hackers to join the Iranian Revolutionary Guard. It now has the 2nd largest online army
GhostNet
GhostNet represents a network of compromised computers resident in high-value political, economic, and media locations spread across numerous countries worldwide
GhostNet
Infected 986 machines across 93 countries
GhostNet
Malware retrieving a sensitive document
This screen capture of the Wireshark network analysis tool shows an infected computer at the Office of the Dalai Lama uploading a sensitive document to one of the CGI network's control servers.
GhostNet
The gh0st RAT interface:
GhostNet
gh0st RAT demonstration
https://www.youtube.com/watch?v=6p7FqSav6Ho
Operation Aurora
Targeted 34 companies in the financial, technology and defense sectors
Never before seen level of sophistication outside the defense industry. Prior to this, commercial attacks were SQL-injection or wireless-breach based
Highly sophisticated and coordinated hack attack against Google's corporate network
Targeted and stole IP (source code repositories)
Accessed Gmail accounts of human rights activists
Operation Aurora
Used several pieces of malware, levels of encryption, stealth programming and zero-day exploits in IE, Word, Excel and Adobe PDFs
Attack was obfuscated and avoided common detection methods
Tailored to target a small number of corporate users
%System%\[RANDOM].dll: main file. Runs as a service and has back door capabilities
Operation Aurora
Siphoned off live feed and/or data to C&C servers in Illinois, Texas and Taiwan
One C&C server was hosted by RackSpace
Designed to occur during a holiday season, when company SOCs and IRTs would be thinly staffed
Drive-by Download
(Attack flow diagram: downloaded encrypted binary code in two encrypted .exes from an external node; opened a backdoor; established an encrypted covert channel masquerading as an SSL connection; beachhead into other parts of the corporate network.)
End of Introduction
ISACA
Trust in, and value from,
information systems
Chapter 1
Information Security
Governance
Course Agenda
Priorities for the CISM
Corporate Governance
Information Security Strategy
Information Security Program
Elements of a Security Program
Roles and Responsibilities
Evaluating a Security Program
Reporting and Compliance
Ethics
Examination Content
CISM Priorities
The CISM must understand:
Requirements for effective information security governance
Information Security
Information is indispensable to conducting business effectively today
Information must:
Be available
Have integrity of data and process
Be kept confidential as needed
Protection of information is a responsibility of the Board of Directors
Information Security
Information Protection includes:
Accountability
Oversight
Prioritization
Risk Management
Compliance (Regulations and Legislation)
Corporate Governance
Information Security Strategy
Elements of a Strategy
A security strategy needs to include:
Resources needed
Constraints
A road map
Business Linkages
Business linkages:
Start with understanding the specific objectives of a particular line of business
Take into consideration all information flows and processes that are critical to ensuring continued operations
Enable security to be aligned with and support business at strategic, tactical and operational levels
Project metrics
Value Proposition
Workload
Focus
Required resources
Deliverables
Commitments
Question:
What steps/elements are necessary to develop an effective security program?
What is Security?
A structured deployment of risk-based controls related to:
People
Processes
Technology
Security Integration
Security needs to be integrated INTO the business processes
The goal is to reduce security gaps through organization-wide security programs
Integrate IT with:
Physical security
Risk Management
Privacy and Compliance
Business Continuity Management
Security Program
Starts with theory and concepts
Policy
Interpreted through:
Procedures
Baselines
Standards
Measured through audit
Architecture
Information security architecture is similar to physical architecture:
Requirements definition
Design / Modeling
Creation of detailed blueprints
Development, deployment
(Diagram: Vision and Strategy at the centre, linked to four perspectives: Financial; Customer; Internal Business Processes; Learning and Growth.)
Contains: 14 Clauses, 35 Control Objectives and 114 controls
Risk Management
The basis for most security programs is Risk Management:
Risk identification
Risk Mitigation
Key concepts:
Business impact analysis
Confidentiality
Countermeasures
Criticality
Data classification
Exposures
Gap analysis
Governance
Sensitivity
Impact
Standards
Integrity
Strategy
Layered security
Threats
Management
Vulnerabilities
Nonrepudiation
Enterprise architecture
Security domains
Security metrics
Trust models
Technologies
Personnel security
Organizational structure
Skills
Outsourced security providers
Other organizational support and assurance providers
Facilities
Environmental security
Executive management
Implementing effective security governance and defining the strategic security objectives
Budget and Support
Steering committee
Ensuring that all stakeholders impacted by security considerations are involved
Oversight and monitoring of the security program
Steering Committee
Oversight of the Information Security Program
Acts as liaison between Management, Business, Information Technology, and Information Security
IT Staff Responsibilities
Responsible for security design, deployment and maintenance
System and Network monitoring
Reporting
Operations of security controls
Compliance
Correlation Tools
The CISM may use Security Information and Event Management (SIEM, SIM, SEM) tools to aggregate data from across the organization
Data analysis
Trend detection
Reporting tools
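The correlation a SIEM performs is easier to see on concrete data. The following is an added example, not part of the courseware: it parses constructed, syslog-like authentication events from several systems, aggregates them by source address, flags a burst of failures across hosts that is followed by a success, and produces a per-host trend count. The log format, hostnames and addresses are assumptions made for the example.

```python
"""Added example (not courseware code): minimal SIEM-style correlation over
constructed authentication events from several systems."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). Format is an assumption:
# <ISO timestamp> <host> auth <FAIL|OK> user=<name> src=<ip>
SAMPLE_LOGS = [
    "2015-04-17T09:00:01 vpn-gw auth FAIL user=jsmith src=203.0.113.7",
    "2015-04-17T09:00:05 vpn-gw auth FAIL user=jsmith src=203.0.113.7",
    "2015-04-17T09:00:09 mail-srv auth FAIL user=jsmith src=203.0.113.7",
    "2015-04-17T09:00:12 mail-srv auth FAIL user=jsmith src=203.0.113.7",
    "2015-04-17T09:00:20 vpn-gw auth FAIL user=jsmith src=203.0.113.7",
    "2015-04-17T09:00:40 vpn-gw auth OK user=jsmith src=203.0.113.7",
    "2015-04-17T09:05:00 file-srv auth FAIL user=alee src=198.51.100.4",
    "2015-04-17T09:30:00 file-srv auth OK user=alee src=198.51.100.4",
]


def parse(line):
    """Normalise one raw line into a dict; a SIEM does this per log source."""
    ts, host, _, result, user, src = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "result": result,
        "user": user.split("=", 1)[1],
        "src": src.split("=", 1)[1],
    }


def correlate(lines, threshold=4, window=timedelta(minutes=5)):
    """Alert when >= threshold failures from one source fall within `window`,
    across any hosts, and note whether a success followed the burst.
    No single host sees enough failures here; only the aggregate does."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        for i, first in enumerate(fails):
            in_window = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            if len(in_window) >= threshold:
                last_fail = in_window[-1]["ts"]
                success_after = any(e["result"] == "OK" and e["ts"] > last_fail for e in evs)
                alerts.append({
                    "src": src,
                    "failures": len(in_window),
                    "hosts": sorted({e["host"] for e in in_window}),
                    "success_after": success_after,
                })
                break  # one alert per source is enough for this burst
    return alerts


def failures_by_host(lines):
    """Trend input: failure counts per host, the kind of series a SIEM charts over time."""
    counts = defaultdict(int)
    for e in map(parse, lines):
        if e["result"] == "FAIL":
            counts[e["host"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(a)
    print(failures_by_host(SAMPLE_LOGS))
```

Each host on its own shows only two or three failures; the alert only appears once events from the VPN gateway and the mail server are viewed together, which is the point of aggregating data across the organization.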
Effect of Regulations
Requirements for business operations
Potential impact of breach
Cost
Reputation
Scheduled reporting requirements
Frequency
Format
Ethics
Ethical Standards
Rules of behaviour
Legal
Corporate
Industry
Personal
Ethical Responsibility
Responsibility to all stakeholders
Customers
Suppliers
Management
Owners
Employees
Community
Practice Question
1.
Practice Question
2. The BEST method of improving security compliance is:
A. To make it easier for employees to follow security rules.
B. To have comprehensive organization-wide security policies.
C. To have an active security awareness program.
D. To inform all staff about legal regulations and legislation.
Practice Question
3. The MOST important task of the CRISC regarding compliance with regulations is to:
A. Develop the policies and standards to be followed by the organization.
B. Ensure that accurate and complete data is used in reporting procedures.
C. Provide guidance to business units on the legal requirements for compliance.
D. Approve all reports prior to submission to outside agencies.
Practice Question
4. The MOST important consideration in the development of security policies is that:
A. The policies reflect the intent of Senior Management.
B. The policies are legal.
C. All employees agree with the policies.
D. The correct procedures are developed to support the requirements of policy.
End of Domain
Chapter 2
Information Risk Management and Compliance
Course Agenda
Information Asset Classification
Identify regulatory, legal and other requirements
Identify risk, threats and vulnerabilities
Risk treatment
Evaluate security controls
Integrate risk management into business processes
Report non-compliance and other changes in risk
Exam Relevance
Ensure that the CISM candidate manages information risk to an acceptable level to meet the business and compliance requirements of the organization
The content area in this chapter will represent approximately 33% of the CISM examination (approximately 66 questions).
Information Asset Classification
Ownership
Roles and responsibilities
Asset Valuation
Information Asset valuation may be based on:
Financial considerations
Liability for lost data
Cost to create or restore data
Impact on business mission
Reputation
Customer or supplier confidence
Valuation Process
Determine ownership
Determine number of classification levels
Develop labeling scheme
Identify all information types and locations
De-classify when data no longer needs protection
Information Protection
Ensure that data is protected consistently across all systems
Protect data in all forms: paper, electronic, optical, fax
Protect data at all times:
Storage
Transmission
Processing
Destruction
Risk Management
Definition of Risk
Risk is a function of the likelihood of a threat-source exercising a vulnerability and the resulting impact of that adverse event on the mission of the organization.
Asset
Threat
Vulnerability
Likelihood (probability)
Impact (consequence)
Quantitative and Qualitative Measures
Reputation
Threat Analysis
Intentional versus unintentional attacks
Natural
Man-made
Utility / Equipment
Threats are affected by:
The skill and motivation of the attacker
The existence of attack tools
Aggregate Risk
Aggregate risk must be considered
Aggregate risk is where several smaller risk factors combine to create a larger risk (the perfect storm scenario)
Cascading Risk
Cascading risks are the effect of one incident leading to a chain of adverse events (domino effect)
Identification of Vulnerabilities
Weaknesses in security controls
Patches not applied
Non-hardened systems
Inappropriate access levels
Unencrypted sensitive data
Software bugs or coding issues (buffer overflow)
Physical security
Impact
Examples of direct and indirect financial losses:
Direct loss of money (cash or credit)
Criminal or civil liability
Loss of reputation/goodwill/image
Reduction of share value
Conflict of interests to staff or customers or shareholders
Impact cont.
Examples of direct and indirect financial losses:
Breach of confidence/privacy
Loss of business opportunity/competition
Loss of market share
Reduction in operational efficiency/performance
Interruption of business activity
Noncompliance with laws and regulations resulting in penalties
Risk Treatment (Control Selection), Evaluation and Assessment
(Risk heat map: Likelihood on one axis, Impact on the other, each rated Low, Moderate or High; the combined cell gives the risk rating.)
Risk Treatment
Risk Treatment
Risk Treatment takes the recommendations from the risk assessment process and selects the best choice for managing risk at an acceptable level
Residual Risk
Risk Acceptance
Cost / Benefit
Priorities
Balance between security and business
Risk Treatment
Risk Treatment Options:
Reduction / mitigation: implement changes; enhance managerial, technical, physical and operational controls
Acceptance
Transference
Avoidance
Control Recommendations
Factors to be considered when recommending new or enhanced controls are:
Cost-benefit analysis
Anticipated effectiveness
Compatibility with other controls, systems, and processes
Legislation and regulation
Organizational policy, standards, and culture
Impact of control on business processes
Control reliability
(Diagram of risk relationships: threat agents give rise to threats, which increase risk to assets; assets have value, and the aim is to minimize that risk; countermeasures are imposed to reduce it.)
Rollback
Changes that bypass / overwrite controls
Interruption to service
Regulation
Incidents
Monitor controls frequently and report to
management
Standardized reporting (format)
Trend analysis
Laptops
Remote access tokens
Blackberry/ cellphone
Documents
Review NDAs
Kickbacks
Piracy / imitations
Inappropriate relations / selection of vendors
Reporting to Management
Regular reporting
Standard format
Scheduled basis
Consistent metrics to allow comparison of results over time
Reporting on an exceptional basis
Following an event
Documentation
Typical risk management documentation includes:
A risk register
An inventory of information assets
Threat and vulnerability analysis
Control effectiveness report
Initial risk rating
Risk report: consequences and likelihood of compromise
A risk mitigation and action plan
Practice Question
The PRIMARY purpose of a risk management
program is
a) To eliminate risk
Practice Question 2
The formula SLE x ARO relates to
a) Annualized Loss Expectancy (ALE)
b) Risk acceptance levels
c) The frequency of attacks
d) Calculation of the impact of a threat
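The two ways this chapter expresses risk, the qualitative likelihood/impact rating of the heat map under "Risk Treatment (Control Selection), Evaluation and Assessment" and the quantitative SLE x ARO formula of Practice Question 2, can be carried through on a small risk register. The following is an added example, not the courseware's own material: it rates each entry on the ordinal scale, computes SLE and ALE, ranks the register by expected annual loss, and applies a cost/benefit test to a proposed control. The register entries and figures are constructed for the example.

```python
"""Added example (not courseware code): qualitative risk rating from a
likelihood/impact matrix and quantitative ALE = SLE x ARO on a constructed
risk register."""

LEVELS = ("Low", "Moderate", "High")


def qualitative_rating(likelihood, impact):
    """Heat-map lookup: combine ordinal likelihood and impact into one rating.
    Low+Low or Low+Moderate -> Low; Moderate+Moderate or Low+High -> Moderate;
    anything stronger -> High."""
    score = LEVELS.index(likelihood) + LEVELS.index(impact)  # 0..4
    if score <= 1:
        return "Low"
    if score <= 2:
        return "Moderate"
    return "High"


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE: asset value multiplied by the fraction of that value lost in one occurrence."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO. ARO is occurrences per year and may be below 1
    (an event expected once every four years has ARO 0.25)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def control_is_justified(ale_before, ale_after, annual_control_cost):
    """Cost/benefit: the control is worth buying when the ALE it removes
    exceeds its yearly cost, i.e. the residual risk plus the control costs
    less than living with the original risk."""
    return (ale_before - ale_after) > annual_control_cost


# Constructed register (illustrative values only)
REGISTER = [
    {"id": "R1", "name": "ransomware on file server", "likelihood": "High",
     "impact": "High", "asset_value": 500_000, "ef": 0.4, "aro": 0.5},
    {"id": "R2", "name": "laptop theft", "likelihood": "Moderate",
     "impact": "Low", "asset_value": 2_000, "ef": 1.0, "aro": 3.0},
]


def assess(register):
    """Rate every entry both ways and rank by ALE, highest first, so the
    treatment decision starts from the largest expected loss."""
    out = []
    for r in register:
        sle = single_loss_expectancy(r["asset_value"], r["ef"])
        out.append({
            "id": r["id"],
            "rating": qualitative_rating(r["likelihood"], r["impact"]),
            "sle": sle,
            "ale": annualized_loss_expectancy(sle, r["aro"]),
        })
    return sorted(out, key=lambda x: x["ale"], reverse=True)


if __name__ == "__main__":
    for row in assess(REGISTER):
        print(row)
```

The qualitative rating is what the heat map gives a steering committee; the ALE is what justifies a budget line, and the cost/benefit test is why a control that costs more per year than the loss it prevents is normally rejected in favour of acceptance or transference.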
Chapter 3
Information Security Program Development and Management
Course Flow
(Diagram linking the chapters: Chapter One, Information Security Governance; Chapter Two, Information Risk Management; Chapter Three, Develop and Manage a Security Program; Chapter Four, Information Security Incident Management. The connecting arrows are labelled "Influenced by", "Directs changes to", "Directs development of" and "Enforced by".)
Course Agenda
Learning objectives
Security Program Development
Objectives
Role of the Information Security
Manager
Information Security Program
Development
Elements of a Security Program
Information Security Concepts
Technology and Tools, Security Models
Integrating Security into the Business
Exam Relevance
Ensure that the CISM candidate understands how to manage the information security program in alignment with the information security strategy
Definition
Information security program management includes:
Directing
Overseeing
Monitoring
information-security-related activities in support of organizational objectives.
Definition
Information security program development is the integrated set of:
Activities
Projects
Initiatives
to implement the information security strategy
Program Objectives
Implement the objectives of the security strategy
Managerial controls
Technical controls
Physical controls
Value delivery
Resource management
Assurance process integration
Performance measurement
Compliance
Prevention
Monitoring
Detection
Correction
Awareness
Implementation
Strategy
The first step in the development of an information security program (as seen in chapter one) is to align the security strategy with the objectives of the business
Governance
Resources
Reporting
Compliance
Regulations
Policy
Policy provides:
Authority
Direction
Requires:
Background
Scope
Applicability
Awareness
People are the most important element of a security program, therefore they must:
Understand their roles
Be capable of performing their roles
Be provided adequate training
Be accountable for results
Implementation
Converts strategy to practical tools and techniques:
Controls
Safeguards
Countermeasures
Monitoring
Review of security controls, countermeasures, safeguards
Continuous or periodic testing
Frequency is dependent on:
Laws
Business changes
Culture
Compliance
Compliance ensures that business processes and security measures meet the requirements of corporate policy, local regulations, industry-based standards, and best practices.
Compliance requires proof (not just theory):
Testing, logging
Reporting
System categorization
System description including system boundaries
Network diagram and data flows
Software and hardware inventory
Users and system owners
Business risk assessment
System risk assessment
Contingency plan
System security plan
(Organization chart: CISO, CIO and VP HR, with the functions Policy Development, Business Continuity and Incident Management.)
(Architecture layers diagram: Security Context; Security Concept; Logical Architecture; Physical Architecture; Component.)
Firewall Implementation project
Awareness Sessions
Personnel (skills)
Outsourcing or contract staff
Infrastructure
Networks, databases, facilities, etc.
Selection of Controls
Controls are:
Technical
Managerial
Physical
Tools designed to provide reasonable assurance that:
Business objectives will be achieved
Undesirable events will be prevented or detected and corrected
Outsourced security providers
Facilities
Environmental security
Policies
Provide authority and direction for the security program from management
High level versus functional policies
Are interpreted by standards, procedures, baselines
What are the characteristics of effective policies? What makes a policy effective?
Standards
Standards ensure that systems are configured and operated in a similar manner
Compliance with standards should be automated
Ensure that system configurations do not (intentionally or unintentionally) deviate from policy compliance
Standards are used to implement policy
Deviations from a standard must have formal approval
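Automating compliance with a standard, while still honouring formally approved deviations, is easier to picture with code. The following is an added example, not part of the courseware: it compares the observed configuration of each system against a baseline standard, reports every unapproved deviation (including a setting that is simply missing), and lists deviations that carry a formal approval separately so they are visible but not counted as violations. The baseline settings, system names and the approval ticket are assumptions constructed for the example.

```python
"""Added example (not courseware code): automated check of observed system
configurations against a baseline standard, with formally approved
deviations tracked separately from violations."""

# Hypothetical hardening baseline; setting names and values are assumptions for illustration.
BASELINE = {
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "no",
    "password.min_length": 12,   # numeric minimum: observed must be >= required
    "audit.enabled": True,
}

# Constructed inventory of observed configurations (not real systems).
SYSTEMS = {
    "web01": {"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "no",
              "password.min_length": 14, "audit.enabled": True},
    "db01": {"ssh.PasswordAuthentication": "yes", "ssh.PermitRootLogin": "no",
             "password.min_length": 12, "audit.enabled": False},
    # legacy01 has no audit setting at all and a weak password length
    "legacy01": {"ssh.PasswordAuthentication": "yes", "ssh.PermitRootLogin": "no",
                 "password.min_length": 8},
}

# Formal approvals: (system, setting) -> change ticket. Anything not listed is a violation.
APPROVED_EXCEPTIONS = {
    ("legacy01", "ssh.PasswordAuthentication"): "CHG-0000 (placeholder ticket reference)",
}

NUMERIC_MINIMUMS = {"password.min_length"}


def compliant(setting, observed, required):
    """A missing setting (observed is None) never satisfies the standard."""
    if observed is None:
        return False
    if setting in NUMERIC_MINIMUMS:
        return observed >= required
    return observed == required


def check_system(name, config, baseline=BASELINE, exceptions=APPROVED_EXCEPTIONS):
    """Return unapproved violations and approved deviations for one system."""
    violations, approved = [], []
    for setting, required in baseline.items():
        observed = config.get(setting)
        if compliant(setting, observed, required):
            continue
        if (name, setting) in exceptions:
            approved.append((setting, exceptions[(name, setting)]))
        else:
            violations.append((setting, observed, required))
    return {"system": name, "violations": violations, "approved_deviations": approved}


def report(systems=SYSTEMS):
    return {name: check_system(name, cfg) for name, cfg in systems.items()}


def non_compliant_systems(systems=SYSTEMS):
    """Systems with at least one unapproved deviation; what goes to management."""
    return sorted(name for name, r in report(systems).items() if r["violations"])


if __name__ == "__main__":
    for name, result in report().items():
        print(name, result["violations"], result["approved_deviations"])
```

Treating a missing setting as a violation rather than as "unknown" is deliberate: a system the check cannot vouch for is a deviation from the standard until someone approves it.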
Procedures
Procedures provide a defined, step-by-step method of completing a task
e.g., new user registration / user ID creation; incident management
Guidelines
Provide recommendations for better security practices:
Password creation, use of social media
Technology
One of the most important elements of a security program
Without the right tools, an effective security program is not feasible
Many tools available
Personnel Security
Protect staff from being harmed
Duress alarms, cameras
Having the right people:
(Training matrix: Level I to Level III for Administrator and User roles; entries include Awareness, SEC+, GSEC, CCSP and CISM.)
Organizational Structure
Who should security report to?
Normal reporting
Incident reports
Adequate:
Budget
Authority
Scope
Facilities
Secure operational areas:
Server rooms
Equipment rooms
Administrator, developer, and operator work areas
Consider factors such as:
Age of building (fire codes)
Shared facility with other companies
Facilities Security
Physical controls may include:
Smart cards or access controls based on biometrics
Security cameras
Security guards
Fences
Lighting
Locks
Sensors
Environmental Security
Heating, ventilation and humidity controls
Reliable power supplies
Risk Management
Threats
Vulnerabilities
Integrity
Attacks
Availability
Exposure
Countermeasures
Architecture
Controls
Business impact analysis (BIA)
Governance
Layered Defense
Data classification
Access Control
Controlling who and what has access to the facilities, systems, people and data of the organization
Ensuring the right people have the right level of access
Preventing inappropriate use, modification or destruction of organizational resources
Tracking all activity to the responsible entity
Identification
Access control starts with knowing who or what is accessing our systems, data, facilities or other resources.
Unique (traceable to the correct person/process)
Removed when no longer required
e.g., IDs, customer account numbers, fingerprints
Authentication
Validating the claimed identity: is the person requesting access really who they say they are?
Knowledge (password)
Authorization
Granting the authenticated user the correct
level of permissions needed
Read
Write
Execute
Create
Delete
Accounting / Auditability
Logging, monitoring and tracking of activity
Ability to associate activity with a specific
user
Audit log:
Protection
Review
Analysis
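The four steps just listed, identification, authentication, authorization and accounting, form one access path, and seeing them in code makes the hand-offs concrete. The following is an added example, not part of the courseware: each principal has a unique identifier that can be deactivated when no longer required, authentication checks a knowledge factor against a salted hash with a constant-time comparison, authorization grants only the permission level (read, write, execute, create, delete) the user holds on a given resource with default deny, and every decision is appended to an audit log attributed to the user id. The users, resources and passwords are constructed for the example.

```python
"""Added example (not courseware code): identification, authentication,
authorization and accounting on a constructed set of users and resources."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

PERMISSIONS = ("read", "write", "execute", "create", "delete")
ITERATIONS = 100_000  # PBKDF2 work factor; an assumption for the example


def hash_password(password, salt=None):
    """Salted, slow hash of a knowledge factor; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Identification: every principal has a unique id; "active" is cleared when
# the identity is no longer required, so it can never authenticate again.
USERS = {
    "u1001": {"name": "alice", "active": True,
              "perms": {"/finance/ledger": {"read", "write"}}},
    "u1002": {"name": "bob", "active": False,   # left the company
              "perms": {"/finance/ledger": {"read"}}},
}
CREDENTIALS = {
    "u1001": hash_password("correct horse battery staple"),
    "u1002": hash_password("bob-pass"),
}

AUDIT_LOG = []  # accounting: every decision attributed to a specific user id


def _record(uid, action, resource, outcome):
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "user": uid,
                      "action": action, "resource": resource, "outcome": outcome})


def authenticate(uid, password):
    """Validate the claimed identity with its knowledge factor."""
    user = USERS.get(uid)
    if user is None or not user["active"]:
        _record(uid, "login", "-", "denied: unknown or inactive id")
        return False
    salt, expected = CREDENTIALS[uid]
    _, presented = hash_password(password, salt)
    ok = hmac.compare_digest(presented, expected)  # constant-time comparison
    _record(uid, "login", "-", "ok" if ok else "denied: bad password")
    return ok


def authorize(uid, action, resource):
    """Grant only the permission level held on that resource; default deny."""
    if action not in PERMISSIONS:
        raise ValueError(f"unknown permission: {action}")
    granted = USERS.get(uid, {}).get("perms", {}).get(resource, set())
    allowed = action in granted
    _record(uid, action, resource, "allowed" if allowed else "denied")
    return allowed


def access(uid, password, action, resource):
    """The full path: authenticate first, then authorize; both are logged."""
    return authenticate(uid, password) and authorize(uid, action, resource)


if __name__ == "__main__":
    print(access("u1001", "correct horse battery staple", "read", "/finance/ledger"))
    print(access("u1001", "correct horse battery staple", "delete", "/finance/ledger"))
    for entry in AUDIT_LOG:
        print(entry)
```

The audit log records denials as well as successes; a review that sees only successful logins cannot tell a deactivated account being tried repeatedly from nothing happening at all.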
Criticality
How much is the ability of the organization to deliver its products and services dependent on:
Information
Information systems
What would the extent of the impact be on the business (quantitatively and qualitatively) if they were not available?
This is a measure of the criticality of the resource
Sensitivity
How much is the organization dependent on the accuracy or confidentiality requirements for:
Information
Information systems
This is a measure of the sensitivity of the resource
Trust Models
Multi-level security
Users have different levels of trust (access)
Domains of trust
Departmentalization/compartmentalization
Security perimeters
Trusted links between systems
Technology-based Security
Technology-based controls
Many technologies available
Are used to implement controls
Technologies
There are numerous technologies relevant to security that the CISM should be familiar with, including:
Firewalls
Routers and switches
IDS, NIDS, HIDS
Cryptographic techniques (PKI, DES)
Digital signatures
Smart cards
Operations Security
Operational security
Monitoring of systems
Maintenance of systems
Procedures
Change control
Backups
User access management
Patch Management
Usually performed by IT administrators
Technologies - SPAM
Email filtering to weed out unsolicited email
May contain malicious code
Causes network and storage congestion
Disable links and potentially malicious attachments
Encryption
Allows data to be stored, transmitted or displayed in a secure format, unreadable except to authorized personnel
Changes the format/structure of the data
Provides:
Confidentiality
Integrity
Authenticity
Access control
Non-repudiation
Technologies - Cryptography
Symmetric key algorithms
Use the same key to encrypt and decrypt a message
OSI model layers: Application, Presentation, Session, Transport, Network, Data Link, Physical
TCP/IP model layers: Application, Host to Host, Internetworking, Data Link / Physical
Technology - Firewalls
Regulate traffic flows between networks
Operate at various network layers:
Application proxies
Session layer proxies
Network layer
Packet Filtering
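Packet filtering is the network-layer case in the list above, and its behaviour is defined entirely by an ordered rule base. The following is an added example, not part of the courseware: a stateless filter that evaluates constructed packet headers against rules first-match with an implicit default deny, plus a check for shadowed rules, the common rule-base mistake where a later, more specific rule can never fire because an earlier, broader rule already matches everything it would. The addresses, ports and rule set are assumptions constructed for the example.

```python
"""Added example (not courseware code): first-match packet-filter rule base
with default deny, and a shadowed-rule check, on constructed packets."""
import ipaddress


class Rule:
    def __init__(self, action, proto="any", src="0.0.0.0/0", dst="0.0.0.0/0", dport=None):
        self.action = action            # "allow" or "deny"
        self.proto = proto              # "tcp", "udp" or "any"
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.dport = dport              # None means any port

    def matches(self, pkt):
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and (self.dport is None or self.dport == pkt.get("dport")))

    def covers(self, other):
        """True if every packet `other` could match, this rule also matches."""
        return (self.proto in ("any", other.proto)
                and (self.dport is None or self.dport == other.dport)
                and self.src.supernet_of(other.src)
                and self.dst.supernet_of(other.dst))


# Constructed inbound rule base for an internet-facing filter (illustrative addresses).
RULES = [
    Rule("deny", src="10.0.0.0/8"),                                  # 0: internal range must not arrive from outside
    Rule("allow", proto="tcp", dst="192.0.2.10/32", dport=443),      # 1: web server, HTTPS
    Rule("allow", proto="tcp", dst="192.0.2.10/32", dport=80),       # 2: web server, HTTP
    Rule("allow", proto="tcp", dst="192.0.2.25/32", dport=25),       # 3: mail relay
]


def evaluate(pkt, rules=RULES):
    """First matching rule decides; nothing matched means the implicit default deny."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]


# A misordered rule base: the broad allow hides the specific deny for the management port.
MISORDERED = [
    Rule("allow", proto="tcp", dst="192.0.2.0/24"),
    Rule("deny", proto="tcp", dst="192.0.2.10/32", dport=22),
]

if __name__ == "__main__":
    print(evaluate({"proto": "tcp", "src": "203.0.113.5", "dst": "192.0.2.10", "dport": 443}))
    print(shadowed_rules(MISORDERED))
```

A rule-base review that runs the shadow check before deployment catches the ordering error; a filter that only logs drops never will, because the shadowed deny produces no events at all.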
Emerging Technologies
The CISM must be aware of emerging technologies and their impact on the information security program:
Virtual environments
Cloud computing
Mobile computing
Apple and Android Apps
VOIP
SCADA networks
IDS / IPS
Intrusion detection and prevention systems should:
Identify and record any attempts to exploit a system by an attacker
Adequately protect networks and systems from security breaches
Be monitored and maintained daily
Protect logs for use in future investigations
Password Cracking
Many tools available:
Software
Hardware (keystroke loggers)
Should be forbidden by policy except for extraordinary, authorized purposes
Brute force attacks
Dictionary attacks
Rainbow tables
Restrict access to password files
Store passwords as hashed values
Vulnerability Assessments
Discover potential weaknesses or gaps in the security controls:
Open ports or services
Lack of training
Improper rule-base configurations
Poor incident handling
Penetration Testing
Attempt to exploit a perceived vulnerability
Usually more focussed than a vulnerability scan
Indicates whether the vulnerability does pose a serious risk of breach
Allows determination of potential impact
Can be done by external or internal testing teams
Must have prior approval
Subcontractors
Joint ventures
Business partners
Outsourced functions
Phased Approach
The program should be phased in by:
Region
Department
Product / service / business process
Building
Application
According to priorities, staff availability and regulation
Manual
Incremental reviews
Continuous Auditing techniques
Conducted by external or internal parties
Standards
Baselines
Deviations from the mandated levels of compliance may require a review of the policies, or the need to strengthen the controls
Sample Questions
Practice Question
1.) A security manager is most likely to be concerned with pending changes when:
A. Rollback procedures have not been documented
B. Users have not been notified of changes
C. System performance tests were not conducted
D. Program changes have not been documented
Practice Question
2.)
Practice Question
3.) Which of the following would be the BEST approach when conducting a security awareness campaign?
A. Provide interesting technical details of past exploits.
B. Target high risk groups like system administrators and the help desk.
C. Provide customized messages for different groups.
D. Clearly describe acceptable use policies and procedures.
Practice Question
4.) The MOST appropriate metric to measure how
Chapter 4
Information Security Incident Management
Exam Relevance
Ensure that the CISM candidate can plan, establish and manage the capability to detect, investigate, respond to and recover from information security incidents to minimize business impact.
Definition
Incident
Any event that has the potential to adversely impact the ability of the business to meet its objectives
Incident management
The capability to effectively manage unexpected disruptive events
Minimize impacts
Maintain and restore normal business operations within defined time limits
Definition
Incident response
The operational capability of incident management that identifies, prepares for and responds to incidents
Provide forensic and investigative capabilities
Restore normal operations as defined in service level agreements (SLAs)
Manage the impact of unexpected disruptive events to acceptable levels
Definition
Incident Management will ensure that incidents are detected, recorded and managed to limit impacts.
Deletion of files
Weather-related issues
History of Incidents
Past incidents provide valuable information on risk trends, threat types and business impact due to an incident
Can be used to evaluate the existing plans
Used as input to know the types of incidents that must be considered and planned for
Preparation
Identification
Containment
Eradication
Recovery
Lessons learned
Crisis Communications
One of the greatest challenges in a crisis is effective communications
Internal
Staff, management, business units
External
Business partners
Shareholders
General public
Government and regulatory bodies
Law Enforcement
Personnel
An Incident Response Team usually consists of:
The Incident Manager (often an Information Security Manager)
The Team Leader
Steering committee/advisory board
Provide oversight and authority
Personnel cont.
An Incident Response Team usually consists of:
Permanent/dedicated team members
Specialized skills: forensics, audit, communications, legal
Representation from key departments: Operations, IT, HR, Finance, Security, Executive, etc.
Virtual/temporary team members
External experts
Personnel cont.
The composition of the incident response team will depend on a number of factors such as:
Mission and goals of the incident response program
Nature and range of services provided
Skills cont.
Personal skills
Communication
Presentation skills
Ability to follow policies and procedures
Team skills
Integrity
Confidence
Problem solving
Time management
Skills cont.
Technical skills
Basic understanding of the underlying technologies used by the organization
Understanding of the techniques, decision points and supporting tools required in incident management
Network applications and services
Network security issues
The Internet
Operating systems
Network protocols
Malicious code
Programming skills
Value Delivery
To deliver value, incident management should:
Integrate and align with business processes and structures
Improve the capability of businesses to manage incidents effectively
Integrate incident management with risk and business continuity
Become part of an organization's overall strategy and effort to protect and secure critical business functions and assets
Performance Measurement
Performance measurements for incident management and response will focus on achieving the defined objectives and optimizing effectiveness
Audits
Audits (internal and external) must be performed to verify:
Incidents have been resolved and closed off
Lessons learned applied to the organization
Adherence by the incident response team to the policies and procedures defined by the organization
Responding to an Incident
During an Incident
The initial response to an incident should include:
Retrieving information needed to confirm an incident
False positive or real event
Notify incident manager and activate incident response teams
Containment Strategies
During an incident it is critically important to contain the crisis and attempt to minimize the amount of damage that occurs.
Network isolation and segmentation
Plan Development
Recovery Strategies
Recovery strategies must be sustainable for the entire period of recovery until business processes are restored to normal
Strategies may include:
Doing nothing until recovery facilities are ready
Using manual procedures / workarounds
Focusing on the most important customers, suppliers, products, and systems with resources that are still available
Recovery Strategies
The most appropriate recovery strategy is based on:
The ability to recover within acceptable recovery times at a reasonable cost
Recovery of Communications
Recovery of IT facilities involves telecommunications and network recovery
Notification Requirements
Plan should include a call tree with a prioritized list of contacts:
Representatives of equipment and software vendors
Contacts within companies that have been designated to provide supplies and equipment or services
Contacts at recovery facilities, including hot site representatives or predefined network communications rerouting services
Response Teams
Number of teams depends upon size of organization and magnitude of operations; examples include:
The emergency action team
Damage assessment team
Emergency management team
Relocation team
Security team
Insurance
Types of Tests
Tests can include:
Desk check / table-top walk-through of the plans
Table-top walk-through with mock disaster scenarios (simulation tests)
Testing the infrastructure and communication components of the recovery plan
Testing the infrastructure and recovery of the critical applications (parallel tests)
Full restoration and recovery tests with some personnel unfamiliar with the systems
Test Results
The test should strive to:
Verify the completeness and effectiveness of the response and recovery plans
Evaluate the performance of the personnel involved in the exercise
Evaluate the coordination among the team members and external vendors and suppliers
Indicate areas where improvements to the plan are necessary
Practice Question
1. The PRIMARY goal of a post-incident review is to:
A. Gather evidence for subsequent disciplinary action.
B. Identify key individuals who provided critical support during the crisis.
C. Prepare a report on the incident for further management review.
D. Derive ways to improve the response process.
Practice Question
2. Which of the following is the MOST important skill for an incident handler to possess?
A. Presentation skills for management reporting
B. Ability to follow policy and procedures
C. Integrity
D. Ability to cope with stress
Practice Question
3. What is the PRIMARY reason for conducting triage?
A. To set the priorities for incident response
B. To determine the root cause of the incident
C. To mitigate the damage being caused by the incident
D. To detect the presence of an incident
Practice Question
4. Which of the following is the MOST important factor when deciding whether to build an alternate facility or subscribe to a hot site operated by a third party?
A. Cost to restore lost data following the incident
B. Incremental cost of losing different systems
C. Location, availability, and cost of commercial recovery facilities
D. Estimated annualized loss expectancy (ALE) from key risks
Practice Question
5.
Table of Contents
ISACA Certification, page 3
June Important Date Information, page 5
September Important Date Information, page 6
December Important Date Information, page 7
Exam Day Information, page 8
Post Exam Information, page 10
About ISACA
With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business
and IT leaders build trust in, and value from, information and information systems. Established in
1969, ISACA is the trusted source of knowledge, standards, networking, and career development
for information systems audit, assurance, security, risk, privacy and governance professionals.
ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity
professionals, and COBIT, a business framework that helps enterprises govern and manage their
information and technology. ISACA also advances and validates business-critical skills and knowledge
through the globally respected Certified Information Systems Auditor (CISA), Certified Information
Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in
Risk and Information Systems Control (CRISC) credentials. The association has more than
200 chapters worldwide.
CISM / CGEIT / CRISC
Description
The management-focused CISM certification promotes international security practices and recognizes the individual who manages, designs, oversees and assesses an enterprise's information security.
Eligibility Requirements
Domains (%)
Number of exam questions*: length of exam
Exam Languages
CISM: English, Japanese**, Korean**, Spanish
CGEIT: English
CRISC: English, Spanish
* Consists of multiple choice items that cover the respective job practice areas created from the most recent job practice analysis. See page 11 for related links.
** June exam only
*** June and December exam only.
ISACA member: US $440 / US $490
Non-ISACA member: US $625 / US $675
Notes:
The CISA Chinese Mandarin Traditional, German, Hebrew, and Italian languages will only be offered at the June exam.
The CISM Japanese and Korean languages are only offered at the June Exam.
Visit www.isaca.org/examlocations for a listing of the exam sites. Please select the appropriate tab for the June, September or December locations.
Please contact exam@isaca.org for further information.
Member Through: 31 December 2015, 31 December 2015, 31 December 2016
Due Dates
Deadlines are based on Chicago, Illinois, USA, 5 P.M. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). If not registering online, please mail or fax the
registration form to ISACA. Do not do both. Submitting duplicate registrations online and/or by hard copy to ISACA may result in multiple registrations
and charges. Final registration forms and payment must be postmarked or received by fax on or before the final registration date for the exam you are registering
for. Both pages of the registration form must be received to complete a registration.
ACKNOWLEDGMENT OF REGISTRATION
An email acknowledgement of the exam registration, exam test site and exam language will be sent to registrants shortly after the processing of the registration.
Please review the exam registration details carefully and contact the ISACA certification department at exam@isaca.org for any corrections or changes. A receipt
letter acknowledging exam registration and payment with a link to ISACA's Exam Candidate Information Guide should be received by exam registrants within four
weeks (depending on your worldwide location and local postal delivery) of the processing of the registration form and payment. We encourage exam candidates to
review this Guide to familiarize themselves with exam day information and rules.
Special Accommodations
Upon request, ISACA will make reasonable accommodations in its exam procedures for candidates with documented disabilities or religious requirements.
Consideration for reasonable alterations in scheduling, exam format, presentation, and allowance of food or drink at the exam site must be requested.
Documented disability requests must be accompanied by a doctor's note. Requests for a religious requirement must be accompanied by a note from the
candidate's religious leader. Unless requested and approved, no food or drink is allowed at any exam site. Requests for consideration must be submitted to
ISACA International Headquarters in writing, accompanied by appropriate documentation, no later than 10 April 2015 to exam@isaca.org.
Exam locations
For a complete listing of the exam sites for the June exam administration visit www.isaca.org/examlocations and select the June Exam Locations tab.
All deadlines are based on Chicago, Illinois, USA, 5 p.m. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). No refunds or exchanges will be given for
study aids, associated taxes, shipping and handling charges, or membership dues. Exam registration and membership fees are nontransferable.
Special Accommodations
Upon request, ISACA will make reasonable accommodations in its exam procedures for candidates with documented disabilities. Consideration for
reasonable alterations in exam format, presentation, and allowance of food or drink at the exam site must be requested and accompanied by a doctor's
note. Unless requested and approved, no food or drink is allowed at any exam site. Requests for consideration must be submitted to ISACA International
Headquarters in writing, accompanied by appropriate documentation, no later than 27 July 2015 to exam@isaca.org.
Exam Locations
For a complete listing of the exam sites for the September exam administration visit www.isaca.org/examlocations and select the September Exam
Locations tab.
All deadlines are based on Chicago, Illinois, USA, 5 p.m. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). No refunds or exchanges will be given for
study aids, associated taxes, shipping and handling charges, or membership dues. Exam registration and membership fees are nontransferable.
Special Accommodations
Upon request, ISACA will make reasonable accommodations in its exam procedures for candidates with documented disabilities or religious requirements.
Consideration for reasonable alterations in scheduling, exam format, presentation, and allowance of food or drink at the exam site must be requested.
Documented disability requests must be accompanied by a doctor's note. Requests for a religious requirement must be accompanied by a note from the
candidate's religious leader. Unless requested and approved, no food or drink is allowed at any exam site. Requests for consideration must be submitted to
ISACA International Headquarters in writing, accompanied by appropriate documentation, no later than 23 October 2015 to exam@isaca.org.
Exam Locations
For a complete listing of the exam sites for the December exam administration visit www.isaca.org/examlocations and select the December Exam Locations tab.
All deadlines are based on Chicago, Illinois, USA, 5 p.m. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). No refunds or exchanges will be given for
study aids, associated taxes, shipping and handling charges, or membership dues. Exam registration and membership fees are nontransferable.
ISACA utilizes an internationally recognized professional testing agency to assist the construction, administration and scoring of the exams.
Candidates wishing to comment on the test administration conditions may do so at the conclusion of the testing session by completing the Test Administration
Questionnaire. The Test Administration Questionnaire is presented at the back of the examination booklet with corresponding instructions for completion.
Candidates who wish to address any additional comments or concerns about the examination administration, including site conditions or the content of the
exam, should contact ISACA international headquarters by letter or by email (exam@isaca.org). Please include the following information in your comments:
exam ID number, testing site, date tested and any relevant details on the specific issue. Only those comments received by ISACA during the first 2 weeks
after the exam administration will be considered in the final scoring of the exam. Appeals undertaken by a certification exam taker, certification applicant or
by a certified individual are undertaken at the discretion and cost of the exam taker, applicant or individual.
CISM Exam / CGEIT Exam / CRISC Exam
Certification: www.isaca.org/cisa, www.isaca.org/cism, www.isaca.org/cgeit, www.isaca.org/crisc
www.isaca.org/cisaprep, www.isaca.org/cismprep, www.isaca.org/cgeitprep, www.isaca.org/criscprep
Requirements for Certification / Job Practice: www.isaca.org/cisarequirements, www.isaca.org/cismrequirements, www.isaca.org/cgeitrequirements, www.isaca.org/criscrequirements
Applying for Certification: www.isaca.org/cisaapp, www.isaca.org/cismapp, www.isaca.org/cgeitapp, www.isaca.org/criscapp
Maintaining your Certification: www.isaca.org/cisacpepolicy, www.isaca.org/cismcpepolicy, www.isaca.org/cgeitcpepolicy, www.isaca.org/crisccpepolicy
Glossary of Terms: www.isaca.org/glossary
Acronyms
www.isaca.org/cisaprep, www.isaca.org/cismprep
CGEIT:
CGEIT Review Manual 2015
CGEIT Review Questions, Answers & Explanations Manual 2015
CGEIT Review Questions, Answers & Explanations Manual Supplement 2015
COBIT 5
CRISC:
CRISC Review Manual 2015
CRISC Review Questions, Answers & Explanations Manual 2015
CRISC Review Questions, Answers & Explanations Manual Supplement 2015
CRISC Review Questions, Answers & Explanation Database
12 month subscription