
Foreword

This Exam Preparation book is intended for those preparing for the
Certified Information Security Manager certification.

This book is not a replacement for completing a course. It is a
study aid to assist those who have completed an accredited course
and are preparing for the exam.

Do not underestimate the value of your own notes and study aids.
The more you have, the more prepared you will be.

While it is not possible to anticipate every question and topic that
may be asked in the CISM exam, this book covers the main concepts
within the CISM discipline.

Due to licensing rights, we are unable to provide an actual CISM exam.
However, the study notes and sample exam questions in this book will
allow you to more easily prepare for the CISM exam.

Ivanka Menken
Executive Director
The Art of Service

1
Copyright The Art of Service│Brisbane, Australia│Email:service@theartofservice.com
Web: http://theartofservice.com │eLearning: http://theartofservice.org │Phone: +61 (0)7 3252 2055
Write a review to receive any free eBook from our Catalogue -
$99 Value!

If you recently bought this book we would love to hear from you!
Benefit from receiving a free eBook from our catalogue at
http://www.emereo.org/ if you write a review on Amazon (or the online
store where you purchased this book) about your last purchase!

How does it work?

To post a review on Amazon, just log in to your account and click on
the Create your own review button (under Customer Reviews) of the
relevant product page. You can find examples of product reviews in
Amazon. If you purchased from another online store, simply follow
their procedures.

What happens when I submit my review?

Once you have submitted your review, send us an email at
review@emereo.org with the link to your review, and the eBook you
would like as our thank you from http://www.emereo.org/. Pick any
book you like from the catalogue, up to $99 RRP. You will receive an
email with your eBook as a download link. It is that simple!

Table of Contents

FOREWORD ............................................................................................................ 1

TABLE OF CONTENTS .............................................................................................. 3

1 CERTIFIED INFORMATION SECURITY MANAGER ............................................. 8

2 EXAM SPECIFICS............................................................................................. 9

3 INFORMATION SECURITY GOVERNANCE ...................................................... 11


3.1 INFORMATION SECURITY BASICS....................................................................... 11
3.1.1 Business Goals and Objectives ............................................................. 11
3.1.2 Information Security Concepts ............................................................. 12
3.1.3 Information Security Strategies ........................................................... 14
3.2 INFORMATION SECURITY GOVERNANCE ............................................................. 17
3.2.1 Governance Concepts .......................................................................... 18
3.2.2 Scope and Charter of Governance ....................................................... 20
3.2.3 Business Function Relationships .......................................................... 21
3.2.4 Information Security Governance Framework ..................................... 22
3.3 INFORMATION SECURITY REQUIREMENTS ........................................................... 23
3.3.1 Drivers for Information Security .......................................................... 23
3.3.2 Budget Planning .................................................................................. 24
3.3.3 Regulatory Requirements .................................................................... 25
3.3.4 Third Party Relationships ..................................................................... 26
3.4 INFORMATION SECURITY PREPARATION.............................................................. 27
3.4.1 International Standards ....................................................................... 27
3.4.2 Roles and Responsibilities .................................................................... 29
3.4.3 Information Security Officer ................................................................ 30
3.4.4 Policies and Objectives......................................................................... 32
3.4.5 Centralized and Distributed Methods .................................................. 33
4 INFORMATION RISK MANAGEMENT ............................................................ 35
4.1 RISK MANAGEMENT ...................................................................................... 35
4.1.1 Key Definitions ..................................................................................... 35
4.1.2 Principles and Practices ....................................................................... 36
4.1.3 Controls and Countermeasures............................................................ 36
4.2 INFORMATION SCHEMAS ................................................................................ 38
4.2.1 Information Classification .................................................................... 38
4.2.2 Information Ownership ........................................................................ 39
4.3 INFORMATION THREATS AND VULNERABILITIES.................................................... 40
4.3.1 Denial of Service (DoS) ....................................................... 41
4.3.2 Buffer Overflows .................................................................................. 42
4.3.3 Mobile Code ......................................................................................... 42
4.3.4 Malicious Software .............................................................................. 43
4.3.5 Password Crackers ...............................................................................44
4.3.6 Spoofing/Masquerading ...................................................................... 46
4.3.7 Sniffers, Eavesdropping, and Tapping .................................................. 48
4.3.8 Emanations .......................................................................................... 48
4.3.9 Shoulder Surfing .................................................................................. 49
4.3.10 Object Reuse.................................................................................... 49
4.3.11 Data Remanence ............................................................................. 51
4.3.12 Unauthorized Targeted Data Mining ............................................... 52
4.3.13 Dumpster Diving .............................................................................. 53
4.3.14 Backdoors and Trapdoors ................................................................ 53
4.3.15 Theft ................................................................................................ 54
4.3.16 Social Engineering ........................................................................... 54
4.4 RISK ASSESSMENTS AND ANALYSIS.................................................................... 55
4.4.1 General Process ................................................................................... 55
4.4.2 Qualitative Risk Assessments ............................................................... 55
4.4.3 Quantitative Risk Assessments ............................................................ 56
4.4.4 Common Security Measurements ........................................................ 57
4.4.5 Assessment Methodologies ................................................................. 58
4.4.6 Baseline Modeling ............................................................................... 58
4.4.7 Gap Analysis ........................................................................................ 59
4.4.8 Cost Benefit Analysis ............................................................................60
4.4.9 Information Value ................................................................................61
5 INFORMATION SECURITY PROGRAM DEVELOPMENT................................... 63
5.1 SECURITY PROGRAM CONCEPTS ....................................................................... 63
5.1.1 Strategies ............................................................................................. 63
5.1.2 Program Activities................................................................................ 64
5.1.3 Managing Implementation .................................................................. 66
5.2 SECURITY CONTROLS ..................................................................................... 67
5.2.1 Control Categories ............................................................................... 69
5.2.2 Administrative Controls .......................................................................71
5.2.3 Technical Controls ................................................................................ 75
5.2.4 Access Control Models ......................................................................... 77
5.2.5 Integrity Models .................................................................................. 78
5.2.6 Rainbow Series..................................................................................... 78
5.2.7 Information Technology Security Evaluation Criteria (ITSEC) ............... 82
5.2.8 Common Criteria .................................................................................. 82
5.3 SECURITY TECHNOLOGIES ............................................................................... 84
5.3.1 Identity Management .......................................................................... 84
5.3.2 Access Control Technologies ................................................................ 87
5.3.3 Access Control Lists .............................................................................. 92
5.3.4 Types of Access Control ........................................................................ 92
5.3.5 Authentication Devices ........................................................................ 94
5.3.6 Integrated Circuit Cards ....................................................................... 96
5.3.7 Biometrics .......................................................................................... 102
5.3.8 Intrusion Detection Systems (IDS) ......................................................104
5.3.9 Cryptography Methods ......................................................................108
5.3.10 Cryptography Forms ......................................................................109
5.3.11 Access Control Technologies ..........................................................111
5.4 IP SECURITY (IPSEC) ...................................................................................114
5.4.1 Authentication Headers and Encapsulating Security Payload ...........115
5.4.2 Internet Key Exchange (IKE) ...............................................................116
5.4.3 The IKE Process .................................................................................. 117
5.4.4 Methods of Encryption and Integrity .................................................118
5.4.5 Renegotiating Lifetimes .....................................................................118
5.4.6 Subnets and Security Associations .....................................................119
5.5 SECURITY DOCUMENTATION .......................................................................... 120
5.5.1 Types of Documentation .................................................................... 120
5.5.2 Security Education .............................................................................122
5.6 COMPLIANCE .............................................................................................124
5.6.1 Certification and Accreditation ..........................................................124
5.6.2 Service Level Agreements .................................................................. 125
5.6.3 Laws and Standards ........................................................................... 126
5.6.4 1996 National Information Infrastructure Protection Act.................. 127
5.6.5 President's Executive Order on Critical Infrastructure Protection ...... 127
5.6.6 USA Patriot Act of 2001 .....................................................................128
5.6.7 Homeland Security Act of 2002 .........................................................129
5.6.8 Computer Fraud and Abuse Act .........................................................129
5.6.9 Electronic Communications Privacy Act (ECPA) .................................130
5.7 SECURITY MONITORING ...............................................................................130
5.7.1 Change Management ........................................................................130
5.7.2 Configuration Management ..............................................................132
5.7.3 Information Access Control ................................................................134
5.7.4 Problem Management .......................................................................136
5.7.5 Recovery and Continuity Planning .....................................................139
5.7.6 Continuity Planning Process ..............................................................140
5.7.7 Information Incident Management ...................................................144
5.7.8 Managing Evidence ...........................................................................146
5.8 FACILITIES .................................................................................................. 147
5.8.1 Entry Points ........................................................................................150
5.8.2 Defense in Depth ............................................................................... 153
5.8.3 Physical Security Implementation ......................................................154
6 PRACTICE EXAM......................................................................................... 155
6.1 REFRESHER “WARM UP QUESTIONS”
7 ANSWER GUIDE ......................................................................................... 172
7.1 ANSWERS TO QUESTIONS
8 REFERENCES .............................................................................................. 181

Notice of Rights
All rights reserved. No part of this book may be reproduced or transmitted in any form
by any means, electronic, mechanical, photocopying, recording, or otherwise, without
the prior written permission of the publisher.

Notice of Liability
The information in this book is distributed on an “As Is” basis without warranty. While
every precaution has been taken in the preparation of the book, neither the author nor
the publisher shall have any liability to any person or entity with respect to any loss or
damage caused or alleged to be caused directly or indirectly by the instructions
contained in this book or by the products described in it.

Trademarks
Many of the designations used by manufacturers and sellers to distinguish their
products are claimed as trademarks. Where those designations appear in this book,
and the publisher was aware of a trademark claim, the designations appear as
requested by the owner of the trademark. All other product names and services
identified throughout this book are used in editorial fashion only and for the benefit of
such companies with no intention of infringement of the trademark. No such use, or
the use of any trade name, is intended to convey endorsement or other affiliation with
this book.

1 Certified Information Security Manager

The Certified Information Security Manager certification is for
experienced information security managers and those individuals with
responsibilities in information security management. The certification
covers the management, design, oversight, and assessment of an
enterprise's information security program using internationally
accepted practices.

The CISM is accredited by the American National Standards Institute
(ANSI) under ISO/IEC 17024:2003.

The exam covers the following disciplines and percentage scope:

• Information Security Governance 23%
• Information Risk Management 22%
• Information Security Program Development 17%
• Information Security Program Management 24%
• Incident Management and Response 14%

2 Exam Specifics

CISM Exams are proctored by ISACA. Registration and location
information can be found on the www.isaca.org web site. The exam is
administered twice a year: June and December.

Exams are delivered in a secure environment, proctored, and timed.

Specifics about the exam are:

• Price: See registration site
• Time Limit: 240 minutes
• # of Questions: 200
• Question Type: Multiple Choice
• Passing Score: 450 or higher

After passing the exam, the candidate has five years to apply for
certification. This is done by completing the certification application and
verifying work experience. The required experience is two years in
information security management. This requirement can be substituted
with one of the following:
• Certified Information Systems Auditor (CISA) certification in good
standing.
• Certified Information Systems Security Professional (CISSP)
certification in good standing.
• Postgraduate degree in information security or a related
field.

Partial credit to fulfill the requirement is possible with one of the
following:
• One full year of information systems management
experience.
• One full year of general security management experience.
• Skill-based security certification.

3 Information Security Governance

3.1 Information Security Basics

3.1.1 Business Goals and Objectives

Information Security Management is a subset of Enterprise IT
Management, Corporate Governance Framework, or Service
Management. Each of these disciplines relies on key principles which
are used to analyze and design current solutions and future
improvements. While the greater IT or Service Management principles
are in place to make the current capabilities and resources available
and useful to the customer, Information Security Management focuses
on protecting those capabilities and resources from unintentional loss
or malicious attack. These goals have to be reached within acceptable
levels of quality, cost, and risks.

At the core of every effort are the customer's goals and objectives for
their business. These are the valued products and services that the
customer provides to the marketplace. To make this provision
possible, technologies and IT services are in place to provide support
in production, administration, and communication. Security
Management provides the policies, classifications, and guidelines for
protecting the informational and physical assets of the enterprise.

The goal of Enterprise IT Management is to create value for the
customer. The definition of value begins with the desired business
outcomes of the customer, but is also dependent on the perception of
value for the customer. From a business and/or IT perspective, the
questions often asked to determine and define value are:
• What is the business?
• Who is the customer?
• What does the customer value?
• Who needs our products and services?
• How are our products and services used?
• What makes our products and services valuable?

IT departments offer the business specific warranties that systems are
in place to fulfill business objectives. These warranties are usually
provided in terms of:
• Availability
• Capacity
• Continuity
• Security

3.1.2 Information Security Concepts

Information security is a management discipline which provides
strategic direction for all IT security activities. The objective of
information security management is to protect the interests of those
relying on the data stores, databases, and metadata used by the
enterprise and on the systems and communication mediums used to
deliver that information, and to provide protection from harm due to
failures in confidentiality, integrity, and availability.

Often referred to as the CIA triad, confidentiality, integrity, and
availability are the foundational pillars of security. IT governance
provides the framework for developing these pillars for the purpose of
safeguarding business assets and practices.

Confidentiality refers to the need for information to be safe from
disclosure to unauthorized individuals. Normally, several levels of
confidentiality may be found within an organization, ranging from
classified, sensitive, confidential, to protected and public.

Integrity describes the wholeness and completeness of the
information without any alteration except by authorized sources. The
integrity of a system has a direct effect on the integrity of the
information on that system. If the system has no integrity, the
information cannot be considered trusted. Integrity is different from
confidentiality, in that integrity focuses on one's trust in the information
and not its secrecy.

Availability speaks to the need to access the information when it is
needed. Depending on the information, availability may be restricted
to users based on the confidentiality level of the information.
Traditional systems attributed higher integrity to lower availability;
however, open-source systems have demonstrated that higher integrity is
often found when greater availability is provided to the user base.

The security objectives are typically met when:

• Information is disclosed to only those individuals who have
a right to know.
• Information is complete, accurate, and protected against
modification from unauthorized individuals.
• Information is available and usable by customers when
required and the systems supporting the provision and
delivery of this information can resist and recover from
failure or attack.
• Information exchanges and business transactions between
enterprises, partners, and customers can be trusted.

3.1.3 Information Security Strategies

The activities of Information Security Management are guided by and
concentrate on security policies. These policies consist of an
overall Information Security Policy and several underpinning security
policies specific to the individual IT technologies implemented. They
cover all aspects of security and should have the full support and
commitment of executive management.

These policies are the basis for creating an Information Security
Management System framework, which consists of five elements:
• Control
• Plan
• Implement
• Evaluate
• Maintain

Control of security relates to the management framework,
organization structure, roles and responsibilities, and documentation
required to provide a foundation for other elements of the framework
to succeed.

Planning is any attempt to define and recommend security measures
based on the organization's requirements. These requirements are
gathered from the plans, strategies, and risks of the business and IT
services, as well as service level and objective level agreements and
compliance with legal and regulatory agencies. Measures can be
proactive or reactive to known threats and vulnerabilities. They fall
into one of the following categories:
• Preventive – intended to stop the occurrence of a security
incident. Solutions related to authentication, authorization,
identification, and access control are typical examples of
preventive measures.
• Reductive – intended to minimize the possible damage
resulting from a security incident; these typically consist of
regular backups and implementation of contingency plans.
• Detective – intended to provide the earliest possible detection of a
security incident. A primary example of a detective
measure is virus-checking software.
• Repressive – intended to reduce or stop the security
incident from occurring again. Disabling accounts after
several sequential failed login attempts is an example of a
repressive measure.
• Corrective – intended to repair the damage resulting from
a security incident. Restoring, roll-back, and back-out
procedures are examples of corrective measures.
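The repressive measure named above (disabling an account after several sequential failed logins) is the easiest of these categories to show as working code. The following Python sketch is an added example for this study guide, not code from the book or from ISACA: it locks an account once a configurable number of consecutive failures is reached, refuses even a correct password while the lock is in force, and keeps an audit list of every attempt so the same mechanism also yields a detective record. The threshold of five failures, the 15-minute lockout window, the `LoginGuard` class and its method names are all assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 5        # assumed policy value: lock after 5 sequential failures
LOCKOUT_SECONDS = 900   # assumed policy value: 15-minute lockout window


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # sequential failures since the last success
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


def derive_key(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored credential is not reversible (a preventive measure)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class LoginGuard:
    """Hypothetical authentication gate combining preventive, detective and
    repressive measures. A clock callable is injected so the lockout window
    can be exercised without waiting in real time."""

    def __init__(self, clock=time.time):
        self.accounts = {}   # user -> Account
        self.audit = []      # (timestamp, user, event) tuples: the detective record
        self.clock = clock

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, derive_key(password, salt))

    def login(self, user: str, password: str) -> str:
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            self._record(now, user, "unknown-user")
            return "denied"
        if now < acct.locked_until:
            # Repressive measure in effect: refuse even a correct password
            self._record(now, user, "locked")
            return "locked"
        if hmac.compare_digest(acct.pw_hash, derive_key(password, acct.salt)):
            acct.failures = 0   # a success resets the sequential-failure counter
            self._record(now, user, "success")
            return "ok"
        acct.failures += 1
        self._record(now, user, "failure")
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            self._record(now, user, "lockout")
            return "locked"
        return "denied"

    def _record(self, ts: float, user: str, event: str) -> None:
        self.audit.append((ts, user, event))

    def lockout_events(self) -> int:
        # How many times the repressive measure fired, as read from the audit record
        return sum(1 for _, _, event in self.audit if event == "lockout")


def demo():
    """Drive the guard with a fake clock and a constructed sample account;
    returns (results of the failed attempts, result while locked,
    result after the window expires, number of lockouts recorded)."""
    fake_now = [1_000.0]
    guard = LoginGuard(clock=lambda: fake_now[0])
    guard.register("alice", "correct horse battery")
    attempts = [guard.login("alice", "wrong") for _ in range(MAX_FAILURES)]
    while_locked = guard.login("alice", "correct horse battery")
    fake_now[0] += LOCKOUT_SECONDS + 1   # wait out the lockout window
    after_wait = guard.login("alice", "correct horse battery")
    return attempts, while_locked, after_wait, guard.lockout_events()


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the four categories interacting: the password check is the preventive control, the `audit` list is the detective record, the fifth failure triggers the repressive lockout, and the restored access after the window is the point where a corrective procedure (for instance a helpdesk-driven password reset) would otherwise intervene. A production version would also compute `derive_key` for unknown users so that response timing does not reveal which usernames exist.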

These measures eventually are implemented through a set of
procedures, tools, and controls needed to support the Information
Security Policy, specifically in the areas of asset accountability and
classifying information. A number of factors determine successful
implementation, including:
• Integration of security policy with business need.
• Management justification and support of security
procedures.
• Effective marketing and education of security
requirements.
• Integrated continuous improvement.

Continuous evaluation of the implemented measures is required to
ensure compliance with the security policy and that security
requirements are met. In addition, these evaluations provide regular audits of
the systems and provide information to external auditors and
regulators.

Continuous improvement mechanisms are in place to maintain and
improve the Information Security Management System to meet its
objectives and ensure the confidentiality, integrity, and availability of
information assets.

3.2 Information Security Governance

Information security governance is delivered by the Board of Directors
and senior executives and must be integrated with the governance of
the enterprise and aligned with IT governance. The framework
consists of leadership, organizational structures, and processes
necessary to protect informational assets. The outcomes of
information security governance include:
• Alignment of information security with business strategy to
meet organizational objectives.
• Implementation of risk management to reduce potential
impacts on information resources.
• Implementation of resource management to effectively and
efficiently use the knowledge and infrastructure of
information security.
• Measuring, monitoring, and reporting of performance
metrics related to information security governance.
• Delivery of value in security investments needed to support
organizational objectives.

Governance is different from management. The generally accepted
differences between governance and management are:

• Oversight versus Implementation.
• Assigning authority versus Authorizing action.
• Enacting policy versus Enforcing policy.
• Accountability versus Responsibility.
• Strategic planning versus Project planning.
• Resource allocation versus Resource utilization.

Effective security programs are dependent on specific governance
characteristics:
• Institution-wide scope.
• Accountability in leadership.
• Perceived as a cost of doing business.
• Driven by risk management.
• Defines roles, responsibilities, and segregation of duties.
• Uses policy to address concerns and enforce security.
• Committed resources are adequate.
• Appropriate staff awareness and training.
• Definitive development life cycle.
• Security is planned, managed, measurable, and
measured.
• Security is reviewed and audited.

3.2.1 Governance Concepts

Governance aligns the framework with current best practices and
ensures an appropriate level of visibility, guidance, and control to
support the stakeholders' requirements and obligations. Governance
over security may have elements specifically dedicated to meeting
the requirements of security independently, or it may operate in
cooperation with other governance efforts such as architecture, IT,
and process.

Governance is generally accepted as a distinct domain within a
hierarchy of governance structures, including:
• Corporate governance
• Technology governance
• IT governance
• Architecture governance

Governance has specific characteristics that amplify its value and
necessity in an enterprise:
• Discipline – commitment to adhere to procedures,
processes, and authority structures.
• Transparency – all activity and decision-making structures
are available to inspection.
• Independence – processes, decision-making, and
mechanisms are established to minimize and avoid
potential conflicts of interest.
• Accountability – groups are authorized and accountable for
their actions.
• Responsibility – contracted parties are required to act
responsibly.
• Fairness – activities and solutions do not create an unfair
advantage for a particular party.

3.2.2 Scope and Charter of Governance

IT governance as defined by ITGI:

“A structure of relationships and processes to direct and control the
enterprise in order to achieve the enterprise's goals by adding value
while balancing risk versus return over IT and its processes.”

Intended to guarantee that appropriate security activities are


performed to:
 Reduce risks appropriately
 Direct security investments
 Executive oversight
 Determining effectiveness of the program

Conceptually, the Governance is a combination of a set of processes,


a cultural orientation, set of owned responsibilities, and an approach
for overseeing the integrity and effectiveness of the implemented
framework.

Within the scope of security, governance provides the policies,


compliance, dispensation, control, and management methods and
guidelines to ensure that information and assets remain confidential,
in integrity, and available to authorized personnel.

20
Copyright The Art of Service│Brisbane, Australia│Email:service@theartofservice.com
Web: http://theartofservice.com │eLearning: http://theartofservice.org │Phone: +61 (0)7 3252 2055
3.2.3 Business Function Relationships

Information Security Management is a subset of Corporate
Governance and is aligned with IT Governance. Though the security of
information is highly dependent on the IT systems where information
is stored, delivered, and communicated, there are instances
where corporate technology is limited or not used to handle
information. For instance, physical security of the facility may or may
not be within the scope of IT security within the enterprise. As a result,
Information Security is often perceived as broader in scope than IT
Management.

Security is ultimately the responsibility of all employees to implement
and maintain. However, a few business functions have a considerable
interest in the success of Information Security and are responsible for
its governance. The business functions typically involved in
Information Security Governance are:
• Board of Directors/Trustees – responsible for understanding the existing information assets as they relate to business operations and for providing strategic direction for securing those assets.
• Executives – responsible for implementing security governance and translating the strategic objectives into implementable tasks.
• Steering Committees – comprised of executives and representatives from key business functions, such as human resources, legal, risk management, audit, operations, and public relations, to provide effective communication of the security program and ensure continual alignment with organizational objectives.
• Chief Information Security Officer – may or may not be a named position, but is responsible for providing an authoritative voice to address information security concerns.

3.2.4 Information Security Governance Framework

The information security governance framework generally consists of:
• A risk management methodology.
• A security strategy aligned with business and IT objectives.
• A security organization structure.
• A definition of the value of the information protected and delivered.
• Security policies related to strategy, control, and regulation.
• Security standards set for each defined policy.
• Monitoring processes for compliance.
• Feedback on the effectiveness of mitigating risk.
• Continued evaluation and update of security policies, standards, procedures, and risks.

This framework supports the development of an information security
program that enables the fulfillment of the organization's goals while
limiting the impact of security incidents and potential threats.

3.3 Information Security Requirements

3.3.1 Drivers for Information Security

Information security is a business and governance issue, not just a
technical issue. For organizations to remain competitive in a global
market, there is constant pressure to automate systems, which
increases the dependency on information systems and increases the
potential vulnerability to risks that threaten the enterprise.

Some of the factors that shape the scope and requirements of
deployed security solutions include:
• The criticality of the information required by the business.
• The investment in information security required to maintain alignment with the strategy of the organization and the existence of risk.
• The development and implementation of a comprehensive information security program.
• The reporting requirements of security for management review.
• Increased dependency on information and the systems supporting business needs.
• Dependencies on outside vendors, partners, and customers who are not under the direct control of the enterprise.
• Impact on reputation and product value resulting from security failures.
• Failure to set reasonable expectations related to the importance of security.

3.3.2 Budget Planning

Budget planning for security operations should be aligned with the
planning efforts of other services: first, in structure, and second, in
ensuring that all security policies are enforced and planned for in
those other services. Corporate financial systems are the most likely
constraint on how budget planning is performed and may require some
translation to adapt to security operations.

Some of the factors that should be managed are:
• Accounting – each deployment of a security policy should have a cost entry in the budget. Depending on the implementation of a security measure and the granularity of these implementations, specific sub-components may be identified or even have their cost shared between departments or functions.
• Cost types – identifies the higher-level expense categories to assist in reporting and analyzing demand and usage, and includes: hardware, software, labor, and administration.
• Cost classification – identifies the end purpose of the cost and includes:
  o Capital/operational – accounting methodologies required by the business and regulatory agencies.
  o Direct/indirect – defines whether cost assignment should be direct to the customer or shared across multiple customers.
  o Fixed/variable – identifies whether the cost is fixed in time or price, and minimizes the level of variability when the cost is not fixed.
• Cost units – identifies the unit of consumption that can be tracked.

3.3.3 Regulatory Requirements

Many corporations place themselves under regulatory requirements.
Some of the requirements are mandatory for the industry the
organization is in; the most heavily regulated is the financial industry,
where customer account information must have the highest level
of security while being appropriately available between financial
institutions. Some of the requirements are voluntary, based on
adopted practices and accreditation.

Membership in and compliance with regulatory bodies provide a “seal of
approval” that can give the enterprise greater competitiveness and
marketability. Many of these regulatory bodies provide only
guidelines or best practices, without giving direct input on the solutions
to implement. In some cases, compliance is rated based on the
maturity of the implementation, where some parts of the
implementation may be more or less mature than others.

Whether mandatory or voluntary, understanding the regulations is the
first step. Translating those regulations into relevant requirements is
the next step. Those requirements are then turned into applicable designs
and implemented solutions. Finally, ongoing evaluation of those
solutions against the regulations must be performed continuously.

3.3.4 Third Party Relationships

Most organizations are dependent on the products and services of
other organizations to meet business objectives. Whether in the form
of vendors, partnerships, or alliances, there is a probability that information,
or the systems supporting the storage, delivery, and communication of
that information, will be shared.

While technologies may be used to enforce the security requirements,
those requirements are derived from the security policies. Often these
policies must be shared in these situations to enable both parties to
fully support the requirements within their own systems. The more
interconnected the systems are, the greater the granularity
required to manage the security requirements for both sides of the
interactions.

The situation is similar to different departments within the same
enterprise sharing information and systems. Varied interpretations in
classifying information, organizing that information, and managing its
distribution can cause multiple security-related problems and
vulnerabilities. However, within an enterprise a consistent policy can
be enforced across departments and is under the control of a single
governance body. When dealing with multiple organizations, policies may
not be the same and control rests with multiple governance bodies. In
this case, the result must be the same as working within a single
enterprise. Normally, this requires additional resources to perform
continuous and specialized reviews and audits.

3.4 Information Security Preparation

3.4.1 International Standards

A large number of international standards and regulatory bodies deal
with information security in part or as a whole. Many focus on larger
disciplines where information security is only a part of the overall
focus. Many corporations may adopt multiple standards and
regulations. It is likely that while the approaches, organization, and
focus between them may be different, the security standards and
objectives are relatively consistent.

Below are some of the recognized standards and regulatory bodies
that deal with Information Security Management:
• COBIT 4.0 – developed and promoted by the IT Governance Institute (ITGI) to define the IT requirements of businesses in terms of effectiveness, efficiency, availability, integrity, confidentiality, reliability, and compliance.
• COBIT Security Baseline – published by ITGI to address the benefits and risks of using IT security.
• Guidelines for the Security of Information Systems – designed by the Organisation for Economic Co-operation and Development (OECD) to construct a framework for the security of information systems which covers the laws, codes of conduct, technical measures, management and user practices, and education and awareness activities facing countries and enterprises.
• Managing Security of Information – issued by the International Federation of Accountants to define the importance of confidentiality, integrity, and availability.
• Guide for Assessing the Security Controls in Federal Information Systems (NIST 800-53A) – developed by the US National Institute of Standards and Technology (NIST) for use by federal agencies to provide adequate information security. Though the document is specifically designed for federal use, it can be adopted voluntarily by non-governmental agencies.
• Code of Practice for Information Security Management (ISO 17799) – developed by the International Organization for Standardization (ISO) to provide a range of controls needed when using information systems to preserve the confidentiality, integrity, and availability of information.
• Trust Services (SysTrust) Principles and Criteria for Systems Reliability – a joint venture between the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) to raise the assurance of services by public accountants through the principles of availability, security, integrity, and maintainability.
• Standard of Good Practice for Information Security – developed by the Information Security Forum (ISF) members to address security in terms of security management, critical business applications, computer installations, networks, and systems development.
• Information Security Governance: Call to Action – a report from the Corporate Governance Task Force to provide a plan of action to deal with cyber security issues and concerns.

3.4.2 Roles and Responsibilities

Security is the responsibility of all employees in the organization. As a
result, how an organization treats its employees can impact the
security position of the company, whether the employee is current,
potential, or former. Hiring and termination policies are key
vulnerabilities for security.

An effective security program will leverage the roles and
responsibilities of several levels of personnel, including:
• Board of Directors/Trustees
• Executive Managers
• Steering Committee
• Asset Owners
• Business Managers
• Operational Personnel
• Certification Agents
• Audit Committee
• Internal and External Audit Personnel

Periodic performance reviews and ongoing supervision are crucial to
ensuring that security policies are being adopted properly by all
employees in the organization.

Different levels of care are important considerations for handling
terminations, especially depending on whether they are friendly or
unfriendly.

3.4.3 Information Security Officer

The responsibility for ensuring the protection of all business
information assets from loss, disclosure, alteration, destruction,
and unavailability falls within the job scope of the Information Security
Officer.

Primary duties include:
• Ensuring that security risks are appropriately communicated to executive management.
• Establishing and managing a budget to conduct all information security activities.
• Ensuring the appropriate and timely development of security policies, procedures, baselines, standards, and guidelines.
• Developing and providing a Security Awareness Program.
• Ensuring the business objectives are understood and appropriately translated into security strategies.
• Maintaining an awareness of emerging threats and vulnerabilities.
• Evaluating security incidents and the response provided to identify strengths and weaknesses in security solutions.
• Developing and enforcing a Security Compliance Program.
• Establishing metrics for security performance.
• Conducting and participating in meetings with management to ensure that business concerns are appropriately addressed and communicated.
• Ensuring compliance with government regulations.
• Assisting in the auditing efforts of internal and external departments.
• Remaining current on emerging technologies.

3.4.4 Policies and Objectives

Security activities are driven by policies. The Information Security
Policy covers all areas of security, is appropriate to the organization's
infrastructure, and meets the needs and objectives of the business.
Supporting the Information Security Policy are distinct underpinning
policies, which can include, but are not limited to:
• Proper use of IT assets
• Misuse of IT assets
• Access control
• Password control
• E-mail
• Internet
• Anti-virus
• Information classification
• Document classification
• Remote access
• Asset disposal
• Supplier access
• Social responsibility
• Asset classification
• Change Management
• Data protection
• Business continuity
• Disaster recovery
• Incident response
• Security awareness and education
• Security measurement

All policies should be reviewed annually and updated appropriately.
They should be readily available to all customers and users. They
should be referenced in all agreements, contracts, and service level
agreements.

3.4.5 Centralized and Distributed Methods

Centralized governance maintains budget control and ensures the
implementation and adoption of security controls. Distributed
governance has responsibility over policy, oversight, and budget
for departmental security programs. The structure used is based on the
desired outcomes:
• Centralized – promotes sharing, reuse and asset utilization for greater profitability.
• Distributed – promotes responsiveness and innovation for greater revenue growth.
• Hybrid – to meet multiple performance goals.

In the most basic implementations, a centralized security program is
designed and enforced by a single authoritative department. They
provide the overall Information Security Policy. While individual
departments may contribute to specific sections of the policy, the
overall responsibility is on this central group. They are also
responsible for auditing and improvements to the security policy.

In a distributed solution, the responsibilities are divided between
departments and specialty areas. The Information Security Policy
serves as a catalog of numerous, and potentially diverse, policies that
are intended for use by individual departments. While the security
policies may be the responsibility of individual departments, they may
cover the security requirements of a centralized IT solution. E-mail is
an example of such a solution: while the IT solution is used by all
members of the organization, its centralized management rests with one
department, which has responsibility for the creation and enforcement of
the security policy governing e-mail use.

As the enterprise grows in size and depth, the solutions become more
diverse, and the governance structures can be hybrid.

4 Information Risk Management

4.1 Risk Management

Risk is usually defined as the possibility of loss. Risk management is
the technique used to assess, minimize, and prevent accidental loss
to a business.

4.1.1 Key Definitions

Risk management introduces or refines the following terms:
• Control – the policies, procedures, guidelines, practices, and structures used to manage risk.
• Risk – the combination of an event's probability and its consequence.
• Risk assessment – the overall process of analyzing and evaluating risk.
• Risk management – the coordinated activities to direct and control an organization's treatment of risk.
• Risk treatment – the process for selecting and implementing measures to modify risk.
• Threat – the potential cause of an unwanted incident, which may result in harm to a system and the organization as a whole.
• Vulnerability – a weakness of an asset that can be exploited by one or more threats.

4.1.2 Principles and Practices

Risk management utilizes several methods for dealing with risk,
including:
• Risk Avoidance – involves creating solutions that ensure a specific risk is not realized.
• Risk Transfer – involves passing a specific risk to another entity.
• Risk Mitigation – attempts to eliminate or significantly decrease the level of risk present.
• Risk Acceptance – weighs the cost and benefits of handling the risk against accepting it.

4.1.3 Controls and Countermeasures

Controls and countermeasures are applied to IT and business
solutions to mitigate risk to information. Some basic characteristics
should be considered when applying each control
and countermeasure, such as:
• Accountability – who is responsible for ensuring the control or countermeasure remains in place, or for managing the impact when it fails?
• Auditability – can it be reviewed and tested?
• Trusted source – are its design, implementation, and maintenance performed by people who are committed to maintaining the security policy?
• Independent – are its design, implementation, and maintenance dependent on the existence of other controls and countermeasures?
• Distinct – does it work without overlapping other controls and countermeasures?
• Consistent application – can the control or countermeasure be applied in the same manner across the organization?
• Simple and Public – is the control or countermeasure easily accessible and implementable by the general population (employees)?
• Cost-effective – is the cost of implementation lower than the cost of not implementing?
• Reliability – will it serve its purpose under multiple circumstances?
• Sustainable – will it continue to function as expected over time and/or adapt as changes or new elements are introduced to the environment?
• Minimal manual intervention – is it fully or partially automated to ensure that the need for manual work is minimal?
• Ease of use – is it easy to use and apply?
• Secure – is the control or countermeasure itself safe from exploitation or attack?
• Protection – does it protect the confidentiality, integrity, and availability of assets as expected?
• Reversibility – can the control or countermeasure be “backed out” when an issue arises?
• Safe – are any additional issues created when the control or countermeasure is applied?
• Clean – does it leave no residual data as a result of its function?

4.2 Information Schemas

4.2.1 Information Classification

The purpose of information classification is to provide a method for
determining the importance of each information type to the
organization. This determination provides the appropriate level and
method of protecting the information type. While all assets add value
to an organization, not all value provided is equal, nor does it require the
same care in handling.

When classifying information, the following basic steps are involved:
• Determining the requirements for classification.
• Determining the people responsible for classification.
• Determining the classification levels.
• Determining the methods and procedures for classification.
• Determining the processes impacted by classification.

Classification of data, or information, can be required by law,
regulations, or rules.

Several levels of classification may be involved, ranging from three to
five levels. Some of the more commonly adopted levels, from lowest to
highest, are:
• Public, Restricted, and Private
• Public, Sensitive, and Confidential
• Category III, Category II, and Category I
• Public, Official Use Only, and Confidential

4.2.2 Information Ownership

Each piece of information must have a clear “owner.” This is a role
within the organization fulfilled by personnel. The primary purpose of
the owner is to ensure the integrity of the information, including its
proper classification. Some organizations default ownership to the
creator of the information, while others give immediate responsibility
to the manager of the department or function storing the data. There
are a variety of methods to define the owner, and these methods are
not consistent across systems and databases. Some of the more
popular methods are:
• Manager of the function using the information.
• Person responsible for determining the level of protection over the information.
• Person responsible for determining appropriate usage of the information.
• Person responsible for classifying the data.
• Person responsible for the business outcome of using the information or information system.

4.3 Information Threats and Vulnerabilities

Any threat against the confidentiality, integrity, and availability of
enterprise assets is a threat to access control.

Recognized threats to access control consist of:
• Denial of service
• Buffer overflows
• Mobile code
• Malicious software
• Password crackers
• Spoofing/masquerading
• Sniffers
• Eavesdropping
• Emanations
• Shoulder surfing
• Tapping
• Object reuse
• Data remnants
• Unauthorized targeted data mining
• Dumpster diving
• Backdoor/trapdoor
• Theft
• Intruders
• Social engineering

4.3.1 Denial of Service (DoS)

Denial of service attacks consist of:
• Consuming specific resources.
• System services or applications becoming unusable by users.
• Total failure of a system.

In the early 1990s, the most prevalent attacks were SYN attacks:
TCP/IP protocol manipulation caused when an overwhelming number
of open-ended session requests were sent to a service, causing
the service to focus on processing these requests while delaying
legitimate requests. The result was that systems were virtually
unusable by valid users and applications of the service.

Denial of service is typically the result of finding a weakness in system
services and exploiting that weakness. One of the most common
characteristics of a DoS attack is the use of multiple events, systems,
or users to focus legitimate actions against a single system. The
result is a manipulation of system interactions for the purpose of
acquiring access or redirecting communications.
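
One way to detect the footprint of the SYN attack described above (many half-open requests pending on one service, arriving from many sources), as an added Python example that is not part of the book: it parses a few constructed connection-state lines in the column layout of netstat -tan output and reports ports whose half-open (SYN_RECV) count reaches a threshold. The sample lines and the threshold of 5 are assumptions for the demonstration.

```python
"""Flag a possible SYN flood from a snapshot of TCP connection states.

Added example, not from the original text. The sample below is
constructed (RFC 5737 documentation addresses, not real traffic) in the
six-column layout of `netstat -tan`:
  proto recv-q send-q local-address foreign-address state
"""
from collections import Counter, defaultdict

SAMPLE_NETSTAT = """\
tcp        0      0 10.0.0.5:443        198.51.100.7:51234   SYN_RECV
tcp        0      0 10.0.0.5:443        198.51.100.8:41002   SYN_RECV
tcp        0      0 10.0.0.5:443        198.51.100.9:40118   SYN_RECV
tcp        0      0 10.0.0.5:443        203.0.113.44:55012   ESTABLISHED
tcp        0      0 10.0.0.5:443        198.51.100.10:3001   SYN_RECV
tcp        0      0 10.0.0.5:22         203.0.113.9:60211    ESTABLISHED
tcp        0      0 10.0.0.5:443        198.51.100.11:3002   SYN_RECV
tcp        0      0 10.0.0.5:443        198.51.100.12:3003   SYN_RECV
"""


def parse_connections(text):
    """Return (local_port, remote_ip, state) tuples from netstat-style lines.

    Header lines and anything that is not a TCP row are skipped; the
    address is split on the last ':' so IPv6 literals still parse.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue
        local, foreign, state = parts[3], parts[4], parts[5]
        local_port = local.rsplit(":", 1)[1]
        remote_ip = foreign.rsplit(":", 1)[0]
        rows.append((local_port, remote_ip, state))
    return rows


def half_open_report(rows, threshold=5):
    """Per local port, count half-open (SYN_RECV) versus established
    connections and the number of distinct remote sources.

    A service with many half-open entries, few established ones and many
    sources matches the text's description of open-ended session requests
    crowding out legitimate ones. Returns one dict per port at or above
    the threshold, sorted by port.
    """
    half_open = Counter()
    established = Counter()
    sources = defaultdict(set)
    for port, remote_ip, state in rows:
        if state == "SYN_RECV":
            half_open[port] += 1
            sources[port].add(remote_ip)
        elif state == "ESTABLISHED":
            established[port] += 1

    findings = []
    for port, count in sorted(half_open.items()):
        if count >= threshold:
            findings.append({
                "port": port,
                "half_open": count,
                "established": established[port],
                "distinct_sources": len(sources[port]),
            })
    return findings


if __name__ == "__main__":
    for finding in half_open_report(parse_connections(SAMPLE_NETSTAT)):
        print("port {port}: {half_open} half-open, {established} established, "
              "{distinct_sources} distinct sources".format(**finding))
```

On a live host the same functions can be fed the output of netstat or ss; the threshold should be set from the service's normal baseline rather than the fixed value used here.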

4.3.2 Buffer Overflows

A portion of memory is usually allocated to temporarily store
information that is used for processing. This is called a buffer and is
essential to manage data inputs and outputs during system interaction.

A buffer overflow is a manipulation of the system's ability to manage
the buffer which, in turn, causes a system failure such as an outage,
failure to control the application state, or failure to control the data
required for processing.

Poor system memory access control and management is the typical
cause of buffer overflows. Proper coding of the applications, services,
and operating systems managing the memory allocation is a good
start at preventing this threat. Adequate testing in the development
process can ensure that the coding is done properly and identify any
vulnerability to buffer overflows.

4.3.3 Mobile Code

Any software that is transmitted across a network from a remote
source to a local system and executed without any explicit action from
the user is referred to as mobile code. The local system can be a
personal computer, smart device, PDA, mobile phone, or Internet
appliance. Mobile code does not need to be installed or executed by
the user and is typically known as downloadable code or active
content.

Mobile code is not necessarily harmful and includes:
• ActiveX controls
• Java applets
• Browser scripts
• HTML e-mail

However, significant security implications surround mobile code
because of its capabilities for dynamic distribution, limited user
awareness, and potential for harm. Mobile code used maliciously can
track user activity, access vital information, or install other applications
without the user's knowledge. To prevent malicious mobile code, the
system has to be configured properly.

4.3.4 Malicious Software

Malicious software was once used to describe Trojans or spyware, but has
expanded to include any software, application, applet, script, or digital
material run on a computer system that can be a threat to the system,
applications, or information.

Falling into the category of malicious software, or malware, are:
• Viruses – parasitic code which requires human assistance to transfer or insert into the system, or is attached to another program to allow replication and distribution.
• Worms – self-propagating code which exploits vulnerabilities in systems or applications. Similar to viruses, but without the need for human interaction.
• Trojan Horses – any program that appears to the user as desirable but is, in the end, harmful.
• Spyware – hidden applications intended to track user activity, obtain personal data, and even monitor system inputs.

4.3.5 Password Crackers

Passwords are a grouping of secret characters used to prove the


identity of the user. Passwords are prone to discovering and given
that they range from an average or 5 to 15 characters, they are limited
by the number of potential combinations of characters.

Passwords are stored by a one-way hash, an algorithm producing a


unique representation of the password. When a system receives a
hashed password, it uses the same algorithm used to create the
password and compares it the hash on file. If the hash is correct, the
certainty that the password provided is on file increases. In most
cases, the password is never stored or saved, only the hash.

Password crackers work on the stored hashes. Once the file containing
the hashed passwords has been obtained, the cracker generates
candidate passwords (from a word list, from rules applied to a word
list, or by exhaustive enumeration), hashes each candidate with the
same algorithm, and compares the result with the hashes on file. The
length and complexity of the password determine how many candidates
must be tried, so the time required ranges from minutes to years.

Password crackers are easily obtainable and are useful to both
attackers and system administrators. System administrators use
password crackers to identify weak passwords; if a password is found
to be weak, the user can be asked to change it to a stronger one.

In 1980, Martin Hellman described a method of using precalculated
data to reduce the time required for cryptanalysis. By performing an
exhaustive search once and storing part of the results, the time a
password cracker later needs per recovered password can be
significantly decreased. This is commonly referred to as a time-memory
tradeoff: storage consumed and processing time compete with each
other, and the attacker chooses a balance between them.

Many password hashes are generated by encrypting a fixed plaintext
with the user's password as the key. A poorly designed password
hashing scheme uses the same plaintext and the same method for every
password, so a given password always produces the same hash. This
allows hashes to be calculated in advance and subjected to a
time-memory tradeoff. The standard defence is a salt: a random,
per-user value mixed into the hash, which forces the attacker to
precompute a separate table for every salt value and makes the
tradeoff uneconomical.

Hellman's construction enciphers the plaintext under all possible
keys, organizing the results into chains. Only the first and last
elements of each chain are stored. As the number of stored chains
increases, so does the frequency with which different keys produce the
same intermediate result, causing chains to merge and wasting effort.

By 1982, Ron Rivest had introduced the concept of distinguished
points, which improved the tradeoff by reducing the number of memory
lookups. A chain ends only when it reaches a distinguished point, a
value with an easily recognized property such as its first ten bits
all being zero. During a search, memory is consulted only when the
computation reaches a distinguished point, so far fewer lookups are
needed than with fixed-length chains.

A faster time-memory tradeoff was developed by Philippe Oechslin in
2003. The remaining weakness of the chaining process was collisions
between chains, which cause chains to merge and waste stored memory.
To limit the merge rate and reduce memory requirements, Oechslin
proposed a new chain structure called rainbow chains: rather than one
reduction function for the whole chain, a different reduction function
is used at each position in the chain, so two chains that collide at
different positions do not merge. Tables built this way are the
rainbow tables used by modern password crackers.
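
The chain construction described above, as an added worked example
(not code from this book): a miniature rainbow table over a 4-digit
PIN space with unsalted SHA-256. The space size, chain length, chain
count, start points and the reduction function are assumptions chosen
to keep the example small; real tables differ only in scale. The last
lookup shows why a per-user salt defeats the precomputation.

```python
import hashlib

# Toy search space: 4-digit numeric PINs (assumption for the example).
SPACE = 10_000
CHAIN_LEN = 50       # positions per chain, one reduction function each
NUM_CHAINS = 400     # chains built; only their start and end points are kept


def hash_pin(pin: str) -> str:
    """Unsalted one-way hash of a candidate password (SHA-256, hex)."""
    return hashlib.sha256(pin.encode()).hexdigest()


def hash_salted(salt: bytes, pin: str) -> str:
    """The same hash with a per-user salt prepended (the defence)."""
    return hashlib.sha256(salt + pin.encode()).hexdigest()


def reduce_hash(digest: str, column: int) -> str:
    """Map a hash back into the PIN space.

    The column index is mixed in, so each chain position uses a different
    reduction function. This is what distinguishes rainbow chains from
    Hellman's original chains: chains that collide in different columns
    do not merge.
    """
    return f"{(int(digest[:16], 16) + column) % SPACE:04d}"


def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN) -> dict:
    """Precompute chains; store only end point -> list of start points."""
    table = {}
    for n in range(num_chains):
        start = f"{(n * 25) % SPACE:04d}"   # deterministic, distinct starts
        pin = start
        for col in range(chain_len):
            pin = reduce_hash(hash_pin(pin), col)
        table.setdefault(pin, []).append(start)
    return table


def lookup(table: dict, target: str, chain_len: int = CHAIN_LEN):
    """Recover the preimage of `target` from the table, or None."""
    for col in range(chain_len - 1, -1, -1):
        # Hypothesis: target sits in column `col`; walk to the chain end.
        pin = reduce_hash(target, col)
        for later in range(col + 1, chain_len):
            pin = reduce_hash(hash_pin(pin), later)
        for start in table.get(pin, []):
            # Regenerate the candidate chain from its start point and look
            # for the real preimage; this filters false alarms from merges.
            cand = start
            for k in range(chain_len):
                if hash_pin(cand) == target:
                    return cand
                cand = reduce_hash(hash_pin(cand), k)
    return None


if __name__ == "__main__":
    table = build_table()
    print("end points stored:", len(table))
    print("unsalted 0025 ->", lookup(table, hash_pin("0025")))
    # A per-user salt moves the hash outside the precomputed space.
    print("salted 0025   ->", lookup(table, hash_salted(b"x9!Q", "0025")))
```

The table stores only 400 end points yet can answer for every PIN that
appears in any chain; the price is the chain walk at lookup time, which
is the memory-for-time trade the text describes.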

4.3.6 Spoofing/Masquerading

An attack method utilizing weaknesses in the Internet protocols to
gain access to systems that base trust on IP addresses was described
by Steve Bellovin in 1989. Kevin Mitnick popularized IP spoofing in
1994 with a widely reported attack of this kind. IP spoofing allows an
attacker to appear to come from a trusted source when in fact they are
outside the trusted environment.

Earlier versions of spoofing were performed at the protocol layer by
sending packets to the server with the source address of a known
system in the packet header. Filtering devices would pass the packet
if they were configured to permit traffic to and from the trusted
address or network. Though this allowed the packet to arrive, the
server's replies went to the real owner of the spoofed address, so the
attacker had to predict the server's responses (for TCP, its initial
sequence numbers) to complete the exchange blind.

Modern systems and firewalls compensate for this form of spoofing:
routers drop packets whose source address could not legitimately
arrive on that interface (ingress and egress filtering), and operating
systems randomize TCP initial sequence numbers so that responses
cannot be guessed. Similar attacks that manipulate the trust of
systems and users are still prevalent. Phishing is another form of
masquerading as a trusted source. Domain Name Servers can be
manipulated to redirect Internet users from valid websites to
malicious sites. Spoofing is used in man-in-the-middle attacks, where
users believe they are interacting with the desired destination when
in fact they have been redirected through an intermediary who is
collecting information from both sides of the communication.

Spoofing or masquerading has a significant impact on the access
control environment, since attackers gain access in a way that
circumvents the established controls.
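
Ingress and egress filtering as described, as an added example (not
code from this book): a Python classifier run over a constructed batch
of packet records. The interface names, the internal prefixes and the
sample packets are assumptions for the example.

```python
import ipaddress

# Address ranges that should never be the source of a packet arriving
# from the Internet: private space plus loopback and link-local.
# Constructed for the example; a real deployment lists its own prefixes.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def classify(packet: dict) -> str:
    """Return 'pass' or the reason a packet is rejected as spoofed.

    packet: {'iface': 'wan' or 'lan', 'src': str, 'dst': str}
    - ingress filtering (wan): drop internal or bogon source addresses
    - egress filtering (lan): drop sources that are not ours (BCP 38)
    """
    src = ipaddress.ip_address(packet["src"])
    if _in_any(src, BOGON_NETS):
        return "drop: bogon source"
    if packet["iface"] == "wan" and _in_any(src, INTERNAL_NETS):
        return "drop: internal source address on external interface"
    if packet["iface"] == "lan" and not _in_any(src, INTERNAL_NETS):
        return "drop: non-local source leaving the network (egress)"
    return "pass"


def filter_packets(packets):
    """Apply classify() to a batch; return (passed, dropped) lists of
    (packet, verdict) pairs."""
    passed, dropped = [], []
    for p in packets:
        verdict = classify(p)
        (passed if verdict == "pass" else dropped).append((p, verdict))
    return passed, dropped


# Constructed sample traffic, not captured data.
SAMPLE = [
    {"iface": "wan", "src": "203.0.113.7",  "dst": "192.168.1.10"},  # normal
    {"iface": "wan", "src": "192.168.1.5",  "dst": "192.168.1.10"},  # spoofed
    {"iface": "wan", "src": "127.0.0.1",    "dst": "192.168.1.10"},  # bogon
    {"iface": "lan", "src": "192.168.1.20", "dst": "198.51.100.4"},  # normal
    {"iface": "lan", "src": "198.51.100.9", "dst": "198.51.100.4"},  # egress spoof
]

if __name__ == "__main__":
    for pkt, verdict in filter_packets(SAMPLE)[1]:
        print(pkt["iface"], pkt["src"], "->", verdict)
```

The egress rule matters as much as the ingress rule: it stops your own
network from being the source of spoofed packets aimed at others.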

4.3.7 Sniffers, Eavesdropping, and Tapping

At some point in networking between two computers, communications
will pass through a physical device or medium. Gaining access to that
device or medium could provide insight into all layers of the
communication, in the form of eavesdropping or tapping.

The same capabilities are utilized by IDSs, which monitor
communications in an effort to detect unwanted activities.

Sniffers are devices or programs that collect information from a
communication medium. Encryption of the traffic is the primary
defence, since a sniffer then captures only ciphertext.

4.3.8 Emanations

Emanation is the proliferation or propagation of a signal beyond the
system that produced it, which is most evident in wireless networks.
By being within range of the wireless signal, an attacker can attempt
to access the network without physically entering the facility.

Emanations can be tapped to allow eavesdropping. The key is tapping
into the electromagnetic emissions of computing devices (monitors,
cables, keyboards) to acquire data from a distance.

Encryption of signals can provide some protection. Reducing the
emanation of a signal can also provide protection, using shielding and
equipment designed to standards such as TEMPEST.

4.3.9 Shoulder Surfing

Shoulder surfing is a form of social engineering where information is
gathered through direct observation. This is done by watching a person
enter a password or listening to a conversation containing sensitive
information.

Deterrents to shoulder surfing include:
• Awareness training
• One-time use passwords
• Multifactor authentication
• Screen filters
• Special polarized glasses

4.3.10 Object Reuse

The allocation or reallocation of system resources to an application
or process is referred to as object reuse. In essence, applications
and services create objects which are stored in memory. Those objects
can be used over and over by the application or service and shared
with other applications and services. An object may be used to perform
a privileged task for an application or authorized user; if the use of
that object is not controlled and it remains in memory after the task,
it can become available to unauthorized users.

Application object reuse has two aspects:
• The direct employment of the object.
• The use of input or output data from the object.

To protect against the harmful reuse of an entire object, an
application should erase all residual data from the object before it
is assigned to another process, to prevent the data from being
intentionally or unintentionally read.

Security requires controlled sharing of object resources. Since these
resources are in memory, their management can be difficult. Many
systems run multiple processes simultaneously. Memory may be allocated
to one process for a while, then deallocated and reallocated to
another process, and this constant recycling is a potential security
vulnerability, because residual information may still exist in a
memory section when it is reallocated to a new process.

The same concern applies to system media such as hard drives, magnetic
media, and other forms of data storage. It is common practice to reuse
media to reduce the cost of backup activities. Removing all data from
the media before reuse ensures that proprietary and confidential
information is not compromised. Standard methods include:
• Degaussing
• Overwriting the media

4.3.11 Data Remanence

Similar to object reuse is data remanence, which is often seen when
used computer equipment is reused or sold to another user. The partial
or entire remains of digital information are still present for the new
user.

Hard drives are comprised of platters organized into tracks and
sectors, which the file system groups into clusters. When a file is
written to the hard drive, it is placed in one or more clusters that
may be spread across the disk. The file system's allocation table (the
file allocation table in FAT, for example) tracks the physical
location of the file so that it can be retrieved later.

Several situations can lead to data exposure:
• Deleting a file removes its entry from the allocation table but
does not erase the physical clusters.
• Sensitive or confidential data remains in the slack space of
partially used clusters until the entire cluster is overwritten with
new data.
• Attackers can hide malicious information or code within slack
space, where ordinary file tools will not show it.

The most effective software mechanism for destroying data on magnetic
media is to overwrite it one or more times, which accomplishes:
• Replacing the data with enough randomization to prevent statistical
analysis of what was there.
• Further masking the remnants of any electromagnetic representation
of the data with each rewrite.

Overwriting does not reliably clear solid-state drives, whose
controllers remap blocks and keep spare capacity that software cannot
address; for those, the drive's built-in secure-erase or cryptographic
erase function, or physical destruction, is required.
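
A toy file system model illustrating deletion, slack space and
overwriting, added here as an example (not code from this book).
Cluster size, cluster count and the file contents are constructed
values; the behaviour, a delete that only drops the table entry and a
short file that leaves the tail of the previous occupant in the
cluster, is what real file systems do.

```python
CLUSTER = 16        # bytes per cluster (constructed toy size)
NUM_CLUSTERS = 8


class ToyDisk:
    """Simplified disk: an array of clusters plus an allocation table.

    Deleting a file only drops its table entry, exactly as a real file
    system does; the clusters keep their bytes until something overwrites
    them. That is the data remanence the text describes.
    """

    def __init__(self):
        self.clusters = [bytearray(CLUSTER) for _ in range(NUM_CLUSTERS)]
        self.table = {}                  # name -> (size, [cluster indexes])

    def _free_clusters(self):
        used = {c for _, cl in self.table.values() for c in cl}
        return [i for i in range(NUM_CLUSTERS) if i not in used]

    def write(self, name: str, data: bytes):
        free = self._free_clusters()
        needed = -(-len(data) // CLUSTER)          # ceiling division
        if needed > len(free):
            raise OSError("disk full")
        chosen = free[:needed]
        for n, idx in enumerate(chosen):
            chunk = data[n * CLUSTER:(n + 1) * CLUSTER]
            # Only len(chunk) bytes are replaced; the rest of a partially
            # filled cluster (its slack space) keeps its previous contents.
            self.clusters[idx][:len(chunk)] = chunk
        self.table[name] = (len(data), chosen)

    def delete(self, name: str):
        del self.table[name]                        # clusters untouched

    def read(self, name: str) -> bytes:
        size, cl = self.table[name]
        return b"".join(bytes(self.clusters[i]) for i in cl)[:size]

    def slack(self, name: str) -> bytes:
        """Bytes in the file's last cluster that lie beyond the file's data."""
        size, cl = self.table[name]
        used = size % CLUSTER
        return b"" if used == 0 else bytes(self.clusters[cl[-1]][used:])

    def carve(self, needle: bytes) -> bool:
        """Forensic-style search of the raw clusters, ignoring the table."""
        return needle in b"".join(bytes(c) for c in self.clusters)

    def wipe_free(self):
        """Overwrite every unallocated cluster (the 'writing over' control).

        Note what it does not reach: slack space inside allocated clusters.
        """
        for idx in self._free_clusters():
            self.clusters[idx][:] = b"\x00" * CLUSTER


if __name__ == "__main__":
    d = ToyDisk()
    d.write("secret.txt", b"SSN 123-45-6789 salary 90000")   # constructed
    d.delete("secret.txt")
    print("deleted, still carvable:", d.carve(b"123-45-6789"))
    d.write("memo.txt", b"hello")                         # reuses cluster 0
    print("slack of memo.txt:", d.slack("memo.txt"))
    d.wipe_free()
    print("after wipe:", d.carve(b"salary"), d.slack("memo.txt"))
```

Wiping free space removes the deleted file's second cluster, but the
slack inside the new file's cluster survives, which is why sanitization
of media for reuse overwrites the whole device rather than free space.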

4.3.12 Unauthorized Targeted Data Mining

Any collection of large amounts of information for the purpose of
creating predictions is considered data mining. There are several
reasons for mining information, and it is often used to draw a logical
conclusion from a body of data.

Attackers generally perform reconnaissance in order to collect as much
information as possible about a target's operations, practices,
technical architecture, and business cycles. Though individual pieces
of data may be harmless, combinations of data can be assembled and
analyzed to identify vulnerabilities that can be exploited.

One common area of concern is marketing, where security must ensure
that public information placed on a web site cannot be used against
the company. In the early days of the Internet, companies posted large
amounts of data that aided attackers in determining how and what to
attack. Current awareness ensures that sensitive information is not
posted as freely; however, the evolution of search engines has made
whatever sensitive information is exposed easier to discover.

4.3.13 Dumpster Diving

Dumpster diving is a simple tactic of rooting through trash to obtain
enough information to draw conclusions and create a strategy for
attacking a target. The process is similar to data mining in stringing
together small, individually insignificant pieces of data to obtain a
larger, more harmful fact about the target.

Destroying documentation is one of the best defences against this
vulnerability, along with destruction of media to prevent exposure.

4.3.14 Backdoors and Trapdoors

Many creators of applications build special access capabilities into
their software code for troubleshooting purposes. These capabilities
are commonly referred to as backdoors. If a person knows the location
of the backdoor, they can obtain access to the application or system
without the knowledge of the system owner.

System integrators create special rules and credentials to ensure
they have complete access to the systems they install, for the purpose
of supporting their customer. Typically, the same methods and
credentials are used for multiple customers. If a person were to
obtain this information, they would have complete access to several
customers' systems.

4.3.15 Theft

Physical theft is the removal of any item of value by an unauthorized
person. Digital theft does not require removal; the data simply needs
to be copied by an unauthorized person, often leaving the original in
place and the theft unnoticed.

4.3.16 Social Engineering

Social engineering is the use of coercion or misdirection to obtain
information. It always involves a degree of interaction, though that
interaction may be on the telephone, through e-mail, or face-to-face.

E-mail social engineering is a common effort to use e-mail to obtain
information. In most cases, an e-mail is sent disguised as coming from
a trusted source. The message is a request for information. The victim
believes they are sending the information to a source that has the
right to know it.

Help Desk fraud occurs when an attacker poses as an employee and calls
the Help Desk for help. The goal of the attack is usually to reset a
password. In some cases, remote-access phone numbers or IP addresses
can be obtained. Attackers will sometimes pose as managers to obtain
special privileges.

4.4 Risk Assessments and Analysis

4.4.1 General Process

The process for assessing risks follows a few general steps. A
developed risk assessment may have specific procedures in place to
provide the focus needed to meet its objectives. The general steps
are:
1. Identify Vulnerabilities.
2. Identify Threats.
3. Determine Likelihood.
4. Determine Impact.
5. Determine Risk.
6. Report Findings.
7. Select Countermeasure.
8. Determine Information Value.

4.4.2 Qualitative Risk Assessments

Results of a qualitative risk assessment are descriptive rather than
measurable. They are usually performed when:
• The expertise needed for quantitative risk assessment is limited.
• The timeframe required to complete the assessment is short.
• The data required to conduct a quantitative assessment is limited.

Qualitative risk assessments are typically performed by:
1. Gaining management approval.
2. Forming an assessment team.
3. Gathering documentation on:
• Strategy
• Policies, procedures, guidelines, and baselines
• Past assessments and audits
• Technical documentation
• Application development and operations documentation
• Business continuity and disaster recovery plans
• Security incident response documentation
• Data classification schemes
• Executive mandates
4. Conducting interviews with managers and employees.

4.4.3 Quantitative Risk Assessments

Quantitative risk assessments focus on the interpretation of
measurable data, covering:
• Frequency
• Probability
• Impact
• Countermeasure effectiveness

Quantitative risk assessments are conducted through a simple process
of:
1. Obtaining management approval.
2. Building an assessment team.
3. Reviewing the information currently available within the
organization.

4.4.4 Common Security Measurements

Simple calculations used in quantitative risk assessments include:
• Single loss expectancy (SLE) – the loss from one occurrence of an
event.
• Annualized rate of occurrence (ARO) – the expected number of
occurrences per year.
• Annualized loss expectancy (ALE) – the expected loss per year.
• Local annual frequency estimate (LAFE)
• Standard annual frequency estimate (SAFE)

Formulas used include:

SLE = asset value ($) × exposure factor (%)
ALE = ARO × SLE

where the exposure factor is the percentage of the asset's value lost
in a single occurrence.

4.4.5 Assessment Methodologies

Qualitative Assessments
• NIST SP 800-30
• NIST SP 800-66
• OCTAVE
• FRAP – Facilitated Risk Analysis Process
• CRAMM – CCTA Risk Analysis and Management Method

Quantitative Assessments
• Spanning Tree Analysis
• Failure Modes and Effect Analysis

4.4.6 Baseline Modeling

Baselines are identified to mark significant states of a resource.
They are usually used to assess the outcome of changes against a known
starting point. Baselines are agreed upon and approved. They can be:
• Functional – identifies the initial specifications before any
changes are made.
• Allocated – identifies the specifications that meet the approved
requirements.
• Developmental – identifies the state of the resource as it is
developed to meet or exceed expectations and requirements.
• Product – the minimal specifications required of the resource to
meet business outcomes.

Typically associated with processes such as configuration management
and project management, baselines provide a reference point to a
specific fixed state. Revision control is applied to manage changes to
the resource.

4.4.7 Gap Analysis

Gap analysis is a tool which compares the actual performance of a
resource to its potential performance, that is, delivery against
expectation. It is used to measure the investment of time, money, and
resources needed to achieve a particular outcome.

Analysis of a resource gap can pertain to a number of focus areas,
including:
• Performance – compares the actual performance of a resource to the
desired performance of the same resource, identifying potential
deficiencies in the solution and required changes to configuration.
• Functional – compares the actual available functions of the resource
to the desired functions as defined by customer perspective, business
requirements, and market research, and identifies possible
improvements.
• Usage – compares the current level of usage of the resource to the
desired usage, and identifies areas of growth, propagation, and
education.

4.4.8 Cost Benefit Analysis

Cost benefit analysis is an approach to making financial decisions
that can be informal or formal, such as appraising a specific project
or proposal. The approach weighs the total costs expected against the
total benefits expected of one or more actions to identify the best or
most profitable option. Both benefits and costs are expressed in terms
of money and adjusted for the effect of time. The adjustment for time
makes it possible to compare the value of decisions at different
points in a project's or proposal's life cycle, in particular initial
costs versus ongoing expenses against the expected return.

The benefits can be expressed as tangible effects, such as increased
revenue or profit, greater productivity, and greater functionality, or
as intangible effects, such as a change in reputation or credibility,
market penetration, or alignment to long-term strategies. The actual
practice of analysis may differ between geographic regions,
industries, and departments, mainly because the type and extent of
the impacts differ. Despite this, a basic set of key cost-benefit
indicators is shared, including:
• NPV (net present value)
• PVB (present value of benefits)
• PVC (present value of costs)
• BCR (benefit cost ratio = PVB/PVC)
• Net Benefit (PVB - PVC)
• NPV/k (k represents the level of funds available)

The accuracy of reported costs and estimated benefits determines the
accuracy of the cost-benefit analysis. As a result, relying on
analysis results that contain even a single inaccuracy is a risk in
decision making. Most often these risks are the result of poor
estimation, particularly when:
• Relying on similar past projects.
• Relying on experience of significant cost drivers.
• Relying on crude methods to estimate intangibles.
• Dealing with bias in team members or a drive to fulfill an agenda.
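
A worked calculation joining the SLE/ALE formulas of 4.4.4 with the
cost-benefit indicators above, added as an example (not from this
book). The asset value, exposure factor, rates of occurrence, control
costs, horizon and discount rate are constructed figures; the benefit
of the control is taken to be the ALE it removes each year.

```python
def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value * exposure factor (fraction of value lost per event)."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = ARO * SLE, where ARO is the expected number of events per year."""
    return aro * sle


def present_value(amount: float, rate: float, year: int) -> float:
    """Discount a cash flow occurring at the end of `year` (year 0 = today)."""
    return amount / (1 + rate) ** year


def evaluate_countermeasure(asset_value, exposure_factor, aro_before, aro_after,
                            initial_cost, annual_cost, years, rate):
    """Cost-benefit indicators for a control that lowers the ARO.

    Benefit each year is the ALE reduction; costs are the initial outlay
    (year 0) plus the annual operating cost (years 1..n). Returns PVB,
    PVC, NPV and BCR as defined in the text, plus the intermediate values.
    """
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale_before = annualized_loss_expectancy(sle, aro_before)
    ale_after = annualized_loss_expectancy(sle, aro_after)
    annual_benefit = ale_before - ale_after

    horizon = range(1, years + 1)
    pvb = sum(present_value(annual_benefit, rate, y) for y in horizon)
    pvc = initial_cost + sum(present_value(annual_cost, rate, y) for y in horizon)
    return {
        "sle": sle, "ale_before": ale_before, "ale_after": ale_after,
        "pvb": pvb, "pvc": pvc, "npv": pvb - pvc, "bcr": pvb / pvc,
    }


if __name__ == "__main__":
    # Constructed figures: a $500k asset losing 40% per incident, with
    # incidents falling from one every four years to one every twenty.
    result = evaluate_countermeasure(500_000, 0.40, 0.25, 0.05,
                                     initial_cost=60_000, annual_cost=15_000,
                                     years=5, rate=0.08)
    for key, value in result.items():
        print(f"{key:>10}: {value:,.2f}")
```

With these inputs the control turns a $50,000 ALE into $10,000, and
over five years at 8% the discounted benefit (about $159,700) exceeds
the discounted cost (about $119,900), so NPV is positive and BCR is
about 1.33; the same function with a higher annual cost or a shorter
horizon will show when a control is not worth buying.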

4.4.9 Information Value

Value can be applied to all information and represents the cost of the
information and its perceived importance to the organization from
internal or external perspectives. The value of information can change
over time. A change in value can be the result of a changing
environment, modification of the information itself, improper
disclosure, or a miscalculated value to the organization. The
information's value should be evaluated periodically to determine its
currency in the organization.

The methods of determining value can be descriptive or metric.
Descriptive methods are subjective and are usually sourced through
data collections such as checklists or surveys. More objective value
is determined by metrics, or statistical measures.

5 Information Security Program Development

5.1 Security Program Concepts

5.1.1 Strategies

Adoption of organizational best practices protects the security of
information and identifies areas of weakness in the organization.

Common best practices include:
• Job Rotation
• Separation of Duties
• Least Privilege
• Mandatory Vacations
• Job Position Sensitivity

Job rotation reduces the opportunity for collusion and makes it easier
to identify activities which fall outside normal operating procedures.

Separation of duties divides the steps of a particular process among
several people, so that no single individual has absolute control of
and knowledge about the process.

Least privilege grants only the access required to perform an
individual's tasks, which reduces the risk of inappropriate or
unintended disclosure of information. Mandatory vacations provide
benefits similar to job rotation and separation of duties: while the
regular holder of a position is away, someone else performs its
day-to-day functions and can observe irregularities.

The access and duties of an individual determine the sensitivity of
the position and therefore the level of control applied to its
security practices.

5.1.2 Program Activities

The key activities of a successful security program involve
establishing and managing effective controls, building awareness and a
security culture in the organization, and performing periodic checks
on the reliability of the program in the current environment. The
program deals with securing the current environment, putting solutions
in place to prevent the recurrence of previous security incidents, and
preparing for future threats.

Nearly every IT process and discipline contributes to and/or is
impacted by the security program, including:
• Configuration Management
• Incident Management
• Problem Management
• Change Management
• Availability Management
• Access Control
• Cryptography
• Environmental Security and Facilities
• Business Continuity and Disaster Recovery
• Telecommunications
• Network Management
• Application Development and Management
• Operations Management

The direct results of an Information Security Program consist of:
• A comprehensive, overall Information Security Management Policy.
• An Information Security Management System (ISMS) supporting the
security solution.
• Current risk assessment processes and reports.
• A set of security controls with details on their operation and
maintenance.
• Security audits and reports.
• Security test schedules and plans.
• A set of security classifications and classified information
assets.
• Reviews and reports of security breaches and major incidents.
• Policies, processes and procedures for managing partners and third
parties.

5.1.3 Managing Implementation

The implementation of information security management is strongly
dependent on establishing consistent support from the business, senior
management, and business security. The activities of ISM must be
aligned and integrated with the business and IT operations of the
organization, particularly with change management and configuration
management activities.

Some of the critical success factors for ISM implementation are:
• Protecting the business against security violations.
• Determining a clear policy integrated with business need.
• Justified and appropriate security procedures.
• Support from senior management.
• A continuous improvement mechanism.
• Integration with IT services.
• Protecting service availability from security incidents.
• Clear ownership and awareness of the security policies.

5.2 Security Controls

Security controls are classified in several ways and cover multiple
scenarios. Controls are put in place to prevent security incidents
from occurring, to identify and characterize incidents that are
occurring, and to limit the extent of the damage caused by a security
incident.

Controls can be categorized as:
• Physical controls
• Procedural controls
• Technical controls
• Compliance controls

The NIST Special Publication SP 800-53rev1 standard used by the US
Federal Government defines the following families of practices and
structures required to manage information security controls:
• Access Control
• Awareness and Training
• Audit and Accountability
• Certification, Accreditation, and Security Assessments
• Configuration Management
• Contingency Planning
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Physical and Environmental Protection
• Planning
• Personnel Security
• Risk Assessment
• System and Services Acquisition
• System and Communications Protection
• System and Information Integrity

The US Department of Defense has a shorter list in its DoD Instruction
8500.2 standard, which groups the Information Assurance (IA) controls
into 8 subject areas:
• Security Design and Configuration
• Identification and Authentication
• Enclave and Computing Environment
• Enclave Boundary Defense
• Physical and Environmental
• Personnel
• Continuity
• Vulnerability and Incident Management

The ISO/IEC 27001 standard addresses the practices required to manage
controls in the following areas:
• Risk assessment and treatment
• Security policy
• Organization of information security
• Asset Management
• Human Resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development and maintenance
• Incident management
• Business continuity management
• Compliance

5.2.1 Control Categories

Categories allow access control characteristics to be mapped to
control types. The six main access control characteristics are:
• Preventive – avoiding incidents
• Deterrent – discouraging incidents
• Detective – identifying incidents
• Corrective – applying remedies
• Recovery – restoring conditions to normal
• Compensating – providing an alternative control

Prevention of potential incidents is typically handled by restricting
the activities of users. Though access may be provided to a system,
privileges define what the user can do on the system.

Deterrents, such as requiring identification and authentication of a
user, service, or application, attempt to minimize the frequency and
impact of incidents.

Properly implemented access controls provide visibility into the
access environment, so that incidents can be identified and tracked
for evidence or alerts. Visibility is provided by:
• Intrusion Detection Systems (IDS)
• Virus controls
• Applications
• Web filtering
• Network operations
• Administration
• Logs and audit trails

Corrective activities usually occur after security incidents and focus
on identifying the actions required to prevent the incident or its
impact from recurring. Corrective actions can also result from
identifying weaknesses in security.

Unlike corrective activities, which focus on preventing recurrence of
an incident, recovery activities aim to return operations to normal
after an incident.

Compensating controls are used when existing capabilities do not
support the requirement of a policy. These controls can be technical,
procedural, or managerial.

5.2.2 Administrative Controls

Three types of access control exist:
• Administrative
• Physical
• Technical

Administrative controls describe the activities defining the roles,
responsibilities, policies, and administrative functions required. All
the actions, policies, and management of the control system fall into
the administrative realm. There are six major groups within the
administrative category:
• Operations policies and procedures
• Personnel security, evaluation, and clearances
• Security policies
• Monitoring
• User management
• Privilege management

The policies and procedures associated with access control and
security include:
• Change Control
• Business Continuity and Disaster Recovery
• Performance Management
• Configuration Management
• Vulnerability Management
• Product Life-Cycle Management
• Network Management

Security requirements should cover all defined job roles and
responsibilities. Roles should be aligned to defined policies and
include general responsibilities for adhering to security policies and
specific responsibilities for ensuring the protection of associated
assets.

Requirements for access control should be defined and documented,
usually as rules and rights for each user or group of users. This is
typically in the form of a policy which considers:
• Security requirements for individual applications, systems, and
services.
• Information authorization and dissemination.
• Access control consistency throughout different systems and
networks.
• Contractual and regulatory obligations.
• User access profile standards.
• Management of the access control system.

Monitoring provides a means of identifying deviations from
established access control policies with regard to:
 Authentication processing
 Authentication attempts
 Management of credentials
 Management of users
 Rights usage
 Denial of rights and access

Monitoring includes activities for logging and reviewing events.

Basic elements of a user management process include:
1. Approval of user to access systems.
2. Standard, uniquely defined user IDs, format, and other
specifics.
3. Checking that the level of access is appropriate to the role and job
purpose.
4. Requiring a signed written statement with conditions for access.
5. Documenting system changes.
6. Providing audits and status of the control environment.
7. Corrective action for unauthorized access.

User passwords are a vital component of an access control
environment. When governing passwords, consider:
 User agreements to keep passwords safe and confidential.
 Temporary passwords can only be used once and must be
changed by the user.
 Passwords are never stored unprotected or in clear text.
 Passwords should have a minimum and maximum length
and include various characters and formats.
 Passwords should be changed regularly.
 A history of passwords should be maintained to avoid
repeating old passwords.
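The governance points above, turned into a small per-user password record as an added example (not code from the study guide): salted iterated hashing so no clear text is kept, length and character-class rules, a reuse history, and a temporary password that is consumed on its first use. The limits, the PBKDF2 round count and the names are constructed for illustration.

```python
# Added example, not from the study guide: a password record that applies
# the governance rules listed above. Limits and round count are illustrative.
import hashlib
import hmac
import os
import secrets
import string

MIN_LENGTH = 12
MAX_LENGTH = 128
HISTORY_SIZE = 5          # how many previous passwords reuse is checked against
PBKDF2_ROUNDS = 100_000   # constructed work factor; tune upward in production
CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def complexity_violations(password: str) -> list:
    """Return the list of policy rules a candidate password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if len(password) > MAX_LENGTH:
        problems.append("too_long")
    # require at least three of the four character classes
    classes = sum(any(ch in cls for ch in password) for cls in CHARACTER_CLASSES)
    if classes < 3:
        problems.append("too_few_character_classes")
    return problems


class PasswordRecord:
    """Per-user record: current credential, history of previous hashes,
    and an optional one-time temporary password."""

    def __init__(self):
        self.current = None          # (salt, hash) of the active password
        self.history = []            # previous (salt, hash) pairs, newest last
        self.temporary = None        # (salt, hash) of an unused temporary password
        self.must_change = False

    def _in_history(self, password: str) -> bool:
        candidates = self.history + ([self.current] if self.current else [])
        return any(hmac.compare_digest(_derive(password, salt), digest)
                   for salt, digest in candidates)

    def set_password(self, password: str) -> list:
        """Apply the policy; returns [] on success, else the violations."""
        problems = complexity_violations(password)
        if self._in_history(password):
            problems.append("reused")
        if problems:
            return problems
        if self.current:
            self.history = (self.history + [self.current])[-HISTORY_SIZE:]
        salt = os.urandom(16)
        self.current = (salt, _derive(password, salt))
        self.temporary = None
        self.must_change = False
        return []

    def issue_temporary(self) -> str:
        """Generate a temporary password that is valid for exactly one use."""
        alphabet = string.ascii_letters + string.digits
        temp = "".join(secrets.choice(alphabet) for _ in range(16))
        salt = os.urandom(16)
        self.temporary = (salt, _derive(temp, salt))
        return temp

    def verify(self, password: str) -> bool:
        """Check a login attempt. A temporary password is consumed on its
        first successful use and forces a change of password."""
        if self.temporary:
            salt, digest = self.temporary
            if hmac.compare_digest(_derive(password, salt), digest):
                self.temporary = None
                self.must_change = True
                return True
        if self.current:
            salt, digest = self.current
            return hmac.compare_digest(_derive(password, salt), digest)
        return False
```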

Privilege management handles the allocation, administration, and use
of rights and privileges in systems. Procedures for privilege
management consider:
 Defining the privileges found and mapping them to
associated roles.
 Managing privileges based on what is required to perform
duties.
 Defining an authorization process and recording all
privileges allocation.
 Assigning extraneous duties for a user to a separate user
account.

Physical refers to the non-technical controls such as locks, fire
management, gates and guards. The most prevalent concern is
physical entry into a facility and considers:
 Clearing and supervising visitors.
 Defining access to controlled areas.
 Display of appropriate identification at all times.
 Reviewing and auditing access rights and privileges.

Many facilities will have multiple zones defined, with different levels of
security applied to them, often contributing to a defense-in-depth
solution.

5.2.3 Technical Controls

The technical type describes the mechanisms used within the digital
infrastructure to enforce the security policy. Technology controls
include a combination of firewalls, filters, operating systems,
applications, and routing protocols. Different considerations include:
 User controls
 Network access
 Remote access
 System access
 Application access
 Malware control
 Encryption

User controls are directly associated with the user and typically
revolve around authentication factors. The factors represent:
 Something the user knows.
 Something the user has.
 Something the user is or does.

A single-factor authentication method, such as a username and
password combination, focuses on the use of one factor. A two-factor
authentication method considers two factors, such as a token, fob, or
smart device providing a one-time password, certificate, or biometric.
All factors are considered in three-factor authentication, which
typically utilizes fingerprints, retina scanning, hand geometry, facial
features, or keystroke dynamics.

The purpose of network access controls is to limit communication.
They are associated with:
 Access control lists
 Remote-access solutions
 Virtual local area networks
 Protocols
 Firewalls
 Intrusion detection systems
 Intrusion prevention systems

The intent is to segment, filter, direct or reject communication to and
from the network.

Roaming users comprise a large portion of user communities.
Remote-access solutions provide services to acquire access to
systems and data from wireless points and remote locations. Virtual
private networks (VPNs) are a typical solution for controlling remote
access and combine authentication with encryption.

Systems can consist of a single server or a set of servers
providing a service or function. The most common attributes of a
system are the server and the operating system. Access controls are
typically managed by the operating system and apply to users, file
systems, and processes.

The simplest form of system access is on a single system and host,
though the most common is access to the file system, where access to
the system is validated as well as access to the individual files.

Applications utilize user and system access controls to protect against
threats and reduce exposure to them. The ability to protect from
attack lies significantly in the architecture of the application. Security
can be found in several layers of the application framework.

Technical controls are also used to reduce the likelihood and impact of
unwanted influences such as malware. The most common control for this
purpose is anti-virus solutions. Commonly found on the perimeter of the
network, the servers themselves, and on each client station, malware
control attempts to compensate for any known or unknown weaknesses in
systems, applications, and services.

Encryption, or cryptography, is used to ensure the confidentiality of
information or to verify the integrity of information.

5.2.4 Access Control Models

Four access control models exist:
 State machine model – the operating system is allowed to
transition between well-defined states.
 Access matrix model – a combination of read, write, and
execute permissions is assigned to users. Within the
matrix, the users are represented by rows and resources
are represented by columns.
 Take-grant model – uses graphs to illustrate the security
permissions taken and granted between objects.
 Bell-LaPadula model – a lattice-based model designed to
enforce the military's Mandatory Access Control (MAC)
mode with two rules:
o Simple security rule – information can only flow
from lower levels of security to higher levels.
o * Property rule – users can never write information
to a lower clearance level.

5.2.5 Integrity Models

Two integrity models exist:
 Biba model – a lattice-based model complementing the
Bell-LaPadula model with two rules:
o Simple integrity axiom – information cannot be
written to higher security levels.
o * Integrity axiom – information at a lower security
cannot be read by a user with higher levels.
 Clark-Wilson model – maintains data integrity by enforcing
a separation of duty.
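As an added example (not code from the study guide), the Bell-LaPadula and Biba read/write rules checked against a small lattice of labels; compartments are included so that two labels can be incomparable, which a plain ordered list of levels cannot show. The classification names, compartments and labels are constructed.

```python
# Added example, not from the study guide: a lattice of security labels with
# the Bell-LaPadula (confidentiality) and Biba (integrity) rules checked
# against it. Classification names and compartments are constructed.
from typing import FrozenSet, NamedTuple

# Ordered classification levels; compartments make this a lattice rather
# than a total order (two SECRET labels with different compartments are
# incomparable, so neither dominates the other).
CLASSIFICATION = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


class Label(NamedTuple):
    level: int
    compartments: FrozenSet[str]


def label(classification: str, *compartments: str) -> Label:
    """Build a label such as label("SECRET", "CRYPTO")."""
    return Label(CLASSIFICATION[classification], frozenset(compartments))


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when a's level is at least b's and a holds every
    compartment b holds. This is the lattice's partial order."""
    return a.level >= b.level and a.compartments >= b.compartments


def blp_allows(subject: Label, obj: Label, access: str) -> bool:
    """Bell-LaPadula: the simple security rule forbids reading up and the
    *-property forbids writing down, so information only flows upward."""
    if access == "read":
        return dominates(subject, obj)      # no read up
    if access == "write":
        return dominates(obj, subject)      # no write down
    raise ValueError(f"unknown access type {access!r}")


def biba_allows(subject: Label, obj: Label, access: str) -> bool:
    """Biba is the dual of Bell-LaPadula for integrity: a subject may not
    read lower-integrity data and may not write to higher-integrity data."""
    if access == "read":
        return dominates(obj, subject)      # no read down
    if access == "write":
        return dominates(subject, obj)      # no write up
    raise ValueError(f"unknown access type {access!r}")


def mls_allows(subject_conf: Label, subject_int: Label,
               obj_conf: Label, obj_int: Label, access: str) -> bool:
    """A system enforcing both models: the access must satisfy BLP on the
    confidentiality labels and Biba on the integrity labels."""
    return (blp_allows(subject_conf, obj_conf, access)
            and biba_allows(subject_int, obj_int, access))


if __name__ == "__main__":
    analyst = label("SECRET", "CRYPTO")
    objects = {"memo": label("CONFIDENTIAL"),
               "plan": label("TOP_SECRET", "CRYPTO"),
               "other": label("SECRET", "NUKE")}
    for name, obj in objects.items():
        for access in ("read", "write"):
            print(f"BLP {access:5} {name:6}: {blp_allows(analyst, obj, access)}")
```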

5.2.6 Rainbow Series

The Rainbow Series is a set of books published in 1985 by the National
Computer Security Center. The books are called the Rainbow Series
because each one can be identified by the color of its cover:
 Orange Book – includes the DoD Trusted Computer
System Evaluation Criteria (TCSEC).
 Red Book – the Trusted Network Interpretation of the
TCSEC.
 Purple Book – the DoD Trusted Database Management
System.
 Green Book – the DoD Password Management Guideline.
 Amber Book – the Guide to Understanding Configuration
Management in Trusted System.

The Trusted Computer System Evaluation Criteria (TCSEC) specifies
criteria for evaluating systems:
 A set of laws, rules, and practices called the security policy
must be available to describe how to regulate how an
organization manages, protects, and distributes sensitive
information.
 Each user of a trusted system must be uniquely identified.
 Each security object must be labeled to describe the
sensitivity of the object.
 The compliance of a trusted system to TCSEC criteria
must be completely documented.
 User actions must be auditable at an individually
identifiable level.
 Formal methods should be used to validate the system
design and implementation processes.
 The trusted computing system must be continuously
protected against unauthorized changes.

Specific designations are awarded under TCSEC as follows:
 Minimal Protection (D) systems have been evaluated but
fail to meet the requirements for a higher evaluation
criteria.
 Discretionary Protection (C1) systems satisfy the
criteria for discretionary access controls including:
o Identification and Authentication.
o Discretionary Access Control Security Policy.
o Operational Assurance of System Architecture and
System Integrity.
o Lifecycle Assurance of Security Testing.
o Proper documentation for:
 Security Features Users' Guide.
 Trusted Facility Manual.
 Test Documentation.
 Design Documentation.
 Controlled Access Protection (C2) systems build on C1
requirements to have more granular discretionary access
controls:
o Object Reuse Security Policy.
o Auditing procedures.
 Labeled Security Protection (B1) systems meet C2
systems requirements and introduce labeling requirements
such as:
o Label Integrity Policy.
o Policy on exportation of Labeled Information to
Single-Level Devices, MultiLevel Devices, and
Human-Readable Output.
o Mandatory Access Control Policy.
o Lifecycle Assurance of Design Specification and
Verification.
 Structured Protection (B2) systems build on B1
requirements making them relatively resistant to
penetration:
o Addresses Subject Sensitivity Labels and Device
Labels in the Labeling Policy.
o Trusted Path for Identification and Authentication.
o Adds to the Operational Assurance of Covert
Channel Analysis.
o Adds to the Trusted Facility Management.
o Configuration Management of Lifecycle Assurance.
 Security Domains (B3) systems are highly resistant to
penetration and build on B2 requirements, adding:
o Trusted Recovery Operational Assurance.
o Uses a Trusted Computing Base (TCB) to allow
rigorous testing.
 Verified Design (A1) systems do not add any requirements
or features: certification is granted because formal
techniques for design specification and verification are in
place.

The techniques used by A1 systems follow a five-step process:
 Development of a formal model of the security policy which
includes mathematical proof.
 Development of a formal top-level specification (FTLS) of
the design including definitions of functions.
 Formal and informal techniques used to verify the FTLS is
consistent with the model.
 Verify the implementation of the TCB is consistent with the
FTLS through informal techniques.
 Formal analysis performed to identify any covert channels
in the system.

5.2.7 Information Technology Security Evaluation Criteria (ITSEC)

The ITSEC is used in Europe and addresses confidentiality, integrity,
and availability. The criteria result in two ratings: functionality (F1-
F10) and assurance (E0-E6).

ITSEC maps to and extends the TCSEC.

5.2.8 Common Criteria

Described by ISO/IEC 15408, the Common Criteria for Information
Technology Security Evaluation (CC) was developed with the
cooperation of several governments. The Common Criteria model replaces:
 The U.S. Trusted Computer System Evaluation Criteria
(TCSEC).
 The European Information Technology Security Evaluation
Criteria (ITSEC).
 The Canadian Trusted Computer Product Evaluation
Criteria (CTCPEC).

The model defines the use of:
 Protection profiles – product's security requirements.
 Security targets – vendor's design claims for a structured
system to evaluate IT products.

The evaluation of products results in the assignment of an Evaluation
Assurance Level (EAL):
 EAL1 – functionally tested
 EAL2 – structurally tested
 EAL3 – methodically tested and checked
 EAL4 – methodically designed, tested and reviewed
 EAL5 – semiformally designed and tested
 EAL6 – semiformally verified design and tested
 EAL7 – formally verified design and tested

5.3 Security Technologies

5.3.1 Identity Management

Identity management is a set of technologies used to manage the identities
of employees, contractors, customers, partners, and vendors. The IT
infrastructure is designed to centralize and streamline the processes for
managing user identity, authentication, and authorization data. All aspects
of access control are found within identity management.

Identity management focuses on the provisioning of users and on the
processes and management of access control. The process typically
consists of:
 Creating a new user profile within the HR database.
 Creating a request for access for the profile.
 The request for access being approved by all necessary
managers.
 Approved requests sent to IT teams to grant required
access.
 Access granted and recorded in history files.

Challenges to successful identity management solutions include:
 Consistency of user data across multiple systems.
 Efficient processes for granting access across multiple
systems to reduce repetitive tasks.
 Increase of usability by reducing the requirement for
multiple prompts to verify identity.
 Reliability of user profile data ensures the timely updates
of user information.
 Scalability of the solution across enterprises.

The technologies used by identity management are:
 Directories
 Web access management
 Password management
 Legacy single sign-on
 Account management
 Profile updates

Directories are typically a comprehensive system built to centralize
data management efforts by containing the data within a hierarchy of
objects. A directory can be stored on one or more servers which
replicate between themselves. Access to the data in the directory is
usually provided by a protocol, such as Lightweight Directory Access
Protocol (LDAP).

Directories provide a method for simplifying architectures and avoiding
replication of information. Unfortunately, legacy systems do not
support using external systems, such as directories, to manage users.

Building on directories, data can be leveraged to manage user
identity, authentication, and authorization using a Web access
management (WAM) solution. These solutions typically use a front-end
Web server to authenticate once when entering the web environment
and sustain that authorization throughout the entire session.

Password management provides a method of tracking passwords
across multiple platforms and their various expiration times. Based on
the criticality of the application or service, different requirements may
exist for resetting or changing the password on a regular basis. Most
users have accounts on multiple systems. A password management
system can manage the passwords on all these systems and even
allow mundane user tasks, such as password resets and account
management, to be conducted.

In some cases, a single sign-on (SSO) is provided for users to access
one or more systems simultaneously during a single authentication
process. In these solutions, a central repository of user credentials is
provided, sometimes on a server or within a smart card. These
repositories are separate from the application or service being
accessed. Therefore, some replication process must be in place
whenever the user ID and/or password are changed within the
application or the repository. Single sign-on solutions have a greater
cost attributed to them.

Account management is designed to control the creation, modification
and decommissioning of users within a system. WAMs typically manage
access control for web-based applications, but not enterprise based
solutions. Most account management solutions provide a centralized,
cross-platform security capability with features:
 Simultaneous management of user access to multiple
systems.
 An automated workflow system for submitting requests for
new, modified, or deleted accounts.
 Automatic replication of data.
 Ability to load batch changes to user directories.
 Policy-based changes automatically performed to create,
change, or remove access.
 Focus on enterprise system access.

Profiles are used to identify entities through a collection of associated
information. Most profiles will change at some point within the life
cycle of the user. Identifying and updating this information on a timely
basis is an important aspect of maintaining access control.

5.3.2 Access Control Technologies

Several technologies are used to manage access:
 Single sign-on (SSO)
 Kerberos
 Secure European System for Applications in a Multi-
Vendor Environment (SESAME)
 Security domains

Also referred to as reduced sign-on or federated ID management,
single sign-on capabilities allow a user to sign-on to the system one
time and have access to multiple systems. Single sign-on solutions
allow for:
 Efficient log-on processes
 Stronger passwords
 Elimination of multiple passwords
 Enforcement of time-out and attempt thresholds
 Centralized administration

The two challenges to single sign-on solutions are the ability to support
unique platforms and the risk of access to multiple systems through a
compromised username and password.

Kerberos is a product of MIT's Project Athena. Its name is derived
from the mythological three-headed dog guarding the entrance to
Hades. Like its namesake, Kerberos uses three elements to guard a
network:
 Authentication
 Accounting
 Auditing

Used in open, distributed environments where users have a separate
unique ID for each application, Kerberos will verify the users and the
network services they use within a permission profile.

Kerberos meets the four basic requirements for access control:
 Security – protects the user's information.
 Reliability – ensures system availability when needed.
 Transparency – authentication process is hidden from the
user.
 Scalability – can support any number of clients and
servers.

The Kerberos authentication process is an interaction between three
systems:
 The principal or requesting system.
 The endpoint destination server.
 The Kerberos server.

Combined, these three systems are referred to as the Kerberos
Distribution Center (KDC) and serve two functions during an
authentication process:
 Authentication server (AS)
 Ticket-granting server (TGS)

Kerberos utilizes symmetric encryption and a shared secret key. All
principals are preregistered with a secret key which is maintained in a
database by the KDC.

The predetermined key for each principal is created when the user or
system is added to the Kerberos structure. A realm key is provided
when introduced, which is a common key used for initial trusted
communication. A unique key is created during the introduction to
support future communication. The unique key is shared throughout
the domain through the realm key.

The basic structure of the Kerberos process is:
 The principal is authenticated using the predetermined
secret key.
 A ticket-granting ticket (TGT) is provided to the principal
upon authentication.
 This ticket establishes a trusted relationship between
multiple principals.
 When a server, application, or service is accessed, a
service ticket (ST) is requested.
 The TGT is presented as proof of authentication to the
KDC.
 The KDC will create a unique session key (SK1) that
allows the requesting principal and target principal to
communicate.
 SK1 will be encrypted twice, once with each principal's secret
key, P1Key and P2Key.
 If P1 is authentic, it decrypts SK1 and sends it to P2 with
the copy encrypted under P2Key.
 If P2 is authentic, it will be able to decrypt SK1.

TGTs are like passports and are only valid for a period of time,
generally 8 to 10 hours.
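The sequence just listed, simulated end to end as an added example (not code from the study guide): the KDC issues a TGT against a pre-registered key, then mints SK1 and seals it once under P1Key and once under P2Key, and each principal recovers it with its own key. The symmetric cipher is a constructed HMAC-SHA256 keystream with an integrity tag standing in for the cipher a real Kerberos deployment uses, and the principal names, keys and 8-hour TGT lifetime are assumptions.

```python
# Added example, not from the study guide: a simulation of the TGT / service
# ticket exchange described above. The cipher is a constructed stand-in
# (HMAC-SHA256 keystream plus integrity tag); names and keys are constructed.
import hashlib
import hmac
import json
import os
import time

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC under a shared secret key: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Reject the blob unless it was sealed under exactly this key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ticket")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Authentication server (AS) and ticket-granting server (TGS) in one."""

    def __init__(self, principal_keys: dict, tgt_lifetime: int = 8 * 3600):
        self.keys = dict(principal_keys)   # pre-registered secret keys
        self.tgs_key = os.urandom(32)      # KDC-only key that seals TGTs
        self.tgt_lifetime = tgt_lifetime   # 8 hours, within the 8 to 10 h the text gives

    def authenticate(self, principal: str, proof: bytes, now: float) -> bytes:
        """AS function: the principal proves it holds its key by sealing a
        fresh timestamp under it; a TGT is returned."""
        stamp = json.loads(unseal(self.keys[principal], proof))
        if abs(now - stamp["time"]) > 300:   # replayed or stale proof
            raise ValueError("stale authenticator")
        tgt = {"principal": principal, "expires": now + self.tgt_lifetime}
        return seal(self.tgs_key, json.dumps(tgt).encode())

    def service_ticket(self, tgt: bytes, target: str, now: float):
        """TGS function: validate the TGT, create SK1, seal it for P1 and P2."""
        claim = json.loads(unseal(self.tgs_key, tgt))
        if now > claim["expires"]:
            raise ValueError("TGT expired")
        sk1 = os.urandom(32)
        for_p1 = seal(self.keys[claim["principal"]], sk1)
        ticket = {"client": claim["principal"], "sk1": sk1.hex(), "expires": claim["expires"]}
        for_p2 = seal(self.keys[target], json.dumps(ticket).encode())
        return for_p1, for_p2


def run_exchange(kdc: KDC, p1: str, p1_key: bytes, p2: str, p2_key: bytes,
                 ticket_use_delay: int = 0) -> bool:
    """Drive the whole sequence. True when both principals end up holding
    the same SK1; False when any step is rejected."""
    now = time.time()
    try:
        proof = seal(p1_key, json.dumps({"time": now}).encode())
        tgt = kdc.authenticate(p1, proof, now)
        for_p1, for_p2 = kdc.service_ticket(tgt, p2, now + ticket_use_delay)
        sk1_at_p1 = unseal(p1_key, for_p1)           # P1 decrypts its copy
        ticket = json.loads(unseal(p2_key, for_p2))  # P2 decrypts its copy
    except ValueError:
        return False
    return sk1_at_p1 == bytes.fromhex(ticket["sk1"]) and ticket["client"] == p1


# Constructed realm: two principals registered with the KDC.
ALICE_KEY, FILESERVER_KEY = os.urandom(32), os.urandom(32)
REALM = KDC({"alice": ALICE_KEY, "fileserver": FILESERVER_KEY})

if __name__ == "__main__":
    print("exchange ok:", run_exchange(REALM, "alice", ALICE_KEY, "fileserver", FILESERVER_KEY))
```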

The purpose of the Kerberos process is to ensure private
communications between systems.

SESAME, or Secure European System for Applications in a Multi-
Vendor Environment, is a project funded by the European
Commission to address weaknesses in Kerberos and the name of the
technology that came out of the project.

Specific attributes for SESAME include:
 SSO using symmetric and asymmetric cryptographic
techniques.
 Privileged attribute certificates (PAC), similar to a Kerberos
ticket.
 Components are accessible through Kerberos v5 protocol.
 Public key cryptography.
 Role-based access control.

Security domains are trust-based hierarchical environments which
share a single security policy and management between resources
and services. The security policy will define which objects are
accessible by each user. The hierarchical structure allows objects to
be accessed which are in equal or lower domains. Higher privilege
domains are protected from lesser privileged domains.

Security domains have several characteristics:
 More than one domain can exist on a server.
 A subject's domain consists of the set of objects which a
user can access.
 If two distinct and separate domains exist on a server, only
those individuals, or subjects, authorized can access
information on a specific domain.

When an object is shared between multiple subjects, an equal number
of domains exist containing that object.

5.3.3 Access Control Lists

Access control lists (ACLs) are used to permit or limit traffic based on
an attribute, or to provide permissions within a specific system based
on policy. They are a form of DAC.

ACLs are typically a list of users given access to a given system with
specific permission. They are often implemented with access control
matrices (ACMs).

An ACM is a table structure for an ACL. Subjects and objects are both
identified and permissions are incorporated.

5.3.4 Types of Access Control

When rules are used to determine what accesses should be granted,
the system is using rule-based access control. Also a form of DAC,
the rules are created by system owners and specify the privileges
granted to users. The rules are enforced by a mediation mechanism to
ensure only authorized access.

When the functions performed by the user determine the access to
systems and applications, a role-based access control (RBAC) policy
is being used. The roles are defined and governed by the owner of
the data, making RBAC a form of DAC. Several approaches to RBAC
can be applied to computer systems:
 non-RBAC – traditional mapping between user and
application.
 limited RBAC – users are mapped to application roles, as
well as applications or data.
 hybrid RBAC – roles are applied to more than one
application or system. Individuals can be assigned to roles
that are then applied to an application or to a role
specifically defined by the application.
 full RBAC – all roles are defined by policy, then applied to
applications and systems.

Content-dependent access control is based on the content of the
data. A decision for access is determined after an analysis of the data.

Within a constrained user interface, users are restricted to specific
functions. This is done by preventing users from requesting functions
or services which are beyond their role or privilege.

Capability tables can track, manage, and apply controls based on the
object and the capabilities, or rights, of the user.
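One structure serves the access matrix model of 5.2.4, the ACL and ACM of 5.3.3, and the capability tables just mentioned: an added example (not code from the study guide) keeping subjects as rows and objects as columns, where reading one column gives that object's ACL, reading one row gives that subject's capability table, and every access is mediated by a check that denies by default. Subjects, objects and rights are constructed.

```python
# Added example, not from the study guide: an access control matrix with
# ACL (column) and capability (row) views and a default-deny mediation
# check. Subjects, objects and rights are constructed.
from collections import defaultdict


class AccessMatrix:
    def __init__(self):
        # (subject, object) -> set of rights; an absent cell means no access
        self._cells = defaultdict(set)

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        self._cells[(subject, obj)].update(rights)

    def revoke(self, subject: str, obj: str, *rights: str) -> None:
        """Remove the named rights, or the whole cell when none are named."""
        cell = self._cells.get((subject, obj))
        if cell is None:
            return
        if rights:
            cell.difference_update(rights)
        else:
            cell.clear()
        if not cell:
            del self._cells[(subject, obj)]

    def check(self, subject: str, obj: str, right: str) -> bool:
        """Mediation decision: allowed only if the right is listed in the cell."""
        return right in self._cells.get((subject, obj), ())

    def acl(self, obj: str) -> dict:
        """Column view: the ACL for one object (subject -> rights)."""
        return {s: set(r) for (s, o), r in self._cells.items() if o == obj}

    def capabilities(self, subject: str) -> dict:
        """Row view: the capability table for one subject (object -> rights)."""
        return {o: set(r) for (s, o), r in self._cells.items() if s == subject}

    def render(self) -> str:
        """Text table; each cell shows the first letter of every right held."""
        subjects = sorted({s for s, _ in self._cells})
        objects = sorted({o for _, o in self._cells})
        width = max(len(x) for x in subjects + objects + ["subject"]) + 2
        lines = ["subject".ljust(width) + "".join(o.ljust(width) for o in objects)]
        for s in subjects:
            cells = ["".join(sorted(r[0] for r in self._cells.get((s, o), ()))) or "-"
                     for o in objects]
            lines.append(s.ljust(width) + "".join(c.ljust(width) for c in cells))
        return "\n".join(lines)


def build_sample() -> AccessMatrix:
    """Constructed matrix: two users and an auditor over two resources."""
    m = AccessMatrix()
    m.grant("alice", "payroll.db", "read", "write")
    m.grant("bob", "payroll.db", "read")
    m.grant("alice", "audit.log", "read")
    m.grant("auditor", "audit.log", "read", "execute")
    return m


if __name__ == "__main__":
    print(build_sample().render())
```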

Temporal (time-based) access controls are provided at a given time
for a predetermined duration. A request outside of the defined time
frame is denied.

When the access decisions are made by a single entity, the solution
utilizes a centralized access control. The entity can be an individual,
department, or device. RADIUS, TACACS+ and DIAMETER are
examples of centralized access control systems.

When control for deciding on access is given to individuals close to
the resource, the solution is considered decentralized. This type of
solution can lead to non-standardization and overlapping rights.

5.3.5 Authentication Devices

Instead of using a password, or in addition to a password, for
authentication, a person may have a physical device that can be
used. There are two methods found here:
 Asynchronous token devices utilize a challenge and
response technology requiring interaction between the
user and the authenticating party or system. When access
is requested, the authenticating party will provide a
challenge which can only be answered by the token in
possession of the user. The token will provide the correct
response which is given to the authenticating party and
access is granted.
 Synchronous token authentication is similar in process but
relies on an event, location, or time-based synchronization
between the requester and authenticating party. The most
popular method is time-based where the token utilizes an
embedded key to produce a unique string of numbers
and/or characters in a given timeframe, usually one
minute. The user will enter the character string whenever
access is requested to authenticate themselves.
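The time-based synchronous token described above, as an added example (not code from the study guide): the token and the authenticating party share an embedded secret and derive the same code from the current one-minute window, and the verifier tolerates one window of clock drift while refusing to accept a code a second time. The code follows the HOTP/TOTP construction (RFC 4226 and RFC 6238); the secrets and times used are constructed.

```python
# Added example, not from the study guide: a time-synchronised token code
# and its verifier (HOTP/TOTP construction, RFC 4226 / RFC 6238).
# Secrets and timestamps are constructed.
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the one-minute window the text describes
DIGITS = 6


def token_code(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the counter, dynamically truncated to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def window(unix_time: float, step: int = STEP_SECONDS) -> int:
    """Which time window a moment falls in; both sides compute this."""
    return int(unix_time // step)


def code_at(secret: bytes, unix_time: float, step: int = STEP_SECONDS,
            digits: int = DIGITS) -> str:
    """What the token in the user's hand displays at this moment."""
    return token_code(secret, window(unix_time, step), digits)


class TokenVerifier:
    """Authenticating party: shares the secret, allows limited clock
    drift, and never accepts the same window twice."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS,
                 digits: int = DIGITS, drift: int = 1):
        self.secret, self.step, self.digits, self.drift = secret, step, digits, drift
        self.last_accepted = -1      # highest window counter already used

    def verify(self, submitted: str, unix_time: float) -> bool:
        current = window(unix_time, self.step)
        for w in range(current - self.drift, current + self.drift + 1):
            if w <= self.last_accepted:
                continue             # replay of an already-used window
            expected = token_code(self.secret, w, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted = w
                return True
        return False
```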

In addition to tokens, authentication devices exist which house the
credentials for the user. The two most popular devices are:
 Memory cards
 Smart cards

The difference between the two is processing power. A memory card
will hold information but does not process information. A smart card
will process information. A memory card is used like a password to
gain access after the user enters their unique ID.

Typically, the process requires the user to present the memory card
and a user ID or PIN. If the authentication information on the memory
card matches with the user provided information, access is granted. A
memory card can be used with computers, but a reader is required to
process the information.

The cost of readers, as well as the overhead of generating PINs
and cards, needs to be considered in any security solution. These
costs need to be balanced with the benefits of implementing memory
cards, which are generally a more secure solution than basic
passwords.

Despite this security, memory cards have a basic flaw: the data stored
on the card is not protected. The data can be extracted or copied.
Since the card cannot process information, the data is unencrypted.
Smart cards, on the other hand, can have security controls and logic
embedded into their integrated circuits.

A smart card is the size of a credit card and has a semiconductor chip
embedded in it. The chip is either a memory chip with
nonprogrammable logic or a microprocessor with internal memory.
The chip will accept, store, and send information. That information is
divided into four sections:
 Information that can be read only.
 Information that can be added only.
 Information that is updated only.
 Information that has no access available.

5.3.6 Integrated Circuit Cards

Smart cards are more correctly termed integrated circuit cards (ICC) by
the International Organization for Standardization (ISO) to specify all
devices which are an ISO 1 identification card with an integrated
circuit (IC). The size of the card is 85.6x53.98x0.76 mm, or the size of
a bank or credit card.

The capabilities of a smart card are:
 Ability to store personal information.
 A high degree of security and portability.
 Tamper-resistant storage.
 Security-critical computations isolated within the card.
 Secure enterprise-wide authentication.
 Use of encryption systems.
 Can perform encryption algorithms.

The IC is essentially a memory chip. There are several types of
memory that can be implemented in a smart card chip:
 Read-only memory (ROM) – the data found in ROM is
predetermined by the manufacturer and is unchangeable.
 Programmable read-only memory (PROM) – the type of
memory can be modified if high voltages are applied to
enact links within the IC. Found to be unsuitable for ICC.
 Erasable programmable read-only memory (EPROM) – an
early implementation operating within a one-time
programmable mode (OTP) because of its architecture. To
erase the memory, ultraviolet light is required.
 Electrically erased programmable read-only memory
(EEPROM) – provides user access and can be rewritten
many times over. The amount of memory offered ranges

97
Copyright The Art of Service│Brisbane, Australia│Email:service@theartofservice.com
Web: http://theartofservice.com │eLearning: http://theartofservice.org │Phone: +61 (0)7 3252 2055
from 8 to 256 KB.
 Random-access memory (RAM) – With ROM solutions,
the data remains intact when power is removed. The
opposite is true for cards with RAM, requiring cards to
have their own power source. Though the risk is that
power will deplete, a RAM card has better storage and
speed capabilities.

A microcontroller is integrated into the chip to manage the data in
memory. Control logic is used to provide various services, including
security. The construction of the IC has great influence on the controls
associated with the data.

The configuration of these cards prevents certain types of data from
being stored on the device or accessed indirectly from external
applications. To allow the card to function as intended and protect the
data, programs can be embedded into portions of the memory utilized
by the processor.

There are several features that are found in smart cards:
• 64-KB EEPROM
• 8-bit CPU microcontroller
• Cryptographic functions for DES, 3DES, RSA 1024 bit and SHA-1
• 2 to 5.5 V variable power
• 1 to 7.5 MHz clock frequency
• 250,000 to 500,000 write/erase cycles (endurance)
• 7 to 10 years data retention

How smart cards interact with other systems defines the type of smart
card. There are two basic types:
1. Contact cards require physical contact in order to communicate
with other systems.
2. Contactless cards use proximity technology to provide an
interface.

ISO 7816-2 allows eight electrical contacts for a contact ICC to
interact with other systems, though only six are used. Each contact
(Cn) has a designation starting with Vcc and is embedded
counterclockwise around the plate.

Contact  Designation  Use
C1       Vcc          Power connection allowing operating power to the
                      microprocessor
C2       RST          Allows reset signals from the interface device (IFD)
C3       CLK          Clock signal line controlling the operation speed
                      and providing a common framework for data
                      communication
C4       RFU          Reserved for future use
C5       GND          Provides a common electrical ground between the
                      IFD and ICC
C6       Vpp          Programming power connection used to program
                      EEPROM
C7       I/O          Input/output line allowing a half-duplex
                      communication channel between the reader and
                      the smart card
C8       RFU          Reserved for future use

Contactless cards are more durable, have greater speed and
convenience, and have more applications in use than contact cards.
Because they do not require physical contact, less damage is
possible to the plate or magnetic strip. Contactless cards are found in
devices such as cell phones and PDAs.

ISO 14443 defines the physical characteristics, radio frequency power
and signal interface, initialization and anticollision, and transmission
protocol of contactless cards, more commonly referred to as proximity
integrated circuit cards (PICC). Low-frequency electromagnetic
radiation is used to provide power and data interchange. A proximity
coupling device (PCD) provides the required signal and power control
for communicating with the card. A radio frequency (RF) field is
produced by the PCD which activates any card that falls within its
electromagnetic field loop. The field operates at 13.56 MHz ± 7 kHz and
a constant power range.

The PCD will alternate between two modulation (signal) types until
a PICC is incorporated into the communication process. Both types,
type A and type B, support 106 kbps in bidirectional communication.

The log-on process for smart cards is done at the reader and not the
host, providing an advantage to the technology because the identifier
and password are not exposed while in transit to the host.

Public key infrastructure (PKI) technologies provide several functions
for authentication and information security on smart cards, including:
• Secure log-on
• Secure e-mail/digital signatures
• Secure web access/remote access
• VPNs
• Hard disk encryption

5.3.7 Biometrics

Biometrics use sophisticated technologies to calculate uniqueness
using behavioral characteristics or specific biological indicators of the
human body. There are two types of biometrics:
• Physiological
• Behavioral

Different physiological biometrics include:
• Fingerprints – the oldest form of biometric used to identify
uniqueness.
• Hand geometry – draws conclusions by discerning attributes of the
user's hand, including tension, temperature, length, and width.
• Hand scans – combination of fingerprints and hand geometry.
• Retina scans – scans the unique attributes of the back of the eye.
• Iris scans – scans the colored material surrounding the pupil.
• Voice patterns and recognition – determines the unique sounds
produced to identify the user in addition to what is being said.
• Face scan – verifies the heat signatures and geometry of the user.

Behavioral biometrics focus on determining patterns in a user's
actions:
• Keystroke pattern analysis will utilize the user's PIN or password
along with how the information is entered; it is driven by the
assertion that different people will enter the same information
differently.
• Signature dynamics will analyze stroke speed, acceleration,
deceleration, and pressure along with the content of a user's
signature.

Where passwords, tokens, or smart devices offer static processes that
have a high level of accuracy and confidence, biometrics are a
technical and mathematically based estimate. Most scans rely on
hundreds or thousands of environmental variables to perform an
accurate reading. Any variance in those conditions, including illness,
can impact the scan.

There are three categories of biometric accuracy measurements:
• Type I error, or false reject rate, identifies when authorized
users are rejected as unidentified or unverified.
• Type II error, or false accept rate, identifies when unauthorized
users are accepted as authentic.
• Crossover error rate (CER) is the point where the type I and
type II errors are equal. The lower the value of the CER, the more
accurate the system.

Sensitivity is the key determiner in proper authentication through the
use of biometrics. Tuning the system to maintain a low CER is the
best way to ensure neutrality.
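A worked FRR/FAR/CER computation, added here as an example and not part of the original notes: constructed match scores for authorized (genuine) and unauthorized (impostor) attempts are swept over a decision threshold to show how tightening the threshold trades type I for type II errors and where the crossover point lies.

```python
"""FRR, FAR and crossover error rate on constructed biometric match scores.

Added example (not from the CISM notes). Scores are constructed sample
values in [0, 1], where a higher score means a closer match to the
enrolled template; they are not output from a real sensor.
"""
from typing import List, Tuple

GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.74, 0.70, 0.66, 0.61]
IMPOSTOR_SCORES = [0.72, 0.64, 0.58, 0.55, 0.52, 0.49, 0.47, 0.44, 0.41, 0.38, 0.35, 0.30]


def false_reject_rate(genuine: List[float], threshold: float) -> float:
    """Type I error: share of authorized attempts scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(impostor: List[float], threshold: float) -> float:
    """Type II error: share of unauthorized attempts scoring at or above it."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_table(genuine: List[float], impostor: List[float],
                thresholds: List[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FRR, FAR) rows: the trade-off an administrator tunes."""
    return [(t, false_reject_rate(genuine, t), false_accept_rate(impostor, t))
            for t in thresholds]


def crossover_error_rate(genuine: List[float], impostor: List[float],
                         steps: int = 1000) -> Tuple[float, float]:
    """Sweep the threshold over [0, 1] and return (threshold, CER).

    With finite samples FRR and FAR rarely coincide exactly, so the CER is
    reported as their mean at the threshold where they are closest; the
    first such threshold is kept.
    """
    best = None
    for i in range(steps + 1):
        t = i / steps
        frr = false_reject_rate(genuine, t)
        far = false_accept_rate(impostor, t)
        if best is None or abs(frr - far) < best[0]:
            best = (abs(frr - far), t, (frr + far) / 2)
    return best[1], best[2]


if __name__ == "__main__":
    for t, frr, far in error_table(GENUINE_SCORES, IMPOSTOR_SCORES,
                                   [0.5, 0.6, 0.65, 0.7, 0.8]):
        print(f"threshold {t:.2f}: FRR {frr:.3f}  FAR {far:.3f}")
    print("CER threshold, CER: %.3f, %.3f"
          % crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```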

To maintain the integrity of the control environment, biometrics
considers:
• Resistance to counterfeiting.
• Data storage requirements.
• User acceptance.
• Reliability and accuracy.

5.3.8 Intrusion Detection Systems (IDS)

An IDS is a reactive warning system meant to provide information to
administration to make decisions to respond to an attack.
Developments in technology have allowed some responses to
predefined attacks to be automated under limited conditions.

The unique traffic generated by the organization will require the IDS to
be tuned to support the network. If tuned incorrectly, the IDS can
create a significant vulnerability for the organization.

A Network Intrusion Detection System (NIDS) will monitor the traffic
traveling on the network segment to which the system is attached. A
passive NIDS is attached to a hub, using a network tap, or by mirroring
the ports on a switch to a dedicated NIDS port. The system will
inspect all packets and monitor sessions without impact.

NIDS have several essential characteristics:
• Monitors network packets and traffic in real time.
• Analyzes protocols and other packet information.
• Can send alerts or terminate offending connections.
• Can integrate with firewalls and define rules.
• Monitoring data packets can be disrupted by encryption.

Host-based intrusion detection systems (HIDS) are implemented at
the host level. Where the intrusion detection analysis takes place is
the primary difference from NIDS. The scope of the HIDS is the
boundaries of the host, and it increases the level of visibility and
control available because of its integration with the host.

Some HIDS have the ability to monitor multiple hosts and will share
policy information and real-time information between systems.

The characteristics of HIDS include:
• Apparent intrusions can be detected on the host.
• Event logs, critical system files, and other auditable system
resources can be scrutinized.
• Monitors for unauthorized changes or suspicious behavior patterns.
• Alerts are sent when unusual events are detected.
• Multihost HIDS will receive audit data from multiple hosts.

An IDS can utilize several analysis methods. Two basic types include:
• Pattern matching – the attack vector is known and an alert is
provided when the pattern is detected.
• Anomaly detection – draws conclusions from the use of several
tactics to determine if the traffic represents a risk.

Pattern matching technology was utilized by some of the first IDS
products and was based on signatures – collections of byte
sequences that represented a mode of attack. A single database in a
pattern matching IDS would have hundreds, or thousands, of
signatures.

Some attributes of a pattern matching IDS include:
• Known attacks are identified.
• Specific information for analysis and response is provided.
• False positives may be triggered.
• Signatures need to be updated regularly.
• Attacks may be modified to avoid detection.

Another form of pattern matching is stateful matching, where the IDS
scans for attack signatures within the traffic stream rather than in
individual packets. The main difference from basic pattern matching is
that signatures are detected across multiple packets.
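Per-packet versus stateful matching, as an added example that is not from these notes: a constructed, benign marker string stands in for an attack signature and is split across two TCP segments of one flow that arrive out of order. Basic pattern matching inspects each packet alone and misses it; stateful matching reassembles the flow by sequence number and scans the stream.

```python
"""Per-packet versus stateful signature matching (added example).

SIGNATURES and SAMPLE_PACKETS are constructed for the demonstration; the
marker is a harmless string, not a real attack signature, and the
addresses are from the 192.0.2.0/24 documentation range.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SIGNATURES: Dict[str, bytes] = {"demo-sig-1": b"X-DEMO-ATTACK-MARKER"}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes


FlowKey = Tuple[str, int, str, int]


def flow_key(p: Packet) -> FlowKey:
    return (p.src, p.sport, p.dst, p.dport)


def per_packet_matches(packets: List[Packet]) -> List[str]:
    """Basic pattern matching: every packet is inspected in isolation."""
    return [name for p in packets
            for name, sig in SIGNATURES.items() if sig in p.payload]


def reassemble(segments: List[Packet]) -> bytes:
    """Join sequence-sorted segments of one flow into a contiguous stream.

    Bytes already in the stream (retransmissions, overlaps) are taken once;
    at a gap the stream stops until the missing segment arrives.
    """
    out = b""
    expected = segments[0].seq
    for s in segments:
        if s.seq > expected:                   # gap: wait for missing data
            break
        fresh = s.payload[expected - s.seq:]   # skip bytes already seen
        out += fresh
        expected += len(fresh)
    return out


@dataclass
class StatefulMatcher:
    """Stateful matching: per-flow reassembly, then a scan of the stream."""
    max_buffer: int = 64 * 1024                # bound memory held per flow
    flows: Dict[FlowKey, List[Packet]] = field(default_factory=dict)

    def feed(self, p: Packet) -> List[str]:
        segments = self.flows.setdefault(flow_key(p), [])
        segments.append(p)
        segments.sort(key=lambda s: s.seq)
        stream = reassemble(segments)[-self.max_buffer:]
        return [name for name, sig in SIGNATURES.items() if sig in stream]


# The marker straddles the two segments; the second segment arrives first.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", 40000, "192.0.2.20", 80, 1025, b"TACK-MARKER HTTP/1.1\r\n"),
    Packet("192.0.2.10", 40000, "192.0.2.20", 80, 1000, b"GET /index.html X-DEMO-AT"),
]


def compare_on_sample() -> Tuple[List[str], List[str]]:
    """Return (per-packet hits, stateful hits) over SAMPLE_PACKETS."""
    matcher = StatefulMatcher()
    stateful_hits: List[str] = []
    for p in SAMPLE_PACKETS:
        stateful_hits.extend(matcher.feed(p))
    return per_packet_matches(SAMPLE_PACKETS), stateful_hits


if __name__ == "__main__":
    print(compare_on_sample())   # ([], ['demo-sig-1'])
```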

Anomalies can include:
• Users logging in at strange hours.
• Unusual error messages.
• Unexplained system shutdowns or restarts.
• Unexplained changes to system checks.
• Multiple failed log-on attempts.

Statistical anomaly-based IDS will analyze the audit trail data by
comparing it to predicted profiles to find potential breaches. The main
advantage of anomaly-based solutions is that they can detect
unknown attacks.

The attributes for statistical anomaly-based IDS are:
• A baseline for normal traffic and throughputs is developed and
monitored against.
• DoS floods and unknown attacks can be detected.
• Tuning the system properly can be difficult.
• The normal traffic conditions must be clearly understood.

A protocol anomaly-based IDS will use known protocols to determine
any unacceptable behavior. The benefits of this form of IDS are
directly impacted by the use of well-defined protocols.

Protocol anomaly-based IDS have attributes such as:
• Deviations from standards set by request for comments (RFC) are
monitored.
• Attacks not having signatures can be identified.
• Well-defined protocols can reduce the number of false positives.
• Protocol analysis has a longer deployment time than signatures.

Analysis of the traffic structure can identify unaccepted deviation from
expected behaviors and is employed by traffic anomaly-based IDS.
The specific attributes include:
• Watches for new services or unusual traffic patterns.
• DoS floods and unknown attacks can be identified.
• Tuning the system can be difficult.
• The normal traffic conditions must be clearly understood.

5.3.9 Cryptography Methods

Two primary methods are used to encrypt data: stream and block.

Stream-based ciphers are often found in hardware implementations
while block-based ciphers are found in software.

Stream-based ciphers are most commonly used in voice and video
transmission. The operation mixes the plaintext with a keystream
generated by the cryptosystem in an exclusive-or (XOR) process.

Substitution is the primary function of streaming: the substitution of
one character or bit for another. Specific rules need to be followed for
successful stream-based ciphering:
• The keystream must not be predictable or easily guessed.
• Key management processes must be secure from attack.

Block ciphers focus on blocks of text to encrypt. A message is broken
down into a preset size. These sizes typically follow ASCII character
sizes of 64, 128, 192, and so on.

Substitution and transposition are used within the operation of a block
cipher, making it stronger than most stream-based ciphers. Block
ciphers are usually more expensive to implement.

5.3.10 Cryptography Forms

The two primary forms of cryptography are symmetric and
asymmetric.

Symmetric ciphers utilize an algorithm that operates on a single
cryptographic key that is used to encrypt and decrypt the message.
This encryption process goes by many names:
• Single key
• Same key
• Shared key
• Secret key
• Private key
The last two names represent the key factor in using symmetrical
algorithms: securing the cryptographic key. The result is extensive
focus on key management. This requires not only the generation of
the key but also the secure transmission of the key to both the sender
and receiver of the message. To ensure security, the key is often sent
separately from the message itself, called out-of-band distribution.

Some of the more common symmetric algorithms are:
• Data Encryption Standard (DES)
• Advanced Encryption Standard (AES)
• International Data Encryption Algorithm (IDEA)
• CAST
• Secure and Fast Encryption Routine (SAFER)
• Blowfish
• Twofish
• RC5
• RC4

The idea behind asymmetric algorithms was introduced in 1976 by
Drs. Whit Diffie and Martin Hellman. The idea utilizes two different
keys linked mathematically to perform cryptographic operations.
Typically, one key is used to encrypt, while the other is used to
decrypt.

These concepts were the introduction to public key cryptography. To
use an asymmetric algorithm, a person would need to generate a key
pair. One half of the key pair would remain secret, known only to the
key holder, called the private key. The other half of the key pair could
be presented to anyone who wanted a copy, called the public key.

Asymmetric algorithms are one-way functions. Any message that is
encrypted with a public key can only be decrypted with the private key
of the pair, retaining the confidentiality of the encrypted message. This
is because the sender would be encrypting the message with the
public key of the receiver. Any message that is encrypted using the
private key of the sender could be opened and read by anyone
possessing the corresponding public key. The process allows the
confidentiality of the message to remain intact and retains proof of
origin.

5.3.11 Access Control Technologies

Methodologies of access control are either centralized or
decentralized.

Centralized access control has all access control queries directed to a
central point of authentication, allowing a single point of administration
for the entire system. Examples of a centralized method include:
• Remote Authentication Dial-In User Service (RADIUS)
• Terminal Access Controller Access Control System (TACACS)
• Kerberos

Decentralized access control is particularly useful where connectivity
to a centralized access control system is difficult. Though more
difficult to maintain than a centralized system, it is typically less
expensive.

Small organizations can generally use the default authentication
method of the software providing remote access connectivity. As the
organization grows, more sophisticated solutions may be appropriate,
such as RADIUS or TACACS/TACACS+.

With RADIUS, the access control subject provides authentication
credentials to the remote access server, which passes the information
on to the RADIUS server for authentication. The RADIUS server will
respond to the remote access server with either acceptance of the
credentials or denial. The key advantage of this system is that the
communication between the RADIUS server and the remote access
server is encrypted, increasing the overall security position of the
system.

A similar procedure to RADIUS is the older TACACS system. The
authorization or denial of access is communicated between the
TACACS server and the user. There is no encryption used with the
TACACS system; however, the TACACS+ system does provide
encryption.

The purpose of Single Sign On (SSO) is to enable user authentication
once and pass that authentication on to each subsequent system
that the user attempts to access. The most common SSO products
are:
• Kerberos
• SESAME
• NetSP
• KryptoKnight
• Snareworks

The advantages of SSO are:
• Access to systems can be quickly and efficiently enabled or
disabled.
• The administrative effort for forgotten passwords is reduced.
• The experience of the user is improved.

SSO solutions are costly and difficult to implement. Additionally, if a
user's password is compromised during an attack, all the systems the
user has access to are compromised.

Kerberos is a network authentication protocol providing strong
authentication for client/server applications. It uses symmetric-key
authentication and authentication tokens, or tickets, to drive the
system. Each Kerberos system has a private key and the Kerberos
server has copies of all these keys, allowing for cross-platform
authentication.

A Key Distribution Center (KDC) holds all the keys and provides a
centralized authentication service. The overall structure of control is
called a realm. Time-stamping tickets ensure the keys are not
compromised. All the systems within the realm have their clocks
synchronized to maintain a common reference for authentication.

Part of the KDC is the Authentication Server (AS) which is responsible
for authenticating each client. During this authentication, the Ticket
Granting Service (TGS) makes the tickets and distributes them to the
clients.

The process for user logon follows:
1. The user identifies themselves by presenting credentials to the
KDC.
2. The AS authenticates the credentials.
3. The TGS issues a Ticket Granting Ticket (TGT) that is
associated with the client's token and is valid as long as the
user continues the session.

The process for resource access follows:
1. The Ticket Granting Ticket is presented to the KDC with the
details about the remote resource being accessed by the
client.
2. The KDC returns a session ticket to the client.
3. The session ticket is presented to the remote resource and
access is granted.
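The logon and resource-access flows above as a toy model, added here as an example and not from these notes or any Kerberos implementation: a KDC holding every principal's key, tickets sealed under the holder's key, and the realm clock check that rejects stale authenticators and expired tickets. HMAC stands in for the encryption real Kerberos applies to tickets (integrity and origin only, no confidentiality), and all principal names, keys and clock values are constructed.

```python
"""Toy Kerberos logon and resource-access flow (added example, not Kerberos itself)."""
import hashlib
import hmac
import json
import os

MAX_SKEW = 300              # seconds; realm clocks must agree within this window
TGT_LIFETIME = 8 * 3600     # TGT valid for the logon session
SERVICE_LIFETIME = 3600     # session ticket for one resource


def seal(key: bytes, fields: dict) -> bytes:
    """Bind a ticket's fields to the holder's key (HMAC stands in for encryption)."""
    body = json.dumps(fields, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def unseal(key: bytes, ticket: bytes) -> dict:
    body, _, tag = ticket.rpartition(b"|")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("ticket failed integrity check")
    return json.loads(body)


class RealmClock:
    """Simulated clock shared by every system in the realm (kept synchronized)."""
    def __init__(self, start: int) -> None:
        self.now = start

    def __call__(self) -> int:
        return self.now


class KDC:
    """Key Distribution Center: AS and TGS for one realm; holds all principal keys."""
    def __init__(self, principal_keys: dict, clock) -> None:
        self.keys = dict(principal_keys)
        self.clock = clock
        self.tgs_key = os.urandom(32)   # key under which TGTs are sealed

    def as_logon(self, client: str, authenticator: bytes) -> bytes:
        """Logon steps 1-3: verify the client's credentials and return a TGT."""
        auth = unseal(self.keys[client], authenticator)   # only the client's key seals this
        if abs(auth["ts"] - self.clock()) > MAX_SKEW:
            raise PermissionError("authenticator timestamp outside the realm skew window")
        now = self.clock()
        return seal(self.tgs_key, {"client": client, "issued": now,
                                   "expires": now + TGT_LIFETIME})

    def tgs_service_ticket(self, tgt: bytes, resource: str) -> bytes:
        """Resource-access steps 1-2: validate the TGT, return a session ticket."""
        t = unseal(self.tgs_key, tgt)
        if self.clock() > t["expires"]:
            raise PermissionError("TGT expired: the user must log on again")
        now = self.clock()
        return seal(self.keys[resource], {"client": t["client"], "resource": resource,
                                          "issued": now, "expires": now + SERVICE_LIFETIME})


def resource_grants_access(resource_key: bytes, resource: str, ticket: bytes, clock) -> bool:
    """Step 3: the resource checks the ticket with its own key and the realm clock."""
    t = unseal(resource_key, ticket)
    return t["resource"] == resource and clock() <= t["expires"]


def run_demo() -> dict:
    """Walk constructed user 'alice' through logon and access to 'fileserver'."""
    keys = {"alice": os.urandom(32), "fileserver": os.urandom(32)}   # constructed
    clock = RealmClock(1_700_000_000)
    kdc = KDC(keys, clock)
    results = {}
    # The client proves knowledge of its key by sealing a fresh timestamp.
    tgt = kdc.as_logon("alice", seal(keys["alice"], {"ts": clock()}))
    ticket = kdc.tgs_service_ticket(tgt, "fileserver")
    results["access"] = resource_grants_access(keys["fileserver"], "fileserver", ticket, clock)
    # A ticket altered in transit fails the integrity check.
    tampered = ticket[:-1] + (b"0" if ticket[-1:] != b"0" else b"1")
    try:
        resource_grants_access(keys["fileserver"], "fileserver", tampered, clock)
        results["tamper_rejected"] = False
    except PermissionError:
        results["tamper_rejected"] = True
    # A replayed authenticator is rejected once the realm clock has moved past the skew window.
    stale = seal(keys["alice"], {"ts": clock()})
    clock.now += MAX_SKEW + 1
    try:
        kdc.as_logon("alice", stale)
        results["stale_rejected"] = False
    except PermissionError:
        results["stale_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```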

5.4 IP Security (IPSec)

IP Security (IPSec) protocols enable each IP packet between two
network participants to be validated for access control, authentication,
and data integrity without modifying any network hardware or
software. Three main functions are provided by IPSec:
• Authentication only
• Authentication and encryption
• Key exchange

Two specific security protocols are added to the IP protocol:
• Authentication Header (AH) – provides connectionless integrity,
data origin authentication and anti-replay services to detect any
modification of the data.
• Encapsulating Security Payload (ESP) – provides encryption of the
payload.

5.4.1 Authentication Headers and Encapsulating Security Payload

IPSec can accommodate different security needs by using AH or ESP
independently or jointly. Security Associations (SAs) are used to
establish agreements between two systems which are participating in
an IPSec connection. The SA represents a connection used to
provide security services using a selected policy and keys. Individual
SAs are identified through a Security Parameter Index (SPI), an IP
destination address, and a protocol identifier.

SPIs are represented by an arbitrary 32-bit value which is selected by
the destination system to distinguish the SA from other SAs that may
be present on the node. Separate SAs are created in both directions
when both AH and ESP protocols are being used, forming four
separate SAs to accommodate the security needs of the connection.
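SA identification and the AH anti-replay service in working form, added here as an example and not from these notes or any IPSec stack: an SA database keyed by the (SPI, destination address, protocol) triple described above, plus the sliding-window replay check (the bitmap scheme of RFC 4302 Appendix B with a 64-packet window). SPIs and addresses are constructed values.

```python
"""SA lookup by (SPI, destination, protocol) and the AH anti-replay window (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

AH, ESP = 51, 50   # IP protocol numbers carried in the SA identifier


@dataclass
class SecurityAssociation:
    spi: int
    dst: str
    proto: int
    window_size: int = 64
    highest_seq: int = 0      # right edge of the window (largest sequence number seen)
    window: int = 0           # bitmap: bit i set means highest_seq - i was received

    def check_replay(self, seq: int) -> bool:
        """Accept and record seq if it is new and not older than the window."""
        if seq == 0:
            return False                              # sequence number 0 is never valid
        if seq > self.highest_seq:                    # advance the window to the right
            shift = seq - self.highest_seq
            mask = (1 << self.window_size) - 1
            self.window = ((self.window << shift) & mask) | 1
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window_size:                # left of the window: too old
            return False
        if self.window & (1 << offset):               # already received: replay
            return False
        self.window |= 1 << offset
        return True


class SADatabase:
    """Inbound SAs (one per direction and protocol), keyed by the identifying triple."""
    def __init__(self) -> None:
        self.sas: Dict[Tuple[int, str, int], SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        self.sas[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup(self, spi: int, dst: str, proto: int) -> Optional[SecurityAssociation]:
        return self.sas.get((spi, dst, proto))


def process_inbound(sadb: SADatabase, spi: int, dst: str, proto: int, seq: int) -> str:
    """Inbound checks for one AH or ESP packet (the ICV verification itself is omitted)."""
    sa = sadb.lookup(spi, dst, proto)
    if sa is None:
        return "drop: no SA"
    if not sa.check_replay(seq):
        return "drop: replay or outside window"
    return "accept"


if __name__ == "__main__":
    db = SADatabase()
    db.add(SecurityAssociation(spi=0x1001, dst="192.0.2.20", proto=AH))  # constructed SPI
    for s in (1, 3, 2, 2, 100, 36, 37):
        print(s, process_inbound(db, 0x1001, "192.0.2.20", AH, s))
```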

Each protocol supports transport and tunnel modes of operation.
Transport mode is found between two nodes, while tunnel mode is
found when one end of the SA is a security gateway which acts as an
intermediary that implements the IPSec protocols. The different modes
determine where the AH and ESP headers are inserted. In transport
mode, the AH or ESP header is inserted after the IP header but before
any upper layer protocol headers. The AH will authenticate the
original IP header, while the ESP will protect anything that follows the
ESP header. In tunnel mode, the original IP header and payload are
encapsulated by the IPSec protocols. A new IP header will specify the
tunnel destination and the AH or ESP headers will protect the
package.

5.4.2 Internet Key Exchange (IKE)

Symmetric cryptography systems have both parties using the same
key for encryption and decryption of information. The components of
these keys must be exchanged between the two parties in a secure
manner and must remain exclusive to the two parties. Internet Key
Exchange (IKE) is designed to allow both sides to independently
produce the same symmetrical key. It builds a VPN tunnel by
authenticating both ends and negotiating an agreement on the
methods for encryption and integrity. The intended result of an IKE
negotiation is an established Security Association (SA).

Diffie-Hellman (DH) is a part of the IKE protocol for exchanging the
components of the symmetrical keys used. The DH algorithm builds
an encryption key from the private key of one endpoint and the public
key of the second endpoint, creating a shared secret between the two
endpoints.
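The DH agreement described above in working form, added here as an example and not from these notes or any IKE implementation: each endpoint keeps a private exponent, publishes its public value, and derives the same shared secret from its own private value and the peer's public value, which is then hashed with the exchanged nonces into key material. The group is IKE group 2, the 1024-bit MODP prime from RFC 2409 (typed here from the RFC, with a safe-prime check that verifies the constant), which also illustrates the later point that the negotiated group fixes the key length in bits; the nonce handling and the SHA-256 derivation are simplifications, not IKE's exact PRF.

```python
"""Diffie-Hellman shared secret inside IKE (added example, not from the notes)."""
import hashlib
import secrets

# IKE group 2: 1024-bit MODP prime (RFC 2409 section 6.2), generator 2.
MODP_1024 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GENERATOR = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test; used to confirm p and (p-1)/2 are prime (a safe prime)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_key_bits(p: int = MODP_1024) -> int:
    """The negotiated group sets the DH key length in bits."""
    return p.bit_length()


class Endpoint:
    """One IKE peer: a private exponent and the public value it sends."""
    def __init__(self, name: str, p: int = MODP_1024, g: int = GENERATOR) -> None:
        self.name, self.p, self.g = name, p, g
        self.private = secrets.randbelow(p - 2) + 1      # x in [1, p-2], never leaves the host
        self.public = pow(g, self.private, p)            # g^x mod p, sent to the peer

    def shared_secret(self, peer_public: int) -> int:
        """(g^y)^x mod p: own private value combined with the peer's public value."""
        if not 1 < peer_public < self.p - 1:              # reject trivial public values
            raise ValueError("invalid peer public value")
        return pow(peer_public, self.private, self.p)

    def derive_key(self, peer_public: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
        """Hash the shared secret with both nonces into symmetric key material."""
        size = (self.p.bit_length() + 7) // 8
        secret = self.shared_secret(peer_public).to_bytes(size, "big")
        return hashlib.sha256(secret + nonce_i + nonce_r).digest()


def run_exchange() -> bool:
    """Both peers derive the same key from values that crossed the wire."""
    initiator, responder = Endpoint("initiator"), Endpoint("responder")
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    key_i = initiator.derive_key(responder.public, nonce_i, nonce_r)
    key_r = responder.derive_key(initiator.public, nonce_i, nonce_r)
    return key_i == key_r


if __name__ == "__main__":
    print("group bits:", group_key_bits(), "keys match:", run_exchange())
```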

5.4.3 The IKE Process

The IKE Process is composed of two phases. The first phase sets the
foundation for the second phase. In the first phase:
• Peers authenticate using certificates or a pre-shared secret.
• A DH key is created.
• Keys and methods are exchanged and/or negotiated between peers.

The security association is now established for users in the second
phase. The creation of the DH key is slow and requires lots of
computations, causing a decrease in performance.

The second phase focuses on exchanging materials between peers to
build the IPSec keys, which results in the establishment of the IPSec
Security Association.

5.4.4 Methods of Encryption and Integrity

Negotiation in both phases of the process sets the parameters for the:
• Encryption Algorithm
• Hash Algorithm

The encryption algorithms negotiated in the first phase (IKE SA) are
AES-256 (default), 3DES, DES, and CAST. The second phase (IPSec
SA) will negotiate 3DES, AES-128 (default), AES-256, DES, CAST,
DES-40CP, CAST-40, or NULL (no encryption). The hash algorithms
negotiated for both phases are the same, MD5 and SHA1, but the
default hash algorithm is different for each phase: MD5 for phase II
and SHA1 for phase I.

In addition to the algorithms used, mathematical groups are decided
upon. The DH key computation is based on mathematical groups. A
group sets the length of the key in terms of bits. The longer the key,
the harder it is to break and the more CPU cycles are required to
generate it.

5.4.5 Renegotiating Lifetimes

IKE Phase I is more process intensive than IKE phase II, and
therefore performed less frequently. The IKE SA is valid for a specific
period of time and must be renegotiated. The IPSec SA is valid for an
even shorter period of time, requiring IKE phase II to be performed
more frequently.

The period between renegotiations is referred to as the lifetime. The
shorter the lifetime, the more secure the IPSec tunnel, but the greater
the number of process intensive IKE negotiations. The longer the
lifetime, the quicker future VPN connections can be set up. By default,
IKE phase I negotiation occurs once a day, while IKE phase II occurs
every hour.

5.4.6 Subnets and Security Associations

By default, a VPN tunnel is created for the complete subnets in which
the hosts reside, not just for the hosts themselves. When communicating
between two hosts in different subnets protected by gateways, a total
of four SAs are established when a VPN tunnel is created:
• SA between the two gateways.
• SA between each subnet and its respective gateway (2).
• SA between the two subnets.

By disabling the option Support Key Exchange for Subnets on each
gateway, a unique SA can be created for a pair of peers. If the option
is disabled on one gateway but not the other, a single host will create
a unique SA with a subnet associated with the gateway with the
enabled option.

5.5 Security Documentation

5.5.1 Types of Documentation

The primary driver of security in an IT environment is the security
policy. To support the implementation of the security policies,
mechanisms are installed, such as:
• Standards
• Procedures
• Guidelines
• Baselines

Policies communicate management expectations.

The policy creation practice should be clearly defined and cover:
• Initiation
• Creation
• Review
• Recommendation
• Approval
• Distribution

Best practices for creating good security policies:
1. Write policies that last two to three years.
2. Use directive wording.
3. Avoid technical implementation details.
4. Keep length to a minimum.
5. Provide links from policy to supporting documents.
6. Review details before publishing.
7. Conduct management review and sign-off.
8. Avoid technical language.
9. Adjust policies based on incident review.
10. Review policies regularly.
11. Develop noncompliance sanctions.

Changes to policy will be more frequent when the policy is detailed.
Therefore high level organizational policies may last several years,
while system-specific policies would last much shorter as technologies
mature and new technologies are added to the environment.

Policies define what an organization needs and standards define the
minimum requirements for the organization. Standards address
hardware and software mechanisms to control security risks. They
create agreements to ensure interoperability within the organization
through common protocols.

Procedures are detailed instructions to support the policies,
standards, guidelines, and baselines. They indicate how to implement
the policy and who performs the tasks required to fulfill the policy.
They clarify the requirements of security and enable a common
understanding of the operations required.

Development of procedures should involve all departments interfacing
with the instructions. This is also beneficial to create a common
understanding of the entire procedure by interacting organizations.

Baselines ensure the implementation of security packages is
consistent across the organization. Baselines are impacted by
differences in:
• Software packages
• Hardware platforms
• Networks
• Security methods
• Security options
• Security settings

There are specific rules required to implement the security controls
required to support the developed policies and standards. Testing of
the security controls ensures the baselines are implemented
appropriately.

5.5.2 Security Education

Security awareness is the understanding of the importance of security
for the organization, the processes, and the customers. Security
awareness training is a method of informing employees of their roles
and related expectations as they relate to maintaining minimal
information security requirements. In some cases, security awareness
programs are a requirement for compliance with regulations, such as:
• HIPAA
• Sarbanes-Oxley Act
• Gramm-Leach-Bliley Act

Training and education may involve any combination of:
• Awareness activities
• Job training
• Professional training

Performance metrics are a clear method of determining security
needs and the effectiveness of training in the organization.

The architecture and design of the security solution must address the
design, implementation, and operations of those controls used to
enforce the levels of confidentiality, integrity, and availability required.

5.6 Compliance

5.6.1 Certification and Accreditation

Security professionals define distinct processes for certification and
accreditation. Specific definitions provided by the U.S. Department of
Defense are:
• Accreditation is a formal declaration by the Designated
Accrediting Authority (DAA) that shows an IT system is
approved to operate in a particular security mode with a
set of prescribed safeguards used at an acceptable level of
risk.
• Certification provides a comprehensive evaluation of
technical and non-technical security features of an IT
system and its safeguards to determine if a particular design or
implementation meets specified security requirements.

5.6.2 Service Level Agreements

Service Level Agreements (SLAs) are negotiated levels of assurance
or warranty of service quality. These SLAs are agreed upon based on
business need and capabilities of the service provider. As the service
is rendered, it is monitored and measured to ensure that the SLA is
fulfilled. In many cases, several services may have to exist in
order to fulfill a single SLA.

Objective Level Agreements (OLA) are different from SLAs only in
that they are not part of a formal agreement and can be set as additional
goals for the service provider. Where SLAs usually define a minimum
level of warranty required, OLAs can be higher. In those cases where
several services are required to fulfill a single SLA, each service may
have an associated OLA involved.
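
The following is an added example, not from the book, written in Python to illustrate the two points above: several component services are measured over a period, each is checked against its own OLA, and the end-to-end result is compared with the single SLA they jointly deliver. The period, component names, OLA targets and downtime figures are constructed for the illustration. It also carries the reasoning one step further than the text: when components are all needed (a series dependency), the availability the customer sees is the product of the components' availabilities, which is why each OLA must be set higher than the SLA it backs.

```python
"""Added example (not from the book): measuring component services against
their OLAs and the end-to-end SLA they jointly deliver. All names, targets
and downtime figures are constructed for illustration."""
from dataclasses import dataclass

PERIOD_MINUTES = 30 * 24 * 60   # constructed reporting period: 30 days


@dataclass
class ComponentService:
    name: str
    ola_target: float    # internal availability goal as a fraction, e.g. 0.998
    minutes_down: int    # measured downtime within the period


def availability(minutes_down, period_minutes=PERIOD_MINUTES):
    """Availability as the fraction of the period the service was usable."""
    return 1.0 - minutes_down / period_minutes


def end_to_end_availability(components, period_minutes=PERIOD_MINUTES):
    """When several services are all needed to deliver one SLA (a series
    dependency), the customer sees the service only while every component is
    up, so the achieved availability is the product of the components'."""
    result = 1.0
    for c in components:
        result *= availability(c.minutes_down, period_minutes)
    return result


def required_ola(sla_target, n_components):
    """Smallest per-component availability such that n equally reliable
    components in series still meet sla_target together (the n-th root)."""
    return sla_target ** (1.0 / n_components)


def evaluate(sla_target, components, period_minutes=PERIOD_MINUTES):
    """Report OLA attainment per component and SLA attainment overall."""
    report = {"sla_target": sla_target, "components": {}}
    for c in components:
        a = availability(c.minutes_down, period_minutes)
        report["components"][c.name] = {
            "availability": round(a, 6),
            "ola_target": c.ola_target,
            "ola_met": a >= c.ola_target,
        }
    e2e = end_to_end_availability(components, period_minutes)
    report["end_to_end"] = round(e2e, 6)
    report["sla_met"] = e2e >= sla_target
    return report


# Constructed sample: a 99.5 percent availability SLA delivered by three
# components, each carrying a 99.8 percent OLA. Downtime figures are made up.
SLA_TARGET = 0.995
SAMPLE_COMPONENTS = [
    ComponentService("network", ola_target=0.998, minutes_down=30),
    ComponentService("database", ola_target=0.998, minutes_down=100),
    ComponentService("application", ola_target=0.998, minutes_down=100),
]


def sample_report():
    """Evaluate the constructed sample against its SLA and OLAs."""
    return evaluate(SLA_TARGET, SAMPLE_COMPONENTS)


if __name__ == "__main__":
    rep = sample_report()
    for name, detail in rep["components"].items():
        print(f"{name:12s} availability={detail['availability']:.4%} "
              f"OLA met={detail['ola_met']}")
    print(f"end-to-end availability={rep['end_to_end']:.4%} "
          f"SLA met={rep['sla_met']}")
    print(f"each of 3 components needs >= {required_ola(SLA_TARGET, 3):.4%} "
          f"to back a {SLA_TARGET:.1%} SLA")
```

Run as a script to print the report. In the constructed sample every component on its own would satisfy the 99.5 percent SLA, yet the combination falls short, and two of the three miss their 99.8 percent OLA; required_ola gives the per-component floor (about 99.83 percent for three components in series).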

There are several types of Service Level Agreements that may be
found in any organization:
• Service-based SLA – covers the service for all customers
of that service. From a security standpoint, a service-
based SLA may be applied to general admissions into the
building or to ensure the minimal level of awareness and
compliance in conducting safe business transactions.
• Customer-based SLA – covers the requirements of a
single customer. For security, this may translate into
defining special requirements and security relationships
with customers of the business, or individual departments
within the organization. Departments like Finance and
Research and Development may have more stringent
requirements for security than Customer Support. Different
classifications of information may contribute to different
SLAs being applied.
• Multi-level SLA – A three-layer structure for adopting
agreements. The levels are corporate, customer, and
service. The corporate level covers all generic concerns
and requires less frequent changes. Customer level
relates to a specific customer or business unit regardless
of the service provided, while the service level relates to a
specific service for a specific customer.

SLAs should be clear and concise and leave no room for
interpretation. They do not define how a service is provided, only the
result of the service.

5.6.3 Laws and Standards

Several laws and regulations are applicable to all IT solutions, and
wireless networking specifically.

Within the United States, laws may be the result of:
• Statutory law which becomes United States Code after
being enacted by Congress.
• Administrative law which is part of the Code of Federal
Regulations and is enacted by agencies of the executive
branch.
• Case law which exists within the judicial branch and documents
the legal precedents of the courts.

5.6.4 1996 National Information Infrastructure Protection Act

One of the most difficult problems with the rapid growth of computer
technology is ensuring the laws and regulations to protect against
computer crimes remain abreast of emerging technologies. This was
evident in 1994 when the Computer Emergency Response Team
(CERT) reported a 498 percent increase in the number of
computer intrusions and a 702 percent rise in the number of sites
affected by these intrusions. The U.S. legislature chose to add
amendments to the Computer Fraud and Abuse Act to address
specific abuses from misuse of new technologies. The result is the
1996 National Information Infrastructure Protection Act.

5.6.5 President's Executive Order on Critical Infrastructure Protection

The terrorist attack on the United States on September 11, 2001
identified a number of concerns related to the vulnerability of the
national infrastructure. Within two months, the President of the United
States issued the Executive Order on Critical Infrastructure Protection
to ensure protection of information systems used for the critical
infrastructure. Part of this infrastructure includes the emergency
preparedness communications and the physical assets supporting the
systems. In essence, the president created an official security policy
for the United States.

5.6.6 USA Patriot Act of 2001

Shortly after the Executive Order mentioned above, Congress passed
Public Law 107-56, titled the “Uniting and Strengthening America by
Providing Appropriate Tools Required to Intercept and Obstruct
Terrorism Act of 2001.” Its short name is the USA Patriot Act. The law
covers several items pertinent to IT solutions or the use of IT in
dealing with terrorist activity, including:
• Title II authorizes the interception of wire, oral, and
electronic communication to produce evidence of terrorism
offenses, computer fraud and abuse.
• Title III focuses on monetary transactions used in
supporting terrorist activities.
• Title IV provides guidelines on border control and
immigration laws involving electronic sharing of
intelligence.
• Title V provides guidelines for removing obstacles when
investigating terrorism.
• Title VII covers increasing information sharing for critical
infrastructure protection.
• Title VIII strengthens criminal laws as they apply to
terrorism.

5.6.7 Homeland Security Act of 2002

Another result of 9/11 was the creation of the Department of
Homeland Security, a government agency charged with the following
tasks:
• Control U.S. borders and prevent terrorists from entering.
• Respond quickly and effectively to emergencies in
cooperation with state and local authorities.
• Develop technologies to detect and protect from biological,
chemical, and nuclear weapons.
• Provide a single daily report of threats from intelligence
and information from several law enforcement agencies.

The act creating this government agency was the Homeland Security
Act of 2002.

5.6.8 Computer Fraud and Abuse Act

U.S. legislation, 18 U.S.C. § 1030 (Computer Fraud and Abuse Act),
defines the activities that are considered felony offenses of computer
fraud and abuse. It also describes the actions available to law
enforcement in investigating and apprehending suspects of computer
fraud and abuse.

5.6.9 Electronic Communications Privacy Act (ECPA)

The ECPA governs the accessibility of stored electronic
communication for law enforcement. Electronic communication
consists of email messages. What was not originally covered is stored
wired communication, namely voice mail. Later amendments
redefined wired communication to include stored wired messages,
allowing law enforcement access to stored voicemail.

5.7 Security Monitoring

5.7.1 Change Management

Change management is a process of standardized methods and
procedures to ensure that all changes are handled appropriately and
efficiently. In the business world, the introduction of change is risky
and can result in costly oversights, failed attempts, and loss of
business. The goal of change management is to respond to changing
business requirements while minimizing risk and reducing the levels
of incidents and rework experienced.

There are three change models that are recognized:
• Standard Changes – identifies pre-authorized, low-risk, and
well-tested changes. Individual Account Creation and
Deletions are examples of these types of changes, as well
as system updates.
• Normal Change Model – identifies changes that must go
through some effort of assessment, authorization, and
agreement before the change can be implemented. Adding
a new resource to the network, or allowing a contracting
firm to do facilities work, are examples of these types of
changes.
• Emergency Change – used for highly critical changes that
must be put into place immediately, usually as a result of a
failure in availability or service quality.

Regardless of the type of change that may be introduced, the change
management process ensures that the appropriate level of
information is obtained to ensure the proper handling of the event. At
minimum, the following information should be identified for every
change (based on the 7 Rs of Change Management):
• RAISED – Who is introducing the change?
• REASON – Why is the change required?
• RETURN – What is the expected outcome of the change?
• RISKS – What can go wrong or should be of concern
about the change?
• REQUIRED – What resources are required to implement
and support the change?
• RESPONSIBLE – Who will be building, testing, and
implementing the change?
• RELATIONSHIP – How does this change impact other
changes already in place or expected to be in place?

Many enterprises will adopt a Change Advisory Board (CAB) which is
responsible for reviewing all changes and providing authorization to
proceed. The CAB will prioritize changes based on business need
and will be asked to reject changes if they do not meet or could harm
the business objectives. Several stakeholders may be represented on
the CAB, including:
• Customers
• User Managers
• User Groups
• Application developers and support
• Security specialists and consultants
• IT Operations staff
• Facilities staff
• Contractors

5.7.2 Configuration Management

Many of the changes that are made to an IT environment are within
the configurations of the systems. Configuration Management is a
process that focuses on managing the impact of changes to the
applied configurations in the environment. Where Change
Management may be used as a communication tool and to manage
the implementation plan, Configuration Management is used to make
the actual change. The reason for this distinction is grounded in what
a configuration really is.

A Configuration Item (CI) can be any asset, service component, or
item that is managed by the Configuration Management process.
They can vary in complexity, size, and type. Groups of CIs may be
managed together, or selected through established criteria,
groupings, classifications, or other identification. The different types of
CIs can include:
• Service Lifecycle – broad descriptions of services and
major components of those services.
• Service – identifies the assets and resources for a service,
including any models, packages and acceptance criteria.
• Organization – identifies the information assets of the
organization, such as the business strategy.
• Internal – represents the tangible and intangible assets
delivered, such as applications, software licenses,
computers, and the like.
• External – requirements and agreements with third-party
customers or suppliers.
• Interfaces – those assets required to deliver a service.

From an information security management perspective, each security
policy can be considered a different configuration item as well as the
individual components of the solutions developed to ensure the
fulfillment of those policies. The most important concept about a
configuration item is its relationship to other configuration items. As
changes are made to one configuration item, the impact of the change
will carry over to other configuration items. Understanding the nature
of these relationships will aid in determining how to minimize the
impact and risk of changes.

To support this understanding, configuration items are managed using
a support system, often known as a Configuration Management
System (CMS). This system will store all the detailed information for
the configuration items tracked. Because of the level of information
that could be contained in the CMS, the system is often used for other
purposes, such as financial asset management. In addition to
maintaining the relationships between CIs, the CMS can also maintain
the relationship between an individual CI and any related incidents,
problems, known errors, and change information.
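
The following is an added example, not from the book, of the impact analysis the two paragraphs above describe: a small Python walk over a constructed CMS extract. The CI names, dependency relationships and linked records are invented for the illustration. Starting from a changed CI (here a firewall ruleset, itself a security-policy CI) it follows the relationships outward and collects the incidents, problems, known errors and changes the CMS links to every CI the change can reach, which is the information a reviewer or CAB needs to judge the impact and risk of the change.

```python
"""Added example (not from the book): impact analysis over a small
Configuration Management System extract. The CIs, relationships and related
records are constructed for illustration; a real CMS holds far more."""
from collections import deque

# Constructed CMS extract. Key: a CI; value: the CIs that depend on it
# (a change to the key may carry over to each of its dependents).
CMS_DEPENDENTS = {
    "remote-access-policy": ["vpn-gateway"],
    "firewall-ruleset": ["edge-firewall"],
    "edge-firewall": ["web-tier", "vpn-gateway"],
    "web-tier": ["customer-portal"],
    "db-cluster": ["customer-portal"],
    "vpn-gateway": ["remote-access-service"],
    "customer-portal": [],
    "remote-access-service": [],
}

# Constructed records the CMS keeps linked to CIs alongside the
# relationships (incidents, problems, known errors, changes).
RELATED_RECORDS = {
    "edge-firewall": ["INC-1021 (open)", "CHG-0442 (scheduled)"],
    "vpn-gateway": ["KE-0007 (known error: MFA timeout)"],
    "customer-portal": ["PRB-0310 (open)"],
}


def impacted_cis(cms, changed_ci):
    """Breadth-first walk from the changed CI along dependency edges.
    Returns {ci: distance} for every CI the change can reach; distance 1
    means directly dependent. The visited set makes cycles safe."""
    if changed_ci not in cms:
        raise KeyError(f"unknown CI: {changed_ci}")
    distance = {}
    queue = deque([(changed_ci, 0)])
    seen = {changed_ci}
    while queue:
        ci, d = queue.popleft()
        for dependent in cms.get(ci, []):
            if dependent not in seen:
                seen.add(dependent)
                distance[dependent] = d + 1
                queue.append((dependent, d + 1))
    return distance


def change_impact_report(cms, records, changed_ci):
    """Combine reachability with linked records so the reviewer sees which
    incidents, problems, known errors and changes sit on anything the
    change can affect, nearest CIs first."""
    impact = impacted_cis(cms, changed_ci)
    report = {"changed_ci": changed_ci, "impacted": []}
    for ci, d in sorted(impact.items(), key=lambda kv: (kv[1], kv[0])):
        report["impacted"].append({
            "ci": ci,
            "distance": d,
            "related_records": list(records.get(ci, [])),
        })
    report["linked_record_count"] = sum(
        len(e["related_records"]) for e in report["impacted"])
    return report


if __name__ == "__main__":
    rep = change_impact_report(CMS_DEPENDENTS, RELATED_RECORDS, "firewall-ruleset")
    for entry in rep["impacted"]:
        print(f"{entry['distance']}  {entry['ci']:22s} {entry['related_records']}")
    print("records linked to CIs on the impact path:", rep["linked_record_count"])
```

The direction of the edges matters: the extract records "depends on" relationships, so the walk finds what a change can break, not what the changed CI itself relies on; a CMS that also records the reverse direction supports both questions.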

5.7.3 Information Access Control

Information Access Control, or Access Management, is a process for
translating user requirements into logical accounts that adhere to
the security policies. Users who have a right to use a
service get the access, while users who do not are denied that
access. Though access management will ensure that users have the
right to access a service, it works with availability management to
ensure that a user can access that service at any time.

Access Management is a part of all network and application access
requirements. Traditionally, the individual support groups would be
responsible for their own processes and security policies governing
their own scope of service.

In modern IT deployments, access management duties are more
often centralized, with the Service Desk being the IT unit that users
face when requesting access. Once the request has been made, the access
management activities are done centrally to ensure that security
policies are enforced and the accountability for providing access falls
in one area. The support groups for the network and individual
applications are responsible for providing the training and tools to
appropriately support the access capabilities of their product.

A centralized access management solution provides greater control of
access to ensure that information confidentiality is maintained. It
ensures that employees have the right level of access required to
effectively perform their jobs. The likelihood of errors in data entry or
by unskilled users is greatly reduced, as is the abuse of services
typically seen when access control activities are distributed out into
the organization.

The lifecycle flow of access control should focus on:
• Requesting access
• Verifying access
• Providing access
• Monitoring status of identity
• Logging and tracking access use
• Restricting or removing access

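An added Python example, not from the book, modelling the six lifecycle steps above in one centralized access management component with an audit trail, so that every grant can be traced to a request, an approval and a provisioning action, and grants are removed when the identity behind them goes inactive. The identity, service and approver names are constructed; the approval rule (the owner of the service must approve, and only an active identity can be approved) is an assumption made for the example, not a rule the book states.

```python
"""Added example (not from the book): a minimal centralized access management
workflow covering request, verify, provide, monitor identity status, log use,
and remove. Identities, services and owners are constructed."""
from dataclasses import dataclass


@dataclass
class Identity:
    user_id: str
    department: str
    active: bool = True      # False once HR reports the person has left


class AccessManager:
    """Single point where access requests are verified, provisioned, logged
    and removed, so accountability for access sits in one place."""

    def __init__(self, identities, service_owners):
        self.identities = {i.user_id: i for i in identities}
        self.service_owners = service_owners   # service -> approver user_id (assumed rule)
        self.grants = {}                        # (user_id, service) -> lifecycle state
        self.audit_log = []                     # every lifecycle event, in order

    def _log(self, event, user_id, service, actor, detail=""):
        self.audit_log.append({"event": event, "user": user_id, "service": service,
                               "actor": actor, "detail": detail})

    def request(self, user_id, service, requested_by):
        self.grants[(user_id, service)] = "requested"
        self._log("request", user_id, service, requested_by)

    def verify(self, user_id, service, approver):
        """Verify: the identity must be active, the approver must own the
        service, and there must be an outstanding request."""
        ident = self.identities.get(user_id)
        ok = (ident is not None and ident.active
              and self.service_owners.get(service) == approver
              and self.grants.get((user_id, service)) == "requested")
        self.grants[(user_id, service)] = "approved" if ok else "rejected"
        self._log("verify", user_id, service, approver, "approved" if ok else "rejected")
        return ok

    def provide(self, user_id, service, actor):
        """Provision only from the approved state, never straight from a request."""
        if self.grants.get((user_id, service)) != "approved":
            self._log("provide-refused", user_id, service, actor)
            return False
        self.grants[(user_id, service)] = "active"
        self._log("provide", user_id, service, actor)
        return True

    def record_use(self, user_id, service):
        """Log and track use; use outside an active grant is logged as denied."""
        allowed = self.grants.get((user_id, service)) == "active"
        self._log("use" if allowed else "use-denied", user_id, service, user_id)
        return allowed

    def remove(self, user_id, service, actor, reason):
        self.grants[(user_id, service)] = "removed"
        self._log("remove", user_id, service, actor, reason)

    def review_identity_status(self, actor):
        """Monitor identity status: revoke active grants whose identity is no
        longer active. Returns the (user, service) pairs removed."""
        revoked = []
        for (user_id, service), status in list(self.grants.items()):
            ident = self.identities.get(user_id)
            if status == "active" and (ident is None or not ident.active):
                self.remove(user_id, service, actor, "identity inactive")
                revoked.append((user_id, service))
        return revoked

    def has_access(self, user_id, service):
        return self.grants.get((user_id, service)) == "active"


def demo():
    """Constructed walk-through of the lifecycle; returns the manager."""
    am = AccessManager(
        identities=[Identity("alice", "finance"), Identity("bob", "support")],
        service_owners={"payroll": "carol", "ticketing": "dave"},
    )
    am.request("alice", "payroll", requested_by="alice")
    am.verify("alice", "payroll", approver="carol")
    am.provide("alice", "payroll", actor="servicedesk")
    am.record_use("alice", "payroll")
    am.request("bob", "payroll", requested_by="bob")
    am.verify("bob", "payroll", approver="dave")       # dave does not own payroll
    am.provide("bob", "payroll", actor="servicedesk")  # refused: never approved
    am.identities["alice"].active = False              # HR: alice has left
    am.review_identity_status(actor="servicedesk")     # alice's grant removed
    return am
```

The audit log is what makes the centralization worth having: each state change names the actor, so a later review can answer who asked, who approved, who provisioned and when access was taken away.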
5.7.4 Problem Management

Problem Management is responsible for the entire lifecycle of a
problem. Though the objectives of problem management are to
prevent problems and minimize the impact of incidents, this is done
by clearly understanding the problem and putting an appropriate and
effective solution in place. The process defines the activities required
to determine the root cause of incidents and provide an appropriate
solution to that root cause. The solution is implemented using any
number of control procedures, especially Change Management and
Release Management.

Problem Management is also responsible for maintaining information
about problems and their appropriate workarounds and resolutions. A
Known Error Database aids the Service Desk and end-users in
diagnosing and resolving their own problems with minimal risk of
harm or causing another incident.

There are two major processes to Problem Management:
• Reactive Problem Management – generally initiated
through the Incident Management process and occurs
after a problem created an incident.
• Proactive Problem Management – generally driven by
continuous improvement efforts and occurs before a
problem causes an incident.

The problem management process consists of several general steps:
• Problem Detection
• Problem Logging
• Problem Categorization
• Problem Prioritization
• Problem Investigation
• Problem Diagnosis
• Problem Workaround
• Known Error Record
• Problem Resolution
• Problem Closure
• Problem Review

Problem detection can happen in several ways. The most obvious is
through the occurrence of a failure, or incident with an unknown
cause. Some incidents may be resolved even when the root cause is
still unknown, which in turn initiates a problem record. Analysis of the
incident is performed to find the underlying cause. Incidents may be
raised when automated monitoring systems detect specific patterns
that may require a problem report. Problem notifications may also
come from suppliers or contractors who have detected problems
outside their scope of responsibility.

All reported problems are logged and referenced back to the related
incidents. The typical details contained in a problem record include:
• Information about the user.
• Information about the service.
• Information about the equipment.
• Initial log date and time.
• Priority and categorization details.
• Incident description.
• All diagnostic or recovery actions taken.

Incidents and problems are categorized and prioritized in the same
way. Prioritization is based on the frequency of the incident and the
impact on the environment, real or imagined. The severity of the
problem may also drive priority. The priority will determine the speed
and nature of the resulting investigation into the problem. The
appropriate level of resources and expertise used during the
investigation can allow the investigation to become more effective and
efficient.

Investigations lead to diagnosing the problem. An immediate
workaround may be found to minimize the impact of the problem and
reduce the severity and prioritization of the problem. These
workarounds can be applied, but the problem record must remain
open for further work to find a resolution. A Known Error Record is
generated to identify the problem quickly and apply the found
workaround. Problem resolution will identify the controls and solutions
that will prevent the problem from reoccurring. Usually, these
resolutions require a change in the environment. After completing the
change, the problem record can be formally closed.

5.7.5 Recovery and Continuity Planning

The preservation of business operations in the face of major
disruptions is a primary focus of business continuity planning (BCP)
and disaster recovery planning (DRP). The activities include the
preparation, processes, and practices to protect the critical business
processes from the impact of disruption and recovery of business
operations.

The purpose of continuity planning is driven by the existence of:
• Terrorist attack
• Natural disaster
• Internal and external audit oversight
• Legislative and regulatory requirements

Industry and professional standards are in place which provide
guidelines for effective business continuity, including:
• National Standard on Preparedness, or NFPA 1600
• ISO 17799
• Defense Security Service (DSS)
• National Institute of Standards and Technology (NIST)
• Standard of Due Care

BCP/DRP processes focus on increasing the probability of surviving a
major disruption by concentrating on potential loss categories, which
include:
• Revenue loss
• Extra expenses
• Compromised customer service
• Embarrassment or loss of confidence

5.7.6 Continuity Planning Process

The major phases for business continuity planning include:
• Project Initiation
• Current State Assessment
• Design and Development
• Implementation
• Management

The project initiation phase involves all the pre-planning activities
required to start BCP/DRP efforts properly. The primary goal is to
adequately identify management intentions and commitment. The
activities common for this phase are:
• Establishing the scope and objectives for continuity
planning.
• Gaining management support.
• Building a project team for continuity planning activities
and defining the roles within the team.
• Defining project resource requirements.
• Identifying and leveraging existing and planned disaster
avoidance preparations.

The development of the scope should focus on:
• Disaster recovery planning (DRP).
• Business continuity planning (BCP).
• Crisis management planning (CMP).
• Continuous availability (CA).
• Incident command systems (ICS).

Management support is required to:
• Formalize a continuity planning policy.
• Establish and manage a budget.
• Define continuity planning metrics.

The current state assessment phase consists of activities to provide
appropriate information about the current environment to make
informed decisions about future business planning needs. The
activities will complete:
• A threat analysis.
• A business impact assessment (BIA).
• An assessment of the current state of the continuity
planning process.
• A benchmark or peer review.

The result of this phase will provide a comprehensive understanding
of the strategies, goals and objectives of the organization. The
assessment should cover various areas including:
• Enterprise business processes analysis.
• People and organizations.
• Time dependencies.
• Motivation, risks and control objectives.
• Budgets.
• Technical issues and constraints.

Specific security concerns involve:
• Physical security.
• Personnel security.
• Environmental security.
• Information security.

Using the information gathered in the current state assessment
phase, the project team creates the most effective and efficient
recovery strategies. The primary activities for this stage include:
• Developing and designing appropriate strategies.
• Developing the crisis management plan (CMP) and
structures for BCP and DRP.
• Developing the required infrastructure testing and
maintenance activities.
• Planning the acquisition of recovery resources.
• Designing the initial acceptance testing of the plans.

One of the key considerations in disaster recovery is predetermining
which alternative recovery sites are needed:
• Cold sites – IT locations with the capability but not the
equipment.
• Warm sites – IT locations with the capability and some
equipment.
• Hot sites – IT locations with the capability and equipment.
• Mobile sites – remote mobile IT locations for temporary
use.
• Multiple processing sites – provides workload balancing
when one location fails.
• Workspace and facilities – provided by commercial
recovery site vendors.
• Virtual business partners – utilizes outside business
partners' IT when required.

Within the implementation phase, the project team works with the
organization's business process owners to implement:
• Continuity plans.
• Short-term and long-term testing.
• Short-term and long-term maintenance strategies.
• Training, awareness, and education processes.
• Management processes.

The management phase handles the day-to-day activities of continuity
planning.

5.7.7 Information Incident Management

An incident is described as any event where the service is, or could
be, disrupted. For information security, the service provided is the
provision of access to information resources and the prevention of
unauthorized access to information systems. An incident, in these
terms, would identify a failure to provide such access or a breach in
the system resulting in a leak of information.

Incident management is a process used to control the activities
related to identifying, managing, and overcoming an incident. Many
incidents recur; therefore, pre-defined incident models are used.
These models describe the steps for handling an incident.
Specifically, the model defines:
• The steps to be taken.
• Order of steps, including dependencies.
• Responsible parties.
• Timelines and thresholds for completing steps.
• Escalation procedures.
• Activities for preserving evidence.

The process for incident management is similar to problem
management. A couple of steps are more extensive because of the
immediacy of the incident, such as escalations and closure.
Escalation serves two functions in incident management. The first is
functional escalation when the Service Desk is unable to resolve an
incident entirely or within a specific time frame and requires the
incident record to be sent to another level of support. Hierarchical
escalation is performed for incidents with a high severity, when IT and
business management must be notified.

Resolution, recovery, and closure of an incident can be more involved
in incident management. A request in change management is usually
not required. Potential resolutions are applied and tested. Typically,
closure is initiated when both the incident is resolved and the user is
satisfied with the resolution. As a result, the Service Desk usually
checks the following before closing the record:
• Closure categorization – ensure the incident is properly
categorized, or has been changed from the initial
understanding.
• User satisfaction survey – to determine the satisfaction of
the user and find potential service improvements.
• Incident documentation – ensuring all information related
to the incident, including the description of the event and
resolution attempts, is documented.
• Recurring problem determination – making the decision to
introduce the incident details to problem management.
• Formal closure – provides the final closing procedures for
the incident.

5.7.8 Managing Evidence

Evidence is important for supporting conclusions related to events.
Depending on how the evidence is used, there are two types of
evidence that an organization would be concerned with:
• Evidence for audit purposes, including:
   o Physical examination
   o Documentation
   o Observation
   o Inquiry
   o Mechanical accuracy
   o Analytical procedures
   o Confirmation
• Evidence for legal procedures, including:
   o Best evidence
   o Secondary
   o Direct
   o Conclusive
   o Circumstantial
   o Corroborative
   o Opinion
   o Hearsay

For evidence to be admissible in a court of law, it must meet three
standards:
• Relevancy – must provide information related to the crime.
• Reliability – must not have been tampered with, which requires a
documented chain of custody.
• Legality – must be gathered within the parameters of the
law and respecting the rights of the accused.

For any event requiring an investigation, a computer incident
response team (CIRT) is the best choice to lead the effort.
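
An added Python example, not from the book, showing one way the reliability standard above is supported in practice: each custody handoff is recorded together with a cryptographic hash of the evidence, so that a later alteration, or a handoff by someone who never held the item, is detectable when the record is reviewed. The evidence bytes, person names and timestamps are constructed. The hash record is one component of a chain of custody; it complements, rather than replaces, the documented handling procedure.

```python
"""Added example (not from the book): a chain-of-custody record that ties each
handoff to a SHA-256 hash of the evidence, so tampering or a gap in custody
is detectable on review. Evidence bytes, names and timestamps are constructed."""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str      # ISO 8601, constructed for the example
    action: str         # acquired / transferred / examined / stored
    from_person: str
    to_person: str
    sha256: str         # hash of the evidence as received at this handoff


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquisition_hash: str
    custody_log: list = field(default_factory=list)

    @classmethod
    def acquire(cls, item_id, description, data, collector, timestamp):
        """Hash at acquisition is the reference every later entry must match."""
        item = cls(item_id, description, sha256_hex(data))
        item.custody_log.append(
            CustodyEntry(timestamp, "acquired", collector, collector, item.acquisition_hash))
        return item

    def handoff(self, data, from_person, to_person, action, timestamp):
        """Record a transfer; the receiver re-hashes what they were given.
        Returns False (while still recording the entry) when the hash no
        longer matches acquisition, so the break itself is documented."""
        current = sha256_hex(data)
        self.custody_log.append(CustodyEntry(timestamp, action, from_person, to_person, current))
        return current == self.acquisition_hash

    def verify_integrity(self, data):
        """True only if the current bytes and every logged hash match the
        acquisition hash and each handoff comes from the previous holder."""
        if sha256_hex(data) != self.acquisition_hash:
            return False
        if any(e.sha256 != self.acquisition_hash for e in self.custody_log):
            return False
        for prev, cur in zip(self.custody_log, self.custody_log[1:]):
            if cur.from_person != prev.to_person:
                return False   # gap: handed over by someone who never held it
        return True


# Constructed evidence: a one-line log extract imaged from a server.
ORIGINAL = b"2024-01-15T03:12:44Z sshd[2201]: Accepted publickey for svc-backup\n"
TAMPERED = ORIGINAL.replace(b"svc-backup", b"svc-backup-x")


def demo_intact():
    """Acquisition followed by two clean handoffs."""
    item = EvidenceItem.acquire("EV-001", "auth.log extract", ORIGINAL,
                                "analyst-a", "2024-01-15T09:00:00Z")
    item.handoff(ORIGINAL, "analyst-a", "evidence-custodian", "transferred",
                 "2024-01-15T10:30:00Z")
    item.handoff(ORIGINAL, "evidence-custodian", "examiner-b", "examined",
                 "2024-01-16T08:15:00Z")
    return item


def demo_tampered():
    """Same chain, but the bytes returned to storage differ from acquisition."""
    item = demo_intact()
    item.handoff(TAMPERED, "examiner-b", "evidence-custodian", "stored",
                 "2024-01-16T17:00:00Z")
    return item
```

Because the entry recording a mismatch is kept rather than discarded, the log shows where in the chain the evidence ceased to match its acquisition hash, which is the question a reviewer or opposing counsel will ask.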

The planned outcome of the investigation should be decided early,
to determine the appropriate scope and actions of the investigating
team. If criminal prosecution is the goal, digital forensic procedures
must be followed and the appropriate law enforcement agency involved.

5.8 Facilities

Physical security addresses the common risks against the physical
and environmental elements where the information system is
managed.

Three types of threats to physical security exist:
• Natural
• Utility systems
• Man-made

Natural threats can range from water leakage to excessive
temperatures, to disaster. Utility systems, such as power, can
fluctuate or be completely lost as a resource to the organization. Man-
made threats are usually malicious in nature and can consist of
physical attack, sabotage, vandalism, arson, or theft.

Some threats are indeed accidental and make up approximately 70%
of the attacks done by insiders. Most threats and vulnerabilities are
inadequate or lapsed working practices and weak measures for
physical security.

Site location is a major consideration for determining what physical
security precautions are required. Some concerns for physical
security based on the building include:
• Site layout, including entry points.
• Building materials used.
• Age of the building.
• Provision of infrastructure.
• Statutory health and safety requirements.

The layered defense model is a layered combination of complementary countermeasures. The number of layers required is dependent on the site configuration but typically includes:
 Outermost perimeter.
 Inner perimeter.
 Security zone or restricted areas.

The outermost perimeter defines the furthest physical reach controllable by the organization. In rural areas, the perimeter may include fencing, landscaping, and parking areas. In urban environments it may be a building or a single floor within a shared building. Inner perimeters are areas found within the outermost perimeter. In a campus situation, a perimeter may be set around every building; in a single building, each floor may have its own inner perimeter. Security zones are areas within all perimeters that require a higher level of security because of the information held or the operations performed there.

Other departments have their own concerns related to security. Partnering with them is often the best way to ensure that physical security requirements are met and enforced, by:
 Agreeing who provides the actual security and the procedures that support it.
 Addressing risks on an ongoing basis.
 Preventing redundant security systems.
 Preventing security gaps caused by unclear accountability.

Procedural controls are designed to manage the perimeters and open areas. They should cover:
 Guard posts.
 Checking and escorting site visitors.
 Managing deliveries.
 Managing contractor work.

Environmental controls allow sites to comply with health and safety regulations. Security implementations must also comply with these regulations and work in partnership with the environmental controls. Infrastructure systems to work with include:
 Fire detection and suppression systems.
 Perimeter walls, fences, and barriers.
 Vehicle and personnel entry and exit gateways.

5.8.1 Entry Points

Entry points are major elements of physical security. Key locks require
a physical key to open the lock, while deadbolts have one or more
bolts that are thrown to prevent opening the door. Key systems are
required to manage who has a key and to what facilities those keys
can be used. Duplication of keys should be managed appropriately.

Combination locks reduce the need for managing physical keys but require additional effort to manage who knows a particular combination. Keypad and pushbutton locks are similar to combination locks: a numeric code must be learned by authorized users and kept secure.

Smart locks are sophisticated mechanisms for restricting access. They can usually be programmed to admit only specific people or to operate only at certain times.

The design and construction of entry points, such as doors and windows, can provide different levels of security. Sensors used to detect noise or vibrations can be used to identify potential attacks.

The use of card, badge, and pass identifiers provides access control to physical facilities. More sophisticated access controls include biometric controls.

Closed-Circuit Television (CCTV) is designed both to deter attack and to provide a monitoring mechanism that confirms security is being maintained. An effective CCTV solution requires:
 Positioning cameras at adequate height.
 Distribution of cameras to exclude blind spots.
 Adequate lighting in all conditions.
 Ability to adjust angle and focus remotely.
 Ability to record.
 Tying camera system to the alarm system.
 Regular servicing of movable parts.
 Human monitoring and intervention.

Physical Intrusion Detection Systems can offer protection for specific areas. Different technologies for IDS include:
 Electrical circuits.
 Light beams.
 Passive infrared detector (PIR).
 Microwave and ultrasonic systems.

Remote computing and telecommuting require particular physical and procedural protection for devices, associated media, and the information they hold. These measures include:
 Carrying devices in unmarked bags or briefcases.
 Transporting the hard disk separately from the laptop.
 Using tamper-detection measures, tracing software, or invisible marking systems.
 Protecting against illicit access.

Some organizations may contract out for physical security services and therefore should address:
 Contractually binding managed services to meet physical
and procedural security requirements.
 Ensuring the ability to audit or test provided security
services.
 Maintaining the communication path between the
organization and contracted service.

To test the capabilities of the security measures, audits, drills, and exercises should be performed on a regular basis. Vulnerability and penetration tests allow active attempts to gain unauthorized access to fully test the current implementation.

Lack of regular maintenance and servicing can lead to vulnerabilities in security solutions. Active education and awareness can reinforce the security requirements of the organization.
5.8.2 Defense in Depth

Defense in Depth is a strategy intended to delay rather than prevent the advance of an attacker. A delay allows time for countermeasures to be applied effectively. Also referred to as elastic defense or deep defense, this strategy is based on military practices where a single, strong defensive line is replaced with a defense in which the attack loses momentum over a period of time or is spread out over a large geographic area. Once this is done, counter attacks are applied to the attacker's weak points.

A defense-in-depth strategy applied to the environment addresses four protection aims:
 Identifying and authenticating individuals requiring access.
 Authorization of individuals.
 Monitoring and accounting for action within the
environment.
 Providing a contingency capability in the environment.

Implementation of Defense in Depth looks at the physical and logical aspects of access to a system and addresses possible vulnerabilities in personnel, technology, and operations.
5.8.3 Physical Security Implementation

The physical security implementation of a defense in depth strategy applies checkpoints of access to facilities and networks. At each checkpoint, the following protection aims are applied:
 Identifying and authenticating individuals requiring access.
 Authorization of individuals.
 Monitoring and accounting for action within the
environment.
 Providing a contingency capability in the environment.

Each of the following is a possible layer in a defense in depth strategy:
 Authentication and password security.
 Antivirus software.
 Firewalls.
 Demilitarized zones.
 Intrusion detection systems.
 Packet filters.
 Routers and switches.
 Proxy servers.
 Virtual Private Networks.
 Logging and Auditing.
 Biometrics.
 Timed access control.
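The layers above are more than a checklist: the point of defense in depth is that a request must clear each layer in turn, and that a failure at any one of them is denied and recorded rather than silently passed to the next. The following is an added example, not from this book, that models the checkpoint described in 5.8.2 and 5.8.3 as ordered layers covering the four protection aims: identification and authentication, timed access control, authorization, and accounting (an audit log of every allow and deny), with a logged break-glass path as the contingency capability. The users, passwords, roles, zones and the fixed salt are constructed assumptions for the example.

```python
"""Added example, not from the book: a layered access checkpoint.

A request passes through the layers in order: identification and
authentication, timed access control, authorization, and finally accounting
(an audit log that records every allow and deny). A failure at any layer
denies the request, and no later layer can override an earlier denial. The
contingency aim is a break-glass path that lets an operator enter outside
their hours but is still logged. Users, credentials, roles and zones are
constructed sample data; the salt is fixed only to keep the example
deterministic (use a random per-user salt in practice).
"""
import hashlib
import hmac

SALT = b"constructed-fixed-salt"
ITERATIONS = 50_000


def derive(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


# Constructed directory: stored password hash, role, permitted hours (start, end).
USERS = {
    "alice": {"pw": derive("correct horse battery"), "role": "operator", "hours": (8, 18)},
    "bob":   {"pw": derive("visitor-pass-42"),       "role": "visitor",  "hours": (9, 17)},
}
# Which roles may enter which security zone.
ZONE_ROLES = {"lobby": {"operator", "visitor"}, "server-room": {"operator"}}
# Checked for unknown users so that a missing account costs the same time as a
# wrong password (no account enumeration through timing).
DUMMY_HASH = derive("dummy")

AUDIT_LOG: list[dict] = []


def audit(event: str, **fields) -> None:
    AUDIT_LOG.append({"event": event, **fields})


def authenticate(user: str, password: str) -> bool:
    stored = USERS.get(user, {}).get("pw", DUMMY_HASH)
    return hmac.compare_digest(stored, derive(password)) and user in USERS


def within_hours(user: str, hour: int) -> bool:
    start, end = USERS[user]["hours"]
    return start <= hour < end


def authorized(user: str, zone: str) -> bool:
    return USERS[user]["role"] in ZONE_ROLES.get(zone, set())


def request_access(user: str, password: str, zone: str, hour: int,
                   break_glass: bool = False) -> bool:
    # Layer 1: identify and authenticate.
    if not authenticate(user, password):
        audit("deny", layer="authentication", user=user, zone=zone)
        return False
    # Layer 2: timed access control, with a logged contingency path.
    if not within_hours(user, hour):
        if break_glass and USERS[user]["role"] == "operator":
            audit("break-glass", user=user, zone=zone, hour=hour)
        else:
            audit("deny", layer="time", user=user, zone=zone, hour=hour)
            return False
    # Layer 3: authorization for the requested zone.
    if not authorized(user, zone):
        audit("deny", layer="authorization", user=user, zone=zone)
        return False
    # Layer 4: accounting. Successful entries are logged as well.
    audit("allow", user=user, zone=zone, hour=hour)
    return True


def events() -> list[str]:
    """The sequence of audit events recorded so far, for review."""
    return [e["event"] for e in AUDIT_LOG]


if __name__ == "__main__":
    print(request_access("alice", "correct horse battery", "server-room", 10))
    print(request_access("bob", "visitor-pass-42", "server-room", 10))
    print(request_access("alice", "correct horse battery", "server-room", 22, break_glass=True))
    print(events())
```

Note that the break-glass entry is not a bypass of the whole checkpoint: it only relaxes the time layer, the operator still has to authenticate and be authorized for the zone, and the exception itself appears in the audit trail for later review.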

6 Practice Exam

The following multiple-choice questions are a refresher.

Question 1

Which of the following is not normally a part of the Information Security Management System framework created by security policies?

A) Control
B) Evaluate
C) Report
D) Plan

Question 2

Which of the following is a function of Information Security Management?

A) Oversight
B) Utilization of resources
C) Allocation of resources
D) Strategic planning

Question 3

Which of the following is part of a security governance framework?

A) Risk Management
B) Organization Structure
C) Compliance Monitoring
D) All of the above

Question 4

Which of the following standards was introduced by the ITGI?

A) COBIT
B) NIST 800-53A
C) ISO 17799
D) SysTrust

Question 5

Improved response is a benefit of what implementation form of information security governance?

A) Fast path
B) Distributed
C) Centralized
D) All of the above
Question 6

Ownership of information provides support to what security objective?

A) Confidentiality
B) Availability
C) Integrity
D) Accountability

Question 7

Which security practice is used to reduce the opportunity for collusion?

A) Least Privileges
B) Job Sensibility
C) Separation of Duties
D) Job Rotation

Question 8

Which of the following control models is specifically used to provide structure for access control and integrity?

A) Access matrix
B) Bell-LaPadula
C) Take-grant
D) Clark-Wilson
Question 9

Which of the following is not used by Kerberos to protect the network?

A) Authorization
B) Accounting
C) Authentication
D) Auditing

Question 10

Which change model is used to handle highly critical changes?

A) Critical Change
B) Normal Change
C) Standard Change
D) Emergency Change

Question 11

Pattern matching is used by what security technology?

A) Biometric scan
B) Authentication device
C) Intrusion Detection System
D) Access Control List

Question 12

What technology of identity management is used to avoid replication of data?

A) Directories
B) Profiles
C) Web access
D) Account management

Question 13

Smart devices are a form of what type of technical control?

A) Single-factor authentication
B) Two-factor authentication
C) Three-factor authentication
D) All of the Above

Question 14

Comparison of current performance against potential performance is a function of what type of risk assessment method?

A) Baseline Modeling
B) Cost Benefit Analysis
C) Qualitative Analysis
D) Gap Analysis

Question 15

When a control operates without needing to overlap its activities with another control, the control is considered what?

A) Distinct
B) Independent
C) Reliable
D) Sustainable

Question 16

Which security policy covers the behavior of remote employees in conducting business off site?

A) Data Protection
B) Proper use of IT assets
C) Social Responsibility
D) Security Awareness

Question 17

Which of the following cost classifications is used to define whether the assignment of cost is shared across multiple customers?

A) Operational
B) Variable
C) Fixed
D) Indirect

Question 18

The authoritative voice behind information security governance falls to what business function?

A) Steering Committee
B) Chief Information Security Officer
C) Board of Directors
D) Executives

Question 19

The alignment of information security objectives with business strategy is the function of what discipline?

A) Information Security Management
B) Information Security Controls
C) Information Security Governance
D) All of the above.

Question 20

Which security objective is concerned with preventing the accuracy and completeness of information from being altered by unauthorized sources?

A) Integrity
B) Availability
C) Confidentiality
D) Accountability

Question 21

What type of security measure ensures that security incidents can be handled at the earliest moment possible?

A) Preventive
B) Detective
C) Reductive
D) Repressive

Question 22

Ensuring all decision-making structures and activities are available to inspection describes what characteristic of Information Security Governance?

A) Responsibility
B) Fairness
C) Accountability
D) Transparency

Question 23

Which of the following statements is true?

A) Risks are a primary driver of security solutions.
B) Information security is a technical issue.
C) All security policies can be automated.
D) Security solutions would not be required if people were
trustworthy.

Question 24

What group designed the Guidelines for the Security of Information Systems?

A) ISF
B) NIST
C) OECD
D) AICPA

Question 25

An exploitable weakness of an asset is called what?

A) Threat
B) Vulnerability
C) Risk
D) Control

Question 26

What type of malicious software is used to track a user's information and activities?

A) Password crackers
B) Mobile code
C) Trojan horses
D) Spyware

Question 27

How many components are listed in the DoD Instruction 8500.2 standard?

A) 3
B) 8
C) 12
D) 15

Question 28
Which TCSEC specification describes systems that are resistant to
penetration?

A) Structured Protection
B) Controlled Access Protection
C) Security Domains
D) Verified Design

Question 29

Traffic can be permitted and denied using what security control?

A) Passwords
B) Routers
C) Access Control Lists
D) All of the above

Question 30

Which of the following encryption algorithms is an example of an asymmetric algorithm?

A) DES
B) RSA
C) AES
D) MD5
Question 31

A retina scan is a form of what type of authentication device?

A) Biometric
B) Synchronous
C) Asynchronous
D) Integrated Circuit

Question 32

Which Evaluation Assurance Level of the Common Criteria describes formally verified design and testing of products?

A) EAL4
B) EAL5
C) EAL6
D) EAL7

Question 33

Which of the following is not an administrative security control?

A) Monitoring
B) Protocols
C) User management
D) Policies
Question 34

Which word below best describes qualitative risk assessments?

A) Objective
B) Measurable
C) Descriptive
D) Time-consuming

Question 35

Insurance is a form of what risk management technique?

A) Risk Mitigation
B) Risk Avoidance
C) Risk Acceptance
D) Risk Transfer

Question 36

What are security activities driven by?

A) Policies
B) Risks
C) Problems
D) all of the above

Question 37

Tracking the consumption of a resource for accounting purposes is done using which of the following budgeting factors?

A) Cost Classification
B) Consumption Type
C) Cost Units
D) Cost Types

Question 38

Which of the following is not a characteristic of Information Security Governance?

A) Responsibility
B) Dependency
C) Accountability
D) Fairness

Question 39

Access control is an example of what type of security measure?

A) Preventive
B) Detective
C) Corrective
D) Reductive

Question 40

Which of the following is an objective of information security management?

A) Ensuring trust in information exchanges between enterprises, partners, and customers.
B) Preventing unauthorized modification of information.
C) Ensuring the availability of information when required.
D) All of the above

7 Answer Guide

Question 1
Answer: C
Reasoning: The five elements of an Information Security Management
System are control, plan, implement, evaluate, and maintain. Report
is not one of those elements, but may be a by-product of Evaluate.

Question 2
Answer: B
Reasoning: Information Security Management is generally driven by
implementation of solutions, authorizing action, enforcing policy and
responsibility, planning in terms of projects, and proper utilization of
resources. This is different from governance of information security
which provides a higher level of support and oversight.

Question 3
Answer: D
Reasoning: An information security governance framework will have
the listed components as well as a security strategy, security policies,
standards, feedback, and continual improvement.

Question 4
Answer: A
Reasoning: COBIT was introduced by ITGI to define the IT
requirements related to effectiveness, efficiency, availability, integrity,
confidentiality, reliability, and compliance.

Question 5
Answer: B
Reasoning: A distributed governance solution increases the
responsiveness of the solution and solution innovation to generate
revenue growth.

Question 6
Answer: C
Reasoning: Ownership provides the greatest level of integrity to the
information by providing a single person responsibility over how
information is used or by whom.

Question 7
Answer: D
Reasoning: Rotating jobs means no one person holds a position long enough for a collusive arrangement to go unnoticed; each successor brings a fresh look at the requirements and activities of the job.

Question 8
Answer: D
Reasoning: The Clark-Wilson model is built around integrity: data may be changed only through well-formed transactions, duties are separated, and access is structured as triples of subject, program, and object. Bell-LaPadula, by contrast, is a confidentiality model concerned with information flow between security levels.

Question 9
Answer: A
Reasoning: Kerberos is named after the mythological three-headed dog, the heads being taken as authentication, accounting, and auditing. Kerberos itself is an authentication protocol; authorization decisions are left to the application service and are not distinguished within it.

Question 10
Answer: D
Reasoning: Emergency changes represent those changes that must
be done immediately to handle highly critical issues to the business or
service.

Question 11
Answer: C
Reasoning: Intrusion detection systems use pattern (signature) matching and anomaly detection.

Question 12
Answer: A
Reasoning: Directories are used within identity management to
simplify the architecture and prevent duplication of information.

Question 13
Answer: B
Reasoning: Tokens, fobs and smart devices provide two-factor
authentication by using what a person has and knows.

Question 14
Answer: D
Reasoning: Gap analysis compares actual and expected delivery of
performance, functional, and usage requirements.

Question 15
Answer: A
Reasoning: Distinct controls do not overlap their operation with other controls and countermeasures.

Question 16
Answer: C
Reasoning: Though all policies may touch on required behaviors of employees, Social Responsibility policies address the primary behaviors expected of all employees under all conditions, including on site and off site.

Question 17
Answer: D
Reasoning: The Indirect cost classification is normally used to identify
the assignment of cost across several customers, rather than Direct
for the assignment of cost to a single customer.

Question 18
Answer: B
Reasoning: The Chief Information Security Officer serves as the
authority to address all security concerns.

Question 19
Answer: C
Reasoning: Information Security Governance is responsible for aligning security objectives with business strategy. Controls are implemented to support those security objectives, while management ensures the controls are maintained throughout the life cycle.

Question 20
Answer: A
Reasoning: Confidentiality serves to keep information private; Integrity, to keep information accurate and complete; and Availability, to keep information accessible when required.

Question 21
Answer: B
Reasoning: Detective measures are applied to the environment to
provide the earliest detection of a security incident for the purpose of
handling it.

Question 22
Answer: D
Reasoning: Decision-making structures and activities should be
transparent as a part of Information Security Governance.

Question 23
Answer: A
Reasoning: Security is not only a technical issue, but also a business and governance concern. Though many security controls can be automated, this does not remove the responsibility of people to adopt security practices. These controls and practices would have to be adopted whether or not people are trustworthy, in order to ensure that systems are managed effectively and efficiently. Most security controls address the potential risks to the environment and the business.

Question 24
Answer: C
Reasoning: The Guidelines for the Security of Information Systems were designed by the Organisation for Economic Co-operation and Development (OECD).

Question 25
Answer: B
Reasoning: A threat is the potential cause of a security incident, which
exploits a vulnerability. The likelihood of a threat exploiting a
vulnerability defines the risk of a security incident, which is counter
measured to reduce that risk using controls.

Question 26
Answer: D
Reasoning: Spyware is hidden software used to track a user's activity and information.

Question 27
Answer: B
Reasoning: The DoD Instruction 8500.2 standard has 8 Information
Assurance components for each leg of the CIA triad.

Question 28
Answer: A
Reasoning: Structured Protection (B2) systems build on previous
specifications to create systems which are resistant to penetration.

Question 29
Answer: C
Reasoning: ACLs permit or deny traffic based on attributes such as addresses, protocols, and ports, and they provide routers with the rules for managing traffic. Passwords determine whether a user can access a system, not whether traffic is permitted.

Question 30
Answer: B
Reasoning: RSA is an asymmetric (public-key) algorithm; DES and AES are symmetric block ciphers.

Question 31
Answer: A
Reasoning: Retina scans are a biometric authentication method.

Question 32
Answer: D
Reasoning: The Common Criteria evaluation of products, EAL7,
describes products whose design has been formally verified and
tested.

Question 33
Answer: B
Reasoning: Protocols are considered a technical control. Other
administrative controls include personnel clearance and privilege
management.

Question 34
Answer: C
Reasoning: Qualitative risk assessments are descriptive and usually
performed when information, expertise, resources, and time are
limited.

Question 35
Answer: D
Reasoning: Risk Transfer is an attempt to pass on risk to another
entity. Insurance is used to cover the organization against the
occurrence of a security incident by passing on the impact to another
entity.

Question 36
Answer: A
Reasoning: Policies drive the type and extent of activities in the
information security.

Question 37
Answer: C
Reasoning: Cost units describe the unit of consumption that can be tracked and is used for accounting, budgeting, and billing.

Question 38
Answer: B
Reasoning: The characteristics of Information Security Governance
are discipline, transparency, independence, accountability,
responsibility, and fairness.

Question 39
Answer: A
Reasoning: Access controls ensure that security incidents are
prevented by ensuring the information is accessed only by authorized
persons.

Question 40
Answer: D
Reasoning: The objectives of information security management revolve around ensuring that information remains confidential and available and that its integrity is maintained; each of the listed options is an aspect of this.

8 References

Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition. IT Governance Institute, www.itgi.org.
ITIL Service Design. The Stationery Office, Norwich: 2007.
The Official Introduction to the ITIL Service Lifecycle. The Stationery Office, London: 2007.
CompTIA Network+ Exam Objectives. Computing Technology Industry Association: 2008.
Tipton, Harold F. and Henry, Kevin. Official (ISC)2 Guide to the CISSP CBK. Auerbach Publications, Boca Raton: 2007.
Stewart, James Michael. (ISC)2 SSCP Systems Security Certified Practitioner. PrepLogic, Inc.: 2006.
Certified Wireless Network Administrator. Planet3 Wireless, Bremen, Georgia: 2002.
Virtual Private Networks Administration Guide, Version NGX R65. Check Point Software Technologies Ltd.: March 2007.

Information: www.isaca.org

Websites

www.artofservice.com.au
www.theartofservice.org
www.theartofservice.com

9 Index

access 13, 42-3, 46-8, 53, 63-4, 69, 73, 76-7, 84-8, 91-6, 112-14, 134-5, 144, 150,
153-4, 178
accountability 67, 135, 157, 163-4, 170, 180
accounting 153-4, 158, 173, 180
accreditation 5, 25, 67, 124
accuracy 61, 103-4, 163
ACLs (Access control lists) 5, 76, 92, 167, 178
agreements 33, 115-16, 121, 126, 131, 133
AH (Authentication Header) 5, 115-16
algorithm 44, 109, 118
applications 36, 41-4, 49-50, 53, 70, 72, 75, 77, 86-8, 90-1, 93, 100, 133, 135
assessment 8, 55-6, 131, 141
assets 20-1, 32, 35, 38, 133, 161, 165
attributes 91-2, 102, 106-8, 178
audits 22, 27, 56, 73, 152
authentication 15, 70, 76, 80-1, 84, 86, 90, 94, 101, 103, 111-14, 116, 158, 173
authorization 15, 86, 112, 131-2, 158, 174
availability 13-14, 17, 28-9, 38, 40, 82, 123, 131, 157, 163, 171-2, 176

baselines 31, 58-9, 107, 121-2
BCP (business continuity planning) 139-42
biometrics 5, 75, 102-4, 168
book 1-2, 7
building 57, 64, 85, 125, 131, 148-9
business 11-12, 15-16, 18, 22-3, 25, 28, 31-2, 35, 66, 125-6, 130, 132, 161, 174,
176-7

capabilities 11, 43, 48, 53, 70, 94, 97, 125, 142-3, 152
card, smart 86, 95-101
certification 5, 8-9, 81, 124
change management 5, 66, 130-2, 145
changes 37, 45, 58-61, 87, 121, 130-4, 138, 174
classifications 11, 38-9, 126, 133
compliance 5, 15-16, 20, 22, 25-6, 28, 31, 79, 123-5, 172
components 68, 73, 116-17, 133, 166
confidentiality 13, 17, 28-9, 38, 40, 77, 82, 111, 123, 157, 163, 172, 176
configuration 59, 98, 132
Configuration Item (CI) 133-4
continuity planning 5, 139-40, 143
cost 11, 18, 24-5, 36-7, 45, 50, 60-1, 86, 96, 161, 175
Cost Benefit Analysis 4, 60, 160
countermeasures 3, 36-8, 55, 153, 175
credentials 53, 95, 112, 114
Crisis management planning (CMP) 141-2
customers 11-12, 14, 24-5, 33, 53, 84, 122, 125-6, 171, 175

damage 7, 15-16, 67, 100
defense 5, 68, 124, 153-4
departments 12, 24, 27, 34, 39, 60, 94, 126, 149
design 8, 11, 37, 82, 123-4, 150, 178
designations 7, 80, 99-100
devices 48, 81, 94, 97-8, 100, 151
disaster recovery planning (DRP) 139, 141-2
disciplines 8, 11, 27, 64, 162, 180
DoS (Denial of Service) 3-4, 41
DRP (disaster recovery planning) 139, 141-2
duties 18, 63-4, 74, 78, 157

effectiveness 20, 22, 28, 58, 123, 172
effort 11, 48, 131, 147, 150
employees 21, 29-30, 37, 54, 56, 84, 135, 175
encryption 5, 76-7, 105, 112, 115-16, 118
enterprise 11-14, 17, 19-21, 23-4, 26-8, 34, 85-6, 132, 171
entity 7, 36, 87, 94, 179
environment 9, 37, 64, 120-1, 132, 138, 141, 153-4, 176-7
errors 6, 103, 134-5
ESP (Encapsulating Security Payload) 5, 115-16
evaluation 16, 22, 26, 71, 83
exam 1, 3, 8-9

facilities 5, 21, 48, 74, 143, 147, 150, 154
failure 13-14, 42, 131, 137, 144
file 44-5, 51, 77
focus 27, 41, 46, 55, 70, 109, 135, 141, 151
framework 13, 15, 17-18, 22, 28
functions 24, 37-9, 59, 64, 76, 82, 89, 93, 98, 101, 115, 144, 155, 160, 162

governance 3, 13, 17-21, 176
groups 19, 33, 71-2, 165

ICC (integrated circuit card) 5, 96-7, 100-1

identification 15, 70, 74, 80-1, 133
identity 44, 84-6
IDS (Intrusion Detection Systems) 5, 48, 70, 104-5, 107, 151, 158
IKE (Internet Key Exchange) 5, 116
implementation 15-16, 18, 23-4, 26, 33, 37, 66, 82, 120, 122-4, 136, 152, 172-3
incidents 35, 65, 67, 70, 130, 134, 136-8, 144-5
individuals 8, 14, 92-4
information security 3, 9, 12, 17, 21, 23, 27-9, 65, 69, 101, 144, 164, 172, 179
Information Security Governance 3, 11, 17, 21, 156, 162, 172, 175-6, 180-1
information security management 8-9, 11-12, 14, 21, 28, 66, 155, 162, 171-2
Information Security Policy 14, 16, 32-4
Information System (ISMS) 9-10, 23, 28-9, 40, 65, 69, 128, 144, 147, 165, 177
integrity 5, 13, 17, 20, 28-9, 38-40, 77, 82, 104, 116, 118, 123, 157, 163, 172-3, 176
interaction 26, 54, 89, 94
ISO 28-9, 96-7, 99-100, 156
ITSEC (Information Technology Security Evaluation Criteria) 4, 82-3

Kerberos 88-9, 91, 113, 158, 173


keys 29, 45-6, 48, 89-90, 109-10, 113, 115-16, 118, 150

laws 5, 28, 39, 79, 126-8, 146-7


locations 53, 95, 142-3

management 8, 11-12, 17, 21, 28, 31, 42, 50, 71-2, 74, 84-6, 91, 159, 176
managers 39, 54, 56, 84
memory 42, 45-6, 49-50, 97-8
message 54, 109-11
model 82-3, 133, 144

network 29, 42, 47-8, 72, 76-7, 88, 104, 131, 134-5, 154, 158
NIST (National Institute of Standards and Technology) 28, 139, 165

objectives 3, 11, 17, 22, 27, 32, 136, 140-1


organization 13, 23, 25-7, 29-30, 34-5, 37-9, 57, 61, 63, 104, 112, 121-3, 125-6, 141-2, 148, 152

passwords 44-5, 49, 54, 73-5, 86, 88, 94-5, 101, 103, 113, 167, 178
performance 59, 64, 117, 160, 174

phases 117-18, 140-1
policies 3, 11, 14, 18, 20, 26-7, 32-5, 70-2, 81, 92-3, 120-2, 133, 168-9, 175, 179
power 98, 101, 147
privileges 69, 74, 92-3, 157
problems 27, 127, 134, 136, 138, 169
processes 4, 17, 19-20, 35, 46, 49-50, 53, 55, 57, 63-5, 84, 95, 114, 118-19, 136, 144
products 7, 12, 26, 83, 88, 135, 168, 178
projects 60-1, 91, 172
protection 13, 30, 39, 48, 72, 128, 151
protocols 85, 91, 105, 107, 114, 116, 168, 179

Quantitative Assessments 56, 58

RADIUS (Remote Authentication Dial-In user Service) 94, 111-12


Rainbow Series 4, 78-9
Reasoning 172-80
regulations 22, 26-7, 39, 123, 126-7, 150
requirements 9-10, 15, 23, 25-6, 28, 38, 58, 70, 72, 80-1, 85-6, 123, 125, 133, 172-3
resources 11, 27, 41, 50, 58-9, 77, 91, 94, 131, 133, 138, 148, 155, 170, 172, 179
responsibilities 3, 8, 15, 18, 20-1, 29-30, 33-4, 39, 71-2, 137, 164, 170, 172, 176, 180
rights 7, 72-4, 94, 147
risk management 3, 17-18, 22, 35-6, 156
risks 11, 15, 20, 22-3, 28, 35-6, 55, 61, 64, 88, 98, 106, 124, 134, 164-5, 177
roles 3, 15, 18, 29-30, 39, 71-3, 93, 122, 140

SA (Security Association) 5, 115-17, 119


scope 3, 8, 18, 20-1, 23, 105, 134, 137, 140-1, 147
security 13-15, 18-21, 23-5, 28-30, 32, 50, 52, 63, 70-1, 77-8, 96-8, 115-16, 120-3, 125-6, 149-51, 175-6
security incidents 15-16, 23, 31, 64, 66-7, 70, 163, 176-7, 179-80
security policies 14, 16, 22, 24, 26, 30-1, 34, 37, 66, 72, 75, 79, 82, 91, 120, 133-5
software 24, 42-3, 108, 112, 115
SSO (Single Sign On) 86-7, 112-13
standards 5, 22, 31, 121-2, 126, 139, 146, 156, 172
strategies 4, 15, 22-3, 53, 63, 141-2, 153

TACACS 94, 111-12


TCSEC (Trusted Computer System Evaluation Criteria) 79-80, 82-3
technologies 11, 14, 26, 31, 84-5, 87, 91, 101-2, 104, 121, 127, 129, 139, 151, 153, 159

threats 15, 31, 36, 40, 42-3, 55, 64, 77, 129, 147-8, 165, 177
time 25, 37, 45-6, 59-61, 88, 90, 94, 118, 134, 138, 153, 179
tokens 75, 94-5, 103, 174
traffic 92, 104-6, 108, 167, 178
types 5, 60, 71, 92, 94, 97-9, 101-3, 120, 125, 130-1, 133, 146-7, 159-60, 163, 166, 168

understanding 21, 26, 122, 133-4, 136


usage 24, 40, 49, 59

value 1-2, 12, 17, 19-20, 22, 38, 54, 60-1, 103
vendors 23, 26, 84
visibility 18, 70, 105
vulnerabilities 3, 15, 27, 30-1, 40, 42, 52-3, 55, 104, 127, 148, 152-3, 165, 177

weaknesses 31, 35, 41, 46, 63


workarounds 136, 138
