HARSHAD SHAH
CISO(CHIEF INFORMATION SECURITY OFFICER)
GLOBAL CYBER SECURITY RESPONSE TEAM
CHAPTER 1 – WE WILL TALK ABOUT
• THE CIA TRIAD PROVIDES FOR THE SECURITY OBJECTIVES. THIS IS ALSO CALLED
THE AIC TRIAD.
CONFIDENTIALITY (60)
NOW THAT WE KNOW THE 3 PRINCIPLES OF SECURITY, LET’S TALK ABOUT HOW WE
CAN MANAGE SECURITY
SECURITY MANAGEMENT
(BACK TO PG 53)
ATTEMPTS TO MANAGE SECURITY.
• INCLUDES RISK MANAGEMENT, IS POLICIES, PROCEDURES,
STANDARDS, GUIDELINES, BASELINES, INFORMATION
CLASSIFICATION, SECURITY ORGANIZATION. *
• THESE BUILD A SECURITY PROGRAM – PURPOSE… PROTECT
THE COMPANY’S ASSETS
• A SECURITY PROGRAM REQUIRES BALANCED APPLICATION
OF TECHNICAL AND NON-TECHNICAL METHODS!*
• PROCESS IS CIRCULAR: ASSESS RISKS, DETERMINE NEEDS,
MONITOR, EVALUATE… START ALL OVER.
SECURITY MANAGEMENT
• EACH COMPANY WILL HAVE ITS OWN METHODS FOR THE ABOVE TO
ACCOMPLISH ITS OWN SECURITY MODEL.
• THIS IS PROBABLY TIME FOR A BREAK… YOU PROBABLY ARE ASLEEP NOW…
DON’T WORRY IT WILL GET MORE INTERESTING IN A BIT.
INFORMATION RISK
MANAGEMENT
• MANAGEMENT!
• MANAGEMENT MAY DELEGATE TO DATA CUSTODIANS OR BUSINESS UNITS THAT
SHOULDER SOME OF THE RISK. HOWEVER, ULTIMATELY IT IS SENIOR
MANAGEMENT THAT IS RESPONSIBLE FOR THE COMPANY’S HEALTH, AND AS
SUCH THEY ARE ULTIMATELY RESPONSIBLE FOR THE RISK. (YOU REALLY NEED TO
UNDERSTAND THIS FOR THE EXAM)
VALUE OF INFORMATION AND
ASSETS? (85)
• QUANTITATIVE ANALYSIS
• QUALITATIVE ANALYSIS
• ASSET VALUE
• SAFEGUARDS' COSTS
• THREAT FREQUENCY
• PROBABILITY OF INCIDENT
(MORE)
QUANTITATIVE ANALYSIS (93)
IF THE COST PER YEAR OF THE COUNTERMEASURE IS MORE THAN THE ALE, DON’T
IMPLEMENT IT. (OR DO SOMETHING ELSE LIKE BUY INSURANCE)
DETERMINE SLE
(5 SALES * 4 HOURS EACH * $40) + (1 IT * 4 HOURS * $50) = $1000 COST PER INCIDENT
ARO = 12 MONTHS * .50 LIKELIHOOD PER MONTH = 6
ALE = SLE ($1000) * ARO (6) = $6000.00
COST TO PROTECT = $20,000.00 A YEAR
NO, IT COSTS MORE TO PROTECT THAN IT’S WORTH.
IF YOU BOUGHT THE AV SYSTEM, YOU’D WASTE
$14,000 A YEAR.
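The SLE/ARO/ALE arithmetic above, carried through in code as an added example (not part of the original slides). The labour figures and the $20,000 countermeasure cost are the slide's own; the function names are mine. It also goes one step beyond the slide's rule by using the general safeguard cost/benefit formula, (ALE before) − (ALE after) − annual cost, of which "don't implement it if the yearly cost exceeds the ALE" is the special case where the safeguard would eliminate the loss entirely.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and the countermeasure decision.

Added worked example for the slide's anti-virus scenario; helper names
and the dataclass are assumptions made for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LabourCost:
    """Staff time lost per incident for one group of people."""
    people: int
    hours_each: float
    hourly_rate: float

    def total(self) -> float:
        return self.people * self.hours_each * self.hourly_rate


def single_loss_expectancy(*costs: LabourCost) -> float:
    """SLE: the cost of a single occurrence of the incident."""
    return sum(c.total() for c in costs)


def annualized_rate_of_occurrence(months: int, likelihood_per_month: float) -> float:
    """ARO: how many times per year the incident is expected to happen."""
    return months * likelihood_per_month


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO: expected yearly loss if nothing is done."""
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost/benefit value of a safeguard:
    (ALE before) - (ALE after) - (annual cost of the safeguard).
    Positive means the safeguard saves more than it costs; negative means the
    money is better spent elsewhere (or on insurance, as the slide notes).
    """
    return ale_before - ale_after - annual_cost


def recommend(ale_before: float, ale_after: float, annual_cost: float) -> str:
    """Turn the safeguard value into the yes/no decision the slide asks for."""
    value = safeguard_value(ale_before, ale_after, annual_cost)
    return "implement" if value > 0 else "do not implement"


def slide_example() -> dict:
    """The slide's scenario: 5 sales staff and 1 IT person lose 4 hours per
    incident, incidents occur half the months of the year, and the proposed
    AV system costs $20,000 per year."""
    sle = single_loss_expectancy(
        LabourCost(people=5, hours_each=4, hourly_rate=40),
        LabourCost(people=1, hours_each=4, hourly_rate=50),
    )
    aro = annualized_rate_of_occurrence(months=12, likelihood_per_month=0.5)
    ale = annualized_loss_expectancy(sle, aro)
    annual_cost = 20_000.0
    # The slide assumes the AV system removes the loss entirely (ALE after = 0).
    value = safeguard_value(ale, 0.0, annual_cost)
    return {
        "sle": sle,
        "aro": aro,
        "ale": ale,
        "safeguard_value": value,
        "decision": recommend(ale, 0.0, annual_cost),
    }


if __name__ == "__main__":
    for key, val in slide_example().items():
        print(f"{key}: {val}")
```

A negative `safeguard_value` of 14,000 is the "$14,000 a year wasted" the slide arrives at; the same functions can be re-run with a non-zero `ale_after` when a control only reduces, rather than eliminates, the expected loss.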
TOTAL RISK VS. RESIDUAL RISK
(106)
A CONTROL GAP* IS THE PROTECTION A COUNTERMEASURE
CANNOT PROVIDE
QUALITATIVE CONS –
• SUBJECTIVE
• NO DOLLAR VALUES
• NO STANDARDS
(MORE)
REVIEW OF Q VS. Q
QUANTITATIVE CONS
• COMPLEX CALCULATIONS
• EXTREMELY DIFFICULT WITHOUT TOOLS
• LOTS OF PRELIMINARY WORK REQUIRED
POLICIES STANDARDS, BASELINES,
GUIDELINES AND PROCEDURES
(109)
A SECURITY PROGRAM MUST HAVE ALL THE PIECES
NECESSARY TO PROVIDE OVERALL PROTECTION TO A
COMPANY AND LAY OUT A LONG-TERM STRATEGY.
POLICIES, STANDARDS, BASELINES, GUIDELINES AND
PROCEDURES ARE PART OF THE SECURITY PROGRAM.
YOU NEED TO UNDERSTAND THE TERMS IN THE
FOLLOWING SLIDES FOR THE EXAM. (POLICIES,
STANDARDS, BASELINES, GUIDELINES AND
PROCEDURES)
SECURITY POLICY* (110)
(MORE)
BASELINE
• EXAMPLE: A BASELINE MAY ALSO SPECIFY ALL LINUX SYSTEMS RUN SELINUX IN
ENFORCING MODE.
GUIDELINES* (114)
• ACCESS CONTROLS
• ENCRYPTION OF DATA IN TRANSIT* AND AT REST*
(WHAT ARE THESE TERMS?)
• DATA ACCESS SHOULD BE LOGGED AND AUDITED
• PERIODICALLY REVIEW CLASSIFICATIONS
(MORE)
CLASSIFICATION CONTROLS
• FOR THE EXAM, YOU SHOULD KNOW ALL THE POSITIONS WE ARE ABOUT TO
TALK ABOUT*
DATA OWNER* (130)
(MORE)
DATA OWNER*
HELPS DEFINE A SECURITY PROGRAM’S ELEMENTS AND ENSURES THE ELEMENTS ARE
BEING IMPLEMENTED PROPERLY BY THE TECHNICAL PEOPLE AND PROCEDURES.
ENSURES THAT DATA IS STORED IN A WAY THAT MAKES THE MOST SENSE FOR ITS
APPLICATION.
• WORK WITH DATA OWNERS TO ENSURE THE STRUCTURES SUPPORT THE BUSINESS
OBJECTIVES.
PROCESS OWNER (133)
SOMEONE WHO USES THE DATA DAY-TO-DAY TO ACCOMPLISH WORK TASKS AND
BUSINESS OBJECTIVES.
THE EXAM MIGHT ALSO REFER TO AN AUDITOR IN THE ROLE OF SOMEONE IN THE
COMPANY THAT GOES THROUGH SECURITY OR USAGE LOGS TO DETERMINE IF
DATA AND TECHNICAL SYSTEMS ARE BEING USED/ABUSED/ATTACKED, ETC.
MEANS THAT AT LEAST TWO PEOPLE MUST WORK TOGETHER TO PULL OFF
SOME TYPE OF NEGATIVE ACTION.
• DRUG TESTS
• EDUCATION CHECKS
• REFERENCE CHECKS
ROTATION OF DUTIES* (138)
LIKE SPLIT KNOWLEDGE, BUT IN THIS CASE TWO OR MORE PEOPLE MUST BE
AVAILABLE AND ACTIVE TO PERFORM AN ACTION.
WE COVERED A LOT.
LET’S LOOK OVER THE QUICK TIPS AND QUESTIONS.