ISACA CISM – Domain 03 – Information Security Program Development Part 5

35. Lesson 6: Information Security Framework Components

So, in this lesson, we’re going to take a look at the information security framework components. That means we’ll take a look at the operational, management and administrative components, as well as the educational and informational components that we need to look at in our frameworks.

36. Operational Components Part1

So when we talk about operational components, what we’re really doing is we’re talking about things that are DayToday, week to week, month to month activities. That’s why it’s called operational. It’s actually making sure that we’re doing the ongoing management or administrative activities that we have to perform to make sure that we stay at this required level of security assurance. Security is not something that we would call a fire and fire forget type of a missile. It’s an ongoing process as security evolves, sometimes day by day. A lot of what you’ll see in this framework would be your standard operating procedures, your SOPs that we’d want to follow. And the goal, of course, here is to hopefully it would list the activities or it would list the types of things we should monitor or a number of different types of events that we have to go through. It should, as a framework, give you the business operations, security practices.

And by saying that, what we’re saying is that again, operations of how the business is going based on what we know that we need security practices. Again, it could be best practice types of practices that we’re going through sounds a little redundant, I know. It could be based on regulations or any other number of different reasons that we have those. And it should also cover the issues of maintenance and the administration of security technologies, even if it’s something like do I upgrade? What are the conditions? When do we check? So as I said, these are going to be a set of actions. Activities that may be done daily, could be done on a weekly basis. Some might be not as important and might be on a monthly basis. But we need to make sure that we are staying at a certain level of security that is meeting with what our needs are supposed to be.

37. Operational Components Part2

So let’s take a look at some examples here of the operational components, things just to think about. One might be checking on identity management and access control. Okay, so that is all about often what we call the AAA, the authentication authorization and accounting, the logging of what’s happening. I’ve used this story before about sometimes an Active Directory administration administrator might have a user that says, hey, I need to have access to a printer or a file. And so they have to figure out how to assign those permissions. And one of the best practices in Active Directory is not to assign it to an individual, but rather to have a group of people or an administrative group or I guess a user group that has permission to use that printer. And so we just put that user in the group, not in this direction. And having done that, though, this group might have access to a folder.

I hope that looks like a folder that the person who wanted the printer wasn’t supposed to have access to. So sometimes we really have to look at the auditing there as well. But that’s just, again, something we should do on a regular basis or whether we’re looking for dead user accounts. Again, that’s what they call the identity management. We should have security event monitoring and analysis. Again, there are some automated tools that you could use, like Sims, that can gather the logs from a variety of different devices from routers to servers to switches and firewalls and can automatically correlate that information for you rather than you have a group of people that daily have to look at the logs. But the idea again is that we want to be proactive. I’m going to put the word pro over here. System patching procedures.

right, so if I use Windows as an example, we know every few weeks that they’re going to have a series of hot fixes or security patches. Some of them may be more important than others. And we have to have a method, a procedure of how we’re going to push those out. Whether the procedure is to have the machines do an automatic update, which many corporations don’t like to do because other problems could ensue, or whether you want to do a pilot group to make sure nothing breaks and then push it out. It should be there as part of the operational. Again, configuration management. This should have something that is going to go through an approval process.

It’s dangerous really, for somebody to just take matters into their own hands and start making configuration changes no matter what the system is because it could inadvertently create holes in our security. Again, security metrics collections kind of goes back into getting a method of how we measure the different levels of security and then incident response. And we have a domain that’s going to talk a lot about incident response, but again, we’ve have that as a part of our operational right? Who do we call if we see a security breach? We need to have that set up, we need to have those team members, we need to know what the response is going to be. And it goes on and on and on. So those are, again, just examples of operational components.

38. Management Components

Now your management components. And again, we’re still in the operational part of this really, if you think about it. But in addition to the ongoing technical and operational security that we have, there’s going to be some management things that we need to continue to look at, such as standards, development or modifications. In other words, if you are going to have a series of standards or procedures, they are going to get outdated. We may be asked that question, are things outdated? Do I need something new? Because there’s a new security problem out in the world. So that goes kind of again, with policy reviews and having some sort of oversight of the different initiatives or program executions that are going on. So that goes into the management.

In other words, if a new program is in the process of being developed, there should be some oversight to that program just to make sure that it’s on track, that it’s not falling behind, hasn’t gone over budget. A lot of different ideas that I’m trying to throw out there for you. So when we think of these management objectives, the requirements and policies, they are a big key in shaping the rest of what the information security program is going to do, which in turn should also define what we have to manage. And again, that’s very important. It’s an ongoing or periodic analysis of the assets, the threats that are out there, the risks, the organizational impacts. It’s something that we don’t want to stop doing it’s. Again, not something that you just, you write it up and you say it’s good until I retire.

39. Administrative Components

All right, let’s take a look at the administrative components. So here if you think about it, as the scope and responsibilities of the information security management functions grow, so are going to be the resources. Resources, again, could be a variety of equipment, software programs, the personnel that are running that, and of course, the financial aspects. And these are things costs are something that administrators are owed always asked to be careful of here we’re talking not about who I’m going to hire or fire as far as the personnel, but maybe the responsibilities of what the people in my department are supposed to do. Now, if we take a bigger look at the financial administration, that’s generally going to be dealing with budgeting. Many companies go on a yearly budget plan.

Hopefully they do anyway. And some of that would be ongoing service contracts that they have to maintain for the different devices. For example, if you buy any networking equipment, you’re going to have a yearly service contract of some kind, firewall router or the rest of it, licensing for your operating systems, all of that. That’s part of budgeting. Timeline planning is another part of what we have to deal with. And again, I guess if you think about it in the timeline, it’s not like we get a bulk of money at the beginning of the year and we just spend it. Well, maybe some of you think of it that way if you’re in government work, because I think that’s kind of how they do their budgets. Not that I’ve done budgets for governments, but generally they say, here’s what you have at the beginning of the year.

And even if you did, you don’t want to spend it upfront all at once. Maybe you do for some big purchases, but that should be a part of what we look at. Another part that we’re going to be required is to look at the total cost. The TCO and the idea behind the total cost is that we’re trying to find a way to say that we’re being efficient with how we’re spending the money. It’s part of what we want to look at. And then of course, the next part is the return on investments. So again, if an investment is in some sort of new control, is that control going to help you efficiently? If I were to think again of kind of the idea, let’s say you’re a company that produces paper, you sell paper around the world and your factory doesn’t have Sprinklers.

What would happen if you had a fire? You get the idea I’m talking about paper and how easy it burns. Would it be a return on investment for you to invest in sprinklers, to be able to try to reduce the chance of the type of damage that could happen? So whether it’s the total cost of ownership, return on investment, timeline budgeting, that’s a lot of what we have to look at in the administrative aspect. And of course, that does go with the whole world of the security realm. Because, again, if you’re going to buy new equipment and we start asking the questions, is the price of that equipment, the service contracts, the labor involved, is that worth putting it in place? As far as the risk reduction, the possibility of lowering the potential impact, those are studies that we have to be responsible for.

40. Educational and Informational Components

Now, lastly, educational informational components. This is a big thing and it’s important to remember that employees are sometimes the first ones that might notice something. So we want to educate them, make them aware, make sure they understand what information security is, let them know what social engineering is as an example. So if they get a suspicious phone call, they know that they can report that and saying, hey, somebody’s trying to get my passwords. A lot of times employee orientation and the initial training of the employees is very important. I know that I was going to go teach a class at a military facility and they made it mandatory that I took this online training.

So I knew things like don’t bring USB drivesinto the military base, can’t bring any smartphone or object that has a camera acceptable use policies that might be like what we’re allowed to do or say or send on email, right? Can we attach documents? If so, do the documents have a classification where some yes, some no. And of course we should also have employee monitoring policies. I’ll put that back in email many times. We see that when we start with a company that they tell us right away that all of our email that sent on a company server on the company email is going to be read or potentially could be read by security personnel. And we don’t want to have privacy violations, so we want to make sure we have those in place as well.

41. Lesson 7: Information Security Program Resources

We’re going to talk about the Information security program resources. Now, we already realized that there are going to be a lot of resources required to really develop to implement a security program and it’s important that the Information Security Manager understand what those resources are and how they can be used. Now, we can think of resources as the mechanisms that are available in some mixture that can help us to achieve the desired state of security. Now remember, a resource, again, can be issues of finances, costs, budgetary items. The people that we have, if we have a sufficient number of people, their skill sets that they have, the existing controls that are in place, all of these items that we hopefully have reviewed that help us understand our current state.

But as a part of that inventory, those are what we have to work with to be able to get to that desired state. And sometimes it may just end up that we find we need other resources which might be having people with different skill sets that could then say part of the plan, maybe a budgetary cost of getting those types of resources or whether or not we bring third parties in. All of those are parts of what we have to consider in trying to create this suspect security program. But to have a program we need to know what our resources are. Because if we create a plan that needs resources we don’t have available, then the plan is not going to go anywhere, right? We need to be able to support the overall security program.

42. Resources

Now when we talk about those resources, as I was trying to list them, most of those should have already been as a part of the overall review that you looked at. And we’ve enumerated some of these in some of the other domains that we’ve talked about here with CISM. But again, remember some of the examples of your resources, things like your policies, your standards, procedures and guidelines. Now it’s important we understand that because policies, number one, can also be a constraint. And what I mean by that is that the policies may very well say that as a part of meeting our business objectives, number one, we are not going to change our policy about meeting our business objectives because that’s what keeps the company running. But we may also have certain regulatory requirements that we have to follow. There may be certifications that we must maintain, especially for the stakeholders and for the way we do business.

And so in a way, those policies are pretty rigid in that some of those statements aren’t going to change. And again, that should act, I say, as a constraint, like that’s a negative thing. It’s not. Remember, our goal is to make our security program in alignment with the business objectives. Of course standards have constraints within them. They tell us the way in which we have to do business. We need to know what we have, maybe even a review of the standards to see if there are changes that we need. But again, these are parts of our resources that are already in place. We certainly have the entire architecture to look at and we’ll talk a little bit more about architecture as far as some of the resources to kind of get a bigger picture of what we’re really talking about. But a lot of times that’s the who, what, when, where, how that we answer about the organization.

Now we have controls already in place, at least I hope we did. Those are resources we can use. We have physical, technical and procedural types of controls. And nobody said that a part of getting to this new goal of desired state needs a new firewall. Maybe it just needs a change in the configuration. Nobody said we needed to change the way in which we’re doing physical security. Maybe it’s adequate or maybe just a few new policies or standards or even procedures that they have to go by, but we have them in place. So we have those as a resource. Again, the countermeasures right and layer defenses as well as other technologies may be sufficient for what we need as a resource. But again, a change of either deployment of configuration of the way in which they’re being used. Now I’ve mentioned it over and over again, the personnel and the organizational structure very important as a resource, we’re not going to get anywhere without having actual personnel that can help us.

And hopefully we have also inventory their strengths, their weaknesses, their skill sets. If we don’t have that, maybe more training is needed. But part of the resources we have could be skills and training, especially in the awareness and education of security. Now we also have the potential of having your threat and vulnerability assessments that we can use. The results of those as a resource. Especially useful was we are trying to evaluate where we are currently and testing to see if we’re making progress towards our goal. And those should also be a part of what we’ve seen with our risk assessment and risk management. That again is a way of understanding our start point, knowing where we are currently and using those resources to continue to look at risk all the way through this process.

43. Documentation

A part of what we’re going to see is the documentation. Documentation is part of what we looked at our resources. Those are those existing policies, standards and procedures and guidelines. Those are your primary documentation. And again, I said, they are not only a resource, but they are also constraints. And that, again, is not a negative connotation because in reality, our goal, as I said, and have said, and we’ll probably continue to repeat, is to be in alignment with the business objectives. And so as a constraint, that hopefully gives us the way of which saying, okay, we have to operate within these constraints. And that’s a good thing because it’s going to take us to the overall goal of our security program. Now, remember, again, policies, as I said, are often designed around your regulatory requirements, and they often list the security requirements that are going to be there in alignment with the business.

• Category: Uncategorized