ISACA CISM – Domain 03 – Information Security Program Development Part 9

64. Other Actions

All right, so there are some other actions that we can take, things that we do to kind of verify this entire set of getting to compliance. We do things like conducting a vulnerability analysis. A lot of times that’s just an automated process software that’s going to check different types of network objects or servers, see if they’re currently up to date on their patches, if they have easy default configurations. Some vulnerability analysis could also be for physical security. I mean, there’s a lot of things we can look at depending on what we’re trying to analyze. The risk and business impact assessment. We’ve certainly talked a lot about these. I’m not getting into as much detail because we really cover these in some of the other domains. But again, remember, there the big word impact, right? What would the loss of this asset do or impact our business resource dependency analysis? Again, where we’re saying the loss of this asset might not be that somebody hacked in and stole my records, but maybe I’ve lost network connectivity to it.

And so there’s some dependency there and we want to look at those. And of course, we should be looking at any external security service provider, whether it’s an outsourcing or a service contract. They might be responsible for things like your physical perimeter security. Like I said, it’s not at all unusual for me to go into a facility that has a high presence of physical security to know that those people don’t actually work for that company, which gives them that ability to be, hopefully without any conflict of interest, that they’re not going to worry about somebody as a vice president getting mad at them and saying, that’s it. You’re fired. Because you won’t let my friend Bob come in. And even though Bob doesn’t have any ID, those types of things, right? We want that kind of autonomy and some physical security. We also might have them involved in our business continuity.

Maybe they’re the offsite storage where we store all of our backups. We may hire independent penetration testing experts to come in there, which by the way, helps kind of add to the vulnerability assessment where we get the human factor to see if they can break into our networks or what their sense of security is. We often use them to help verify our assumptions of security audits. We might have a third party come in, we almost always do for financial audits on our organization. Again having that independence and lack of influence of the actual corporation. So no conflict of interest in setting those up. We might have outsiders do security reviews or maybe use them in a forensic investigation for looking for signs of fraud or theft or other illegal actions that might have occurred within the network world. So we still need to review what they do. Again, and it’s a trust and a trust no one type of idea.

65. Other Organizational Support

There are other sources of information that could be useful for security manager to be able to gather that information and help integrate it into the security program. Now of course we’re talking about groups or organizations that may just be some sort of good practice organization in today’s world. We have people following groups on Twitter, we have them listening to online audio programs, we have newsletters, all sorts of things we can get into to be able to exchange good ideas and good practices. It could be some security networking roundtables, groups of professionals from the area or around the world. Lots of security training organizations as well have different types of feeds that you can monitor discussions and hear interviews with experts in the field.

And there’s a lot of places that just do vulnerability alerting services where I get every few days or every couple of days these updates about all the new vulnerabilities and exploits and weaknesses that we have to be careful of with a variety of different types of operating systems or technology. All of this information is hopefully trying to keep us up to date as much as we can and some of it may be very relevant to your particular security program. That is, once you get this information can be helpful, as we said, in integrating it into that program.

66. Program Budgeting Part1

Program budgeting is a big part of the Information Security Program. It’s a big part of your development because it is your constraint on the success of your program. Now, when I say it is your constraint, I mean you need the budgeting, you’ll need funds for part of this, but you might not be able to put into your program every option that you had hoped for because there just isn’t the the funds to do that. So we need to make sure that as an Information Security Manager, we’re very familiar with that budgeting process and we should be familiar with it prior to our even developing the program. That means we need to understand what line items that we’re responsible for, what line items are doing, the funding, how the funding gets there, how often the funding is renewed, when is the end of years business cycle set up. All of these can be things that we need to consider as understanding it very well so that when we know how the budgeting works, then we can plan our program around that budgeting information.

67. Program Budgeting Part2

Now, there are many elements of the project that we need to think about when it comes to cost. Number one, just your ongoing operational costs. If I get this security program done, guess what? It still continues to run. And so it’s going to have an ongoing operational cost of the you could even consider the cost of the electricity of it’s, a technical control, the cost of maintaining it, of service contracts, of upgrades to software, of the people that are responsible for watching it, monitoring and maintaining it. Again, back to the service contracts. Many of your hardware and software devices have subscription services. I’ve seen a few VPN concentrators where the actual technology was very inexpensive.

But the yearly rate that you paid for the license renewal, that’s where people made their money. So we have to account for those things. Obviously, the amount of time it takes from the employees to be able to work towards this programming, any outside contracting or consulting fees, or maybe if you had to bring people in to train somebody on how to use the new product or control or countermeasure. All right, the space, of course, if you don’t have sufficient space, you have to look to see if you have the budget to be able to expand or to move things or relocate other environmental requirements. Of course, if I’m adding more gear into the server room, that may generate more heat, require more power.

Does the HVAC, is it capable of handling that add on? All of those are things that we look at in budgeting. Of course, as I said, testing and validating the resource. We certainly have to produce documentation of what we’ve done that has a cost, and it’s creation, preparation, copying and distribution. Things break. So there’s maintenance and maintenance issues, unless you have a maintenance contract. But still, the contract again has a price tag to it. And you got to have some plans for the unknown, unknown contingencies that can come in and be an issue that you couldn’t have planned for, couldn’t have firstaft. But once it’s there, you need to make sure you have at least hopefully the budget to be able to deal with those unknown types of situations.

68. Lesson 8: Implementing an Information Security Program

So, in this lesson, we’re going to take a look at the information security framework components. That means we’ll take a look at the operational, management and administrative components, as well as the educational and informational components that we need to look at in our frameworks.

69. Policy Compliance

Now, your policies are really the basis you have for accountability at least with your security responsibilities. And when we talk about policies, the goal of course, is to achieve policy compliance. Now, we’ve said that policies are pretty much kind of a short document that kind of give the blueprint or architecture of what we’re trying to do. They are the things that help support the business objectives objectives and they can simply be sayings that are telling us that we are going to be in compliance with certain regulations or whatever the goal of the policy is. Now, having said that, the policy can be too short. I don’t want a policy that says our data will be secure. Okay, well there’s a lot of ways we could interpret that. So they must be comprehensive enough hopefully to cover all of the situations but also flexible to allow different processes and procedures to be able to evolve.

Now, the security manager should make sure that there are no orphaned systems or what we call systems that don’t have any policy compliance owners. That’s an interesting thought, right, is that we want our policies to also be encompassing all parts of our security infrastructure. And so that means that we shouldn’t have systems sitting out there that have no policy.And if they have no policy, then I have nothing to test them against to see if that system is in compliance with or operating the way we expect it to be. To me that sounds like a very large risk just sitting there. Now, there are going to be, of course, times when there are exceptions to the policy. That doesn’t mean it’s a bad thing, but those exceptions to the policy need to be very well documented. Now, another aspect of this when you think about your liability, when, let’s say we have had a breach, we have a data loss, and it may have affected a lot of our customer.

If they decide to take some sort of legal action against us. We have to start showing a defense, showing that we’ve had due diligence, that we have policies that covered the best practices, that we were doing everything that we were supposed to do. But if we are found to have gone outside or had an exception to a policy, it is not the end of the world when it comes to liability, as long as it is well documented so that everybody understands. The reasons why, the circumstances that were there and showing that we’ve still put our due diligence into coming up with a solution that worked well, that managed security, even if it went outside of policy. And sometimes when we see those exceptions, they may be a key indication to us that it’s time to review the policy to see if there needs to be any updates.

70. Standards Compliance

Another compliant we have to look at is standards. Now, to be standards compliance. Well, first of all, we have to make sure we understand what the standards are. Again, the standards are those boundaries of options that we have for our systems, processes and actions that help us in enforcing the policy. So what we’re saying is that standards are really kind of the set of rules that help us get to the compliance of policy and they have boundaries sometimes can be acceptable use types of issues. All right? Standards are those boundaries and we have to show that we are staying in compliance with those standards. Now, a standard should have or give some consistency for similar systems that might have been in the same domain and have similar configurations and operations.

If we don’t have some sort of consistency. Just from the people perspective, I could see where there would be confusion if I said well, on this particular server we don’t use strong passwords, but on this particular server we have to have strong passwords. And then suddenly you’re thinking, okay, which one was the weak password? Which one was the strong password? Right there could start seeing some confusion if you multiply that by a number of different systems. So we want to see some of those consistencies. I don’t want one firewall to allow people to get out to social networking sites. If we’ve said no, they can’t. But had a standard that said well, for this group of people over here using this firewall, sure they can. And while others using this firewall can’t. I mean, again, it’s a little more difficult to do some of those actual standard compliances.

When you look in the industry of technology, there are probably just a handful of different vendors that don’t have or offer some sort of centralized management system. In other words, there’s usually some system that is used so that a person who is configuring, let’s say a security policy on a firewall or a set of rules for an intrusion detection system that they’re creating, that one. Set of policy and then through that centralized management, pushing it out to all of their security devices so they have the same manageable set, so they are consistent with each other. In other words, enforcing standards at all points without having that kind of capability. It doesn’t mean you still couldn’t have the same outcome. But you certainly do run the risk of having more introduction of human error as you try to copy them in or retire them in. But what I’m saying and suggesting here is that one of the reasons why that centralized management works so well is that it helps us maintain a standards compliance and have consistency across similar devices in the same domain.

71. Training and Education

We’ve made a lot of talk about training and education and it is a part of any security program because our security programs are dependent on people and people are said to be the weakest link in our security programs. That means that training and education needs to be on the roadmap as far as training and the education of everybody that’s going to be involved in this process. Now the goal, of course, of the training is to help educate the employees about number one operational requirements and the responsibilities of their activities. The operational requirements are basically telling us how things work and how we should be interacting with them and what our restrictions might be and of course also what are our responsibilities. If I’m working on the data entry of a certain type of set of data, I’m not necessarily going to say, well, I’m kind of bored of this, let me go work on somebody else’s project.

Unless of course there’s some sort of an approval process. We need to make sure that we’re responsible for what our activities are. Now as long as people have an understanding of why a policy is enforced, it can also help motivate them to help follow those policies. In other words, if you explain the reason for the procedure or explain the reason for the policy, people can get behind that and they say, okay, I understand the game plan. I could use similar sports analogies as well. As far as if you don’t know the game plan or if somebody just says, well, this is what I want you to do in this little game plan, I’m not going to let you see the big picture. Letting them see the big picture and understand their piece of it, their roles and responsibilities and why it’s in place that can help them in motivating to wanting to make sure that they do their part.

72. ISACA Control Objectives

Now the ISACA has a set of control objectives and they in fact identify eleven control objectives as the minimum controls that are needed to be in place for system security. Of course, starting at the top is actually having management of It security. Now that’s really kind of the goal of our entire course is to talk about being a certified information security manager. And it is an important aspect, don’t get me wrong. We need to be able to understand all aspects of what it takes to manage security. Now what are we going to manage? Well, as we manage our systems, hopefully we have some sort of a plan. We have an idea of what it’s supposed to look like, so we have the It security plan. Now some other things we might have to manage are things like identity management.

Identity management is a big issue for us. Having a single sign on capability helping make it easier for end users to be able to have multiple identities for different services, but stored perhaps in one location. That’s an option. Or you can look at identity management of how it is we’re going to authenticate people. We need user account management. There’s all sorts of best practices about user account management. How long do we go before we declare a user account dead and actually delete the account? Remember, leaving an account hanging around gives somebody else an opportunity to try to break into that account that nobody may notice. Sometimes we have things about employees who go on vacation, how we disable their account during their absence so that somebody can’t try to log in while they’re gone.

We look at all aspects of security testing, surveillance and monitoring. We talk about doing audits of all sorts. The vulnerability tests, the penetration tests, looking at the logs to determine how things are operating, to constantly seek the controls are in compliance.We also have to have a definition of what a security incident is. That’s one of those things that needs to be a part of our training and education is so that people can recognize what a security incident is and understand when they need to report it, how it needs to be reported. We look at the protection of security technology. Now that can be done physically, of course. That can be done through a lot of technical types of controls.

It can be done through our organizational controls, the policies and procedures we may have to deal with cryptographic management. That simply is again talking about methods of ways to store things securely, to be able to transmit things securely. We also have to find ways to manage the presence of malware. That means we look for things to prevent the malware sometimes that’s training as well. And awareness of the people through the use of anti malware antivirus software to help us in not only the prevention through education, but the detection and correction if it’s there. We have lots of aspects of network security. We haven’t really got into a lot of the inner workings of the routing and switching, nor should we, because that’s really not our focus is to become routing and switching engineers here.

We need to have a good overview, but there are a lot of types of attacks that can occur internally within our networks. All sorts of attacks on the Ethernet, Mac address, attacks against the IP addresses, attacks through the transport protocols and there are a lot of mechanisms in today’s equipment that are designed to be able to detect, avoid and prevent those types of attacks. So we want to make sure that we have a look at that because they are still devices considered as controls. And of course we need to really concentrate on the exchange of sensitive data. As we have said so many times, that data needs to be secured when it’s in motion and at rest, and especially if it’s sensitive data.

• Category: Uncategorized