ISACA CISM – Domain 03 – Information Security Program Development Part 2
11. Defining Objectives Part 2
So after the objectives have been defined and we’ve done the work to close the gap, as I was just mentioning, our goal is to reach the desired state. That’s really one of the big objectives. Now, as part of your program, of course, you’re going to have to identify the control objectives. Remember, a control is often called a countermeasure in other communications and discussions. And so whether that’s something like a new firewall or a new intrusion prevention system, whatever the case may be, it has to be measurable.
But you have to ask the question: what are you trying to measure? You need suitable metrics. And to measure against those metrics, you’ll need monitoring, meaning monitoring of a control point, some sort of countermeasure, whether it’s a firewall or another device. You need to be able to monitor it, to have a way of tracking it and making sure it meets those metrics, and to confirm that you’ve actually reached that desired state.
12. Lesson 3: Information Security Program Development Concepts Part 1
So we’re going to take a look at the information security program development concepts. As the Information Security Manager, you must have a good understanding of many of the management and process concepts. Now, when I talk about having a good understanding, remember the goal is to understand the concepts, not necessarily to be able to work hands-on in each of these areas. Many times, understanding what to expect and what you can ask for is a very important part of management, together with having a way of rating the work and determining whether it meets the compliance you’re looking for. So what kind of concepts? Well, we already talked a little bit about the lifecycle of the security program itself.
So being familiar with something like the software development lifecycle, the SDLC, is very important. We’re going to have to deal with the development of requirements. Conceptually, we have to understand what that means as far as coming up with a list of requirements for what we’re trying to accomplish, and with specifications development. Many times, as part of this program, we’ll be doing a lot of documentation, and that’s what the development of requirements and specifications involves. Now, each organization may have its own way of doing that and its own supporting documentation; that’s something we’ll become familiar with as we work with those organizations. Next are the control design and development objectives.
Again, a very important aspect, because a big part of security is the creation of controls. Remember, a lot of the time when we refer to controls we’re talking about policies, standards, procedures and guidelines. So we have to design those controls and, of course, have a purpose for what we’re attempting to reach through that development. We also need to understand what’s going on with the implementation and the testing of controls. Then there’s monitoring and metrics. Part of that is making sure we understand the quality of the metrics, what they mean to us and whether they’re effective, so that we can utilize that information. As we said in other domains, you can’t manage what you can’t measure.
So that’s an important aspect we have to understand. We also have to look at the architecture. As we discussed when looking at the different aspects of the security program, there are architectures we can use as a framework to give us guidance in setting these things up. A lot of, if not everything, that we do has to end up in documentation at some point. That documentation has to be communicable, up through the organizational levels and further down. It may also need to be available to our stakeholders, so they can see that we are doing our best to meet the business objectives and that the security program is in alignment with them. Quality assurance is a very important aspect, especially because we don’t want to assume that things are working the way they’re supposed to.
As we said, quality assurance is out there looking for compliance, making sure we’re meeting the goals we stated we would. Program management: this is a program, so you have to deal with budgeting, costing and other functional issues, which can also involve your resources, such as personnel. Risk management is a very complex part of the puzzle of coming up with effective controls, so we have to understand what’s happening in risk management, which consists of your risk assessments, your risk analysis and your business impact analysis. And, of course, the communication processes need to be there for training and awareness: communicating up to executive management and the board of directors, as I said, and through training and awareness to everybody that might be involved.
13. Information Security Program Development Concepts Part 2
It is also important that we understand the technology resources. There can be a large variety of technologies, as well as processes, policies and people, that we’re putting together throughout this security program, and having a good overview of what to expect from these devices is important. So when we talk about things like firewalls and security systems, including your network devices and intrusion detection, it’s important that you understand some of the distinctions between them, especially as a lot of these devices are starting to merge together. The goal of a firewall has typically been to stop the communications we don’t want, generally called packets. We look at things like IP addresses and protocol types and decide whether that kind of traffic even needs to come into my network. Well, we can certainly do that with some of our networking devices as well.
Routers can certainly do screening to stop those types of packets coming in. With intrusion detection we can do the same thing, but intrusion detection goes beyond the layer three and four inspection I just described with IP addresses and protocols: it actually looks at the content of what’s being delivered, whereas the IP address only tells us where it’s being delivered. By looking at that content we can add even more inspection to make sure we’re not seeing viruses, malware or abnormal activity that we’re not used to seeing on the network. And we can put all of these together in layers of defense. My router at the front can screen a lot of what we might call spoofed IP packets; it often doesn’t have the ability to keep track of full sessions, but it can block a lot of traffic.
So when the traffic that gets through reaches the firewall, there won’t be as much of it; it will already have been scrubbed in some respects by that router, and the firewall can look at the remaining traffic and decide what can come through. The good news is that the firewall might stop 95% to 98% of the garbage traffic and allow in just the traffic we specify. At that point, the firewall typically might not have looked at the content of the packets (many do today, which is why I said they’re merging together), so the intrusion detection system can look at the remaining packets to see if there are any types of attacks we have to worry about.
After all of those layers, we can then control the way data traverses our network. Even in the switches, we can implement filters based on how we segment the network with VLANs, for example keeping voice traffic away from data traffic so that people can’t eavesdrop on conversations. Again, you don’t need to know the specifics of how to configure any of those things; just having that kind of understanding, as I’ve explained, helps you in the decision process to say, okay, I get it, I know what my expectations are, I know what I’m looking for and how some of these technologies interact. In the cryptographic arena we have different techniques we can use, such as PKI, the public key infrastructure, which we might use for digital signatures.
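The router, firewall and intrusion detection layers described above can be modelled in a few lines, which makes the division of labour concrete: each layer only sees what it is built to see. The following is an added example written for this page, not code from the course; the internal address range, the firewall allow list, the IDS signatures and the sample packets are all constructed for the demo.

```python
"""Layered network defense simulation (added example, not from the course).
Router = layer 3 source screening, firewall = layer 3/4 header policy,
IDS = payload content inspection. Everything below is constructed for the demo."""
import ipaddress
from dataclasses import dataclass, field

# Assumed internal address range that the perimeter protects (constructed).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Firewall policy: the only (protocol, destination port) pairs allowed inbound (constructed).
FIREWALL_ALLOW = {("tcp", 443), ("tcp", 25)}
# IDS content signatures: byte patterns that should never appear in inbound
# payloads (constructed and deliberately tiny; real rulesets are far larger).
IDS_SIGNATURES = {"sqli-union": b"UNION SELECT", "xss-script": b"<script>"}


@dataclass
class Packet:
    name: str            # label used only for reporting
    src: str             # source IP address as seen at the ingress router
    proto: str           # "tcp" or "udp"
    dport: int           # destination port
    payload: bytes = b""
    trace: list = field(default_factory=list)  # which layer did what


def router_screen(pkt: Packet) -> bool:
    """Layer 3 only: drop inbound packets whose source address is spoofed,
    i.e. claims to come from inside our own network or from loopback."""
    src = ipaddress.ip_address(pkt.src)
    if src in INTERNAL_NET or src.is_loopback:
        pkt.trace.append("router:drop-spoofed-source")
        return False
    pkt.trace.append("router:pass")
    return True


def firewall_filter(pkt: Packet) -> bool:
    """Layers 3-4: stateless header policy; allow only listed protocol/port pairs.
    The payload is never examined here."""
    if (pkt.proto, pkt.dport) not in FIREWALL_ALLOW:
        pkt.trace.append(f"firewall:drop-{pkt.proto}/{pkt.dport}")
        return False
    pkt.trace.append("firewall:pass")
    return True


def ids_inspect(pkt: Packet) -> bool:
    """Content layer: the IDS looks inside the payload the earlier layers ignored."""
    for sig_name, pattern in IDS_SIGNATURES.items():
        if pattern in pkt.payload:
            pkt.trace.append(f"ids:alert-{sig_name}")
            return False
    pkt.trace.append("ids:clean")
    return True


def run_pipeline(packets):
    """Pass each packet through router -> firewall -> IDS in order and count
    where it was stopped. Returns (counts_per_layer, names_of_delivered_packets)."""
    counts = {"router": 0, "firewall": 0, "ids": 0, "delivered": 0}
    delivered = []
    for pkt in packets:
        if not router_screen(pkt):
            counts["router"] += 1
        elif not firewall_filter(pkt):
            counts["firewall"] += 1
        elif not ids_inspect(pkt):
            counts["ids"] += 1
        else:
            counts["delivered"] += 1
            delivered.append(pkt.name)
    return counts, delivered


def sample_packets():
    """Constructed inbound traffic mix: two spoofed sources, two policy
    violations, one clean request and one request carrying a known signature."""
    return [
        Packet("spoofed-internal", "10.1.2.3", "tcp", 443, b"GET / HTTP/1.1"),
        Packet("spoofed-loopback", "127.0.0.1", "tcp", 443, b"GET / HTTP/1.1"),
        Packet("telnet-probe", "198.51.100.7", "tcp", 23),
        Packet("udp-to-443", "198.51.100.7", "udp", 443),
        Packet("normal-https", "198.51.100.8", "tcp", 443, b"GET /index.html HTTP/1.1"),
        Packet("sqli-attempt", "198.51.100.9", "tcp", 443,
               b"GET /login?id=1 UNION SELECT 1,2 HTTP/1.1"),
    ]


if __name__ == "__main__":
    counts, delivered = run_pipeline(sample_packets())
    print(counts, delivered)
    for p in sample_packets():
        run_pipeline([p])
        print(f"{p.name:18} {' -> '.join(p.trace)}")
```

The point of the trace is that the spoofed packets never reach the firewall and the telnet probe never reaches the IDS; each layer removes a class of traffic cheaply so the more expensive content inspection only runs on what remains, which is the 95% to 98% reduction the lecture describes.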
So what does the public key infrastructure mean for us? It’s a method of encryption that uses multiple keys, at least two, so that we can prove that a message came from a specific person, which is great for authentication. We can also use it to encrypt messages so that people can’t eavesdrop on conversations, which is great for email as well. We might even use these techniques for encrypting data on our hard drives, as well as for encrypting the communications I just talked about. Then there are the authentication options. We talk about multifactor authentication and why it’s important to us, knowing that authentication options come in a wide variety of technologies.
Multifactor is a matter of knowing that we can ask somebody for something they know, like a username and password; something they have, like a smart card or a token generator; or something they are, such as a biometric like their palm or their fingerprint. If we put multiple options together, we’ve increased the security of authentication, so that having a password stolen is no longer enough on its own: the fingerprint or the smart card would also be needed. Know also that there are many types of authentication servers, such as RADIUS or TACACS+, that we can use to help with scalability and add even more communication secrecy. Again, these are just options you need to know about. Next are your application security methodologies.
When we talk about application security, we’re often talking about a couple of things. Number one, the security of the source code: can somebody get hold of the source code and use it to work out how to attack the application? They don’t even need to reverse engineer anything; they can look for weaknesses in the design and use those as a way in. We also want to know that the application is working well in terms of putting out correct information. If it’s issuing information, what are its integrity and accuracy, and do we have methods of checking that? And how does the application behave if people purposely put bad information in, maybe trying to crash the program or find a way to break in through what we might call fuzzing attacks?
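The last question, how an application behaves when deliberately bad input arrives, is exactly what a fuzz test answers before an attacker does. The following is an added example written for this page, not code from the course: a deliberately fragile parser for a constructed "quantity,total" order record, a hardened version with a single documented failure mode, and a small seeded fuzzer that reports any exception the parser was not designed to raise. Record format, field limits and the mutation strategy are all assumptions made for the demo.

```python
"""Fuzz-testing a small input parser (added example, not from the course).
Contract under test: a parser either returns a dict or raises BadInput.
Any other exception is a robustness bug that the fuzzer reports."""
import random
import re


class BadInput(ValueError):
    """The one exception a well-behaved parser is allowed to raise."""


def parse_order_fragile(line: str) -> dict:
    """Naive parser for a constructed 'quantity,total' record.
    It assumes well-formed input and so can raise IndexError, ValueError
    and ZeroDivisionError on hostile input."""
    parts = line.split(",")
    qty = int(parts[0])
    total = int(parts[1])
    return {"qty": qty, "unit_price": total // qty}


def parse_order_hardened(line: str) -> dict:
    """Same record format, but every assumption is checked explicitly and
    every rejection is reported as BadInput. Limits are assumed for the demo."""
    if not isinstance(line, str) or len(line) > 64:
        raise BadInput("record too long or not text")
    parts = line.split(",")
    if len(parts) != 2:
        raise BadInput("expected exactly two fields")
    # ASCII digits only, bounded length: rejects signs, whitespace, unicode digits
    # and values large enough to cause trouble downstream.
    if not all(re.fullmatch(r"[0-9]{1,7}", p) for p in parts):
        raise BadInput("fields must be 1-7 ASCII digits")
    qty, total = int(parts[0]), int(parts[1])
    if qty == 0 or qty > 10_000:
        raise BadInput("quantity out of range")
    return {"qty": qty, "unit_price": total // qty}


def fuzz(parser, seed: str = "3,30", rounds: int = 500, rng_seed: int = 1) -> dict:
    """Feed the parser a fixed set of crafted edge cases plus random mutations
    of a valid seed record. Returns {exception_class_name: first_input_that_caused_it}
    for every exception other than BadInput; an empty dict means no crash found."""
    rng = random.Random(rng_seed)              # seeded so runs are reproducible
    charset = "0123456789,-. ab\x00"           # mutation alphabet (constructed)
    crafted = ["", "3", ",", "0,5", "-1,5", "a,b", "3,30,7", "9" * 40 + ",1", "3,30\n"]
    unexpected = {}

    def probe(candidate: str) -> None:
        try:
            parser(candidate)
        except BadInput:
            pass                               # a documented rejection, not a bug
        except Exception as exc:               # anything else is a robustness bug
            unexpected.setdefault(type(exc).__name__, candidate)

    for case in crafted:
        probe(case)
    for _ in range(rounds):
        chars = list(seed)
        for _ in range(rng.randint(1, 3)):     # apply 1-3 random mutations
            op = rng.choice(("insert", "delete", "replace"))
            if op == "insert" or not chars:
                chars.insert(rng.randint(0, len(chars)), rng.choice(charset))
            elif op == "delete":
                chars.pop(rng.randrange(len(chars)))
            else:
                chars[rng.randrange(len(chars))] = rng.choice(charset)
        probe("".join(chars))
    return unexpected


if __name__ == "__main__":
    print("fragile parser bugs :", fuzz(parse_order_fragile))
    print("hardened parser bugs:", fuzz(parse_order_hardened))
```

The crafted cases alone are enough to expose the three crash classes in the fragile parser (a missing field, non-numeric text and a zero quantity), and the random mutations then keep looking for anything the author did not think of. The hardened version turns every one of those into the same controlled rejection, which is the behaviour a reviewer should be able to check rather than assume.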
14. Technology Resources
Web security is not just about web applications, although that’s an important aspect, because a lot of people do things like SQL injection by entering crafted input into the fields of a web application. We also mean the security of the underlying web server and, of course, any supporting technologies that web server talks to, such as a database server. Now, most of the devices I’ve talked about so far will, if you ask them, compile a record of their activities in logs. So what about the compilation of logs? Do we want them in a centralized location to make analysis easy? There’s a variety of software platforms that can take logs from many different vendors, help analyze them and give you early notice of potential problems,
rather than hoping somebody has the time to read through all of the logs individually. We can also test our security, as another part of our technology resources, through vulnerability scans and penetration testing. And hopefully what you’re seeing here is that, as we said, these technology resources can be processes, policies and people. Compiling logs might be automated, but reviewing them might involve people. Vulnerability scans and penetration testing might use some automated processes and technologies, but some of them involve people actually doing the test.
The scan is usually an automated system looking for signs of problems, whereas the penetration test is an actual person knocking on the doors, trying to break into the network with permission, to test the assumptions you have about your security. And of course business continuity programs are very important, because another aspect of security is availability. I want to know whether we have the right technologies, processes or people in place so that, if a server fails, I can bring it back to life very quickly. That might be done through a series of backups and restorations.
Today, though, with virtualization, a server can fail and come back up in mere minutes at most by moving the machine to another virtualization host, giving us some great business continuity solutions that eliminate as much downtime as possible. So knowing about these technologies and their capabilities is very important for the management process. But that doesn’t mean you have to have created a virtualized server, configured a firewall or written your own cryptographic algorithm. I certainly haven’t done that. But it’s important that we understand what we’re looking for.
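The value of centralizing logs, as described above, comes from putting records from different vendors into one shape so that a single rule can read across them. The following is an added example written for this page, not code from the course or from any log-analysis product: two constructed vendor formats (a firewall and an IDS) are normalized into common events, and a simple rule then flags a source that is repeatedly denied by the firewall or that triggers an IDS alert. Log formats, hostnames, addresses and the deny threshold are all constructed for the demo.

```python
"""Centralized log normalization and a first-pass detection rule
(added example, not from the course). Log lines below are constructed."""
import re
from collections import defaultdict

# Constructed sample lines in two made-up vendor formats.
RAW_LOGS = [
    "2024-05-01T10:00:01Z fw-edge action=DENY src=198.51.100.7 dst=10.0.0.5 proto=tcp dport=22",
    "2024-05-01T10:00:02Z fw-edge action=DENY src=198.51.100.7 dst=10.0.0.5 proto=tcp dport=23",
    "2024-05-01T10:00:02Z fw-edge action=ALLOW src=203.0.113.20 dst=10.0.0.5 proto=tcp dport=443",
    "2024-05-01T10:00:03Z fw-edge action=DENY src=198.51.100.7 dst=10.0.0.5 proto=tcp dport=3389",
    "2024-05-01T10:00:03Z fw-edge action=DENY src=203.0.113.20 dst=10.0.0.6 proto=udp dport=161",
    "2024-05-01T10:00:04Z fw-edge action=DENY src=198.51.100.7 dst=10.0.0.5 proto=tcp dport=445",
    "<134>2024-05-01T10:00:05Z ids-core ALERT sig=sqli-union 198.51.100.9:51000 -> 10.0.0.5:443",
    "<134>2024-05-01T10:00:06Z ids-core INFO heartbeat ok",
    "garbage line that matches no known format",
]

# One regex per vendor format; named groups map onto the common event fields.
FIREWALL_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>ALLOW|DENY) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)
IDS_RE = re.compile(
    r"^<\d+>(?P<ts>\S+) (?P<host>\S+) ALERT sig=(?P<sig>\S+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line: str):
    """Turn one raw line into a common event dict, or None if it is
    unrecognized (those still get counted so parser gaps are visible)."""
    m = FIREWALL_RE.match(line)
    if m:
        return {"ts": m["ts"], "source": "firewall", "host": m["host"],
                "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
                "event": "deny" if m["action"] == "DENY" else "allow"}
    m = IDS_RE.match(line)
    if m:
        return {"ts": m["ts"], "source": "ids", "host": m["host"],
                "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
                "event": "alert", "sig": m["sig"]}
    return None


def normalize(lines):
    """Parse every line; returns (events, number_of_unparsed_lines)."""
    events, unparsed = [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    return events, unparsed


def find_suspicious(events, deny_threshold: int = 3):
    """Rule across both sources: a source address is flagged when the firewall
    denied it at least `deny_threshold` times (many distinct ports looks like
    probing) or when the IDS raised any alert for it. Returns {src: [reasons]}."""
    denies = defaultdict(set)       # src -> set of denied destination ports
    findings = defaultdict(list)
    for ev in events:
        if ev["source"] == "firewall" and ev["event"] == "deny":
            denies[ev["src"]].add(ev["dport"])
        elif ev["source"] == "ids" and ev["event"] == "alert":
            findings[ev["src"]].append(f"ids-alert:{ev['sig']}")
    for src, ports in denies.items():
        if len(ports) >= deny_threshold:
            findings[src].append(f"firewall-denies:{len(ports)}-ports")
    return dict(findings)


if __name__ == "__main__":
    events, unparsed = normalize(RAW_LOGS)
    print(f"{len(events)} events normalized, {unparsed} lines unparsed")
    for src, reasons in sorted(find_suspicious(events).items()):
        print(src, reasons)
```

Counting unparsed lines matters as much as the detections: a new device or a format change silently dropping out of the central view is the kind of gap the lecture warns about when it says you cannot manage what you cannot measure.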
15. Information Security Manager
Now, the Information Security Manager. Good governance includes having clearly defined roles and responsibilities, and the Information Security Manager is included in that definition. They’re the ones in charge of meeting your security objectives. They can, of course, delegate roles and responsibilities, as they should, because we have people with different skill levels and different expertise who might be in charge of different aspects of the overall security. That is one way of talking about the use of proper resources; resources also include your time constraints and your financial capability for what you can purchase, costs and the rest of it.
Again, the Security Manager should have a way of verifying that we’re on track and doing well with meeting compliance. That means creating a set of useful monitoring and management metrics and having a way of using that information through quality assurance, to confirm we’re in compliance or to see that we have security issues to deal with. They also need to be part of the top-down commitment. That means you’re there to enforce the controls you’ve put out there: if there are policies, standards and procedures you’re a part of, you’re not only helping with enforcement, training and awareness, but following them yourself. Right, leading again by good example.
16. Lesson 4: Scope and Charter of Information Security Program Development
We’re going to take a look at the scope and charter of information security program development. Remember, implementing a security program is going to impact an organization’s normal way of doing business, or at least it possibly could, especially if you haven’t had a security program in place before now. The extent of management support and the implementation of the strategy and risk management activities are basically going to help you determine what that charter is. The charter is the agreement, or the contract, for what we’re trying to do.
17. Assurance Function Integration
Let’s take a look at assurance function integration. Any security program, to be effective, has to include the activities of many different departmental functions. We don’t want individual little silos of departments working on their own security functions, maybe overlapping the work they do, increasing costs for the overall business and leaving gaps in protection between those departmental functions. We want them to work together. One of the problems we have is that each department has its own vernacular, right? Its own acronyms, its own language, the way it speaks. But there still needs to be some organization to the integration of policy across the entire business. As an example, I might have one department that does its own risk assessment, maybe for physical security.
But if that facility is the same facility we’re housed in, then that assessment would seem to have relevance to the overall security, which would even encompass the information systems, because physical security is certainly an important aspect of protecting our information systems. So the question is, why should information systems do their own assessment of physical security when another department is doing the same thing? Maybe that department has a large amount of equipment it’s worried about being stolen; together they can combine those efforts into what is hopefully a lower-cost solution. And it’s part of the overall policy, the overall strategy, and hopefully we can keep it in alignment with the business policies or the business objectives.
18. Challenges in Developing Information Security Program
There are some challenges in developing an information security program. It takes a lot of cooperation to get a program into place, and it’s not unusual at all for security program development to be impacted by people, processes and policy issues, some of which may be in conflict. You make changes to a program and some people are resistant to change. Some people may say, this is how we’ve done it for 40 years; there’s no reason to do it this other way. I’ve gone so far as to hear people say, I’ve been at this company so long, I’ve seen them try this before and roll it back, and try it again and roll it back, and it never works. I wonder sometimes if it’s not working because of the attitude that it never works, and because it’s a change that people don’t want to take on.
Other issues may, of course, result in cost overruns, especially if unanticipated issues show up or new requirements come to light. It’s not unusual during the course of a program to hear about new regulations coming down from a governmental agency that suddenly change, maybe even significantly, the direction you have to go to reach certain security objectives. Certainly over the last several years there’s been a lot of debate about a lot of regulations in the world of banking and commerce. If you’re in the middle of a program and suddenly those regulations change, I can’t help but think that your target has just moved. You’ve spent all that time, effort and energy going in one direction, and suddenly you need to make some detours to get to whatever that policy was, and maybe even to a change of the policy. Worst case scenario, you may have to start the strategy over.