How To Manage An Infrmatin Security Gvernance Prgram

Transcription

1 CCISO Ttal Duratin: 10 Days, 80 Hurs Dmain 1: Gvernance Qualifying areas under Dmain 1 include (but are nt limited t) the fllwing: Define, implement, manage and maintain an infrmatin security gvernance prgram that includes leadership, rganizatinal structures and prcesses. Align infrmatin security gvernance framewrk with rganizatinal gals and gvernance, i.e., leadership style, philsphy, values, standards and plicies. Establish infrmatin security management structure. Establish a framewrk fr infrmatin security gvernance mnitring (cnsidering cst/benefits analyses f cntrls and ROI). Understand standards, prcedures, directives, plicies, regulatins, and legal issues that affect the infrmatin security prgram. Understand the enterprise infrmatin security cmpliance prgram and manage the cmpliance team. Analyze all the external laws, regulatins, standards, and best practices applicable t the rganizatin. Understand the varius prvisins f the laws that affect the rganizatinal security such as Gramm-Leach-Bliley Act, Family Educatinal Rights and Privacy Act, Health Insurance Prtability and Accuntability Act [HIPAA], Federal Infrmatin Security Management Act [FISMA], Clinger-Chen Act, Privacy Act, Sarbanes-Oxley, etc. Be familiar with the different standards such as ISO series, Federal Infrmatin Prcessing Standards [FIPS]. Understand the federal and rganizatin specific published dcuments t manage peratins in a cmputing envirnment. Assess the majr enterprise risk factrs fr cmpliance. Crdinate the applicatin f infrmatin security strategies, plans, plicies, and prcedures t reduce regulatry risk. Understand the imprtance f regulatry infrmatin security rganizatins and apprpriate industry grups, frums, and stakehlders.

2 Understand the infrmatin security changes, trends, and best practices. Manage enterprise cmpliance prgram cntrls. Understand the infrmatin security cmpliance prcess and prcedures. Cmpile, analyze, and reprt cmpliance prgrams. Understand the cmpliance auditing and certificatin prgrams. Fllw rganizatinal ethics. Dmain 2 Management Cntrls and Auditing Management Infrmatin Security Management Cntrls: Identify the rganizatin s peratinal prcess and bjectives as well as risk tlerance level. Design infrmatin systems cntrls in alignment with the peratinal needs and gals and cnduct testing prir t implementatin t ensure effectiveness and efficiency. Identify and select the resurces required t effectively implement and maintain infrmatin systems cntrls. Such resurces can include human capital, infrmatin, infrastructure, and architecture (e.g., platfrms, perating systems, netwrks, databases, applicatins). Supervise the infrmatin systems cntrl prcess t ensure timely implementatin in accrdance with the utlined budget and scpe, and cmmunicate prgress t stakehlders. Design and implement infrmatin systems cntrls t mitigate risk. Mnitr and dcument the infrmatin systems cntrl perfrmance in meeting rganizatinal bjectives by identifying and measuring metrics and key perfrmance indicatrs (KPIs). Design and cnduct testing f infrmatin security cntrls t ensure effectiveness, discver deficiencies and ensure alignment with rganizatin s plicies, standards and prcedures. Design and implement prcesses t apprpriately remediate deficiencies and evaluate prblem management practices t ensure that errrs are recrded, analyzed and reslved in a timely manner. Assess and implement tls and techniques t autmate infrmatin systems cntrl prcesses. Prduce infrmatin systems cntrl status reprts t ensure that the prcesses fr infrmatin systems peratins, maintenance and supprt meet the rganizatin s strategies and bjectives, and share with relevant stakehlders t supprt executive decisi Auditing Management Understand the IT audit prcess and be familiar with IT audit standards.

3 Apply infrmatin systems audit principles, skills and techniques in reviewing and testing infrmatin systems technlgy and applicatins t design and implement a thrugh risk-based IT audit strategy. Execute the audit prcess in accrdance with established standards and interpret results against defined criteria t ensure that the infrmatin systems are prtected, cntrlled and effective in supprting rganizatin s bjectives. Effectively evaluate audit results, weighing the relevancy, accuracy, and perspective f cnclusins against the accumulated audit evidence. Assess the expsures resulting frm ineffective r missing cntrl practices and frmulate a practical and cst-effective plan t imprve thse areas. Develp an IT audit dcumentatin prcess and share reprts with relevant stakehlders as the basis fr decisin-making. Ensure that the necessary changes based n the audit findings are effectively implemented in a timely manner. n-making. Dmain 3 Management Prjects and Operatins. Qualifying areas under Dmain 3 include (but are nt limited t) the fllwing: Fr each infrmatin systems prject develp a clear prject scpe statement in alignment with rganizatinal bjectives. Define activities needed t successfully execute the infrmatin systems prgram, estimate activity duratin, and develp a schedule and staffing plan. Develp, manage and mnitr the infrmatin systems prgram budget, estimate and cntrl csts f individual prjects. Identify, negtiate, acquire and manage the resurces needed fr successful design and implementatin f the infrmatin systems prgram (e.g., peple, infrastructure, and architecture). Acquire, develp and manage infrmatin security prject team. Assign clear infrmatin security persnnel jb functins and prvide cntinuus training t ensure effective perfrmance and accuntability. Direct infrmatin security persnnel and establish cmmunicatins, and team activities, between the infrmatin systems team and ther security-related persnnel (e.g., technical supprt, incident management, security engineering). Reslve persnnel and teamwrk issues within time, cst, and quality cnstraints. Identify, negtiate and manage vendr agreement and cmmunicatin. Participate with vendrs and stakehlders t review/assess recmmended slutins; identify incmpatibilities, challenges, r issues with prpsed slutins.

4 Evaluate the prject management practices and cntrls t determine whether business requirements are achieved in a cst-effective manner while managing risks t the rganizatin. Develp a plan t cntinuusly measure the effectiveness f the infrmatin systems prjects t ensure ptimal system perfrmance. Identify stakehlders, manage stakehlders expectatins and cmmunicate effectively t reprt prgress and perfrmance. Ensure that necessary changes and imprvements t the infrmatin systems prcesses are implemented as required. Dmain 4 Infrmatin Security Cre Cmpetence Access Cntrl Identify the criteria fr mandatry and discretinary access cntrl, understand the different factrs that help in implementatin f access cntrls and design an access cntrl plan. Implement and manage an access cntrl plan in alignment with the basic principles that gvern the access cntrl systems such as need-t-knw. Identify different access cntrl systems such as ID cards and bimetrics. Understand the imprtance f warning banners fr implementing access rules. Develp prcedures t ensure system users are aware f their IA respnsibilities befre granting access t the infrmatin systems. Scial Engineering, Phishing Attacks, Identity Theft Understand varius scial engineering cncepts and their rle in insider attacks and develp best practices t cunter scial engineering attacks. Design a respnse plan t identity theft incidences. Identify and design a plan t vercme phishing attacks. Physical Security Identify standards, prcedures, directives, plicies, regulatins and laws fr physical security. Determine the value f physical assets and the impact if unavailable. Identify resurces needed t effectively implement a physical security plan. Design, implement and manage a cherent, crdinated, and hlistic physical security plan t ensure verall rganizatinal security. Establish bjectives fr persnnel security t ensure alignment with verall security gals fr the enterprise. Design and manage the physical security audit and update issues.

5 Establish a physical security perfrmance measurement system. Risk Management Identify the risk mitigatin and risk treatment prcesses and understand the cncept f acceptable risk. Identify resurce requirements fr risk management plan implementatin. Design a systematic and structured risk assessment prcess and establish, in crdinatin with stakehlders, an IT security risk management prgram based n standards and prcedures and ensure alignment with rganizatinal gals and bjectives. Develp, crdinate and manage risk management teams. Establish relatinships between the incident respnse team and ther grups, bth internal (e.g., legal department) and external (e.g., law enfrcement agencies, vendrs, and public relatins prfessinals) Develp an incident management measurement prgram and manage the risk management tls and techniques. Understand the residual risk in the infrmatin infrastructure. Assess threats and vulnerabilities t identify security risks, and regularly update applicable security cntrls. Identify changes t risk management plicies and prcesses and ensure the risk management prgram remains current with the emerging risk and threat envirnment and in alignment with the rganizatinal gals and bjectives. Determine if security cntrls and prcesses are adequately integrated int the investment planning prcess based n IT prtfli and security reprting. Disaster Recvery and Business Cntinuity Planning Develp, implement and mnitr business cntinuity plans in case f disruptive events and ensure alignment with rganizatinal gals and bjectives. Define the scpe f the enterprise cntinuity f peratins prgram t address business cntinuity, business recvery, cntingency planning, and disaster recvery/related activities. Identify the resurces and rles f different stakehlders in business cntinuity prgrams. Identify and priritize critical business functins and cnsequently design emergency delegatins f authrity, rders f successin fr key psitins, the enterprise cntinuity f peratins rganizatinal structure and staffing mdel. Direct cntingency planning, peratins, and prgrams t manage risk. Understand the imprtance f lessns learned frm test, training and exercise, and crisis events. Design dcumentatin prcess as part f the cntinuity f peratins prgram.

6 Design and execute a testing and updating plan fr the cntinuity f peratins prgram. Understand the imprtance f integratin f IA requirements int the Cntinuity f Operatins Plan (COOP). Identify the measures t increase the level f emergency preparedness such as backup and recvery slutins and design standard perating prcedures fr implementatin during disasters. Firewall, IDS/IPS and Netwrk Defense Systems Identify the apprpriate intrusin detectin and preventin systems fr rganizatinal infrmatin security. Design and develp a prgram t mnitr firewalls and identify firewall cnfiguratin issues. Understand perimeter defense systems such as grid sensrs and access cntrl lists n ruters, firewalls, and ther netwrk devices. Identify the basic netwrk architecture, mdels, prtcls and cmpnents such as ruters and hubs that play a rle in netwrk security. Understand the cncept f netwrk segmentatin. Manage DMZs, VPN and telecmmunicatin technlgies such as PBX and VIP. Identify netwrk vulnerabilities and explre netwrk security cntrls such as use f SSL and TLS fr transmissin security. Supprt, mnitr, test, and trublesht issues with hardware and sftware. Manage accunts, netwrk rights, and access t systems and equipment. Wireless Security Identify vulnerability and attacks assciated with wireless netwrks and manage different wireless netwrk security tls. Virus, Trjans and Malware Threats Assess the threat f virus, Trjan and malware t rganizatinal security and identify surces and mediums f malware infectin. Deply and manage anti-virus systems. Develp prcess t cunter virus, Trjan, and malware threats. Secure Cding Best Practices and Securing Web Applicatins Develp and maintain sftware assurance prgrams in alignment with the secure cding principles and each phase f System Develpment Life Cycle (SDLC). Understand varius system-engineering practices.

7 Cnfigure and run tls that help in develping secure prgrams. Understand the sftware vulnerability analysis techniques. Install and perate the IT systems in a test cnfiguratin manner that des nt alter the prgram cde r cmprmise security safeguards. Identify web applicatin vulnerabilities and attacks and web applicatin security tls t cunter attacks. Hardening OS Identify varius OS vulnerabilities and attacks and develp a plan fr hardening OS systems. Understand system lgs, patch management prcess and cnfiguratin management fr infrmatin system security. Encryptin Technlgies Understand the cncept f encryptin and decryptin, digital certificates, public key infrastructure and the key differences between cryptgraphy and stegangraphy. Identify the different cmpnents f a cryptsystem. Develp a plan fr infrmatin security encryptin techniques. Vulnerability Assessment And Penetratin Testing Design, develp and implement a penetratin testing prgram based n penetratin testing methdlgy t ensure rganizatinal security. Identify different vulnerabilities assciated with infrmatin systems and legal issues invlved in penetratin testing. Develp pre and pst testing prcedures. Develp a plan fr pen test reprting and implementatin f technical vulnerability crrectins. Develp vulnerability management systems. Cmputer Frensics And Incident Respnse Develp a plan t identify a ptential security vilatin and take apprpriate actin t reprt the incident. Cmply with system terminatin prcedures and incident reprting requirements related t ptential security incidents r actual breaches. Assess ptential security vilatins t determine if the netwrk security plicies have been breached, assess the impact, and preserve evidence. Diagnse and reslve IA prblems in respnse t reprted incidents. Design incident respnse prcedures.

8 Develp guidelines t determine whether a security incident is indicative f a vilatin f law that requires specific legal actin. Identify the vlatile and persistent system infrmatin. Set up and manage frensic labs and prgrams. Understand varius digital media devices, e-discvery principles and practices and different file systems. Develp and manage an rganizatinal digital frensic prgram. Establish, develp and manage frensic investigatin teams. Design investigatin prcesses such as evidence cllectin, imaging, data acquisitin, and analysis. Identify the best practices t acquire, stre and prcess digital evidence. Cnfigure and use varius frensic investigatin tls. Design anti-frensic techniques. Dmain 5 Strategic Planning and Finance. Strategic Planning Design, develp and maintain enterprise infrmatin security architecture (EISA) by aligning business prcesses, IT sftware and hardware, lcal and wide area netwrks, peple, peratins, and prjects with the rganizatin s verall security strategy. Perfrm external analysis f the rganizatin (e.g., analysis f custmers, cmpetitrs, markets and industry envirnment) and internal analysis (risk management, rganizatinal capabilities, perfrmance measurement etc.) and utilize them t align infrmatin security prgram with rganizatin s bjectives. Identify and cnsult with key stakehlders t ensure understanding f rganizatin s bjectives. Define a frward-lking, visinary and innvative strategic plan fr the rle f the infrmatin security prgram with clear gals, bjectives and targets that supprt the peratinal needs f the rganizatin. Define key perfrmance indicatrs and measure effectiveness n cntinuus basis. Assess and adjust IT investments t ensure they are n track t supprt rganizatin s strategic bjectives. Mnitr and update activities t ensure accuntability and prgress. Finance Analyze, frecast and develp the peratinal budget f the IT department.

9 Acquire and manage the necessary resurces fr implementatin and management f infrmatin security plan. Allcate financial resurces t prjects, prcesses and units within infrmatin security prgram. Mnitr and versee cst management f infrmatin security prjects, return n investment (ROI) f key purchases related t IT infrastructure and security and ensure alignment with the strategic plan. Identify and reprt financial metrics t stakehlders. Balance the IT security investment prtfli based n EISA cnsideratins and enterprise security pririties. Understand the acquisitin life cycle and determine the imprtance f prcurement by perfrming Business Impact Analysis. Identify different prcurement strategies and understand the imprtance f cstbenefit analysis during prcurement f an infrmatin system. Understand the basic prcurement cncepts such as Statement f Objectives (SOO), Statement f Wrk (SOW), and Ttal Cst f Ownership (TCO). Cllabrate with varius stakehlders (which may include internal client, lawyers, IT security prfessinals, privacy prfessinals, security engineers, suppliers, and thers) n the prcurement f IT security prducts and services. Ensure the inclusin f risk-based IT security requirements in acquisitin plans, cst estimates, statements f wrk, cntracts, and evaluatin factrs fr award, service level agreements, and ther pertinent prcurement dcuments. Design vendr selectin prcess and management plicy. Develp cntract administratin plicies that direct the evaluatin and acceptance f delivered IT security prducts and services under a cntract, as well as the security evaluatin f IT and sftware being prcured. Develp measures and reprting standards t measure and reprt n key bjectives in prcurements aligned with IT security plicies and prcedures. Understand the IA security requirements t be included in statements f wrk and ther apprpriate prcurement dcuments.

10