Page 1: Certified Information Systems Security Professional (CISSP ...CISSP Exam Tips Requirements Minimum of 4 years of relevant experience or 3 years plus a degree Registration letter from

Certified Information Systems Security Professional (CISSP)

Course 1 - Information Security and Risk Management


Slide 1

© Logical Security

Logical Security

9316 Yorktown St.

McKinney, TX 75071

www.LogicalSecurity.com

Slide 2

Logical Security Offers…

Slide 3

Holistic Security

Slide 4

Slide 5

Slide 6

Slide 7

Slide 8

Think of Us…

Risk Management

Enterprise Security Architect

Security Governance

Regulatory Compliance

Vulnerability Management

Data Leakage Protection

Slide 9

Holistic Security

Slide 10

Shon Harris CISSP®

Logical Security’s CISSP Course

Logical Security

www.LogicalSecurity.com

Copyright © 2007. All rights reserved.

Slide 11

Common Body of Knowledge

Access Control

Application Security

Business Continuity and Disaster Recovery Planning

Cryptography

Information Security and Risk Management

Legal, Regulations, Compliance, and Investigation

Operations Security

Physical (Environmental) Security

Security Architecture and Design

Telecommunications and Network Security

Slide 12

Exam Specifics

CISSP Exam

250 questions

225 questions graded

25 questions are for research purposes

6 hours given to complete test

Average is 4 ½ hours

Passing grade is 700 points

Questions are weighted

Multiple choice – one answer is correct

Slide 13

Your Instructor

Recognized as one of the top 25 women in the security field by Information Security Magazine

Author of best-selling book CISSP All-In-One Study Guide and CISSP Passport

Gray Hat Hacking book 2nd edition

Former engineer in the Information Warfare unit for the Air Force

Security Consultant

President Logical Security

Security writer for Information Security Magazine and Windows 2000

Shon Harris

Slide 14

What Have You Heard?

Do you know others who have taken this exam?

Why is it seen as such a difficult test?

Slide 15

Some Reasons Why the Exam Is Difficult

Covers a wide range of information

Many people may have experience in one or two domains of the CBK, but not in all

The types of questions

Very cognitive questions

You must understand the concepts deeply to answer the questions properly

Slide 16

We Will Cover It All!

Access Control

Physical Security

Cryptography

Operations Security

Telecommunications and Network Security

Business Continuity and Disaster Recovery Planning

Security Architecture and Design

Legal, Regulations, Compliance, and Investigation

Information Security and Risk Management

Application Security

Slide 17

CISSP Exam Tips

Requirements

Minimum of 4 years of relevant experience or 3 years plus a degree

Registration letter from (ISC)2

Candidate ID is required for day of the exam

You can write in booklets; pencils will be supplied

If English is NOT your native language…

You can bring a non-technical dictionary

Sponsor must sign off vouching for your experience

Slide 18

CISSP Associate

Do not have the experience to take the exam?

No problem – you can be an “associate” and take the exam.

Once you have enough experience, submit it to (ISC)2 and join the ranks of CISSPs.

Slide 19

No Other World Exists Now

Slide 20

This Will Be Trickier than You Think

Slide 21

Question 1 Example

Which of the following is a reason to place security elements in a lower layer of the system architecture?

a. Increases performance and provides a wider range of protection

b. Increases performance and provides a more granular approach to access

c. Allows for multitasking to not interfere or be affected by the restrictions of the security elements

d. Provides more control and flexibility in configuration for the user

Slide 22

Architecture Components

(Diagram; labels: Granularity, Process Intensive; layers: Motherboard Components, BIOS and Firmware, Processor, OS Kernel, OS)

Slide 23

Question 2 Example

Clipping levels come in many different forms. Which of the following best describes a benefit of the use of clipping levels?

a. Detection of IP spoofing and resetting of configurations

b. Alerting IT staff of attacks

c. Reducing the amount of unauthorized users from logging onto a system

d. Reduction in investigation by IT members

Slide 24

Information Security and Risk Management

Security Definitions and Goals

Control Types

Risk Management and Analysis

Components of a Security Program

Roles and Responsibilities in Security

Information Classification

Employee Management

Awareness Training

Slide 25

Where Did We Come From?

In 1945, huge computers could not even do what our small calculators do today – but it was a start!

_____________________________________________________________________________________

_____________________________________________________________________________________

_____________________________________________________________________________________

_____________________________________________________________________________________

_____________________________________________________________________________________

_____________________________________________________________________________________

_____________________________________________________________________________________

_____________________________________________________________________________________

_____________________________________________________________________________________

_____________________________________________________________________________________

Page 27: Certified Information Systems Security Professional (CISSP ...CISSP Exam Tips Requirements Minimum of 4 years of relevant experience or 3 years plus a degree Registration letter from

Slide 26

Mainframe Days

And we evolved……

Slide 27

In the Good Old Days – Who Knew?

Network Configuration

TCP/IP

Ethernet

Sniffers

Layer 3

ICMP

Hacking

Ports

APIs

Phishing

Protocols

Buffer Overflows

OSI

Slide 28

Today’s Environment

Slide 29

Agenda

Security Definitions and Components

Slide 30

Security Definitions

Vulnerability

A weakness in a mechanism that could be exploited to compromise the confidentiality, integrity, or availability of an asset

Includes the lack of a countermeasure

Threat

A potential danger to an asset: a threat agent uncovering a vulnerability and exploiting it

Risk

The likelihood of a threat agent exploiting a vulnerability, combined with the resulting business impact (the potential damage)

Exposure

An instance of being open to loss because a vulnerability exists in the environment and could be exploited

Countermeasure

A control (safeguard) put in place to reduce the risk and mitigate potential losses

Slide 31

Vulnerabilities

Not just open ports …

No policies or not following them

Poorly configured remote access server

No control over PDAs and smart phones

Lack of security awareness training

Etc., etc., etc.

Slide 32

Examples of Some Vulnerabilities that Are Not Always Obvious

Lack of security understanding

Real security requires real knowledge

Technical to the C-level in companies

Misuse of access by authorized users

Authorization creep

Can now be a criminal offense according to specific laws

Concentration of responsibilities

Separation of duties

Not being able to react quickly

No response team or procedures

Lack of communication structure

Lack of ways to detect fraud

Rotation of duties

Technologies and processes

Slide 33

Risk – What Does It Really Mean?

Risk Definition

The probability of a vulnerability being exploited by a threat, combined with the resulting business impact

Vulnerability management or risk management? Fixing individual weaknesses is not the same as managing risk to the business

Goal of risk management

Optimal security at minimal cost: reduce risk to a level the business accepts, without spending more on controls than the loss they prevent

Slide 34

Relationships

Slide 35

Who Deals with Risk?

Slide 36

Overall Business Risk

Slide 37

Who?

“Who deals with risk in our company?”

Response: “We don’t really understand it, so we ignore it.”

Slide 38

AIC Triad

Availability

Usability, timeliness

Prevents disruption of services

Protects production and productivity

Integrity

Accuracy, completeness

Prevents unauthorized modification

Protects data and production environment

Confidentiality

Secrecy, sensitivity, privacy

Prevents unauthorized disclosure of data

Protects sensitive data and processes

Slide 39

Availability

Threats to availability:

Manmade, technical, or natural disaster

Failure of components or a device

Denial-of-service attacks

Countermeasures:

Redundant technologies

Failover devices

Backup technologies

Slide 40

Integrity

Threats to integrity:

Modifying data or configurations

Changing security log information

Tampering with software configurations

Countermeasures:

Hash algorithms and message authentication codes

Authentication, logging, auditing

Change control, configuration management
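The slide lists hash algorithms and message authentication codes as integrity controls and names tampering with security logs as a threat. The example below is added here to show the difference; it is not part of the original course material. It seals constructed sample log lines first with a plain SHA-256 digest and then with a chained HMAC-SHA256, then lets a simulated intruder rewrite one entry. The key, log lines, forged entry and function names are all assumptions made for this example.

```python
"""Added example: why log integrity needs a keyed MAC, not just a hash."""
import hashlib
import hmac
import secrets

# Constructed sample log lines (not real events).
LOG_LINES = [
    "2024-01-01T10:00:00Z sshd[123]: Accepted password for alice from 10.0.0.5",
    "2024-01-01T10:05:12Z sudo: alice : COMMAND=/bin/cat /etc/shadow",
    "2024-01-01T10:06:40Z sshd[123]: Disconnected from user alice 10.0.0.5",
]
CHAIN_SEED = b"\x00" * 32  # fixed starting value for the tag chain


def seal_with_hash(lines):
    """Weak scheme: an unkeyed SHA-256 beside each line. It catches accidental
    corruption, but anyone who can edit the log can also recompute the digest."""
    return [(line, hashlib.sha256(line.encode()).hexdigest()) for line in lines]


def verify_hash(sealed):
    return all(hashlib.sha256(line.encode()).hexdigest() == digest
               for line, digest in sealed)


def seal_with_hmac(lines, key):
    """Keyed scheme: HMAC-SHA256 over (previous tag || line). Chaining the tags
    means editing, deleting or reordering an interior line is detected.
    Truncating the tail is not covered by the chain alone; a periodic
    end-of-batch record or an entry count is needed for that."""
    sealed, prev_tag = [], CHAIN_SEED
    for line in lines:
        tag = hmac.new(key, prev_tag + line.encode(), hashlib.sha256).digest()
        sealed.append((line, tag.hex()))
        prev_tag = tag
    return sealed


def verify_hmac(sealed, key):
    prev_tag = CHAIN_SEED
    for line, tag_hex in sealed:
        expected = hmac.new(key, prev_tag + line.encode(), hashlib.sha256).digest()
        # constant-time comparison so tag checking does not leak timing
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return False
        prev_tag = expected
    return True


def attacker_rewrites(sealed, index, new_line):
    """An intruder with write access to the log replaces one entry and does the
    best they can without the key: recompute a plain SHA-256 of the new line."""
    edited = list(sealed)
    edited[index] = (new_line, hashlib.sha256(new_line.encode()).hexdigest())
    return edited


def demo(key=None):
    """Run both schemes against the same tampering; report what each detected."""
    key = key or secrets.token_bytes(32)
    forged = "2024-01-01T10:05:12Z sudo: alice : COMMAND=/bin/ls"  # constructed
    hashed = seal_with_hash(LOG_LINES)
    maced = seal_with_hmac(LOG_LINES, key)
    return {
        "hash_detects_edit": not verify_hash(attacker_rewrites(hashed, 1, forged)),
        "hmac_detects_edit": not verify_hmac(attacker_rewrites(maced, 1, forged), key),
        "hmac_detects_deletion": not verify_hmac(maced[:1] + maced[2:], key),
        "hmac_accepts_untouched": verify_hmac(maced, key),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The unkeyed digest passes verification after the rewrite because the intruder simply recomputed it; the HMAC fails because producing a valid tag requires the key, which is why the key must live somewhere the log writer cannot reach (a separate log host, an HSM, or a write-once store).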

Slide 41

Confidentiality

Threat: unauthorized access

Goal: protection of sensitive data or equipment

Countermeasures:

Access control

Encryption

Slide 42

Who Is Watching?

Shoulder surfing - different types

Think about ALL of the people who have access!

Slide 43

Social Engineering

In every security system, people are the weakest link.

Some of the most effective reconnaissance techniques target people.

People want to be helpful.

Nobody wants to get into trouble.

If you sound legitimate, most people will think you are.

Confidence and a clipboard will get you into a lot of places.

Slide 44

Social Engineering

To effectively collect information from human subjects, you may need to gather background information first.

Organization’s website

Company directory

Other employees

Address and phone numbers

Background on the organization

News articles/press releases

Footprinting!

Slide 45

What Security People Are Really Thinking

Slide 46

Security Concepts

Security through Obscurity

Control Types

Slide 47

Security through Obscurity

The assumption that the opponent will always be less intelligent, or less persistent, than the defender:

Designers think that if the flaws are not known, they will not be exploited

Some feel that compiled (closed-source) code is more secure than open source code because its flaws are harder to identify

Some algorithms are not publicly released, which is an example of security through obscurity; an algorithm that has not survived public review offers no assurance that it is sound

Usually used in place of a robust security framework rather than as one layer within it

Slide 48

Another Approach

Slide 49

Security?

Designers think that if the flaws are not known, they will not be exploited.

Vendors do not release information on flaws.

Once the flaw is found, patches have to be released anyway, and now the fix is on the attacker's timeline rather than the vendor's.

A needle in a haystack is hard to find, but someone will find it!

Slide 50

Security?

Some feel that compiled (closed-source) code is more secure than open source code because its flaws are harder to identify.

The two camps continue to debate; in practice, binary code can still be disassembled and fuzzed, so withholding the source delays discovery but does not prevent it.

Slide 51

The Bad Guys Are Motivated

Do not rely on others' ignorance or lack of interest.

Page 53: Certified Information Systems Security Professional (CISSP ...CISSP Exam Tips Requirements Minimum of 4 years of relevant experience or 3 years plus a degree Registration letter from

Slide 52

© Logical Security

If Not Obscurity – Then What?

Industry best practices

Standardization of protocols and communication

Interoperability in a safe manner

Everyone practicing security responsibly

Slide 53

Open Standards

Publicly available specifications to allow for interoperability.

Some of the organizations that develop open standards:

International Organization for Standardization (ISO)

International Telecommunication Union (ITU)

The Institute of Electrical and Electronics Engineers Standards Association (IEEE - SA)

Structured security programs and enterprise architectures!

Slide 54

Common Open Standards

Examples of Some Open Standards:

TCP/IP

OSI Model

HTML, XML, SOAP

IEEE standards

802.3, 802.5, 802.11, etc.

ISO 17799

NIST

Risk Management

Formal frameworks

SABSA

Slide 55

Without Standards

If technology and security were not standardized…

Proprietary solutions and solution wars

Everyone can now try to make the best widget; it just has to be able to talk to all the other widgets out there.

Slide 56

“Soft” Controls

Administrative Controls

Policies, procedures, standards, guidelines

Employee management

Testing and drills

Risk management and analysis

Information classification

Awareness training

Slide 57

Logical Controls

Technical Controls

Firewalls

IDS

Encryption

Protocols

Authentication mechanisms

Auditing

Access control technologies

Slide 58

Physical Controls


Doors, windows, walls

Security guards and dogs

Fencing and lighting

Locks

Environmental controls

Intrusion detection systems

Slide 59

Are There Gaps?

Do the departments responsible for these different types of security communicate and work well together in your company?

Slide 60

Understanding Drivers

Legal requirements

Regulation requirements

Business objectives

Slide 61

Holistic Security

Slide 62

Not Always So Easy

Slide 63

What Is First?

Specific issues must be understood before the required security program can be built.

Legal requirements

Regulation requirements

Business drivers

Threat profile

Acceptable risk levels

These are the “whys”; then we will get to the controls, which are the “hows”.

Slide 64

Different Types of Law

Legal Issues

Federal laws

State laws

Administrative laws (mainly regulations)

Slide 65

How Is Liability Determined?

Due Diligence

Researching and identifying threats and risks

Due Care

Acting upon findings to mitigate risks

What are some examples of management carrying out due diligence and due care?

Slide 66

Examples of Due Diligence

Due Diligence

Uncovering potential dangers

Carrying out assessments

Performing analysis on assessment data

Implementing risk management

Researching and understanding the environment’s vulnerabilities, threats, and risks

Slide 67

Examples of Due Care

Due Care

Doing the right thing

Implementing solutions based on analysis data

Properly protecting the company and its assets

Acting responsibly

Slide 68

Prudent Person Rule

Way of Determining Liability

Understanding activities and reactions of a reasonable and responsible person

Comparing your activities and reactions to this responsible person

Judging the rationale of your actions

Determining if you were negligent or not

Slide 69

Prudent Person

We have to ask ourselves if we were responsible and reasonable in our actions – this can be subjective.

Slide 70

Taking the Right Steps

Might need to start off slow and deliberate to ensure each risk is properly identified and dealt with.

Slide 71

Regulations

Regulations – security professional’s best friend!

Slide 72

Why Do We Need Regulations?

Corporate and security governance is now all the rage!

Slide 73

Risk Management

Slide 74

Why Is Risk Management Difficult?

Risk Management

Trying to predict the future

Incredible number of variables to identify

Surmising all possible threats and providing solutions to them

Gathering data from many sources

Dealing with many unknowns

Quantifying qualitative items

Slide 75

Necessary Level of Protection Is Different for Each Organization

Need to strike a balance between potential loss, acceptable risk level, and cost to protect assets

To help determine “how much is enough security” the following items must be understood:

Adversaries and their motivation and means to cause damage

Asset values

Vulnerabilities and threats

Acceptable risk and resulting residual risk

Countermeasure costs and benefits

Slide 76

Security Team/Committee

Team Members

Security

Internal audit

Administrators

Business process and data owners

Operations

HR, Legal

Custodian


Slide 77


Review

3 control categories

Type of control – auditing

Due diligence versus due care

Definition of risk

What is security through obscurity?


Slide 78


Risk Management Process


Slide 79


Planning Stage – Team

Risk Assessment Team

Should represent different departments of a company

IT department

Auditors

Management

Security department

Physical security

Business unit leaders

Advisors

Legal, human resources, management, safety officers

Management will help decide upon team members


Slide 80


Analysis Paralysis


Slide 81


Planning Stage – Scope

Scope of Project

Is just one facility being assessed?

Is it an enterprise-wide assessment?

What type of assets will be assessed?

Tangible and intangible assets

What type of threats will be considered?

Manmade, natural disasters, technical

Scope creep will be expensive and time-consuming.


Slide 82


Planning Stage – Analysis Method

Quantitative

Assigning numeric and monetary values to risk components

Asset value, business impact, frequency, countermeasure costs and values, uncertainty

Difficult to fully achieve; a complete quantitative analysis requires a lot of resources and time

Qualitative

Opinion-based with the use of a rating system

Scenario-based

Purely qualitative analysis is possible and not as time consuming


Slide 83


Risk Management Tools

Tools of the Trade

Automated tools require less repetitive data input

Can run same data through several scenarios

Analysis is still a time-consuming task


Slide 84


Defining Acceptable Levels

The risk acceptance level is the maximum overall exposure to risk that should be accepted, based on the benefits and costs involved.

If the responses to risk cannot bring the risk exposure to below this level, the activity will probably need to be stopped.

Hence the level must be agreed with the appropriate level of management.


Slide 85


Acceptable Risk Level

Each organization will have its own acceptable risk level, which is derived from its legal and regulatory compliance responsibilities and its threat profile.

Management must set this acceptable risk level and then it is the responsibility of the designated risk management roles to ensure that this level is not exceeded.

The objective of this stage is to determine the overall level of risk which the organization can tolerate for the given situation.


Slide 86


Collecting and Analyzing Data Methods

Data Collection

Surveys

Interviews

Vulnerability tests

Penetration tests

You must understand the business to understand risk in the correct context!


Slide 87


What Is a Company Asset?

What are you trying to protect?


Slide 88


Data Collection – Identify Assets

Tangible

Equipment

Facilities

Intangible

Data

Trade secrets

Reputation

Customer database


Slide 89


Data Collection – Assigning Values

An asset’s value is calculated by reviewing:

Cost of acquisition

Replacement cost

Cost of developing the asset

Role of the asset in the company

Amount adversaries are willing to pay for the asset

Cost of maintaining and protecting the asset

Production and productivity losses resulting from compromise of asset

Liability if asset is not properly protected


Slide 90


Asset Value

The value of an asset consists of its intrinsic value and the near-term impacts and long-term consequences of its compromise.


Slide 91


Data Collection – Identify Threats

Common Threats

Errors and omissions

Fraud and theft

Employee sabotage

Loss of physical or infrastructure support

Malicious hackers

Industrial espionage

Malicious code

Threats to privacy


Slide 92


Review

Two approaches to risk analysis

Acceptable risk level

Prudent man rule

Security through obscurity


Slide 93


Data Collection – Calculate Risks

From here the team will carry out qualitative analysis steps or quantitative analysis steps.

Quantitative

Assigning numeric and monetary values

Qualitative

Opinion and scenario-based

Use of a rating system


Slide 94


Scenario Based – Qualitative

Create scenarios and identify threats

Identify the range of threats possible

Write a scenario for each major threat identified

Functional managers review to make sure the scenarios are credible

Evaluate security controls to address threats


Slide 95


Risk Approach

[Figure: risk matrix plotting Probability of Occurrence against Consequence of Occurrence]


Slide 96


Qualitative Analysis Steps

Steps to Qualitative Analysis

1. Gather company “experts”

2. Present risk scenarios

3. Rank seriousness of threats

4. Rank countermeasures


Slide 97


Want Real Answers?

Delphi Method

Anonymous input

More honest data collected

Helps ensure no intimidation


Slide 98


Qualitative Risk Analysis Ratings

Organizations can develop internal qualitative risk ratings:

A-F

1-10

Low, medium, high

Highly likely, likely, unlikely, highly unlikely


Slide 99


Qualitative Risks

The following is an example of the Australia/New Zealand Standard approach to qualitative ratings.


Slide 100


Quantitative Analysis Steps

1. Calculate estimated potential losses

2. Carry out a threat analysis

3. Calculate annual loss expectancy


Slide 101


Quantitative Analysis

Step 1 = Estimate potential loss

Single Loss Expectancy

Asset Value x Exposure Factor (EF) = SLE

Exposure factor = the percentage of loss that could be experienced


Slide 102

© Logical Security

How Often Will This Happen?

Step 2 = Threat analysis

ARO (Annual Rate of Occurrence) = number of expected incidents annually

Slide 103

ARO Values and Their Meaning

One time in a 12-month period

ARO = 1.0

Once in 10 years

ARO = 0.1

Once in 100 years

ARO = 0.01

Slide 104

Calculate ALE

Step 3 = Calculate annual loss expectancy

Annualized Loss Expectancy

SLE x Annualized Rate of Occurrence (ARO) = ALE

Annualized rate of occurrence (ARO) = frequency of the threat taking place

What is the ALE value used for?

Slide 105

ALE Value Uses

Categorize risks

Build a security budget

Amount to spend on risk mitigation

Use to understand business risk overall

Slide 106

Relationships

Slide 107

Calculate Risks – ALE Example

1. If an e-commerce site is attacked (value = $300,000), it is estimated to cause 40% in damages to a company based on:

Liability costs

Confidential data being corrupted

Loss in revenue

Asset Value x EF = SLE

$300,000 x 0.4 = $120,000

2. Based on current safeguards, this threat is estimated to happen once in 12 months.

SLE x ARO = ALE

$120,000 x 1.0 = $120,000

3. Management should not spend over this amount to protect this asset.

Slide 108

Your Turn!

A facility has a value of $650,000. It is estimated that a tornado would hit once in ten years. If 35% of the facility would be damaged, what would the ALE be?

Slide 109

ALE Calculation

SLE = $227,500

$650,000 x 0.35 = $227,500

ALE = $22,750

$227,500 x 0.1 = $22,750

What does the company do with this value?

Slide 110

Can a Purely Quantitative Analysis Be Accomplished?

NO!

A quantitative analysis requires quantifying many qualitative items.

How do you assign a value to a reputation?

How can you know the potential customers that will be lost?

How can you properly predict market share loss?

All of these questions are difficult, but are required in a quantitative analysis.

Slide 111

Risk Types

Risks

Potential loss

Ramifications of exposure

Delayed loss

Secondary ramifications of exposure

Much harder to identify and calculate

List Examples of…

Potential losses

Delayed losses

Slide 112

Examples of Types of Losses

Potential Losses

Loss in production and productivity

Cost of repairing damages

Cost of consultants’ or experts’ services

Loss in revenue

Loss of customers

Slide 113

Delayed Loss

Delayed Losses

Loss in reputation

Loss of potential customers

Late fees or penalty fees

Loss in market share

Slide 114

Review – Steps of Analysis

Identify a company’s assets

Assign values to assets

Identify the assets’ vulnerabilities and threats

Calculate their associated risks

Estimate potential loss and damages

Slide 115

Review

ALE formula

SLE formula

What is ARO?

If an event will potentially occur once in 100 years, what is the ARO?

Steps of a qualitative analysis

Slide 116

Cost/Benefit Analysis

Cost/Benefit Analysis

The annualized cost of countermeasures should not be more than potential losses

If a server is worth $3,000, a countermeasure that costs $4,000 should not be used

Not as cut and dried as it may seem

How do you determine the cost of a countermeasure?

Slide 117

Cost of a Countermeasure

Some of the items that can go into the calculation:

Purchase amount

Maintenance amount

Negative effects on production environment

Man-hours to maintain

IDS is an expensive countermeasure in this respect

Slide 118

Cost/Benefit Analysis Countermeasure Criteria

A Countermeasure Should …

Mitigate the identified risk

Be cost-effective

(ALE before implementing countermeasure) – (ALE after implementing countermeasure) – (annual cost of countermeasure) = value of the countermeasure to the company

If ALE for a specific asset is $78,000, and after implementation of the control the new ALE is $20,000 and the annual cost of the control is $60,000, what is the value of the control to the company?

Slide 119

Calculating Cost/Benefit

If ALE for a specific asset is $78,000, and after implementation of the control the new ALE is $20,000 and the annual cost of the control is $60,000, what is the value of the control to the company?

$78,000 – $20,000 = $58,000

$58,000 – $60,000 = -$2,000

Company should not implement this control.

Not cost-beneficial.
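As an added example that is not part of the slide deck, the SLE, ARO and ALE steps of slides 101 to 109 and the countermeasure-value formula of slides 118 and 119, carried through in Python on the deck's own figures. The function and class names are my own; the dollar amounts, exposure factors and frequencies are the ones the slides use.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and countermeasure value.

Added example, not from the Logical Security slides. The figures below are
the ones the slides use: a $300,000 e-commerce site with EF 40% attacked
once a year, a $650,000 facility with EF 35% hit once in ten years, and a
control that takes ALE from $78,000 to $20,000 at $60,000 per year.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor.

    The exposure factor is the fraction (0.0 to 1.0) of the asset's value
    that one occurrence of the threat is expected to destroy.
    """
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0.0 and 1.0")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(occurrences: float, years: float) -> float:
    """ARO = expected incidents per year (once in 10 years -> 0.1)."""
    if years <= 0:
        raise ValueError("years must be positive")
    return occurrences / years


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected loss from this threat in one year."""
    return sle * aro


def countermeasure_value(ale_before: float, ale_after: float,
                         annual_cost: float) -> float:
    """Value = ALE(before) - ALE(after) - annual cost of the countermeasure.

    A negative result means the control costs more per year than the loss
    it avoids, so it is not cost-beneficial.
    """
    return ale_before - ale_after - annual_cost


def control_is_cost_beneficial(ale_before: float, ale_after: float,
                               annual_cost: float) -> bool:
    """True only if the control has positive value to the company."""
    return countermeasure_value(ale_before, ale_after, annual_cost) > 0


@dataclass(frozen=True)
class RiskScenario:
    """One asset/threat pair with the inputs the three steps need."""
    name: str
    asset_value: float
    exposure_factor: float   # share of the asset lost per incident
    occurrences: float       # expected incidents ...
    years: float             # ... per this many years

    @property
    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    @property
    def aro(self) -> float:
        return annualized_rate_of_occurrence(self.occurrences, self.years)

    @property
    def ale(self) -> float:
        return annualized_loss_expectancy(self.sle, self.aro)


# Scenarios constructed from the slides' worked examples.
ECOMMERCE_ATTACK = RiskScenario("e-commerce site attacked", 300_000, 0.40, 1, 1)
TORNADO = RiskScenario("tornado hits facility", 650_000, 0.35, 1, 10)


if __name__ == "__main__":
    for s in (ECOMMERCE_ATTACK, TORNADO):
        print(f"{s.name}: SLE=${s.sle:,.0f} ARO={s.aro:g} ALE=${s.ale:,.0f}")
    value = countermeasure_value(78_000, 20_000, 60_000)
    print(f"control value: ${value:,.0f}; implement? "
          f"{control_is_cost_beneficial(78_000, 20_000, 60_000)}")
```

The ALE of a scenario is the ceiling on what it is worth spending per year to protect that asset, and the countermeasure value is the same comparison done after a specific control is priced in.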

Slide 120

Controls

“How do we decide what controls we buy within the company?”

Response: “We follow industry buzz words and buy the next silver bullet. They must be right – they are the industry.”

Slide 121

Control Selection Requirements

Modular in nature

Provides uniform protection

Provides override functionality

Defaults to least privilege

Independence of safeguard and the asset it is protecting

Flexibility and security

Clear distinction between user and administrator

Minimum human intervention

Easily upgraded

Does not panic personnel

Identifies suspect

Slide 122

Control Selection Requirements

Auditing functionality

Minimizes dependence on other components

Easily useable, acceptable, and tolerated by personnel

Must produce output in usable and understandable format

Must be able to reset safeguard

Testable

Does not introduce other compromises

System and user performance

Proper alerting

Does not negatively affect asset

Slide 123

Quantitative Analysis

Quantitative Advantages:

Results are based on independently objective processes and metrics

Cost/benefit assessment is possible

Risk management can be tracked and evaluated

Results can be expressed in monetary value, percentages, probabilities

Very useful for management to understand risks and create new security budgets

Slide 124

Quantitative Analysis Disadvantages

Quantitative Disadvantages

Requires a large amount of preliminary work

Hard to carry out manually

Formulas are usually complex and inflexible

No real standard on how to carry this out

Slide 125

Qualitative Analysis Approach

Qualitative Advantages

Assigning rating values is simple

Allows for flexibility in processes and reporting results

Requires less preliminary work

Slide 126

Qualitative Analysis Disadvantages

Qualitative Disadvantages

Very subjective

No use of independent objective metrics or processes

Difficult to map to security budget needs

Cost/benefit analysis not possible

Cannot track risk management performance objectively

Slide 127

Can You Get Rid of All Risk?

Total Risk versus Residual Risk

The amount of risk that exists before a safeguard is put into place is the total risk.

After a safeguard is implemented, the remaining risk is called residual risk.

Slide 128

Calculating Residual Risk

Threats x Vulnerability x Asset Value = Total Risk

(Threats x Vulnerability x Asset Value) x Control Gap = Residual Risk

(Control Gap = what the control cannot protect against)

Total Risk – Controls = Residual Risk

The analysis team needs to determine whether the residual risk is within the acceptable risk level of the company. Management will have to sign off on accepting this risk.

Slide 129

Uncertainty Analysis

The primary sources of uncertainty in the risk management process are:

A lack of sufficient information to determine the exact value of the elements of the risk model, such as threat frequency, safeguard effectiveness, or consequences

Relative magnitude of uncertainties and their implications on the assessment results
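The residual-risk formulas from the previous slide and the two sources of uncertainty listed on this one, worked through in Python. This is an added example, not part of the course material: the function names, the sample figures and the interval ranges are constructed for illustration, and the one-at-a-time sensitivity ranking is a common way to show the relative magnitude of the uncertainties, not a method the slides prescribe.

```python
"""Residual risk and uncertainty analysis, using the course's formulas:

    Total Risk    = Threats x Vulnerability x Asset Value
    Residual Risk = Total Risk x Control Gap
    (Control Gap = the share of the risk the control cannot protect against)

Every figure in the sample data below is a constructed value for illustration.
"""
from typing import Dict, List, Tuple

# Range for an element we cannot pin down exactly: (low estimate, high estimate).
Interval = Tuple[float, float]


def total_risk(threat: float, vulnerability: float, asset_value: float) -> float:
    """Threat frequency (events/year) x probability the event succeeds x asset value."""
    return threat * vulnerability * asset_value


def residual_risk(threat: float, vulnerability: float, asset_value: float,
                  control_gap: float) -> float:
    """Risk left after the control: total risk x the fraction the control misses."""
    return total_risk(threat, vulnerability, asset_value) * control_gap


def needs_management_sign_off(residual: float, acceptable_level: float) -> bool:
    """Residual risk above the company's acceptable level must be formally accepted."""
    return residual > acceptable_level


def residual_risk_bounds(intervals: Dict[str, Interval]) -> Interval:
    """Best- and worst-case residual risk when every element is only known as a range.

    All four factors are non-negative and multiplied, so the extremes come from
    taking every low estimate together and every high estimate together.
    """
    lows = {name: iv[0] for name, iv in intervals.items()}
    highs = {name: iv[1] for name, iv in intervals.items()}
    return residual_risk(**lows), residual_risk(**highs)


def uncertainty_ranking(intervals: Dict[str, Interval]) -> List[Tuple[str, float]]:
    """Rank elements by how much their uncertainty swings the residual risk.

    One-at-a-time sensitivity: hold every other element at the midpoint of its
    range, swing the element under study from low to high, and record the spread.
    Elements at the top of the list are where better information pays off most.
    """
    midpoints = {name: (lo + hi) / 2 for name, (lo, hi) in intervals.items()}
    spreads = []
    for name, (lo, hi) in intervals.items():
        at_low = dict(midpoints, **{name: lo})
        at_high = dict(midpoints, **{name: hi})
        spreads.append((name, residual_risk(**at_high) - residual_risk(**at_low)))
    return sorted(spreads, key=lambda item: item[1], reverse=True)


# Constructed sample scenario (not from the course): one asset protected by one control.
SAMPLE_POINT_ESTIMATE = dict(threat=0.5, vulnerability=0.4,
                             asset_value=100_000.0, control_gap=0.3)
SAMPLE_ACCEPTABLE_LEVEL = 5_000.0

# The same scenario with honest ranges instead of single numbers.
SAMPLE_INTERVALS: Dict[str, Interval] = {
    "threat": (0.2, 1.0),                  # events per year
    "vulnerability": (0.2, 0.6),           # probability of success per event
    "asset_value": (80_000.0, 120_000.0),  # currency units
    "control_gap": (0.1, 0.4),             # share of incidents the control misses
}

if __name__ == "__main__":
    p = SAMPLE_POINT_ESTIMATE
    total = total_risk(p["threat"], p["vulnerability"], p["asset_value"])
    residual = residual_risk(**p)
    print(f"Total risk:      {total:,.0f}")
    print(f"Residual risk:   {residual:,.0f}")
    print(f"Acceptable:      {SAMPLE_ACCEPTABLE_LEVEL:,.0f}  "
          f"-> sign-off needed: {needs_management_sign_off(residual, SAMPLE_ACCEPTABLE_LEVEL)}")
    low, high = residual_risk_bounds(SAMPLE_INTERVALS)
    print(f"Residual range:  {low:,.0f} .. {high:,.0f}")
    for name, spread in uncertainty_ranking(SAMPLE_INTERVALS):
        print(f"  {name:<14} swings residual risk by {spread:,.0f}")
```

The point estimate gives a single residual figure for management to accept or reject; the interval view shows how wide that figure really is and which element (here threat frequency) most deserves better data before the decision is made.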

Slide 130

Dealing with Risk

Team presents the analysis results to management.

Management makes the decisions about the next steps.

Management has several choices when dealing with risk.

Management knows how to deal with business risk, which is different from security risk.

Slide 131

Deal with Risk

“How do we deal with risk in the organization?”

Response: “We create a lot of paperwork and then we just ignore it.”

Slide 132

Management’s Response to Identified Risks

Risk mitigation

Implement countermeasures

Risk transference

Third-party involvement, such as purchasing insurance

Risk acceptance

Informed decision – no action taken

Risk avoidance

Decide to stop activity

Slide 133

Risk Acceptance

Cost decision

Potential loss is lower than control cost

Pain decision

Ability to deal with related security incidents

Visibility decision

Reputation can take it

Not a surprise decision

Risk should not be accepted without knowing it

Slide 134

Risk Analysis Process Summary

Slide 135

Review

3 types of control categories

Due diligence

Separation of duties is what type of control?

4 ways of dealing with risk

Formula for residual risk

Formula to calculate the value of a countermeasure

Slide 136

Now What?

We understand the legal requirements of the company.

We understand the regulation requirements of the company.

We understand the acceptable risk level.

We have identified critical assets.

We have carried out risk assessments to understand the current security posture.

Now we need to build a security program with all of these ingredients.

Slide 137

Components of Security Program

Layered Approach

Security Program Steps

Organizational Security

Slide 138

A Layered Approach

Defense in Depth

Providing layers of defense that an attacker must compromise before accessing an asset

Not relying upon just one control

Understanding that a compromise of one layer may take place and having backup controls to compensate for it

Slide 139

In Security, You Never Want Any Surprises

Slide 140

Building Foundation

Security Program

Blueprint for a security program

A framework for administrative, technical, and physical controls to work within

Slide 141

Security Roadmap

Slide 142

Functional and Assurance Requirements

The security controls, systems, and overall program need to have both requirements covered.

“What is it that we want it to do?”

Defining before buying

“How are we making sure it is doing what it is supposed to be doing?”

Testing, logging, auditing

Slide 143

Building Foundation

Slide 144

Most Organizations

Slide 145

Slide 146

Silo Security Structure

Slide 147

Islands of Security Needs and Tools

Slide 148

Get Out of a Silo Approach

Slide 149

Security Is a Process

Security is a process, not a product.

Slide 150

Approach to Security Management

Top-Down Approach

Security is directed, driven, and supported by senior management

Bottom-Up Approach

A staff member or group drives the initiative

Slide 151

Result of Battling Management

Slide 152

Industry Best Practices Standards

BS/ISO 17799

Comprehensive guidelines on a range of controls for implementing security

Organizations can be certified against the standard (certification is against Part 2, BS7799-2, later ISO/IEC 27001; Part 1 is the code of practice)

Divided into 10 sections

Security policy

Security organization

Asset classification and control

Personnel security

Physical and environmental security

Computer and network management

System access control

System development and maintenance

Business continuity planning

Compliance

Slide 153

ISO/IEC 17799

ISO/IEC 17799 is a set of best practices that organizations follow to implement and maintain a security program.

It started out as British Standard 7799 (BS7799). BS7799 was published in the United Kingdom and became a de facto industry standard used to guide organizations in the practice of information security.

Slide 154

Pieces and Parts

BS7799 Part 1 outlines control objectives and a range of controls that can be used to meet those objectives.

BS7799 Part 2 outlines how a security program (an information security management system, ISMS) can be set up and maintained.

BS7799 Part 2 serves as the baseline against which organizations can be certified.

An organization chooses to be certified against the standard to provide confidence to its customer base and partners.

The certification scope can be the whole organization or a defined portion of it (for example, a business unit, site, or service); it is the scope that is narrowed, not the set of Part 2 requirements the certified portion must meet.

Slide 155

Numbering

ISO/IEC 17799:2005 is the newest version of BS7799 Part 1

Provides the catalogue of controls that can be used within the framework

Renumbered as ISO/IEC 27002 in 2007 (ISO/IEC 27002:2005, content unchanged)

ISO/IEC 27001:2005 is the newest version of BS7799 Part 2

Requirements for establishing, operating, and maintaining an ISMS; this is the part organizations are certified against

Slide 156

New ISO Standards

ISO/IEC 27000 - vocabulary and glossary of terms for the series

ISO/IEC 27002 - the renumbering of the existing standard ISO/IEC 17799

ISO/IEC 27003 - ISMS implementation guidance

ISO/IEC 27004 - information security measurement and metrics

ISO/IEC 27005 - information security risk management, derived from British Standard BS 7799 Part 3

ISO/IEC 27006 - requirements for the bodies that perform ISMS certification/registration

Slide 157

COBIT

What is COBIT?

Control Objectives for Information and related Technology (COBIT) was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI).

It is a framework of best practices (control objectives) for IT governance and management; IT auditors commonly use it as the benchmark against which controls are assessed.

Slide 158

Inside of COBIT

The four domains are groupings of processes that map to the following organizational responsibilities:

Planning and Organization

Acquisition and Implementation

Delivery and Support

Monitoring

Slide 159

COBIT – Control Objectives (from process DS5, Ensure Systems Security, in the Delivery and Support domain)

5.1 Management of IT Security

Manage IT Security at the highest appropriate organizational level …

5.2 IT Security Plan

Translate business information requirements, IT configuration, information risk action plans, and information security culture …

5.3 Identity Management

All users (internal, external, and temporary) and their activity on IT systems (business application, system operation…)

5.4 User Account Management

Ensure that requesting, establishing, issuing, suspending, modifying, and closing user accounts and related user privileges …

5.5 Security Testing, Surveillance, and Monitoring

Ensure that IT security implementation is tested and monitored proactively. IT security should be reaccredited periodically …
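The account lifecycle that objective 5.4 describes (request, establish, issue, suspend, modify, close) is where most audit findings originate: accounts that outlive their owners or their roles. The script below is an added example, not part of the course material or of COBIT itself. It reconciles a constructed HR roster against a constructed directory export and flags the leaver (terminated but still enabled), expired-contractor, orphan (no HR owner), mover (groups beyond the role) and dormant cases. The record layouts, the ROLE_GROUPS entitlement map and the 90-day dormancy threshold are assumptions made for the example.

```python
"""Account-lifecycle reconciliation (added, hypothetical example).

Compares an HR roster against a directory export and reports accounts that
violate the lifecycle control objective. All records and the role-to-group
map below are constructed for the example; in practice they come from the
HRIS and directory exports.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    role: str
    status: str                      # "active", "terminated" or "contractor"
    end_date: Optional[date] = None  # termination date or contract end date


@dataclass(frozen=True)
class DirectoryAccount:
    user_id: str
    enabled: bool
    groups: FrozenSet[str]
    last_login: Optional[date]       # None if the account has never logged in


@dataclass(frozen=True)
class Finding:
    user_id: str
    issue: str   # orphan | not-closed | expired-contract | excess-privilege | dormant
    detail: str


# Assumed role-to-entitlement map: the groups each role is allowed to hold.
ROLE_GROUPS: Dict[str, FrozenSet[str]] = {
    "developer": frozenset({"vpn", "git"}),
    "dba": frozenset({"vpn", "db-admin"}),
    "finance": frozenset({"vpn", "erp"}),
}


def reconcile(hr: List[HrRecord], directory: List[DirectoryAccount],
              today: date, dormant_days: int = 90) -> List[Finding]:
    """Return one Finding per lifecycle violation found in the directory."""
    hr_by_id = {r.user_id: r for r in hr}
    findings: List[Finding] = []
    for acct in directory:
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            # No HR owner: the request/establish step was bypassed.
            findings.append(Finding(acct.user_id, "orphan", "no HR record"))
            continue
        if acct.enabled and rec.status == "terminated":
            findings.append(Finding(acct.user_id, "not-closed", f"terminated {rec.end_date}"))
            continue  # disabling the account is the only fix; other checks are moot
        if acct.enabled and rec.status == "contractor" and rec.end_date and rec.end_date < today:
            findings.append(Finding(acct.user_id, "expired-contract", f"ended {rec.end_date}"))
            continue
        # Mover check: groups the current role does not entitle the user to.
        excess = acct.groups - ROLE_GROUPS.get(rec.role, frozenset())
        if excess:
            findings.append(Finding(acct.user_id, "excess-privilege", ",".join(sorted(excess))))
        # Dormancy check: an enabled account nobody uses is an unmonitored foothold.
        if acct.enabled and (acct.last_login is None
                             or (today - acct.last_login).days > dormant_days):
            findings.append(Finding(acct.user_id, "dormant", f"last login {acct.last_login}"))
    return findings


# Constructed sample data, reconciled as of SAMPLE_TODAY.
SAMPLE_TODAY = date(2024, 6, 15)
SAMPLE_HR = [
    HrRecord("alice", "developer", "active"),
    HrRecord("bob", "dba", "terminated", date(2024, 5, 31)),
    HrRecord("carol", "finance", "active"),
    HrRecord("dave", "developer", "contractor", date(2024, 3, 31)),
]
SAMPLE_DIRECTORY = [
    DirectoryAccount("alice", True, frozenset({"vpn", "git"}), date(2024, 6, 10)),
    DirectoryAccount("bob", True, frozenset({"vpn", "db-admin"}), date(2024, 5, 20)),
    DirectoryAccount("carol", True, frozenset({"vpn", "erp", "db-admin"}), date(2024, 6, 1)),
    DirectoryAccount("dave", True, frozenset({"vpn", "git"}), date(2024, 2, 1)),
    DirectoryAccount("eve", True, frozenset({"vpn"}), date(2024, 6, 12)),
]


def run_example() -> List[Finding]:
    """Reconcile the constructed sample data; expect bob, carol, dave and eve to be flagged."""
    return reconcile(SAMPLE_HR, SAMPLE_DIRECTORY, SAMPLE_TODAY)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.user_id:8} {f.issue:16} {f.detail}")
```

Run it on a schedule and route the output to whoever owns the closing step; the list of findings is also the evidence an auditor asks for when testing this objective. Alice, whose groups match her role and who logged in recently, produces no finding, which is the point: the report should be short enough that every line gets acted on.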

Slide 161

Measurements

Slide 162

Information Technology Infrastructure Library (ITIL)

ITIL is considered the de facto standard for IT service management and concentrates on how to provide consistent, documented, and repeatable processes to ensure quality.

Slide 163

3rd Party Governance

Today’s business environment is increasingly dependent on third-party relationships as organizations concentrate on their core competencies and outsource many non-core services.

In turn, the heightened security expected by customers and a growing global emphasis on legal and regulatory compliance require evidence of adequate governance measures.

Thus, the twin issues of due diligence (investigating a third party’s security posture before and during the relationship) and due care (acting on what that investigation finds, for example through contractual requirements and ongoing monitoring) over third parties have become critical to business success.

Slide 164

3rd Party Governance (Cont.)

There are 6 elements to consider:

Slide 165

Security Governance

“Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.”

- IT Governance Institute

Slide 166

Company A (security governance absent) vs. Company B (security governance in place)

Company A: All security activity takes place within the security department; security works within a silo and is not integrated throughout the organization.

Company B: Executive management holds business unit managers responsible for carrying out risk management activities for their specific business units.

Company A: The CISO took some boilerplate security policies, inserted his company’s name, then had the CEO sign them.

Company B: Executive management sets an acceptable risk level that is the basis for the company’s security policies and all security activities.

Company A: The CEO, CFO and business unit managers feel as though information security is the responsibility of the CIO, CISO and IT department and do not get involved.

Company B: The CEO, CFO, CIO and business unit managers participate in a risk management committee that meets each month, and information security is always one topic on the agenda to review.

Company A: Board members do not understand that information security is in their realm of responsibility and focus solely on corporate governance and profits.

Company B: Board members understand that information security is critical to the company and demand to be updated quarterly on security performance and breaches.

Slide 167

Company A (security governance absent) vs. Company B (security governance in place), continued

Company A: The organization does not analyze its performance for improvement, but continually marches forward and makes the same mistakes over and over again.

Company B: The organization continually reviews its business processes, including security, with the goal of continued improvement.

Company A: Security products, managed services, and consultants are purchased and deployed without any real research or performance metrics that would allow the return on investment or effectiveness to be determined. The company has a false sense of security because it is using products, consultants, and/or managed services.

Company B: Security products, managed services, and consultants are purchased and deployed in an informed manner. They are also constantly reviewed to ensure they are cost effective.

Company A: Policies and standards are developed, but no enforcement or accountability practices have been envisioned or deployed.

Company B: Employees are held accountable for any security breaches they participate in, either maliciously or accidentally.

Company A: Business processes are not documented and are not analyzed for potential risks that can affect operations, productivity, and profitability.

Company B: Critical business processes are documented along with the risks that are inherent at the different steps within the business processes.

Slide 168

Security Program Components

Policies

Standards

Baselines

Guidelines

Roles

Slide 169

Policy Framework

Slide 170

Policy Types

Organizational Policy

Management’s directives on the role of security within company

Organizational policy is created to address:

Business needs

Laws

Regulations

Standards of due care

Slide 171

Organizational Policy

Policy should have the following goals:

Define the security program

Set strategic direction

Assign responsibilities

Address all compliance issues

Identify assets

Assign personal responsibility

Grant authority

Serve as a tool to resolve conflicts

Define the security team

Address exceptions and discipline

Slide 172

Policy Approved – Now What?

Once policies are approved by the governing body, control objectives should be defined.

Management’s objectives are used as the framework for developing and implementing controls.

What do we need our controls to do before we buy and/or implement them?

Slide 173

Issue-Specific Policies

Also called functional policies.

Issue-Specific Policies can be created for:

Protection of confidential/proprietary information

Unauthorized software

Employees working from home

Rights of privacy

Responsibility for correctness of data

Suspected malicious code

Physical emergencies

Risk management and contingency planning

Slide 174

ASP Policy Example

Source: www.sans.org

Slide 175

System-Specific Policies

Policy should have the following characteristics:

Express management’s decisions pertaining to systems

Content is based on technical analysis of stated systems

Map to specific system objectives and requirements

Strictly enforced

Slide 176

System-Specific Policy

Concentrates directly on the use and maintenance of computers and devices

Slide 177

Standards

Organizational Standards

Compulsory rules

Employee behavior

Computer and device use

Organizational standards (not to be confused with American National Standards, FIPS, Federal Standards, or other national or international standards) specify uniform use of specific technologies, parameters, or procedures when such uniform use will benefit an organization. Standardization of organization-wide identification badges is a typical example, providing ease of employee mobility and automation of entry/exit systems.

- NIST

Slide 178

Standard Example

Slide 179

Baseline

Baselines

A minimum level of security required

Abstraction of the standards

Ensure acceptable risk level is met

Required configuration of systems

Metrics representation

Unauthorized access incidents

Unpatched systems

Users with too much access

Slide 180

Data Collection for Metrics

Different data collected is compared to set baselines to validate compliance.

Slide 181

Guidelines

Guidelines

Recommendations on actions in different situations

Operational guides where standards do not apply

Industry or internal guidelines

Slide 182

Procedures

Procedures

Detailed activities to be taken to achieve a specific task

Step-by-step instructions

Implementation of standards

Standardization

Slide 183

Tying Them Together

Policy = Unauthorized users should not have access to sensitive data

Standard = Users must be authorized with a smart card and PIN before accessing the database

Baseline = Number of unauthorized accesses allowed

Guideline = Explanation of identification and authorization and smart card use

Procedures = How to configure the database
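The Baseline and Data Collection for Metrics slides describe the same mechanism this slide's "number of unauthorized accesses allowed" illustrates: data is collected per system and compared to a set baseline to validate compliance. The script below is an added example, not code from the Logical Security course; the metric names, baseline thresholds, host names and sample values are all constructed for illustration. It treats a metric that was never collected as a finding in its own right, since uncollected data cannot validate compliance.

```python
"""Baseline compliance check: compare collected metrics to set baselines.

Added example, not part of the Logical Security course material. The metric
names, baseline thresholds, host names and sample values are all constructed
for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed baseline: the minimum acceptable security level, written as the
# largest value each metric may reach before a system falls out of compliance.
# "unauthorized_access_incidents" is the "number of unauthorized accesses
# allowed" from the Tying Them Together slide; the other two follow the
# Baseline slide's metric list.
BASELINE: Dict[str, int] = {
    "unauthorized_access_incidents": 0,
    "unpatched_systems": 2,
    "users_with_excess_access": 0,
}

NOT_COLLECTED = -1  # sentinel for a metric the collector did not report


@dataclass(frozen=True)
class Finding:
    system: str
    metric: str
    observed: int   # NOT_COLLECTED when the metric was never measured
    allowed: int


def evaluate(collected: Dict[str, Dict[str, int]],
             baseline: Dict[str, int] = BASELINE) -> List[Finding]:
    """Return one Finding per (system, metric) that exceeds its baseline.

    A metric that is absent from a system's sample is reported too: data that
    was never collected cannot validate compliance, so the gap itself is a
    finding rather than a silent pass.
    """
    findings: List[Finding] = []
    for system, metrics in collected.items():
        for metric, allowed in baseline.items():
            if metric not in metrics:
                findings.append(Finding(system, metric, NOT_COLLECTED, allowed))
            elif metrics[metric] > allowed:
                findings.append(Finding(system, metric, metrics[metric], allowed))
    return findings


def is_compliant(collected: Dict[str, Dict[str, int]],
                 baseline: Dict[str, int] = BASELINE) -> bool:
    """True only when every system meets every baseline metric."""
    return not evaluate(collected, baseline)


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group failing metric names by system for reporting back to the data owner."""
    report: Dict[str, List[str]] = {}
    for f in findings:
        report.setdefault(f.system, []).append(f.metric)
    return report


# Constructed sample of collected data for three systems (not real hosts).
SAMPLE: Dict[str, Dict[str, int]] = {
    "db-prod-01": {"unauthorized_access_incidents": 0,
                   "unpatched_systems": 0,
                   "users_with_excess_access": 0},
    "file-srv-02": {"unauthorized_access_incidents": 3,
                    "unpatched_systems": 1,
                    "users_with_excess_access": 2},
    "web-dmz-03": {"unauthorized_access_incidents": 0,
                   "unpatched_systems": 5},   # excess-access count never collected
}

if __name__ == "__main__":
    for f in evaluate(SAMPLE):
        state = ("not collected" if f.observed == NOT_COLLECTED
                 else f"observed {f.observed}")
        print(f"{f.system}: {f.metric} {state}, baseline allows {f.allowed}")
    print("compliant" if is_compliant(SAMPLE) else "out of compliance")
```

Run as-is it reports two findings for file-srv-02, two for web-dmz-03 (one of them the missing metric) and declares the sample out of compliance; only db-prod-01 meets the baseline on every metric. The thresholds live in one dictionary so that the baseline, not the checker, is what the data owner revises when the acceptable risk level changes.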

Slide 184

Program Support

Slide 185

Entity Relationships

Slide 186

Senior Management’s Role

Senior Management

Defines the scope, objectives, priorities, and strategies of the company’s security program

Provides vision, funds, visibility, and enforcement

Ultimately liable

Without management’s support, efforts can be doomed from the start

Slide 187

Security Roles

Data Owner

Responsible for subset(s) of data and data classification

Sets security requirements for data protection

Usually process owners or business VPs or department heads

Business accountability

Not IT’s job

Slide 188

Custodian

Custodian

Is delegated data maintenance tasks

Required to implement and maintain controls to provide the protection level dictated by data owner

Usually technical security staff or IT

Slide 189

Auditor

Provides independent assurance to management and shareholders on the appropriateness of security objectives

Determines if controls (administrative, technical, physical) comply with security objectives

Internal and external auditing

Third-party reviews

Slide 190

Access

“Who determines the level of access employees have, who configures the technology, and who validates it all?”

Response: “Fred, the IT guy.”

Slide 191

Information Classification

Slide 192

Information Classification Program

Classification goals

Availability, integrity, and confidentiality are provided at the necessary levels for all identified assets

Return on investment by implementing controls where they are needed the most

Map data protection levels with organizational needs

Mitigate threats of unauthorized access and disclosure

Comply with legal and regulatory requirements

Maintain competitive status

Slide 193

Data Leakage

Data is the gold of our times that must be protected.

Slide 194

Do You Want to End Up in the News?

Slide 195

Types of Classification Levels

Commercial

Confidential

Private

Sensitive

For internal use only

Military

Top secret

Secret

Confidential

Sensitive but unclassified

Unclassified

Public

Companies need to decide what levels they will use and what those levels mean.

Slide 196

Data Protection Levels

Slide 197

Classification Program Steps

1. Compile an inventory of all information assets

2. Define levels of protection for information assets

3. Define classification criteria

4. Develop information classification policy

5. Define information handling and labeling procedures

6. Assign responsibility for classification to the owner of information

7. Assign a security classification to all information assets

8. Classify information according to sensitivity and how much protection is required

9. Integrate into security awareness and training programs

_____________________________________________________________________________________

_____________________________________________________________________________________

_____________________________________________________________________________________

_____________________________________________________________________________________

_____________________________________________________________________________________

_____________________________________________________________________________________

_____________________________________________________________________________________

_____________________________________________________________________________________

_____________________________________________________________________________________

_____________________________________________________________________________________

Slide 198

Information Classification Components

A policy should outline:

Information as an asset of individual business units
Business unit managers declared as information owners
IT declared as data custodians
The classification scheme
Definitions for each classification
Criteria for each classification
Roles and responsibilities for classification

Slide 199

Procedures and Guidelines

Procedures and guidelines should outline:

How to classify information
How to change a classification level if needed
How to communicate a classification change to IT
How to declassify and destroy material

Periodic review of:

Current classification levels and their mapping to business needs
Current access rights and privileges
Protection levels that current controls are providing

Slide 200

Classification Levels

Once the organization understands the different levels of protection that must be provided, it can develop the necessary classification levels.

Too many classification levels are impractical and add confusion.
Too few classification levels give the perception of little value and use.
There should be no overlap between classification levels.
Classification levels should be developed for both data and software.

Slide 201

Information Classification Criteria

Criteria items:

Usefulness and value of the information
How long the information will hold this protection requirement
The level of damage possible if the data were disclosed, modified, or corrupted
Laws, regulations, or liability responsibilities pertaining to the data
Lost opportunity costs

Slide 202

Criteria Example

Slide 203

Or Not

Slide 204

Information Owner Requirements

To properly classify information, the information owner must:

Understand the organization's classification scheme and criteria
Be familiar with legal and regulatory requirements
Carry out classification processes in a consistent manner
Have classification processes reviewed and monitored
Carry out declassification procedures when necessary

Slide 205

Clearly Labeled

All classified items need to be clearly labeled
Handling of data in different formats (paper, digital, video, audio, facsimile) must be defined
Markings should be on the cover and inside of documents
Magnetic or optical media must be labeled

Slide 206

Testing the Classification Program

Are documents in open view?
Is sensitive information viewable on computer screens?
Is data physically protected and not just logically protected?
How is sensitive data destroyed?
Review users' access levels
Review an information flow matrix

Slide 207

Who Is Always Causing Problems?

Not birds

– PEOPLE are always a security headache.

Slide 208

Employee Management

Hiring and firing
Termination
Training

Slide 209

Employee Management

The weakest link in security is people
80/20 rule
Proper management of employees is very important
A communication structure needs to be in place
Constructing and enforcing policies
Culture

Slide 210

Employee Position and Management

Employee management:

Position definition
Determining position sensitivity
Filling the position - screening and selecting
Employee training and awareness
User account management
Audit and management reviews
Detecting unauthorized/illegal activities
Temporary assignments and in-house transfers

Slide 211

Hiring and Firing Issues

Pre-employment:

Background check
Drug screening
Security clearance
Credit check

Termination procedures:

Complete an exit interview
Review the non-disclosure agreement
The individual must be immediately escorted out of the facility
The individual must surrender ID badges, keys, and company assets
The user's accounts must be disabled
The user's passwords must be changed

Slide 212

A Few More Items

When hiring, be alert to future checks that may be necessary if the individual moves to a higher classification level in the company.

Hiring and firing practices should follow pre-determined checklists developed by HR.

Slide 213

Unfriendly Termination

Security and safety steps:

1. System access should be terminated as quickly as possible.
2. System access should be removed at the same time as (or just before) the employees are notified of their dismissal.
3. System access should be immediately terminated.

Slide 214

Security Awareness and Training

Slide 215

Training Characteristics

Characteristic           Awareness                     Training                                Education
Attribute                "What"                        "How"                                   "Why"
Level                    Information                   Knowledge                               Insight
Learning Objective       Recognition and Retention     Skill                                   Understanding
Example Teaching Method  Media: videos, newsletters,   Practical Instruction: lecture and/or   Theoretical Instruction: seminar and
                         posters                       demo, case study, hands-on practice     discussion, reading and study, research
Test Measure             True/False, Multiple Choice   Problem Solving, i.e., Recognition      Essay (interpret learning)
                         (identify learning)           and Resolution (apply learning)
Impact Timeframe         Short-term                    Intermediate                            Long-term

Slide 216

Awareness

Security awareness program:

Employees must know what's expected of them, as well as the ramifications of non-compliance
This is part of due care and can be used in liability cases if not performed
Banners, employee handbooks, posters
Should be performed annually
Policies, standards, baselines, guidelines
Incident reporting, malware, social engineering, hazards

Different training for different employee groups:

Technical = IT
Liability, laws, regulations = management levels
Basic security and usability issues = users

Slide 217

Security Enforcement Issues

Importance:

Not just lip service
Support directly from upper management
Ensures the required baseline of security is met
Realized ramifications for actions

Slide 218

Answer This Question

A company needs to be concerned about an asset's reliability, confidentiality, and integrity. What is used to enforce the protection of integrity?

a. Controlling physical security
b. Using access controls
c. Enforcing the rules of confidentiality
d. Using logical security

Slide 219

Answer This Question

The risk management team process for identifying, controlling, eliminating, and/or minimizing uncertain events can be assisted by what aid?

a. Qualitative risk assessment processes
b. Automated information system security tools
c. Internal security controls
d. Risk mitigation

Review Questions:

1. Which of the following is an example of an ultimate data owner?

A. Front-line employee

B. Customer accessing information via the extranet

C. IT administrator

D. CIO

2. What is the term that defines when senior management initiates and sponsors a company's security program?

A. Bottom-up approach

B. Top-down approach

C. Steering committee

D. Middle-driven approach

3. Which of the following would not be part of an organizational security policy?

A. Security program goals

B. E-mail security policy

C. Responsibilities assignments

D. Enforcement information

4. A technique used in qualitative risk analysis that uses the anonymous opinions of

all individuals is called what?

A. Consensus approach

B. Delphi technique

C. Group mentality

D. Group discussion phase

5. Which of the following terms is a recommendation to an employee on how to act?

A. Baseline

B. Rule

C. Guideline

D. Standard

6. Which is not an example or characteristic of qualitative risk analysis?

A. Delphi technique

B. Storyboarding

C. SLE calculations

D. Opinion-based


7. A policy that is more technically focused and outlines the directives dictated by management is which of the following?

A. System-specific

B. Technical-specific

C. Organizational

D. Issue-specific

8. Which is not an example of security awareness?

A. Security training

B. Security bulletin board notes

C. Security ACLs

D. Security objectives in an employee’s performance review

9. A common omission in security programs by many companies is which of the following?

A. Responsibility assignments

B. Penalties for non-compliance

C. Risk analysis

D. Awareness

10. What step should happen first when an employee is terminated if it is an unfriendly separation?

A. Escorted off premises

B. Network and system access privileges removed

C. Facility ID badges collected

D. Employee's personal items boxed up

11. Third party governance is used to accomplish what aspect of security?

A. Taking control of a third party’s IT department

B. Ensuring that a third party partner has met a certain level of compliance and security

C. Allowing a third party entity to take over security of your organization's IT department

D. Hiring a contractor to do an internal audit


Answer Key:

1. D

The key word here is "ultimate." Employees and the administrator can be data owners in some situations, but senior management is ultimately the owner of business-oriented data. Data owners are legally accountable for the protection of data within a company. Because of this responsibility, data owners should be members of senior management. These individuals exercise due care through data classification and the associated security policies.

2. B

A top-down approach to security management is the ideal method because it is typically more successful than the bottom-up approach. In a top-down approach, management drives the program; in a bottom-up approach, a lower-level employee drives it. The most important factor in security management is obtaining the support of upper management.

3. B

An organizational security policy covers the entire program at a high level. Typically it covers how the program is set up, its goals and objectives, who is responsible for what, and how the policy is enforced. E-mail security would be addressed in an issue-specific policy.

4. B

In qualitative risk analysis, the Delphi technique is used to obtain honest results by having each participant submit his or her opinion anonymously. The technique is designed so that people can give their opinions without being influenced by others in the group.

5. C

Guidelines provide employees with recommendations on how to perform specific tasks; they are not mandatory. This differs from a standard, which is a rule that must be followed, and from a baseline, which defines the minimum level of security that must be met.

6. C

Qualitative risk analysis does not rely on real-number calculations; instead it assigns rankings to threats and countermeasures and draws on judgment, intuition, and experience. Single loss expectancy (SLE), the monetary loss expected from a single occurrence of a threat (asset value multiplied by exposure factor), is a quantitative risk analysis calculation.


7. A

System-specific policies are technical directives issued by management to protect individual systems. They can outline how a system should be accessed or how users should be trained on the use of a specific system.

8. C

Security awareness is a vital part of a successful security program. As the name states, the goal is to make employees aware of the components of the security program. Employees can be made aware in a variety of ways, such as e-mail, regular meetings, training classes, or security-related tasks included in their performance plans. Access control lists (ACLs) are security controls, but they do not contribute to security awareness.

9. B

A common mistake many companies make is failing to define penalties in the security program to be enforced when individuals do not comply with its directives. As with any rule or law, without known consequences it is unlikely that the instruction will be followed. Security awareness, by contrast, is named in most security policies; what is less common is following through on the awareness objective, but that is a failure of execution rather than an omission from the program.

10. B

The first step when an employee is terminated is to remove all network and system access privileges. Until that is done, the ex-employee can still connect remotely and do harm, even after being escorted off the premises. Protecting the company's assets should come first.

11. B

We need to make certain that working with a third party does not introduce new security concerns, so we use third party governance to verify that the third party complies with our security requirements.
