ISACA CISM Certification Certified Information Security Manager Courseware Version 4.0
CISM® Firebrand Accelerated Training
1 4/17/2015
2015 CISM Review Course
Introduction
Agenda
This introduction will address:
• The CISM Certification
• Course format
• Examination format
• Introduction of attendees
• To set the scene – recent incidents
This is NOT a Death-By-PowerPoint Seminar
But it IS a Seminar
CISM – Certified Information Security Manager
• Designed for personnel that have (or want to have) responsibility for managing an information security program
• Tough but very good quality examination
• Requires understanding of the concepts behind a security program – not just the definitions
CISM Exam Review Course Overview
The CISM exam is based on the CISM job practice.
• The ISACA CISM Certification Committee oversees the development of the exam and ensures the currency of its content.
• There are four content areas that the CISM candidate is expected to know.
CISM Qualifications
To earn the CISM designation, information security professionals are required to:
• Successfully pass the CISM exam
• Adhere to the ISACA Code of Professional Ethics
• Agree to comply with the CISM continuing education policy
• Submit verified evidence of five (5) years of work experience in the field of information security
Daily Format
Lecture and sample questions
Domain structure:
• Learning objectives
• Content
• Sample questions
Please note that the information in every domain overlaps with the information in other domains – during the course we will introduce topics that are expanded upon in later domains.
Domain Structure (diagram)
The four CISM domains and the relationships drawn between them on the slide (labelled Reports To, Mandates, Influences, Deploys and Requires):
• Information Security Governance
• Information Risk Management and Compliance
• Information Security Program Development and Management
• Information Security Incident Management
Course Structure
• Start time
• Breaks
• Meals
• End of day
• End of class on last day
Logistics
• Fire escapes
  • Assembly point
• Mobile phones / pagers
The Examination
Description of the Exam
The exam consists of 200 multiple choice questions that cover the CISM job practice areas.
Four hours are allotted for completing the exam.
See the Candidate’s Guide to the CISM Exam and Certification.
Examination Job Content Areas
The exam items are based on the content in 4 information security areas:
• Information Security Governance – 24%
• Information Risk Management and Compliance – 33%
• Information Security Program Development and Management – 25%
• Information Security Incident Management – 18%
2015 Exam Dates
The exam will be administered three times in 2015:
• The 1st exam date is June 13
  • April 21 is the deadline for registration
• The 2nd exam date is Sept 12
• The 3rd exam date is Dec 12
• Many examination locations worldwide
• Register at www.isaca.org
Examination Day
Be on time!!
• The doors are locked when the instructions start – approximately 30 minutes before examination start time.
Bring the admission ticket (sent out prior to the examination from ISACA) and an acceptable form of original photo identification (passport, photo ID or driver’s license).
Completing the Examination Items
• Bring several #2 pencils and an eraser
• Read each question carefully
• Read ALL answers prior to selecting the BEST answer
• Mark the appropriate answer on the test answer sheet
• When correcting an answer, be sure to thoroughly erase the wrong answer before filling in a new one
• There is no penalty for guessing. Answer every question.
Grading the Exam
Candidate scores are reported as a scaled score based on the conversion of a candidate’s raw score on an exam to a common scale.
ISACA uses and reports scores on a common scale from 200 to 800. A candidate must receive a score of 450 or higher to pass.
Exam results will be mailed (and emailed) out approximately 8 weeks after the exam date.
Good luck!
Introduction of Classmates
Highly Technical Attacks
Stuxnet
Part of “Operation Olympic Games”, a 2006 operation designed to disrupt Iran’s nuclear programme.
General James E Cartwright, head of CyberOps inside the US Strategic Command, developed the Stuxnet plan:
• Stage 1: Plant code that extracts maps of the air-gapped networks supporting nuclear labs & reprocessing plants in Iran
• Stage 2: Payload development by NSA’s Foreign Affairs Directorate & IDF’s Intelligence Corps Unit 8200
  • Code named: “The Bug”
• Stage 3: Test against P-1 centrifuges
• Stage 4: Plant the worm in Natanz via spies and tricked insiders (engineers to maintenance workers – anyone with physical access to the plant). This was in 2008.
The op was successful:
• ICS were infected & high-speed centrifuges were infected
• Iranians blamed themselves or suppliers for observed problems
Stuxnet
20x more complex than any piece of previous malware.
Array of capabilities:
• Increase pressure inside nuclear reactors while telling system operators everything was normal
Does not carry a forged security clearance (used by malware to escalate privilege). It had a real clearance, stolen from one of the most globally reputable technology companies.
Exploited 20 zero-day vulnerabilities.
Target-specific. It remained dormant until the target was sighted. The target was the P-1 centrifuges.
May have shut down 1000 centrifuges in Natanz.
Iran has responded to the attack with an open call to hackers to join the Iranian Revolutionary Guard. It now has the 2nd largest online army.
GhostNet
GhostNet represents a network of compromised computers resident in high-value political, economic, and media locations spread across numerous countries worldwide.
GhostNet
Infected 986 machines across 93 countries.
GhostNet – Malware retrieving a sensitive document (screen capture)
This screen capture of the Wireshark network analysis tool shows an infected computer at the Office of the Dalai Lama uploading a sensitive document to one of the CGI network’s control servers.
GhostNet
The gh0st RAT interface: (screenshot)
GhostNet
gh0st RAT demonstration: https://www.youtube.com/watch?v=6p7FqSav6Ho
Technical Social Engineering
The purpose of social engineering is to transparently install malicious software or to trick you into handing over sensitive information.
Technical social engineering is a chained exploit: human nature and software vulnerabilities are both exploited.
Technical Social Engineering (diagram)
Operation Aurora
Targeted 34 companies in the financial, technology & defense sectors.
Never before seen level of sophistication outside the defense industry. Prior to this, commercial attacks were SQL-injection or wireless-breach based.
Highly sophisticated & coordinated hack attack against Google’s corporate network:
• Targeted & stole IP (source code repositories)
• Accessed Gmail accounts of human rights activists
Operation Aurora
Used several pieces of malware, levels of encryption, stealth programming & zero-day exploits in IE, Word, Excel & Adobe PDFs.
• Attack was obfuscated & avoided common detection methods
Tailored to target a small number of corporate users:
• Sending a malicious document attached to an email, or
• Sending a spoofed email message with a link to a malicious website
Infected machines will typically have the following components installed:
• %System%\[RANDOM].dll: main file. Runs as a service and has back door capabilities
• %System%\acelpvc.dll: Streams live desktop feed to the attacker
• %System%\VedioDriver.dll: Helper DLL for acelpvc.dll
Operation Aurora
Siphoned off live feed and/or data to C&C servers in Illinois, Texas & Taiwan. One C&C server was hosted by RackSpace.
Designed to occur during a holiday season when company SOCs & IRTs would be thinly staffed.
Operation Aurora – Trojan.Hydraq
Infects Win2K, Win7, Win2003, Win2008, Vista, XP.
Creates 2 files.
• Creates a service RASxxxx
• Registers the service by creating a registry subkey
• Modifies this registry entry:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\“netsvcs”
• Opens a backdoor allowing a remote attacker to do a number of things
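The slide describes a service that hides among the members of the SvcHost “netsvcs” group. As an added illustration that is not part of the course material, the PowerShell below shows how a defender can audit that group on a Windows host: it lists every service name in the netsvcs value, the DLL each service loads, and whether that DLL carries a valid Authenticode signature. The two registry paths are the standard Windows locations; the function name Get-NetsvcsMember is my own.

```powershell
# Added example, not from the course slides. Lists each member of the SvcHost
# "netsvcs" group with the DLL it loads and that DLL's signature status, so an
# unexpected entry (such as a RASxxxx service like the one on the slide) stands
# out during an investigation.
function Get-NetsvcsMember {
    $svcHostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
    $members = (Get-ItemProperty -Path $svcHostKey -Name netsvcs).netsvcs

    foreach ($name in $members) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path $svcKey)) {
            # A group member with no service key is a leftover; record it rather than skip it.
            [pscustomobject]@{ Service = $name; ServiceDll = '<no service key>'; Signature = 'n/a' }
            continue
        }

        # The DLL a svchost-hosted service loads is recorded under Parameters\ServiceDll.
        $params = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue
        $dll = if ($params -and $params.ServiceDll) {
            [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        } else { '<none>' }

        # An unsigned or missing DLL behind a netsvcs member is the kind of indicator the slide describes.
        $status = if (Test-Path -LiteralPath $dll) {
            (Get-AuthenticodeSignature -FilePath $dll).Status
        } else { 'file missing' }

        [pscustomobject]@{ Service = $name; ServiceDll = $dll; Signature = $status }
    }
}

# Run on the host being examined; anything whose Signature is not 'Valid' deserves a closer look.
Get-NetsvcsMember | Sort-Object Signature | Format-Table -AutoSize
```

Compare the output against the same listing from a clean reference build of the same Windows version: a service name absent from the reference, or a DLL that is unsigned, missing, or sitting at an unusual path, is what to escalate. The check is point-in-time, so it belongs in a scheduled baseline comparison rather than a one-off run.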
Operation Aurora – Google Case Study
Initial attack occurred when company executives visited a malicious site:
• Via a clicked URL sent by email/IM, or
• Via social networking sites
Drive-by download:
• IE exploited via zero-day exploit
• Multiple pieces of malware downloaded onto the device, automatically & transparently
Operation Aurora – Google Case Study
• Shell code 3x encrypted
• Downloaded encrypted binary code in 2 encrypted .exe’s from an external node
• Opened backdoor “beachhead” into other parts of the corporate network
• Established encrypted covert channel masquerading as an SSL connection
ICEFOG – Advanced Persistent Threat
A threat actor. Emerging trend of cyber-mercenary teams of 10s to 100s available for hire to perform surgical hit-and-run ops.
• Going after the supply chain & compromising the target with surgical precision
Relies on spear phishing emails that attempt to trick a victim into opening a malicious attachment or visiting a malicious website.
Victims were Japanese & South Korean targets. From China with love.
End of Introduction
ISACA® Trust in, and value from, information systems
2015 CISM Review Course
Chapter 1 Information Security Governance
Course Agenda
• Priorities for the CISM
• Corporate Governance
• Information Security Strategy
• Information Security Program
• Elements of a Security Program
• Roles and Responsibilities
• Evaluating a Security Program
• Reporting and Compliance
• Ethics
Examination Content
The CISM candidate understands:
• Effective security governance framework
• Building and deploying a security strategy aligned with organizational goals
• Managing risk appropriately
• Responsible management of program resources
The content area in this chapter will represent approximately 24% of the CISM examination (approximately 48 questions).
Chapter 1 Learning Objectives
• Align the organization’s information security strategy with business goals and objectives
• Obtain senior management commitment
• Provide support for:
  • Governance
  • Business cases to justify security
  • Compliance with legal and regulatory mandates
  • Organizational priorities and strategy
• Identify drivers affecting the organization
• Define roles and responsibilities
• Establish metrics to report on effectiveness of the security strategy
The Priorities for the CISM Candidate in Chapter One
CISM Priorities
The CISM must understand:
• Requirements for effective information security governance
• Elements and actions required to:
  • Develop an information security strategy
  • Plan of action to implement it
The First Question
In your own words, please describe what information security is, and what the purpose or value of information security is in relation to the business.
Information Security
Information is indispensable to conduct business effectively today.
Information must:
• Be available
• Have integrity of data and process
• Be kept confidential as needed
Protection of information is a responsibility of the Board of Directors.
Information Security
Information protection includes:
• Accountability
• Oversight
• Prioritization
• Risk management
• Compliance (regulations and legislation)
Information Security Governance Overview
Information security is much more than just IT security (more than technology).
Information must be protected at all levels of the organization and in all forms.
• Information security is a responsibility of everyone
• In all forms – paper, fax, audio, video, microfiche, networks, storage media, computer systems
Selling the Importance of Information Security
Benefits of effective information security governance include:
• Improved trust in customer relationships
• Protecting the organization’s reputation
• Better accountability for safeguarding information during critical business activities
• Reduction in loss through better incident handling and disaster recovery
The First Priority for the CISM
Remember that information security is a business-driven activity.
• Security is here to support the interests and needs of the organization – not just the desires of security
• Security is always a balance between cost and benefit; security and productivity
Corporate Governance
Business Goals and Objectives
Corporate governance is the set of responsibilities and practices exercised by the board and executive management.
Goals include:
– Providing strategic direction
– Reaching security and business objectives
– Ensuring that risks are managed appropriately
– Verifying that the enterprise’s resources are used responsibly
Outcomes of Information Security Governance
The six basic outcomes of effective security governance:
• Strategic alignment
• Risk management
• Value delivery
• Resource management
• Performance measurement
• Integration
Benefits of Information Security Governance
Effective information security governance can offer many benefits to an organization, including:
• Compliance and protection from litigation or penalties
• Cost savings through better risk management
• Avoiding the risk of lost opportunities
• Better oversight of systems and business operations
• Opportunity to leverage new technologies to business advantage
Performance and Governance
Governance is only possible when metrics are in place for:
• Measuring
• Monitoring
• Reporting
on whether critical organizational objectives are achieved.
Enterprise-wide measurements should be developed.
Information Security Strategy
Developing Information Security Strategy
Information security strategy:
• Long term perspective
• Standard across the organization
• Aligned with business strategy / direction
• Understands the culture of the organization
• Reflects business priorities
Elements of a Strategy
A security strategy needs to include:
• Resources needed
• Constraints
• A road map
• Includes people, processes, technologies and other resources
• A security architecture: defining business drivers, resource relationships and process flows
Achieving the desired state is a long-term goal of a series of projects.
Objectives of Security Strategy
The objectives of an information security strategy must:
• Be defined
• Be supported by metrics (measurable)
• Provide guidance
The Goal of Information Security
The goal of information security is to protect the organization’s assets, individuals and mission.
This requires:
• Asset identification
• Classification of data and systems according to criticality and sensitivity
• Application of appropriate controls
*Information is an asset only to the degree it supports the primary purpose of the business.
Defining Security Objectives
The information security strategy forms the basis for the plan(s) of action required to achieve security objectives.
The long-term objectives describe the “desired state” and should describe a well-articulated vision of the desired outcomes for a security program.
Security strategy objectives should be stated in terms of specific goals directly aimed at supporting business activities.
Business Linkages
Business linkages:
• Start with understanding the specific objectives of a particular line of business
• Take into consideration all information flows and processes that are critical to ensuring continued operations
• Enable security to be aligned with and support business at strategic, tactical and operational levels
Business Case Development
The business case for initiating a project must be captured and communicated:
• Dependencies
• Reference
• Context
• Project metrics
• Value proposition
• Workload
• Focus
• Required resources
• Deliverables
• Commitments
The business case for security must address the same criteria.
The Information Security Program
Question: What steps/elements are necessary to develop an effective security program?
Security Program Priorities
• Achieve high standards of corporate governance
• Treat information security as a critical business issue
• Create a security-positive environment
• Have declared responsibilities
Security versus Business
Security must be aligned with business needs and direction.
Security is woven into the business functions and provides:
• Strength
• Resilience
• Protection
• Stability
• Consistency
Security Program Objectives
Ensure the availability of systems and data
• Allow access to the correct people in a timely manner
Protect the integrity of data and business processes
• Ensure no improper modifications
Protect confidentiality of information
• Unauthorized disclosure of information
  • Privacy, trade secrets
What is Security?
A structured deployment of risk-based controls related to:
• People
• Processes
• Technology
Security Integration
Security needs to be integrated INTO the business processes.
The goal is to reduce security gaps through organization-wide security programs.
Integrate IT with:
• Physical security
• Risk management
• Privacy and compliance
• Business continuity management
Security Program
Starts with theory and concepts:
• Policy
Interpreted through:
• Procedures
• Baselines
• Standards
Measured through audit.
Architecture
Information security architecture is similar to physical architecture:
• Requirements definition
• Design / modeling
• Creation of detailed blueprints
• Development, deployment
Architecture is planning and design to meet the needs of the stakeholders.
Security architecture is one of the greatest needs for most organizations.
Information Security Frameworks
Framework:
• Template
• Structure
• Measurable / auditable
• Project planning and management
• Strategic, tactical and operational viewpoints
Using an Information Security Framework
Effective information security is provided through adoption of a security framework:
− Defines information security objectives
− Aligns with business objectives
− Provides metrics to measure compliance and trends
− Standardizes baseline security activities enterprise-wide
The Desired State of Security
The “desired state of security” must be defined in terms of attributes, characteristics and outcomes.
• It should be clear to all stakeholders what the intended security state is
The Desired State cont.
The desired state according to COBIT (Control Objectives for Information and related Technology):
• “Protecting the interests of those relying on information, and the processes, systems and communications that handle, store and deliver the information, from harm resulting from failures of availability, confidentiality and integrity”
• Focuses on IT-related processes from IT governance, management and control perspectives
The Maturity of the Security Program – Using CMM
0: Nonexistent—No recognition by organization of need for security
1: Ad hoc—Risks are considered on an ad hoc basis—no formal processes
2: Repeatable but intuitive—Emerging understanding of risk and need for security
3: Defined process—Companywide risk management policy / security awareness
4: Managed and measurable—Risk assessment standard procedure, roles and responsibilities assigned, policies and standards in place
5: Optimized—Organization-wide processes implemented, monitored and managed
Using the Balanced Scorecard
The four perspectives of the Balanced Scorecard, arranged around Vision and Strategy:
• Financial
• Customer
• Internal Business Processes
• Learning and Growth
The ISO 27001:2013 Framework
The goal of ISO 27001:2013 is to:
• Establish
• Implement
• Maintain, and
• Continually improve
an information security management system.
Contains:
• 14 clauses, 35 control objectives and 114 controls
Examples of Other Security Frameworks
• SABSA (Sherwood Applied Business Security Architecture)
• COBIT
• COSO
• Business Model for Information Security
  • Model originated at the Institute for Critical Information Infrastructure Protection
Examples of Other Security Frameworks
• ISO standards on quality (ISO 9001:2000)
• Six Sigma
• Publications from NIST and ISF
• US Federal Information Security Management Act (FISMA)
Constraints and Considerations for a Security Program
Constraints:
• Legal—Laws and regulatory requirements
• Physical—Capacity, space, environmental constraints
• Ethics—Appropriate, reasonable and customary
• Culture—Both inside and outside the organization
• Costs—Time, money
• Personnel—Resistance to change, resentment against new constraints
Constraints and Considerations for a Security Program cont.
Constraints:
• Organizational structure—How decisions are made and by whom, turf protection
• Resources—Capital, technology, people
• Capabilities—Knowledge, training, skills, expertise
• Time—Window of opportunity, mandated compliance
• Risk tolerance—Threats, vulnerabilities, impacts
Elements of a Security Program
Elements of Risk and Security
The next few slides list many factors that go into a security program.
Risk Management
The basis for most security programs is risk management:
• Risk identification
• Risk mitigation
• Ongoing risk monitoring and evaluation
The CISM must remember that risk is measured according to potential impact on the ability of the business to meet its mission – not just on the impact on IT.
Information Security Concepts
• Access
• Architecture
• Attacks
• Auditability
• Authentication
• Authorization
• Availability
• Business dependency analysis
• Business impact analysis
• Confidentiality
• Countermeasures
• Criticality
• Data classification
• Exposures
• Gap analysis
• Governance
Information Security Concepts cont.
• Identification
• Impact
• Integrity
• Layered security
• Management
• Nonrepudiation
• Risk / Residual risk
• Security domains
• Security metrics
• Sensitivity
• Standards
• Strategy
• Threats
• Vulnerabilities
• Enterprise architecture
• Trust models
Security Program Elements
• Policies
• Standards
• Procedures
• Guidelines
• Controls—physical, technical, procedural
• Technologies
• Personnel security
• Organizational structure
• Skills
Security Program Elements cont.
• Training
• Awareness and education
• Compliance enforcement
• Outsourced security providers
• Other organizational support and assurance providers
• Facilities
• Environmental security
Third Party Agreements
Ensure that security requirements are addressed in all third party agreements:
• Service level agreements
• Jurisdiction in case of dispute
• Right to audit or obtain independent verification of compliance
Roles and Responsibilities
Roles and Responsibilities of Senior Management
Board of directors
• Information security governance / accountability
Executive management
• Implementing effective security governance and defining the strategic security objectives
• Budget and support
Steering committee
• Ensuring that all stakeholders impacted by security considerations are involved
• Oversight and monitoring of security program
Senior Management Commitment
To be successful, information security must have the support of senior management:
• Budget
• Direction / policy
• Reporting and monitoring
A bottom-up management approach to information security activities is much less likely to be successful.
How can we obtain continued senior management support for the security program?
Steering Committee
• Oversight of information security program
• Acts as liaison between management, business, information technology, and information security
• Ensures all stakeholder interests are addressed
• Oversees compliance activities
CISO – Chief Information Security Officer
Responsibilities:
• Responsible for information security-related activity
• Policy
• Investigation
• Testing
• Compliance
Business Manager
Responsibilities:
• Responsible for security enforcement and direction in their area
• Day to day monitoring
• Reporting
• Disciplinary actions
• Compliance
IT Staff
Responsibilities:
• Responsible for security design, deployment and maintenance
• System and network monitoring
• Reporting
• Operations of security controls
• Compliance
Centralized versus Decentralized Security
Which is better?
• Consistency versus flexibility
• Central control versus local ownership
• Procedural versus responsive
• Core skills versus distributed skills
• Visibility to senior management versus visibility to users and local business units
Evaluating the Security Program
Audit and Assurance of Security
Objective review of security risk, controls and compliance.
Assurance regarding the effectiveness of security is a part of regular organizational reporting and monitoring.
Evaluating the Security Program
Metrics are used to measure results.
• Measure security concepts that are important to the business
• Use metrics that can be used for each reporting period
  • Compare results and detect trends
Effective Security Metrics
Set metrics that will indicate the health of the security program:
• Incident management
• Degree of alignment between security and business development
  • Was security consulted?
  • Were controls designed in the systems or added later?
Effective Security Metrics cont.
Choose metrics that can be controlled:
• Measure items that can be influenced or managed by local managers / security
• Not external factors such as number of viruses released in the past year
• Have clear reporting guidelines
• Monitor on a regular scheduled basis
Key Performance Indicators (KPIs)
Thresholds to measure:
• Compliance / non-compliance
• Pass / fail
• Satisfactory / unsatisfactory results
A KPI is set at a level that indicates action should / must be taken.
• Alarm point
End to End Security
Security must be enabled across the organization – not just on a system by system basis.
Performance measures should ensure that security systems are integrated with each other.
• Layered defenses
Correlation Tools
The CISM may use security event and incident management (SEIM, SIM, SEM) tools to aggregate data from across the organization:
• Data analysis
• Trend detection
• Reporting tools
Reporting and Compliance
Regulations and Standards
The CISM must be aware of:
National
• Laws
  • Privacy
• Regulations
  • Reporting, performance
Industry standards
• Payment Card Industry (PCI)
• BASEL II
Effect of Regulations
Requirements for business operations:
• Potential impact of breach
  • Cost
  • Reputation
• Scheduled reporting requirements
  • Frequency
  • Format
Reporting and Analysis
Data gathering at source
• Accuracy
• Identification
Reports signed by organizational officer
Ethics
Ethical Standards
Rules of behaviour:
• Legal
• Corporate
• Industry
• Personal
Ethical Responsibility
Responsibility to all stakeholders:
• Customers
• Suppliers
• Management
• Owners
• Employees
• Community
ISACA Code of Ethics
Required for all certification holders.
• Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
• Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.
ISACA Code of Ethics cont.
• Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
• Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
ISACA Code of Ethics cont.
• Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
• Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
• Support the professional education of stakeholders in enhancing their understanding of information systems security and control.
Practice Question 1
The PRIMARY purpose of a security strategy is to provide:
A. The basis for determining the security architecture for the organization.
B. The intent and direction of management.
C. Guidance for users on how to comply with security requirements.
D. Standards to measure compliance.
Practice Question 2
The BEST method of improving security compliance is:
A. To make it easier for employees to follow security rules.
B. To have comprehensive organization-wide security policies.
C. To have an active security awareness program.
D. To inform all staff about legal regulations and legislation.
Practice Question 3
The MOST important task of the CRISC regarding compliance with regulations is to:
A. Develop the policies and standards to be followed by the organization.
B. Ensure that accurate and complete data is used in reporting procedures.
C. Provide guidance to business units on the legal requirements for compliance.
D. Approve all reports prior to submission to outside agencies.
Practice Question 4
The MOST important consideration in the development of security policies is that:
A. The policies reflect the intent of senior management.
B. The policies are legal.
C. All employees agree with the policies.
D. The correct procedures are developed to support the requirements of policy.
End of Domain
2015 CISM Review Course
Chapter 2 Information Risk Management and Compliance
Course Agenda
• Information asset classification
• Identify regulatory, legal and other requirements
• Identify risk, threats and vulnerabilities
• Risk treatment
• Evaluate security controls
• Integrate risk management into business processes
• Report non-compliance and other changes in risk
Exam Relevance
Ensure that the CISM candidate manages information risk to an acceptable level to meet the business and compliance requirements of the organization.
The content area in this chapter will represent approximately 33% of the CISM examination (approximately 66 questions).
Chapter 2 Task Statements
• Establish an information asset classification and ownership process
• Ensure risk, threat and vulnerability assessments are conducted periodically
• Evaluate security controls
• Identify gaps between current and desired state
Chapter 2 Task Statements cont.
• Integrate risk, threat and vulnerability identification and management into the organization
• Monitor existing risk to ensure changes are identified and managed appropriately
• Report information risk management levels to management
Information Asset Classification
Information Asset Classification
Need to know what information to protect.
Need to know who is responsible to protect it:
• Ownership
• Roles and responsibilities
Roles and Responsibilities Information protection requires clear assignment of responsibilities • Information owner • Information System owner
• Board of Directors / Chief Executive Officer • Users • Information Custodians • Third Party Suppliers 9 4/17/2015
Roles and Responsibilities Information security risk management is an integral part of security governance • Is the responsibility of the board of directors or the equivalent to ensure that these efforts are visible Management must be involved in and sign off on acceptable risk levels and risk management objectives
10 4/17/2015
5
17/04/2015
Information Classification Considerations
Business impact and reliance of the business on information and information systems
• Understand business objectives
  • Availability of data / systems
  • Sensitivity of data / systems

Regulations and Legislation
Information asset protection may be required by legislation
• Privacy
  • Consumer data
  • Employee data
• Financial accuracy
  • SOX-type laws

Asset Valuation
Information asset valuation may be based on:
• Financial considerations
  • Liability for lost data
  • Cost to create or restore data
  • Impact on business mission
• Reputation
  • Customer or supplier confidence

Valuation Process
• Determine ownership
• Determine number of classification levels
• Develop labeling scheme
• Identify all information types and locations
• De-classify when data no longer needs protection
Information Protection
• Ensure that data is protected consistently across all systems
• Protect data in all forms – paper, electronic, optical, fax
• Protect data at all times:
  • Storage
  • Transmission
  • Processing
  • Destruction

Information Asset Protection
Policies
• Communicated
• Enforced
• Clean desk / clear screen
• Need to know – least privilege
Procedures
• Labeling
• Destruction
Risk Management

Definition of Risk
Risk is a function of the likelihood of a threat-source exercising a vulnerability and the resulting impact of that adverse event on the mission of the organization.
• Asset
• Threat
• Vulnerability
• Likelihood (probability)
• Impact (consequence)

Why is Risk Important
Risk management is a fundamental function of information security
• Provides rationale and justification for virtually all information security activities
• Prioritization of risk allows the development of a security roadmap

Risk Management Definition
What is risk management? The systematic application of management policies, procedures and practices to the tasks of:
• Identifying
• Analyzing
• Evaluating
• Treating
• Monitoring
risk related to information and information systems
Risk Management Objective
• The objective of risk management is to identify, quantify and manage information security risk.
• Reduce risk to an acceptable level through the application of risk-based, cost-effective controls.

Risk Management Overview
Risk is the probability of occurrence of an event or transaction causing financial loss or damage to
• Organization
• Staff
• Assets
• Reputation
Quantitative and qualitative measures

Risk Management Overview
Risk management is the process of ensuring that the impact of threats exploiting vulnerabilities is within acceptable limits at an acceptable cost.
At a high level, this is accomplished by
• Balancing risk against mitigation costs
• Implementing appropriate countermeasures and controls

Defining the Risk Environment
The most critical prerequisite to a successful risk management program is understanding the organization, including:
− Key business drivers
− The organization’s SWOT (strengths, weaknesses, opportunities and threats)
− Internal and external stakeholders
− Organizational structure and culture
− Assets (resources, information, customers, equipment)
− Goals and objectives, and the strategies already in place to achieve them
Threats to Information and Information Systems
Threats to information and information systems are related to:
• Availability
• Confidentiality
• Integrity
• Non-repudiation

Threat Analysis
Intentional versus unintentional attacks
• Natural
• Man-made
• Utility / equipment
Threats are affected by
• The skill and motivation of the attacker
• The existence of attack tools

Aggregate Risk
Aggregate risk must be considered
• Aggregate risk is where several smaller risk factors combine to create a larger risk (the "perfect storm" scenario)

Cascading Risk
Cascading risks are the effect of one incident leading to a chain of adverse events (domino effect)
Identification of Vulnerabilities
Weaknesses in security controls
• Patches not applied
• Non-hardened systems
• Inappropriate access levels
• Unencrypted sensitive data
• Software bugs or coding issues (buffer overflow)
• Physical security

The Effect of Risk
An exploit of a vulnerability by a threat may lead to an exposure. An exposure is measured by the impact it has on the organization or the ability of the organization to meet its mission.

Impact
Examples of direct and indirect financial losses:
• Direct loss of money (cash or credit)
• Criminal or civil liability
• Loss of reputation / goodwill / image
• Reduction of share value
• Conflict of interests to staff or customers or shareholders
• Breach of confidence / privacy
• Loss of business opportunity / competition
• Loss of market share
• Reduction in operational efficiency / performance
• Interruption of business activity
• Noncompliance with laws and regulations resulting in penalties
Risk Management Process
• Risk identification (assessment and analysis)
• Risk treatment (control selection)
• Evaluation and assessment

Risk Assessment Methodology
Quantitative
• Determine the impact of a single event
  • Single Loss Expectancy (SLE)
  • SLE = Asset Value x Exposure Factor
• Calculate frequency of events
  • Annualized rate of occurrence (ARO)
  • ARO = Incidents per year

Annualized Loss Expectancy (ALE)
ALE is the calculated cost of risk per year from a single event
• ALE = SLE x ARO
Used to justify the expense of implementing controls to reduce risk levels
The cost of controls should not be greater than the benefit realized by implementing the control
Qualitative Risk Assessment
Determine risk levels through scenario-based analysis
Rank risk levels according to frequency and impact (Low (1), Moderate (2), High (3))

Likelihood \ Impact    Low    Moderate    High
High                    3        6          9
Moderate                2        4          6
Low                     1        2          3
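The SLE, ARO and ALE formulas and the 3x3 likelihood-by-impact matrix above, applied to a small risk register so that entries can be ranked both ways. This is an added example written for this page, not code from the ISACA courseware; the asset values, exposure factors, annual rates of occurrence and ratings in the register are constructed, and the Low/Moderate/High bands derived from the matrix product are an assumption of the example rather than something the slides define.

```python
"""Quantitative and qualitative scoring of a constructed risk register.

Added example, not part of the ISACA CISM courseware. It applies the slide
formulas SLE = Asset Value x Exposure Factor and ALE = SLE x ARO, and the
3x3 matrix in which likelihood and impact are each rated Low=1, Moderate=2,
High=3 and multiplied. All register values are constructed.
"""
from dataclasses import dataclass

# Qualitative ratings used by the slide's matrix.
RATING = {"Low": 1, "Moderate": 2, "High": 3}


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor; EF is the fraction of value lost (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, where ARO is incidents per year (may be fractional)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def qualitative_score(likelihood: str, impact: str) -> int:
    """One cell of the 3x3 matrix: likelihood rating x impact rating (1..9)."""
    return RATING[likelihood] * RATING[impact]


def qualitative_band(score: int) -> str:
    """Collapse the 1..9 product into a reporting band.
    The thresholds (>=6 High, >=3 Moderate) are an assumption of this example."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Moderate"
    return "Low"


@dataclass
class RiskEntry:
    name: str
    asset_value: float
    exposure_factor: float
    aro: float
    likelihood: str
    impact: str


def score_register(register):
    """Return SLE, ALE and qualitative score per entry, ranked by ALE (highest first)."""
    rows = []
    for r in register:
        sle = single_loss_expectancy(r.asset_value, r.exposure_factor)
        ale = annualized_loss_expectancy(sle, r.aro)
        score = qualitative_score(r.likelihood, r.impact)
        rows.append({"name": r.name, "sle": sle, "ale": ale,
                     "score": score, "band": qualitative_band(score)})
    return sorted(rows, key=lambda row: row["ale"], reverse=True)


# Constructed register: values chosen for illustration only.
SAMPLE_REGISTER = [
    RiskEntry("Ransomware on file server", 500_000, 0.50, 0.5, "Moderate", "High"),
    RiskEntry("Laptop theft (unencrypted)", 20_000, 1.00, 4.0, "High", "Moderate"),
    RiskEntry("Data centre flood", 2_000_000, 0.25, 0.02, "Low", "High"),
]

if __name__ == "__main__":
    for row in score_register(SAMPLE_REGISTER):
        print(f"{row['name']:<28} SLE={row['sle']:>10,.0f}  ALE={row['ale']:>9,.0f}  "
              f"score={row['score']} ({row['band']})")
```

Ranking by ALE and by matrix score can disagree: the laptop-theft entry has a lower SLE than the flood but a far higher ARO, so it outranks the flood on ALE even though both are rated High on impact. That disagreement is the reason the slides treat the two methods as complementary rather than interchangeable.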
Data Gathering Techniques
• Surveys / questionnaires
• Observation
• Workshops
• Delphi techniques

Results of Risk Assessment
• Documentation of risk levels
  • Risk register
• Determination of threat and vulnerability levels
• Forecast of impact and frequency of events
• Recommendations for risk mitigation
  • Controls, safeguards, countermeasures

Alignment of Risk Assessment and BIA
Risk assessment measures impact and likelihood; business impact analysis measures impact over time.
Related disciplines – but not the same
BIA must be done periodically to determine how risk and impact levels increase over time
• Set priorities for critical business functions

Risk Treatment
Risk Treatment
Risk treatment takes the recommendations from the risk assessment process and selects the best choice for managing risk at an acceptable level
• Residual risk
• Risk acceptance
• Cost / benefit
• Priorities
• Balance between security and business

Risk Treatment Options
• Reduction / mitigation – implement changes
  • Enhance managerial, technical, physical and operational controls
• Acceptance
• Transference
• Avoidance

Risk Mitigation and Controls
Controls (safeguards / countermeasures) are implemented in order to reduce a specified risk
− Existing controls and countermeasures can be evaluated
− New controls and countermeasures can be designed

Control Recommendations
Factors to be considered when recommending new or enhanced controls are:
• Cost-benefit analysis
• Anticipated effectiveness
• Compatibility with other controls, systems and processes
• Legislation and regulation
• Organizational policy, standards and culture
• Impact of control on business processes
• Control reliability
Cost Benefit Analysis of Controls
Cost-benefit analysis must consider the cost of the control throughout the full life cycle of the control or countermeasure, including:
• Acquisition / purchase costs
• Deployment and implementation costs
• Recurring maintenance costs
• Testing and assessment costs
• Compliance monitoring and enforcement
• Inconvenience to users
• Reduced throughput of controlled processes
• Training in new procedures or technologies as applicable
• End-of-life decommissioning
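The life-cycle cost categories just listed, turned into the cost-benefit test the ALE slide states (the cost of a control should not exceed the benefit it realizes). This is an added example written for this page, not code from the ISACA courseware. It spreads one-off costs evenly over the control's expected life, which is a simplification assumed here; all cost figures, the before/after exposure factors and the control names are constructed.

```python
"""Life-cycle cost-benefit check for a proposed control.

Added example, not from the ISACA courseware. One-off costs (acquisition,
deployment, training, decommissioning) are spread evenly over the control's
life and added to the yearly costs (maintenance, testing, compliance
monitoring, user inconvenience, reduced throughput); the result is compared
with the ALE reduction the control delivers. All figures are constructed.
"""
from dataclasses import dataclass


@dataclass
class ControlCosts:
    life_years: int
    # One-off costs over the life of the control.
    acquisition: float = 0.0
    deployment: float = 0.0
    training: float = 0.0
    decommissioning: float = 0.0
    # Recurring costs per year.
    maintenance: float = 0.0
    testing: float = 0.0
    compliance_monitoring: float = 0.0
    user_inconvenience: float = 0.0     # e.g. lost productivity, valued in money
    reduced_throughput: float = 0.0

    def one_off(self) -> float:
        return self.acquisition + self.deployment + self.training + self.decommissioning

    def recurring(self) -> float:
        return (self.maintenance + self.testing + self.compliance_monitoring
                + self.user_inconvenience + self.reduced_throughput)

    def annualized(self) -> float:
        """Even spread of one-off costs over the life, plus the yearly costs."""
        if self.life_years <= 0:
            raise ValueError("a control must have a positive expected life")
        return self.one_off() / self.life_years + self.recurring()


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE = (Asset Value x Exposure Factor) x ARO, as defined on the slides."""
    return asset_value * exposure_factor * aro


def evaluate_control(ale_before: float, ale_after: float, costs: ControlCosts) -> dict:
    """Annual benefit is the ALE reduction; the control is justified only when
    that benefit is at least its annualized life-cycle cost."""
    benefit = ale_before - ale_after
    cost = costs.annualized()
    return {"annual_benefit": benefit, "annual_cost": cost,
            "net": benefit - cost, "justified": benefit >= cost}


# Constructed scenario: ransomware on a file server before and after adding
# offline backups plus endpoint protection (lower exposure factor, same ARO).
ALE_BEFORE = ale(500_000, 0.50, 0.5)
ALE_AFTER = ale(500_000, 0.125, 0.5)

MODEST_CONTROL = ControlCosts(life_years=3, acquisition=60_000, deployment=15_000,
                              training=6_000, decommissioning=3_000, maintenance=12_000,
                              testing=4_000, compliance_monitoring=3_000,
                              user_inconvenience=5_000, reduced_throughput=2_000)

# Same risk reduction, but a far more expensive product: fails the test.
GOLD_PLATED_CONTROL = ControlCosts(life_years=3, acquisition=300_000, deployment=15_000,
                                   training=6_000, decommissioning=3_000, maintenance=12_000,
                                   testing=4_000, compliance_monitoring=3_000,
                                   user_inconvenience=5_000, reduced_throughput=2_000)

if __name__ == "__main__":
    for name, ctl in (("modest", MODEST_CONTROL), ("gold-plated", GOLD_PLATED_CONTROL)):
        r = evaluate_control(ALE_BEFORE, ALE_AFTER, ctl)
        print(f"{name}: benefit {r['annual_benefit']:,.0f} vs cost {r['annual_cost']:,.0f} "
              f"-> {'justified' if r['justified'] else 'not justified'}")
```

The two controls deliver the same ALE reduction, so only the cost side differs; that is why the slides insist on the full life-cycle cost rather than the purchase price alone.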
Risk Mitigation Schematic
Diagram of the relationships: owners value assets and wish to minimize the risk to them, so owners impose countermeasures to reduce that risk; threat agents give rise to threats that increase the risk to assets, which the threat agents wish to abuse and/or may damage.
Control Types and Categories
Controls may be:
• Managerial
• Technical
• Physical
Controls may also be:
• Directive
• Deterrent
• Preventative
• Detective
• Recovery
• Corrective
• Compensating

Security Control Baselines
Creating baselines of control can assist in developing a consistent security infrastructure
Principles for developing baselines include
• Assess the level of security that is appropriate for the organization
• Mandate a configuration for all systems and components attached to the organization’s network
Ongoing Risk Assessment and Building Risk Management into the Organization

Ongoing Risk Assessment
Monitor controls to ensure that they are working effectively
• Implemented as designed
• Operating properly
• Producing the desired outcome (mitigating the risk they were installed to address)
Measuring Control Effectiveness
Determine metrics to measure control effectiveness
• Do regular monitoring and reporting
Aggregate data from several control points
• Security Event Incident Monitoring (SEIM)
Measure control effectiveness in comparison to business goals and objectives
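How data from several control points can be aggregated into control-effectiveness metrics and compared with targets, as the two slides above describe. This is an added example written for this page, not code from the ISACA courseware or from any SIEM product. The three log feeds (patch management, endpoint anti-malware, perimeter firewall), their key=value format, the hostnames, the target values standing in for business objectives, and the deliberately absent "ids" feed are all constructed assumptions of the example.

```python
"""Control-effectiveness metrics from events aggregated across control points.

Added example, not from the ISACA courseware. Constructed log lines from
three control points are parsed, a per-control metric is computed, and each
metric is compared with a target. A control expected to report but absent
from the feed is flagged, since it cannot be shown to be operating.
"""
import re
from collections import defaultdict

# Constructed log lines: "<date> <control> key=value ...". The "ids" control is
# intentionally missing to show how a silent control point is reported.
SAMPLE_EVENTS = """\
2015-04-13 patch host=srv01 status=compliant
2015-04-13 patch host=srv02 status=compliant
2015-04-13 patch host=srv03 status=missing
2015-04-13 patch host=ws101 status=compliant
2015-04-13 av host=ws101 action=detected result=quarantined
2015-04-13 av host=ws102 action=detected result=failed
2015-04-14 av host=ws103 action=detected result=quarantined
2015-04-14 av host=ws104 action=detected result=quarantined
2015-04-14 fw action=deny src=203.0.113.9
2015-04-14 fw action=deny src=198.51.100.7
2015-04-14 fw action=allow src=192.0.2.4
"""

LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")

# Target values standing in for business objectives (constructed).
TARGETS = {"patch": 0.95, "av": 0.90}
EXPECTED_CONTROLS = ("patch", "av", "fw", "ids")


def parse_events(text):
    """Turn each line into (date, control, {field: value}); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        date, control, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append((date, control, fields))
    return events


def control_metrics(events):
    """One effectiveness metric per control point that actually reported."""
    by_control = defaultdict(list)
    for _date, control, fields in events:
        by_control[control].append(fields)
    metrics = {}
    patch = by_control.get("patch", [])
    if patch:   # fraction of hosts at the mandated patch level
        metrics["patch"] = sum(f.get("status") == "compliant" for f in patch) / len(patch)
    detections = [f for f in by_control.get("av", []) if f.get("action") == "detected"]
    if detections:   # fraction of detections the control actually contained
        metrics["av"] = sum(f.get("result") == "quarantined" for f in detections) / len(detections)
    fw = by_control.get("fw", [])
    if fw:   # volume metric only: count of denied connections
        metrics["fw"] = sum(f.get("action") == "deny" for f in fw)
    return metrics


def assess_controls(events):
    """Compare each expected control with its target; return (metrics, report)."""
    metrics = control_metrics(events)
    report = {}
    for control in EXPECTED_CONTROLS:
        if control not in metrics:
            report[control] = "not reporting"
        elif control in TARGETS:
            report[control] = "meets target" if metrics[control] >= TARGETS[control] else "below target"
        else:
            report[control] = "reporting"
    return metrics, report


if __name__ == "__main__":
    metrics, report = assess_controls(parse_events(SAMPLE_EVENTS))
    for control in EXPECTED_CONTROLS:
        print(f"{control:<6} metric={metrics.get(control)!s:<6} {report[control]}")
```

The "not reporting" state matters as much as the numeric metrics: a control that produces no events cannot be shown to be implemented, operating, or producing its intended outcome, which are the three conditions the Ongoing Risk Assessment slide sets.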
Building Risk Management In (Agenda)
Risk management should be built in to business processes
• Change control
• Systems development life cycle (SDLC)
• Ongoing monitoring and analysis
• Audit
• Business process re-engineering
• Project management
• Employment
• Procurement
Risk Related to Change Control
• Uncontrolled / unauthorized changes
• Changes implemented incorrectly
  • Backup
  • Rollback
• Changes that bypass / overwrite controls
• Interruption to service

Controlling Risk in Change Control
• Oversight / steering committee
• Formal change control process
  • Documentation of changes
  • Approvals
  • Testing
• Review of all proposed / implemented changes for impact on security controls
Risk Management During SDLC
Integrate risk management throughout the SDLC
• Review risk levels as the system is designed, developed, tested and implemented
• Test the implemented security controls
• Ensure the ability to log and monitor events is built into all systems
Review all new systems for correct operation of controls and associated risk levels

Ongoing Risk Management Monitoring and Analysis
Do risk assessment annually
• More frequently in the event of:
  • Organizational changes
  • Regulation
  • Incidents
Monitor controls frequently and report to management
• Standardized reporting (format)
• Trend analysis
Audit and Risk Management
Audit validates that risk is being managed correctly
• Compared with the culture of the organization
• Policy
• Regulation
• Best practices
Validate that risk is within acceptable levels
• Risk appetite
Threat and vulnerability analysis was done correctly
Controls are working correctly
• Mitigating risk effectively
• Validate compliance with controls
Reporting and recommendations
Risk in Business Process Re-Engineering
• Review all major systems and business process changes for impact on risk levels
• Ensure that the ability to monitor controls is built into business processes
  • Enable reporting and compliance
• Regular reporting to management on status of changes
  • Ensure that changes do not bypass controls
  • Separation of duties, least privilege

Risk in Project Management
• Risk of “scope creep”
• Risk of project overrun
  • Budget
  • Time
• Failure to deliver expected results
• Vendor compliance with requirements
Risk During Employment Process
Hiring procedures
• Correct skills and experience
• Background checks
  • Criminal
  • Financial
  • References from former employers / associates

New Employee Initiation
Require signing of
• Non-disclosure agreements (NDA)
• Non-compete agreements
• Ethics statement
Review security policy
• Awareness training
Risk During Employment
Access creep – adding more and more access
• Violation of least privilege / need to know
Enforce compliance with controls
Regular awareness sessions

Risk at Termination of Employment
Need to remove all access
Recover all organizational assets
• ID cards
• Laptops
• Remote access tokens
• Blackberry / cellphone
• Documents
Review NDAs
Risks During Procurement
Need to purchase the ‘right’ equipment at the right price
• Improper buying practices
  • Influence
  • Kickbacks
  • Piracy / imitations
• Inappropriate relations / selection of vendors
• Equipment not delivered according to specifications / contract terms
• Equipment not configured / installed properly
• Vendor not providing contracted maintenance according to maintenance agreements
• Maintain correct patch levels
Reporting to Management
Regular reporting
• Standard format
• Scheduled basis
Consistent metrics to allow comparison of results over time
Reporting on an exceptional basis
• Following an event

Documentation
Typical risk management documentation includes:
• A risk register
• An inventory of information assets
• Threat and vulnerability analysis
• Control effectiveness report
• Initial risk rating
• Risk report – consequences and likelihood of compromise
• A risk mitigation and action plan
Training and Awareness
The most effective control to mitigate risk is training of all personnel
• Awareness
• Training
• Education
Educate on policies, standards, practices
Creates accountability

Training and Awareness
End users should receive training on
• The importance of adhering to information security policies, standards and procedures
• Clean desk policy
• Responding to incidents and emergencies
• Privacy and confidentiality requirements
• The security implications of logical access in an IT environment

Training for End Users
Practical training topics
• Clean desk policy
• Responding to incidents and emergencies
• Privacy and confidentiality requirements
• Handling sensitive data and intellectual property
• The security requirements for access to IT systems

Practice Question
The PRIMARY purpose of a risk management program is
a) To eliminate risk
b) To reduce all risks to a minimal level of impact
c) To satisfy regulatory requirements
d) To ensure risk levels are acceptable to senior management

Practice Question 2
The formula SLE x ARO relates to
a) Annualized Loss Expectancy (ALE)
b) Risk acceptance levels
c) The frequency of attacks
d) Calculation of the impact of a threat
2015 CISM Review Course
Chapter 3 Information Security Program Development and Management

Course Flow
Diagram linking the four chapters – Chapter One Information Security Governance, Chapter Two Information Risk Management, Chapter Three Develop and Manage a Security Program, Chapter Four Information Security Incident Management – by the relationships “Influenced by”, “Directs changes to”, “Directs development of” and “Enforced by”.

Course Agenda
• Learning objectives
• Security Program Development Objectives
• Role of the Information Security Manager
• Information Security Program Development
• Elements of a Security Program
• Information Security Concepts
• Technology and Tools, Security Models
• Integrating Security into the Business
Exam Relevance
Ensure that the CISM candidate… understands how to manage the information security program in alignment with the information security strategy.
The content area in this chapter will represent approximately 25% of the CISM examination (approximately 50 questions).

Chapter 3 Learning Objectives
• Develop and maintain plans to implement an information security program that is aligned with the information security strategy
• Ensure alignment between the information security program and other business functions
• Identify internal and external resources required to execute the information security program
• Ensure the development of information security architectures
• Ensure the development, communication and maintenance of standards, procedures and other documentation that support information security policies
• Design and develop a program for information security awareness, training and education
• Integrate information security requirements into contracts and third party agreements

Definition
Information security program management includes:
• Directing
• Overseeing
• Monitoring
information-security-related activities in support of organizational objectives.
Security Strategy and Program Relationship
The security strategy is the long term plan of creating a security structure that will support the business goals of the organization
The security program outlines the steps necessary to implement the security strategy
The security program should be defined in business terms

Information Security Management
Information security management is primarily concerned with
• Ongoing, day-to-day operations of a security department
• Budget for security
• Planning
• Business case development for security projects
• Staff development and training

Importance of Security Management
Achieving adequate levels of information security means:
• Implementing cost effective security solutions
• Supporting business operations
• Strategic planning and alignment between security and the business
• Compliance and reporting

Definition
Information security program development is the integrated set of:
• Activities
• Projects
• Initiatives
to implement the information security strategy
Effective Security Management
Effective security management must demonstrate value to the organization
• Compliance with policies and procedures
• Cost effective
• Improved audit results
• Business process assurance

Reasons for Security Program Failure
• Poorly understood requirements
  • Lack of understanding about what is important and why
• Lack of funding or resources
• Lack of will to make security a priority
• Too much technical focus

Security Program Development Objectives

Program Objectives
Implement the objectives of the security strategy
• Managerial controls
• Technical controls
• Physical controls
Security Program Development
The elements essential to ensure successful security program design and implementation:
• A well defined and clear information security strategy
• Cooperation and support from management and stakeholders
• Effective metrics to measure program effectiveness
A well-executed security program will:
• Support governance of information security
• Convert security initiatives into practical real-world implementations
• Provide proof that security implementations are meeting business and security needs
• Be flexible enough to adapt to changes in security / business requirements

Outcomes of Information Security Program Development
As seen in Chapter One, objectives for information security governance include:
• Strategic alignment
• Risk management
• Value delivery
• Resource management
• Assurance process integration
• Performance measurement

Governance of the Security Program
Acceptance and support for the strategy and the objectives of the security program is the responsibility of executive management
Everyone is responsible for compliance with security requirements
Role of the Information Security Manager

Role of the Information Security Manager (Agenda)
• Strategy
• Policy
• Compliance
• Prevention
• Monitoring
• Detection
• Correction
• Awareness
• Implementation
Strategy
The first step to development of an information security program (as seen in chapter one) is to align the security strategy with the objectives of the business
• Governance
• Resources
• Reporting
• Compliance
• Regulations

Policy
Policy provides:
• Authority
• Direction
Policy requires:
• Background
• Scope
• Applicability

Creating Effective Policy
• Ownership
• Up to date
• Exceptions
• Enforceable / legal
• Non-technical
• Reflects culture and mission of the organization

Awareness
People are the most important element of a security program, therefore they must:
• Understand their roles
• Be capable of performing their roles
• Be provided adequate training
• Be accountable for results
Implementation
Converts strategy to practical tools and techniques
• Controls
• Safeguards
• Countermeasures

Monitoring
Review of security controls, countermeasures, safeguards
Continuous or periodic testing
Frequency is dependent on
• Laws
• Business changes
• Culture

Compliance
Compliance ensures that business processes and security measures meet the requirements of corporate policy, local regulations, industry-based standards and best practices.
Compliance requires proof (not just theory)
• Testing, logging
• Reporting

Information Security Program Development
Developing an Information Security Road Map
The CISM must consider the security program from the perspective of:
• Data
• Applications
• Systems
• Facilities
• Processes

Defining Security Program Objectives
Whether or not there is an existing information security program, there are some basic program components:
• Understanding management’s security objectives
• Develop key goal indicators (KGIs) that reflect and measure business priorities
• Ways to measure whether the program is heading in the right direction

Inventory of Information Systems
Document all aspects of the information systems, including:
• System categorization
• System description including system boundaries
• Network diagram and data flows
• Software and hardware inventory
• Users and system owners
• Business risk assessment
• System risk assessment
• Contingency plan
• System security plan

Challenges in Developing an Information Security Program
The process of setting a program in place and measuring its results requires a great deal of cooperation among everyone in the organization who handles data
Information security program development is not usually hampered by the technology choices available, but rather by people, process and policy issues that conflict with program objectives and see security as a hindrance to business operations
The challenges faced by the CISM while developing a security program may include:
• Organizational resistance due to:
  • Changes in areas of responsibility
  • A perception that increased security will impact productivity and access
  • Unfair monitoring / restrictions
• Lack of adequate budget, personnel, skills or support
• Unanticipated problems with existing controls, systems or ongoing projects
Elements of a Security Program Road Map
A vital element of the information security program is a roles and responsibilities matrix (RACI – Responsible, Accountable, Consulted, Informed)

                       CEO    CISO    CIO    VP – HR
Policy Development      I      R       A       C
Business Continuity     I      C       R       I
Incident Management     I      A       R       C
Elements of a Security Program Road Map
An understanding of the general risk appetite of an organization and a review to discover any gaps or determine whether the information security program is operating at acceptable levels
Chart: “Potential Loss due to Equipment Failure” – vertical axis Risk, scaled from 0 to 75,000 in steps of 25,000, comparing the Current Risk Level with the Acceptable Risk Level.
Elements of a Security Program Road Map
Ability to link the security program with business objectives and demonstrate justification for the evolution from a security concept towards a security architecture and finally into the selection and implementation of security tools and technologies
Layers, from top to bottom: Security Context – Security Concept – Logical Architecture – Physical Architecture – Component
Security Programs and Projects
The overall security program will almost always consist of a series of individual projects designed to meet security objectives
Security Program, for example:
• Policy Creation Project
• Firewall Implementation Project
• Awareness Sessions

Security Program and Project Development
A gap analysis will identify a series of projects required to implement the information security program
• Each project should have time, budget, milestones, deliverables and measurable results
• Each project should be clearly defined and integrate with other projects and departments
  • HR, Finance, Physical security
Security Program and Project Development cont.
Security projects should be prioritized so that:
• Most important projects are given priority
• Projects do not overlap or cause a delay for other projects
• Resources are appropriately allocated
• Results are documented and reported to management

Security Project Planning
Determine project needs
• Oversight / timelines
• Equipment
• Personnel (skills)
  • Outsourcing or contract staff
• Infrastructure
  • Networks, databases, facilities, etc.
Selection of Controls
Controls are
• Technical
• Managerial
• Physical
tools designed to provide reasonable assurance that:
• Business objectives will be achieved
• Undesirable events will be prevented, or detected and corrected

Common Control Practices
Common control practices include:
• Logical access control
• Principle of least privilege / need to know
• Compartmentalization to minimize damage
  • Domains
• Segregation of duties
• Transparency

Elements of a Security Program

Security Program Elements (Agenda)
• Policies
• Standards
• Procedures
• Guidelines
• Technologies
• Personnel security
• Organizational structure
• Outsourced security providers
• Facilities
• Environmental security
Policies
Provide authority and direction for the security program from management
• High level versus functional policies
• Are ‘interpreted’ by standards, procedures, baselines
What are the characteristics of effective policies? What makes a policy effective?

Acceptable Use Policy
An acceptable use policy
− Should provide a user-friendly summary of what should and should not be done to comply with policy
− Must detail in everyday terms the obligations of all users
− Must be communicated to all users
− Must be read and understood by all users
− Should be provided to new personnel
Acceptable Use Policy cont.
Rules of use for all personnel include the policies and standards for
− Access control
− Classification of data
− Marking and handling of documents
− Reporting requirements and disclosure constraints
− Rules regarding email and Internet use

Standards
Standards ensure that systems are configured and operated in a similar manner
Compliance with standards should be automated
• Ensure that system configurations do not (intentionally or unintentionally) deviate from policy compliance
Standards are used to implement policy
Deviations from a standard must have formal approval
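One way to automate compliance checking against a standard, as the Standards slide calls for, and to enforce the rule that deviations need formal approval; it also illustrates the mandated configuration the Security Control Baselines slide in Chapter 2 describes. This is an added example written for this page, not code from the ISACA courseware. The baseline settings and values, the hostnames, the fleet snapshot, the change-ticket identifiers and the expiry dates are all constructed placeholders.

```python
"""Checking system configurations against a security baseline.

Added example, not from the ISACA courseware. The baseline is the mandated
configuration for every system attached to the network; each host's actual
settings are compared with it, every deviation is reported, and a deviation
counts as acceptable only when a formally approved, unexpired exception exists
for that exact host, setting and value. All names and values are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Mandated configuration (constructed). Values are strings, as a configuration
# collector would typically report them.
BASELINE = {
    "ssh.password_auth": "no",
    "firewall.enabled": "yes",
    "audit.logging": "yes",
    "password.min_length": "12",
    "auto_updates": "yes",
}


@dataclass(frozen=True)
class ApprovedDeviation:
    """A formally approved exception, tied to a ticket and an expiry date."""
    host: str
    setting: str
    value: str
    ticket: str
    expires: date


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    required: str
    actual: Optional[str]
    status: str   # "non-compliant" or "approved deviation"


def check_host(host, config, approvals, today, baseline=BASELINE):
    """Compare one host's configuration with the baseline.

    Returns one Finding per setting that does not match. A missing setting is
    reported with actual=None; approvals name a concrete value, so an absent
    setting can never be an approved deviation.
    """
    valid = {(a.host, a.setting, a.value) for a in approvals if a.expires >= today}
    findings = []
    for setting, required in baseline.items():
        actual = config.get(setting)
        if actual == required:
            continue
        approved = actual is not None and (host, setting, actual) in valid
        findings.append(Finding(host, setting, required, actual,
                                "approved deviation" if approved else "non-compliant"))
    return findings


def compliance_summary(fleet, approvals, today, baseline=BASELINE):
    """Map each host to its sorted list of non-compliant settings."""
    summary = {}
    for host, config in fleet.items():
        findings = check_host(host, config, approvals, today, baseline)
        summary[host] = sorted(f.setting for f in findings if f.status == "non-compliant")
    return summary


# Constructed fleet snapshot: srv01 is clean, srv02 lacks audit logging and
# keeps password auth, ws01 has a short minimum password and no auto-updates.
SAMPLE_FLEET = {
    "srv01": {"ssh.password_auth": "no", "firewall.enabled": "yes", "audit.logging": "yes",
              "password.min_length": "12", "auto_updates": "yes"},
    "srv02": {"ssh.password_auth": "yes", "firewall.enabled": "yes",
              "password.min_length": "12", "auto_updates": "yes"},
    "ws01":  {"ssh.password_auth": "no", "firewall.enabled": "yes", "audit.logging": "yes",
              "password.min_length": "8", "auto_updates": "no"},
}

# Constructed approvals (ticket ids are placeholders): srv02's password auth is
# approved until year end; ws01's auto-updates exception has already expired.
SAMPLE_APPROVALS = [
    ApprovedDeviation("srv02", "ssh.password_auth", "yes", "CHG-PLACEHOLDER-1", date(2015, 12, 31)),
    ApprovedDeviation("ws01", "auto_updates", "no", "CHG-PLACEHOLDER-2", date(2015, 3, 31)),
]

if __name__ == "__main__":
    for host, bad in compliance_summary(SAMPLE_FLEET, SAMPLE_APPROVALS, date(2015, 4, 17)).items():
        print(host, "compliant" if not bad else "non-compliant: " + ", ".join(bad))
```

Passing the evaluation date in explicitly keeps the check reproducible for audit: the same snapshot and approval register always yield the same findings, and an exception that has lapsed is reported as non-compliant rather than silently tolerated.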
Procedures
Procedures provide a defined, step-by-step method of completing a task
• e.g., new user registration / user ID creation; incident management
• Allow actual activity to be reviewed for compliance with the required procedures
• Help ensure consistency of operations

Guidelines
Provide recommendations for better security practices:
• Password creation, use of social media
• Are only recommendations, not mandatory
Technology
One of the most important elements of a security program
• Without the right tools, an effective security program is not feasible
• Many tools available

Personnel Security
Protect staff from being harmed
• Duress alarms, cameras
Having the right people:
• Skills / education required
• Awareness
• Management and oversight
  • Disciplinary action when required
• Separation of duties
Training and Skills Matrix
Determine the level of training needed by staff according to job responsibilities
• Develop training matrix
• Perform gap analysis

             Manager      Administrator   User
Level III    CISM         CCSP            SEC+
Level II     SEC+         GSEC            Awareness
Level I      Awareness    SEC+            Awareness

Organizational Structure
Who should security report to?
• Normal reporting
• Incident reports
• Adequate:
  • Budget
  • Authority
  • Scope
Outsourced Security Providers
Outsourcing security and monitoring may have many benefits
• Provide necessary expertise
• Monitor all corporate systems
  • Correlate activity from several systems
  • Centralized reporting

Third-party Service Providers
When using a third party:
• Ensure data are stored and secured adequately in the service provider environment
  • Define data destruction and data sanitization processes
• Create channels of communication and liaison with the outsourced firm
• Maintain accountability in the service provider organization for policy enforcement
• Remember that prime liability for data protection is with the organization, not with the outsourced firm

Facilities
Secure operational areas
• Server rooms
• Equipment rooms
• Administrator, developer and operator work areas
Consider factors such as:
• Age of building (fire codes)
• Shared facility with other companies

Facilities Security
Physical controls may include:
• Smart cards or access controls based on biometrics
• Security cameras
• Security guards
• Fences
• Lighting
• Locks
• Sensors
Environmental Security
• Heating, ventilation and humidity controls
• Reliable power supplies

Information Security Concepts
Information Security Concepts (Agenda)
Topics already covered:
• Confidentiality
• Integrity
• Availability
• Countermeasures
• Architecture
• Controls
• Business impact analysis (BIA)
• Governance
• Data classification
• Risk Management
  • Threats
  • Vulnerabilities
  • Attacks
  • Exposure
• Layered Defense

Information Security Concepts (Agenda)
• Access Control
  • Identification
  • Authentication
  • Authorization
  • Accounting / Auditability
• Criticality
• Sensitivity
• Trust Models

Access Control
Controlling who and what has access to the facilities, systems, people and data of the organization:
• Ensuring the right people have the right level of access
• Preventing inappropriate use, modification or destruction of organizational resources
• Tracking all activity to the responsible entity

Identification
Access control starts with knowing who or what is accessing our systems, data, facilities or other resources. Identifiers should be:
• Unique (traceable to the correct person/process)
• Removed when no longer required
e.g., user IDs, customer account numbers, fingerprints

Authentication
Validating the claimed identity: is the person requesting access really who they say they are?
• Knowledge (password)
• Ownership (token, smart card, badge)
• Characteristic (biometrics)

Authorization
Granting the authenticated user the correct level of permissions needed:
• Read
• Write
• Execute
• Create
• Delete

Accounting / Auditability
Logging, monitoring and tracking of activity; the ability to associate activity with a specific user
Audit log:
• Protection
• Review
• Analysis

Criticality
How much is the ability of the organization to deliver its products and services dependent on:
• Information
• Information systems
What would the extent of the impact on the business be (quantitatively and qualitatively) if they were not available? This is a measure of the criticality of the resource.

Sensitivity
How much is the organization dependent on the accuracy or confidentiality requirements for:
• Information
• Information systems
This is a measure of the sensitivity of the resource.

Trust Models
• Multi-level security
  • Users have different levels of trust (access)
• Domains of trust
  • Departmentalization/compartmentalization
• Security perimeters
• Trusted links between systems

Technologies and Tools
Security Components and Models

Technology-based Security
Technology-based controls:
• Many technologies are available
  • Are used to implement controls
  • Have controls built into their implementation
  • Must be enabled
  • Must be monitored / updated

Technologies
There are numerous technologies relevant to security that the CISM should be familiar with, including:
• Firewalls
• Routers and switches
• IDS, NIDS, HIDS
• Cryptographic techniques (PKI, DES)
• Digital signatures
• Smart cards

Security in Technical Components
Native control technologies
• Security features built in to equipment and applications
  • Access control on switches, routers
  • Error handling in applications
• Many products feature ‘out-of-the-box’ security features that can be configured to protect business information systems
• Generally configured and operated by IT

Security in Technical Components cont.
Supplemental control technologies
• Security control devices added to an information system
  • IDS (Intrusion Detection Systems), firewalls, PKI (Public Key Infrastructure)
• Operate as a form of layered defense

Security in Technical Components cont.
Management support technologies
• Provide support for management to monitor systems and controls
• Examples include security information and event management (SIEM) tools, compliance monitoring scanners and security event analysis systems
• Are often used by the information security group independently of information technology

Security in Technical Components cont.
The effectiveness of the security technologies must be evaluated:
• Use clear, repeatable metrics
• Evaluate:
  • Control placement
  • Control effectiveness
  • Control efficiency
  • Control policy
  • Control implementation

Operations Security
Operational security:
• Monitoring of systems
• Maintenance of systems
• Procedures
• Change control
• Backups
• User access management
• Patch management
• Usually performed by IT administrators

Technologies – Access Control Lists
Access control lists (ACLs):
• Designate levels of access accorded to users and processes
• Based on either the rights of the users or the protection levels accorded to the protected resource

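Added example (not part of the course material) putting the access-control slides above into code: identification by unique ID, authentication with an ownership factor (a token), authorization through an ACL that works in either of the two modes this slide names (rights of the user, or the protection level of the resource as in the multi-level trust model slide), and accounting of every decision in an audit log. All users, tokens, resources, level names and ACL entries are constructed sample data.

```python
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Ordered protection levels for the "protection level of the resource" mode
# (constructed sample names, not a standard scheme).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
PERMISSIONS = {"read", "write", "execute", "create", "delete"}


@dataclass
class Subject:
    user_id: str    # identification: unique, traceable to one person/process
    token: str      # authentication: ownership factor (token/smart card code)
    clearance: str  # trust level of the subject, one of LEVELS


@dataclass
class Resource:
    name: str
    classification: str                         # protection level, one of LEVELS
    rights: dict = field(default_factory=dict)  # user_id -> set of permissions


@dataclass
class AccessControl:
    subjects: dict
    resources: dict
    mode: str = "rights"  # "rights" (per-user ACL) or "levels" (protection level)
    audit_log: list = field(default_factory=list)

    def _decide(self, user_id, resource, perm, granted, reason):
        # Accounting / auditability: every decision, granted or denied,
        # is recorded against the identity that requested it.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user_id, "resource": resource, "permission": perm,
            "decision": "grant" if granted else "deny", "reason": reason})
        return granted

    def authenticate(self, user_id, presented_token):
        subject = self.subjects.get(user_id)
        if subject is None:
            return False
        # Constant-time comparison so the check does not leak, via timing,
        # how many leading characters of the token matched.
        return hmac.compare_digest(subject.token, presented_token)

    def deprovision(self, user_id):
        # Identifiers are removed when no longer required; any later use of
        # the ID fails authentication and is still written to the audit log.
        self.subjects.pop(user_id, None)
        for res in self.resources.values():
            res.rights.pop(user_id, None)

    def check(self, user_id, presented_token, resource_name, perm):
        if perm not in PERMISSIONS:
            raise ValueError(f"unknown permission {perm!r}")
        if not self.authenticate(user_id, presented_token):
            return self._decide(user_id, resource_name, perm, False,
                                "authentication failed")
        resource = self.resources.get(resource_name)
        if resource is None:
            return self._decide(user_id, resource_name, perm, False,
                                "unknown resource")
        if self.mode == "levels" and perm == "read":
            # ACL based on the protection level of the resource: reading is
            # allowed when the subject's clearance dominates the classification
            # (simplified multi-level rule; other permissions need an explicit right).
            clearance = LEVELS[self.subjects[user_id].clearance]
            granted = clearance >= LEVELS[resource.classification]
            return self._decide(user_id, resource_name, perm, granted,
                                "clearance dominates classification"
                                if granted else "clearance below classification")
        # ACL based on the rights accorded to the user.
        granted = perm in resource.rights.get(user_id, set())
        return self._decide(user_id, resource_name, perm, granted,
                            "explicit right in ACL" if granted else "no right in ACL")


def build_demo(mode="rights"):
    """Constructed sample subjects and resources for the demonstration."""
    subjects = {
        "alice": Subject("alice", "tok-alice-1", "confidential"),
        "bob": Subject("bob", "tok-bob-1", "internal"),
    }
    resources = {
        "payroll.db": Resource("payroll.db", "confidential",
                               {"alice": {"read", "write"}}),
        "intranet.html": Resource("intranet.html", "internal",
                                  {"bob": {"read"}}),
    }
    return AccessControl(subjects, resources, mode)
```

Running `build_demo().check("bob", "wrong-token", "intranet.html", "read")` returns False and leaves a denial with reason "authentication failed" in `audit_log`, which is the record a later investigation relies on.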
Filtering and Content Management
Data Loss Prevention (DLP)
• Scans documents, emails, etc. for sensitive data
• Will block unauthorized transmission of data
Web Filtering
• Scans web, email and IM traffic for inappropriate content
• Blocks mobile code, inappropriate links, cookies, etc.

Technologies - SPAM
Email filtering to weed out unsolicited email
• May contain malicious code
• Causes network and storage congestion
• Disable links and potentially malicious attachments

Technologies – Databases and DBMS
Databases
• Electronic storage of data
• May be accessed remotely
• Need stringent security controls: architecture, access, backup, journaling
Database Management System (DBMS)
• Manages the database (retrieves, updates, logs, organizes data)
• Ensures changes meet the defined rules

Encryption
Allows data to be stored, transmitted or displayed in a secure format, unreadable except to authorized personnel
• Changes the format/structure of the data
• Provides:
  • Confidentiality
  • Integrity
  • Authenticity
  • Access control
  • Non-repudiation

Technologies - Cryptography
Symmetric key algorithms
• Use the same key to encrypt and decrypt a message
• Fast and excellent for confidentiality

Technologies – Cryptography cont.
Asymmetric
• Use a mathematically related key pair
  • Private key (only known to the key owner)
  • Public key (can be distributed freely)
• Provide:
  • Confidentiality
  • Proof of origin / non-repudiation (digital signatures)
  • Integrity
  • Access control

Technologies – Encryption cont.
Protect data at various levels:
• Application layer encryption
  • PGP
• Session / transport layer encryption
  • SSH, SSL, TLS
• Network layer encryption
  • IPsec
• Link layer encryption

Technologies – Hashing Algorithms
Compute a fixed-length value from a message that can be used to verify message integrity
• Message has not been altered or changed
  • Either intentionally or accidentally
• Are used in digital signatures

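Added example (not from the course material) of what the slide describes: a fixed-length SHA-256 value detects both accidental corruption (one flipped bit) and deliberate alteration, and a keyed variant (HMAC) shows why a digital signature pairs the hash with a key. The message, the flipped bit and the key are constructed; HMAC stands in for a signature only because Python's standard library has no asymmetric signing, a real signature applies a private key to the same kind of hash.

```python
import hashlib
import hmac
import secrets


def digest(message: bytes) -> str:
    """Fixed-length (256-bit) value computed from a message of any length."""
    return hashlib.sha256(message).hexdigest()


def verify_integrity(message: bytes, expected: str) -> bool:
    """True if the message still hashes to the value stored alongside it."""
    return hmac.compare_digest(digest(message), expected)


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Number of bits that differ between two hex digests of equal length."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def flip_one_bit(message: bytes, bit_index: int) -> bytes:
    """Simulate accidental corruption in storage or transit: flip one bit."""
    data = bytearray(message)
    data[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(data)


def keyed_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 over the message: integrity plus evidence that whoever
    produced the tag held the key. A digital signature hashes the message the
    same way and then applies a private key instead of a shared secret."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_keyed(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, message), tag)


def demo() -> dict:
    # Constructed sample message, as might be stored together with its hash.
    original = b"Transfer 100.00 to account 12345"
    stored = digest(original)
    corrupted = flip_one_bit(original, 3)            # accidental change
    tampered = b"Transfer 900.00 to account 12345"   # intentional change
    key = secrets.token_bytes(32)                    # constructed shared key
    tag = keyed_tag(key, original)
    return {
        "original_ok": verify_integrity(original, stored),
        "corruption_detected": not verify_integrity(corrupted, stored),
        # A one-bit change flips roughly half of the 256 digest bits.
        "bits_changed": bit_difference(stored, digest(corrupted)),
        # An unkeyed hash cannot detect an attacker who rewrites the message
        # and recomputes the hash stored with it.
        "recomputed_hash_detected": not verify_integrity(tampered, digest(tampered)),
        # The keyed tag cannot be recomputed without the key, so it is detected.
        "keyed_tamper_detected": not verify_keyed(key, tampered, tag),
        "keyed_original_ok": verify_keyed(key, original, tag),
    }
```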
Technology – Communications: OSI Model
Open Systems Interconnection (OSI) model
• Seven-layer model for communications
• Layering
• Encapsulation
Layers (top to bottom):
• Application
• Presentation
• Session
• Transport
• Network
• Data Link
• Physical

Technology – Communications: TCP/IP
Transmission Control Protocol / Internet Protocol
• Four-layer model used for most communications today
• Robust
• Works on most platforms and vendor systems
Layers (top to bottom):
• Application
• Host to Host
• Internetworking
• Data Link / Physical

Technologies – Operating Systems
• Provide the interface between hardware and user applications
• Manage the use of system resources

Technology - Firewalls
Regulate traffic flows between networks
• Operate at various network layers:
  • Application proxies
  • Session layer proxies
  • Network layer
  • Packet filtering

Emerging Technologies
The CISM must be aware of emerging technologies and their impact on the information security program:
• Virtual environments
• Cloud computing
• Mobile computing
  • Apple and Android apps
• VoIP
• SCADA networks

Testing the Security Program

Intrusion Detection Policies and Processes
The ISM should understand and manage intrusion detection systems and procedures, ensuring that:
• Personnel who run and monitor intrusion detection systems have adequate training
• Intrusion detection software and hardware run continuously
• Intrusion detection software can be easily modified to adapt to changing environments
• Intrusion detection systems do not impose excessive overhead, especially excessive network overhead

Intrusion Detection Systems
An organization should ideally use two types of intrusion detection systems (IDSs):
• Host-based
• Network-based
Sensors should be suitably placed to provide adequate coverage of the network topology

IDS / IPS
Intrusion detection and prevention systems should:
• Identify and record any attempts to exploit a system by an attacker
• Adequately protect networks and systems from security breaches
• Be monitored and maintained daily
• Protect logs for use in future investigations

Password Cracking
Many tools available
• Software
• Hardware (keystroke loggers)
• Should be forbidden by policy except for extraordinary, authorized purposes
Attack types:
• Brute force attacks
• Dictionary attacks
• Rainbow tables
Restrict access to password files
• Store passwords as hashed values

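Added example (not from the course material) of the last two bullets from the defender's side: passwords stored as salted, iterated hashes rather than as plaintext or a bare hash, so that a stolen password file does not yield passwords directly and precomputed (rainbow) tables do not apply. The record format, iteration count and sample passwords are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this example: PBKDF2-HMAC-SHA256 with a per-user
# random salt. The iteration count is the work factor that slows brute-force
# and dictionary guessing; raise it over time as hardware gets faster.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def create_record(password: str, iterations: int = ITERATIONS) -> str:
    """Return the string to store instead of the password:
    algorithm$iterations$salt_hex$hash_hex (constructed format)."""
    salt = secrets.token_bytes(SALT_BYTES)
    derived = _derive(password, salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        expected = bytes.fromhex(hash_hex)
        derived = _derive(password, bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False          # a malformed record never authenticates
    return hmac.compare_digest(derived, expected)


def needs_rehash(record: str, current_iterations: int = ITERATIONS) -> bool:
    """True if the record was made with a weaker work factor than policy now
    requires; re-create it at the next successful login."""
    try:
        _, iterations, _, _ = record.split("$")
        return int(iterations) < current_iterations
    except ValueError:
        return True


def unsalted_digest(password: str) -> str:
    """The weak alternative: a bare hash. Equal passwords give equal values,
    which is exactly what a rainbow table precomputes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salting_defeats_precomputation(password: str) -> dict:
    """Compare the weak and the corrected storage for two users who chose the
    same password (a constructed scenario)."""
    weak_a, weak_b = unsalted_digest(password), unsalted_digest(password)
    strong_a, strong_b = create_record(password), create_record(password)
    return {
        "bare_hashes_identical": weak_a == weak_b,
        "salted_records_identical": strong_a == strong_b,
        "both_records_verify": verify_password(password, strong_a)
                               and verify_password(password, strong_b),
        "plaintext_in_record": password in strong_a,
    }
```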
Vulnerability Assessments
Discover potential weaknesses or gaps in the security controls:
• Open ports or services
• Lack of training
• Improper rule-base configurations
• Poor incident handling

Vulnerability Assessments cont.
A vulnerability assessment can include assessing:
• Network visibility and accessibility
• Information leakage
• Presence of unneeded software and/or utilities
• Unpatched equipment
• Application-level vulnerabilities (including databases)
• Weak security policies and standards

Vulnerability Assessments cont.
Assessment tools
• Scans
  • May indicate many false positives
  • Require analysis to determine the true level of vulnerability
• Testing: inline, integrated test facility
• Observation

Penetration Testing
Attempt to exploit a perceived vulnerability
• Usually more focused than a vulnerability scan
• Indicates whether the vulnerability does pose a serious risk of breach
  • Allows determination of potential impact
Can be done by external or internal testing teams
• Must have prior approval

Penetration Testing cont.
Risk of system failure / interruption
Areas to test:
• Web applications
• Firewalls / proxy devices
• Operating systems
• Applications and utilities
• Physical access

Third Party Security Reviews
Advantages
• Objective
  • Not influenced by the ‘that is how we have always done it around here’ excuse
• Expertise
  • May not be available in-house
Disadvantages
• Need non-disclosure agreements
• Cost

Integration of the Security Program into the Business

Integration into Life Cycle Processes
A security program must be integrated into the change management process for the organization
• Identify IT changes being initiated, funded and deployed
This provides the opportunity to:
• Identify vulnerabilities in new systems
• Identify new threats presented by systems
• Ensure that existing security controls will not be adversely affected by proposed or actual changes

Security in External Agreements
Ensure that security requirements are included in outsourcing agreements with:
• Suppliers
• Subcontractors
• Joint ventures
• Business partners
• Outsourced functions

Security in External Agreements
Include in all external agreements:
• Right to audit
• Service level agreements (SLAs)
  • Performance metrics
Due diligence
• Ensure systems and data are protected adequately (compliance)

Security Program Implementation
Rome was not built in a day, and neither will a security program be rolled out all at once
• May consist of many projects:
  • Network security
  • User security
  • Application security
  • Physical security
  • Systems security and backup

Phased Approach
The program should be phased in by:
• Region
• Department
• Product / service / business process
• Building
• Application
According to priorities, staff availability and regulation

Challenges During Implementation
• Unexpected discovery of unaccounted-for systems or processes
• Resistance from staff / management
• Time or budget
• Impact on business operations
• Availability of equipment
• Training requirements

Review and Audit of the Security Program

Evaluating the Security Program
The information security manager must evaluate the documented security objectives for the program:
• Are program goals aligned with governance objectives, if they exist?
• Are objectives measurable, realistic and associated with specific timelines?
• Do program objectives align with organizational goals, initiatives, compliance needs and operational?

Evaluating the Security Program cont.
The information security manager must evaluate the documented security objectives:
• Is there consensus on program objectives?
• Have metrics been implemented to measure program objective success and shortfalls?
• Are there regular management reviews of objectives and accomplishments?

Evaluating the Security Program cont.
Review of the security program may be:
• Automated
  • Minimizes low-value activity workload
• Manual
• Incremental reviews
• Continuous auditing techniques
• Conducted by external or internal parties

Measuring Information Security Risk and Loss
The following are possible approaches to periodically measuring the program’s success against risk management and loss prevention objectives:
• The technical vulnerability management approach
• The risk management approach
• The loss prevention approach

Measuring Effectiveness of Technical Security Program
• Ensure that equipment is configured according to required baselines
• Identify single points of failure
• Verify that controls are working correctly and mitigating risk effectively
• Ensure controls are being monitored as scheduled
• Ensure incident reports are generated and distributed

Measuring Effectiveness of Security Management
Methods of tracking the program’s success include:
• Tracking the frequency of issue recurrence
• The degree to which procedures are standardized
• Documented information security roles and responsibilities
• Information security requirements incorporated into every project plan
• Efforts and results in making the program more productive and cost-effective
• Overall security resource utilization

Security Project Management
Because there will never be adequate budget or staff, the CISM must prioritize security projects
• Approval of the steering committee
• Utilize external resources
• Recruitment of additional staff
Regular reporting on the status of ongoing security projects is necessary

Review of Security Compliance
A key role of the CISM is to review the levels of compliance with:
• Policies
• Procedures
• Standards
• Baselines
Deviations from the mandated levels of compliance may require a review of the policies, or indicate the need to strengthen the controls

Sample Questions

Practice Question 1.)
A security manager is most likely to be concerned with pending changes when:
A. Rollback procedures have not been documented
B. Users have not been notified of changes
C. System performance tests were not conducted
D. Program changes have not been documented

Practice Question 2.)
The MOST important element of a good information security policy is:
A. Being easy to read and understand.
B. Allowing for flexible interpretation.
C. Capturing the intent of management.
D. Defining secure operating procedures.

Practice Question 3.)
Which of the following would be the BEST approach when conducting a security awareness campaign?
A. Provide interesting technical details of past exploits.
B. Target high risk groups like system administrators and the help desk.
C. Provide customized messages for different groups.
D. Clearly describe acceptable use policies and procedures.

Practice Question 4.)
The MOST appropriate metric to measure how well information security is managing the administration of user access is the percent of user IDs:
A. That have been reviewed by management.
B. That have been created and deleted in the past year.
C. That have high level access to organizational systems.
D. With corresponding payroll records.

End of Domain Three

ISACA® Trust in, and value from, information systems
2015 CISM Review Course
Chapter 4: Information Security Incident Management

Exam Relevance
Ensure that the CISM candidate can plan, establish and manage the capability to detect, investigate, respond to and recover from information security incidents to minimize business impact.
The content area in this chapter will represent approximately 18% of the CISM examination (approximately 36 questions).

Chapter 4 Learning Objectives
Develop and implement processes for:
• Detecting
• Identifying
• Analyzing
• Responding
to information security incidents

Learning Objectives cont.
Incident management process
• Escalation and communication processes
• Lines of authority
• Plans to respond to, and document, information security incidents
• Capability, skills and procedures to investigate information security incidents
• Communicate with internal parties and external organizations

Learning Objectives cont.
• Test and refine information security incident response plans
• Manage incident response
• Conduct reviews of security incidents to determine root cause, develop corrective actions and reassess risk
• Integrate incident response plans with business continuity plans (BCP) and disaster recovery plans (DRP)

Definition
Incident
• Any event that has the potential to adversely impact the ability of the business to meet its objectives
Incident management
• The capability to effectively manage unexpected disruptive events
  • Minimize impacts
  • Maintain and restore normal business operations within defined time limits

Definition
Incident response
• The operational capability of incident management that identifies, prepares for and responds to incidents
• Provides forensic and investigative capabilities
• Restores normal operations as defined in service level agreements (SLAs)
• Manages the impact of unexpected disruptive events to acceptable levels

Definition
Incident management will ensure that incidents are detected, recorded and managed to limit impacts.

Goals of Incident Management and Response
The goals of incident management and response include:
• The ability to deal effectively with unanticipated events
• Detection and monitoring capabilities to alert staff to a potential incident
• Effective notification and reporting to management
• A response plan that is aligned with business priorities

Goals of Incident Response cont.
• The ability to learn from past incidents and prevent future problems
• Regular testing and validation of the effectiveness of the plan

What is an Incident - Intentional
• Malicious code
• Unauthorized access to IT systems, facilities, information
• Unauthorized use of resources
• Unauthorized changes to systems, networks
• Denial of service (DoS)
• Surveillance, espionage
• Social engineering
• Fraud

What is an Incident - Unintentional
• Equipment failure
• Utility failure (power)
• Software bugs
• Deletion of files
• Weather-related issues

History of Incidents
Past incidents provide valuable information on risk trends, threat types and business impact due to an incident
• Can be used to evaluate the existing plans
• Used as input to know the types of incidents that must be considered and planned for

Developing Response and Recovery Plans
Factors to consider when developing response and recovery plans include:
• Available resources
• Expected service levels
• Types, kinds and severity of threats faced by the organization

Preparing the Incident Response Plan

Incident Management and Response
The incident management and response structure should include:
• Incident response planning
• Business continuity planning
• Disaster recovery planning
  • Recovery of IT systems

Incident Management and Response cont.
Plans must be:
• Clearly documented
• Readily accessible
• Based on the long-range IT plan
• Consistent with the overall business continuity and security strategies

Incident Management and Response cont.
Incident response planning includes:
• Incident detection capabilities (ability to recognize an event: false positive vs. real event)
• Clearly defined severity criteria (catastrophic, major, minor)
• Assessment and triage capabilities (determine extent of incident)
• Declaration criteria (activation of response teams)

Importance of Incident Management and Response
Incident response is required since even minor incidents may:
• Affect business viability
• Develop into major incidents
• Require public communications plans
• Necessitate advising regulators, clients or other affected stakeholders
Even the best controls cannot prevent all incidents

Incident Response Functions
• Detection and reporting
  • Alerting, escalation
• Triage
  • Containment, recovery
• Analysis
  • Root cause, lessons learned
• Incident response team skills
  • Necessary training and experience

Incident Management Technologies
An effective incident management system should:
• Monitor and consolidate inputs from multiple systems
• Identify incidents or potential incidents
• Prioritize incidents based on business impact
• Provide status tracking and notifications
• Integrate with major IT management systems
• Follow good practice guidelines

Responsibilities of the CISM
• Developing the information security incident management and response plans
• Handling and coordinating information security incident response activities
• Validating, verifying and reporting on the effectiveness of protective controls and countermeasure solutions
• Planning, budgeting and program development for all matters related to information security incident management and response

Incident Response Manager Responsibilities
The responsibilities of the incident response manager include:
• Managing the incident so that the impact is contained and minimal damage occurs
• Notifying the appropriate people and escalating the incident to management when required
• Recovering quickly and efficiently from security incidents
• Balancing operational and security needs

Incident Response Manager Responsibilities cont.
The responsibilities of the incident response manager include:
• Responding systematically and decreasing the likelihood of cascading problems or incident recurrence
• Dealing with legal and law enforcement-related issues
• Ensuring that the incident response is documented
• Following up on lessons learned to enhance controls

Requirements for Incident Response Managers
• Have the leadership skills necessary to manage crisis teams
• Understand business priorities and culture
• Have the experience, knowledge and authority to invoke the disaster recovery processes necessary to maintain or recover operational status

Senior Management Involvement
Senior management provides strategic direction during the crisis
• Reporting of the incident is escalated to senior management
• Decisions and direction are passed down to the incident management teams

The Desired State
Incident management and response requires:
• Well-developed monitoring capabilities for key controls
• Personnel trained in assessing the situation, capable of providing triage and managing effective responses
• Managers that have made provisions to capture all relevant information and apply previously learned lessons

Strategic Alignment of Incident Response
Incident management must be aligned with the organization’s strategic plan
• Scope: what incidents are the responsibility of the incident response team
• Services: services should be clearly defined
• Organizational structure: reporting and oversight
• Resources: sufficient staffing and skills necessary for effective response
• Funding: sufficient funding as required to manage incident response
• Management buy-in: senior management buy-in is essential

Creating a Detailed Incident Response Plan

Detailed Plan of Action for Incident Management
The incident management action plan outlined in the CMU/SEI technical report titled Defining Incident Management Processes:
• Prepare/improve/sustain (prepare)
• Protect infrastructure (protect)
• Detect events (detect)
• Triage events (triage)
• Respond

Detailed Plan of Action for Incident Management - Prepare
Prepare/improve/sustain (prepare) phase:
• Coordinate planning and design:
  • Identify incident management requirements
  • Establish vision and mission
  • Obtain funding and sponsorship
  • Develop implementation plan
• Coordinate implementation:

Detailed Plan of Action for Incident Management – Prepare cont.
Prepare/improve/sustain (prepare) phase:
• Develop policies, processes and plans
• Establish incident handling criteria
• Implement defined resources
• Evaluate incident management capability
• Conduct postmortem review
• Determine incident management process changes
• Implement incident management process changes

Detailed Plan of Action for Incident Management - Protect
Protect infrastructure (protect) phase:
• Implement changes to computing infrastructure to mitigate ongoing or potential incidents
• Implement infrastructure protection improvements from postmortem reviews or other process improvement mechanisms
• Evaluate computing infrastructure by performing proactive security assessment and evaluation
• Provide input to the detect process on incidents/potential incidents

Detailed Plan of Action for Incident Management - Detect
Detect events (detect) phase:
• Proactive detection: the detect process is conducted prior to an incident alert. This enables the response team to detect attack precursors, false negatives and emerging threats.
• Reactive detection: the detect process is conducted when there are reports of possible incidents from system users or other organizations.

Detailed Plan of Action for Incident Management - Triage
Triage
• Requires initial gathering of incident data, incident severity determination, notification and activation of the incident response team
• Can be done on two levels:
  • Tactical: based on a set of criteria
  • Strategic: based on business impact

Detailed Plan of Action for Incident Management - Response
Response
• Technical response
  • Collecting data for further analysis
  • Analyzing incident supporting information such as log files
  • Technical mitigation strategies and recovery options
  • Development and deployment of workarounds
• Management response
• Legal response

Elements of an Incident Response Plan
Another approach to the development of an incident response plan, based on the SANS Institute:
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons learned

Crisis Communications
One of the greatest challenges in a crisis is effective communications
• Internal
  • Staff, management, business units
• External
  • Business partners
  • Shareholders
  • General public
  • Government and regulatory bodies
  • Law enforcement

Challenges in Developing an Incident Management Plan
Unanticipated challenges may be the result of:
• Lack of management buy-in and organizational consensus
• Mismatch to organizational goals and priorities
• Incident management team member turnover
• Poor communications
• Complex and wide plan

Incident Response Team Members

Personnel
An incident response team usually consists of:
• The incident manager (often an information security manager)
  • The team leader
• Steering committee/advisory board
  • Provide oversight and authority

Personnel cont.
An incident response team usually consists of:
• Permanent/dedicated team members
  • Specialized skills: forensics, audit, communications, legal
  • Representation from key departments: Operations, IT, HR, Finance, Security, Executive, etc.
• Virtual/temporary team members
  • External experts

Personnel cont.
The composition of the incident response team will depend on a number of factors such as:
• Mission and goals of the incident response program
• Nature and range of services provided
• Available staff expertise
• Scope and technology base
• Anticipated incident load
• Severity or complexity of incident reports
• Funding
• Regulations and legal considerations

Team Member Skills
The set of basic skills that incident response team members need can be separated into two broad groups:
Personal skills
• Ability to handle stress
• Leadership skills
• Expertise based on the incident handler’s daily activity
Technical skills
• Specialized skills in IT, communications, etc.

Skills cont.
Personal skills
• Communication
• Presentation skills
• Ability to follow policies and procedures
• Team skills
• Integrity
• Confidence
• Problem solving
• Time management

Skills cont.
Technical skills
• Basic understanding of the underlying technologies used by the organization
• Understanding of the techniques, decision points and supporting tools required in incident management

Security Concepts and Technologies
The following security concepts and technologies should be considered and known to IRTs:
• Security principles
• Security vulnerabilities / weaknesses
• Network applications and services
• Network security issues
• The Internet
• Operating systems
• Network protocols
• Malicious code
• Programming skills

Organizing, Training and Equipping the Response Staff
Every incident response team member should get the following types of training:
• Induction to incident response: basic information about the team and its operations
• Description of the team’s roles, responsibilities and procedures
• On-the-job training
• Formal training

Review and Audit of Incident Response

Value Delivery
To deliver value, incident management should:
• Integrate and align with business processes and structures
• Improve the capability of businesses to manage incidents effectively
• Integrate incident management with risk and business continuity
• Become part of an organization’s overall strategy and effort to protect and secure critical business functions and assets

Performance Measurement
Performance measurements for incident management and response will focus on achieving the defined objectives and optimizing effectiveness
• Incident response time
• Application of lessons learned
KPIs and KGIs should be defined and agreed upon by stakeholders and ratified by senior management

Reviewing the Current State of Incident Response Capability
• Survey of senior management, business managers and IT representatives
• Self-assessment
• External assessment or audit

Audits
Audits (internal and external) must be performed to verify:
• Incidents have been resolved and closed off
• Lessons learned have been applied to the organization
• Adherence by the incident response team to the policies and procedures defined by the organization

Gap Analysis – Basis for an Incident Response Plan Gap analysis – compares current incident response capabilities with the desired level. The following may be identified: • Processes that need to be improved to be more efficient and effective • Resources needed to achieve the objectives for the incident response capability
Responding to an Incident
When an Incident Occurs
If an incident occurs:
• The incident response team should follow the procedures set out in the incident response plan
• Properly document (record and preserve) all information related to the incident
• Follow data/evidence preservation procedures
• Take precautions to avoid changing, altering or contaminating any potential or actual evidence
During an Incident
The initial response to an incident should include:
• Retrieving the information needed to confirm an incident
• Determining whether it is a false positive or a real event
• Notifying the incident manager and activating the incident response teams
During an Incident cont.
• Identifying the scope and size of the affected environment (e.g., networks, systems, applications)
• Containing the incident and minimizing the potential for further damage
• Determining the degree of loss, modification or damage (if any)
• Identifying the possible path or means of attack
• Restoring critical services
Containment Strategies
During an incident it is critically important to contain the crisis and attempt to minimize the amount of damage that occurs. Containment strategies include:
• Network isolation and segmentation
• Fire doors and fire suppression
• Fail secure
• Multiple suppliers
• Multiple facilities
• Cross-trained staff
The Battle Box
Preloaded kits containing the tools and support materials needed by the response team in a crisis:
• Flashlights
• Communications (radio, satellite phones)
• Batteries
• Forms and documentation, pens
• Tools
• Protective clothing
• First aid kits
• Evidence collection bags
Evidence Identification and Preservation
The CISM must know:
• Requirements for collecting and preserving evidence
• Rules for evidence, admissibility of evidence, and quality and completeness of evidence
• The consequences of any contamination of evidence following a security incident
• Consider enlisting the help of third-party specialists if detailed forensic skills are needed
Post Event Reviews
Post event reviews allow lessons learned to be applied to future incidents:
• Use information gathered to improve response procedures
• Do reviews with all affected staff
• Follow up on all lessons
Business Continuity and Disaster Recovery Planning
Disaster Recovery Planning (DRP) and Business Recovery Processes
Disaster recovery has traditionally been defined as the recovery of IT systems from disastrous events.
Business recovery (resumption) is defined as the recovery of the critical business processes necessary to continue or resume operations.
Development of BCP and DRP
Each of these planning processes typically includes several main phases, including:
• Risk and business impact assessment
• Response and recovery strategy definition
• Documenting response and recovery plans
• Training all users and response teams
• Updating response and recovery plans
• Testing response and recovery plans
• Auditing response and recovery plans
Plan Development
Plan development factors include:
• Pre-incident readiness
• Evacuation procedures
• How to declare a disaster
• Identifying the business processes and IT resources that should be recovered
• Identifying the responsibilities in the plan
Plan Development cont.
Plan development factors include:
• Identifying contact information
• The step-by-step explanation of the recovery options
• Identifying the various resources required for recovery and continued operations
• Ensuring that other logistics such as personnel relocation and temporary housing are considered
Recovery Strategies
Recovery strategies must be sustainable for the entire period of recovery until business processes are restored to normal. Strategies may include:
• Doing nothing until recovery facilities are ready
• Using manual procedures / workarounds
• Focusing on the most important customers, suppliers, products, and systems with resources that are still available
Recovery Strategies cont.
The most appropriate recovery strategy is based on:
• The ability to recover within acceptable recovery times at a reasonable cost
• Which recovery strategies are available
• Several options may be considered, including outsourcing of certain functions
Basis for Recovery Strategy Selections
Response and recovery strategy plans should be based on the following considerations:
• Interruption window
• Recovery time objectives (RTOs)
• Recovery point objectives (RPOs)
• Service delivery objectives (SDOs)
• Maximum tolerable outages (MTOs) / maximum tolerable period of disruption (MTPD)
• Location
• Nature of probable disruptions
Disaster Recovery Sites
Types of offsite backup hardware facilities available include:
• Hot sites
• Warm sites
• Cold sites
• Mobile sites
• Duplicate information processing facilities
• Mirror sites
Disaster Recovery Sites cont.
Criteria for selecting alternate sites for processing in the event of a disaster include:
• The recovery site should not be subject to the same disaster(s) as the primary site
• Availability of similar hardware / software
• Ability to move people and resources to the recovery location
• Ability to test the recovery strategy
Recovery of Communications
Recovery of IT facilities involves telecommunications and network recovery:
• Alternative / diverse routing
• Long-haul network diversity
• Voice recovery
• Availability of appropriate circuits and adequate bandwidth
• Availability of out-of-band communications in case of failure of primary communications methods
Notification Requirements
The plan should include a call tree with a prioritized list of contacts:
• Representatives of equipment and software vendors
• Contacts within companies that have been designated to provide supplies and equipment or services
• Contacts at recovery facilities, including hot site representatives or predefined network communications rerouting services
Notification Requirements cont.
The plan should include a call tree with a prioritized list of contacts:
• Contacts at offsite media storage facilities and the contacts within the company who are authorized to retrieve media from the offsite facility
• Insurance company agents
• Contacts at human resources (HR) and/or contract personnel services
• Law enforcement contacts
Response Teams
The number of teams depends upon the size of the organization and the magnitude of operations. Examples include:
• The emergency action team
• Damage assessment team
• Emergency management team
• Relocation team
• Security team
Insurance
Types of insurance coverage:
• IT equipment and facilities
• Media (software) reconstruction
• Extra expense
• Business interruption
• Valuable papers and records
• Errors and omissions
• Fidelity coverage
• Media transportation
Testing Response and Recovery Plans
Testing must include:
• Developing test objectives
• Executing the test
• Evaluating the test
• Developing recommendations to improve the effectiveness of testing processes as well as response and recovery plans
• Implementing a follow-up process to ensure that the recommendations are implemented
Types of Tests
Tests can include:
• Desk check / table-top walk-through of the plans
• Table-top walk-through with mock disaster scenarios (simulation tests)
• Testing the infrastructure and communication components of the recovery plan
• Testing the infrastructure and recovery of the critical applications (parallel tests)
• Full restoration and recovery tests with some personnel unfamiliar with the systems
Test Results
The test should strive to:
• Verify the completeness and effectiveness of the response and recovery plans
• Evaluate the performance of the personnel involved in the exercise
• Evaluate the coordination among the team members and external vendors and suppliers
• Indicate areas where improvements to the plan are necessary
Test Results cont.
The test should strive to:
• Measure the ability and capacity of the backup site to perform required processing
• Ensure vital records / data can be retrieved
• Evaluate the state and quantity of equipment and supplies that have been relocated to the recovery site
• Measure the overall performance of operational and information systems related to maintaining the business entity
Plan Maintenance Activities
The BCP and DR plans must be maintained through:
• Developing a schedule for periodic review and maintenance of the plan
• Updating the plan with personnel changes, phone numbers and responsibilities or status within the company
• Updating the plan whenever significant changes have occurred:
  • Organizational change
  • Results of tests or incidents
BCP and DRP Training
Training must be provided for all staff, dependent on their responsibilities. Develop a schedule for training personnel in emergency and recovery procedures:
• Users
• Team members
• Local business unit liaisons
Practice Question
1. The PRIMARY goal of a post-incident review is to:
A. Gather evidence for subsequent disciplinary action.
B. Identify key individuals who provided critical support during the crisis.
C. Prepare a report on the incident for further management review.
D. Derive ways to improve the response process.
Practice Question
2. Which of the following is the MOST important skill for an incident handler to possess?
A. Presentation skills for management reporting
B. Ability to follow policy and procedures
C. Integrity
D. Ability to cope with stress
Practice Question
3. What is the PRIMARY reason for conducting triage?
A. To set the priorities for incident response
B. To determine the root cause of the incident
C. To mitigate the damage being caused by the incident
D. To detect the presence of an incident
Practice Question
4. Which of the following is the MOST important factor when deciding whether to build an alternate facility or subscribe to a hot site operated by a third party?
A. Cost to restore lost data following the incident
B. Incremental cost of losing different systems
C. Location, availability, and cost of commercial recovery facilities
D. Estimated annualized loss expectancy (ALE) from key risks
Practice Question
5. Which of the following documents should be contained in an incident response procedures manual?
A. Risk assessment report
B. Communications plan
C. Record of all assets and systems
D. Alternate site recovery procedures
ISACA® EXAM CANDIDATE INFORMATION GUIDE 2015
ISACA Exam Candidate Information Guide
ISACA Exams 2015 – Important Date Information

Exam Date: 13 June 2015 Exam
• Early registration deadline: 11 February 2015
• Final registration deadline: 10 April 2015
• Exam registration changes: Between 11 April and 24 April 2015, charged a US $50 fee, with no changes accepted after 24 April 2015
• Refunds: By 10 April 2015, charged a US $100 processing fee, with no refunds after that date
• Deferrals: Requests received on or before 24 April 2015, charged a US $50 processing fee. Requests received from 25 April through 22 May 2015, charged a US $100 processing fee. After 22 May 2015, no deferrals will be permitted.
• All deadlines are based upon Chicago, Illinois, USA 5 p.m. CT (central time)

Exam Date: 12 September 2015 Exam*
• Early registration deadline: 17 June 2015
• Final registration deadline: 24 July 2015
• Exam registration changes: Between 25 July and 3 August, charged a US $50 fee, with no changes accepted after 3 August 2015
• Refunds: By 24 July 2015, charged a US $100 processing fee, with no refunds after that date
• Deferrals: Requests received on or before 10 August 2015, charged a US $50 processing fee. Requests received from 11 August through 28 August 2015, charged a US $100 processing fee. After 28 August 2015, no deferrals will be permitted.
• All deadlines are based upon Chicago, Illinois, USA 5 p.m. CT (central time)
* CISA and CISM only at select locations

Exam Date: 12 December 2015 Exam
• Early registration deadline: 19 August 2015
• Final registration deadline: 23 October 2015
• Exam registration changes: Between 24 October and 30 October, charged a US $50 fee, with no changes accepted after 30 October 2015
• Refunds: By 23 October 2015, charged a US $100 processing fee, with no refunds after that date
• Deferrals: Requests received on or before 23 October 2015, charged a US $50 processing fee. Requests received from 24 October through 27 November 2015, charged a US $100 processing fee. After 27 November 2015, no deferrals will be permitted.
• All deadlines are based upon Chicago, Illinois, USA 5 p.m. CT (central time)

Note:
• The CISA Chinese Mandarin Traditional, German, Italian and Hebrew languages are only offered at the June exam.
• The CISA Turkish is only offered at the June and December exams.
• The CISM Japanese and Korean languages are only offered at the June exam.
• Visit www.isaca.org/examlocations for a listing of the exam sites. Select the appropriate tab for June, September or December. Please contact [email protected] for further information.
Table of Contents
ISACA Certification ........ 3
June—Important Date Information ........ 5
September—Important Date Information ........ 6
December—Important Date Information ........ 7
Exam Day Information ........ 8
Post Exam Information ........ 10

About ISACA
With more than 115,000 constituents in 180 countries, ISACA® (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.
ANSI Accredited Program – Personnel Certification #0694 – ISO/IEC 17024
CISA, CISM, CGEIT and CRISC Program Accreditation Renewed Under ISO/IEC 17024:2003
The American National Standards Institute (ANSI) has accredited the CISA, CISM, CGEIT and CRISC certifications under ISO/IEC 17024:2003, General Requirements for Bodies Operating Certification Systems of Persons. ANSI, a private, nonprofit organization, accredits other organizations to serve as third-party product, system and personnel certifiers. ISO/IEC 17024 specifies the requirements to be followed by organizations certifying individuals against specific requirements. ANSI describes ISO/IEC 17024 as “expected to play a prominent role in facilitating global standardization of the certification community, increasing mobility among countries, enhancing public safety and protecting consumers.”
ANSI’s accreditation:
• Promotes the unique qualifications and expertise that ISACA certifications provide
• Protects the integrity of the certifications and provides legal defensibility
• Enhances consumer and public confidence in the certifications and the people who hold them
• Facilitates mobility across borders or industries
Accreditation by ANSI signifies that ISACA’s procedures meet ANSI’s essential requirements for openness, balance, consensus and due process. With this accreditation, ISACA anticipates that significant opportunities for CISAs, CISMs and CGEITs will continue to present themselves around the world.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: [email protected]
Web site: www.isaca.org
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

Reservation of Rights
Copyright © 2014 ISACA. Reproduction or storage in any form for any purpose is not permitted without ISACA’s prior written permission. No other right or permission is granted with respect to this work. All rights reserved.
ISACA CERTIFICATION: IS AUDIT, SECURITY, GOVERNANCE AND RISK AND CONTROL
The ISACA Exam Candidate Information Guide includes candidate information about exam registration, dates, and deadlines and provides important key candidate details for exam day administration. This publication is available online at www.isaca.org/examguide
The following certifications are addressed in this guide: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), and Certified in Risk and Information Systems Control (CRISC). A brief summary of each follows.

Description
• CISA: The CISA designation is a globally recognized certification for IS audit control, assurance, and security professionals.
• CISM: The management-focused CISM certification promotes international security practices and recognizes the individual who manages, designs, and oversees and assesses an enterprise’s information security.
• CGEIT: CGEIT recognizes a wide range of professionals for their knowledge and application of enterprise IT governance principles and practices.
• CRISC: CRISC certification is designed for those experienced in the management of IT risk, and the design, implementation, monitoring and maintenance of IS controls.

Eligibility Requirements
• CISA: Five (5) or more years of experience in IS audit, control, assurance, or security. Waivers are available for a maximum of three (3) years.
• CISM: Five (5) or more years of experience in information security management. Waivers are available for a maximum of two (2) years.
• CGEIT: Five (5) or more years of experience managing, serving in an advisory or oversight role, and/or otherwise supporting the governance of the IT-related contribution to an enterprise, including a minimum of one year of experience relating to the definition, establishment and management of a Framework for the Governance of IT. There are no substitutions or experience waivers.
• CRISC: Three (3) or more years of cumulative work experience performing the tasks of a CRISC professional across at least two (2) CRISC domains, of which one must be in Domain 1 or 2, is required for certification. There are no substitutions or experience waivers.

Domains (%)
• CISA: Domain 1—The Process of Auditing Information Systems (14%); Domain 2—Governance and Management of IT (14%); Domain 3—Information Systems Acquisition, Development, and Implementation (19%); Domain 4—Information Systems Operations, Maintenance and Support (23%); Domain 5—Protection of Information Assets (30%)
• CISM: Domain 1—Information Security Governance (24%); Domain 2—Information Risk Management and Compliance (33%); Domain 3—Information Security Program Development and Management (25%); Domain 4—Information Security Incident Management (18%)
• CGEIT: Domain 1: Framework for the Governance of Enterprise IT (25%); Domain 2: Strategic Management (20%); Domain 3: Benefits Realization (16%); Domain 4: Risk Optimization (24%); Domain 5: Resource Optimization (15%)
• CRISC: Domain 1: IT Risk Identification (27%); Domain 2: IT Risk Assessment (28%); Domain 3: Risk Response and Mitigation (23%); Domain 4: Risk and Control Monitoring and Reporting (22%)

Number of exam questions*: length of exam
• CISA: 200 questions: 4 hours
• CISM: 200 questions: 4 hours
• CGEIT: 150 questions: 4 hours
• CRISC: 150 questions: 4 hours

Exam Languages
• CISA: Chinese Mandarin Traditional**, Chinese Mandarin Simplified, English, French, German**, Hebrew**, Italian**, Japanese, Korean, Spanish, Turkish***
• CISM: English, Japanese**, Korean**, Spanish
• CGEIT: English
• CRISC: English, Spanish

* Consists of multiple choice items that cover the respective job practice areas created from the most recent job practice analysis. See page 11 for related links.
** June exam only
*** June and December exam only.
REGISTERING FOR THE EXAM

REGISTER FOR THE EXAM
You can register for an ISACA exam via online registration or hard copy registration form. To place your online registration via the ISACA web site visit www.isaca.org/examreg. To register via hardcopy registration form, complete the hardcopy registration form provided at www.isaca.org/exam and fax or mail to ISACA along with your payment information.
Note: Faxed/mailed registrations will incur an additional US $75 charge.

SUBMIT REGISTRATION FEES AND PAYMENT
Online registration fees (early registrations received on or before the early registration deadline / final registrations received by the final registration deadline):
• ISACA member: US $440 (early) / US $490 (final)
• Non-ISACA member: US $625 (early) / US $675 (final)
NOTE: Registration form and payment must be received on or before the early registration deadline to qualify for the early registration rate.

Notes:
• The CISA Chinese Mandarin Traditional, German, Hebrew, and Italian languages will only be offered at the June exam.
• The CISM Japanese and Korean languages are only offered at the June Exam.
• Visit www.isaca.org/examlocations for a listing of the exam sites. Please select the appropriate tab for the June, September or December locations. Please contact [email protected] for further information.

CONSIDER ISACA MEMBERSHIP
If you are not yet an ISACA member, consider joining during the registration process and enjoy the member discount on your exam and study materials. Please visit www.isaca.org/join for detailed information on membership benefits and fees.
Join dates and resulting membership term:
• Join from 1 August 2014 to 30 May 2015: member through 31 December 2015
• Join from 1 June 2015 to 31 July 2015: member through 31 December 2015
• Join from 1 August 2015 to December 2015: member through 31 December 2016

Due Dates
Deadlines are based on Chicago, Illinois, USA, 5 P.M. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). If not registering online, please mail or fax the registration form to ISACA. Do not do both. Submitting duplicate registrations online and/or by hard copy to ISACA may result in multiple registrations and charges. Final registration forms and payment must be postmarked or received by fax on or before the final registration date for the exam you are registering for. Both pages of the registration form must be received to complete a registration.

ACKNOWLEDGMENT OF REGISTRATION
An email acknowledgement of the exam registration, exam test site and exam language will be sent to registrants shortly after the processing of the registration. Please review the exam registration details carefully and contact the ISACA certification department at [email protected] for any corrections or changes. A receipt letter acknowledging exam registration and payment with a link to ISACA’s Exam Candidate Information Guide should be received by exam registrants within four weeks (depending on your worldwide location and local postal delivery) of the processing of the registration form and payment. We encourage exam candidates to review this Guide to familiarize themselves with exam day information and rules.
JUNE—IMPORTANT DATE INFORMATION
Exam Date: 13 June 2015

Exam Registration Changes
Changes to the exam site, test language and candidate name are subject to the following charges:
• On or before 10 April 2015: No charge
• 11 April through 24 April 2015: US $50
No exam registration changes will be granted after 24 April 2015.

Refund and Deferrals of Fees
Refund: Candidates unable to take the exam are eligible for a refund of registration fees, less a US $100 processing fee, if such a request is received in writing on or before 10 April 2015. All requests for a refund after this date will be denied. Exam candidates who have deferred their exam are not eligible for a refund of their deferral fee and associated exam payment.
Deferrals: Exam registrants may elect to defer their registration to the following exam date. A deferral fee is required based on the following schedule:
• On or before 24 April: US $50
• 25 April through 22 May: US $100
Deferral requests will not be accepted after 22 May 2015. To request a deferral, please go to www.isaca.org/examdefer. Exam candidates who have deferred their exam are not eligible for a refund of their deferral fee and associated exam payment. Exam candidates who do not appear for the exam (or arrive too late to be admitted) are not eligible for a refund or deferral of their exam registration payment. Any candidate who has not received his/her admission ticket by 1 June 2015 should contact the ISACA certification department at [email protected] or via phone at +1.847.660.5660.

Special Accommodations
Upon request, ISACA will make reasonable accommodations in its exam procedures for candidates with documented disabilities or religious requirements. Consideration for reasonable alterations in scheduling, exam format, presentation, and allowance of food or drink at the exam site must be requested. Documented disability requests must be accompanied by a doctor’s note. Requests for a religious requirement must be accompanied by a note from the candidate’s religious leader. Unless requested and approved, no food or drink is allowed at any exam site. Requests for consideration must be submitted to ISACA International Headquarters in writing, accompanied by appropriate documentation, no later than 10 April 2015 to [email protected].

Request for Additional Test Centers
If an exam center is not available within 100 miles (160 kilometers) of the location in which a candidate wants to be tested, and if there are ten or more paid candidates who wish to enter as a group at this location, they may request that a new exam center be established. Written requests for establishment of new exam centers, including a minimum of ten paid registration forms, must be received at ISACA International Headquarters no later than 1 February 2015. While there is no guarantee that a new exam center can be arranged, every attempt will be made to provide one.

Exam Locations
For a complete listing of the exam sites for the June exam administration visit www.isaca.org/examlocations and select the June Exam Locations tab.
All deadlines are based on Chicago, Illinois, USA, 5 p.m. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). No refunds or exchanges will be given for study aids, associated taxes, shipping and handling charges, or membership dues. Exam registration and membership fees are nontransferable.
SEPTEMBER—IMPORTANT DATE INFORMATION
Exam Date: 12 September 2015
The September exam administration is only offered for the CISA and CISM certification exams at limited exam sites.

Exam Registration Changes
Changes to the exam site, test language and candidate name are subject to the following charges:
• On or before 24 July 2015: No charge
• 25 July through 3 August 2015: US $50
No exam registration changes will be granted after 3 August 2015.

Refund and Deferrals of Fees
Refund: Candidates unable to take the exam are eligible for a refund of registration fees, less a US $100 processing fee, if such a request is received in writing on or before 24 July 2015. All requests for a refund after this date will be denied. Exam candidates who have deferred their exam are not eligible for a refund of their deferral fee and associated exam payment.
Deferrals: Exam registrants may elect to defer their registration to the following exam date. A deferral fee is required based on the following schedule:
• On or before 10 August 2015: US $50
• 11 August through 28 August 2015: US $100
Deferral requests will not be accepted after 28 August 2015. To request a deferral, please go to www.isaca.org/examdefer. Exam candidates who have deferred their exam are not eligible for a refund of their deferral fee and associated exam payment. Exam candidates who do not appear for the exam (or arrive too late to be admitted) are not eligible for a refund or deferral of their exam registration payment. Any candidate who has not received his/her admission ticket by 15 August 2015 should contact the ISACA certification department at [email protected] or via phone at +1.847.660.5660.

Special Accommodations
Upon request, ISACA will make reasonable accommodations in its exam procedures for candidates with documented disabilities. Consideration for reasonable alterations in exam format, presentation, and allowance of food or drink at the exam site must be requested and accompanied by a doctor’s note. Unless requested and approved, no food or drink is allowed at any exam site. Requests for consideration must be submitted to ISACA International Headquarters in writing, accompanied by appropriate documentation, no later than 27 July 2015 to [email protected].

Exam Locations
For a complete listing of the exam sites for the September exam administration visit www.isaca.org/examlocations and select the September Exam Locations tab.
All deadlines are based on Chicago, Illinois, USA, 5 p.m. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). No refunds or exchanges will be given for study aids, associated taxes, shipping and handling charges, or membership dues. Exam registration and membership fees are nontransferable.
ISACA Exam Candidate Information Guide DECEMBER—IMPORTANT DATE INFORMATION Exam Date 12 December 2015 Exam Registration Changes Changes to the exam site, test language and candidate name are subject to the following charges: z On or before 23 October .................................... No charge z 24 October through 30 October......................... US $50 No exam registration changes will be granted after 30 October 2015.
Refund and Deferrals of Fees Refund: Candidates unable to take the exam are eligible for a refund of registration fees, less a US $100 processing fee, if such a request is received in writing on or before 23 October 2015. All requests for a refund after this date will be denied. Exam candidates who have deferred their exam are not eligible for a refund of their deferral fee and associated exam payment. Deferrals: Exam registrants may elect to defer their registration to the following exam date. A deferral fee is required based on the following schedule: z On or before 23 October .................................... US $50 z 24 October through 27 November ..................... US $100 Deferral requests will not be accepted after 27 November 2015. To request a deferral, please go to www.isaca.org/examdefer. Exam candidates who have deferred their exam are not eligible for a refund of their deferral fee and associated exam payment. Exam candidates who do not appear for the exam (or arrive too late to be admitted) are not eligible for a refund or deferral of their exam registration payment. Any candidate who has not received his/her admission ticket by 1 December 2015 should contact the ISACA certification department at
[email protected] or via phone at +1.847.660.5660.
Special Accommodations

Upon request, ISACA will make reasonable accommodations in its exam procedures for candidates with documented disabilities or religious requirements. Consideration for reasonable alterations in scheduling, exam format, presentation, and allowance of food or drink at the exam site must be requested. Documented disability requests must be accompanied by a doctor’s note. Requests for a religious requirement must be accompanied by a note from the candidate’s religious leader. Unless requested and approved, no food or drink is allowed at any exam site. Requests for consideration must be submitted to ISACA International Headquarters in writing, accompanied by appropriate documentation, no later than 23 October 2015 to [email protected].
Request for Additional Test Centers

If an exam center is not available within 100 miles (160 kilometers) of the location in which a candidate wants to be tested, and if there are ten or more paid candidates who wish to enter as a group at this location, they may request that a new exam center be established. Written requests for establishment of new exam centers, including a minimum of ten paid registration forms, must be received at ISACA International Headquarters no later than 1 August 2015. While there is no guarantee that a new exam center can be arranged, every attempt will be made to provide one.
Exam Locations

For a complete listing of the exam sites for the December exam administration, visit www.isaca.org/examlocations and select the December Exam Locations tab. All deadlines are based on Chicago, Illinois, USA, 5 p.m. Central Time (UTC/GMT-06:00 Chicago, Illinois, USA). No refunds or exchanges will be given for study aids, associated taxes, shipping and handling charges, or membership dues. Exam registration and membership fees are nontransferable.
ISACA Exam Candidate Information Guide

EXAM DAY INFORMATION

Admission Ticket

Approximately two to three weeks prior to the exam date, candidates will be sent an email admission ticket (eticket) from ISACA. Admission tickets are sent via email to the current email address on file. In order to receive an admission ticket, all fees must be paid. Exam candidates can also download a copy of the admission ticket at www.isaca.org > MyISACA page of the web site. Tickets will indicate the date, registration time and location of the exam, as well as a schedule of events for that day and a list of materials that candidates must bring with them to take the exam. Candidates are not to write on the admission ticket. Candidates can use their admission ticket (either a printout of their e-ticket or their downloaded ticket) only at the designated test center.

Identification on Exam Day

Candidates will be admitted to the test center only if they have a valid admission ticket and an acceptable form of identification (ID). An acceptable form of ID must be a current and original government-issued ID that contains the candidate’s name, as it appears on the admission ticket, and the candidate’s photograph. The information on the ID cannot be handwritten. All of these characteristics must be demonstrated by the single piece of ID provided. Examples include, but are not limited to, a passport, driver’s license, military ID, state ID, green card and national ID. Any candidate who does not provide an acceptable form of ID will not be allowed to sit for the exam and will forfeit his/her registration fee. IDs will be checked during the exam administration. Only candidates with an admission ticket and an acceptable government-issued ID will be admitted to take the exam, and the name on the admission ticket must match the name on the government-issued ID. If candidates’ mailing and/or email addresses change, they should update their profile on the ISACA web site (www.isaca.org) or contact [email protected].

Arrival Time For Exam

It is imperative that candidates note the specific registration and exam times on their admission ticket. NO CANDIDATE WILL BE ADMITTED TO THE TEST CENTER ONCE THE CHIEF EXAMINER BEGINS READING THE ORAL INSTRUCTIONS, APPROXIMATELY 30 MINUTES BEFORE THE EXAM BEGINS. Any candidate who arrives after the oral instructions have begun will not be allowed to sit for the exam and will forfeit his/her registration fee. An admission ticket can only be used at the designated test center specified on the admission ticket. To ensure that you arrive in plenty of time for the exam, we recommend that you become familiar with the exact location and the best travel route to your exam site prior to the date of the exam. Test center telephone numbers and web site references have been provided (when available) to assist you in obtaining directions to the facility.

Exam Rules

• Candidates will not be admitted to a test center after the oral instructions have begun.
• Candidates should bring several sharpened No. 2 or HB (soft lead) pencils and a good eraser. Pencils and erasers will not be available at the test center.
• As exam venues vary, every attempt will be made to make the climate control comfortable at each exam venue. Candidates may want to dress to their own comfort level.
• Candidates are not allowed to bring reference materials, blank paper, note pads or language dictionaries into the test center.
• Candidates are not allowed to bring or use a calculator in the test center.
• Candidates are not allowed to bring any type of communication, surveillance or recording device (including, but not limited to cell phones, tablets, smart glasses, smart watches, mobile devices, etc.) into the test center. If exam candidates are viewed with any such communication, surveillance or recording device during the exam administration, their exams will be voided and they will be asked to immediately leave the exam site.
• Candidates are not allowed to bring baggage of any kind, including but not limited to handbags/purses, briefcases, etc. into the test center. Visit www.isaca.org/cisabelongings, www.isaca.org/cismbelongings, www.isaca.org/cgeitbelongings, www.isaca.org/criscbelongings for more information on personal belongings allowed or prohibited.
• Visitors are not permitted in the test center.
• No food or beverages are allowed in the test center (without advanced authorization from ISACA).
• Candidates are urged to immediately record their answers on their answer sheet. No additional time will be allowed after the exam time has elapsed to transfer or record answers should candidates mark their answers in the test booklet. The exam will be scored based on the answer sheet recordings only.
• Candidates must gain authorization or be accompanied by a test proctor to leave the testing area.
• Candidates may leave the testing room with authorization during the examination to visit the facilities. Only one person will be excused from the room at a time. Testing staff will collect the candidate examination materials and the candidate will be required to check-out and check-in again upon re-entering the exam. Note the examination time will not stop and no extra time will be allotted.

Misconduct

Candidates who are discovered in violation of the Exam Rules or engaging in any kind of misconduct including but not limited to the activities listed below will be subject to disqualification. The testing agency will report all cases of misconduct to the respective ISACA Certification Committee for committee review in order to render any decision necessary.
• Giving or receiving help; using notes, papers or other aids,
• Attempting to take the exam for someone else,
• Possession of communication, surveillance or recording device, including but not limited to cell phones, tablets, smart glasses, smart watches, mobile devices, etc., during the exam administration,
• Removing test materials, answer sheet or notes from the testing center,
• Attempting to share test questions or answers or other information contained in the exam (as such are the confidential information of ISACA), including sharing test questions subsequent to the exam,
• Leaving the testing room or area without authorization or accompaniment by a test proctor (these individuals will not be allowed to return to the testing room),
• Accessing items stored in the personal belongings area before the completion of the exam, and
• Continuing to write the exam after the proctor signals the end of the exam time.
Reasons for Dismissal or Disqualification and Voiding of Exam

• Unauthorized admission to the test center.
• Candidate creates a disturbance or gives or receives help.
• Candidate attempts to remove test materials, questions, answers or notes from the test center.
• Candidate impersonates another candidate.
• Candidate brings items into the test center that are not permitted or accesses items stored in the personal belongings area during the exam.
• Candidate possesses any communication, surveillance or recording device during the exam administration.
• Candidate leaves the test area without authorization.
• Candidate continues to write the exam, including continuing to record answers on his/her answer sheet after the proctor signals the end of the examination.
• Candidate shares test questions or other information contained in the exam.

Personal Belongings

Each test site will have a specific area designated for the storage of personal belongings. Neither ISACA nor its testing vendor takes responsibility for personal belongings of candidates. ISACA will not assume responsibility for stolen, lost or damaged personal property. To review the Personal Belongings Policy, please visit www.isaca.org/cisabelongings, www.isaca.org/cismbelongings, www.isaca.org/cgeitbelongings, or www.isaca.org/criscbelongings. Personal items brought to the exam site and stored in the belongings area of the testing center may not be accessed until the exam candidate has completed and submitted his/her exam.

Taking the Exam/Types of Questions on the Exams

Exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards. All questions are designed with one best answer. Every question has a stem (question) and four options (answer choices). The candidate is asked to choose the correct or best answer from the options.

The stem may be in the form of a question or incomplete statement. In some instances, a scenario may also be included. These questions normally include a description of a situation and require the candidate to answer two or more questions based on the information provided. The candidate is cautioned to read each question carefully. An exam question may require the candidate to choose the appropriate answer based on a qualifier, such as MOST likely or BEST. In every case, the candidate is required to read the question carefully, eliminate known incorrect answers and then make the best choice possible. To gain a better understanding of the types of questions that might appear on the exam and how these questions are developed, refer to the Item Writing Guide available at www.isaca.org/itemwriter. Representations of CISA exam questions are available at www.isaca.org/cisaassessment; CISM exam questions are available at www.isaca.org/cismassessment.

Conduct Oneself Properly

• To protect the security of the exam and maintain the validity of the scores, candidates are asked to sign the answer sheet.
• The respective ISACA Certification Committee reserves the right to disqualify any candidate who is discovered engaging in any kind of misconduct or violation of exam rules, including but not limited to giving or receiving help; using notes, papers or other aids; attempting to take the exam for someone else; using any type of communication, surveillance or recording device during the exam administration; removing test materials or notes from the test center; or attempting to share test questions or answers or other information contained in the exam (as such are the confidential information of ISACA). The testing agency will provide the respective ISACA Certification Committee with records regarding such irregularities for committee review and to render any decision necessary.

Be Careful in Completing the Answer Sheet

• Before a candidate begins the exam, the test center chief examiner will read aloud the instructions for entering identification information on the answer sheet. A candidate’s identification number as it appears on the admission ticket and all other requested information must be correctly entered or scores may be delayed or incorrectly reported.
• A proctor speaking the primary language used at each test center is available. If a candidate desires to take the exam in a language other than the primary language of the test center, the proctor may not be conversant in the language chosen. However, written instructions will be available in the language of the exam.
• A candidate is instructed to read all instructions carefully and understand them before attempting to answer the questions. Candidates who skip over the directions or read them too quickly could miss important information and possibly lose credit.
• All answers are to be marked in the appropriate circle on the answer sheet. Candidates must be careful not to mark more than one answer per question and to be sure to answer a question in the appropriate row of answers. If an answer needs to be changed, a candidate is urged to erase the wrong answer fully before marking in the new one.
• All questions should be answered. There are no penalties for incorrect answers. Grades are based solely on the number of questions answered correctly, so do not leave any questions blank.
• After completion, candidates are required to hand in their answer sheet and test booklet.

Budget One’s Time

• The exam is four hours in length. Candidates are advised to pace themselves to complete the entire exam.
• Candidates are urged to immediately record their answers on the answer sheet. No additional time will be allowed after the exam time has elapsed to transfer or record answers should a candidate mark answers in the test booklet. The exam will be scored based on the answer sheet recordings only.
Exam Day Comments

ISACA utilizes an internationally recognized professional testing agency to assist in the construction, administration and scoring of the exams. Candidates wishing to comment on the test administration conditions may do so at the conclusion of the testing session by completing the “Test Administration Questionnaire.” The Test Administration Questionnaire is presented at the back of the examination booklet with corresponding instructions for completion. Candidates who wish to address any additional comments or concerns about the examination administration, including site conditions or the content of the exam, should contact ISACA International Headquarters by letter or by email ([email protected]). Please include the following information in your comments: exam ID number, testing site, date tested and any relevant details on the specific issue. Only those comments received by ISACA during the first 2 weeks after the exam administration will be considered in the final scoring of the exam. Appeals by a certification exam taker, certification applicant or certified individual are undertaken at the discretion and cost of the exam taker, applicant or individual.

POST EXAM INFORMATION

Scoring the Exams

The ISACA exams consist of multiple-choice items. Candidate scores are reported as a scaled score. A scaled score is a conversion of a candidate’s raw score on an exam to a common scale. ISACA uses and reports scores on a common scale from 200 to 800. For example, the scaled score of 800 represents a perfect score with all questions answered correctly; a scaled score of 200 is the lowest score possible and signifies that only a small number of questions were answered correctly. A candidate must receive a score of 450 or higher to pass the exam. A score of 450 represents a minimum consistent standard of knowledge. A candidate receiving a passing score may then apply for certification if all other requirements are met. The exams contain some questions which are included for research and analysis purposes only. These questions are not separately identified and are not used to calculate your final score.

Approximately five weeks for CISA/CISM and eight weeks for CGEIT/CRISC after the test date, the official exam results will be mailed to candidates. Additionally, with the candidate’s consent during the registration process, an email message containing the candidate’s pass/fail status and score will be sent to the candidate. This email notification will only be sent to the address listed in the candidate’s profile at the time of the initial release of the results. To ensure the confidentiality of scores, exam results will not be reported by telephone or fax. To prevent email notification from being sent to spam folders, candidates should add [email protected] to their address book, whitelist or safe-senders list. Once released, scores will also be available in the ISACA constituent profile at the MyISACA > MyCertifications page of the ISACA website.

Candidates will receive a score report containing a subscore for each domain area. Successful candidates will receive, along with a score report, details on how to apply for certification. The subscores can be useful in identifying those areas in which the unsuccessful candidate may need further study before retaking the exam. Unsuccessful candidates should note that the total scaled score cannot be determined by calculating either a simple or weighted average of the subscores.

Candidates receiving a failing score on the exam may request a hand score of their answer sheets. This procedure ensures that no stray marks, multiple responses or other conditions interfered with computer scoring. Candidates should understand, however, that all scores are subjected to several quality control checks before they are reported; therefore, rescores most likely will not result in a score change. Requests for hand scoring must be made in writing to the certification department within 90 days following the release of the exam results. Requests for a hand score after the deadline date will not be processed. All requests must include a candidate’s name, exam identification number and mailing address. A fee of US $75 must accompany each request.

Passing the exam does not grant the designation. Candidates have five years from the passing date to apply for certification. To become certified, each exam passer must complete requirements including submitting an application for certification. Candidates receiving a score less than 450 have not passed and can retake the exam by registering and paying the exam registration fee for the future administration. There are no limits to how many times a candidate can take the exam.
ISACA Code of Professional Ethics

ISACA sets forth a Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its certification holders. Members and certifieds are required to abide by the Code. Failure to comply with this Code of Professional Ethics can result in an investigation into a member’s and/or certification holder’s conduct and, ultimately, in disciplinary measures. The ISACA Code of Professional Ethics can be viewed online at www.isaca.org/ethics.
Confidentiality

By taking an ISACA Exam, the candidate understands and agrees that the Exam (which includes all aspects of the exam, including, without limitation, the test questions, answers, examples and other information presented or contained in the exam and exam materials) belongs to ISACA and constitutes ISACA’s confidential information (collectively, “Confidential Information”). The candidate agrees to maintain the confidentiality of ISACA’s Confidential Information at all times and understands that any failure to maintain the confidentiality of ISACA’s Confidential Information may result in disciplinary action against the candidate by ISACA or other adverse consequences, including, without limitation, nullification of his/her exam, loss of his/her credentials, and/or litigation. Specifically, the candidate understands that he/she may not, for example, discuss, publish or share any exam question(s), his/her answers or thoughts on any question(s) or the exam’s format in any forum or media (e.g., via e-mail, Facebook, LinkedIn).
IMPORTANT ADDITIONAL REFERENCES

These references contain essential exam information and should be read in their entirety.

Certification
  CISA Exam: www.isaca.org/cisa
  CISM Exam: www.isaca.org/cism
  CGEIT Exam: www.isaca.org/cgeit
  CRISC Exam: www.isaca.org/crisc

Preparing for the Exam
  CISA Exam: www.isaca.org/cisaprep
  CISM Exam: www.isaca.org/cismprep
  CGEIT Exam: www.isaca.org/cgeitprep
  CRISC Exam: www.isaca.org/criscprep

Requirements for Certification
  CISA Exam: www.isaca.org/cisarequirements
  CISM Exam: www.isaca.org/cismrequirements
  CGEIT Exam: www.isaca.org/cgeitrequirements
  CRISC Exam: www.isaca.org/criscrequirements

Job Practice
  CISA Exam: www.isaca.org/cisajobpractice
  CISM Exam: www.isaca.org/cismjobpractice
  CGEIT Exam: www.isaca.org/cgeitjobpractice
  CRISC Exam: www.isaca.org/criscjobpractice

Applying for Certification
  CISA Exam: www.isaca.org/cisaapp
  CISM Exam: www.isaca.org/cismapp
  CGEIT Exam: www.isaca.org/cgeitapp
  CRISC Exam: www.isaca.org/criscapp

Maintaining your Certification
  CISA Exam: www.isaca.org/cisacpepolicy
  CISM Exam: www.isaca.org/cismcpepolicy
  CGEIT Exam: www.isaca.org/cgeitcpepolicy
  CRISC Exam: www.isaca.org/crisccpepolicy

Glossary of Terms
  CISA, CISM, CGEIT and CRISC Exams: www.isaca.org/glossary

Acronyms
  CISA Exam: www.isaca.org/cisaprep
  CISM Exam: www.isaca.org/cismprep
Available Study Materials From ISACA

Passing an ISACA exam can be achieved through an organized plan of study. To assist individuals with the development of a successful study plan, ISACA offers, for purchase, study aids to exam candidates. Visit www.isaca.org/bookstore for more complete details including detailed descriptions of the products, costs, and languages available. Order early as delivery time can be one to two weeks, depending on geographic location and customs clearance practices.

CISA:
• CISA Review Manual 2015
• CISA Review Questions, Answers & Explanations Manual 2015
• CISA Review Questions, Answers & Explanations Manual Supplement 2015
• CISA Review Questions, Answers & Explanation Database, 12 month subscription
• CISA Review Questions, Answers & Explanation Database V15 CD-ROM
• CISA Online Review Course

CISM:
• CISM Review Manual 2015
• CISM Review Questions, Answers & Explanations Manual 2014
• CISM Review Questions, Answers & Explanations Manual 2014 Supplement
• CISM Review Questions, Answers & Explanations Manual 2015 Supplement
• CISM Review Questions, Answers & Explanation Database, 12 month subscription
• CISM Review Questions, Answers & Explanation Database V15 CD-ROM

CGEIT:
• CGEIT Review Manual 2015
• CGEIT Review Questions, Answers & Explanations Manual 2015
• CGEIT Review Questions, Answers & Explanations Manual Supplement 2015
• COBIT5

CRISC:
• CRISC Review Manual 2015
• CRISC Review Questions, Answers & Explanations Manual 2015
• CRISC Review Questions, Answers & Explanations Manual Supplement 2015
• CRISC Review Questions, Answers & Explanation Database, 12 month subscription
ISACA Contact Information

Exam and exam registration: Phone: +1.847.660.5660; Fax: +1.847.253.1443; Email: [email protected]
Certification: Phone: +1.847.660.5660; Fax: +1.847.253.1443; Email: certification@isaca.org
Study aids: Phone: +1.847.660.5650; Email: [email protected]
ISACA membership: Phone: +1.847.660.5600; Email: [email protected]

DOC: 2015 Exam Candidates Guide Version: V3 Update: 2015-03