CNIT 160 4d Security Program Management (Part 4)
0 likes152 views
This document provides an overview of topics covered in Part 4 of the CNIT 160 lecture on information security program development. It discusses administrative activities like external partnerships, compliance management, personnel management, project/program management, and budgets. It also covers security program operations such as event monitoring, vulnerability management, and secure engineering. Future lectures will address additional security program operations, incident management, awareness training, and other security controls and processes.
CNIT 160 4d Security Program Management (Part 4)
- 1. CNIT 160: Cybersecurity Responsibilities 4. Information Security Program Development Part 4 Pages 257-275
- 2. Topics in this Lecture • Administrative Activities • External Partnerships (p. 257) • Compliance Management • Personnel Management • Project and Program Management • Budget • Business Case Development • Vendor Management • Security Program Operations • Event Monitoring • Vulnerability Management
- 3. • Security Program Operations • Secure Engineering and Development • Network Protection (p. 277) • Endpoint Protection & Mgmt (p. 288) • Identity and Access Management (p. 292) Chapter Topics For Later Lectures
- 4. • Security Program Operations • Security Incident Management • Security Awareness Training • Managed Security Services Providers • Data Security (p. 302) • Business Continuity Planning Chapter Topics For Later Lectures
- 5. • IT Service Management (p. 322) • Controls • Metrics and Monitoring • Continuous Improvement Chapter Topics For Later Lectures
- 7. Law Enforcement • Cultivate relationships in advance of incidents • USA • FBI (InfraGard) • Secret Service (HTCIA) • Global • Interpol
- 8. Regulators and Auditors • Partners, not adversaries • Understand their ethical boundaries
- 9. Standards Organizations • PCI Security Standards Council • Cloud Security Alliance • Information Security Forum • International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
- 10. Professional Organizations • ISACA • Developer of CISM and CISA certifications • ISSA (Information Systems Security Association) • (ISC)2 (International Information Systems Security Certification Consortium) • Developer of CISSP certification
- 11. Professional Organizations • CSA (Cloud Security Alliance) • EC-Council (International Council of Electronic Commerce Consultants) • Developer of CEH (Certified Ethical Hacker) certification • SANS • Developer of GIAC certifications
- 12. Security Professional Services Vendors • Essential partners of security managers • Must develop trusted relationships • Virtual CISOs or CISO advisors • Can assist with strategy for • acquisition, implementation, and operation of security tools
- 13. Security Product Vendors • Need good relationships with vendors • Often an area with problems • Constantly changing • New vendors, new products
- 15. Compliance • Conformance to applicable policies, standards, regulations, and other requirements • Security manager must determine whether • Information systems, processes, and personnel • conform to those things
- 16. Compliance or Security • Two categories of organizations • Compliance based • "Check the box" • Do the bare minimum • Security and risk based • Perform risk assessments, etc.
- 17. Applicability
- 18. Compliance Risk • Risk from failure to comply • With an applicable law or other legal obligation • Risks may include • Sensitive data exposure • Fines and sanctions
- 19. Compliance Enforcement • Audits, control self-assessments, and other examinations of systems and processes • Reveal both direct risks and compliance risk
- 21. Finding and Retaining Talent • Shortage of skilled workers • Retaining talent is a challenge • They get bored and seek new challenges • Look within your organization • Cross over from IT to information security
- 22. Roles and Responsibilities • Role • A designation that denotes a set of responsibilities • Examples: security manager, security engineer, security analyst • Responsibility • A stated expectation of activities and performance • Examples: weekly scans, risk assessments, access requests
- 23. Defining Roles and Responsibilities • Security manager • Analyzes the required activities in the security team • Groups them along with • Subject matter, skill levels, and other considerations • Gives them roles and job titles
- 24. Job Descriptions • Formal description of a position, including • Job title • Work experience requirements • Knowledge requirements • Responsibilities
- 25. Culture • Attitudes, practices, communication styles, ethics, etc. • Many organizations don't regard information security as important • So the security manager must promote security awareness in subtle ways • Developing a "culture within a culture"
- 26. Professional Development • Constant learning • This is combat • The adversaries are constantly improving
- 27. Career Paths • Most security workers change companies every two years • To advance to the next level • Providing a career path can prevent that
- 28. Specialties
- 29. Certifications (Non-Vendor) • Security+ • Entry-level • SSCP from (ISC)2 • More technical than CISSP • GIAC from SANS • CEH from EC-Council • CCSP from Cloud Security Alliance
- 30. • CISSP from (ISC)2 • Essential. Non-technical. • CSSLP (Certified Secure Software Lifecycle Professional) from (ISC)2 • Essential. Non-technical. Certifications (Non-Vendor)
- 31. • ISACA Certifications • CISM (Certified Information Security Manager) • CISA (Certified Information Systems Auditor) • CRISC (Certified in Risk and Information Systems Control) Certifications (Non-Vendor)
- 32. • Check Point Certified Security Administrator (CCSA) • Certified Forensic Security Responder (CFSR) from Guidance Software • Radware Certified Security Specialist (RCSS) • Metasploit Certified Specialist from Rapid7 • WhiteHat Certified Secure Developer Certifications (Vendor)
- 33. Training
- 34. Training • Minimum: one week • Often employers reimburse college tuition • I know DriveSavers gives six weeks of training a year • Employees stay there for decades
- 36. Ch 4d-1
- 37. Administrative Activities Project and Program Management
- 38. Projects • The field is in continuous change • Project • A group activity to achieve a particular aim • Program Management • Management of several concurrent projects
- 41. Return on Security Investment (ROSI) • Security improvements don't increase revenue or lower costs • The benefit is risk reduction • Difficult to justify to management
- 42. Administrative Activities Business Case Development
- 43. Business Case • The rationale for making a business investment • Used to justify making an investment • And to support management of the investment later • Explains the benefits of the investment
- 44. Feasibility • Feasibility study • Defines the business problem • Describes a number of potential solutions • Business case should go further • And include figures for costs and benefits
- 45. Business Case Contents • Business problem • Feasibility study results • Increased revenue or efficiency analysis • High-level project plan • Timeline and number of people • Budget • Metrics • Risks
- 47. Trust Relationships • Security managers need deep, trusted relationships with security services vendors • Must confide challenges to a vendor • And get advice that will benefit the business • Not just make a sale
- 49. Security Program Operations Topics • In this lesson • Event Monitoring • Vulnerability Management
- 50. Security Program Operations Topics • For future lessons • Secure Engineering and Development • Network Protection • Endpoint Protection and Management • Identity and Access Management
- 51. Security Program Operations Topics (continued) • For future lessons • Security Incident Management Security Awareness Training • Managed Security Service Providers (MSSPs) • Data Security • Business Continuity Planning
- 52. Event Monitoring
- 53. Log Reviews • Many devices have logs • Firewalls, servers, operating systems... • Log review used to be a daily activity • Now most organizations perform real-time event monitoring
- 54. Centralized Log Managment • All the events are sent to a log server • Archives events so they can be reviewed • Used by the SEIM (next slide)
- 55. SEIM (Security Event and Incident Management) • A system that correlates events from many sources • Splunk is the industry leader
- 56. Threat Intelligence • SIEMs can ingest threat intelligence feeds • External sources of adversary information • Such as IP addresses of known attackers
- 57. Orchestration • A scripted, automated response • Automatically or manually triggered when specific events occur • Automates repetitive tasks • Makes response much faster
- 58. Security Program Operations Vulnerability Management
- 59. Vulnerability Managment • The practice of periodically examing information systems • To discover exploitable vulnerabilities • With analysis and decisions about remediation
- 60. Scanning Tools
- 61. Vulnerability Management Activities • Periodic scanning • Analysis of scan results • Common Vulnerability Scoring System (CVSS) • Contextual criticality • Delivery of scan results to asset owners • Remediation
- 62. Common Vulnerability Scoring System (CVSS) • Open framework • Rates vulnerabilities from 0 to 10 • Includes exploitability, impact, and complexity
- 63. Vulnerability Identification Techniques • Security scan • With an automated tool • Penetration test • People simulating an attacker • Social engineering assessment • Phishing or other attacks against humans
- 64. Patch Management • Adding vendor patches to IT systems, tools, and applications • Only the smallest organizations can do it manually • Automated tools ensure that all systems are patched consistently
- 65. Ch 4d-2