Slide Deck - CISSP Mentor Program Class Session 1

FRSecure 2016 CISSP
Mentor Program
EVAN FRANCEN, PRESIDENT & CO-FOUNDER - FRSECURE
CLASS SESSION #1

CISSP Mentor Program Session #1
Welcome!
• What is the CISSP Mentor Program
• History
• 1st class was 2010; 6 students
• Today’s class; 80 students
• Why we do it
• Success Stories
• Heck, it’s free! If you aren’t satisfied, we’ll
refund everything you paid us. ;)
We need MORE good information security
people!

We need MORE good information security people!
The CISSP is ideal for those working in positions such
as, but not limited to:
◦ Security Consultant
◦ Security Manager
◦ IT Director/Manager
◦ Security Auditor
◦ Security Architect
◦ Security Analyst
◦ Security Systems Engineer
◦ Chief Information Security Officer
◦ Director of Security
◦ Network Architect

Typical Class Structure
• Recap of previous content/session
• Questions
• Quiz
• Current Events
• Lecture
• Homework Assignment - WHAT?! Yeah, we got homework. 
• Questions

Questions
• We may not get to all of the questions during class
• Send questions to Robb Stiffler (rstiffler@frsecure.com) – for now.
• We will soon (probably) assist in setting up (or facilitating) a study group.
• Content will be made available to all students upon request.

The Certified Information Systems Security Professional (or
“CISSP”)
• Maintained by the International Information Systems Security Certification
Consortium (or ISC2®)
• Tests your knowledge (or memorization) of the Common Body of Knowledge
(or “CBK”).
• “a mile wide and two inches deep” (or maybe just an inch deep).
• 2015 CBK, updated in April, 2015
• CBK consists of eight domains… next page

The Certified Information Systems Security Professional (or “CISSP”)
Eight domains for the CISSP CBK:
• Security and Risk Management
• Asset Security
• Security Engineering
• Communications and Network Security
• Identity and Access Management
• Security Assessment and Testing
• Security Operations
• Software Development Security

Preparation (there are bunches of ways)
• 3x Book Read (my favorite)
• Read the book once, fast
• Read the book a second time, focus on concepts
• Read the book a third time, focus on mastery and memorization
• Note Cards
• Practice Tests (and quizzes)
• Study Groups
The CISSP Mentor Program a tool and facilitation of your studies, it does not supplant
them! YOU WILL STILL NEED TO STUDY.

How to take the exam
• Computer-based (“CBT”) at Pearson Vue
• 250 questions
• Six hour time limit
• Two (sort of four) types of questions:
• Multiple Choice (four options, two are almost obviously wrong)
• “Advanced Innovative”
• Scenario
• Drag/Drop
• Hotspot
• 25 (10%) of the questions are “experimental” or research questions.

The Certified Information Systems Security
Professional (or “CISSP”)
How to take the exam
• Methods
• Two-pass
• Three-pass
• Suppose you could do one-pass too if you’re some kind of Jedi Master
(or whatever)
• You will know right away if you have passed or failed.

The Certified Information Systems Security Professional (or
“CISSP”)
Becoming a CISSP
• Passing the exam is only one step.
• Need experience
• 5 or more years within 2 or more domains (can waive one year with a college degree or
with another relevant certification)
• Not enough experience? Pass the exam and you’re known as an “Associate of (ISC2)”
• Must agree to the (ISC2) Code of Ethics.
• Must be endorsed by another CISSP (in good standing).

About me
• President & Co-founder of FRSecure
• 20+ years of information security experience
• Big breach inside experience
• Information security evangelist
• Specialties: Security leadership coaching, risk management, methodology development, and
Social Engineering ;)
• CISSP sixty thousand something (I forgot my number).
• Very, very passionate about information security, but most importantly in doing the right
thing.
FRSecure exists to fix the broken industry.

Same presentation given numerous times… Good for us too.
• Introduction
• We’re all experts right?
• Fundamentals
• The value of listening
• Principles
• Solutions – What to do…
• Questions

Information Security Fundamentals
Introduction
• FRSecure
• Information security consulting company
• Business since 2008
• 700+ clients, many in legal, healthcare, and finance
• Speaker – Evan Francen
• President & Co-founder of FRSecure
• 20+ years of information security experience
• Big breach inside experience
• Information security evangelist
• Specialties: Security leadership coaching, risk management, methodology development, and
Social Engineering ;)

If there’s one thing that I’ve learned in 20+ years in information
security it’s to LISTEN.
If there’s one more thing that I’ve learned in 20+ years in
information security it’s that I don’t know everything!
Although too many information security “experts” won’t admit it.

One thing is clear…
We’re missing the information security
fundamentals!

What are some of the fundamentals?
We’re all experts, right?
What is “information security”?
We can argue about who’s definition is better, but we need to start with a common understanding (or definition).

Information security is the application of administrative, physical,
and technical controls to protect the confidentiality, integrity, and
availability of information.
“Most organizations overemphasize technical controls to protect confidentiality
and do so at the expense of other critical controls and purposes.”
Seems fundamental. How about a story?

Probably one of the most overused words in all of security…
What is “risk”?
Again, we can argue about who’s definition is better, but we need to start with a common understanding (or
definition).

Risk is the likelihood of something bad happening and the impact if it
did.
“The likelihood of a threat exploiting a vulnerability, leads an associated
impact.”
Seems fundamental. How about another story?

Risk
Anybody know who this guy is? 

What is information security?
What is risk?
Why are these definitions so important?
Because they should drive everything you’re doing.

The value of listening.
To keep us honest (and humble), we organized the FRSecure
Customer Advisory Board (or “CAB”).
We posed two simple questions…
What is your greatest frustration with respect to information security?
What is your greatest challenge with respect to information security?
Then we listened…

Greatest frustrations:
1. Lack of common information security understanding.
2. Different interpretations of different information security
regulations and standards.
3. Lack of education for practitioners and executive management.
4. Constantly changing priorities based on outside influences.
Together we derived a core frustration that sums up everything; we are all speaking different languages
for the same topic.

Greatest Challenges:
1. Education/training for executives, IT personnel, and users.
2. Management commitment to continuous improvement.
3. Obtaining the necessary resources to manage information
security.
4. Measuring information security (metrics, status, improvements,
etc.)
Greatest frustrations could be summed up with; we don’t know how to fix the issues facing us within the
greater context of a strategic information security program.

So what are we going to do?
Our two problems, summed up by listening:
1. We are all speaking different languages for the same topic.
2. We don’t know how to fix the issues.
Now we can offer some advice, but only after listening.

We are all speaking different languages for the same topic.
1. Define and live by your definition of information security. Get
everybody in agreement with the common definition because it
will (or should) drive everything.
2. Define and live by your definition of risk. If you can understand
and communicate risk well:
• You will automatically be compliant with regulations.
• You will be able to make good decisions.
• You will build a security program that works for you.

We don’t know how to fix the issues.
Start with defining your information security principles. These are
the rules that you are going to live by. Here’s ours:
1. A business is in business to make money.
2. Information Security is a business issue.
3. Information Security is fun.
4. People are the biggest risk.
5. “Compliant” and “secure” are different.

Start with defining your information security principles. These are
the rules that you are going to live by. Here’s ours:
6. There is no common sense in Information Security.
7. “Secure” is relative.
8. Information Security should drive business.
9. Information Security is not one size fits all.
10. There is no “easy button”.

Now that you’re bought in on principles for managing your security
program, go here:
1. Management commitment. For real. Either you’re in or you’re not.
2. Asset management. You can’t secure what you don’t know you have.
3. Access control. You can’t secure what you can’t control.
4. Change control. See step 3.
5. Measure, measure, measure. You can’t manage what you can’t
measure.

As you build, implement, manage, and improve your security
program…
Don’t forget to listen!
The things that people are telling you are real, and you might learn a
thing or two.
It’s also OK to admit that you don’t know everything.

Questions?
Aaaaaannnnnnnd we’re back.
Homework for Thursday (4/28)
◦ Please read Chapter 2/Domain 1: Security and Risk Management
◦ Pages 11 – 74 (only 63ish pages)
We’ll dig in!

Questions?
Hopefully about security.
Thank you!
Evan Francen
◦ FRSecure
◦ efrancen@frsecure.com
◦ 952-467-6384

Slide Deck - CISSP Mentor Program Class Session 1

More Related Content

What's hot (20)

Viewers also liked (14)

Similar to Slide Deck - CISSP Mentor Program Class Session 1 (20)

More from FRSecure (20)

Recently uploaded (20)

Slide Deck - CISSP Mentor Program Class Session 1