Collin College's Security Management Practices Capstone Course
TRANSCRIPT
@NTXISSA #NTXISSACSC3
Mr. Rick Brunner, Col USAF (Retired), EJD, MS, SCF, CISSP, ITIL
Security Management Practices Instructor
Collin College
10/3/2015
Rick Brunner <[email protected]>
Disclaimer
The views, thoughts, claims, or opinions in this presentation are solely those of the presenter. Nothing in this presentation represents the views, thoughts, claims, or opinions of Collin College, United States Air Force, the Air Force Reserves, the Department of Defense, the Intelligence Community, or any prior employer.
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
- Bruce Schneier
Objectives
• Provide an introduction to Collin College’s Security Management Practices course
• Provide an introduction to the Texas CISO Council’s Information Security Program Essentials document
• Discuss individually the five core components proposed in the Texas CISO Council’s Information Security Program Essentials, and how Collin College’s Security Management Practices course and the associated Cyber Security courses align with each of the five identified core components
• Provide insight into the Security Management Practices course’s Enterprise Information Security Program Plan assignment
Question(s)
• If a student completes a course or set of courses that provides students an introduction (working knowledge/understanding) into the five core components as outlined by the Texas CISO Council's Information Security Program Essentials document, does that background enhance a student’s opportunity in gaining employment within an organization’s information security department?
• If the response to the above is yes, does that validate the information/content presented in the course or set of courses?
Security Management Practices
• Capstone course
• The course provides in-depth coverage of security management practices, including asset evaluation and risk management; cyber law and ethics issues; policies and procedures; business recovery and business continuity planning; security design; and developing and maintaining a security plan
• Students must demonstrate knowledge and skill in writing an Enterprise Information Security Program Plan
Security Management Practices Course Syllabus
• Introductions
• Intellectual Property Protection ― Cross Roads between Ethics, Information Security, and Internal Audit Presentation
• Introduction to the Management of Information Security
• Enterprise Information Security Program Plan Assignment
• Law, Ethics, and Privacy
• Privacy Impact Assessment Lab
• Planning for Security
• Risk Management: Identifying and Assessing Risk
• Data Classification Lab
• Risk Management: Controlling Risk
• Information Security Policy
• Risk Management - Identification and Scoring Lab
• Developing the Security Program
• Security Management Models
• Responsibilities Matrix Lab
• Security Management Practices
• Information Security Program Lab
• Protection Mechanisms
• Planning for Contingencies
• Information Security Controls Lab
• Personnel Security and Education, Training and Awareness Program
Information Security Definition

Term: Information Security
Meaning: Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide— 1) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; 2) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and 3) availability, which means ensuring timely and reliable access to and use of information.
Source: NISTIR 7298, Glossary of Key Information Security Terms

Term: Information Security
Meaning: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
Source: CNSS Instruction No. 4009, National Information Assurance (IA) Glossary

Term: Information Security
Meaning: Preservation of confidentiality, integrity and availability of information. Note 1 to entry: In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
Source: ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary
Texas CISO Council
• Created in 2013
• An informal volunteer network of 45 information security professionals representing 12 industry verticals
• Identify how they could make life easier for security professionals
• Share experiences with organizations and professionals who are struggling with basic security fundamentals
• www.texascisocouncil.org
Source: http://www.isacantx.org/Presentations/2015-09%20Pre%20-%20Texas_CISO-Essentials_Guide.pdf
Texas CISO Council First Contribution
• Thirteen Council members created the "Information Security Program Essentials Guide", released in April 2015
• The 37-page Guide is a back-to-basics approach for information security management and is a "step in" simplified framework
• Available for free download at www.texascisocouncil.org
Source: http://www.isacantx.org/Presentations/2015-09%20Pre%20-%20Texas_CISO-Essentials_Guide.pdf
Why They Created the Guide
"The primary goal of creating the Guide was to offer a simplified mechanism to validate that an organization has in-place or planned solutions for key elements of an information security program and that the organization has not overlooked critical core competencies or controls."
Source: http://www.isacantx.org/Presentations/2015-09%20Pre%20-%20Texas_CISO-Essentials_Guide.pdf
Governance and Organization
NTXISSA Cyber Security Conference – October 2-3, 2015
• Company Alignment, Requirements and Scope
• Organizational Structure
• Departmental Relationships
The term "information security" can mean different things in different organizations and with different people depending on their experience and their perception of security. The information security team and function can be organized in many different ways, depending on how an organization views its external and internal threats and its overall security posture.
• Security Management Practices
  • Developing the Security Program
    • CISO reporting models
    • CISO’s roles and responsibilities
    • Organizational Roles and Responsibilities -- RACI
  • Planning for Security
    • Information Security Governance
Where does information security report within the overall organization?
Response: Guides decisions, which will be made regarding the necessary governance structures that need to be in place to support successful execution of an effective information security strategy within the organization.
CISO Impact Quotient (CIQ): The topmost CISOs think differently.
Source: IANS Research ‘The 7 Factors of CISO Impact’ Copyright 2015.
References to Governance and Organization
• IANS (The Institute for Applied Network Security) exists to change the balance of power in the cyber war. We do this by arming CISOs and their teams with a unique mix of thought leadership and practical advice. Learn about IANS at http://www.iansresearch.com
• Webinar - Tom Scholtz, Gartner, "Build An Effective Security and Risk Governance Function" - http://www.gartner.com/webinar/2745217
Information Security Strategy
• Vision/Roadmap
• Business Goals and Objectives Alignment
• Security Management Practices
  • Planning for Security
    • Value, Vision, Mission
    • Business Objectives
    • Strategic Planning
    • Information Security Development Lifecycle
  • Laws, Ethics, Privacy
  • Intro to the Management of Information Security
    • Principles of Information Security Management
    • Project Management
Information Security Framework
• External Standards
• Scope of Security Components
• Effectiveness/Maturity
Either through the selection and use of an individual framework or a compilation of frameworks in a hybrid approach, the effective implementation of an Information Security Framework will help the organization ensure compliance to regulatory requirements as well as provide the basis for defining comprehensive controls and safeguards for protecting against threats and managing risks.
• Security Management Practices
  • Security Management Models
    • Access Control Models
    • Confidentiality Model
    • Integrity Model
    • Security Architecture
    • Security Architecture Frameworks
      • SABSA
      • NIST Cyber Security
      • Risk Management Framework
  • Protection Mechanisms
    • ISO 27001/02
    • NIST SP 800-53
    • COBIT 5
    • PCI DSS 3.0
    • HIPAA/HITECH
    • Technology
  • Information Security Policy
Source: Sherwood Applied Business Security Architecture (SABSA), SABSA Chartered Architect, Foundations F1 and F2 Course, David Lynas, SABSA Institute 2010
NIST Cyber Security Framework Core Structure
Source: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
Information Security Risk Management
• Ongoing Assessment Realization
• Impact and Likelihood Assessment
• Control Mapping
• Security Management Practices
  • Risk Management: Identifying and Assessing Risk
    • Risk Management
    • Risk identification
    • Risk Assessment
    • Risk and Opportunity Model
    • Risk Indicator/Appetite Threshold
  • Risk Management: Controlling Risk
    • Risk Control Strategies
    • Feasibility and Cost-Benefit Analysis
    • Assessment Methodologies
    • Failure of Current Risk Assessment Practices
    • Business Risk Intelligence: A New Way to Communicate Risk
    • Final Thoughts & Best Practices
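The impact-and-likelihood scoring, appetite-threshold and control-mapping topics above, worked as an added Python example (not material from the course or the deck): the 1-5 scales, rating bands, appetite threshold, sample risks and control labels are all constructed for illustration.

```python
# Added example (not from the slide deck): a risk-scoring pass of the kind done
# in a "Risk Identification and Scoring" lab. Impact and likelihood are 1-5
# ordinal values, score = impact * likelihood; the score is banded, compared
# with a risk appetite threshold, and checked for mapped controls. Constructed.
from dataclasses import dataclass, field
SCALE = range(1, 6)        # 1 = negligible/rare ... 5 = severe/almost certain
APPETITE_THRESHOLD = 12    # constructed: scores above this exceed appetite

@dataclass
class Risk:
    risk_id: str
    description: str
    impact: int
    likelihood: int
    controls: list[str] = field(default_factory=list)  # constructed labels

    def score(self) -> int:
        if self.impact not in SCALE or self.likelihood not in SCALE:
            raise ValueError(f"{self.risk_id}: impact/likelihood must be 1-5")
        return self.impact * self.likelihood

def rating(score: int) -> str:
    """Band a 1-25 score for reporting (bands are constructed)."""
    if score >= 15:
        return "High"
    return "Medium" if score >= 8 else "Low"

def assess(register: list[Risk]) -> list[dict]:
    """Score every risk, flag appetite breaches and control gaps, worst first."""
    rows = []
    for r in register:
        s = r.score()
        rows.append({
            "id": r.risk_id,
            "score": s,
            "rating": rating(s),
            "exceeds_appetite": s > APPETITE_THRESHOLD,
            # above appetite with no mapped control: a gap to report upward
            "control_gap": s > APPETITE_THRESHOLD and not r.controls,
        })
    return sorted(rows, key=lambda row: row["score"], reverse=True)

# Constructed sample register
REGISTER = [
    Risk("R1", "Unpatched internet-facing server", 5, 4,
         ["Patch management", "Vulnerability scanning"]),
    Risk("R2", "Lost unencrypted laptop", 4, 4),
    Risk("R3", "Vendor outage of SaaS HR system", 3, 2, ["Vendor management"]),
]
```

The sorted rows are what a CISO would carry into the metrics report to the CEO and board: the appetite breaches first, with any breach that has no mapped control called out as a gap.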
Measurements & Metrics
• Key Performance Indicators
• Risk/Threat Indicators
• Continual Improvement
• Security Management Practices
  • Security Management Practices
    • Benchmarking
    • Performance Measurement in Information Security Management
    • Information Security Program Maturity and Types of Metrics
    • NIST SP 800-55, Rev. 1: Performance Measurement Guide for Information Security
Assignment Structure
• Title Page
• Table of Contents
• Introduction
  • Purpose
  • Scope
  • Background
  • Assumptions/Constraints
Assignment Structure (Continued)
• Vision, Mission, Objectives, Metrics
  • Vision
  • Mission
  • Objectives
  • Metrics
• Legal and Privacy
  • Identify any laws, statutes, or regulations that you believe apply
  • Discuss how you are going to interface with the Chief Privacy Officer
  • Discuss/identify if you are Safe Harbor and why
  • Discuss/identify if you are going to implement a Privacy Impact Analysis
Assignment Structure (Continued)
• Information Security
  • Identify key team members and their roles and responsibilities
  • Use a diagram showing the organization structure from the CEO to the CISO; include the placement of the CIO and, if needed, the IT Security Manager
  • Produce a RACI Matrix that assigns RACI responsibilities for each team member
    • Use a table or spreadsheet for accomplishing this task
  • Outline and discuss your Risk Management Program and how you are going to report metrics back to the CEO and the BOD
  • Discuss your Information/Data Classification Scheme and its relationship to information held by the Company; please include a risk statement in each classification beyond Public
  • Address how you are aligning with the business
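The RACI Matrix requirement above, with the consistency checks a reviewer applies to one, as an added Python example (not part of the assignment or the deck): the activities, the role names and the deliberately broken row are constructed.

```python
# Added example (not from the slide deck): consistency checks on a RACI matrix
# of the kind the assignment asks for. Each activity must have exactly one
# Accountable (A) and at least one Responsible (R); Consulted (C) and
# Informed (I) are optional. Roles and activities below are constructed.
VALID_CODES = {"R", "A", "C", "I", ""}   # "" = no involvement

def validate_raci(matrix: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """matrix[activity][role] -> code. Returns findings per activity; {} means clean."""
    findings: dict[str, list[str]] = {}
    for activity, assignments in matrix.items():
        issues = []
        codes = list(assignments.values())
        bad = sorted({c for c in codes if c not in VALID_CODES})
        if bad:
            issues.append(f"invalid codes {bad}")
        n_a = codes.count("A")
        if n_a == 0:
            issues.append("no Accountable role")
        elif n_a > 1:
            issues.append(f"{n_a} Accountable roles; RACI allows one")
        if "R" not in codes:
            issues.append("no Responsible role")
        if issues:
            findings[activity] = issues
    return findings

def roles_never_accountable(matrix: dict[str, dict[str, str]]) -> list[str]:
    """Roles that are never Accountable; a prompt when drawing the CEO-to-CISO chart."""
    roles = {role for row in matrix.values() for role in row}
    accountable = {role for row in matrix.values() for role, c in row.items() if c == "A"}
    return sorted(roles - accountable)

# Constructed sample: three activities across four roles
RACI = {
    "Approve security policy":    {"CEO": "A", "CISO": "R", "CIO": "C", "IT Sec Mgr": "I"},
    "Run vulnerability scans":    {"CEO": "",  "CISO": "A", "CIO": "I", "IT Sec Mgr": "R"},
    # deliberately broken row: two Accountable roles and nobody Responsible
    "Report risk metrics to BOD": {"CEO": "A", "CISO": "A", "CIO": "C", "IT Sec Mgr": "C"},
}
```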
Assignment Structure (Continued)
• Information Security Programs
  • This section needs to address the top 5 or so programs that you as the CISO are to execute within the first 6 months to a year, with possible identification of additional programs required to execute an effective information security program.
  • Possible programs could include:
    • Data Loss Prevention
    • Vendor Management
    • Software as a Service
    • Network Segmentation
    • Security Information and Event Management
    • Network Security
    • Secure Software Development Lifecycle
    • Incident Response Management
    • Threat and Vulnerability Management
Question(s)
• If a student completes a course or set of courses that provides students an introduction (working knowledge/understanding) into the five core components as outlined by the Texas CISO Council's Information Security Program Essentials document, does that background enhance a student’s opportunity in gaining employment within an organization’s information security department?
• If the response to the above is yes, does that validate the information/content presented in the course or set of courses?
References
• http://www.isacantx.org/Presentations/2015-09%20Pre%20-%20Texas_CISO-Essentials_Guide.pdf
• Information Security Program Essentials -- A Guide Produced By the Texas CISO Council -- Version 1, April 19, 2015, http://media.wix.com/ugd/618c85_f1e315b1e92844fcaebc9612fd1157c5.pdf
• Governing for Enterprise Security (GES) Implementation Guide, August 2007, http://www.sei.cmu.edu/reports/07tn020.pdf
• Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus, Commissioner Luis A. Aguilar, http://www.sec.gov/News/Speech/Detail/Speech/1370542057946
• Sherwood Applied Business Security Architecture (SABSA), SABSA Chartered Architect, Foundations F1 and F2 Course, David Lynas, SABSA Institute 2010
• National Institute of Standards and Technology (NIST) Cybersecurity Framework, http://www.nist.gov/cyberframework/
• Communicating Risk To Executive Leadership, Andrew Plato, President/CEO of Anitian, http://phxsac.com/wp-content/uploads/2014/04/Communicating-Risk-to-Executive-Leadership.pdf
• Risk Radar, http://download.cnet.com/Risk-Radar/3000-2076_4-75882721.html or http://www.proconceptsllc.com/risk-radar-enterprise.html
• Guide for Conducting Risk Assessments, NIST SP 800-30, Rev 1, September 2012, http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
• Managing Information Security Risk -- Organization, Mission, and Information System View, NIST SP 800-39, March 2011, http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
• Performance Measurement Guide for Information Security, NIST SP 800-55, Rev 1, July 2008, http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf
• NIST's Computer Security Division Publications, http://csrc.nist.gov/publications/index.html