Presentation is loading. Please wait.

Presentation is loading. Please wait.

Donald JG Chiarella, PhD, CISM, CDMP, PEM, CHS-CIA, MBA.

Published byAubrey Daniel Modified over 8 years ago

Similar presentations

Presentation on theme: "Donald JG Chiarella, PhD, CISM, CDMP, PEM, CHS-CIA, MBA."— Presentation transcript:

1 Donald JG Chiarella, PhD, CISM, CDMP, PEM, CHS-CIA, MBA

2  Domain 1- Information Security Governance  Domain 2 – Information Risk Management and Compliance  Domain 3 – Information Security program Development and Management  Domain 4 – Information Security Incident Management

3  Definition – rules, processes, or laws by which businesses are managed, operated, and controlled  Defining Information  Information Concepts  Info Security –deals with content, info, knowledge  Outcomes – strategic alignment, risk mgt, value delivery, resource mgt, performance mgt, integration.

4  Effective Info Security Governance  Business Goals and Objectives  Roles and Responsibilities  Outcomes and Responsibilities  Sr. Mgt commitment and support  Establish Reporting and communication channels  Governance, Risk Mgt, Compliance  Business Model for Info Security

5  Info Security Concepts and Technology  Complexity of network  Computer Based Info System  Business Info System  Info Security Concepts  Attacks  Trends of Attacks  Cyber Attack evolution  Increase in Malicious Software  Global Attack Trend  More than Just Computer Security

6  Scope and Charter  Assurance Process Integration  Third Party Relationship  Implementation Metrics  Type of Metrics

7  Definition of a Strategy  Information Strategy?  Participants  Alternate View  Common Pitfalls  Objectives  Goals  Desired State of Security  Prevalent Standards and Frameworks  Capability Maturity Model (CMM)

8  COBIT  Balanced Scorecard  SABSA  ISO/IEC 17799/ISO 27002  Other Approaches  Risk Objectives  Optimizing risk cost

9  Info Security Strategy Development  Determine current state of security  Info Security strategy development  Elements of Strategy  Constraints  Action Plan  Policy Development  Standards Development  Key Goal Indicator  Key Risk Indicator  Key Performance Indicator  Info Security Governance Assurance

10  An example  Addition Policy Samples  Action Plan Immediate goals  Info Security Program Objectives

11  Risk Mgt  Why Risk Mgt?  Risk Mgt Process  Outcomes of Risk Mgt  Risk Appetite  Information Asset  Examples  Information Asset Owners  Information Asset Inventory

12  Information Classification  Purpose of Asset Classification  Basis for Classifications  Sensitivity and Criticality of Data  Asset Classification and BCM, DRP  Relationship between Risk, Impact, Sensitivity, and Criticality  Management of Classified Information

13  Asset Valuation  Asset Valuation Approaches  Purpose and Benefits of Asset Valuation  Relationship of valuation and impact assessment  Methodology methods such as risk assessment, information resource valuation

14  Legal, Regulatory, and Organizational Compliance  Legal and Regulatory Factors  Operational Compliance Risk  Threat Identification  Threat Categories  Vulnerability Assessment  Risk Identification  Risk Estimate Factors  Likelihood

15  Risk Assessment  Introduction  Risk Analysis vs. Risk Assessment vs. Risk Mgt  Risk rating Matrix  Risk Assessment methodology  Risk IT Framework based on COBIT  Octave Method  NIST  Probabilistic Risk Assessment  Factor Analysis of Information Risk (FAIR)  Aggregated Risk and Cascading Risks  Risk Identification Methodology  Operational Risk Areas  Qualitative Risk Analysis  Probability Scales  Quantitative Risk Analysis

16  Semi-quantitative risk analysis  Probability Distribution  Subjective vs. Objective probability

17  Risk Response Techniques  Risk Prioritization  Risk Mgt options  Negative Risk Strategies  Risk Avoidance  Risk Transference  Risk Mitigation  Risk Acceptance  Residual Risk  Documenting Risk

18  Controls  Identify possible controls  Risk mgt action  Risk control strategy selection  Risk control life cycle  Categories of control  Control types  Architectural Layer  Info Security principles  Cost Benefit Analysis  Cost  Benefit  The Cost Benefit Analysis (CBA) Formula  Other Feasibility Approaches  Baseline

19  Business Impact Analysis  Impact Analysis & Risk Assessment  Recovery Time Objectives (RTO)  Recovery Point Objective (RPO)  Gap Analysis

20  Enterprise Risk Mgt Methodologies  What is enterprise risk mgt?  Characteristics of enterprise risk mgt  Why ERM is important  Enterprise Risk Mgt – integrated framework  ERM and Project Mgt  ERM and system development life cycle  Risk monitoring and communication  Reporting Risk

21  InfoSec Program Overview  InfoSec Mgt Trends  IS Program Critical Components  Importance of IS program  Outcomes of IS program

22  InfoSec Program Objectives  IS Program Objectives  Defining Objectives

23  IS Program Concepts  Technology Resources

24  Scope and Charter of an InfoSec Program

25  InfoSec Mgt Framework  IS Mgt Framework  COBIT  ISO/IEC27001

26  InfoSec Framework Components  IS Framework Components  Operational Components  Management Components  Administrative Components  Educational and Informational Components

27  Defining an Information Security Program Roadmap  IS program roadmap  Elements of a roadmap  Gap analysis for a roadmap

28  InfoSec Infrastructure and Architecture  Objectives of IS Architecture

29  Architecture Implementation  SABSA

30  IS Program Mgt Activities  IS Program – Administrative Activities  IS Program – Personnel, Roles, and Responsibilities  Model for Roles, responsibilities  Security Awareness, training, education  Security Awareness  Documentation  Program development and Project Mgt  Risk Mgt  Business Case Development  IS Program Budgeting

31  General Rules of use – acceptable use policy  Information security problem mgt  Vendor Mgt  IS Program Mgt Evaluation  Plan-do-check-act  Legal and regulatory requirements  Physical and environmental factors  Ethics  Culture and regional variances  Logistics

32  Security Program Services and Operational Activities  IS program services and operational activities  Cross-organizational responsibilities  IS Manager responsibilities  IS responsibilities of other departments  Incident response  Security review and audits  Management of security technology  Due Diligence  Managing and controlling access to information resources  Vulnerability Reporting  Compliance Monitoring and enforcement  Risk and business impact assessment

33  Controls and Counter Measures  Controls  Control categories  Control Design Considerations  Control Types and Effects  Controls Recommended by ISO/IEC 27001  Controls as strategy implementation resources  Control Strength  Control Methods  Control recommendation  Countermeasures

34  Physical and environmental controls  Native control technologies  Supplemental control technologies  Management support technologies  Technical Control components and architecture  Control testing and modification  Baseline controls

35  IS Program metrics and monitoring  Metrics development  Monitoring approaches  Monitoring Security Activities in infrastructure  Determining Success of IS investments  Measuring information security risk and loss  Measuring support of organizational objectives  Measuring compliance  Measuring operational productivity  Measuring security cost-effectiveness  Measuring organizational awareness  Measuring effectiveness of technical security architecture

36  Measuring effectiveness of management framework and resources  Measuring operational performance  Monitoring and communication

37  Common Infosec Program Challenges  Inadequate management support  Inadequate funding  Inadequate staffing

38  Incident Mgt Overview  Definition  Goal of Incident Mgt and Response Activities

39  Incident reponse procedures  Outcomes of incident mgt  Concepts  Effective incident mgt  Incident Mgt systems

40  Info Sec Manager  IS manager responsibilities  Senior Mgt Commitment

41  Incident Mgt Resources  Policies and Standards  Incident Mgt response technology concepts  Personnel  Roles and responsibilities  Skills  Personal Skills  Technical Skills  Awareness and education  Audits  Outsourced security providers

42  Incident Mgt objectives  Desired State

43  Incident Mgt Metrics and Indicators  Incident Mgt Metrics  Strategic Alignment  Risk Mgt  Assurance Process Integration  Value delivery  Resource Mgt  Performance Mgt

44  Defining incident mgt procedures  Detailed Plan of Action for Incident Mgt

45  Current state of incident response capability  History of Incidents  Threats  Vulnerabilities

46  Developing an incident response plan  Elements of an incident response plan  Gap analysis – basis for an incident mgt plan  Business impact assessment  Elements of a BIA  Benefits of a BIA  Escalation process for effective incident mgt  Help desk process for identifying security incidents  Incident Mgt and response team  Organizing, training, and equipping the response staff  Incident notification process  Challenges in developing an incident mgt plan

47  Business Continuity and Disaster Recovery Procedures  Recovery planning and business recovery procedures  Recovery operations  Recovery Strategies  Addressing Threats  Recovery Sites (1/2)  Criteria for selecting alternative site  Basis for recovery site selection  Reciprocal agreements  Alternatives for backup facilities  Recovery of telecommunications  Recovery Strategy Approach

48  Strategy Implementation  Recovery Plan elements  Integrating recovery objectives and impact analysis into incident response  Risk acceptance and tolerance  Business Impact Analysis  Recovery time objectives (RTO)  Recovery point objective (RPO)  Service delivery objective (SDO)  Maximum tolerable outage (MTO)  Notification requirements

49  Supplies  Telecommunication networks  High availability considerations  Insurance  Updating recovery plans

50  Testing Incident Response and Business Continuity / Disaster recovery procedures  Testing incidence response and recovery plans  Periodic testing  Periodic testing process  Testing for Infrastructure and Business Critical applications  Types of tests  Test results  Additional tests  Test recovery metrics

51  Executing Response and Recovery Plans  Ensuring execution as required  Review of Response and Recovery plans  Maintaining Business Continuity and Disaster Recovery Plan

52  Post Incident Activities and Investigation  Identify cause and corrective action  Documenting evidence  Establishing post incident procedures  Requirements of evidence  Legal aspects of forensic evidence

53  Finis

Download ppt "Donald JG Chiarella, PhD, CISM, CDMP, PEM, CHS-CIA, MBA."

Similar presentations

IT Web Application Audit Principles Presented by: James Ritchie, CISA, CISSP….

IT Web Application Audit Principles Presented by: James Ritchie, CISA, CISSP….
Course: e-Governance Project Lifecycle Day 1

Course: e-Governance Project Lifecycle Day 1
Chapter 10 Accounting Information Systems and Internal Controls

Chapter 10 Accounting Information Systems and Internal Controls
Agenda COBIT 5 Product Family Information Security COBIT 5 content

Agenda COBIT 5 Product Family Information Security COBIT 5 content
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Service Design – Section 4.5 Service Continuity Management.

Service Design – Section 4.5 Service Continuity Management.
Security Controls – What Works

Security Controls – What Works
By: Ashwin Vignesh Madhu

By: Ashwin Vignesh Madhu
Information Security Governance and Risk Chapter 2 Part 1 Pages 21 to 69.

Information Security Governance and Risk Chapter 2 Part 1 Pages 21 to 69.
First Practice - Information Security Management System Implementation and ISO 27001 Certification.

First Practice - Information Security Management System Implementation and ISO Certification.
The Information Systems Audit Process

The Information Systems Audit Process
Managing Risk in Information Systems Strategies for Mitigating Risk

Managing Risk in Information Systems Strategies for Mitigating Risk
Risk Assessment Frameworks

Risk Assessment Frameworks
Session 3 – Information Security Policies

Session 3 – Information Security Policies
EASTERN MICHIGAN UNIVERSITY Continuity of Operations Planning (COOP)

EASTERN MICHIGAN UNIVERSITY Continuity of Operations Planning (COOP)
INFORMATION SECURITY GOVERNANCE (ISG) Relates to the security of information systems Is an element of corporate governance.

INFORMATION SECURITY GOVERNANCE (ISG) Relates to the security of information systems Is an element of corporate governance.
Financial Advisory & Litigation Consulting Services Risk Management 2006 September 14-15, 2006 The Metropolitan Club, New York, NY Workshop B: Information.

Financial Advisory & Litigation Consulting Services Risk Management 2006 September 14-15, 2006 The Metropolitan Club, New York, NY Workshop B: Information.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
Engineering, Operations & Technology | Information TechnologyAPEX | 1 Copyright © 2009 Boeing. All rights reserved. Architecture Concept UG D- DOC UG D-

Engineering, Operations & Technology | Information TechnologyAPEX | 1 Copyright © 2009 Boeing. All rights reserved. Architecture Concept UG D- DOC UG D-

Similar presentations

Ads by Google