Chapter 4 Information Security Management PDF

Certified Information Security Manager (CISM)
Kelly Handerhan, Instructor

Chapter 4: Information Security Management


INFORMATION SECURITY MANAGEMENT

• As defined by ISACA the goal of this domain is to “oversee and direct information security activities to execute the information security program.”
• Procurements and Contracts
• Configuration Management
• Monitoring and Auditing
• Security Testing
• Knowledge Transfer

CISM
PROCUREMENTS AND CONTRACTS
• Managing Outside services
• NSA/CSS and SA-CMM
• OSD Acquisition Reform
• Contracts
• SLAs

MANAGING OUTSIDE SERVICES
“Develop and follow a set of procedures and standards that is consistent with the business organization’s overall procurement process and acquisition strategy to acquire IT-related infrastructure, facilities, hardware, software and services needed by the business.” --ISACA

NSA/CSS CIRCULAR NO. 500R

• Circular is issued from National Security Agency/Central Security Service
• Directed towards software engineering projects with the purpose to “Promote management of acquisition programs to optimize total system performance and minimize life-cycle costs.”
• Manages the project based on risk, cost, performance, and schedule, understanding that there may be trade-offs between these considerations
• Provides guidance to apply best practices and processes to reduce costs, maintain schedule, manage risks and meet performance requirements
• Vendor selection based on proven software development capabilities and demonstrated success in performing similar projects

SOFTWARE ACQUISITION CAPABILITY MATURITY MODEL (SA-CMM)

• Same concept as CMMI
• Five phases of maturity:
  • Initial
  • Repeatable
  • Defined
  • Quantified
  • Optimized

US OFFICE OF THE SECRETARY OF DEFENSE (OSD) ACQUISITION REFORM
• Offers the following principles:
  • Empower staff to manage risks, not avoid them
  • Operate in integrated project teams
  • Reduce life cycle costs
  • Use commercial products and processes when possible
  • Move towards industry standards and performance specifications, as opposed to government proprietary measurements and processes
  • Reflect quality in solicitations to vendors
  • Don’t just use lowest cost as a basis for contracts. Consider TCO
  • Test and inspect seamlessly
  • Manage contracts for end results

SERVICE LEVEL AGREEMENTS
• Usually a legally binding contract that offers guarantees, typically centering on the performance and reliability of procured systems as well as response times from the vendor.
• Could also be used internally from department to department
• A form of risk transference
• Metrics should be clearly defined in the SLA
• Usually offer some sort of financial compensation if the metrics are not met

CONTRACTS
• Legally binding agreement between parties
• Should be in writing and modified in writing
• Five elements necessary for a contract to be legally binding:
• Competency/Capacity
• Consideration
• Offer
• Legal
• Acknowledgement
• Breaches are violations of contract
• Damages are often awarded in response to a breach of contract

THIRD-PARTY PROVIDERS
• Internet service providers, call centers, data processing centers, etc.
• Vicarious liability imposes legal responsibility on an entity when the entity had nothing to do with actually causing the injury. Often applied through “respondeat superior,” under which a superior is liable for the actions of his or her employees
• Laws are evolving. Is an ISP responsible for what its customers do? Is a software service that provides P2P sharing liable when its customers use that software to violate copyright restrictions?

CONFIGURATION MANAGEMENT AND CHANGE CONTROL

CONFIGURATION MANAGEMENT
• Defined by ISC2 as “a process of identifying and documenting hardware
components, software and the associated settings.”
• The goal is to move beyond the original design to a hardened, operationally
sound configuration
• Identifying, controlling, accounting for and auditing changes made to the
baseline TCB
• These changes come about as we perform system hardening tasks to secure a
system.
• Will control changes and test documentation through the operational life cycle of a
system
• Implemented hand in hand with change control
• ESSENTIAL to Disaster Recovery

CONFIGURATION MANAGEMENT DOCUMENTATION
• Make
• Model
• MAC address
• Serial number
• Operating System/Firmware version
• Location
• BIOS or other passwords
• Permanent IP if applicable
• Organizational department label

SYSTEM HARDENING & BASE-LINING
• Removing unnecessary services
• Installing the latest service packs and patches
• Renaming default accounts
• Changing default settings
• Enabling security configurations like auditing, firewalls, updates, etc.
• ***Don’t forget physical security!***

CHANGE MANAGEMENT
• Directive, Administrative Control that should be incorporated into
organizational policy.
• The formal review of all proposed changes--no “on-the-fly”
changes
• Only approved changes will be implemented
• The ultimate goal is system stability
• Periodic reassessment of the environment to evaluate the need for
upgrades/modifications

THE CHANGE MANAGEMENT PROCESS

• Request Submittal
• Risk/Impact Assessment
• Approval or Rejection of Change
• Testing
• Scheduling/User Notification/Training
• Implementation
• Validation
• Documentation

PATCH MANAGEMENT
• An essential part of Configuration and Change Management
• May come as a result of vendor notification or pen testing
• cve.mitre.org (Common Vulnerabilities and Exposures) database provides standard naming conventions for known vulnerabilities
• nvd.nist.gov (National Vulnerability Database) enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security-related software flaws, incorrect configurations, product names, and impact metrics.
• www.cert.gov: Online resource concerning common vulnerabilities and attacks

PATCH MANAGEMENT DEFINITION AND SCOPE

• Faster, more systematic testing and an optimized patch rollout reduces the window of vulnerability on installed systems

Timeline (figure): Weakness found → Weakness published → Vendor notice → Patch created → Central testing → Local testing → Patch rollout → Controlling weakness. Systems are vulnerable to attack throughout this window.

MONITORING AND AUDITING

• Violation Analysis
• Auditing
• Security Audits
• Audit Trails
• Problem Management

VIOLATION ANALYSIS

First step of any incident response should always include violation analysis:
• Has an actual security incident transpired, or do we simply have abnormal system activity?
• Is this event malicious or accidental?
• Is it internal/external?
• What is the scope of the incident?

SECURITY TESTING

SECURITY AUDITING AND REVIEWS
• Security Audit
  • Conducted by a 3rd party
  • Determines the degree to which required controls are implemented
• Security Review
  • Conducted by system maintenance or security personnel
  • Goal is to determine vulnerabilities within a system. Also known as a vulnerability assessment

SECURITY REVIEWS/VULNERABILITY ASSESSMENTS AND PENETRATION TESTING
• Vulnerability Assessment
• Physical / Administrative/ Logical
• Identify weaknesses

• Penetration Testing
• Ethical hacking to validate discovered weaknesses
• Red Teams (Attack)/Blue Teams (Defend)

• NIST SP 800-42 Guideline on Security Testing

STEPS OF A PEN TEST
• Discovery
• Enumeration
• Vulnerability Mapping
• Exploitation
• Reporting

DEGREE OF KNOWLEDGE
• Zero Knowledge (Black Box Testing): Team has no knowledge of the target and must start with only information that is publicly available. This simulates an external attack
• Partial Knowledge: The team has limited knowledge of the organization
• Full Knowledge: This simulates an internal attack. The team has full knowledge of network operations

OVERT OR COVERT TESTING?

• Blind
• Double Blind
• Targeted

TESTING GUIDELINES
• Reasons for evaluating an organization’s systems
• Risk analysis
• Certification
• Accreditation
• Security architectures
• Policy development

• Develop a cohesive, well-planned, and operational security testing program

WHY ARE PENETRATION TESTS SUCCESSFUL?
• Lack of awareness
• Policies not enforced
• Procedures not followed
• Disjointed operations between departments
• Systems not patched

PENETRATION TESTING GOALS
• Check for unauthorized hosts connected to the organization’s network
• Identify vulnerable services
• Identify deviations from the allowed services defined in the organization’s security policy
• Assist in the configuration of the intrusion detection system (IDS)
• Collect forensic evidence

PENETRATION TESTING ISSUES
• Three basic requirements:
  • Defined goal, which should be clearly documented
  • Limited timeline outlined
  • Approved by senior management; only management should approve this type of activity
• Issue: it could disrupt productivity and systems
• Overall purpose is to determine the subject’s ability to withstand an attack and determine the effectiveness of current security measures
• Tester should determine effectiveness of safeguards and identify areas of improvement. ***TESTER SHOULD NOT BE THE ONE SUGGESTING REMEDIATION. THIS VIOLATES SEPARATION OF DUTIES***

ROLES AND RESPONSIBILITIES
• Approval for the tests may need to come from as high as the
CIO
• Customary for the testing organization to alert other security
officers, management, and users
• Avoid confusion and unnecessary expense
• In some cases, it may be wise to alert local law enforcement
officials

RULES OF ENGAGEMENT
• Specific IP addresses/ranges to be tested
• Any restricted hosts
• A list of acceptable testing techniques
• Times when testing is to be conducted
• Points of contact for the penetration testing team, the targeted systems, and the networks
• Measures to prevent law enforcement being called with false alarms
• Handling of information collected by the penetration testing team

TYPES OF PENETRATION TESTS
• Physical Security
• Access into building or department
• Wiring closets, locked file cabinets, offices, server room, sensitive areas
• Remove materials from building

• Administrative Security
• Help desk giving out sensitive information, data on disposed disks

• Logical Security
• Attacks on systems, networks, communication

APPROACHES TO TESTING
• Do not rely on a single method of attack
• Get creative
• Path of least resistance
  • Easiest route to valuable data, which may not be through the firewall but through a modem hanging off the network
• Break the rules
  • Even if a company follows its own policy, standards and procedures, it does not mean that there are no vulnerabilities
  • Attempt things not expected

APPROACHES TO TESTING
• Do not rely exclusively on high-tech tools
  • Dumpster diving
• Stealth methods may be required
• Do not damage systems or data
• Do not overlook small weaknesses in the search for the big ones
• Have a toolkit of techniques

KNOWLEDGE TRANSFER

• End users should understand policies and procedures as well as WHY they are important and why we put them in place.
• Training
• Awareness
• Education

• Training
  • Classroom, Online, CBT
• Awareness
  • Posters, memos, security mindedness
• Education
  • Making resources available
  • Encouraging certification and skill enhancement
