Collin College’s Security Management Prac5ces Capstone Course · @NTXISSA #NTXISSACSC3 Collin College’s Security Management Prac5ces Capstone Course Mr. Rick Brunner, Col USAF

@NTXISSA#NTXISSACSC3

CollinCollege’sSecurity

ManagementPrac5cesCapstone

CourseMr. Rick Brunner, Col USAF (Retired), EJD, MS, SCF, CISSP, ITIL

Security Management Practices Instructor

Collin College

10/3/2015

Rick Brunner <[email protected]>


Disclaimer

Theviews,thoughts,claims,oropinionsinthis

presenta?onaresolelythoseofthepresenter.

Nothinginthispresenta?onrepresentsthe

views,thoughts,claims,oropinionsofCollin

College,UnitedStatesAirForce,theAirForce

Reserves,theDepartmentofDefense,the

IntelligenceCommunity,oranyprioremployer.

3


“Ifyouthinktechnologycansolveyour

securityproblems,thenyoudon’t

understandtheproblemsandyou

don’tunderstandthetechnology.”

-BruceSchneier


Objec?ves

• Provideintroduc?onintoCollinCollege’sSecurityManagementPrac?cescourse

• Provideintroduc?onintoTexasCISO’sCouncil’s

Informa?onSecurityProgramEssen?alsdocument

• DiscussindividuallytheproposedTexasCISO’sCouncil’s

Informa?onSecurityProgram’sfivecorecomponentsand

howCollinCollege’sSecurityManagementPrac?cesand

associatedCyberSecuritycoursealignswitheachofthe

iden?fiedfivecorecomponents

• ProvideinsightintoSecurityManagementPrac?ces

course’sEnterpriseInforma?onSecurityProgramPlan

assignment


Ques?on(s)

6

•  Ifastudentcompletesacourseorsetofcoursesthat

providesstudentsanintroduc?on(workingknowledge/

understanding)intothefivecorecomponentsasoutlined

bytheTexasCISOCouncil'sInforma?onSecurityProgram

Essen?alsdocument,doesthatbackgroundenhancea

student’sopportunityingainingemploymentwithinan

organiza?on’sinforma?onsecuritydepartment?

•  Ifresponsetoaboveisyes,doesthatvalidatethe

informa?on/contentpresentedinthecourseorsetof

courses?


SecurityManagementPrac?ces

• Capstone course • Course provides an in-depth coverage of security

management practices, including asset evaluation

and risk management; cyber law and ethics issues;

policies and procedures; business recovery and

business continuity planning; security design; and developing and maintaining a security plan

• Student must demonstrate knowledge and skill in

writing an Enterprise Information Security Program

Plan


SecurityManagementPrac?cesCourseSyllabus

Introduc5ons

IntellectualPropertyProtec5on―CrossRoadsbetweenEthics,Informa5onSecurity,andInternalAudit

Presenta5onIntroduc?ontotheManagementofInforma?onSecurityEnterpriseInforma?onSecurityProgramPlanAssignmentLaw,Ethics,andPrivacyPrivacyImpactAssessmentLabPlanningforSecurityRiskManagement:Iden?fyandAssessingRiskDataClassifica?onLabRiskManagement:ControllingRiskInforma?onSecurityPolicyRiskManagement-Iden?fica?onandScoringLabDevelopingtheSecurityProgramSecurityManagementModelsResponsibili?esMatrixLabSecurityManagementPrac?cesInforma?onSecurityProgramLabProtec?onMechanismsPlanningforCon?ngenciesInforma?onSecurityControlsLabPersonnelSecurityandEduca?on,TrainingandAwarenessProgram


Informa?onSecurityDefini?on

9

Term Meaning Source

Informa?onSecurity Protec?nginforma?onandinforma?onsystemsfrom

unauthorizedaccess,use,disclosure,disrup?on,

modifica?on,ordestruc?oninordertoprovide—

1)integrity,whichmeansguardingagainstimproper

informa?onmodifica?onordestruc?on,andincludes

ensuringinforma?onnonrepudia?onandauthen?city;

2)confiden?ality,whichmeanspreservingauthorized

restric?onsonaccessanddisclosure,includingmeans

forprotec?ngpersonalprivacyandproprietary

informa?on;and

3)availability,whichmeansensuring?melyand

reliableaccesstoanduseofinforma?on.

NISTIR7298,GlossaryofKey

Informa/onSecurityTerms

Informa?onSecurity Theprotec?onofinforma?onandinforma?onsystems

fromunauthorizedaccess,use,disclosure,disrup?on,

modifica?on,ordestruc?oninordertoprovide

confiden?ality,integrity,andavailability.

CNSSInstruc?onNo.4009,Na?onal

Informa?onAssurance(IA)Glossary

Informa?onSecurity Preserva?onofconfiden/ality,integrityandavailability

ofinforma?on

Note1toentry:Inaddi?on,otherproper?es,suchas

authen/city,accountability,non-repudia/on,

andreliabilitycanalsobeinvolved.

ISO/IEC27000,Informa?ontechnology

—Security

techniques—informa?onsecurity

managementsystems—Overviewand

vocabulary


TexasCISOCouncil

• Createdin2013• AnInformalVolunteerNetworkof45

Informa?onSecurityProfessionals

represen?ng12IndustryVer?cals

• Iden?fyHowtheycouldmakelifeeasier

forSecurityProfessionals

• ShareExperiencesWithOrganiza?ons

andProfessionalsWhoareStruggling

withBasicSecurityFundamentals

• www.texascisocouncil.org

Source: http://www.isacantx.org/Presentations/2015-09%20Pre%20-%20Texas_CISO-Essentials_Guide.pdf


TexasCISOCouncilFirstContribu?on

11

• ThirteenCouncilMembers

Createdthe"Informa?on

SecurityProgramEssen?als

Guide"ReleasedinApril2015

• The37PageGuideisaBackto

BasicsApproachfor

Informa?onSecurity

Managementandisa"StepIn"

SimplifiedFramework

• AvailableforFreeDownloadat

www.texascisocouncil.org



WhyTheyCreatedTheGuide

12

"Theprimarygoalofcrea?ngtheGuidewastoofferasimplifiedmechanismtovalidatethatanorganiza?onhasin-placeorplannedsolu?onsforkeyelementsofaninforma?onsecurityprogramandthattheorganiza?onhasnotoverlookedcri?calcorecompetenciesorcontrols."



FiveCoreComponents

13


GovernanceandOrganiza?on

NTXISSACyberSecurityConference–October2-3,2015 14

• CompanyAlignment,

RequirementsandScope

• Organiza?onalStructure

• DepartmentalRela?onships

Theterm"informa5onsecurity"canmeandifferentthingsindifferentorganiza5onsandwithdifferent

peopledependingontheirexperienceandtheirpercep5onofsecurity.Theinforma5onsecurityteamand

func5oncanbeorganizedinmanydifferentways,dependingonhowanorganiza5onviewsitsexternaland

internalthreatsanditsoverallsecurityposture.


GovernanceandOrganiza?on


• CompanyAlignment,

Requirementsand

Scope

• Organiza?onal

Structure

• Departmental

Rela?onships

• SecurityManagementPrac?ces• DevelopingtheSecurityProgram

•  CISOrepor/ngmodels

•  CISO’srolesandresponsibili/es

•  Organiza/onalRolesandResponsibili/es--RACI

•  PlanningforSecurity•  Informa/onSecurityGovernance

Wheredoesinforma5onsecurityreportwithintheoverallorganiza5on?

Response:Guidesdecisions,whichwillbemaderegardingthenecessarygovernancestructuresthatneed

tobeinplacetosupportsuccessfulexecu5onofaneffec5veinforma5onsecuritystrategywithinthe

organiza5on.

CISO

Impact

Quo?ent

(CIQ)

Source: IANS Research ‘The 7 Factors of CISO Impact’ Copyright 2015.

CISO

Impact

Quo?ent

(CIQ)

The topmost CISOs think differently.

Source: IANS Research ‘The 7 Factors of CISO Impact’ Copyright 2015.


RACIMatrix

18


ReferencestoGovernanceandOrganiza?on

• IANS(TheIns?tuteforAppliedNetworkSecurity)exists

tochangethebalanceofpowerinthecyberwar.Wedo

thisbyarmingCISOsandtheirteamswithauniquemix

ofthoughtleadershipandprac?caladvice.Learnabout

IANSathqp://www.iansresearch.com

• Webinar - Tom Scholtz, Gartner, "Build An Effective

Security and Risk Governance Function" -

http://www.gartner.com/webinar/2745217


Informa?onSecurityStrategy


• Vision/Roadmap

• BusinessGoalsand

Objec?vesAlignment


Informa?onSecurityStrategy


• Vision/Roadmap

• BusinessGoalsand

Objec?vesAlignment

• SecurityManagementPrac?ces•  PlanningforSecurity

•  Value,Vision,Mission

•  BusinessObjec/ves

•  StrategicPlanning•  Informa/onSecurityDevelopment

Lifecycle

•  Laws,Ethics,Privacy

•  IntrototheManagementof

Informa/onSecurity•  PrinciplesofInforma/onSecurity

Management

•  ProjectManagement


StrategyDevelopmentProcess

22


Informa?onSecurityFramework


• ExternalStandards• ScopeofSecurity

Components

• Effec?veness/Maturity

Eitherthroughtheselec?onanduseofanindividualframeworkoracompila?onofframeworksin

ahybridapproach,theeffec?veimplementa?onofanInforma?onSecurityFrameworkwillhelp

theorganiza?onensurecompliancetoregulatoryrequirementsaswellasprovidethebasisfor

definingcomprehensivecontrolsandsafeguardsforprotec?ngagainstthreatsandmanaging

risks.


Informa?onSecurityFramework


• SecurityManagementPrac?ces•  SecurityManagementModels

•  AccessControlModels

•  Confiden/alityModel

•  IntegrityModel

•  SecurityArchitecture

•  SecurityArchitectureFrameworks•  SABSA

•  NISTCyberSecurity

•  RiskManagementFramework

•  Protec/onMechanisms•  ISO27001/02

•  NISTSP800-53

•  COBIT5•  PCIDSS3.0

•  HIPAA/HITECH•  Technology

•  Informa/onSecurityPolicy

• ExternalStandards• ScopeofSecurity

Components

• Effec?veness/Maturity

25

Source:SherwoodAppliedBusinessSecurityArchitecture(SABSA),SABSACharteredArchitect,Founda5onsF1andF2

Course,DavidLynas,SABSAIns5tute2010






NISTCyberSecurityFrameworkCoreStructure

Source:hVp://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf


Func?onandCategoryUniqueIden?fiers

31


Informa?onSecurityRiskManagement


• OngoingAssessment

Realiza?on

• ImpactandLikelihood

Assessment

• ControlMapping


Informa?onSecurityRiskManagement


• SecurityManagementPrac?ces•  RiskManagement:Iden/fyingand

AssessingRisk•  RiskManagement

•  Riskiden/fica/on

•  RiskAssessment

•  RiskandOpportunityModel

•  RiskIndicator/Appe/teThreshold

•  RiskManagement:ControllingRisk•  RiskControlStrategies

•  FeasibilityandCost-BenefitAnalysis

•  AssessmentMethodologies

•  FailureofCurrentRiskAssessment

Prac/ces

•  BusinessRiskIntelligenceANewWay

toCommunicateRisk

•  FinalThoughts&BestPrac/ces

• OngoingAssessment

Realiza?on

• ImpactandLikelihood

Assessment

• ControlMapping

34


DataDrivenRiskAssessmentTool

35


ThreatReport─Sample

36


RiskReport─Sample

37


RiskAnalysis

38


Mi?ga?on/Ac?onPlan

39


Measurements&Metrics


• KeyPerformance

Indicators

• Risk/ThreatIndicators

• Con?nualImprovement


Measurements&Metrics


• SecurityManagementPrac?ces•  SecurityManagementPrac/ces

•  Benchmarking

•  PerformanceMeasurementin

Informa/onSecurityManagement

•  Informa/onSecurityProgram

MaturityandTypesofMetrics

•  NISTSP800-55,Rev.1:

PerformanceMeasurementGuide

forInforma/onSecurity

• KeyPerformance

Indicators

• Risk/ThreatIndicators

• Con?nualImprovement


EnterpriseInforma?onSecurityProgramPlanAssignment

42


AssignmentStructure

• TitlePage

• TableofContents

• Introduc/on• Purpose

• Scope

• Background

• Assump/ons/Constraints


AssignmentStructure(Con?nued)

• Vision,Mission,Objec/ves,Metrics• Vision

• Mission

• Objec/ves

• Metrics

• LegalandPrivacy• Iden/fyanylaws,statutes,regula/ons,thatyoubelieve

apply

• DiscusshowyouaregoingtointerfacewiththeChiefPrivacyOfficer

• Discuss/Iden/fyifyouareSafeharborandwhy

• Discuss/iden/fyifyouaregoingtoimplementaPrivacyImpact

Analysis



Informa?onSecurity• Iden?fyKeyTeamMembersandtheirrolesandresponsibili?es

• Useadiagramshowingtheorganiza?onstructurefromtheCEOtotheCISO,includetheplacementoftheCIOandifneedtheITSecurityManager

• ProduceaRACIMatrixthatassignsRACIresponsibili?esforeachteammember

• Useatableorspreadsheetforaccomplishingthistask

• OutlineanddiscussyourRiskManagementProgramandhowyouaregoingtoreportmetricsbacktotheCEOandtheBOD

• DiscussyourInforma?on/DataClassifica?onSchemeanditsrela?onshiptoinforma?onheldbytheCompany,pleaseincludeariskstatementineachclassifica?onbeyondPublic

• Addresshowyouarealigningwiththebusiness



Informa/onSecurityPrograms• Thissec/onneedstoaddresswhatarethetop5orsoprogramsthatyouas

theCISOaretoexecutewithinthefirst6monthstoyearwithpossible

iden/fica/onofaddi/onalprogramsrequiredtoexecuteaneffec/ve

informa/onsecurityprogram.

• Possibleprogramscouldinclude:• DataLossPreven/on

• VendorManagement

• SocwareasaService• NetworkSegmenta/on

• SecurityInforma/onandEventManagement

• NetworkSecurity

• SecureSocwareDevelopmentLifecycle

• IncidentResponseManagement

• ThreatandVulnerabilityManagement


AnUpdate

47


Ques?on(s)

48

•  Ifastudentcompletesacourseorsetofcoursesthat

providesstudentsanintroduc?on(workingknowledge/

understanding)intothefivecorecomponentsasoutlined

bytheTexasCISOCouncil'sInforma?onSecurityProgram

Essen?alsdocument,doesthatbackgroundenhancea

student’sopportunityingainingemploymentwithinan

organiza?on’sinforma?onsecuritydepartment?

•  Ifresponsetoaboveisyes,doesthatvalidatethe

informa?on/contentpresentedinthecourseorsetof

courses?

49


References

• hqp://www.isacantx.org/Presenta?ons/2015-09%20Pre%20-%20Texas_CISO-Essen?als_Guide.pdf

• Informa?onSecurityProgramEssen?als--AGuideProducedBythe

TexasCISOCouncil--Version1April19,2015,

hqp://media.wix.com/ugd/

618c85_f1e315b1e92844fcaebc9612fd1157c5.pdf

• GoverningforEnterpriseSecurity(GES)Implementa?onGuide,

August2007hqp://www.sei.cmu.edu/reports/07tn020.pdf

• BoardsofDirectors,CorporateGovernanceandCyber-Risks:

SharpeningtheFocus,CommissionerLuisA.Aguilar

http://www.sec.gov/News/Speech/Detail/Speech/1370542057946

50


References

• SherwoodAppliedBusinessSecurityArchitecture(SABSA),SABSACharteredArchitect,Founda?onsF1andF2Course,DavidLynas,

SABSAIns?tute2010

• Na?onalIns?tuteofStandardsandTechnology(NIST)

CybersecurityFrameworkhqp://www.nist.gov/cyberframework/

• Communica?ngRiskToExecu?veLeadership,AndrewPlato,

President/CEOofAni?an,

hqp://phxsac.com/wp-content/uploads/2014/04/Communica?ng-

Risk-to-Execu?ve-Leadership.pdf

• RiskRadar,

hqp://download.cnet.com/Risk-Radar/

3000-2076_4-75882721.htmlor

hqp://www.proconceptsllc.com/risk-radar-enterprise.html

51


References

• GuideforConduc?ngRiskAssessments,NISTSP800-30,Rev1,

September2012,

hqp://csrc.nist.gov/publica?ons/nistpubs/800-30-rev1/sp800_30_r1.pdf

• ManagingInforma?onSecurityRisk--Organiza?on,Mission,and

Informa?onSystemView,NISTSP800-39,March2011

http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf

• PerformanceMeasurementGuideforInforma?onSecurity,NISTSP

800-55,Rev1,July2008,

hqp://csrc.nist.gov/publica?ons/nistpubs/800-55-Rev1/SP800-55-

rev1.pdf

• NIST'sComputerSecurityDivisionPublica?ons,

hqp://csrc.nist.gov/publica?ons/index.html52


Questions

53

@NTXISSA#NTXISSACSC3@NTXISSA#NTXISSACSC3

TheCollinCollegeEngineeringDepartment

CollinCollegeStudentChapteroftheNorthTexasISSA

NorthTexasISSA(Informa?onSystemsSecurityAssocia?on)


Thankyou

Collin College’s Security Management Prac5ces Capstone Course · @NTXISSA #NTXISSACSC3 Collin College’s Security Management Prac5ces Capstone Course Mr. Rick Brunner, Col USAF

Documents