CISM - Delegate Pack

The document discusses information security governance and covers topics like organizational culture, legal and regulatory requirements, information security strategy development, and information governance frameworks. It also outlines the domains and modules covered in the Certified Information Security Manager certification.


Certified Information Security Manager (CISM)

New York • San Francisco • London • Sydney • Dubai • Singapore • Vancouver • Bangalore © The Knowledge Academy Ltd.
About The Knowledge Academy
The world's largest provider of classroom and online training courses

• World Class Training Solutions
• Subject Matter Experts
• Highest Quality Training Material
• Accelerated Learning Techniques
• Project, Programme, and Change Management, ITIL® Consultancy
• Bespoke Tailor Made Training Solutions
• PRINCE2®, MSP®, ITIL®, Soft Skills, and More

Course Syllabus

• Domain 1: Information Security Governance

• Domain 2: Information Security Risk Management

• Domain 3: Information Security Program Development and Management

• Domain 4: Incident Management

Domain 1: Information Security Governance

This Domain Covers…

Domain 1: Information Security Governance

A: ENTERPRISE GOVERNANCE

• 1A1: Organisational Culture

• 1A2: Legal, Regulatory and Contractual Requirements

• 1A3: Organisational Structures, Roles and Responsibilities

B: INFORMATION SECURITY STRATEGY

• 1B1: Information Security Strategy Development

• 1B2: Information Governance Frameworks and Standards

• 1B3: Strategic Planning (e.g. budgets, resources, business case)

Module 1A1: Organisational Culture

About Information Security Governance

• Information security governance focuses on several key processes.

• Those processes are sourcing, configuration management, personnel management, access management, risk management, incident management, change management, vulnerability management, and business continuity planning.

• An effective governance program uses metrics, a balanced scorecard, and other means to monitor these key processes.

• Security processes are changed to remain effective and to support evolving business requirements through continuous improvement.


About Information Security Governance (Continued)

• Information security governance is a collection of activities established to clearly understand the state of the organisation's security program and its risks, and to direct its activities.

• An objective of the security program is to contribute to the accomplishment of the security strategy, which in turn maintains alignment with the business and its objectives.

• An organisation must also have an effective IT governance program to ensure the success of information security governance.

• IT is the force multiplier and enabler that facilitates the business processes that fulfil the objectives of the organisation.


About Information Security Governance (Continued)

• Information security governance will not be able to reach its full potential without effective IT governance.

• The result may be that the proverbial IT bus will travel with safety but to the wrong destination.

• This is represented in the given figure.

Figure: Business Vision → Business Strategy → Business Objectives → IT Strategy → IT Security Strategy → Security Policy → Security Standards → Security Processes → Security Metrics, with Feedback.


About Information Security Governance (Continued)

• Alignment of an organisation's security program with the business requirements is the objective of security governance.

• Information security governance refers to the set of top-down activities that control the security organisation to ensure that information security supports the organisation. The following are some activities that flow out of healthy security governance:

o Objectives
o Strategy
o Policy
o Priorities
o Standards
o Processes
o Controls
o Program and Project Management
o Metrics


Reason for Security Governance

• In most industry sectors and at all levels of government, organisations are increasingly dependent upon their information systems.

• This dependence has grown to the point where organisations fully rely upon the integrity and availability of their information systems for continuing business operations.

• As an information security professional, it is important that you understand the importance to the business of CIA (Confidentiality, Integrity, and Availability).

• While building the structure of security governance, these three need to be considered.

• Information security governance is necessary to ensure that security-related incidents do not threaten critical systems, and to support the continuing viability of the organisation.


Reason for Security Governance (Continued)

• Among information security professionals, it is a known fact that information technology assets with internet access can be compromised within minutes of being placed online.

• For the protection of these assets, the required tools, controls, and processes are as complex as the information systems they are designed to protect.

• Without effective top-down management of the security controls and processes that protect assets, management will be neither informed of nor in control of these protective measures.


Security Governance Activities and Results

• In an effective security governance program, the senior management team of the organisation will see that the information systems are adequately protected.

• The following activities are necessary for the protection of the organisation:

o Risk Management
o Process Improvement
o Event Identification
o Incident Response
o Improved Compliance
o Business Continuity and Disaster Recovery Planning
o Metrics
o Resource Management
o Improved IT Governance


Security Governance Activities and Results (Continued)

• These activities are carried out periodically through scripted interactions among key business and IT executives.

• Meetings will consist of a discussion of alignment with business objectives, the impact of regulatory changes, recent incidents, the effectiveness of measurements, recent audits, and risk assessments.

• Other discussions may cover recent business results, changes to the business, and any anticipated business events such as mergers and acquisitions. The following are the two key results of an effective security governance program:

1. Increased Trust
2. Improved Reputation


Risk Appetite

• ISACA defines risk appetite as the level of risk that an organisation is willing to accept while in pursuit of its mission, objectives, and strategy.

• Usually, only highly risk-averse organisations like insurance companies, banks, and public utilities will define the risk appetite in actual terms.

• Other organisations are more tolerant of risk and make risk decisions individually on the basis of gut feeling.

• Many organisations are now finding it important to articulate and document their risk appetite because of increased influence and mandates from customers.

• Usually, risk-averse organisations have a formal system of traceability and accountability for risk decisions back to the head of department and business executives.

• The CISO (Chief Information Security Officer) is rarely the person who takes the risk treatment decision and is accountable for that decision.


Organisation Culture

• Transparency and accountability in the organisational culture have a great impact on information security.

• Organisational behaviour, strategies for navigating and influencing the enterprise's formal and informal structures to get work done, norms, attitudes, amount of collaboration, the existence or absence of turf disputes, and geographic dispersion all represent culture.

• Individual backgrounds, values, work ethics, experiences, filters or blind spots, and life views that individuals bring to the workplace all have an impact on culture.

• Every enterprise has a culture, whether it was purposefully created or evolved over time as a reflection of the leadership, and it must be taken into account when ascertaining roles and duties.

• Information security largely consists of analytical and logical activities.


Organisation Culture (Continued)

• Building relationships, promoting teamwork, and influencing corporate attitudes toward a positive security culture are more dependent on interpersonal abilities.

• A good information security programme manager will recognise the need to develop both kinds of abilities, as both are necessary for effective management.

• Employees in their different roles must do their duties in a way that safeguards information assets in order to build a security-aware culture.

• All employees, regardless of their role or level within the organisation, should be able to describe how information security relates to their job.

• To accomplish this, the security manager must organise communications, participate in committees and projects, and pay personalised attention to the needs of end users and managers.


Organisation Culture
General Rules of Use / Acceptable Use Policy

• All participants must understand what behaviour is acceptable, what activities are required, and what acts are explicitly prohibited in order to maintain a risk-aware and secure enterprise culture.

• An acceptable use policy is a user-friendly explanation of what employees should and should not do.

• This policy can describe the expectations and responsibilities of all users in everyday words and in a straightforward, concise manner.

• It is essential to communicate the acceptable use policy effectively and to ensure that it is read and understood by all users. Regardless of job status, all new staff who will have access to information assets should be provided with the use policy.


Organisation Culture (Continued)

• The rules of use for all workers typically include the policy and standards for access control, categorisation, labelling, and handling of documents and information, reporting requirements, disclosure limits, mobile computing, unlawful uses, and enforcement.

• They may also contain email and Internet usage policies. The usage guidelines serve as a broad security baseline for the entire enterprise.

• It is usually necessary to offer supplemental or additional information to specific enterprise groups in accordance with their duties.

• The information security manager should collaborate with the compliance department or Human Resources (HR) to ensure that new hires understand and agree to the acceptable use policy.


Organisation Culture
Ethics

• Several enterprises have implemented ethics training to provide direction on what is lawful and proper behaviour.

• This strategy is most commonly used when personnel are required to perform sensitive tasks such as penetration testing, monitoring user activities, and accessing sensitive personal data.

• Personnel responsible for information security must be aware of any conflicts of interest or behaviours that may be seen as detrimental to the enterprise.

• To ensure consistent and complete consideration, ethical conduct aims and activities should be integrated with privacy and data protection activities and objectives.

• These activities may involve the incorporation of data ethics frameworks, which can aid in the definition of protocols for ethical and responsible data use in the enterprise.


Module 1A2: Legal, Regulatory and Contractual Requirements


Introduction

• Every enterprise encounters a broad array of obligations arising from international and local legislation, other regulatory monitoring mandates, and contract-specific security clauses.

• In order to create a strategy, the information security manager must acquire as much information on these overarching requirements as feasible.

• Privacy, intellectual property, and contractual, civil, and criminal law are all inextricably linked to information security.

• Any attempt to create and implement an effective information security strategy must be founded on a thorough grasp of the applicable legal requirements and constraints.

• Different regions of a worldwide enterprise may be subject to conflicting laws. To resolve these issues, the global enterprise may need to develop separate security strategies for each geographic division, or it may base policy on the most stringent requirements to provide consistency across the enterprise.


Introduction (Continued)

• Corporate legal departments usually concentrate on securities and contracts or company stock-related issues.

• As a result, they are not always directly tracking regulatory requirements, and the information security manager should not depend on the legal department to do so. The impacted department is usually the most aware of legal and regulatory issues.

• To assure clarity on the enterprise's official position on the topic, the information security manager should request legal review and interpretation of legislative requirements that have security consequences.

• Automated governance, risk, and compliance (GRC) capabilities may aid in the maintenance of a comprehensive catalogue of legal and regulatory requirements.


Requirements for Content and Retention of Business Records

• Because business records comprise a substantial portion of the information that will be secured by the security strategy being developed, it is essential for the information security manager to understand the underlying requirements for those records.

• As a contributor to strategy development, the information security leader must know the business requirements for all types of company records.

• Representatives from the company legal department can usually assist in determining what types of records must be safeguarded to preserve their confidentiality, integrity, and availability.

• Legal affairs representatives can also advise on legal and regulatory requirements for enterprise documentation.

• Due to the nature of the enterprise's activity, business requirements may exceed the legal and regulatory standards set by the competent legislating bodies.


Requirements for Content and Retention of Business Records (Continued)

• Regulations like Sarbanes-Oxley have mandated varied obligatory retention requirements for various categories and types of information, irrespective of the storage media.

• The information security manager will be responsible for staying current with these regulations and ensuring compliance as part of the enterprise's retention strategy.

• There may also be requirements arising from a lawful preservation order requiring an organisation or individual to maintain specified data at the request of law enforcement or other authorities.

• In general, archived information needs to be appropriately indexed in order to be located and recovered.


Module 1A3: Organisational Structures, Roles and Responsibilities


Roles and Responsibilities

• A position title also includes the rank of a person, which signifies the person's seniority, span of control, placement in a command-and-control hierarchy, and so on.

• In order of increasing seniority, typical ranks include the following:

o Supervisor
o Manager
o Senior manager
o Director
o Senior director
o Executive director
o Vice president
o Senior vice president
o Executive vice president
o President
o Chief executive officer
o Member, board of directors
o Chairman, board of directors


Roles and Responsibilities (Continued)

• A responsibility is a statement of an activity that a person is expected to perform.

• Typically, responsibilities are documented in job descriptions and position descriptions.

• Typical responsibilities include the following:

o Troubleshoot network faults and develop solutions.
o Perform monthly corporate expense settlement.
o Audit user account terminations and develop exception reports.


Roles and Responsibilities
Board of Directors

• In an organisation, the board of directors is a body of people who oversee the activities of the organisation.

• The board of directors is accountable to constituents and shareholders for acting in the best interests of the organisation, without the appearance of ill-gotten profits, impropriety, or conflict of interest as a result of its activities.

• In a non-government organisation, the board is responsible for the appointment of the CEO (Chief Executive Officer).


Roles and Responsibilities
Executive Management

• Executive management has the responsibility of carrying out the directives issued by the board of directors.

• In information security management, this includes ensuring that the organisation has enough resources for the implementation of a security program, and for the development and maintenance of security controls for the protection of critical assets.

• Executive management must provide assurance of balanced priorities.


Roles and Responsibilities
Security Steering Committee

• Responsibilities of the Steering Committee include the following:

o Risk Treatment Deliberation and Recommendation
o Discussion and Coordination of IT and Security Projects
o Discussion of New Laws, Regulations, and Requirements
o Review of Recent Risk Assessments
o Review of Recent Security Incidents


Roles and Responsibilities
Business Process and Business Asset Owners

• Responsibilities of Business Process and Business Asset Owners include the following:

o Access Grants
o Access Reviews
o Access Revocation
o Configuration
o Process Definition
o Functional Definition
o Physical Location


Roles and Responsibilities
Data Management

• Data management positions are responsible for the development and implementation of database designs, and the maintenance of databases.

• These positions are:

o Data Manager
o Database Analyst
o Data Scientist
o Database Architect
o Database Administrator


Roles and Responsibilities
Security Operations

• Security operations positions are responsible for designing, building, and monitoring the security controls and security systems that assure the confidentiality, integrity, and availability of information systems.

• The major security positions are:

o Security Architect
o Security Engineer
o Security Analyst
o Access Administrator


Monitoring Responsibilities

• Monitoring responsibilities helps an organisation to ensure that the correct jobs are being carried out in the right way.

• Various activities provide this information to management.

• These activities include the following:

o Controls and Internal Audit
o Metrics and Reporting
o Work Measurement
o Performance Evaluation
o Position Benchmarking
o 360 Feedback


Module 1B1: Information Security Strategy Development


Introduction

• Risk optimisation is an essential component of enterprise IT governance and management.

• The information security strategy covers management actions and structures that are distinct from governance activities.

• The information security strategy gives the information security manager a plan of action to meet enterprise needs, such as achieving an acceptable level of risk while optimising resources.


Business Goals and Objectives

• Corporate governance is the set of practices and responsibilities exercised by the board of directors and senior management with the aim of providing strategic direction, ensuring that objectives are met, that risk is appropriately managed, and that the enterprise's resources are used responsibly.

• A strategy is a plan for attaining a goal. The objectives outlined in the plan define the business's strategic orientation.

• Information security must support the business strategy and the activities that take place to attain the objectives in order to be valuable to the firm.

• Information security governance is a subset of corporate governance. It offers strategic direction for security operations and assures that goals are met.

• It confirms that information security risk is correctly controlled and that enterprise information resources are used efficiently and effectively.


Business Goals and Objectives
Relationship of Governance Elements

Figure: Relationship of Governance Elements.

Business Goals and Objectives
Information Security Strategy Development Participants

Figure: Information Security Strategy Development Participants.


Information Security Strategy Objectives

• An information security strategy's objectives must be described, and metrics must be developed to ascertain whether those objectives are being accomplished. The six identified outcomes of security governance will often provide high-level direction. The outcomes are as follows:

o Strategic Alignment
o Effective Risk Management
o Value Delivery
o Resource Optimisation
o Performance Measurement
o Assurance Process Integration


Information Security Strategy Objectives (Continued)

• The plan must explain what each of the chosen areas means to the enterprise, how each result might be attained, and what constitutes success.

• Sensitivity is a more subjective decision. The unintentional revealing of sensitive information can have a wide range of consequences that are difficult to predict.

• The data owner is the person who ascertains the classification level for data and is usually the best source for ascertaining the potential implications of data leakage.

• The classification level will then serve as the foundation for security operations and access control. Most businesses will employ three or four levels of sensitivity and criticality, such as confidential, internal, and public.

• Asset classification is a difficult process for most enterprises, but it is necessary for existing information if security governance is to be effective, efficient, and relevant.


Information Security Strategy Objectives (Continued)

• When done properly, classification reduces the cost of overprotecting insignificant information while also reducing the danger of under-protecting high-value information.

• If this task is not completed, it will become increasingly more difficult over time. Policies, processes, and standards must be defined concurrently in order to mandate classification and prevent related problems from worsening.

• Over-classification is a significant issue in classification implementation. It can be especially challenging in enterprises with a blaming culture, where mistakes are not tolerated.

• It would be impossible to develop a cost-effective security plan that is aligned with business needs before:

o Describing the needs of the business in terms of information security.
o Ascertaining information security goals that will meet those needs.
o Identifying and locating information resources and assets.
o Assessing information resources and assets.
o Categorising information assets according to their importance and sensitivity.
o Implementing a procedure to make sure that every asset has a specified owner.


Ensuring Objective and Business Integration

• It is vital to specify the security objectives if an information security strategy is to serve as the foundation for a plan of action to accomplish those goals.

• For a variety of reasons, defining long-term goals in terms of a desired level of security is essential.

• Without a well-articulated vision of the desired results for a security program, developing a meaningful strategy is not possible.

• Without a strategy, it is impossible to develop a meaningful action plan, and the enterprise will continue to execute ad hoc tactical point solutions with nothing to provide overall integration.

• The resulting non-integrated systems will cost more money, be difficult or impossible to secure, and be harder or impossible to manage. Many businesses wait until a significant catastrophe occurs before allocating enough resources to solve these problems.

• This can lead to outcomes that are much more costly than dealing with the problems appropriately from the start.
Ensuring Objective and Business Integration (Continued)

• Audit reports, change management activities, and steering committee conversations are additional sources of information to direct security operations.

• For instance, the establishment of a Public Key Infrastructure (PKI) might permit high-value transactions between trusted business partners or clients.

• By using Virtual Private Networks (VPNs), the sales force may be given secure remote connectivity and be able to protect sensitive data well.

• In other words, information security enables business operations that would otherwise be too risky to carry out or, as is commonly the case, would be carried out in the hope that everything will work out as planned.


Ensuring Objective and Business Integration
Business Linkages

• A direct connection to particular business activities and goals must be made when formulating strategic objectives.

• These connections can begin from the viewpoint of a particular line of business, considering its specific objectives.

• A review and analysis of each component of a specific product line can show how this strategy might function.

• A look into the process's past might turn up past mistakes that point out system flaws. The research may reveal ways to reduce errors, either by putting in place more or better controls or by assuring redundancy for more reliable automated operations, as human error accounts for the majority of system failures.


Ensuring Objective and Business Integration (Continued)

• By enhancing business processes, lowering errors, and boosting productivity, the establishment and analysis of business linkages can reveal information security vulnerabilities at the operational level, which can significantly increase the value of information security.

• If high-level members of the key departments and business units are involved, one of the beneficial outcomes of an information security steering group can be the continuous improvement of business linkages.

• Regular meetings with business owners to address security-related topics can help create these connections.

• This can be a chance to inform the owners of business processes about the possible advantages that more security could bring to their systems.


Avoiding Common Pitfalls and Bias

• While preparing for strategy development, it is essential to avoid a few common errors that may have an undue influence on the objectives to be fulfilled and the activities carried out to achieve corporate goals.

• Experiments and investigations have revealed a number of underlying reasons for poor decision making. Awareness of them may lead to solutions that mitigate the negative impacts. Some of the most common pitfalls are:

o The Status Quo Bias
o Overconfidence
o Optimism
o Anchoring
o Mental Accounting
o The Herding Instinct
o False Consensus


The Desired State

• The phrase "desired state" refers to a complete snapshot of all appropriate conditions at a specific time in the future.

• For a robust picture, it must encompass policies, principles, processes, frameworks, organisational structures, ethics, culture, information, behaviour, services, applications, infrastructure, skills, people, and competencies.

• It is impossible to define a condition of security in solely quantitative terms. As a result, a desired state of security must, to some extent, be described qualitatively in terms of traits, characteristics, and results.

• As per COBIT, it can involve high-level objectives like "protecting the interests of individuals who rely on information, as well as the systems, processes, and communications that manage, store, and distribute the information, against harm caused by failures of confidentiality, availability, and integrity".


The Desired State
COBIT

• COBIT gives a comprehensive framework for enterprise IT governance and management that addresses IT security, risk, governance, and information security in general.

• Because IT and related activities are involved in many elements of information security, it can serve as a framework for ascertaining the intended state for effective information security.

• COBIT has various focus areas, each of which describes a specific governance domain, topic, or issue that can be addressed by a set of governance and management objectives and their components.

• Small and medium-sized businesses, risk, information security, digital transformation, cloud computing, privacy, and DevOps are examples of potential focus areas.


The Desired State (Continued)

• Focus areas may include a mix of generic governance components and modifications, as well as issues for information security governance.

• COBIT is based on two sets of principles:

1. Principles that define the fundamental requirements of an enterprise information and technology governance system.

2. Principles for a governance framework that can be used to design an enterprise governance system.


The Desired State
Governance System Principles

1. Provide Stakeholder Value
2. Holistic Approach
3. Dynamic Governance System
4. Governance Distinct From Management
5. Tailored to Enterprise Needs
6. End-to-End Governance System


The Desired State
Governance Framework Principles

1. Based on Conceptual Model
2. Open and Flexible
3. Aligned to Major Standards


The Desired State
Business Model for Information Security

• To more effectively manage security, the BMIS model employs systems thinking to elucidate complex relationships inside the enterprise.

• The model's elements and dynamic interconnections define the boundaries of an information security program and model how the program runs and responds to internal and external change. BMIS sets the stage for frameworks like COBIT.

• To be fully understood, a system must be regarded holistically rather than simply as the sum of its elements.

• This is at the heart of systems theory. A holistic approach looks at the system as a whole and as a functional entity.

• Another principle of systems theory is that understanding one aspect of the system allows you to understand other areas of the system.


The Desired State
Business Model for Information Security

(Figure: the BMIS pyramid – Organisation Design/Strategy at the top, linked through Governance, Process and Human Factor interconnections to People and Technology at the base)

• The following are the Four Elements of the BMIS Model:

1. Organisation Design and Strategy
2. People
3. Process
4. Technology


The Desired State
Dynamic Interconnections

• The elements are linked together by dynamic interconnections, which produce a multidirectional force that pushes and pulls as things change.

• Behaviours and actions in the dynamic interconnections might throw the model off balance or bring it back into balance. The six dynamic interconnections are as follows:

 Governance
 Culture
 Enablement and Support
 Emergence
 Human Factors
 Architecture


The Desired State
Governance, Risk Management, and Compliance

• GRC is an example of the growing realisation of the need for convergence, or assurance process integration.

• GRC refers to a strategy that enterprises can use to integrate these three areas.

• GRC, which is sometimes characterised as a single business activity, covers several overlapping and related operations within a company, such as internal audit and compliance programmes.

• Governance is the duty of the board of directors and senior management, and it focuses on developing the procedures that an enterprise needs to ensure that employees follow defined policies and processes.


Elements of a Strategy
Road Map

• People, procedures, technology, and other resources are typically included in a road map to attain a stated, secure desired state.

• Its purpose is to map the pathways and steps that need to be taken to achieve the strategy's objectives.

• The interactions and relationships between numerous strategy elements are likely to be complex. As a result, it is advisable to think about the early stages of designing a security architecture.

• Architectures can help define business drivers, resource relations, and process flows in a systematic way.

• Architecture can also assist in ensuring that conceptual and contextual factors, like business drivers and effects, are taken into account during the strategy creation stage.


Elements of a Strategy
Resources and Constraints

• COBIT defines some governance system elements as factors that collectively and individually impact whether something will work: in this case, management and governance of information security and enterprise IT.

• The objectives cascade drives these components (i.e., higher-level goals describe what the different enablers must attain). The following are the components of the governance system:

1. Principles, Policies, and Framework: The vehicle for translating desired behaviour into practical guidance for daily management.

2. Processes: An organised set of actions and practices to attain specific goals and produce a number of outputs in support of attaining overall objectives.


Elements of a Strategy
(Continued)

3. Organisational Structures: The primary decision-making bodies in an enterprise.

4. Culture, Ethics, and Behaviour: Individual and enterprise characteristics that are usually overlooked as success elements in governance and management activities.

5. Information: Information used and produced by the enterprise. Information is widespread across the enterprise and is essential to keep the enterprise running and well-governed, but at the operational level, information is frequently the core product of the enterprise itself.

6. Services, Infrastructure, and Applications: The applications, technology, and infrastructure that give information technology processing and services to the organisation.

7. People, Skills, and Competencies: Necessary for carrying out all tasks successfully, reaching the right conclusions, and for taking actions appropriately.


Module 1B2: Information Governance Frameworks and Standards


The Security Balanced Scorecard
• A balanced scorecard is a management tool used to measure the effectiveness and performance of an organisation.

• It is used to determine how well an organisation can accomplish its strategic objectives and missions, and how well it is associated with overall organisational objectives.

• Management defines key measurements in the balanced scorecard in each of four perspectives:

 Financial Key Measurements
 Customer Key Measurements
 Internal Processes Measurements
 Innovation and Learning Measurements


The Security Balanced Scorecard
(Continued)

• The balanced scorecard of each organisation will represent the unique set of measurements that reflects the type of business, style of management, and business model of an organisation.

• It needs to be used for the measurement of the overall progress and effectiveness of an organisation.

• The security balanced scorecard is similar to the balanced scorecard, and can be used to measure the results and performance of a security organisation.

• The security balanced scorecard has the same four perspectives as the balanced scorecard.


The Security Balanced Scorecard
(Continued)

• The four perspectives of the security balanced scorecard are mapped to key activities, as shown in the table below:

Activity | Financial | Customer | Internal Processes | Innovation and Learning
Awareness and Education | Lower cost of incidents | Increase confidence | Improve processes | Improve awareness
Access Control | Control access | Provide access | Ensure proper access | Improve communication
Vulnerability Management | Reduce vulnerabilities | Protect against vulnerabilities | Manage risks | Learn from incidents
Business Continuity | Ensure continuity | Provide core services | Test continuity | Ensure awareness
Compliance | Comply with regulations | Ensure compliance | Ensure compliance | Review compliance
Program Management | Ensure efficiency | Include customer input | Reduce reactive processes | Continue improvement


Architectural Approaches
• One of the subsets of Enterprise Architecture (EA) is Enterprise Information Security Architecture (EISA).

• A foundational structure, or set of structures, can be described as an architecture framework. These structures can be used to create a variety of different architectures, such as business process architecture, also known as contextual architecture, and the more conventional conceptual, logical, physical, functional, and operational architectures.

• Numerous strategies have emerged, including process models, frameworks, and ad hoc methods. This development happened as it became clear that a perspective on architecture that was limited to IT was unable to satisfy business design and the development of security requirements.

• Linkages to the business side of information protection and techniques for its design are provided by a variety of architectural approaches.


Enterprise Risk Management Framework
• Several Enterprise Risk Management (ERM) models incorporate components that assist in preparing for strategic planning and subsequent program development:

 The COSO ERM Integrated Framework describes fundamental enterprise risk management components, examines key ERM concepts and principles, recommends a standard ERM language, and gives clear guidance and direction for enterprise risk management.

 ISO 31000:2018 specifies risk management principles, a framework, and a procedure to assist enterprises in increasing the possibility of attaining objectives, discovering opportunities and threats, and efficiently allocating and utilising risk treatment resources.

 The Risk Management Code of Practice, British Standard (BS) 31100, provides a procedure for executing and maintaining the concepts stated in ISO 31000, involving essential functions such as identifying, responding, assessing, reporting, and reviewing.


Information Security Management Frameworks and Models
• Numerous well-known frameworks were developed with an emphasis on information security risk management.

1. ISO/IEC 27000 Series

• The 14 sections of the ISO/IEC 27001:2013 standard can be used to assess the comprehensiveness of an organisational security strategy and assure that all important security elements are addressed.

• It is important to build organisational standards and policies that can be traced directly to each standard element.

• While 27002:2013 is the standard on which an enterprise may decide to be evaluated and certified, it is also the code of practice for information security management that supports standard implementation.


Information Security Management Frameworks and Models
(Continued)

• The following are the 14 Security Control Clauses of ISO/IEC 27001:2013:

A.5: Information Security Policies
A.6: Organisation of Information Security
A.7: Human Resource Security
A.8: Asset Management
A.9: Access Control
A.10: Cryptography
A.11: Physical and Environmental Security
A.12: Operations Security
A.13: Communications Security
A.14: System Acquisition, Development and Maintenance
A.15: Supplier Relationships
A.16: Information Security Incident Management
A.17: Information Security Aspects of Business Continuity Management
A.18: Compliance


Information Security Management Frameworks and Models
2. NIST Cybersecurity Framework

• The NIST Cybersecurity Framework, formally known as the NIST Framework for Improving Critical Infrastructure Cybersecurity, provides high-level guidelines for aligning a cybersecurity programme with organisational goals.

• In response to the increased occurrence of cybersecurity threats, NIST hosted a series of workshops to build a process for identifying possibilities for improvement in an enterprise's information security programme.

• The framework emphasises the importance of effective risk management integration and extensively promotes supply chain risk management improvement.

• The NIST Cybersecurity Framework does not provide any controls that can be used.


Information Security Management Frameworks and Models
3. NIST Risk Management Framework

• The NIST Risk Management Framework (RMF) gives a procedure for integrating privacy, security, and cyber supply chain risk management activities into the system development life cycle.

• Originally designed to assist US federal agencies in evaluating and improving information security, it has been expanded to apply to any company and is free to use.

• The RMF provides provisions for assessing the continuous efficacy and efficiency of risk management procedures, as well as a risk-based approach to categorising relevant assets and selecting and implementing controls to attain adequate protection.


Module 1B3: Strategic Planning


Workforce Composition and Skills
• Personnel security is an important aspect of an enterprise's information security strategy that must be taken into account as a preventive measure for securing an enterprise.

• Because the most damaging and costly compromises are generally the consequence of insider activity, whether unintentional or intentional, the first line of defence should be to try to assure the trustworthiness and integrity of new and existing people.

• The information security program will implement the mechanisms for assuring these traits in the workforce (including in-house people and external service providers), but needs and plans must be incorporated into the strategy.


Workforce Composition and Skills
Organisational Structure

• The formulation of an information security strategy will be heavily influenced by the organisational structure.

• In designing a security plan, a flexible and dynamic structure is likely to be beneficial.

• In more constrained systems, efforts to formulate a strategy may be regarded as a challenge to the autonomy or authority of diverse groups.

• This is becoming more common as the importance and prominence of the information security function in the organisational hierarchy have grown.

• Although reporting to the CIO was appropriate in the past, that structure has become insufficient for successfully managing increased risk, escalating losses, and the sophistication of attackers. Furthermore, it frequently leads to a conflict of interest.


Workforce Composition and Skills
Centralised and Decentralised Approaches to Coordinating Information Security

• The cultural mix of an enterprise will influence many aspects of strategy, including whether a centralised or decentralised approach is more beneficial for the security enterprise.

• While centralisation and standardisation of security can provide many benefits, the structure of an enterprise often renders this an inefficient approach.

• Multinational corporations that choose a centralised approach must carefully analyse the various local legal requirements in each country in which they have a presence.

• For instance, some nations may forbid the storage or processing of business data outside of their borders, and other governments may levy taxes, such as a withholding tax, on any software or hardware used by entities under their jurisdiction, regardless of where that software or hardware is physically located.


Workforce Composition and Skills
Employee Roles and Responsibilities

• Because employees must carry out numerous tasks, it is crucial that the plan include a mechanism that defines all security duties and responsibilities and incorporates them in employee job descriptions.

• In the end, there is a better likelihood of accomplishing security governance goals if employees are compensated based on their commitment to performing their job responsibilities.

• The annual job performance and goals of an employee may contain security-related metrics.

• To describe security roles and duties, the information security manager should collaborate with the HR director. Each job position's specific competencies should be identified and recorded.


Workforce Composition and Skills
Skills

• The skills required to implement a security strategy are a significant concern.

• Choosing a plan that employs existing abilities is likely to be the most cost-effective option, although it may be necessary to develop new skills or outsource certain critical functions at times.

• A skills inventory is necessary to ascertain the resources available while establishing a security plan.

• Proficiency testing may be useful in determining whether the necessary skills are available or may be acquired through training.


Workforce Composition and Skills
Awareness and Education

• Because security is frequently weakest at the end-user level, training, education, and awareness are critical components of the overall plan.

• It is critical to evaluate the requirement for the development of methods and processes that make policies, standards, and procedures easier to follow, implement, and monitor.

• A periodic security awareness campaign intended for end users underlines the importance of information security, and it is now required by law in several jurisdictions for a variety of sectors.

• Evidence suggests that the majority of employees in most businesses are unaware of security policies and regulations, even if they exist.


Assurance Provisions
Audits

• Audits, both external and internal, are one of the primary methods for ascertaining information security deficiencies in terms of controls and compliance, and they are an important resource in strategy creation.

• In larger enterprises, internal audits are typically undertaken by an internal audit department that reports to either an audit committee of the board of directors or senior management.

• External audits are often performed by an independent third party and may involve IT and information security domains, depending on audit objectives.

• Because audits can give the information security manager valuable monitoring tools, the security department must have access to this information.


Assurance Provisions
(Continued)

• It is critical for the information security manager to have solid working relationships with other assurance providers in order to facilitate the flow of information that is required for effective security management.

• Many enterprises are required to file numerous audits and other reports with regulatory bodies as a result of increased regulatory oversight.

• Many of these reports have implications for information security and can give helpful intelligence and monitoring data to the information security manager.


Assurance Provisions
Compliance Enforcement

• Security violations are a constant worry for information security managers, and it is essential to develop methods for dealing with them as part of the strategy development.

• Senior management buy-in and support for these procedures are crucial, particularly in terms of enforcement.

• According to security managers, management is frequently the source of the most serious compliance issues. It may be difficult to enforce compliance across an enterprise if there is a lack of dedication and compliance in management ranks.

• In an enterprise where transparency and trust are valued and fostered by management, the most effective way to achieve compliance is likely to be a system of self-reporting and voluntary compliance based on the knowledge that security is clearly in everyone's best interest.


Risk Assessment and Management
• A complete approach for recognising, assessing, and treating information security risk should be included in the information security strategy. Strategic planning involves the determination of how to attain risk direction in order to safeguard diverse enterprise assets from a wide variety of threats and vulnerabilities.

• The following are the elements that must be considered in strategic planning, and in subsequent operation and implementation as a part of information security itself:

 Business Impact Analysis
 Resource Dependency Analysis
 Outsourced Services
 Threat Assessment
 Vulnerability Assessment
 Insurance
 Other Organisational Support and Insurance


Action Plan to Implement Strategy
Gap Analysis – Basis for an Action Plan

• A gap analysis is necessary for several strategy components, including maturity levels, control targets, and risk and impact objectives.

• The analysis will determine the steps required to transition from the present state to the desired state in order to meet the set objectives.

• This exercise may need to be performed annually, or more frequently, to give performance and target metrics, as well as information for potential mid-course corrections in reaction to changing surroundings or other variables.

• Working backward from the endpoint to the current state to find the intermediate steps required to achieve the objectives is a common technique for gap analysis.


Action Plan to Implement Strategy
Action Plan Matrix

• The strategy's implementation plan will necessitate mechanisms for monitoring and measuring progress and achievement of goals.

• As with any project plan, costs and progress must be reviewed on a continuous basis to ensure plan compliance and to allow for prompt mid-course modifications.

• There will almost certainly be a number of short-term objectives, each of which will necessitate resources and a plan of action to attain.

• A variety of ways can be employed to continuously monitor and measure progress. On a regular basis, one or more of the methods for assessing the present state can be used to evaluate and chart how the current state has changed.


Action Plan to Implement Strategy
Key Goal Indicators

• Developing meaningful measurements requires defining clear objectives and reaching a consensus on targets.

• The following are some essential objectives for an information security plan:

 Meeting Sarbanes-Oxley controls testing compliance requirements.
 Finishing independent controls testing, validation, and attestation.
 Creating the required control effectiveness statement.

• The findings of the testing must be signed by the CFO and CEO and confirmed by independent auditors. The findings must subsequently be published in the company's public filings with the SEC.


Action Plan to Implement Strategy
Key Performance Indicators

• Indicators of critical performance parameters required to fulfil the goals include:

 Plans for control effectiveness testing.
 Progress in testing control effectiveness.
 Control effectiveness testing results.

• To track progress in the testing effort, appropriate testing plans that are consistent with the established goals and incorporate the CSFs must be developed.

• Management will require reporting on the progress and outcomes of testing due to the limited time available to execute the essential tests.


Action Plan to Implement Strategy
General Metrics Considerations

• Considerations for information security metrics involve confirming that what is being assessed is, in fact, appropriate.

• In any objective sense, it is difficult to measure security, and indicators of little meaning are frequently utilised merely because they are readily available.

• Metrics serve only one purpose: to deliver the information required to make decisions. It is therefore vital to understand what decisions must be taken and who makes them, and then to devise means to provide that information in an accurate and timely manner.

• Different metrics are more or less valuable for different segments of the organisation and should be determined in consultation with business process management and owners.


Action Plan to Implement Strategy
(Continued)

• While technical metrics are crucial to the IT security manager, senior management usually wants a summary of information that is important from a management viewpoint, information that normally excludes comprehensive technical data.

• This includes the following:

 Progress in accordance with the plan and budget.
 Significant changes in risk and potential consequences for business objectives.
 The outcomes of disaster recovery testing.
 Audit findings.
 Status of regulatory compliance.


Action Plan to Implement Strategy
(Continued)

• The information security manager might require more in-depth tactical data, such as:

 Metrics for policy compliance.
 Important system, process, or other changes that could modify the risk profile.
 Status of patch management.

• The majority of technical security data may be valuable in organisations with an IT security manager. This comprises:

 Results of vulnerability scans.
 Compliance with requirements for server configuration.
 Monitoring data from intrusion detection systems.
 Analysis of firewall logs.
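The three reporting tiers described in the metrics slides (a management summary, tactical data for the information security manager, and technical detail for the IT security manager) can be produced from one source of raw data. The following is an added example, not part of the course material: it parses a constructed vulnerability-scan export and derives patch-management status at each tier; the host names, VULN-nnnn identifiers and the per-severity patch SLA values are assumptions made for the example.

```python
"""Derive the three reporting tiers from a constructed vulnerability-scan export."""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumed patch SLA (days an open finding may stay unremediated) per severity.
# These are example policy values, not figures from the course material.
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed reporting date so the example is reproducible offline.
REPORT_DATE = date(2024, 3, 15)

# Constructed scan export. Hosts, business units and VULN-nnnn ids are
# placeholders, not real systems or identifiers.
SCAN_EXPORT = """host,business_unit,finding_id,severity,first_seen,fixed
web-01,Sales,VULN-0001,critical,2024-03-01,no
web-01,Sales,VULN-0002,medium,2024-01-15,no
db-01,Finance,VULN-0003,high,2024-02-20,no
db-01,Finance,VULN-0004,critical,2024-03-08,yes
app-02,Finance,VULN-0005,medium,2023-12-01,no
hr-01,HR,VULN-0006,high,2024-03-09,no
"""


@dataclass(frozen=True)
class Finding:
    host: str
    business_unit: str
    finding_id: str
    severity: str
    first_seen: date
    fixed: bool


def parse_scan_export(text):
    """Parse the CSV export, rejecting severities the SLA policy does not cover."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        severity = row["severity"].strip().lower()
        if severity not in PATCH_SLA_DAYS:
            raise ValueError(f"unknown severity {severity!r} for {row['finding_id']}")
        findings.append(Finding(
            host=row["host"].strip(),
            business_unit=row["business_unit"].strip(),
            finding_id=row["finding_id"].strip(),
            severity=severity,
            first_seen=date.fromisoformat(row["first_seen"].strip()),
            fixed=row["fixed"].strip().lower() in ("yes", "true", "1"),
        ))
    return findings


def days_open(finding, today):
    return (today - finding.first_seen).days


def sla_breached(finding, today):
    """An open finding older than its severity's SLA is a patch-policy breach."""
    return not finding.fixed and days_open(finding, today) > PATCH_SLA_DAYS[finding.severity]


def technical_detail(findings, today):
    """IT security manager view: every open finding per host, with age and SLA state."""
    detail = defaultdict(list)
    for f in sorted(findings, key=lambda f: (f.host, f.finding_id)):
        if not f.fixed:
            detail[f.host].append((f.finding_id, f.severity, days_open(f, today), sla_breached(f, today)))
    return dict(detail)


def tactical_metrics(findings, today):
    """Information security manager view: patch SLA compliance per business unit."""
    by_unit = defaultdict(list)
    for f in findings:
        by_unit[f.business_unit].append(f)
    metrics = {}
    for unit, items in by_unit.items():
        breaches = sum(sla_breached(f, today) for f in items)
        metrics[unit] = {
            "findings": len(items),
            "open": sum(not f.fixed for f in items),
            "sla_breaches": breaches,
            "sla_compliance_pct": round(100 * (len(items) - breaches) / len(items), 1),
        }
    return metrics


def management_summary(findings, today):
    """Senior management view: the few figures that support a decision, no technical detail."""
    if not findings:
        return {"patch_sla_compliance_pct": 100.0, "critical_sla_breaches": 0, "worst_business_unit": None}
    breaches = [f for f in findings if sla_breached(f, today)]
    per_unit = tactical_metrics(findings, today)
    return {
        "patch_sla_compliance_pct": round(100 * (len(findings) - len(breaches)) / len(findings), 1),
        "critical_sla_breaches": sum(f.severity == "critical" for f in breaches),
        "worst_business_unit": min(per_unit, key=lambda u: per_unit[u]["sla_compliance_pct"]),
    }


if __name__ == "__main__":
    found = parse_scan_export(SCAN_EXPORT)
    print("Management:", management_summary(found, REPORT_DATE))
    print("Tactical:", tactical_metrics(found, REPORT_DATE))
    print("Technical:", technical_detail(found, REPORT_DATE))
```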


Action Plan to Implement Strategy
Action Plan Intermediate Goals

• Once the overarching strategy has been completed, most enterprises may easily define a variety of specific near-term targets that are in line with the overall information security strategy.

• Prioritising corrective actions should be based simply on the BIA identification of business-critical resources and the security status as established by the previous CMMI gap analysis.

• If the security strategy objective is to attain CMMI level 4 certification and compliance, then an example of near-term action may include the following:

 The current applications being used must be identified by each business unit.
 Twenty-five percent of all data that has been kept needs to be examined to determine who owns it and how sensitive it is.
 In order to identify important resources, each business unit must complete a BIA for information resources.
 Business units must comply with regulations.
 It is necessary to specify all security positions and duties.
 Establishing a procedure to ensure business process connections.
 Each business unit must undergo a thorough risk assessment.
 The acceptable use policy must be explained to all users.
 To ensure that all policies are consistent with strategic security goals, all policies must be evaluated and amended as appropriate.
 All policies must be subject to standards.


Information Security Program Objectives
• The strategy will result in an information security programme if it is implemented with an action plan.

• The program is essentially the project plan for implementing and establishing ongoing management of some or all of the strategy's components.

• The information security program protects persons who rely on information as well as the procedures, systems, and communications that handle, store, and transmit it.

• Its goal is to keep them safe from harm caused by failures in availability, confidentiality, and integrity. Concepts such as information utility and possession are emerging definitions (the latter to cope with theft, deception, and fraud).

• The networked economy has undoubtedly increased the importance of trust and accountability in electronic transactions.


Information Security Program Objectives
(Continued)

• For most enterprises, security is achieved when:

 When needed, information is available and usable, and the systems that provide it can withstand attacks (availability).
 Information is only observed or released to those who have a legal right to know (confidentiality).
 Data is safeguarded against unauthorised change (integrity).
 Business transactions and information exchanges between enterprise sites or with partners can be trusted (authenticity and nonrepudiation).


Domain 2: Information Security Risk Management

This Domain Covers…

A: INFORMATION RISK ASSESSMENT
 2A1: Emerging Risk and Threat Landscape
 2A2: Vulnerability and Control Deficiency Analysis
 2A3: Risk Assessment and Analysis

B: INFORMATION RISK RESPONSE
 2B1: Risk Treatment / Risk Response Options
 2B2: Risk and Control Ownership
 2B3: Risk Monitoring and Reporting


Module 2A1: Emerging Risk and Threat Landscape


Risk Identification
 Before an enterprise can investigate potential and emerging risks, it must first understand how to identify risks.

 Risk identification is the process of determining the nature and type of viable threats and examining the enterprise's vulnerabilities that are subject to those threats.

 The vulnerabilities that identified threats may exploit constitute an identified risk.

 Only identified risks can be assessed and treated appropriately, so risk identification is essential to effective risk management.

 It is essential to identify all information assets, including those held by third parties. It is necessary to identify viable threats, both potential and actual.

 The viability of a threat is determined by two factors: the threat exists or could reasonably be anticipated to materialise, and the threat is under control in some way.


Risk Identification
(Continued)

 Risks are usually identified by a knowledgeable group developing a variety of risk scenarios or holding brainstorming sessions.

 These exercises assume that all significant enterprise vulnerabilities are known, as well as the types and nature of threats that could exploit them.

 Vulnerabilities can take many different forms.

 They may be commonly understood technical weaknesses, or they could be obscured by unmonitored procedures or business processes.


Risk Identification
(Continued)

Risk Scenario Approaches

Top Down (starting from Business Goals):
• Identify Business Objectives
• Identify Scenarios with the highest impact on achievement of business objectives

Bottom Up (starting from Generic Risk Scenarios):
• Identify Hypothetical Scenarios
• Reduce through High-level Analysis


Threats
Internal Threats

• Internal threats are those that are initiated within the organisation.

• Internal threats are related to the employees of the organisation, and the employees may be the intentional actors of these threats.

• Threats can be constituted by the following events:

o Well-meaning personnel making errors in haste.
o Disgruntled personnel deliberately bringing harm to an asset.
o Well-meaning personnel being tricked into doing something harmful.
o A trusted individual in a trusted third-party organisation doing any of these.


Threats
External Threats

• External threats are those initiated from outside the organisation.

• Like internal threats, these can include both deliberate and accidental actions.

• The security manager performing a risk assessment should understand the full range of
threat actors, along with their motivations.

• This is especially important for organisations in which specific types of threat actors or
motivations are more common.


Threats
(Continued)

External Threat Actors and Threat Motivations (two separate lists; motivations are not paired
with actors):

External threat actors:
• Former employees
• Current and former consultants
• Current and former contractors
• Competitors
• Hacktivists
• Government intelligence agencies
• Terrorist groups
• Activist groups
• Armed forces

Threat actor motivations:
• Competitive advantage
• Economic espionage
• Monetary gain
• Political gain
• Intelligence
• Revenge
• Ego
• Curiosity
• Unintentional errors


Threats
Advanced Persistent Threats

• Advanced Persistent Threats (APTs) are highly skilled, advanced attackers with a strong
motivation to exploit systems and networks and to maintain access over long periods.

• The increased skills available to the hacking community, as well as the efficiency of the tools
they use, raise the risk of compromise significantly.

• Governments, organised crime, or competitors may sponsor APTs.

• The information security manager should be aware that APTs pose a significant risk to
businesses of all sizes around the world and must ensure that adequate measures are in place
to detect and identify this threat.


Threats
(Continued)

Typical Sources of APT

Threat: Intelligence agencies
 What they seek: Political, defence or commercial trade secrets
 Business impact: Loss of trade secrets or commercial/competitive advantage

Threat: Criminal groups
 What they seek: Money transfers, extortion opportunities, personal identity information, or any
 secrets for potential onward sale
 Business impact: Financial loss, large-scale customer data breach, or loss of trade secrets

Threat: Terrorist groups
 What they seek: Production of widespread terror through death, destruction and disruption
 Business impact: Loss of production and services, stock market irregularities, and potential risk
 to human life

Threat: Activist groups
 What they seek: Confidential information or disruption of services
 Business impact: Major data breach or loss of service

Threat: Armed forces
 What they seek: Intelligence or positioning to support future attacks on critical national
 infrastructure
 Business impact: Serious damage to facilities in the event of a military conflict


Defining a Risk Management Framework
• A reference model must be used and adapted to the circumstances of the enterprise when
developing a systematic risk management programme.

• The reference model reflects the desired state.

• There are several standards and publications available to guide information technology and
security risk management approaches.

• Examples include:

 o COBIT

 o NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information
System View.


Emerging Threats
• Unusual activity on a system, repeated alarms, slow network or system performance, or new or
extreme activity in logs can all be indicators of emerging threats.

• In many cases, compromised enterprises have evidence of emergent threats in their logs well
before the actual compromise, but the evidence is not noticed or not acted on.

• Combined with a threat, a lack of effective monitoring can result in a breach.

• Most technologies are designed with an emphasis on function and purpose, with little regard for
security implications.

• As a result, new technology is often a source of new vulnerabilities and, in some cases, can act
as a threat agent within an information system.

• The information security manager should be aware of new technologies and plan for their
introduction in the enterprise, especially if the technologies promise cost savings or a
competitive benefit.


Risk, Likelihood and Impact
• Risk is defined by the International Organization for Standardization (ISO) as "the effect of
uncertainty on objectives". This means that outcomes can be either positive or negative.

• Here risk is evaluated primarily from a negative viewpoint, with negative risk defined as the
likelihood of an event combined with its consequences.

• Likelihood, also known as probability, is a measure of how frequently an event may occur.

• When determining risk, likelihood is used to estimate the level of risk on the basis of the
frequency of events, together with the impact of those events, over a given period.

• Annual Loss Expectancy (ALE) is determined by combining the likelihood or frequency (the
Annualised Rate of Occurrence, ARO) with the magnitude of a single loss (the Single Loss
Expectancy, SLE): ALE = ARO x SLE. The higher the frequency, the higher the likelihood and,
thus, the higher the risk.

© The Knowledge Academy Ltd
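As an added worked example (not part of the course material), the Python below computes SLE and ALE for a few constructed scenarios, ranks them by expected annual loss, and uses the change in ALE before and after a control to decide whether the control pays for itself, which is how the frequency-times-magnitude figure above is used in practice. Every asset value, exposure factor, occurrence rate and control cost in it is hypothetical.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Scenario:
    """One risk scenario with the three inputs the ALE formula needs.
    All figures in the sample scenarios below are constructed for illustration."""
    name: str
    asset_value: float      # value of the asset at risk, in currency units
    exposure_factor: float  # fraction of the asset value lost in a single event (0.0 to 1.0)
    aro: float              # annualised rate of occurrence: events per year (0.1 = once a decade)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: expected loss from one occurrence of the event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the frequency-times-magnitude figure described on the slide."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def scenario_ale(s: Scenario) -> float:
    return annual_loss_expectancy(single_loss_expectancy(s.asset_value, s.exposure_factor), s.aro)


def rank_by_ale(scenarios: List[Scenario]) -> List[Scenario]:
    """Highest expected annual loss first: the order in which treatment effort is directed."""
    return sorted(scenarios, key=scenario_ale, reverse=True)


def control_net_benefit(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Annual value of a control: the ALE it removes minus what it costs each year.
    A negative result means the control costs more than the risk it reduces."""
    return (ale_before - ale_after) - annual_control_cost


# Constructed sample scenarios (hypothetical values, not from the course material).
SCENARIOS = [
    Scenario("Ransomware on file server", asset_value=2_000_000, exposure_factor=0.25, aro=0.5),
    Scenario("Laptop theft (encrypted disk)", asset_value=50_000, exposure_factor=0.05, aro=4.0),
    Scenario("Data centre flood", asset_value=5_000_000, exposure_factor=0.60, aro=0.02),
]


if __name__ == "__main__":
    for s in rank_by_ale(SCENARIOS):
        sle = single_loss_expectancy(s.asset_value, s.exposure_factor)
        print(f"{s.name:32s} SLE={sle:>12,.0f} ALE={scenario_ale(s):>12,.0f}")

    # Would an offline backup regime that cuts the ransomware exposure factor from 0.25
    # to 0.05 (same ARO) justify an assumed cost of 40,000 per year?
    before = scenario_ale(SCENARIOS[0])
    after = annual_loss_expectancy(single_loss_expectancy(2_000_000, 0.05), 0.5)
    print(f"net annual benefit of backup control: {control_net_benefit(before, after, 40_000):,.0f}")
```

Note how the ranking comes out: the flood, expected once in fifty years, outranks laptop theft, which happens four times a year, because ALE weighs magnitude as well as frequency. The control check is the same arithmetic run twice; a control whose annual cost exceeds the ALE it removes is not worth buying on financial grounds alone.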


Risk Register
• A risk register must be established during the process of identifying risk and its elements.

• The register must act as a central repository for all information security risks, including specific
threats, exposures, vulnerabilities, and assets at risk. It must record the owner of the asset,
the risk owner, and any other stakeholders.

• Because the risk register is a living repository, content must be filled in as the assessment
process begins.

• Once the efforts for risk identification, evaluation, analysis, and response have been completed,
and other relevant information has been entered into the register, it will act as an authoritative
reference point for every risk management-related activity.

• Risk registers improve accountability by assigning risk to risk owners and also give a tracking
mechanism to ensure risk has been mitigated in accordance with agreed-upon action plans and
timelines. There is no accountability if there is no risk register.


Risk Register
(Continued)

• The risk register gives an overview of the enterprise's risk profile. A risk profile is a necessary
component of active information risk management.

• It will provide a thorough overview of the overall risk to which the enterprise is exposed, as
well as other pertinent information.

• There are several approaches available to meet this requirement.


Module 2A2:
Vulnerability and Control Deficiency
Analysis


Introduction
• The term vulnerability, also known as weakness, is often used as though it described a binary
condition: something is either vulnerable or not. In most situations, however, assets are
vulnerable to differing degrees.

• The extent of exposure should be considered because it influences the likelihood that a
vulnerability will be exploited.

• These differences are important when prioritising risk management efforts, ascertaining the
level of risk within a scenario, and explaining conclusions and suggestions to management.

• Many vulnerabilities are system conditions that must be identified before they can be
addressed.


Introduction
(Continued)

• The goal of vulnerability identification is to discover problems before they are discovered and
exploited by an adversary, which is why an enterprise must conduct regular vulnerability
assessments and penetration tests to identify, validate, as well as classify its vulnerabilities.

• A vulnerability assessment should consider both process and procedural flaws as well as logical
flaws. There is a risk where there are vulnerabilities.

• Various types of testing or subject matter expert estimates can be used to estimate the degree
of vulnerability. Estimates, like other types of valuations, can be quantitative or qualitative.

• Whatever method is used, it is essential to communicate the nature of these estimates so that
management is not misled.

• Using ranges or distributions to indicate both unlikely maximums and more probable values is
an effective approach for reflecting uncertainty in values.

© The Knowledge Academy Ltd
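As an added example that is not part of the course material: the slide above recommends expressing estimates as ranges or distributions so that management is not misled by a single number. The Python below takes three-point (low / most likely / high) expert estimates for event frequency and loss magnitude, samples them with a triangular distribution, and reports the median, the 90th percentile and the maximum annual loss next to the mean that a point-estimate ALE would have given on its own. The estimates are constructed, and frequency and magnitude are assumed to be independent.

```python
import random
import statistics
from typing import Dict, List, NamedTuple


class Range(NamedTuple):
    """Three-point estimate from a subject matter expert: the lowest and highest
    values considered plausible, and the single most likely value."""
    low: float
    most_likely: float
    high: float

    def mean(self) -> float:
        # analytic mean of a triangular distribution with these three points
        return (self.low + self.most_likely + self.high) / 3


def simulate_annual_loss(frequency: Range, magnitude: Range,
                         trials: int = 20_000, seed: int = 1) -> List[float]:
    """Monte Carlo estimate of annual loss.

    Each trial draws an event frequency (events per year) and a loss per event from
    triangular distributions shaped by the three-point estimates and multiplies them.
    Frequency and magnitude are assumed independent (a simplifying assumption)."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = []
    for _ in range(trials):
        events_per_year = rng.triangular(frequency.low, frequency.high, frequency.most_likely)
        loss_per_event = rng.triangular(magnitude.low, magnitude.high, magnitude.most_likely)
        losses.append(events_per_year * loss_per_event)
    return losses


def summarise(losses: List[float]) -> Dict[str, float]:
    """The figures management should see: a typical year (median), a bad year
    (90th percentile) and the unlikely maximum, alongside the mean that a
    point-estimate ALE would have reported by itself."""
    ordered = sorted(losses)

    def percentile(p: float) -> float:
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {
        "mean": statistics.fmean(ordered),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "max": ordered[-1],
    }


# Constructed expert estimates for one scenario (phishing-led credential compromise);
# the numbers are illustrative, not taken from the course material.
FREQUENCY = Range(low=0.5, most_likely=2.0, high=6.0)            # events per year
MAGNITUDE = Range(low=10_000, most_likely=80_000, high=500_000)  # loss per event


if __name__ == "__main__":
    summary = summarise(simulate_annual_loss(FREQUENCY, MAGNITUDE))
    print(f"point-estimate ALE (means multiplied): {FREQUENCY.mean() * MAGNITUDE.mean():,.0f}")
    for key, value in summary.items():
        print(f"{key:>5}: {value:,.0f}")
```

The median lands well below the mean because both inputs are skewed towards their high end; reporting only the mean would overstate a typical year while saying nothing about how bad a bad year can be, which is exactly the misunderstanding the slide warns against.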


Introduction
(Continued)

• Understanding the other controls in place that may mitigate the overall exposure is required to
determine the ultimate relevance of a weak control.

• It would be inaccurate and unfair to portray a single control as a major issue when, in fact, the
combination of controls is quite robust.

• Many IT system flaws are discovered using automated scanning tools, and these can act as
leading indicators of potential compromise.

• Process and procedural vulnerabilities are more challenging to identify and may need a
thorough review and analysis.

• To be effective, the assessment must take into account process, procedural, and physical
vulnerabilities, as well as technological flaws.


Security Control Baselines
 Policies, processes, standards, practices, and organisational structures are all part of the
information security risk management framework, which also includes controls.

 The framework is intended to give reasonable assurance that business goals are attained and
that the potential consequences of undesired events are adequately addressed.

 The framework should consider people, procedures, and technology, as well as the enterprise's
physical, contractual, technical, and procedural elements.

 To be effective, it must consider the enterprise's strategic, operational, programmatic, and
tactical elements.

 Safeguards are any practice, process, procedure, or other instrumentation that decreases risk
through precautionary measures taken to protect a business asset.

 Safeguards are proactive controls because they are applied and utilised to prevent an event
from occurring.


Security Control Baselines
(Continued)

 Intrusion Prevention Systems (IPS), employee background checks, and turnstile gates are
instances of proactive controls or safeguards.

 Countermeasures are procedures, practices, processes, or other instrumentation utilised to
respond to a past event.

 Countermeasures are typically implemented when a threat or vulnerability is identified.

 Countermeasures can be implemented and integrated in a variety of ways: modifying
architecture or reengineering procedures to decrease or eradicate internal threats or technical
vulnerabilities, or developing an employee awareness programme to counter social
engineering and promote early detection and reporting of security incidents.


Events Affecting Security Baselines
 A variety of factors may change the risk, probability, or impact equation, requiring a change in
baseline security.

 The collective ability of controls to protect the enterprise's information assets determines
baseline security.

 Baseline security is essentially governed by the least restrictive aspect of the collective
standards and is the enterprise's minimum level of security. Control objectives must also reflect
baseline security levels.

 Any incident can be attributed to either a lack of control or a control failure.

 Any significant incident needs a risk assessment and a root cause analysis of the failure, which
may require increasing or altering baseline security by changing appropriate policies,
procedures, processes, standards, or controls.


Events Affecting Security Baselines
(Continued)

 Information security managers must monitor and assess events that affect security baselines
and, as a result, might influence the security posture of the enterprise.

 Based on this evaluation, the information security manager should determine whether the
enterprise's security strategy, roadmap, and test plans need to be altered to address changing
risks.

 Security baselines may be changed for a variety of reasons.


Module 2A3: Risk Assessment and Analysis


Introduction
 Risk management involves a set of processes that covers the end-to-end requirements of
recognising, examining, evaluating, and keeping risk at acceptable levels.

 These involve weighing policy alternatives with interested parties, taking risk assessment and
other factors into account, and selecting suitable prevention and control options with
acceptable costs and effects on the enterprise's capability to operate efficiently.

 Risk management functions typically involve the execution of the following processes, in order:

 1. Establish scope and boundaries
 2. Identify assets and valuation
 3. Perform risk assessment
 4. Recommend risk treatment or response
 5. Accept residual risk
 6. Communicate about and monitor risk


Introduction
(Continued)

Continuous Risk Management Steps

The steps form a cycle:

 1. Define risk appetite
 2. Identify and assess risk
 3. Develop risk management plan
 4. Implement risk management plan
 5. Proactive monitoring, then return to step 2

Regular review is required because:

• Risk changes over time
• Countermeasures might not be followed, or might no longer be appropriate
• Countermeasures might have opened new risk


Introduction
(Continued)

Information Security Risk Management Process

• Context establishment

• Risk assessment, consisting of:
 o Risk identification
 o Risk analysis
 o Risk evaluation

• Risk treatment

Two activities run alongside every step: communication and consultation, and monitoring and
review.


Determining the Risk Management Context
 In business terms, risk management should provide a balance between benefits and costs.

 The scope of risk management activities and the environment in which risk management
operates is defined by the context, which involves the organisational structure, culture,
principles, people, infrastructure, and skills.

 Determining the risk management context includes specifying the:

 o Enterprise's scope and the procedures or activities to be evaluated.

 o Entire scope of risk management activities.

 o Roles and responsibilities, not only for the various parts of the enterprise involved in the risk
management process but also for risk and control ownership.

 o Organisational culture in the form of risk-aversion or risk-aggression.


Determining the Risk Management Context
(Continued)

 The risk-evaluation criteria should be determined and agreed upon. Whether or not risk
treatment is needed is usually determined by technical, operational, regulatory, financial, legal,
social, or environmental criteria, or a mixture of these.

 The criteria must be consistent with the scope and analysis of the enterprise's internal policies
and processes, and they should support the enterprise's objectives and goals.

 Important criteria to consider include:

 o Impact: The types of outcomes that will be considered.

 o Likelihood: The probability of an adverse event occurring.

 o Cost-benefit analysis: To ascertain the best strategy for mitigating versus transferring the
impact of a risk event.


Determining the Risk Management Context
(Continued)

 o Risk appetite/risk tolerance: The rules that ascertain whether the risk level is such that
additional treatment activities are needed.

 These criteria may need to be modified later in the risk management process as a result of
changing circumstances or as a result of the risk assessment and evaluation process itself.


Operational Risk Management
 The risk of loss caused by ineffective, inefficient, inadequate, or failed procedures, people, and
systems, as well as external events, is referred to as operational risk.

 Business interruption is a major concern, and averting it must be a primary principle of risk
management.

 Most of the time, incident management is sufficient for managing materialised risk, minimising
significant disturbance to operations and potential impacts.

 In some cases, incidents will escalate to disasters, requiring business continuity and disaster
recovery.

 In either case, the understanding and ability to address the relevant problems sufficiently to
assure the enterprise's survival serves as a backstop to limit risk and assure it is managed.


Risk Management Integration with IT Life Cycle Management
Processes

• It is essential for information security management to ensure that risk identification, evaluation,
analysis, assessment, and response activities are integrated into life cycle processes.

• The need to minimise negative impact on the enterprise and to establish a solid basis for
decision-making are the primary reasons enterprises implement a risk management process for their
IT systems.

• Risk management must be fully integrated into the System Development Life Cycle (SDLC) for it to be
effective. The SDLC of an information technology system has five phases: initiation, development or
acquisition, implementation, operation or maintenance, and disposal.

• In some cases, an IT system may be in multiple phases at the same time. However, regardless of the
SDLC phase for which the assessment is performed, the risk management methodology is the same.

• Risk management is an iterative procedure that can be conducted throughout every major phase of
the SDLC.


Risk Management Integration with IT Life Cycle Management
Processes
(Continued)

• Other business areas and activities may already have change management processes in place.

• One advantage is that many enterprises now have change management processes in place that cover
the whole enterprise.

• The information security manager should be familiar with these change management activities and
assure that security is properly integrated with business operations, so that changes are not made
without considering the implications for the overall security of the enterprise's information assets.

• One way to help assure this is for information security management to join the change management
committee and assure that all changes are subject to security review and approval and that proposed
changes satisfy policy and standard requirements.

• Any proposed variations must be identified and documented for further investigation.


Risk Management Integration with IT Life Cycle Management
Processes
(Continued)

• While the normal focus of change management is on hardware and software changes and their
security impact, the change management process must extend far beyond system owners and the IT
population.

• Change management must involve facilities management for data centre infrastructure and any
other area that may have an influence on overall information security.

• Change management's impact on system and facility maintenance windows must be addressed by
facilities personnel and business continuity management.

• Changes in these areas are frequently not documented in a timely manner. It is possible that facilities
do not have current single-line drawings and blueprints.


Risk Management Integration with IT Life Cycle Management
Processes
(Continued)

The IT Risk Management Life Cycle

The four phases form a cycle:

 1. IT risk identification
 2. IT risk assessment
 3. Risk response and mitigation
 4. Risk and control monitoring and reporting, feeding back into identification


Risk Scenarios
 In general, risk can be characterised by, or related to, the following components:

 o Actor
 o Type of threat
 o Event
 o Asset or resource affected
 o Consequences, results or resulting impact
 o Frequency


Risk Scenarios
(Continued)

Risk Scenario Components


Risk Assessment Process
 Risk assessment, in conjunction with either an information asset classification procedure or a
business impact analysis to ascertain sensitivity or criticality, is used as a base for identifying
relevant and cost-effective countermeasures or controls to mitigate identified risk.

 Business value is usually expressed as sensitivity or criticality. The majority of risk assessment
approaches have four distinct phases:

 1. Risk identification
 2. Risk analysis
 3. Risk evaluation
 4. Risk assessment


Risk Assessment Process
Risk Driven Approach


Risk Assessment and Analysis Methodologies
 The information security manager has access to a variety of risk management models and
assessment approaches. The approach chosen must be the one with the best form, fit, and
function for the enterprise.

 Depending on the enterprise and the specific requirements, approaches such as the Holistic
Approach to Risk Management (HARM), Factor Analysis of Information Risk (FAIR), risk factor
analysis, and value at risk (VAR) may be more appropriate.

 Risk scenarios in the COBIT approach include the process of identifying risk, followed by
analysis. The next step is to evaluate the risk to see if it exceeds acceptable levels.

 These three steps enable the risk assessment to produce a suggestion for the best risk
response, or risk treatment.

 Priorities for response are determined by a cost-benefit and risk-level analysis: responses with
a high cost-benefit ratio, addressing risks with a high likelihood and impact, come first.


Risk Assessment and Analysis Methodologies
NIST Risk Assessment Methodology


Other Risk Assessment Approaches
• Developments in recent decades have resulted in significant enhancements in defining the
bounds of probable risk.

• Yet few effectively address information risk.

• A few of these advances are being applied in the field of information security, and it is
likely that more refined techniques and methods will continue to be developed.

Factor Analysis of Information Risk (FAIR)

• FAIR is a well-known industry approach for decomposing risk into its elements and
understanding them.

• The approach provides a reasoned, detailed analysis process that is intended to supplement
other assessment approaches with the goal of increasing accuracy.


Other Risk Assessment Approaches
FAIR Methodology


Other Risk Assessment Approaches
Holistic Approach to Risk Management (HARM)

• HARM is a methodology that is designed and developed to support and normalise an
enterprise's approach to conducting risk analysis.

• The following are the core processes of HARM:


Risk Analysis
 Risk analysis is the process of estimating the probability of events and their resulting
outcomes.

 This step involves ascertaining threat actor abilities and motivations, as well as the efficiency of
existing controls and the extent to which they may affect a specific identified risk. Risk analysis
includes:

 Extensive investigation of the risk sources (threats and vulnerabilities) identified during the
risk identification phase.

 The degree to which information assets are vulnerable to potential threats, and the effect of
that on likelihood.

 The potential negative effects of a successful attack on the assets.

 The likelihood of those consequences occurring, as well as the factors that influence them.

 Inclusion of existing controls or procedures that tend to decrease negative risk or improve
positive outcomes.


Risk Analysis
Risk Mapping Indicating Risk Appetite Bands


Risk Evaluation
• During the risk evaluation phase, decisions are made about how the enterprise reacts to and
prioritises risk based on the foregoing analysis, with allowance made for the probable margin
of error, which can be significant if reliable data is unavailable.

• This is done within the context of the enterprise's defined tolerance criteria, risk appetite, and
capacity, creating a basis for advising on a reasonable and suitable risk response.

• Acceptance is the most likely treatment option if the risk meets the acceptable risk criteria.

• If the risk exceeds the acceptable level and is not within the tolerance range, the most likely
treatment will be some form of mitigation.

• Mitigation options include changing or adding controls, or reengineering business processes to
make a process less risky.

• A system redesign can reduce technical risk, or risk sharing may be the most cost-effective
alternative.


Risk Evaluation
(Continued)

• If there are no cost-effective alternatives for mitigating extreme risk, management may take
the decision that the activity is not worth the risk, or it may decide to take the risk if the
advantages outweigh the risks.

• Typically, risk transfer is chosen for risks with a lower likelihood but a high impact.

• Control risk (the risk that a control fails to operate as intended) should be considered if the
risk is mitigated through the use of controls.

• If the results are ambiguous, inaccurate, or misleading, the risk assessment may lead to a
decision to conduct additional analysis.


Risk Ranking
• The risk practitioner utilises the results of risk assessment to prioritise risks so that the risk
owner can direct risk response efforts.

• The risk ranking is derived from a combination of all risk elements: threat recognition and
the characteristics and abilities of a threat source, the severity of a vulnerability, the likelihood
of occurrence when considering the effectiveness of controls, control risk, and the impact to
the enterprise should the risk be realised.

• Taken together, these indicate the level of risk associated with a threat.


Module 2B1: Risk Treatment / Risk Response Options


Risk Treatment/Risk Response Options
 After identifying the risk, the next step in the risk management process is to decide what to do
about what was identified.

 Risk treatment pits available resources against the need for risk reduction.

 Not all risks can be mitigated or eliminated, because there are not sufficient resources to treat
them all in the enterprise environment.

 When risk treatment is performed at the enterprise level, risk analysts and technology
architects can devise ways to bring about the greatest possible risk reduction.

 This can be achieved by implementing solutions that reduce many risks at once.


Determining Risk Capacity and Acceptable Risk
(Risk Appetite)

 Every enterprise has a specific risk capacity, which is defined as the maximum amount of loss that an
enterprise can tolerate without jeopardising its continued existence.

 The risk appetite of an enterprise is determined by its owners or board of directors, subject to the
absolute maximum imposed by this risk capacity.

 Risk appetite is described as the amount of risk that an entity is willing to accept in the pursuit of its
mission, on a broad scale.

 As part of strategic planning, the board of directors may in some cases delegate the setting of risk
appetite to senior management.

 The determination of acceptable risk and risk appetite, as well as assessment criteria, is important to
almost all elements of information security and most other elements of organisational activities.


Determining Risk Capacity and Acceptable Risk
(Risk Appetite)
(Continued)

 Many aspects of strategy, such as control objectives, baseline security, control execution, cost-benefit
calculations, severity criteria determination, risk management options, required incident response
abilities, insurance requirements, and feasibility assessments, will be determined by risk appetite.

 Risk appetite is translated into several standards and policies that must be adjusted or confirmed on
a regular basis in order to keep the risk level within the boundaries set by the risk appetite.

 Risk within the boundaries may be accepted through a formal and explicit process that confirms that
the risk requires and warrants no additional response by the enterprise, as long as the specific risk and
risk environment remain substantially the same and accountability for the risk is assigned to a
specific owner.

 Risk acceptance should not exceed the enterprise's risk appetite, and must never exceed the risk
capacity.


Risk Response Options
 For risk treatment, the following are the four primary options:

 o Risk mitigation
 o Risk transfer
 o Risk avoidance
 o Risk acceptance


Risk Acceptance Framework
 A risk acceptance framework can be a useful tool for defining the criteria for risk acceptance
and the level at which management acceptance is carried out.

Risk Level | Level Required for Acceptance
Low | Risk acceptance possible at the business unit level (e.g., manager)
Medium | Risk acceptance possible at the division level (e.g., director)
High | Risk acceptance possible at the department level (e.g., CFO, COO, CIO)
Severe | Risk acceptance only at board/governing body level

Notes accompanying the table: risk reduction is necessary, with monitoring and rigorous controls,
and a management notification process is necessary.


Inherent and Residual Risk
 The risk exposure or level without considering the actions that management might take or has
taken is referred to as inherent risk.

 The risk that remains after controls are implemented is referred to as residual risk. Risk can never
be eradicated, because a certain level of residual risk always exists even when appropriate controls
are implemented.

 It must be noted that lowering one risk almost invariably raises another, hopefully of a lower
magnitude.

 The goal is to assure that residual risk is similar to the enterprise's acceptable risk criteria or
satisfies risk tolerance criteria.

 Risk tolerance is defined as the allowable variation from acceptable risk, which is typically
expressed as a percentage or range.

 Acceptable residual risk must be the result of meeting the defined control objectives and be
equivalent to the enterprise's defined security baselines.


Inherent and Residual Risk
(Continued)

 Management can use residual risk reported by a subsequent risk assessment to recognise
areas where more control is needed to further mitigate risk.

 An information security strategy establishes acceptable levels of risk.

 Residual risk above an acceptable level must be treated further, with the option of additional
mitigation through the execution of more stringent controls.

 Risk levels below the acceptable level must be assessed to determine whether the controls in
place are still necessary and whether they can be reduced in cost by removing or modifying
them.

© The Knowledge Academy Ltd
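The following Python is an added example (not from the course material) that ties together the risk register slides earlier in this domain, the risk ranking, the risk acceptance framework table and the inherent/residual risk rules above. It keeps a small constructed register, scores inherent and residual risk on a 1-5 likelihood by 1-5 impact scale, ranks entries by residual risk, looks up who may accept each residual risk level, applies the rule that residual risk above appetite is treated, at appetite accepted, and below appetite reviewed for control cost reduction, and lists overdue treatments. The 1-5 scales, the score-to-level thresholds, the way controls reduce scores and the sample entries are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import IntEnum
from typing import List, Optional


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    SEVERE = 4


# Risk acceptance framework from the slide: the management level that may accept
# a risk at each level.
ACCEPTANCE_AUTHORITY = {
    Level.LOW: "business unit manager",
    Level.MEDIUM: "division director",
    Level.HIGH: "department head (CFO/COO/CIO)",
    Level.SEVERE: "board / governing body",
}


def score_to_level(score: int) -> Level:
    """Map a likelihood x impact score (1-25) to a risk level. Thresholds are assumed."""
    if score <= 4:
        return Level.LOW
    if score <= 9:
        return Level.MEDIUM
    if score <= 15:
        return Level.HIGH
    return Level.SEVERE


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # points taken off the 1-5 likelihood score
    impact_reduction: int = 0      # points taken off the 1-5 impact score
    effective: bool = True         # control risk: a control that is not working reduces nothing


@dataclass
class RiskEntry:
    """One row of the risk register: asset, threat, vulnerability, owners, scores, controls."""
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    asset_owner: str
    risk_owner: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (catastrophic)
    controls: List[Control] = field(default_factory=list)
    treatment_due: Optional[date] = None

    def inherent_score(self) -> int:
        """Risk before considering any control."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk after effective controls; floors at 1 x 1 because residual risk never reaches zero."""
        l = self.likelihood - sum(c.likelihood_reduction for c in self.controls if c.effective)
        i = self.impact - sum(c.impact_reduction for c in self.controls if c.effective)
        return max(1, l) * max(1, i)


def ranked(register: List[RiskEntry]) -> List[RiskEntry]:
    """Risk ranking: highest residual risk first so the risk owner can direct response effort."""
    return sorted(register, key=lambda r: (r.residual_score(), r.inherent_score()), reverse=True)


def required_approver(entry: RiskEntry) -> str:
    return ACCEPTANCE_AUTHORITY[score_to_level(entry.residual_score())]


def treatment_decision(entry: RiskEntry, appetite: Level) -> str:
    """Above appetite: treat further. At appetite: accept. Below: review whether controls can be cut."""
    level = score_to_level(entry.residual_score())
    if level > appetite:
        return "treat"
    if level < appetite:
        return "review controls for cost reduction"
    return "accept"


def overdue(register: List[RiskEntry], today: date) -> List[str]:
    """Tracking mechanism: treatments past their agreed date."""
    return [r.risk_id for r in register if r.treatment_due and r.treatment_due < today]


def build_sample_register() -> List[RiskEntry]:
    """Constructed sample entries, not real findings."""
    return [
        RiskEntry("R1", "customer database", "external attacker", "SQL injection in web front end",
                  "head of sales", "CIO", likelihood=4, impact=5,
                  controls=[Control("web application firewall", likelihood_reduction=1),
                            Control("parameterised queries", likelihood_reduction=2, effective=False)],
                  treatment_due=date(2024, 3, 31)),
        RiskEntry("R2", "intranet wiki", "disk failure", "single disk, no RAID",
                  "comms manager", "IT manager", likelihood=3, impact=2,
                  controls=[Control("nightly backup", impact_reduction=1)]),
        RiskEntry("R3", "payroll system", "insider fraud", "one clerk can create and approve payments",
                  "HR director", "CFO", likelihood=3, impact=3,
                  controls=[Control("segregation of duties", likelihood_reduction=1)]),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for r in ranked(register):
        print(r.risk_id, "inherent", r.inherent_score(), "residual", r.residual_score(),
              treatment_decision(r, Level.MEDIUM), "->", required_approver(r))
    print("overdue:", overdue(register, date(2024, 6, 1)))
```

The `effective` flag is where control risk enters: R1's planned fix for parameterised queries is registered but not yet deployed, so it contributes nothing to the residual score, and the entry stays HIGH and must be signed off at department level rather than by the business unit. Flip the web application firewall to ineffective as well and the residual score returns to the inherent 20, which is the situation a monitoring failure would hide.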


Impact
 Every risk management activity is intended to lower impacts to acceptable levels in order to
create or preserve value for the organisation.

 An impact occurs when a threat exploits a vulnerability and causes a loss.

 Vulnerabilities and threats that have no impact are usually insignificant and are not
regarded as a risk.

 In commercial enterprises, the impact is usually quantified as a short-term direct financial loss
or a long-term ultimate financial loss.

 Instances of such losses include:

 Direct loss of money, or criminal or civil liability.

 Loss of reputation/goodwill/image.

 Decrease in share value, or conflict of interest for staff, customers, or shareholders.


Controls

 Any technology, procedure, practice, policy, standard, or process that acts to regulate activity in order to mitigate or lower risk is referred to as a control.

 It could be administrative, technical, managerial, or legal in nature. As it is common to find a variety of controls in various parts of a typical process, it is essential to understand the whole risk mitigation procedure from beginning to end.

 While layering controls is a good idea, using too many controls to address the same risk is wasteful and often decreases productivity. It is essential to ensure that the various controls are not all exposed to the same risk, as this would defeat the objective of layering them.

 Risk assessments must be conducted from the beginning to the end of a process in order to be effective and reasonably accurate.

 This approach will facilitate an understanding of whether upstream controls reduce or eliminate some risk, thereby removing the requirement for subsequent controls. It will also assist in determining whether there are redundant or duplicate controls.


Legal and Regulatory Requirements

 Legal and regulatory requirements must be taken into account in terms of risk and impact. Senior management should do this in order to determine the suitable level of compliance and priority.

 Legal general counsel must evaluate regulations to determine the exposure the enterprise is subject to as a result of the regulation and the current level at which the enterprise can demonstrate compliance.

 If the enterprise is found to be noncompliant, the regulations should be evaluated to determine the level of risk they pose to the enterprise.

 Because enforcement actions are typically initiated against those who are least compliant, the enterprise must consider the level of enforcement and its relative position in relation to its peers.

 The possible financial and reputational consequences of full compliance, partial compliance, and non-compliance should also be considered.

Legal and Regulatory Requirements (Continued)

 These evaluations serve as the basis for senior management to specify the nature and scope of relevant compliance activities for the enterprise.

 The information security manager should be aware that senior management may decide that risking sanctions is less expensive than attaining compliance, or that compliance is not warranted because enforcement is limited or even non-existent.

 This is a management decision that must be weighed against risk and impact.


Costs and Benefits

 When planning controls, an organisation must consider the costs and benefits.

 If the costs of specific controls outweigh the benefits of mitigating a particular risk, the enterprise may decide to accept the risk instead of incurring the cost of mitigation.

 Cost-benefit analysis provides a financial perspective on risk and specifies the cost of protecting what is essential.

 Yet cost-benefit analysis is also about making wise decisions on the basis of the costs of risk mitigation versus potential losses. Both ideas are directly related to good governance practices.

 Most information security crime and loss metrics, however, are not as well established as traditional robbery and theft statistics.

 Employee productivity impacts, revenue losses, and direct-cost loss events are three common measures of potential losses.
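The accept-or-mitigate decision described above can be carried through with numbers. The following is an added example, not from the CISM course material: it builds the per-event loss from the three measures named on the slide (productivity impact, revenue loss, direct cost), multiplies by an assumed annual frequency, and compares the loss a control is expected to avoid with what the control costs. The stolen-laptop scenario, the two control options and every figure are constructed for illustration.

```python
"""Cost-benefit analysis of a control: mitigate or accept the risk?

Added example, not from the CISM course material. The loss model uses the
three measures the slides name (employee productivity impact, revenue loss,
direct cost) plus an assumed annual frequency; all figures are constructed.
"""
from dataclasses import dataclass


@dataclass
class LossEvent:
    name: str
    annual_frequency: float      # expected occurrences per year (assumption)
    productivity_impact: float   # currency units per event
    revenue_loss: float
    direct_cost: float

    def loss_per_event(self) -> float:
        return self.productivity_impact + self.revenue_loss + self.direct_cost

    def expected_annual_loss(self) -> float:
        return self.annual_frequency * self.loss_per_event()


@dataclass
class ControlOption:
    name: str
    annual_cost: float           # amortised purchase plus yearly operation
    frequency_reduction: float   # fraction of occurrences prevented (0..1)
    loss_reduction: float        # fraction of per-event loss avoided (0..1)


def evaluate(event: LossEvent, control: ControlOption) -> dict:
    """Compare what the control costs with the loss it is expected to avoid."""
    before = event.expected_annual_loss()
    after = (event.annual_frequency * (1 - control.frequency_reduction)
             * event.loss_per_event() * (1 - control.loss_reduction))
    benefit = before - after
    net = benefit - control.annual_cost
    return {
        "control": control.name,
        "loss_before": before,
        "loss_after": after,
        "annual_benefit": benefit,
        "net_benefit": net,
        # If the cost outweighs the benefit, the slides' answer is to accept the risk.
        "decision": "mitigate" if net > 0 else "accept_risk",
    }


def recommend(event: LossEvent, options: list) -> list:
    """Rank the options by net benefit; only positive-net options are worth funding."""
    results = [evaluate(event, c) for c in options]
    return sorted(results, key=lambda r: r["net_benefit"], reverse=True)


# Constructed sample: a stolen laptop holding unencrypted customer data.
LAPTOP_LOSS = LossEvent("Stolen laptop with unencrypted data",
                        annual_frequency=2, productivity_impact=3_000,
                        revenue_loss=0, direct_cost=20_000)
OPTIONS = [
    ControlOption("Full-disk encryption", annual_cost=8_000,
                  frequency_reduction=0.0, loss_reduction=0.75),
    ControlOption("Escorted transport of all laptops", annual_cost=60_000,
                  frequency_reduction=0.5, loss_reduction=0.0),
]

if __name__ == "__main__":
    for row in recommend(LAPTOP_LOSS, OPTIONS):
        print(row)
```

With these assumed figures, full-disk encryption avoids far more loss than it costs and is the control to fund, while escorted transport would cost more than the loss it prevents, so for that option the risk is accepted rather than mitigated.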


Module 2B2: Risk and Control Ownership


Risk Ownership and Accountability

 Ownership and accountability are required for risk. After a risk has been identified, analysed, and evaluated, its owner must be identified as a manager or senior official within the organisation.

 A risk owner is responsible for accepting risk based on the organisation's tolerance criteria and risk appetite, and they should be able to choose the appropriate risk response based on analyses and guidance provided by the information security manager.

 This accountability includes approving controls when risk mitigation is the preferred risk response.

 The idea is to establish a direct link so that all risk is addressed through appropriate treatment and all controls are justified by the risk that requires their existence.

 Due to the shared relationship between risk and controls, the owner of a risk should also own any controls associated with that risk and be held accountable for ensuring their effectiveness.

Risk Ownership and Accountability (Continued)

 Risk owners may be required to prepare standard reports on the status of risk, any incidents that may have occurred, the level of risk currently encountered by the enterprise, and the tested effectiveness of controls in areas where there are regulations or laws that apply to risk.

Figure: Relationship Between Risk and Control (Risk and Control are linked: risk influences control, control informs risk)


Risk Owner

 The risk owner is the person to whom the enterprise has delegated the accountability and authority for making risk-based decisions, as well as the person who bears the loss related to realised risk.

 Strategically, senior management is the risk owner that is ultimately responsible for risk response across the enterprise. From an operational and management standpoint, directors, vice presidents, managers, and so on have the power and accountability, and must be held responsible, for making risk-related decisions as part of routine operations.

 Confusion occurs in relation to risk associated with information technology, as it is common in enterprises to attempt to place responsibility and accountability for that risk with the IT department.

 While IT personnel act as stewards/custodians of systems that support business operations, risk ownership falls to the person in the organisation who needs and consumes those services to carry out their business functions.


Control Owner

 The control owner is the person to whom the enterprise has delegated control-related decision-making authority and responsibility.

 The control owner and the risk owner are usually the same person, because any change to or removal of a control will impact the risk being treated, probably causing the risk to exceed the defined risk appetite.

 Control ownership, like risk ownership, falls to individuals within the enterprise who have the authority to make control decisions and will be held responsible for how risk is managed.

 Although IT staff may act as custodians/stewards of controls, it is ultimately the business unit that bears responsibility if a control is ineffective in properly treating risk. In some cases, the business unit will not be the control owner.

 Technology controls involving intrusion detection/prevention systems, email filters, endpoint detection, and data loss prevention platforms are typically enterprise-wide controls that are configured and handled by the enterprise's security operations staff.


Module 2B3: Risk Monitoring and Reporting


Risk Monitoring

 Continuous risk monitoring, evaluation, assessment, and reporting are an essential part of the risk management life cycle.

 On a regular basis, the results and status of this ongoing analysis must be documented and reported to senior management.

 Senior management will usually be less interested in technical details and will instead want an overview of the current situation and indicators of any impending or immediate threat that needs attention.

 Security dashboards, stoplight charts, and heat charts are generally used to display an overall evaluation of the security posture. Other representations of security status, like spider charts or bar graphs, may be more effective at conveying trends, depending on the recipients.

 The information security manager is accountable for managing the reporting process to ensure that it occurs, regardless of the form of reporting, and that the results are sufficiently analysed and acted on in a timely manner.


Key Risk Indicators

 One approach that is gaining popularity is the use of key risk indicators (KRIs) to monitor and report risk. KRIs are measures that indicate when an enterprise is exposed to risk that exceeds a predefined risk level.

 These indicators are generally developed based on experience and emerge from trends in factors known to increase risk. They can range from increased absenteeism or turnover in key employees to an increase in security events or incidents.

 KRIs can give early warnings about potential issues or areas of particular risk. As a means of ongoing monitoring, a variety of risk indicators can be developed for various parts of an enterprise.

 Aside from experience, KRIs can be chosen based on sources such as industry benchmarks, external threat-reporting services, or any other factor that can be monitored and indicates changes in risk to the enterprise.

Key Risk Indicators (Continued)

 The following considerations are involved in identifying useful risk indicators:

  Involvement of all stakeholders in the enterprise. Risk indicators should not focus solely on the operational or the strategic side of risk.

  Balancing the selection of risk indicators to achieve insight.

  Confirming that the chosen indicators drill down to the root cause of events rather than focusing only on symptoms.
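The two KRI slides above can be made concrete with a small monitoring routine. This is an added example, not from the CISM course material: it defines two of the indicators the slides mention (security incidents per week and turnover of key staff), gives each a predefined threshold and an early-warning band, evaluates them over constructed weekly observations, and then drills from the symptoms of the week that breached into the recorded root causes. The indicator names, thresholds, warning fraction and all sample records are assumptions made for illustration.

```python
"""Key risk indicators evaluated over constructed weekly observations.

Added example, not from the CISM course material. The indicators, their
thresholds, the early-warning band and the sample data are assumptions.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class KRI:
    name: str
    threshold: float           # predefined risk level; a value above it is a breach
    warn_fraction: float = 0.8  # early warning once this share of the threshold is reached


# Constructed sample: incidents logged per week, each with the root cause
# assigned at closure so the indicator can be traced past the symptom.
INCIDENTS = [
    {"week": 1, "symptom": "malware alert", "root_cause": "unpatched browser"},
    {"week": 1, "symptom": "account lockout", "root_cause": "password spraying"},
    {"week": 2, "symptom": "malware alert", "root_cause": "unpatched browser"},
    {"week": 3, "symptom": "malware alert", "root_cause": "unpatched browser"},
    {"week": 3, "symptom": "phishing report", "root_cause": "phishing email"},
    {"week": 3, "symptom": "malware alert", "root_cause": "unpatched browser"},
    {"week": 3, "symptom": "data sent externally", "root_cause": "unpatched browser"},
    {"week": 3, "symptom": "account lockout", "root_cause": "password spraying"},
    {"week": 3, "symptom": "malware alert", "root_cause": "unpatched browser"},
]
# Constructed sample: percentage of key staff who left, per week.
KEY_STAFF_TURNOVER_PCT = {1: 0.0, 2: 2.0, 3: 9.0}

KRIS = {
    "incidents_per_week": KRI("Security incidents per week", threshold=5),
    "key_staff_turnover": KRI("Key staff turnover %", threshold=10),
}


def incidents_per_week(incidents) -> dict:
    """Count incidents by week."""
    return dict(Counter(i["week"] for i in incidents))


def status(kri: KRI, value: float) -> str:
    """'breach' above the threshold, 'warning' in the early-warning band, else 'ok'."""
    if value > kri.threshold:
        return "breach"
    if value >= kri.threshold * kri.warn_fraction:
        return "warning"
    return "ok"


def evaluate_kris(incidents, turnover) -> list:
    """Evaluate every indicator for every week; return only rows needing attention."""
    rows = []
    counts = incidents_per_week(incidents)
    for week in sorted(set(counts) | set(turnover)):
        for key, value in (("incidents_per_week", counts.get(week, 0)),
                           ("key_staff_turnover", turnover.get(week, 0.0))):
            state = status(KRIS[key], value)
            if state != "ok":
                rows.append({"week": week, "kri": key, "value": value, "status": state})
    return rows


def root_causes(incidents, week) -> list:
    """Drill down from the week's symptoms to root causes, most frequent first."""
    causes = Counter(i["root_cause"] for i in incidents if i["week"] == week)
    return causes.most_common()


if __name__ == "__main__":
    for row in evaluate_kris(INCIDENTS, KEY_STAFF_TURNOVER_PCT):
        print(row)
        if row["kri"] == "incidents_per_week":
            print("  root causes:", root_causes(INCIDENTS, row["week"]))
```

Week 3 breaches the incident indicator and puts key-staff turnover into the warning band at the same time, which is the kind of combined early signal a report to management should carry; the root-cause breakdown shows that one cause (an unpatched browser) accounts for most of the week's incidents, so treating it addresses the trend rather than the individual alerts.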


Reporting Changes in Risk

 The risk assessment must be updated to confirm its continued accuracy as changes happen in an enterprise.

 The primary responsibility of the information security manager is to report changes to the suitable levels of management at the right time.

 The information security manager should hold regular meetings with the relevant stakeholders and with top management to present the risk status and the overall risk profile of the enterprise, including changes in risk level and the status of any open risk.

 Also, the security program should contain a procedure in which a substantial security event or breach triggers a report to top management and a reassessment of risk and suitable controls, because all security incidents or events are the consequence of the loss of, or a deficiency in, controls.

 The information security manager should have a defined procedure for evaluating security events based on their impact on the enterprise.


Risk Communication, Awareness and Consulting

 It is essential to create and communicate awareness of the issues across the enterprise at every step of the risk management procedure, for risk management to become part of the culture of the enterprise.

 Communication should include consultation with all related stakeholders and concentrate on growing a common understanding of the goals and requirements of the risk management program.

 This procedure will permit differences in perceptions and needs to be identified and addressed more effectively.


Risk Communication, Awareness and Consulting
Risk Awareness

 Awareness is a strong means of building the culture, shaping values and influencing the behaviour of the members of an enterprise.

 The risk and security awareness program should include communication of security and risk information, regular testing as a measure of awareness, and a medium for staff to report security and risk issues.

 The operational teams of an enterprise are usually the first to be aware of any abnormal activities or problems.

 Each team member can assist in recognising vulnerabilities, suspect activity and potential attacks.

 This may allow a more rapid reaction and more suitable containment of a risk when an attack occurs.


Risk Communication, Awareness and Consulting (Continued)

 Risk awareness acknowledges that risk is an essential part of the business. It aims to confirm the following:

  Risk is well known and understood.

  Information risk is recognisable.

  Employees identify that organisational risk can impact them personally.

  The enterprise recognises and uses the available tools to manage risk.


Documentation

 Readily available and applicable documentation about risk management standards, policies, infrastructure, services, and applications, in addition to other suitable risk-related issues, is needed to effectively manage risk.

 Decisions regarding the extent and nature of documentation involve related benefits and costs. The risk management policy, program and strategy describe the documentation required.

 Documentation should include the following at each stage of the risk management procedure:

  Objectives
  Audience
  Information resources
  Assumptions
  Decision criteria


Documentation (Continued)

 Typical risk management documentation should include the following:

  A risk register.

  Likelihood and consequences of compromise.

  Vulnerability to internal and external factors.

  An inventory of information assets, including telecommunications and IT assets.

  A risk action and mitigation plan.

  Audit and monitoring documents.
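A risk register is the document that ties the ownership model of Module 2B2 (every risk has an accountable owner; every control is justified by a risk; control owner and risk owner are usually the same person, with security operations as the recognised exception) to the documentation listed above. The following is an added example serving both passages, not from the CISM course material: a small register with risks, controls, owners and custodians, a `validate` function that reports where the risk-control link is broken, and an `owner_report` that summarises what each risk owner would put in a standard status report. The register layout, the acceptable level of 6 and every sample entry are assumptions made for illustration.

```python
"""Risk register with risk and control ownership checks.

Added example, not from the CISM course material. The register layout
(risks, controls, owners, custodians), the acceptable level and the sample
entries are assumptions made for illustration.
"""

# Constructed sample register. Owners are business roles; custodians are the
# IT or security staff who operate a control without owning the risk.
REGISTER = {
    "acceptable_level": 6,
    "risks": [
        {"id": "R1", "title": "Payroll data disclosure", "owner": "Head of HR",
         "residual": 4, "status": "treated", "controls": ["C1", "C2"],
         "regulated": True},
        {"id": "R2", "title": "Web shop outage", "owner": "Head of Sales",
         "residual": 8, "status": "open", "controls": ["C3"],
         "regulated": False},
        {"id": "R3", "title": "Lost visitor badges", "owner": None,
         "residual": 2, "status": "accepted", "controls": [],
         "regulated": False},
    ],
    "controls": [
        {"id": "C1", "name": "Payroll DB access reviews", "owner": "Head of HR",
         "custodian": "IT operations", "tested_effective": True},
        {"id": "C2", "name": "Email DLP", "owner": "CISO",
         "custodian": "Security operations", "tested_effective": False},
        {"id": "C3", "name": "Web shop DDoS protection", "owner": "Head of Sales",
         "custodian": "Network team", "tested_effective": True},
        {"id": "C4", "name": "Legacy fax line monitoring", "owner": "Facilities",
         "custodian": "Facilities", "tested_effective": True},
    ],
}


def validate(register) -> list:
    """Return findings where the register breaks the risk-control ownership model."""
    findings = []
    controls = {c["id"]: c for c in register["controls"]}
    linked = set()
    for r in register["risks"]:
        if not r["owner"]:
            findings.append(f"{r['id']}: no accountable risk owner assigned")
        if r["residual"] > register["acceptable_level"] and r["status"] != "treated":
            findings.append(f"{r['id']}: residual above acceptable level and not treated")
        for cid in r["controls"]:
            linked.add(cid)
            ctl = controls[cid]
            if ctl["owner"] != r["owner"]:
                # Usually the same person; enterprise-wide controls run by
                # security operations are the recognised exception, so this
                # is reported for confirmation rather than as an error.
                findings.append(f"{cid}: control owner '{ctl['owner']}' differs from "
                                f"risk owner '{r['owner']}' of {r['id']}")
            if r["regulated"] and not ctl["tested_effective"]:
                findings.append(f"{cid}: effectiveness not tested for regulated risk {r['id']}")
    # Every control must be justified by a risk that requires its existence.
    for cid in controls:
        if cid not in linked:
            findings.append(f"{cid}: control not justified by any risk in the register")
    return findings


def owner_report(register) -> dict:
    """Per-owner summary of the kind a risk owner puts in a standard status report."""
    report = {}
    for r in register["risks"]:
        entry = report.setdefault(r["owner"] or "UNASSIGNED",
                                  {"risks": 0, "open": 0, "max_residual": 0})
        entry["risks"] += 1
        entry["open"] += r["status"] == "open"
        entry["max_residual"] = max(entry["max_residual"], r["residual"])
    return report


if __name__ == "__main__":
    for finding in validate(REGISTER):
        print(finding)
    print(owner_report(REGISTER))
```

Run against the sample register this reports the untreated web-shop risk, the badge risk with no owner, the email DLP control whose owner differs from the risk owner and whose effectiveness has not been tested although the risk is regulated, and a fax-line control that no risk in the register justifies.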


Domain 3: Information Security Program Development and Management

This Domain Covers…

A: INFORMATION SECURITY PROGRAM DEVELOPMENT

 3A1: Information Security Program Resources
 3A2: Information Asset Identification and Classification
 3A3: Industry Standards and Frameworks for Information Security
 3A4: Information Security Policies, Procedures, and Guidelines
 3A5: Information Security Program Metrics

B: INFORMATION SECURITY PROGRAM MANAGEMENT

 3B1: Information Security Control Design and Selection
 3B2: Information Security Control Implementation and Integrations
 3B3: Information Security Control Testing and Evaluation
 3B4: Information Security Awareness and Training
 3B5: Management of External Services
 3B6: Information Security Program Communications and Reporting


Module 3A1: Information Security Program Resources


Introduction

• The information security manager normally has access to various organisational resources to support continuous alignment and consistent management of the information security program.

• Use of these resources also supports the governance framework principles by helping to confirm that the program:

  Relies upon a conceptual model with specified key relationships and components.

  Implements a flexible and open strategy that can be modified based on adjustments and priorities from key stakeholders while keeping consistency and integrity.

  Supports continued alignment with applicable frameworks, regulations and standards.


Information Security Program Objectives

• The objective of the information security program is to implement the strategy in the most cost-effective manner possible while increasing support of the business functions and decreasing operational disruption.

• For a well-developed security strategy, the primary task will be translating high-level strategy into physical and logical reality through a series of initiatives and projects.

• Another prospect is that more useful solutions may become available during program development or later.

• A great deal of design and planning will be needed to produce working project plans, whether the strategy has been developed in significant detail or only to the conceptual level.

• Collaboration in the development of plans is essential to achieve cooperation and consensus from diverse stakeholders and to decrease subsequent operational and implementation problems.


Information Security Program Objectives
Defining Objectives

• An information security manager rarely faces a situation in which no information security activity is present in an enterprise. Defining objectives is a critical component in developing the security program, and it may require a substantial amount of effort.

• It is important to determine the details that drive the business requirement for the information security program. The following are the primary drivers for an information security program:

  • The growing requirements for regulatory compliance
  • Cost and higher frequency of security incidents
  • Concerns over reputational harm
  • Adoption of industry best standards and practices
  • Business objectives or procedures that may increase organisational risk


Information Security Program Concepts

• If security governance has not been implemented and/or a strategy has not been developed, it will still be necessary to define overall objectives for security activities.

• Ready-made goals can involve conforming to a certain set of standards or achieving a defined maturity level based on the CMMI model. Any security program will likely include designing, developing and implementing controls, whether physical, technical, or procedural. Metrics must be considered as these controls are developed and monitored.

• Procedures to determine control failure and measure control effectiveness will be necessary. Implementation will generally involve a series of initiatives and projects. It usually requires project management skills, involving budgeting, resourcing, scheduling, time management, user acceptance testing (UAT) and quality assurance.

• Many projects include complex or unusual technical components and may need precise specification, engineering effort and design.
Information Security Program Concepts
Management and Process Concepts

• Managing and implementing a security program will require the information security manager to have knowledge of a number of management and process concepts, involving:

  Architectures
  Budgeting, costing and financial issues
  Business case development
  Business process reengineering
  Communications
  Contingency planning
  Control design and development
  Control implementation and testing
  Control monitoring and metrics
  Control objectives
  Critical thinking
  Documentation
  Personnel issues
Information Security Program Concepts
Technology Resources

• An effective information security program is a blend of technology, policies, personnel, and processes.

• For the program to succeed, the information security manager must be adept at evaluating the relevance and effectiveness of various solutions in line with the program's goals.

• It is essential for the manager to understand where specific technologies fit within the framework of detection, containment, prevention, recovery, and response. This knowledge ensures that the chosen technologies align with the strategic components of the program. For instance, the manager should be familiar with:

  Antimalware/antivirus systems
  Application security methodologies


Information Security Program Concepts
Technology Resources (Continued)

  Authorisation and authentication mechanisms
  Archiving and backup methods such as redundant array of low-cost disks
  Cloud-based resource provisioning and management techniques
  Cyberthreat information sharing techniques and methodologies
  Data integrity controls
  Data leak prevention methods
  Digital signatures
  Identity and access management systems
  Firewalls
  Remote access methodologies
  Vulnerability scanning and penetration testing tools
  Web security techniques
  Wireless security methods


Information Security Program Concepts
Scope and Charter of an Information Security Program

• The information security manager will need to determine the responsibilities, charter and scope of the program, whether forming a new security program or coming into a current one.

• The security manager will find it hard to determine what to manage, or how well a given security function is meeting objectives, without clearly defined responsibilities.

• It is essential to understand where the information security function fits into the whole organisational structure in terms of the chain of command.

• If a program has been functioning and is well established, numerous security program functions will already be accepted practice.


Information Security Program Concepts (Continued)

• If the prior manager is available for orientation, it would be sensible to use any time available to gain insight into the existing situation.

• Security is often politically charged, and success may hinge more on developing the right relationships than on any particular expertise.

• It is also essential to gain a thorough knowledge of the current state of security functions in the enterprise.

• Reviews of recent incidents, audits and other related reports will be useful.


Common Information Security Program Challenges

• Expanding, initiating or refining a security program will usually result in a surprising array of unexpected conditions for the information security manager. These include:

  Organisational resistance due to changes in areas of responsibility introduced by the program.
  A perception that increased security will decrease access needed for job functions.
  Overreliance on subjective metrics.
  Strategy failure.
  Expectations of procedural compliance without ensuring oversight.
  Inadequate project management delaying security initiatives.
  Previously hidden, damaged or buggy security software.
  Poor monitoring or management of vendor or third-party security activities.
  Deficiency of program alignment with business objectives and goals.


Common Information Security Program Challenges
Management Support

• Lack of management support is most common in smaller enterprises or businesses of any size that are not in high-security industries.

• Because such enterprises are not required to address information security, they frequently regard it as a minor issue that adds cost with little value.

• Management may require direction on what actions are expected, as well as information on approaches taken by industry peers to address information security.

• Even if initial education does not result in an immediate increase in support, ongoing education should be carried out to raise awareness of security needs. The information security program strategy must include provisions for managing changes and updates.

• Management support necessitates an ongoing dialogue with a review of objectives and strategy on a regular basis.


Common Information Security Program Challenges
Funding

• One of the most challenging and frustrating issues the information security manager must address is inadequate funding for information security initiatives. While this problem may be a sign of an underlying deficiency of management support, there are usually other aspects the information security manager is capable of influencing.

• Some funding-related problems that may need to be handled by the information security manager include:

  Management not identifying the importance of security investments.
  Security being viewed as a low-value cost centre.
  Management not comprehending where current money is going.
  The organisational requirement for a security investment not being understood.
  The need for more attention to industry trends in security investment.


Common Information Security Program Challenges
Staffing

• Insufficient staff to meet security program requirements usually has its root cause in funding problems. Barriers to acquiring adequate staffing levels might include:

  Inadequate knowledge of what activities new resources will perform.

  Questioning of the requirement for, or advantage of, new resource activities.

  Lack of awareness of existing staff utilisation activities or levels.

  Belief that current staff are underutilised.

  Expectation that outsourcing alternatives will be analysed.


Common Information Security Program Constraints
Physical

• A variety of environmental and physical aspects may affect or constrain an information security program.

• The prominent ones include space, environmental hazards, and the capacity and availability of infrastructure.

• The program and security strategy should ensure that provisions are made for the consideration of adequate infrastructure capacity and environmental hazards.

• Consideration should include physical needs for recovery in the case of a disaster.


Common Information Security Program Constraints
Culture

• The internal culture of the enterprise must be considered while developing a security program.

• The culture in which the enterprise operates must also be considered. A program that is at odds with cultural norms may encounter resistance and may be hard to implement successfully.

Organisational Structure

• Organisational structure will have a critical effect on how a management strategy can be developed, executed and translated into an information security program.

• Cooperation between these functions is essential and generally needs senior management buy-in and involvement.


Common Information Security Program Constraints
Costs

• The development and implementation of a strategy consumes resources, including money and time.

• The most cost-effective method to execute a program is an essential consideration. Enterprises often justify spending based on a project's worth.

• With security projects, however, risk control and compliance with specific regulations are generally the primary drivers.

Personnel

• A security strategy must assess what resistance may be experienced during execution. Resistance to important changes, along with probable displeasure at new restrictions possibly viewed as making tasks more time-consuming or difficult, should be expected.


Common Information Security Program Constraints
Resources

• An adequate method must evaluate available budgets; the total cost of ownership (TCO) of additional and new technologies; and the manpower needs of design, implementation, operation, maintenance and eventual decommissioning.

• Generally, the TCO must be developed for the whole life cycle of processes, personnel, and technologies.

Capabilities

• The resources available to execute a strategy should include the known abilities of the enterprise, including skills and expertise.

• A strategy that relies on demonstrated capabilities is more likely to succeed than one that does not.


Common Information Security Program Constraints
Time

• Time is a main constraint in developing and implementing a strategy. There may be compliance deadlines that must be met, or specific strategic functions, such as a merger, that must be supported.

• There may be windows of opportunity for certain business activities that require distinct timelines for execution of particular strategies.

Technology

• Technological complexity may constrain the consistent execution of a security strategy across the enterprise.

• There may be existing legacy and unsupported systems that are unable to support the implementation of security controls until they are retired. Exception procedures may be developed to assess and manage the risk arising from these constraints.


Module 3A2: Information Asset Identification and Classification


Information Asset Identification and Valuation

• Identifying and inventorying information assets and determining their value, or approximate value, is an essential step for the information security program.

• This is required because business value is a part of the risk determination. The valuation process, which includes expressing all values in a common financial form, is straightforward for some assets.

• The consequences or impact of a breach of personally identifiable information (PII) can be regulatory sanctions.

• Other possible effects can occur if the individuals suffering identity theft losses file lawsuits for damages, or if lawyers file class-action lawsuits on behalf of many victims.

• Incorrect product or service information, or information leading to wrong investor decisions, can result in substantial losses as a result of various legal actions.


Information Asset Identification and Valuation (Continued)

• Types of distinct information assets that must be allocated a value and protected include, but are not limited to, the following:

  Proprietary processes and information of all kinds, including information that can harm the enterprise.
  Current financial records and future projections.
  Merger or acquisition plans.
  Strategic marketing plans.
  Trade secrets.
  Patent-related information.
  Privacy-related information, including protected health information (PHI) and PII.
  Customer data, including payment card information (PCI).


Information Asset Valuation Strategies
• Due to complexity of agreeing on related mission importance and priorities, some enterprises
theknowledgeacademy

may avoid asset valuation.

• Many enterprises do not have an accurate inventory of information assets, and the effort to
categorise and inventory them can seem a daunting task. The precision of the valuation is less
important than having a consistent approach for prioritising efforts.

• Values within the same order of magnitude as the actual loss are adequate for planning
purposes. Media reports provide many well-documented failure scenarios and loss amounts on
which to base a valuation.

• Information asset valuation methodologies incorporate multiple variables, including the level of
technological complexity and the level of potential direct and consequential financial loss.

• Quantitative valuation methodologies are typically the most accurate but can be quite difficult
once downstream and consequential effects are taken into account.



Information Asset Classification
• Information asset classification is needed to determine the criticality and relative sensitivity of
information assets, sometimes referred to collectively as business value.

• Sensitivity is based on the potential damage to the enterprise from unauthorised disclosure. It
provides the basis for protection efforts, user access control and business continuity planning.

• The first step in the classification process is to confirm that the information asset inventory is
complete, including identification of the location and purpose of each asset.

• A major benefit of information asset classification is that tying security to business goals reduces
the risk of either under-protecting information assets or over-protecting them at great expense.

• If the enterprise is risk-averse and requires a high level of security, providing that same high
level of protection to all assets can be very costly.



Methods to Determine Criticality of Assets and Impact of Adverse Events

 Several approaches exist to determine the criticality and sensitivity of information resources and
the impact of adverse events. A BIA is a typical process for identifying the impact of adverse events.

 The information security manager may use the methodologies outlined in NIST, COBIT and
other frameworks that are representative of the available resources. It is essential, however, to
confirm that the analysis covers both the direct impact and any downstream consequences.

 The first step in determining information asset criticality is to break the organisational or
corporate structure down into departments or business units.

Top Layer of Business Risk Structure


Methods to Determine Criticality of Assets and Impact of Adverse Events (Continued)

 The next step is to identify the critical organisational functions. For each department or business
unit, the focus is on defining which tasks are essential for the unit to achieve its goals.

Critical Function Layer of Business Risk Structure


Methods to Determine Criticality of Assets and Impact of Adverse Events (Continued)

Aligning Assets to the Critical Function Layer



Methods to Determine Criticality of Assets and Impact of Adverse Events (Continued)

Asset Vulnerabilities
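The four layers of the business risk structure described in this section (business units, critical functions, aligned assets, asset vulnerabilities) worked through in Python as an added example, not part of the course material: asset criticality is inherited from the critical functions the asset supports, sensitivity covers unauthorised disclosure, and the inventory checks reflect the earlier requirement that the asset list be complete, with an owner, location and purpose for every asset. All business units, functions, assets, scores and the tier thresholds are constructed sample data.

```python
"""Business risk structure: business units -> critical functions -> assets ->
asset vulnerabilities.

Added example, not course material. Every name, impact score, owner and
vulnerability below is constructed sample data; the tier thresholds in
classify() are an illustrative assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CriticalFunction:
    name: str
    business_unit: str   # top layer of the structure
    impact: int          # 1 (negligible) .. 5 (severe): loss if the function stops


@dataclass(frozen=True)
class Asset:
    name: str
    owner: Optional[str]         # None models an orphan system with no accountable owner
    location: str
    purpose: str
    supports: Tuple[str, ...]    # critical functions this asset enables
    sensitivity: int             # 1..5 damage from unauthorised disclosure
    vulnerabilities: Tuple[str, ...] = ()


# Constructed sample data: two business units with two critical functions each.
FUNCTIONS: Tuple[CriticalFunction, ...] = (
    CriticalFunction("payment processing", "Finance", 5),
    CriticalFunction("monthly reporting", "Finance", 2),
    CriticalFunction("customer onboarding", "Sales", 4),
    CriticalFunction("marketing analytics", "Sales", 2),
)

ASSETS: Tuple[Asset, ...] = (
    Asset("card-gateway", "finance-it", "DC1", "authorise card payments",
          ("payment processing",), sensitivity=5,
          vulnerabilities=("sample: unpatched TLS library",)),
    Asset("crm-db", "sales-ops", "cloud-eu", "customer records (PII)",
          ("customer onboarding", "marketing analytics"), sensitivity=4),
    Asset("report-share", None, "DC1", "finance spreadsheets",
          ("monthly reporting",), sensitivity=3),
    Asset("web-analytics", "marketing", "saas", "click tracking", (), sensitivity=1),
)


def criticality(asset: Asset, functions=FUNCTIONS) -> int:
    """Criticality is inherited from the functions an asset supports: take the
    worst impact among them, so a shared asset carries its most critical use."""
    impact: Dict[str, int] = {f.name: f.impact for f in functions}
    return max((impact[n] for n in asset.supports if n in impact), default=0)


def classify(asset: Asset, functions=FUNCTIONS) -> str:
    """Business value combines criticality (availability) with sensitivity
    (disclosure). The three tiers and their thresholds are an assumption."""
    value = max(criticality(asset, functions), asset.sensitivity)
    if value >= 4:
        return "restricted"
    if value >= 3:
        return "confidential"
    return "internal"


def inventory_gaps(assets=ASSETS, functions=FUNCTIONS) -> List[str]:
    """Completeness checks before classification: every asset has an owner,
    location and purpose; every asset maps to some critical function; every
    critical function has at least one supporting asset."""
    gaps: List[str] = []
    supported = set()
    for a in assets:
        if a.owner is None:
            gaps.append(f"{a.name}: no owner (orphan system)")
        if not a.location or not a.purpose:
            gaps.append(f"{a.name}: location or purpose not recorded")
        if not a.supports:
            gaps.append(f"{a.name}: mapped to no critical function")
        supported.update(a.supports)
    for f in functions:
        if f.name not in supported:
            gaps.append(f"{f.name}: critical function with no supporting asset")
    return gaps


def treatment_order(assets=ASSETS, functions=FUNCTIONS) -> List[str]:
    """Order assets for risk treatment: highest criticality first, then the
    number of known vulnerabilities, so effort goes where the impact is largest."""
    ranked = sorted(assets, key=lambda a: (-criticality(a, functions),
                                           -len(a.vulnerabilities), a.name))
    return [a.name for a in ranked]


if __name__ == "__main__":
    for a in ASSETS:
        print(f"{a.name:14} criticality={criticality(a)} tier={classify(a)}")
    print("gaps:", inventory_gaps())
    print("treat in order:", treatment_order())
```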



Module 3A3: Industry Standards and Frameworks for Information Security


Enterprise Information Security Architectures
• An enterprise information security architecture (EISA) can be a strong tool for the development,
implementation and integration of a strategy.

• Because an EISA is an integral part of enterprise architecture, its effectiveness depends on that
wider architecture. The failure of enterprises to adopt the concept of security architecture seems
to have several recognisable causes.

• Even though technical security has improved significantly, the lack of architecture has over time
resulted in less functional security integration and increasing vulnerability across the
enterprise.

• This lack of integration contributes to the growing difficulty of managing enterprise security
efforts effectively.



Enterprise Information Security Architectures (Continued)

• The objectives of information security architecture approaches are to:

 Provide overarching coherence, cohesiveness and structure.
 Act as a program development road map.
 Ensure strategic alignment between security and the business.
 Enable and support attainment of the business strategy.
 Implement the security strategy and policies.
 Ensure traceability back to specific business requirements, key principles and business strategy.
 Provide a level of abstraction independent of specific technologies and preferences.
 Establish a common language for information security within the enterprise.
 Allow many people and supporters to work together to achieve objectives.



Enterprise Information Security Architectures (Continued)

• TOGAF addresses the following related areas of specialisation, called architecture domains:

1. Business architecture, which describes the business strategy, governance, organisation and
key business processes of the enterprise.

2. Data architecture, which describes the structure of an enterprise's logical and physical data
assets and the related data management resources.

3. Applications architecture, which provides a blueprint for the individual application systems to
be deployed, the interactions among them, and their relationships to the core business
processes of the enterprise, together with the frameworks for services to be exposed as
business functions for integration.

4. Technical architecture, which describes the hardware, software and network infrastructure
needed to support the deployment of core, mission-critical applications.
Enterprise Information Security Architectures (Continued)

The TOGAF Architecture Development Method



Enterprise Information Security Architectures
Enterprise Architecture Domains

• The following are generally accepted subsets of overall enterprise architecture:

• A business architecture describes the business strategy, governance, organisation and key
business processes.

• A data architecture describes the structure of an enterprise's logical and physical data assets
and data management resources.

• An application architecture provides a blueprint for the individual application systems to be
deployed, their interactions and their relationships to the enterprise's core business processes.

• A technology architecture describes the hardware and software infrastructure, component
relationships and architectural principles intended to support the deployment of core,
mission-critical applications.



Enterprise Information Security Architectures
Objectives of Information Security Architectures

• One of the main functions of architecture as a tool is to provide a framework for successfully
managing complexity.

• As a project grows in size and complexity, numerous designers and design influences must work
together to produce something that appears to have been created by a single design
authority.

• As the complexity of the business environment grows, many business operations and support
processes must combine seamlessly to provide adequate management and services for the
business, its partners and its customers. Architecture provides a way to manage that complexity.



Information Security Management Frameworks
• An information security management framework is a conceptual representation of an
information security management structure.

• The framework should describe the technical, operational, managerial, administrative and
educational components of the programme, the organisational units and leadership responsible
for each component, the control or management objective each component should achieve, the
interfaces and information exchange between the components, and the concrete results expected
of each component.

• Other outcomes of an effective security management framework focus on shorter-term
requirements.

• Both directly and indirectly, these objectives include demonstrating the following:

 The program adds strategic and tactical value to the enterprise.



Information Security Management Frameworks (Continued)

 The program is being run efficiently and with attention to cost issues.

 Information security capabilities and knowledge are increasing as an outcome of the program.

 Management has a clear understanding of information security drivers, needs, activities and
benefits.

 The program encourages goodwill and cooperation among organisational units.

 Information security stakeholders are assisted in understanding their roles, responsibilities and
expectations.

 The program includes provisions for the continuity of the enterprise's business.



Information Security Management Frameworks
Control Objectives for Information and Related Technologies (COBIT)

• COBIT enables information and technology to be governed and managed holistically for the
whole enterprise, covering the business and IT functional areas of responsibility and considering
the information-related interests of internal and external stakeholders.

• COBIT is based on two sets of principles: 1) principles that describe the core requirements of a
governance system for enterprise information and technology, and 2) principles for a framework
that can be used to build a governance system for the enterprise.

• COBIT includes multiple focus areas that describe particular governance topics, domains and
issues that can be addressed by a collection of governance and management objectives and their
components.



Information Security Management Frameworks
ISO/IEC 27001:2013

• Based on the British Standard, this standard has been slightly expanded to include the
following control areas:
 A.5 Information Security Policies
 A.6 Information Security Organisation
 A.7 Human Resource Security
 A.8 Asset Management
 A.9 Access Control
 A.10 Cryptography
 A.11 Physical and Environmental Security
 A.12 Operations Security
 A.13 Communications Security
 A.14 System Development and Maintenance
 A.15 Supplier Relationships
 A.16 Information Security Incident Management
 A.17 Information Security Aspects of Business Continuity Management
 A.18 Compliance



Information Security Management Frameworks
NIST Cybersecurity Framework

• Formally titled the NIST Framework for Enhancing Critical Infrastructure Cybersecurity, this
model provides high-level guidance for aligning a cybersecurity program with enterprise goals.
The framework emphasises the need for adequate risk management integration and strongly
supports progress in supply chain risk management.

• The NIST Cybersecurity Framework does not prescribe the controls to be used. Analysis of the
gaps against its requirements allows controls-based frameworks to be applied to improve
information security risk management. The components of the NIST Cybersecurity Framework
are:

 Framework Core
 Framework Implementation Tiers
 Framework Profile



Information Security Management Frameworks
NIST Risk Management Framework

• The NIST Risk Management Framework (RMF) integrates security, privacy and cyber supply
chain risk management activities into the system development life cycle.

• The RMF provides a risk-based process for categorising relevant assets, selecting and
implementing controls to ensure adequate protection, and monitoring the ongoing efficiency and
effectiveness of risk management processes. The RMF steps are:

 Prepare → Categorise → Select → Implement → Assess → Authorise → Monitor



Information Security Frameworks Components
Technical Components

• Information security is generally embedded in all the technical IT elements of an enterprise,
including setting and maintaining appropriate security standards, testing strategies for policy
compliance, designing and implementing suitable security metrics, and providing general
oversight.

• It is important that all technology elements have a recognised owner and that there are no
orphan systems. This is required to ensure accountability and responsibility for keeping all
systems in compliance with security policies, and for ownership and appropriate treatment of
the associated risk down to acceptable levels.

• From an information security perspective, the vast majority of the enterprise's information will
reside with IT, which will therefore be a major focus of the information security framework.

• The information security function must adequately regulate the IT function and provide direction
to ensure policy compliance sufficient to achieve acceptable risk levels consistent with the
information security strategy goals.
Information Security Frameworks Components
Operational Components

• Operational components of a security program are the ongoing management and administrative
activities that must be performed to provide the required level of security assurance.

• These operational components include items such as business operation security practices, SOPs,
and administration and maintenance of security technologies.

• They are usually performed on a daily to weekly schedule. The information security manager
should provide ongoing management of the operational information security components.



Information Security Frameworks Components
Management Components

• Management components generally include strategic implementation activities such as
standards development or modification, oversight of initiatives, program implementation or
policy reviews.

• These activities usually take place less frequently than operational components, possibly on a
schedule measured in months, quarters or years.

• Management policies, requirements and objectives are key to shaping the information security
program, which in turn defines what must be managed.

• Periodic or ongoing analysis of risk, assets, threats and organisational impact must continue, as
the basis for changing security policies and for developing and modifying standards.



Information Security Frameworks Components
Administrative Components

• The information security manager responsible for such an operation should ensure that HR,
financial and other management functions are adequate.

• Financial administration functions commonly include timeline planning, TCO
analysis/management, ROI analysis/management, purchasing/acquisition and inventory
management.

• The information security manager must build a working rapport with the enterprise's finance
department to ensure a strong working relationship, support, and compliance with financial
policies and procedures.

• HR management functions generally include organisational planning, job description
management, recruitment and hiring, payroll and time tracking administration, performance
management, employee education and development, and termination management.



Information Security Frameworks Components
Educational and Informational Components

• Employee education and awareness about security risk is often combined with employee
orientation and initial training.

• General organisational policies and procedures, such as acceptable use policies and employee
monitoring policies, should be administered and communicated at the HR level of the enterprise.

• At the business unit level, responsibilities and issues specific to an employee's role or to the
enterprise should be administered and communicated.

• Interactive education techniques, such as role-playing and online testing, are usually more
effective than a purely informational approach.

• The information security manager should cooperate with business and HR departments to
identify information security education requirements.



Module 3A4: Information Security Policies, Procedures, and Guidelines


Policies
• Policies are the high-level statements of management intent, expectations and direction.

• In a mature enterprise, well-developed policies can remain fairly static for extended periods.

• Policies must be aligned with and support the planned security objectives of the enterprise.

• An exception procedure must be established for situations in which policy compliance cannot be
achieved.

• The exception procedure must include formally documented governance oversight acknowledging
acceptance of the risk created by not adhering to the information security policy.



Policies
Policy Development

• One of the most essential aspects of the action plan to implement the strategy is to create or
modify standards and policies as required.

• The road map must show the steps and their sequence, milestones and dependencies.

• The action plan is essentially a project plan for implementing the strategy by following the road map.

• If the objective is ISO/IEC 27001:2013 compliance, each of the 14 relevant domains and major
subsections must be the subject of one or more policies.

• In practice, this can be effectively accomplished with about two dozen specific policies for large
organisations. The finished strategy provides the basis for creating new policies or modifying
existing ones.



Standards
• Standards are used to determine whether systems, processes and procedures meet the
requirements of policy.

• Metrics demonstrate whether or not a procedure complies with a standard.

• Boundaries are set in terms of permitted limits on people, processes and technologies.

• To ensure security while maximising procedural options, standards must be carefully crafted
to impose only the required limits.

• Multiple standards will normally exist for each policy, depending on the classification level or
security domain.

• For example, the password standard would be more restrictive when accessing high-security
domains.



Standards
Standards Development

• Standards are extremely effective security management tools. They define the permitted
boundaries for technology and system processes and practices, as well as for people and
events.

• When properly applied, they are the legislation to the policy's constitution. They serve as a
yardstick for policy compliance and a solid foundation for audits. Standards are the primary
tool for executing good security governance, and the information security manager must own
them.

• Additional standards and norms governing format, content, and mandatory approvals must be
established. Standards must be communicated to those who are regulated by them as well as
to those who are affected by them.

• Processes for review and change must also be developed. Exception processes must be
designed for standards that are not easily achievable due to technological or other constraints.



Procedures
• Procedures fall under the purview of operations, including security operations; however, they
are included here for clarification.

• Procedures must be clear and include all steps required to complete the tasks they cover. They
must define the expected outcomes, outputs, and prerequisite conditions for execution.
Procedures must also include the steps to take if unexpected results arise.

• Procedures and their terminology must be precise and unambiguous. For example, the words
"must" and "shall" are used for any mandatory task.

• The word "should" must be used for a desired but not required action. The words "may" or
"can" must only be used to indicate completely discretionary action.

• Discretionary tasks should only be included in procedures if absolutely essential, as they dilute
the force of the procedures' instructions.



Guidelines
• Operations is in charge of developing and executing procedures. Guidelines should include
information that will be useful in carrying out procedures, such as clarification of policies and
standards, dependencies, suggestions and examples, narratives describing the procedures,
background information that may be valuable, and tools that can be used.

• Guidelines can be beneficial in a variety of other situations, but they are discussed here in the
context of information security governance.

• Policies, procedures, standards, and guidelines should be cross-referenced so that they may be
easily understood, referred to when needed, and kept up to date.

• It is usually a good idea to have an intranet or another mechanism to store them so that the
appropriate audience can access them when needed.



Module 3A5: Information Security Program Metrics


Introduction
• A metric is defined as a quantifiable element that allows the achievement of a process goal to
be measured.

• Security is defined as the absence or prevention of harm. As a result, security metrics should
inform us about the state or degree of safety in comparison to a reference point.

• Technical metrics can be used to manage the tactical operational aspects of technical security
systems.

• They can show that the infrastructure is in good working order and that technical
vulnerabilities have been found and resolved.

• They provide few indicators of policy compliance or whether objectives for acceptable levels of
potential effect are being met, and they provide little information on whether the information
security program is on track and achieving the anticipated results.



Effective Security Metrics
• Any activity that cannot be measured is difficult or impossible to manage. The primary goal of
metrics, measures, and monitoring is to aid decision making. The key to good metrics is to
apply a set of criteria to identify which of the virtually limitless number of candidate metrics
are the most appropriate. Good metrics are:

 Specific—based on a well-defined purpose; clear and concise.

 Measurable—capable of being measured; quantifiable (objective) rather than subjective.

 Achievable—realistic; founded on essential aims and ideals.

 Relevant—inextricably linked to a specific action or aim.

 Timely—based on a defined time period.



Effective Security Metrics
Governance Implementation Metrics

• Implementing an information security governance plan and structure can be time-consuming.
Relevant metrics must be in place during the execution of an information security program.

• The overall security program's performance will be too far downstream to offer timely
information on implementation, so another solution is required.

• KGIs and KPIs can be used to provide information on the achievement of process or service goals,
as well as to identify whether organisational milestones and objectives have been accomplished.

• Because diverse components of governance are frequently implemented through projects or
initiatives, traditional project measurement methodologies can meet metrics needs.



Effective Security Metrics
Strategic Alignment Metrics

• Strategic alignment of information security in support of organisational objectives is critical to
the information security program's eventual success in delivering value to the enterprise.

• It should be obvious that the cost-effectiveness of the security program is inextricably linked to
how well it meets the enterprise's objectives and at what cost.

• The best overall indicator that security activities are aligned with business (or organisational)
objectives is a security strategy that defines security objectives in business terms and ensures
that those objectives are carried through directly from planning to the implementation of
policies, standards, procedures, processes, and technology.

• The litmus test is the ability to trace a specific control back to a specific business requirement.



Effective Security Metrics
Risk Management Metrics

• Risk management is the main goal of all information security activities and organisational
assurance efforts. A successful risk management program is one that meets expectations and
achieves its set objectives while keeping risk at levels acceptable to management in an efficient,
effective, and consistent manner. Indicators of effective risk management may include:

 Organisational risk appetite and tolerance described in enterprise-relevant terms.
 The comprehensiveness of the overall security plan and program for attaining acceptable risk levels.
 The number of identified major risk mitigation targets.
 Procedures for managing or mitigating negative consequences.
 A systematic, ongoing risk management process that covers all business-critical systems.
 Periodic risk assessment trends reflecting progress toward stated goals.
 Impact trends.



Effective Security Metrics
Value Delivery Metrics

• Value delivery occurs when security investments are optimised in support of organisational
goals. Optimal investment levels are reached when strategic security goals are met and an
acceptable risk posture is obtained at the lowest possible cost. Key goal and performance
indicators (KGIs and KPIs) include:

 Security activities aimed at achieving specified strategic goals in a cost-effective manner.
 The cost of security is proportionate to the asset's value.
 Security resources are allocated based on the level of assessed risk and potential impact.
 Protection costs that are aggregated based on revenue or asset valuation.
 Controls that are well designed, based on defined control objectives, and that fully achieve those
control objectives.
 A sufficient and suitable number of controls to achieve acceptable levels of risk and impact.



Effective Security Metrics
Resource Management Metrics

• Information security resource management refers to the processes used to organise, assign, and
govern information security resources, such as people, processes, and technology, in order to
improve the efficiency and effectiveness of business solutions. The following are some
indicators of effective resource management:

 Infrequent rediscovery of solutions to known problems.
 Effective capture and sharing of knowledge.
 The level of standardisation of security-related processes.
 Clearly defined information security roles and responsibilities.
 Every project plan includes information security.
 The proportion of information assets and related threats that have been appropriately addressed by
security efforts.
 The appropriate organisational location, level of authority, and staffing level for the information
security function.
 Employee productivity.



Effective Security Metrics
Performance Measurement

• To ensure that organisational goals are met, information security processes must be
measured, monitored, and reported on. Effective performance measurement indicators
include:

 The time required to detect and report security incidents.
 The number and frequency of unreported incidents that were subsequently discovered.
 Cost and effectiveness benchmarking against comparable enterprises.
 The capacity to assess control effectiveness and efficiency.
 Unmistakable evidence that security objectives are being met.
 The outcomes of internal and external audits.
 The absence of unanticipated or unreported security incidents.
 Awareness of evolving and emerging threats.
 A reliable method for identifying organisational vulnerabilities.
 Methods for monitoring changing risk.
 Consistent log review processes.
 Business continuity planning and disaster recovery test results.



Security Program Metrics and Monitoring
• Several metrics considerations must be examined during the information security programme
management process.

• Unmonitored key controls represent an unacceptable risk and should be avoided. Enterprise
security entails far more than specific technical measures such as firewalls, passwords,
intrusion detection, and disaster recovery plans.

• The ability to measure and quantify is a key principle of systems engineering. Measurement
supports correct design, precise execution to specifications, and efficient management
operations such as goal setting, progress tracking, benchmarking, and prioritisation.

• In essence, measurement is a crucial prerequisite for the success of a security program. An
effective security program includes the design and planning, execution, and continuous
management of the people, processes, and technology that affect all elements of company
security.



Metrics Tailored to Enterprise Needs
• The information security governance process should result in a set of enterprise-specific goals
for the information security program.

• Information security program metrics that directly correspond to these control objectives are
critical for program management.

• It should be obvious that developing meaningful security management metrics will be
impossible without the basis of governance to set goals and create points of comparison.

• That is, measurements that lack a reference point in the form of objectives or goals are not
metrics and are unlikely to be effective in guiding the program.

• Metrics ultimately serve only one purpose: decision support. They provide information on which
to base informed judgements about what the program is attempting to achieve.



Metrics Tailored to Enterprise Needs
Strategic

• Strategic metrics are frequently a synthesis of other management indicators designed to show
that the security program is on track, on goal, and within budget to accomplish the desired
results.

• The information required at the strategic level is primarily navigational in nature (i.e.,
determining whether the security program is headed in the right direction to achieve the
defined objectives leading to the desired outcomes).

• Both the information security manager and senior management require this information in
order to provide adequate oversight.



Metrics Tailored to Enterprise Needs
Management

• Management (or tactical) metrics are those required to run the security program, such as
policy and standard compliance, incident management and response effectiveness, and
personnel and resource utilisation.

• At the security management level, information on compliance, emerging risk, resource usage,
alignment with corporate goals, and other subjects is necessary to make the decisions required
for effective management.

• The information security manager also needs a summary of technical metrics to ensure that the
machinery is operating properly and within acceptable ranges, just as the driver of a car wants
to know that there is fuel in the tank and that the oil pressure and water temperature are within
acceptable limits.



Metrics Tailored to Enterprise Needs
Operational

• The most common technical and procedural metrics are operational metrics, which include
open vulnerabilities and patch management status. Purely technical metrics are particularly
important for IT security managers and system administrators. There are various other
considerations when developing metrics, including that they be:

 Manageable, Meaningful, Actionable, Unambiguous, Reliable, Accurate, Timely, Predictive and
Genuine.



Module 3B1: Information Security Control Design and Selection


Introduction

• Controls are a method of risk management.

• They include many of the previous elements (such as policies, procedures, guidelines, practices, and organisational structures) and are the primary elements to consider when developing an information security program.

• Controls are executed to attain specific goals, and they collaborate to enable stakeholder goals through the strategic program plan.

• Control objectives aid in the alignment and achievement of security and privacy goals.

• Control objectives are defined as a statement of the desired outcome or purpose of executing control procedures in a specific process.


Managing Risk Through Controls

• Physical, technical, and administrative controls are all possible. The selection of controls should be based on several factors, including assuring their effectiveness, cost or potential restriction of business activities, and optimal form of control.

IT Controls

• As information and technology play such an important role in the operations of many businesses, IT controls account for the majority of the controls they require. While technical controls are included, many IT controls are both technical and administrative in nature.

Non-IT Controls

• The information security manager should be aware that information security controls for non-IT-related information processes, such as secure marking, handling, and storage requirements for physical information, and considerations for dealing with and preventing social engineering, must also be developed. Environmental controls should be considered so that otherwise secure systems are not simply stolen, as has happened in some well-publicised cases.


Managing Risk Through Controls
Layered Defences

• Defence in depth, or layering defences, is an important concept in developing an effective information security strategy or architecture.

• The layers should be designed in such a way that the failure of one layer does not result in the failure of the next layer. The number of layers required will be determined by asset sensitivity and criticality, defence reliability, and degree of exposure.

• Excessive reliance on a single control is likely to lead to overconfidence. A company that relies solely on a firewall, for example, may still be vulnerable to a variety of attack methods.

• A human firewall, which can serve as an additional layer of defence, can be created through education and awareness. Another defensive layer can be created by segmenting the network.


Managing Risk Through Controls
Technologies

• Several security technologies have been developed over the last few decades to address the ever-increasing threats to information resources.

• One of the pillars of an effective security strategy is technology.

• The information security manager must understand how technologies can be used as controls to achieve the desired level of security.

• However, technology cannot compensate for management, cultural, or operational shortcomings, and the information security manager should not rely too heavily on it.


Controls and Countermeasures

• To achieve control objectives, the information security program must include both general and system-level controls in its design.

• General, or common, controls are control activities that, as part of the security infrastructure, support the entire enterprise in a centralised fashion.

• Because infrastructure is frequently shared by different departments within the same enterprise, the term general controls is frequently used to refer to all controls in the infrastructure.

• Control activities in support of an operating system, network security, and facility security are examples. These controls typically include centralised user administration policies, standards, and procedures, as well as technical elements like access controls, firewalls, and intrusion detection systems (IDSs).

• Subordinate system-level activities can then inherit these general controls to achieve control objectives.


Control Categories

• Controls should be implemented across several control categories to support the development of a defence-in-depth strategy and to ensure comprehensive achievement of control objectives. The categories are: preventive, detective, corrective, compensating, and deterrent.


Control Design Considerations

• Controls and countermeasures are most effective when based on a top-down, risk-based approach to assure comprehensive and practical design.

• This is because control objectives are largely determined by management's defined acceptable risk levels. The controls must be designed to achieve the objectives of acceptable risk levels.

• As a result, the control objectives serve as both the design objective and the subsequent control metric for effectiveness.

• Control objectives must be defined during program development and apply to physical, administrative, and technical controls.

• Control objectives necessitate the use of a variety of control types. A technical control, such as a firewall, may necessitate a physical protection control, a configuration procedural control, and administrative oversight.


Control Methods

• Security controls include administrative, technical, and physical controls, as well as the use of technical and nontechnical methods. Technical controls are safeguards built into computer hardware, software, or firmware.

• Management and operational controls, such as security policies, standards, operational procedures and personnel, and physical and environmental security, are examples of nontechnical controls.

Category: Description

Managerial: Controls pertaining to a process's oversight, reporting, procedures, and operations. Policies, processes, balancing, employee development, and compliance reporting are examples of these.

Technical: Controls provided by technology, a piece of equipment, or a device. Firewalls, network or host-based intrusion detection systems, passwords, and antivirus software are some examples. To function properly, a technical control requires proper managerial controls.

Physical: Locks, fences, closed-circuit television (CCTV), and other devices installed to physically restrict access to a facility or hardware. Physical controls necessitate maintenance, monitoring, and the ability to assess and respond to an alert in the event of a problem.


Control Methods
Countermeasures

• In addition to the general safeguards provided by standard controls, the information security manager may require a control against a specific threat on occasion. A countermeasure is a type of control.

• Countermeasures frequently provide targeted protection, making them more effective but less efficient than broader, more general safeguards—though not always less cost-effective, depending on the original and residual ALE associated with the threat being countered.

• Countermeasures are controls that are put in place in response to a known threat. They can be preventive, investigative, or corrective in nature, or any combination of the three. Nontechnical countermeasures can also be used, like offering a reward for information leading to the arrest of hackers.

• Countermeasures used to address specific threats or vulnerabilities are frequently costly, both operationally and financially, and can become a distraction from core security operations.


Control Methods
Physical and Environmental Controls

• All efforts to protect information are built on a strong physical barrier that protects the physical media on which the information is stored. Physical security is often provided as part of facilities management in many businesses.

• The physical security organisation may establish requirements building by building and enforce those requirements through a combination of physical security technology and manual procedures.

• An information security manager must validate technology choices in support of physical security processes and ensure that adequate physical security policies and standards are developed.

• Physical and environmental controls are a subset of general controls that are used by all computing facilities and personnel. Furthermore, some technologies include features that enable physical mechanisms to override logical controls.


Control Methods
Control Technology Categories

• Consider operational authority and the types of controls available when determining the types of control technologies that must be considered by the information security manager.

• As the majority of technical controls are under the direct control of the IT department, it is necessary to consider how security will be maintained. IT and the security department may share operational authority in some cases.

• In terms of the types of controls available, technologies typically fall into one of three categories:

1. Native Control Technologies
2. Supplemental Control Technologies
3. Support Control Technologies


Control Methods
Technical Control Components and Architecture

• Dealing with a wide range of technical components previously classified as native control technologies, supplemental control technologies, and management support technologies is part of information security management.

• The technical security architecture is made up of native control and support technologies. This construct can be applied to individual business applications or to the enterprise as a whole, with the goal of revealing how individual technical components interact to provide overall enterprise or application security.

• This comprehensive view of technical component capabilities avoids the point-solution approach that leads to poor overall security. Technical security architecture analysis must be closely coordinated with threat and risk factor reviews and analysis.

• The information security manager should assure that the technical security architecture components are in sync with the enterprise's risk and threat postures as well as its business requirements.
Module 3B2: Information Security Control Implementation and Integration


Introduction

• Controls are the foundation of strategy execution. Executing a strategy entails designing, developing, testing, and implementing various types of controls in a variety of combinations.

• The strategy's development includes determining acceptable risk and risk tolerance.

• Control objectives, which define the main requirements for the controls, are determined using acceptable risk levels.

• Controls must also meet some or all of the criteria outlined in the preceding section.

• Controls that affect all aspects of an enterprise, including people, technology, and processes, are required for effective information security.

• To achieve the control objectives, a combination of controls is frequently required. The control options are virtually limitless, which adds to the difficulty.


Introduction
(Continued)

• Access control, for example, is a preventive control that prevents unauthorised access that could harm systems. Because it detects unauthorised access, intrusion detection is a detective control.

• Backup and restoration procedures are a corrective measure that allows a system to be recovered if the damage is severe enough that data is lost or irreparably damaged, resulting in impact.

• Compensating controls (for example, insurance) are similar to corrective controls in that they compensate for an impact caused by a compromise.

• Security products frequently include a variety of control combinations. A firewall is a common control that filters network traffic to limit which protocols (or ports) can be used to enter or exit an internal network, as well as which addresses or address ranges are allowed as a source and destination.


Introduction
(Continued)

• This is a preventive control because it prevents unauthorised access to specific network ports, protocols, or destinations.

• The same firewall may have more advanced features, such as the ability to scan inbound network traffic for malware and send alerts to an operations centre if suspicious traffic passes through the device. This is a detective control.

• The firewall may also include a feature that lets operations redirect incoming traffic to a backup site if it is discovered that a virus has reduced capacity at the primary site after responding to the virus alert.

• Because it allows the systems to resume normal operations, this is a recovery or corrective control.

• As a deterrent control against unauthorised access, the proxy service that runs on the firewall may be capable of displaying a warning banner.
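The firewall discussion above describes one product carrying three control types at once: filtering by address, protocol and port (preventive), scanning allowed traffic and alerting (detective), and redirecting traffic to a backup site while the primary is degraded (corrective). The Python block below is an added model of that combination; it is not code from the CISM material or any firewall product, and the rule base, the addresses (documentation ranges) and the byte marker the scanner alerts on are all constructed for the example.

```python
"""A toy firewall combining preventive, detective and corrective controls.
Added example; rules, addresses and the 'suspicious' marker are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    proto: Optional[str] = None       # None matches any protocol
    dport: Optional[int] = None       # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


# Constructed rule base: first match wins; no match means deny (fail closed).
RULES = [
    Rule("deny", src_net="192.0.2.0/24"),                         # blocked range
    Rule("allow", dst_net="10.0.0.0/8", proto="tcp", dport=443),  # HTTPS inbound
    Rule("allow", dst_net="10.0.0.0/8", proto="tcp", dport=80),   # HTTP inbound
]

# Constructed detective signature (a placeholder, not a real malware pattern).
SUSPICIOUS_MARKER = b"CONSTRUCTED-BAD-PATTERN"


def filter_packet(p: Packet, rules=None) -> str:
    """Preventive control: return 'allow' or 'deny'; default is deny."""
    for r in (RULES if rules is None else rules):
        if r.matches(p):
            return r.action
    return "deny"


def inspect_payload(p: Packet) -> Optional[str]:
    """Detective control: return an alert string if the marker is present."""
    if SUSPICIOUS_MARKER in p.payload:
        return f"ALERT suspicious payload from {p.src} to {p.dst}:{p.dport}"
    return None


@dataclass
class Firewall:
    rules: List[Rule] = field(default_factory=lambda: list(RULES))
    primary_healthy: bool = True        # flipped by operations after an alert
    alerts: List[str] = field(default_factory=list)

    def process(self, p: Packet) -> dict:
        decision = filter_packet(p, self.rules)
        alert = inspect_payload(p) if decision == "allow" else None
        if alert:
            self.alerts.append(alert)
        # Corrective control: route allowed traffic to the backup site
        # while the primary site's capacity is degraded.
        routed = None
        if decision == "allow":
            routed = "primary" if self.primary_healthy else "backup"
        return {"decision": decision, "alert": alert, "routed_to": routed}


if __name__ == "__main__":
    fw = Firewall()
    print(fw.process(Packet("198.51.100.5", "10.1.2.3", "tcp", 443)))
    print(fw.process(Packet("192.0.2.9", "10.1.2.3", "tcp", 443)))
```

Note that the detective scan runs only on traffic the preventive layer has already allowed, which mirrors the layered-defence point made earlier: each control covers a case the previous one does not.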
Introduction
(Continued)

• Controls must be automated as much as possible so that bypassing them is technically impossible. Common control practices that make it difficult for users to circumvent controls include the following mechanisms:

1. Access (Logical) Control
2. Secure Failure
3. Principle of Least Privilege
4. Compartmentalising to Minimise Damage
5. Segregation of Duties (SoD)
6. Transparency
7. Trust
8. Zero Trust
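Three of the mechanisms listed above (access control with least privilege, segregation of duties, and secure failure) can be seen working together in a single authorisation decision. The Python block below is an added illustration, not code from the CISM material; the roles, users, permission names and the conflicting-duty pair are constructed for the example.

```python
"""Authorisation check combining least privilege (explicit allow-lists),
segregation of duties (mutually exclusive permissions) and secure failure
(deny on any error or unknown input). Added example; all data constructed."""
from typing import Dict, FrozenSet, Set, Tuple

# Constructed role definitions: each role carries only what its duty needs.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "payments_clerk":    frozenset({"payment.create"}),
    "payments_approver": frozenset({"payment.approve"}),
    "auditor":           frozenset({"payment.read", "log.read"}),
}

# Constructed SoD constraint: no single user may hold both permissions.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"payment.create", "payment.approve"}),
}

# Constructed user-to-role assignments. 'carol' violates SoD;
# 'dave' references a role that does not exist (a configuration error).
USER_ROLES: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"payments_clerk"}),
    "bob":   frozenset({"payments_approver"}),
    "carol": frozenset({"payments_clerk", "payments_approver"}),
    "dave":  frozenset({"ghost_role"}),
}


def effective_permissions(user: str) -> FrozenSet[str]:
    """Union of the permissions of every role assigned to the user.
    Raises KeyError for an unknown role so the caller can fail closed."""
    perms: Set[str] = set()
    for role in USER_ROLES.get(user, frozenset()):
        perms |= ROLE_PERMISSIONS[role]
    return frozenset(perms)


def sod_violations(user: str) -> Set[FrozenSet[str]]:
    """Conflict pairs fully contained in the user's effective permissions."""
    perms = effective_permissions(user)
    return {pair for pair in SOD_CONFLICTS if pair <= perms}


def authorise(user: str, permission: str) -> Tuple[bool, str]:
    """Deny unless explicitly permitted, SoD-clean, and evaluated without error."""
    try:
        if permission not in effective_permissions(user):
            return False, "not permitted"
        if sod_violations(user):
            return False, "segregation of duties violation"
        return True, "allowed"
    except Exception:
        return False, "error"   # secure failure: an evaluation fault denies access


if __name__ == "__main__":
    for user, perm in [("alice", "payment.create"), ("carol", "payment.create"),
                       ("dave", "payment.read")]:
        print(user, perm, authorise(user, perm))
```

The SoD check is evaluated on the user's whole permission set rather than on the requested permission alone, so a toxic combination blocks even the half of it the user would otherwise be entitled to; that is the point at which the assignment, not the request, must be corrected.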


Baseline Controls

• Defined baseline security controls must be required for all new system development. As part of the system documentation, baseline security requirements must be defined and documented, typically in standards.

• Adequate traceability of security requirements must be assured and supported throughout the life cycle. Authentication functions, logging, role-based access control, and data transmission confidentiality mechanisms are a few examples.

• The information security manager should understand the enterprise's risk tolerance and must consult industry and regional sources to establish a baseline set of security functions that are appropriate for organisational policies and acceptable risk levels.

• Based on vulnerability, threat, and risk analysis, additional controls may be warranted, and these controls must be involved in the requirements-gathering process.

• During the design and development phases, the information security team may be consulted to assess how well solution options meet acceptable risk requirements.


Baseline Controls
(Continued)

• There is almost never a perfect solution, and there will always be trade-offs between security requirements, performance, costs, and other demands.

• To achieve control objectives, the information security manager must be diligent in identifying and communicating solution deficiencies, as well as developing mitigating or compensating controls.

• To ensure that coding practices and security logic are adequate, the information security manager should use internal or external resources to review them during development.

• The information security manager must coordinate testing of originally established functional security requirements as well as testing system interfaces for vulnerabilities during the quality and acceptance phases.


Module 3B3: Information Security Control Testing and Evaluation


Introduction

• Following the implementation of controls, the next step is to assess the extent to which they attain their intended purpose.

• The goal, as with other elements of the security strategy and program, is to make sure that the layers of controls implemented achieve the agreed-upon acceptable level of risk, rather than to ensure that the controls completely eliminate any risk.

• Throughout the operation of the security program, testing and evaluation of the various management, technical, and physical controls will be ongoing, including system-specific controls that will be continuously assessed throughout the system life cycle.

• As risk objectives, the threat landscape, and system operation change, the evaluation procedure should evolve to assure that control objectives, such as cost-effectiveness and mission alignment, are met.


Control Strength

• The type of control being evaluated (preventive, detective, manual, automated, etc.) and the quantitative and qualitative compliance testing results can be used to determine control strength.

• Although an automated control is usually preferable to a manual control, a thorough examination may indicate that a manual control is superior. Alerts and automatic reports may be generated by an automated control design.

• Yet, a careful examination of the procedure may reveal that there is no evidence of review and that subsequent response actions, including resolution, cannot be measured. The control fails in this scenario.

• However, if handwritten notes with initials and dates are recorded within IDS log reports on a daily basis, and if the same notes contain analysis, action plans, ticket numbers, and resolution, then the manual control is far more effective than the automated one.

• Of course, no final conclusion about the strength of the control can be reached until it has been thoroughly tested.
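The IDS log review example above turns on evidence: the manual control is only as strong as the record it leaves each day. The Python block below is an added illustration of testing such a control by checking that every day in the review window has a record carrying initials, analysis, an action plan, a ticket reference and a resolution. It is not code from the CISM material; the review window and the records in it are constructed.

```python
"""Evaluate a manual daily-review control from the evidence it leaves.
Added example; the review window and records below are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Fields the text lists as evidence of an effective manual review
# (initials and date are the annotation; date is the record key).
REQUIRED_FIELDS = ("initials", "analysis", "action_plan", "ticket", "resolution")


@dataclass
class ReviewRecord:
    review_date: date
    initials: str = ""
    analysis: str = ""
    action_plan: str = ""
    ticket: str = ""
    resolution: str = ""

    def missing(self) -> List[str]:
        """Names of required evidence fields left blank on this record."""
        return [f for f in REQUIRED_FIELDS if not getattr(self, f).strip()]


# Constructed evidence: five working days, one incomplete, one absent.
SAMPLE_RECORDS = [
    ReviewRecord(date(2024, 6, 3), "JS", "no anomalies", "none", "n/a", "closed"),
    ReviewRecord(date(2024, 6, 4), "JS", "3 port-scan alerts", "block source",
                 "TKT-0001", "blocked at edge"),
    ReviewRecord(date(2024, 6, 5), "AB", "repeat alerts", "escalate"),  # no ticket/resolution
    ReviewRecord(date(2024, 6, 7), "AB", "quiet", "none", "n/a", "closed"),
]


def evaluate_review_control(records: List[ReviewRecord], start: date, end: date) -> Dict:
    """Score daily coverage and completeness; the control is effective only
    when every day in the window has a complete record."""
    by_day = {r.review_date: r for r in records}
    days = [start + timedelta(days=i) for i in range((end - start).days + 1)]
    missing_days: List[str] = []
    incomplete: Dict[str, List[str]] = {}
    for d in days:
        rec = by_day.get(d)
        if rec is None:
            missing_days.append(d.isoformat())
        elif rec.missing():
            incomplete[d.isoformat()] = rec.missing()
    complete = len(days) - len(missing_days) - len(incomplete)
    return {
        "days_expected": len(days),
        "days_complete": complete,
        "coverage_pct": round(100.0 * complete / len(days), 1),
        "missing_days": missing_days,
        "incomplete": incomplete,
        "effective": complete == len(days),
    }


if __name__ == "__main__":
    print(evaluate_review_control(SAMPLE_RECORDS, date(2024, 6, 3), date(2024, 6, 7)))
```

The same check applied to an automated control that only emits alerts would find no review records at all, which is exactly the "no evidence of review" failure the text describes.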
Control Strength
(Continued)

• A control's strength can be measured in terms of its inherent (or design) strength and likelihood of effectiveness. Balancing the books to account for all cash and dividing accounting accountabilities among numerous employees are two examples of inherently strong controls.

• Accessing sensitive areas or materials requires dual control, which is an example of an inherently strong control by design.

• Risk mitigation must be linked to supported business functions in order to demonstrate value and alignment with business objectives.

• This assures that information security and IT governance initiatives are automatically followed, and that cost justification for the treatment procedure is self-explanatory and easily available.


Control Recommendations

• Control elements to consider when evaluating control strength include whether the controls are preventive or detective, manual or automated, formal (documented in procedure manuals with evidence of operation) or ad hoc.

• Controls that could mitigate or eliminate the identified risk (as appropriate to the enterprise's operations) to an acceptable level are provided during this step of the process.

• When recommending controls and alternative solutions to achieve control objectives, the following factors should be considered:

o Effectiveness of recommended options
o Compatibility with other impacted systems, processes and controls
o Relevant legislation and regulation
o Organisational policy and standards
o Organisational structure and culture
o Operational impact
o Safety and reliability
o Measurement
Control Recommendations
(Continued)

• Control recommendations are the outcomes of the risk assessment and analysis process, and they serve as input to the risk treatment process.

• The recommended procedural and technical security controls are evaluated, prioritised, and implemented during the risk treatment process.

• To determine which are required and appropriate for a specific enterprise, a cost-benefit analysis for the proposed controls should be performed to demonstrate that the costs of implementing the controls can be justified by a reduction in the level of risk or impact.

• The control implementation process should seek input from the appropriate business unit owner for effective results.


Control Testing and Modification

• Changes in the technical or operational environment can frequently alter the protective effect of controls or introduce new vulnerabilities that existing controls are not designed to address.

• Control testing is required in most publicly traded companies and must be executed as a regular practice in all businesses to assure that procedural controls are carried out consistently and effectively.

• Changes to technical or operational controls should be made with caution. Changes to technical controls must be made in accordance with change control procedures and with the approval of stakeholders.

• The information security manager must conduct an analysis of the proposed control environment to determine if there are any new or recurring vulnerabilities in the design and to assure that the control is designed properly.

• Following implementation, acceptance testing should be performed to assure that the mechanisms enforce the prescribed policies.


Module 3B4: Information Security Awareness and Training


Security Awareness Training and Education

• By addressing the behavioural aspect of security through education and regular application of awareness techniques, an active security awareness program can significantly minimise risk.

• Common user security problems, such as password selection, appropriate use of computing resources, email and online browsing safety, and social engineering, should be addressed through security awareness programmes.

• Education and understanding of the necessity of the information security programme is a key part of achieving compliance with the program.

• Employee awareness should begin when they join the company and continue on a regular basis.

• All enterprise personnel and, when applicable, third-party users must receive proper training and regular updates on the importance of enterprise security policies, standards, and procedures.


Developing an Information Security Awareness Program

• The information security manager should adopt a rigorous approach to developing and conducting the education and awareness programme, taking into account factors such as:

o Who is the target audience?
o What is the desired message?
o What is the intended outcome?
o What communication mechanism will be used?
o What is the organisational structure and culture?


Role Based Training

• While broad training on organisational policies and practices is required for all employees and third-party partners, the security program should also include training relevant to the duties of those in security-specific work tasks, including leadership roles. Particular considerations include:

1. Executive, leader, and manager training to help them understand their roles in defining risk expectations.

2. Training for persons in positions of authority should emphasise specific approaches for safeguarding precious resources.

3. Physical security personnel training focuses on those who are responsible for physical security, including environmental variables that support the confidentiality, integrity, and availability of critical organisational assets.


Role Based Training

• To confirm that all relevant workers receive the right training, a systematic approach to assessing and tracking course delivery and results should be implemented. Consider the following when conducting such tracking:

1. Coverage
2. Grading
3. Automation and Deployment


Module 3B5: Management of External Services


Governance of Third-Party Relationships

• The rules and practices used when dealing with third-party relationships are an important feature of information security governance. These parties are:

1. Service providers
2. Outsourced operations
3. Trading partners
4. Merged or acquired enterprises

• The capacity to manage security effectively in these partnerships is a significant challenge for the information security manager.

• There may be incompatibilities in technology between the organisations, process variations that may not integrate smoothly, or insufficient levels of baseline security.

• Concerns may also be raised about incident response, business continuity, and disaster recovery capabilities.


Third Party Service Providers

• A typical firm makes extensive use of information resources to support its business processes. When outsourcing, the information security manager must examine numerous factors, including:

o Ensuring that suitable controls and processes are in place to support outsourcing.
o Ensuring that proper information risk management terms are included in the outsourcing contract.
o Ensuring that a risk assessment is completed for the outsourced process.
o Ensuring that sufficient due diligence is completed prior to contract signature.
o Day-to-day management of information risk for outsourced services.
o Ensuring that major changes to the relationship are identified and that updated risk assessments are conducted as needed.
o Ensuring that the right procedures are followed when ending relationships.


Third Party Service Providers
Outsourcing and Service Providers

• Third-party providers of security services and outsourced IT or business operations that must be integrated into the overall information security program are the two forms of outsourcing that an information security manager may encounter.

• Outsourcing is primarily motivated by economic considerations. As a result, early involvement by the information security manager is critical to ensuring that individuals making these decisions do not jeopardise security for the sake of cutting costs.

• It is also likely that when the business grows, it may want more services, which may necessitate substantially greater fees from the outsourcer.


Third Party Service Providers
(Continued)

• This could happen if the organisation determines that the constraints imposed by outsourcing are unacceptable, or if the costs connected with a new arrangement are prohibitively expensive. Other essential and potentially negative factors to consider while examining outsourcing possibilities are:

o Loss of critical skills.
o Lack of transparency into security processes.
o New access and an additional control risk.
o The third-party vendor's viability.
o Incident management complexity.
o Distinctions in culture and ethics.
o Unexpected expenses and service deficiencies.


Outsourcing Challenges

• Outsourced information resources may bring additional obstacles to an information security manager, such as external firms that may be hesitant to share technical specifics on the nature and scope of their information protection measures.

• From the standpoint of risk management, it is critical that incident management and response, business continuity planning/disaster recovery planning, and testing include all critical outsourced services and operations.

• Key clauses that should be included in a third-party contract include, but are not limited to:

o Right to source code in the event of provider default.
o Requirement that the vendor comply with industry and regulatory obligations on time.
o The right to inspect the vendor's books and premises.
o The right to inspect the vendor's processes.
o Described SOPs.
o The ability to examine the skill sets of vendor resources.
o Advance notice if the deployed resources are to be altered.


Outsourcing Contracts

• Contracts serve two purposes: 1) to guarantee that the parties to the agreement are aware of their responsibilities and rights within the relationship; and 2) to give a way to resolve problems after the contract is in effect.

• The information security manager should be familiar with specific security and information protection provisions within that framework.

• The most prevalent type of security provision is one that addresses secrecy or nondisclosure. The information security manager must identify the specific degree of destruction required.

• The contract may also require either or both parties to maintain security procedures to guarantee that the systems and information used in the agreement are adequately protected.

• The contract should explain what is meant by "suitable," as well as the conditions for demonstrating the effectiveness of those safeguards.


Third-Party Access

• Under any circumstances, third-party access to the information security manager's enterprise's processing facilities should be controlled based on risk assessment and clearly described in an SLA.

• Access should be granted using the least privilege, need-to-know, and need-to-do criteria. Third-party access must be based on clearly defined means of access, access permissions, and levels of functionality, and access must require the asset owner's agreement.

• Access usage should be fully logged and examined on a regular basis by the security manager. The frequency of reviews should be determined by considerations such as:

o The importance of the information to which access privileges are granted.
o The importance of the privileges granted.
o Contract duration.


Module 3B6: Information Security Program Communications and Reporting


Program Management Evaluation

• Certain conditions necessitate the information security manager assessing the present state of an existing information security program.

• It is also critical for the information security manager to reevaluate the program's efficacy in light of changes in organisational demands, settings, and limits on a regular basis.

• The findings of such an analysis should be shared with the information security steering committee or other stakeholders for discussion and formulation of necessary program improvements.

• While the information security manager must decide the most appropriate scope for current state assessment, the following section offers many essential topics for consideration.


Program Management Evaluation
Program Objectives

• The information security manager must assess the program's documented security objectives. Important considerations include:

o Has an information security plan and roadmap for development been developed?
o Have appropriate risk and impact criteria been established?
o Are policies, standards, and processes complete and up to date?
o Are program objectives in sync with governance objectives?
o Are the objectives measurable, reasonable, and tied to specified deadlines?
o Do the program objectives correspond to the organisation's goals, initiatives, compliance requirements, and operational environment?
o Is there agreement on program goals? Were goals developed collaboratively?
o Have measures been implemented to track program performance and shortfalls?
o Is there a regular assessment of objectives and accomplishments by management?


Program Management Evaluation
Compliance Requirements

• Compliance criteria alignment and fulfilment are two of the most apparent indicators of
security management status. Because numerous standards specify program management
requirements, the information security manager must compare the management program—
framework and components—to mandatory and optional compliance standards. Important
considerations include:

 Has management established the level of compliance that the organisation will pursue, as well as the
timetables and milestones?
 Is close cooperation between the compliance and information security groups facilitated? Are the
requirements for information security compliance well defined?
 Does the information security program incorporate compliance requirements precisely into its
policies, standards, procedures, operations, and success metrics?
 Do the technical, operational, and management components of the program correspond to the
components required by regulatory standards?


Program Management Evaluation
Program Management

• The level of management support and the overall depth of the existing program are revealed
by evaluating program management components. Consider the following program
management components:

 Is the program itself thoroughly documented? Have essential policies, standards, and procedures been
reduced to simple operational instructions and given to those responsible?
 Do those in positions of responsibility understand their roles and responsibilities?
 Are the duties and responsibilities of members of senior management, boards, and so on defined? Do
these bodies recognise and act on their responsibilities?
 Are information security duties reflected in company managers' objectives and included in their
performance evaluations?
 Have policies and standards been finalised, formally approved, and disseminated?


Program Management Evaluation
Security Operations Management

• The information security manager must evaluate how successfully the information security
program carries out security operations, both within the security organisation and in other
organisational units. Among the most important considerations are:

 Are security requirements and processes addressed in security, technology, and business unit standard
operating procedures (SOPs)?
 Do security-related SOPs mandate accountability, process transparency, and management oversight?
 Do security-related operations such as configuration management, access management, security
system maintenance, event analysis, and incident response have established SOPs?
 Is a timetable of routinely conducted procedures (for example, technical configuration review) in
place? Is it possible to keep track of scheduled activities in the program?


Program Management Evaluation
Technical Security Management

• The management of the technological security environment is crucial to guaranteeing the
effective implementation of information processing systems and security procedures. In
addition to reviewing the current technical environment, the information security manager
should consider the following aspects when managing technical security concerns:

 Are there technological standards for configuring specific networks, systems, applications, and other
technology components for security?
 Are there standards that address architectural security challenges such as topology, communication
protocols, and compartmentalisation of critical systems?
 Do high-level policies and requirements support and enforce standards? Are standards developed in
collaboration with technical, operations, and security personnel?
 Are technical standards applied consistently? Do mechanisms exist to evaluate and report on technical
standard compliance on a regular basis? Is there a systematic method in place to handle exceptions?
 Are important controls continuously monitored? Do controls provide failure notifications?


Program Management Evaluation
Resource Levels

• The information security manager must examine the program's financial, human, and technical
resources.

• Deficiencies must be identified and escalated to senior management or the steering committee.
Consider the following:

 Financial Resources
 Human Resources
 Technical Resources


The Plan-Do-Check-Act Cycle
• The information security program is built around the effective and efficient management of
controls that are established and executed to address or minimise threats, risks, vulnerabilities,
and impacts.

• The total quality management (TQM) system's concepts and procedures are well suited to the
unique reliance on effective, efficient management of a business process such as information
security.


Security Reviews and Audits
• The manager of an information security program must have a consistent, standardised strategy
for analysing and evaluating the state of the various parts of the program during its creation and
management.

• Using a consistent strategy will provide trend information over time and can act as a gauge of
program improvement. This is possible through a security assessment procedure similar to an
audit. Security reviews, like regular auditing procedures, have:

 Objective
 Scope
 Constraint
 Approach
 Result


Security Reviews and Audits
Audits

• Auditors identify, examine, test, and assess the effectiveness of controls in the professional
field of information systems auditing.

• While executing an audit, an audit team gathers documentation that 1) maps controls to control
objectives, 2) indicates what the team performed to test those controls, and 3) relates those test
findings to the final evaluation.

• Work papers are documents that may or may not be presented with the final report.

• A framework or external standard, such as COBIT or ISO/IEC 27001 and 27002, provides a
structure for control goals, allowing an audit team to arrange its assessment of existing
controls.


Security Reviews and Audits
Auditors

• The information security manager must establish effective working relationships with auditors,
both internal and external. Internal and external auditing operations must be integrated into the
information security program.

• Procedures for scheduling, observing personnel activities, and providing configuration data
from technical systems should be set in advance. In some situations, an auditor's finding of a
flaw may not apply to the information security manager's particular organisation.

• If issues are discovered during an audit, the information security manager should collaborate
with the auditors to determine the related risk, mitigating factors, and acceptable control
objectives.

• The findings of the audit give robust, impartial input for the steering committee and
management to utilise in evaluating the performance of the information security program.


Compliance Monitoring and Enforcement
• Compliance enforcement mechanisms must be considered throughout program creation to
ensure eventual effectiveness and manageability once the program is implemented.

• Compliance enforcement refers to any activity inside the information security program that is
intended to ensure compliance with the enterprise's security policies, standards, and procedures.

• Enforcement processes should be created with the assumption that control activities are in
place to support control objectives.

• Control selection is frequently influenced by the ease of monitoring and enforcement.

• These procedures add another layer of control to guarantee that the procedures defined by
management are followed.


Compliance Monitoring and Enforcement
Policy Compliance

• Policies serve as the foundation for all accountability for security duties across the company.

• Policies must be comprehensive enough to cover all instances in which information is handled,
while also being flexible enough to allow new processes and procedures to develop for
different technologies while remaining compliant.

• It is the responsibility of the information security manager to guarantee that there are no
orphan systems or systems without policy compliance owners during the assignment process.

• A policy exception process is frequently mentioned in information security management
literature.

• This is a technique for business units or departments to analyse a policy and decide not to
implement it based on a variety of considerations.


Compliance Monitoring and Enforcement
Standards Compliance

• Standards define the possibilities for systems, processes, and behaviours that nevertheless
adhere to policy.

• Based on the criticality and sensitivity of the resources, the standards must be created to
ensure that all systems of the same type within the same security domain are configured and
operated in the same manner.

• It is also possible that a business scenario justifies a variation from established standards while
remaining within the policy's goal.

• Standards exceptions, like policy exceptions, must entail risk assessment and acceptance by
competent management. If exceptions must go through the change management process (if
one exists), analysing the risk of the change will be a standard element of the procedure.


Compliance Monitoring and Enforcement
Resolutions of Compliance Issues

• Noncompliance issues can pose a danger to the organisation, so it is critical to design
specialised methods to deal with them effectively and efficiently. A method for identifying
criticality and then establishing a risk-based response mechanism benefits the security
manager. Noncompliance concerns and other deviations can be found through a variety of
approaches, including:

 Routine monitoring.
 Audit reports.
 Security reviews.
 Vulnerability scans.
 Due diligence work.

Compliance Enforcement
• Compliance enforcement is a continuous set of activities aimed at bringing policy and, by
extension, standards requirements that are not being met into compliance.

• Legal and internal audit divisions are frequently in charge of evaluating business plans and
operations, respectively.


Monitoring Approaches
• The security manager must devise a consistent, dependable mechanism for determining the
program's overall continuous effectiveness. One method is to conduct risk assessments on a
regular basis and track progress over time.

• Another common approach for determining system vulnerabilities is the use of external and
internal scanning and penetration testing, although this will only reveal the efficacy of one aspect
of the whole program.

Monitoring Security Activities in Infrastructure and Business Applications

• Because an enterprise's vulnerability to security breaches is likely to exist at all times, the
information security manager should undertake continuous monitoring of security operations.

• Continuous IDS and firewall monitoring can provide real-time information on efforts to
penetrate perimeter defences. Training help desk staff to escalate suspicious reports that could
indicate a breach or an attack can act as an effective monitoring and early warning system.


Monitoring Approaches
Determining Success of Information Security Investments

• Processes must be in place for the information security manager to determine the overall
efficacy of security investments and the extent to which objectives have been met.

• The information security manager should confirm that KPIs are created and agreed upon
during the design and implementation of the security program, and that a method to assess
progress against those indicators is implemented.

• In addition to the original procurement and implementation costs, it is critical to account for:

 Costs to administer controls
 Training costs
 Maintenance costs
 Monitoring costs
 Update fees
 Fees for consultants or help desks


Measuring Information Security Management Performance
• The information security manager should understand how to develop processes and systems
that allow the information security program's successes and shortfalls to be assessed.
Measuring success entails creating quantifiable objectives, recording the most relevant
metrics, and assessing results on a regular basis to identify areas of success and improvement
potential.

Measuring Information Security Risk and Loss

• The basic goal of an information security program is to ensure that risk is effectively managed
and that the consequences of unfavourable events are within acceptable boundaries.

• It is nearly impossible to achieve absolute security while maintaining system usability.

• Determining if the security program is operating at an appropriate level—balancing operational
efficiency with adequate safety—can be approached from a variety of angles.


Measuring Information Security Management Performance
Measuring Support of Organisational Objectives

• The information security program must support the primary goals of the organisation. The
information security steering committee and executive management might assess the
following qualitative measures:

 Is there a written link between significant organisational milestones and the information
security program's objectives?

 How many information security objectives in support of organisational goals were
completed?

 Were there organisational goals that were not fulfilled because information security
objectives were not met?

 How strong is the agreement among business units, upper management, and other information
security stakeholders that program objectives are complete and suitable?


Measuring Information Security Management Performance
Measuring Operational Productivity

• An information security program does not have unlimited resources. The information security
manager must maximise operational productivity, especially given the continuing growth of IT
organisations.

• Security management automation solutions can act as labour multipliers, significantly
increasing the rate at which operational duties are completed.

• Productivity measurements are most useful when used in a time-based comparison analysis.

• Productivity is a measure of the amount of work produced per unit of resource. The
information security manager should establish regular targets for boosting the program's
productivity through specialised activities.


Measuring Information Security Management Performance
Measuring Security Cost-Effectiveness

• Financial constraints are a common cause of security failings, including the inability to prepare for
continuing maintenance requirements, so the information security program must be
financially sustainable.

• This procedure starts with precise cost forecasting and budgeting. The success of this activity
is often determined by comparing budget utilisation to initial forecasts, which can assist in
identifying difficulties with security cost planning.

• In addition to budgeting effectiveness, the information security manager should create systems
to monitor the continuous cost-efficiency of security components, which is typically done by
tracking cost-result ratios.

• By assessing the overall cost of producing a certain output, this approach creates cost-
efficiency goals for new technologies and improvement goals for existing technologies.


Measuring Information Security Management Performance
Measuring Organisational Awareness

• Personnel actions, even in a well-controlled technical setting, might pose hazards that can only
be managed via education and awareness.

• Employee input is the most widely used source for tracking organisational awareness. The
information security manager should collaborate with the human resources department to
develop metrics for measuring the success of organisational awareness efforts.

• Employee testing is another way to assess the effectiveness of an awareness campaign. To
assess the success of training, the information security manager should provide instruments
such as brief online or paper assessments that are conducted soon after training.


Measuring Information Security Management Performance
Measuring Effectiveness of Technical Security Architecture

• One of the most visible aspects of an information security program is generally the technical
security architecture.

• The information security manager must develop quantitative metrics of the technical control
environment's efficacy.

• For reporting and analysis, technical security metrics can be classified by protected resource
and geographic location. The following are some examples of technical security effectiveness
metrics:

1. Probe and attack attempts resisted by network access control devices; qualify by asset or resource
targeted, source geography, and attack type.
2. Internal network probe and attack attempts identified by intrusion detection systems; differentiate by
internal versus external source, resource targeted, and attack type.
3. The number and type of actual compromises; categorise by attack severity, attack type, effect severity,
and attack source.

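The three metrics above worked through as an added example (not part of the course material): constructed IDS and access-control alerts are counted by internal versus external source, resource targeted and attack type, and actual compromises are bucketed by severity. The alert layout, the internal address blocks and the sample alerts are assumptions made for this example.

```python
"""Classify constructed IDS / network access control alerts along the dimensions
the slide lists (internal vs external source, resource targeted, attack type)
and summarise actual compromises by severity, so the counts can be reported as
technical security effectiveness metrics.

Added example, not part of the course material; the record layout and the
sample alerts are constructed here for illustration.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Address blocks this (hypothetical) enterprise treats as "internal".
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Alert:
    source_ip: str
    target: str        # protected resource, e.g. "web-dmz", "hr-db"
    attack_type: str   # e.g. "port-scan", "sqli", "brute-force"
    blocked: bool      # True if the control resisted the attempt
    severity: int = 0  # only meaningful for actual compromises (blocked=False)


def source_class(ip: str) -> str:
    """Return 'internal' if ip falls in an INTERNAL_NETWORKS block, else 'external'."""
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL_NETWORKS) else "external"


def attempts_by_dimension(alerts: list[Alert]) -> Counter:
    """Count probe/attack attempts per (source class, resource targeted, attack type)."""
    return Counter((source_class(a.source_ip), a.target, a.attack_type) for a in alerts)


def compromises_by_severity(alerts: list[Alert]) -> Counter:
    """Count actual compromises (attempts the control did not resist) by severity bucket."""
    buckets = {1: "low", 2: "medium", 3: "high"}
    return Counter(buckets.get(a.severity, "unknown") for a in alerts if not a.blocked)


def resist_rate(alerts: list[Alert]) -> float:
    """Fraction of attempts the control resisted; 0.0 when there are no alerts."""
    if not alerts:
        return 0.0
    return sum(1 for a in alerts if a.blocked) / len(alerts)


# Constructed sample alerts (documentation-range addresses, not real data).
SAMPLE_ALERTS = [
    Alert("203.0.113.5", "web-dmz", "port-scan", blocked=True),
    Alert("203.0.113.5", "web-dmz", "sqli", blocked=True),
    Alert("198.51.100.7", "vpn-gw", "brute-force", blocked=True),
    Alert("10.20.3.44", "hr-db", "brute-force", blocked=False, severity=3),
    Alert("192.168.7.9", "file-srv", "port-scan", blocked=True),
    Alert("198.51.100.7", "web-dmz", "sqli", blocked=False, severity=2),
]

if __name__ == "__main__":
    for key, n in sorted(attempts_by_dimension(SAMPLE_ALERTS).items()):
        print(key, n)
    print("compromises by severity:", dict(compromises_by_severity(SAMPLE_ALERTS)))
    print(f"resist rate: {resist_rate(SAMPLE_ALERTS):.0%}")
```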
Measuring Information Security Management Performance
Measuring Effectiveness of Management Framework and Resources

• Efficient information security management maximises the output of the components and
procedures that it employs. Mechanisms for collecting process input, recognising difficulties
and opportunities, tracking implementation consistency, and effectively conveying changes and
information all contribute to program effectiveness. Tracking the program's progress in this
area includes the following methods:

 Monitoring the occurrence of issues.
 Monitoring the extent to which operational knowledge is captured and disseminated.
 Standardising process execution.
 Clearly and comprehensively documenting information security duties and responsibilities.
 Including information security needs in all project plans.
 Improving the program's productivity and cost-effectiveness.
 Keeping track of overall security resource consumption and trends.
 Alignment with and support for company goals.


Measuring Information Security Management Performance
Measuring Operational Performance

• Measuring, monitoring, and reporting on information security processes assist the information
security manager in ensuring that the program's operational components properly support
control objectives. Security operational performance metrics include:

 Detection, escalation, isolation, and containment of incidents.
 Time elapsed between vulnerability discovery and resolution.
 The number, frequency, and severity of occurrences found after the fact.
 Average time between vulnerability patch vendor release and application.
 The percentage of systems that have been audited within a specific time frame.
 The number of changes released without full change control approval.
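The operational metrics listed above computed from constructed records, as an added example that is not part of the course material: discovery-to-resolution time, vendor patch release-to-application lag, audit coverage within a period, and changes released without change-control approval. The record layouts, field names and sample dates are assumptions made for this example.

```python
"""Compute the security operational performance metrics listed on the slide from
constructed vulnerability, audit and change records.

Added example, not part of the course material; the record layouts and the
sample values are constructed here for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    discovered: date
    vendor_patch_released: date | None  # None if no vendor patch exists
    patch_applied: date | None          # None until the patch is deployed
    resolved: date | None               # None while the finding is still open


@dataclass(frozen=True)
class Change:
    change_id: str
    released: date
    approved: bool  # full change-control approval obtained before release


def mean_days_to_resolve(vulns: list[Vulnerability]) -> float | None:
    """Mean days from discovery to resolution over resolved vulnerabilities."""
    durations = [(v.resolved - v.discovered).days for v in vulns if v.resolved]
    return float(mean(durations)) if durations else None


def mean_patch_lag_days(vulns: list[Vulnerability]) -> float | None:
    """Mean days between vendor patch release and its application."""
    lags = [
        (v.patch_applied - v.vendor_patch_released).days
        for v in vulns
        if v.vendor_patch_released and v.patch_applied
    ]
    return float(mean(lags)) if lags else None


def overdue_open_vulnerabilities(vulns: list[Vulnerability], as_of: date, max_age_days: int) -> list[str]:
    """IDs of unresolved vulnerabilities open for longer than max_age_days at as_of."""
    cutoff = as_of - timedelta(days=max_age_days)
    return [v.vuln_id for v in vulns if v.resolved is None and v.discovered <= cutoff]


def audit_coverage_pct(systems: set[str], last_audit: dict[str, date],
                       window_start: date, window_end: date) -> float:
    """Percentage of in-scope systems audited inside [window_start, window_end]."""
    if not systems:
        return 0.0
    audited = {s for s, d in last_audit.items() if s in systems and window_start <= d <= window_end}
    return 100.0 * len(audited) / len(systems)


def unapproved_changes(changes: list[Change]) -> list[str]:
    """IDs of changes released without full change-control approval."""
    return [c.change_id for c in changes if not c.approved]


# Constructed sample records (not real data).
VULNS = [
    Vulnerability("V-1", date(2024, 3, 1), date(2024, 2, 20), date(2024, 3, 5), date(2024, 3, 5)),
    Vulnerability("V-2", date(2024, 3, 3), None, None, date(2024, 3, 13)),
    Vulnerability("V-3", date(2024, 3, 10), date(2024, 3, 12), date(2024, 3, 20), date(2024, 3, 20)),
    Vulnerability("V-4", date(2024, 2, 1), date(2024, 2, 5), None, None),  # still open
]
SYSTEMS = {"web-01", "web-02", "db-01", "hr-01"}
LAST_AUDIT = {"web-01": date(2024, 2, 10), "db-01": date(2024, 3, 15),
              "hr-01": date(2023, 11, 2), "legacy-99": date(2024, 3, 1)}  # legacy-99 is out of scope
CHANGES = [Change("C-100", date(2024, 3, 2), True),
           Change("C-101", date(2024, 3, 4), False),
           Change("C-102", date(2024, 3, 9), True)]
Q1_START, Q1_END = date(2024, 1, 1), date(2024, 3, 31)

if __name__ == "__main__":
    print("mean days to resolve:", mean_days_to_resolve(VULNS))
    print("mean patch lag (days):", mean_patch_lag_days(VULNS))
    print("open > 30 days:", overdue_open_vulnerabilities(VULNS, Q1_END, 30))
    print("Q1 audit coverage:", audit_coverage_pct(SYSTEMS, LAST_AUDIT, Q1_START, Q1_END), "%")
    print("unapproved changes:", unapproved_changes(CHANGES))
```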


Ongoing Monitoring and Communication
• Monitoring considerations are numerous when designing or operating a security program,
regardless of its scope. In addition to countless other design issues, new or updated controls
necessitate ways of determining whether they are performing as intended.

• Procedural and process controls are often just as important as operational controls, although
they are more complex to implement. Monitoring the security of information systems is an essential
operational component of any information security program. The following are some examples
of commonly observed event types:

 Inability to gain access to resources.
 Processing errors that may suggest meddling with the system.
 Power outages, race conditions, and design or other flaws.
 Modifications to system configurations, including security controls.
 Unrestricted system access and activity.
 Fault detection in technical security components.


Domain 4: Incident Management

This Domain Covers…

Domain 4: Incident Management

A: INCIDENT MANAGEMENT READINESS
 4A1: Incident Response Plan
 4A2: Business Impact Analysis (BIA)
 4A3: Business Continuity Plan (BCP)
 4A4: Disaster Recovery Plan (DRP)
 4A5: Incident Classification/Categorisation
 4A6: Incident Management Training, Testing and Evaluation


This Domain Covers (Continued)…

Domain 4: Incident Management

B: INCIDENT MANAGEMENT OPERATIONS
 4B1: Incident Management Tools and Technologies
 4B2: Incident Investigation and Evaluation
 4B3: Incident Containment Methods
 4B4: Incident Response Communications
 4B5: Incident Eradication and Recovery
 4B6: Post-Incident Review Practices


Module 4A1: Incident Response Plan


Introduction
• As part of risk management, an incident management program focuses on the planning,
preparedness for, and identification of occurrences that depart from normal, scheduled operations.

• The desired outcome is to:

 Lessen the effect on the enterprise.

 Recover and resume operations at acceptable levels.

• The speed with which an enterprise can recognise, assess, respond to, and recover from an
event reduces the effect on the enterprise and, ultimately, the cost of the incident.

• This usually leads senior management to realise that the organisation requires an effective
and quick method of responding to an incident.


Relationship Between Incident Management and Incident Response

• There are subtle distinctions and complexities between the incident management and incident response
functions.

• The ability to provide and ensure the start-to-finish management of an incident within the company is
referred to as incident management.

• This entails determining how tasks and processes interact with one another, how information is
transmitted (internally and externally), and what actions must be coordinated in order to properly
manage an incident.

• The processes, methods, and activities undertaken when responding to an incident are referred to as
incident response, and they focus on the detection, triage, containment, eradication, and recovery
steps taken to restart normal, planned operations.

• In a nutshell, incident management encompasses all of the processes, practices, and activities that
occur before, during, and after an incident.


Goals of Incident Management and Incident Response
• Incidents can arise from a variety of sources, including large-scale cyberattacks, losses caused
by natural catastrophes, the loss of critical individuals, workplace accidents, or any other
unforeseen bad occurrences caused by a shift in the threat landscape.

• Efforts must include managing and responding to occurrences involving information security,
regardless of the medium (logical, physical, or human). The approach taken is based upon a
number of factors, including:

 Constituency to be Served: Who will make use of this capability?

 Enterprise Mission, Goals and Objectives: Is the strategy properly matched with the
organisation?

 Service to be Provided: What services are being committed to address the needs of
constituents?


Goals of Incident Management and Incident Response
(Continued)

 Organisational Model and the Relationship with Various Stakeholders: Who holds the
enterprise accountable and responsible?

 Funding for Start-up Costs and Ongoing Operations: How will this capability be supported
financially?

 Resources Needed by the Computer Security Incident Response Team (CSIRT): What
resources are required to provide the necessary capabilities to the constituents served?

• Incident management encompasses all steps taken prior to, during, and after an information
security incident occurs.

• Incident management encompasses program management (planning, training, testing),
operational (processes, procedures, protocols), and tactical (evidence gathering, triage, initial
analysis) techniques, as well as individual activities.


Goals of Incident Management and Incident Response
(Continued)

• With the following goals in mind, incident management methods must be devised to limit the
effects of an incident and enable efficient and successful recovery:

 Contribute to the broader enterprise strategy.

 Provide an effective technique of dealing with the problem in order to minimise the impact on the
organisation.

 Provide management with enough information to make informed decisions.

 Maintain or restore enterprise service continuity in accordance with business continuity and
disaster recovery policies.

 Act as a first line of defence against subsequent attacks.

 Increase deterrence by utilising technology, investigation, and prosecution.

Incident Handling and Management Life Cycle
• Incident handling is a service that encompasses all of the processes or tasks connected with
dealing with events and incidents. It performs several functions:

 Detection and Reporting: Receiving and reviewing event information, incident reports, and
alerts.

 Triage: The steps performed to categorise, prioritise, and assign events and incidents in
order to maximise the usefulness of limited resources.

 Analysis: The attempt to determine what happened, the impact and threat, the harm that
ensued, and the appropriate recovery or mitigation procedures.

 Incident Response: The measures taken to address or mitigate an incident, coordinate and
disseminate information, and develop follow-up strategies to prevent recurrence.


Incident Handling and Management Life Cycle
Progression of a Disaster

[Figure: Progression of a Disaster]


Incident Management and Incident Response Plans
• Effective incident management ensures that incidents are recognised, detected, recorded, and
managed in order to minimise their consequences.

• Incidents must be recorded so that incident response actions may be followed, information can
be provided to facilitate planning efforts, and no component of an incident is inadvertently
neglected.

• The recording is necessary in order to correctly document material, which may include forensic
data that can be utilised to pursue disciplinary or legal options.

• Incidents must be categorised in order to be properly prioritised and routed to the appropriate
resources.

• Incident management comprises initial support operations that allow new occurrences to be
evaluated against known defects and difficulties in order to quickly identify any previously
identified workarounds.


Incident Management and Incident Response Plans
(Continued)

• Incident management establishes a framework for investigating, diagnosing, resolving, and
closing problems.

• Throughout the incident's life cycle, the procedure guarantees that it is owned, tracked, and
monitored.

• Major incidents may necessitate a response that goes above and beyond what is provided by
the standard incident process, necessitating the activation of BC/DR capabilities.

• The final step in an incident-handling process is incident response, which includes the planning,
coordination, and execution of appropriate containment, eradication, and recovery activities
and may involve the development of recommendations or lead to follow-on initiatives
identified during the lessons learned.


Importance of Incident Management
• As enterprises rely more on information processes and systems, and significant disruption to
those operations has unacceptably severe consequences, the importance of good incident
management and response has expanded.

• Some of the elements that increase the importance of excellent incident management are as
follows:

 The increasing incidence of, and mounting losses caused by, information security events.

 An increase in software or system vulnerabilities that affect major areas of an enterprise's
infrastructure and have an impact on operations.

 Security controls that fail to prevent incidents.


Importance of Incident Management
(Continued)

 Legal and regulatory requirements necessitate the establishment of incident management
capabilities.

 Threat actors' sophistication and capability are increasing.

 Advanced persistent threats (APTs).

 Exploitation of poorly managed IT procedures and practices.

 A rise in zero-day attacks.


Outcomes of Incident Management
• The following are the outcomes of effective incident management and response:

 The enterprise can efficiently deal with unexpected threats that could disrupt the business (e.g.,
within the recovery time objective [RTO] and recovery point objective [RPO]).

 The enterprise will have adequate detection and monitoring capabilities to ensure that
issues are identified as soon as possible.

 Well-defined severity and declaration criteria, as well as established escalation and
notification mechanisms, will be in place.

 Personnel will be trained in incident recognition, severity criterion application, and proper
reporting and escalation procedures.


Outcomes of Incident Management
(Continued)

 The enterprise will have a responsiveness that demonstrates clear support for the business plan
by being sensitive to the criticality and sensitivity of the resources safeguarded.

 The enterprise will proactively manage incident risk in a cost-effective manner, and will
integrate security-related organisational functions to maximise effectiveness.

 The enterprise will have monitoring and metrics to assess the performance of incident
management and response capabilities, and it will test its capabilities on a regular basis to
confirm that information and plans are up to date, current, and available when needed.


Incident Management Resources
• An incident management and response strategy may be developed using a variety of internal
and external resources. These resources in a typical enterprise may include, but are not limited
to, the following:

 Compliance Office
 Facilities Management
 HR
 Insurance Provider
 Internal Audit
 IT Department
 Law Enforcement
 Legal Department
 Local Government
 Physical Security
 Privacy Officer
 Public Relations
 Risk Management
 Sales and Marketing
 Training Partners


Policies and Standards
• Policies, standards, and procedures must be well-defined to support the incident response plan
(IRP). It is critical to have a defined set of policies, standards, and processes in order to:

 Ensure that incident management actions are in line with the mission of the incident
management team (IMT).

 Establish realistic expectations.

 Advise on operational requirements.

 Maintain service consistency and dependability.

 Understand the duties and responsibilities.

 Establish requirements for identified alternate personnel for all critical functions.


Incident Management Objectives
• The primary goal is to respond to and contain security incidents while restoring regular operations as rapidly as feasible.

• Failure to do so frequently results in a disaster declaration and the necessity for recovery efforts.

• This may entail relocating to a different location to resume activities as stated in the BC/DR plans.

• The goals of incident management are as follows:

 Handle events as they occur so that the exposure can be limited or eliminated, allowing recovery to occur within recovery time objectives (RTOs) and recovery point objectives (RPOs).


Incident Management Objectives (Continued)

 Restore regular operation of systems and business processes.

 Avoid recurring incidents by documenting and learning from previous ones.

 Implement proactive steps to prevent or reduce the likelihood of future events.

 Implement safeguards to protect assets and minimise the impact on them in the case of an incident.


Strategic Alignment
• Incident management, like many other support tasks, must be integrated with an enterprise's strategic plan. The following elements may assist in achieving this alignment:

 Constituency
 Organisational Structure
 Resources
 Mission
 Funding
 Services
 Management Support


Response and Recovery Plan
• Enterprises should have a systematic, targeted, and coordinated approach to incident response, including an incident response plan (IRP) that lays out the steps for developing the incident response capability.

• Each enterprise requires a plan that addresses its specific needs, which are related to the mission, size, structure, and operations of the enterprise.

• The strategy should specify the resources and management assistance that are required. The following items should be included in the IRP:

1. Mission.

2. Goals and strategies.

3. Senior management's approval.

4. Approach to incident response inside the organisation.


Response and Recovery Plan (Continued)

5. Personnel with key decision-making roles and responsibilities.

6. Communication inside the enterprise and with other enterprises.

7. Metrics for evaluating the effectiveness of the incident response capability.

8. Roadmap for developing the capability for responding to incidents.

9. What role the programme plays in the larger enterprise.


The Role of the Information Security Manager in Incident Management

• The enterprise's size, industry, applicable regulatory requirements, and the maturity of its BC, DR, and incident response capabilities will all have an impact on the information security manager's role in BC and DR planning and in incident response.

• Responding to situations involving information security is normally the responsibility of the information security manager.

• In enterprises, the information security manager may be involved in all aspects of business continuity (BC), disaster recovery (DR), and incident response.

• This includes helping the business units complete their business impact analyses (BIAs), collaborating with the IT department to find suitable backup and recovery solutions, coordinating incident response efforts as events become more serious, and providing the regular information security services the business needs.


Risk Management

Successful risk management outcomes depend on effective incident management and response capabilities. Any risk that manifests and is not stopped by the enterprise's internal controls is considered an incident, which needs to be managed and dealt with in order to prevent it from turning into a catastrophe.


Assurance Process Integration

• Successful risk management outcomes depend on effective incident management and response capabilities.

• Any risk that manifests and isn't stopped by the enterprise's internal controls is considered an incident, which needs to be managed and dealt with in order to prevent it from turning into a catastrophe.


Value Delivery
• In addition to the technological controls used to prevent or respond to incidents, incident management also entails a number of procedures that can strike the ideal balance between containment, prevention, and restoration.

• For incident management to be effective, it should:

 Work as seamlessly as feasible with business procedures and structures.

 Enhance the enterprise's ability to manage risk and provide assurance to stakeholders.

 Complement the business continuity plan (BCP).

 Integrate into the enterprise's broader strategy and endeavour to safeguard and secure vital business functions and assets.

 Act as a safety net and optimise risk management efforts.


Resource Management
• Time, people, budget, and other aspects are all considered in resource management in order to fulfil objectives efficiently within the given resource limits.

• Incident management and response operations require resources, which must be handled effectively.

• This is accomplished by adequate oversight, resource monitoring, and regular reporting. When achieving all objectives is not possible, good resource management ensures that the most critical priorities are handled first.

• Effective triage capabilities in incident response ensure that limited resources are deployed where they are most effective in restricting and limiting harm.

• Triage is based on swiftly identifying compromised assets that must be addressed immediately, assets that are unaffected and can wait, and assets that can be restored most efficiently with the available resources.


Defining Incident Management Procedures

• There is no single, rigid set of incident management practices that applies to all enterprises. However, there are a few basic practices that the majority of enterprises follow and tailor to suit their unique requirements.


Detailed Plan of Action for Incident Management
• The following process is described in the incident management methodology defined by CMU/SEI:


Current State of Incident Response Capability
• Survey of senior management, business managers and IT representatives - Uses input from senior management, business line managers and technology representatives, employee surveys and focus groups to gather information that helps determine the past performance and perception of the IMT and its process capabilities.

• Self-Assessment - The IMT assesses itself against a set of criteria to develop an understanding of present skills. This is the simplest approach because it does not require the participation of several parties. Its disadvantage is that it may only provide a restricted picture of present capabilities and of other characteristics that stakeholders may find significant.

• External Assessment or Audit - This is the most complete option, including interviews, surveys, simulation, and other assessment approaches. It is typically used by a company that already has an appropriate incident management capability but is looking to improve it or reengineer the processes. These strategies will help establish whether the existing state is effective and, if not, determine the intended state of incident response capabilities.


Current State of Incident Response Capability
Threats

• Threats are defined as any incident that has the potential to harm an enterprise's assets, operations, or staff. There are several types of threat to be considered, such as:

 Environmental
 Technical
 Human Driven

Vulnerability
• A vulnerability is a flaw in a system, technology, process, person, or control that can be exploited and lead to compromise. Risk originates from a weakness that adversaries can exploit. One part of risk management is managing vulnerabilities in order to keep risk within the acceptable boundaries set by the enterprise's risk appetite and tolerance criteria.


Developing an Incident Response Plan
• The incident response plan (IRP) is the operational component of incident management. The plan specifies the actions, personnel, and activities that will be carried out if anticipated circumstances result in the loss of data, information systems, or processes.

• The incident response team should be formed, managed, and maintained as part of the plan.

Elements of an Incident Response Plan

 Preparation
 Identification
 Containment
 Eradication
 Recovery
 Lessons Learned


Developing an Incident Response Plan
Gap Analysis

• A gap analysis gives information on the gap between present incident response capabilities and the target level defined by top management. When the two levels are compared, the required advances in capabilities, skills, and technology can be found, including:

 Processes that must be improved in order to become more efficient and effective

 Resources required to meet the incident response capability's objectives

• The resulting gap analysis report can be used for planning purposes to establish the measures required to close the gaps between the present and intended states.

• It can also be used to determine the most effective technique for achieving the goals and prioritising efforts. Priorities should be determined by the areas with the largest potential impact and the best cost-benefit ratio.


Incident Management Response Teams
• Before an incident occurs, the plan must identify teams and outline their assigned duties. To put the business recovery strategies into action, key decision-making, technical, and end-user team leaders must be identified and trained.

• Depending on the size of the business, a team could be made up of just one person. The involvement of these teams is determined by the severity of the service disruption and the sorts of assets lost, compromised, damaged, or endangered.

• This will make it easier to estimate the size of the effort and activate the right team combination. The following are some examples of the kinds of teams that are frequently required:

 Emergency Action Team: First responders who have been designated to deal with fires or other emergency response circumstances.


Incident Management Response Teams (Continued)

 Damage Assessment Team: Qualified personnel who analyse the level of asset damage and make an initial decision as to what is a total loss vs what is restorable or salvageable.

 Emergency Management Team: In charge of coordinating the actions of the other recovery teams and making critical decisions.

 Relocation Team: Coordinates the process of transferring from the impacted location to an alternative site or the restored original location.

 Security Team: When the organisation does not define a designated/formal capacity, the security team frequently becomes the de facto CSIRT. It is in charge of monitoring the security of systems and communication links, containing any ongoing security threats, fixing any security issues that limit the rapid recovery of systems, and assuring the appropriate installation and operation of every security software package.


Organising, Training and Equipping the Resource Staff
• Training the emergency response teams is essential. To ensure that team members are comfortable with their jobs and responsibilities, the information security manager should create reasonable, real-world event scenarios and test the response and recovery plans against them.

• During this phase the teams will determine the resources needed for response and recovery. Training has the extra benefit of discovering unclear procedures and revising them for clarity, as well as identifying recovery resources that may be insufficient or ineffective.

• IMT members must complete the following training programme:

• Induction to the IMT
• Mentoring team members regarding roles, responsibilities and procedures
• On-the-job training
• Formal training


Incident Notification Process
• A security incident notification mechanism that is both effective and timely is a crucial component of any security programme. When possible, implement notification methods that allow an automated detection system or monitor to send email or phone messages. When incidents occur, the following roles are most likely to require information:

 Application development
 Business process owners
 Cybersecurity
 HR
 IT department
 Legal/general counsel
 Network operations
 Physical and information security
 Privacy department
 PR/corporate communications
 Risk management
 Senior management
 Threat intelligence team

Challenges in Developing an Incident Management Plan
• There may be unexpected challenges while designing and maintaining an incident management plan as a result of:

1. Lack of Management Buy-in and Organisational Consensus

2. Mismatch to Organisational Goals and Structure

3. IMT Member Turnover

4. Lack of Communication Process

5. Complex and Broad Plan


Module 4A2: Business Impact Analysis


Introduction
• A BIA is used to assess the impact on an enterprise of losing the availability of any resource.

• It identifies the minimum resources required for recovery and prioritises the recovery of processes and their supporting systems.

• The BIA is frequently mentioned in the context of BC and DR. Other methodologies, in addition to the BIA, may be used to assess possible impact.

• The bottom line of risk is impact, and the range of severity in terms of the enterprise must be identified in order to provide the necessary information and guide risk management actions.

• Although high-likelihood events with little or no individual impact are not always cause for concern, they should not be discounted without first understanding the event's significance within the wider system it supports.


Elements of Business Impact Analysis
• The manner in which BIAs are conducted differs by enterprise. However, there are some similarities. BIAs, in general:

 Explain the business mission of each specific business/cost centre.
 Determine the functions that make up each business function.
 Identify dependencies, such as necessary inputs from other procedures.
 Determine the subsequent operations that depend on the function.
 Determine key processing cycles (in terms of time intervals) for each function.
 Calculate the impact of each sort of occurrence on business operations.
 Determine the amount of time required for recovery (i.e., the RTO).
 Determine the resources and activities required to restore an acceptable level of operation.
 To determine RPOs, determine the quantity of data that can be lost and must be recreated.
 Consider possible workarounds, such as manual or PC-based operation or workload shifting.
 Estimate how long it will take to recover from each type of occurrence in respect to the RTO.
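The dependency, RTO and RPO elements above can be checked mechanically once the BIA data is collected. The following is an added illustration, not part of the course material: the business functions, RTO/RPO figures and dependencies are constructed, and the helper derives a dependency-respecting recovery order and flags targets that a dependency makes unachievable.

```python
"""Worked BIA consistency check (added illustration; function names,
RTO/RPO figures and dependencies are constructed sample data)."""

# Constructed BIA output: RTO/RPO in hours, dependencies by function name.
BIA = {
    "Payment processing": {"rto": 4,  "rpo": 1,   "depends_on": ["Core database", "Network"]},
    "Core database":      {"rto": 2,  "rpo": 0.5, "depends_on": ["Network", "Storage"]},
    "Customer portal":    {"rto": 8,  "rpo": 4,   "depends_on": ["Core database", "Network"]},
    # Storage's RTO (6 h) is longer than Core database's (2 h): a planning gap.
    # Its RPO (2 h) is also looser than that of the functions built on it.
    "Storage":            {"rto": 6,  "rpo": 2,   "depends_on": []},
    "Network":            {"rto": 1,  "rpo": 0,   "depends_on": []},
    "Reporting":          {"rto": 48, "rpo": 24,  "depends_on": ["Core database"]},
}


def rto_gaps(bia):
    """Return (function, dependency) pairs where the dependency's RTO is
    longer than the function's own RTO, i.e. the function's RTO cannot be
    met no matter how fast the function itself is restored."""
    gaps = []
    for name, f in bia.items():
        for dep in f["depends_on"]:
            if bia[dep]["rto"] > f["rto"]:
                gaps.append((name, dep))
    return gaps


def recovery_order(bia):
    """Restoration sequence in which every function comes after everything
    it depends on (Kahn's topological sort); among functions that are ready
    at the same time, the shortest RTO is restored first."""
    indegree = {n: len(f["depends_on"]) for n, f in bia.items()}
    dependents = {n: [] for n in bia}
    for name, f in bia.items():
        for dep in f["depends_on"]:
            dependents[dep].append(name)
    ready = sorted((n for n, d in indegree.items() if d == 0), key=lambda n: bia[n]["rto"])
    order = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for child in dependents[current]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
        ready.sort(key=lambda n: bia[n]["rto"])
    if len(order) != len(bia):
        raise ValueError("circular dependency in BIA data")
    return order


def effective_rpo(bia, name, _memo=None):
    """Data loss a function will actually suffer: the loosest RPO along its
    dependency chain, since data lost by a dependency is lost for the
    dependent function as well."""
    _memo = {} if _memo is None else _memo
    if name not in _memo:
        own = bia[name]["rpo"]
        deps = [effective_rpo(bia, d, _memo) for d in bia[name]["depends_on"]]
        _memo[name] = max([own] + deps)
    return _memo[name]


def rpo_gaps(bia):
    """Functions whose stated RPO is tighter than what their dependencies allow."""
    return [n for n in bia if effective_rpo(bia, n) > bia[n]["rpo"]]


if __name__ == "__main__":
    print("Recovery order:", " -> ".join(recovery_order(BIA)))
    print("RTO gaps:", rto_gaps(BIA))
    print("RPO gaps:", rpo_gaps(BIA))
```

Running the block on the constructed data reports that Core database's 2-hour RTO and Payment processing's 1-hour RPO both depend on Storage targets that are looser than their own, which is exactly the kind of finding a BIA review should surface before recovery strategies are costed.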


Benefits of Conducting a Business Impact Analysis
• Conducting BIAs yields several significant benefits, including:

 Increasing awareness of the amount of possible loss and other negative consequences that could emerge from specific types of mishaps caused by the loss of a specific function, including catastrophic events that could jeopardise the business's survival.

 Prioritising restoration activities and understanding recovery choices.

 Understanding the interdependence of diverse functions.

 Raising enterprise-wide knowledge of response management.


Module 4A3: Business Continuity Plan


Integrating Incident Response with Business Continuity
• Effective integration of incident response and BC/DR planning necessitates careful consideration of the relationships between RTO, RPO, SDO, and MTO, as the transition from incident response to disaster recovery operations for any solution other than mirrored or duplicate processing sites will take time.

• DR has traditionally included a strategy to recover an IT-processing facility or a business unit's plan to recover an operating facility.

• With the continuing expansion and widespread acceptance of cloud services, there is a shift away from perceiving IT as a facility and toward viewing IT as a capability.

• The incident management and recovery plan must be compatible with and support the enterprise's overall IT plan.


Methods for Providing Continuity of Network Services
• Among the methods for providing network service continuity are:

 Redundancy
 Alternative Routing
 Diverse Routing
 Long-Haul Network Diversity
 Last-Mile Circuit Protection
 Voice Recovery
 Telephone Recovery


High-Availability Considerations
• The loss or disruption of servers that manage sensitive and vital business activities could have disastrous consequences for an organisation.

• Plans should include operational failover solutions to avoid servers being down for an extended amount of time.

• Server recovery should be part of the DRP. The use of uninterruptible power supplies (UPSs) and failover systems to protect against power failures of varying severity is one way of offering failover or fault-tolerant capabilities.

• Direct attached storage (DAS) is a data storage and availability solution in which the storage device (for example, a disk drive) is physically connected to a server or client. To access the DAS, each user must have direct access to the server that houses the storage device.

• A network-attached storage (NAS) appliance is dedicated network-attached data storage equipment that has its own operating system. An existing Ethernet network is used for file storage and user access.


Insurance
• The IRP should include information about the enterprise's insurance arrangements, such as general coverage, cyber insurance, or information technology-related insurance.

• Current insurance policies for information systems processing typically require a multi-peril policy tailored to provide several forms of IT coverage. Typically, an organisation cannot insure against failure to comply with legal and regulatory requirements or any other violation of the law. There are several types of coverage available, including:

 IT Equipment and Facilities
 Media Reconstruction
 Professional and Commercial Liability
 Cybersecurity
 Valuable Papers and Records
 Extra Expense
 Business Interruption
 Errors and Omissions


Module 4A4: Disaster Recovery Plan


Disaster
• Disasters are unforeseen and unplanned occurrences leading to disruption of the business.

• A disaster could be a regional event spread over a broad geographic area, or it could happen within the boundaries of a single room.

• The effect of a disaster will also differ, from a full disruption of all business activities to a mere slowdown.

• The types of disaster are as follows:

 Natural Disasters

 Human-Caused Disasters


Business Continuity and Disaster Recovery Procedures
• When developing response and recovery plans, various factors must be considered, including available resources, expected services, and the categories, types, and intensity of threats encountered by the company.

• The state of monitoring and detection capabilities must be known, as well as the level of risk that the enterprise is ready to take.

• An effective recovery plan strategy strikes the most cost-effective balance between risk management, incident management and response, and BC/DR planning.

• Business continuity is defined by ISACA as "the prevention, mitigation, and recovery from disruption". While BCP goals include incident prevention and mitigation, the DRP focuses on what must be done to restore operations after an incident has occurred.

• A BCP is a continuous process that is actively implemented in business-as-usual settings, whereas a DRP is reactive in nature and is implemented only when a specified set of conditions is met.


Recovery Operations
• Once the enterprise is in recovery mode, the BC teams should keep an eye on the restoration progress at the primary site.

• This is done to determine whether it is safe to return and to run tests to determine whether the primary data centre and facilities are accessible, operational, and capable of operating at regular capacity and processing load.

• The teams in charge of shifting to the alternate location and making it operational repeat the process to return to the primary site.

• When the primary facility and data processing capabilities have been fully restored, the recovery teams will notify the BC leader, who will then declare normalcy in cooperation with the crisis management team and shift operations back to the primary site.


Recovery Operations (Continued)

• If the primary site is completely destroyed or severely damaged, the enterprise may make a strategic decision to convert the alternative recovery site into the primary operations site, or to identify, acquire, and establish another site where operations will eventually be restored and which will serve as the primary site.

• This is especially true if the organisation subscribes to a third-party disaster recovery site, as the costs of operating from such a site for a lengthy period of time may prove prohibitively expensive.

• Enterprises establishing a BCP should not only address the processes, roles, and responsibilities involved in identifying an incident, declaring a disaster, and managing operations in disaster mode, but should also define the processes for restoring operations at the primary site and announcing the return to normalcy.


Evaluating Recovery Strategies
• There are several techniques for recovering crucial information resources. The best strategy is likely to be one that addresses probable occurrences with acceptable recovery periods at a reasonable cost.

• The overall cost of a recovery capability includes the expense of preparing for potential interruptions as well as the cost of implementing the recovery in the event of an occurrence.

• The effects of disruptions can be mitigated to some extent by various types of business interruption insurance, which should be regarded as a strategy alternative.

• Depending on the size and scale of the enterprise, as well as the state of recovery planning, the information security manager should understand that developing an incident management and response plan is likely to be a challenging and time-consuming task.

• It may be necessary to develop numerous alternative strategies, each with its own set of capabilities and costs, before presenting them to management for a final selection.


Addressing Threats
• Some proactive tactics to consider in incident management while responding to threats include:

1. Eliminate or Neutralise a Threat: Although eradicating or neutralising a threat may appear to be the best option, it is often unrealistic when dealing with external threats. It may be possible to eradicate a threat if it is internal and specialised.

2. Minimise the Likelihood of a Threat's Occurrence: The best alternative is often to reduce or eliminate vulnerabilities or exposure in order to reduce the possibility of a threat occurring. This goal can be attained by putting in place the necessary physical, environmental, and security controls.

3. Minimise the Effects of a Threat if an Incident Occurs: There are several approaches to mitigating the effects of an incident, including good incident management and response, insurance, redundant systems with automated failover, and other compensating or remedial procedures.


Recovery Sites
• The most acceptable options for a recovery site must be based on the likelihood of severe outages occurring, the nature and extent of the impact on the enterprise's capacity to continue operations, and total cost. Longer and more expensive outages or calamities that disrupt the primary physical facility are likely to necessitate offsite backup options. Offsite backup facilities that can be considered include:

 Hot Sites
 Warm Sites
 Cold Sites
 Mobile Sites
 Duplicate Sites
 Mirror Sites
 Reciprocal Agreements
 Disaster Recovery as a Service


Basis for Recovery Site Selection
• The following factors should be considered when choosing a site for a response and recovery strategy:

 AIW
 RTO
 RPO
 SDO
 MTO
 Proximity Factors
 Locations
 Nature of the Probable Disruptions


Response and Recovery Strategy Implementation
• A detailed response and recovery plan should be established based on the response and recovery strategy decided by management. It should handle all aspects of disaster recovery. Several elements should be addressed when constructing the plan, including:

• Pre-incident readiness
• Evacuation procedures
• How to declare a disaster
• Procedures for moving to disaster recovery if the incident response fails
• Identification of the business processes and IT resources that must be restored
• Identification of the individuals with decision-making authority and duties in the plan
• Identification of the persons (and alternates) in charge of each plan function
• Contact information
• A step-by-step breakdown of the recovery alternatives
• Identification of the various resources needed for recovery and ongoing activities
• Making certain that other logistics, such as worker transfer and temporary housing, are taken into account


Module 4A5: Incident Classification/Categorisation


Introduction

 Incident Classification
 Incident Categorisation


Escalation Process for Effective Incident Management
• A set of actions should be stated, in the sequence in which they are to be executed, for every credible and actionable event. Every action specified should identify the person responsible, alternates in the event of unavailability, and an expected time for completion.

• When all of the activities have been successfully executed, the process should proceed to the section devoted to concluding the emergency. Entities and personnel that may receive an alert notification include, but are not limited to:

 Backup Facilities
 Business Partners
 Customers
 General Counsel
 HR
 Insurance Companies
 Internal Audit
 Network Operations
 Privacy Department
 Public Relations
 Regulators
 Risk Management
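The sequence of actions described above (responsible person, alternate, expected completion time) can be recorded as data and checked against what actually happened during an exercise. The block below is an added illustration, not course material: the action sequence, role names and timings are constructed placeholders.

```python
"""Escalation sequence check (added illustration; the action sequence,
role names and timings are constructed placeholders)."""
from datetime import datetime, timedelta

# Constructed action sequence for one actionable event type. Each step names
# the responsible role, an alternate for unavailability, and expected minutes.
SEQUENCE = [
    {"action": "Confirm severity and declare incident", "owner": "Incident Coordinator",
     "alternate": "Security Manager", "expected_min": 15},
    {"action": "Isolate affected systems", "owner": "Network Operations",
     "alternate": "IT Department", "expected_min": 30},
    {"action": "Notify General Counsel and Public Relations", "owner": "Incident Coordinator",
     "alternate": "Executive Sponsor", "expected_min": 20},
    {"action": "Brief senior management", "owner": "Executive Sponsor",
     "alternate": "Security Manager", "expected_min": 30},
]


def assign_responders(sequence, unavailable):
    """Pick who performs each action: the responsible person if available,
    otherwise the alternate. An action with nobody available yields None,
    so the gap in the plan is visible before an event rather than during it."""
    assignments = []
    for step in sequence:
        if step["owner"] not in unavailable:
            assignments.append(step["owner"])
        elif step["alternate"] not in unavailable:
            assignments.append(step["alternate"])
        else:
            assignments.append(None)
    return assignments


def overdue_actions(sequence, started, completed_at, now):
    """Return the actions that overran their expected time. Deadlines
    accumulate because the actions run in sequence; an action not yet
    completed counts as overdue only once its deadline has passed."""
    deadline = started
    late = []
    for step in sequence:
        deadline += timedelta(minutes=step["expected_min"])
        done = completed_at.get(step["action"])
        if done is None:
            if now > deadline:
                late.append(step["action"])
        elif done > deadline:
            late.append(step["action"])
    return late


if __name__ == "__main__":
    # Constructed exercise: two roles out of reach, one action slower than planned.
    print(assign_responders(SEQUENCE, {"Incident Coordinator", "Executive Sponsor"}))
    started = datetime(2024, 3, 5, 10, 0)
    done = {
        "Confirm severity and declare incident": datetime(2024, 3, 5, 10, 10),
        "Isolate affected systems": datetime(2024, 3, 5, 10, 50),
        "Notify General Counsel and Public Relations": datetime(2024, 3, 5, 11, 0),
    }
    print(overdue_actions(SEQUENCE, started, done, now=datetime(2024, 3, 5, 11, 20)))
```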


Help/Service Desk Processes for Identifying Security Incidents
• The information security manager should develop protocols that help help/service desk workers discern between a regular inquiry and a potential security issue.

• The help/service desk is likely to receive the first reports indicating a security issue. Prompt recognition of an ongoing event and prompt referral to the appropriate parties are crucial for limiting the damage caused by such incidents.

• Proper training also helps to lessen the likelihood that the help/service desk will be successfully targeted in a social engineering attack aimed at gaining account access, such as a perpetrator posing as a user who has been locked out and requires immediate access to the system.

• In addition to spotting potential security incidents, help/service desk workers should be aware of the necessary reporting and escalation procedures.


Module 4A6: Incident Management Training, Testing and Evaluation


Incident Management Roles and Responsibilities
• An enterprise's incident management capability serves as the first responder to a range of incidents affecting information processing and business processes.

• It responds to and handles incidents in order to contain and reduce damage, limit disruptions to business processes, and promptly restore operations.

• Incidents that are poorly managed have the potential to become disasters.

• Understanding the hierarchy and organisational structure associated with the various incident management positions is critical.

• To avoid miscommunication during a crisis, each position must be clearly defined and communicated.

• The duties connected with incident management will differ from company to company.


Incident Management Roles and Responsibilities (Continued)

• Typical roles in incident management activities include, but are not limited to, the following:

o Affected Business Unit Representation
o Corporate Communication
o Executive Sponsor
o General Counsel
o Human Resources
o Incident Coordinator
o Lead Investigator
o Security Analysts
o Technology Analysts
o Public Relations
o Threat Intelligence Analysts


Incident Management Roles and Responsibilities
Senior Management Commitment

• A business case can demonstrate that, in many cases, effective incident management and response are less expensive than attempting to develop controls for all possible conditions.

• Tested incident management and response may also provide the firm with more revenue opportunities by allowing higher levels of acceptable risk, based on a demonstrated capacity and capability to handle security incidents.

• Sufficient incident response, combined with effective information security, is likely to provide the most cost-efficient risk management strategy and may be the wisest resource management decision.

• These elements should be included in the business case, which will be used to obtain the senior management commitment necessary to ensure the programme's success.


Incident Management Roles and Responsibilities
Responsibilities

• The information security manager is responsible for a variety of incident management tasks, including:

 Creating incident management and response plans for information security incidents.

 Effectively and efficiently handling and organising information security incident response actions.

 Validating and reporting on logical, physical, or administrative safeguard or countermeasure solutions.

 All aspects of information security incident management and response planning, budgeting, and programme creation.


Incident Management Metrics and Indicators
Responsibilities

• The criteria used to measure the efficacy and efficiency of the incident management function
include incident management metrics, measures, and indicators.

• Metrics based on the key performance indicators (KPIs) and key goal indicators (KGIs)
established for incident management should be submitted to top management as rationale for
ongoing support and funding.

• They allow senior management to understand the enterprise's incident management
competence as well as areas of risk that must be addressed. The following are examples of
common incident management metrics criteria:

 Total number of incidents reported
 Total number of incidents discovered
 Number of incident-free days
 Average time taken to resolve an incident
 Total number of incidents resolved successfully
 Incidents that were not effectively resolved
 Proactive and preventative actions implemented
 Total number of employees that have received security awareness training
 Total damage that would have been caused by reported and identified incidents if incident
response had been ineffective or non-existent
 Total savings from potential incidents resolved
 Total resources used to respond to incidents
 Time between detection and notification
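To make the criteria concrete, here is an added example (not part of the course material) that computes the metrics listed above from a set of incident records. The record layout, the ten-day reporting period and the four sample incidents are constructed assumptions; the field names are hypothetical.

```python
"""Incident management metrics (KPIs) computed from constructed incident records.

Added illustration, not course material: the record layout and sample incidents
below are assumptions made for the example.
"""
from dataclasses import dataclass
from datetime import date, datetime
from statistics import mean
from typing import Optional


@dataclass
class IncidentRecord:
    incident_id: str
    detected: datetime            # when the incident was first detected
    notified: datetime            # when the IMT/IRT was notified
    resolved: Optional[datetime]  # None while the incident is still open
    resolved_effectively: bool    # outcome judged acceptable at post-incident review
    reported_by_user: bool        # True if a person reported it, False if tooling found it
    loss_avoided: float           # estimated loss prevented by the response (currency units)
    responder_hours: float        # resources consumed responding


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data for a ten-day reporting period (not real incidents).
SAMPLE_INCIDENTS = [
    IncidentRecord("INC-001", _ts("2024-03-01 09:00"), _ts("2024-03-01 09:10"),
                   _ts("2024-03-01 13:00"), True, True, 5000.0, 6.0),
    IncidentRecord("INC-002", _ts("2024-03-03 22:30"), _ts("2024-03-03 23:00"),
                   _ts("2024-03-04 11:30"), True, False, 20000.0, 14.0),
    IncidentRecord("INC-003", _ts("2024-03-03 14:00"), _ts("2024-03-03 14:05"),
                   _ts("2024-03-03 15:00"), False, True, 0.0, 3.0),
    IncidentRecord("INC-004", _ts("2024-03-08 08:00"), _ts("2024-03-08 08:20"),
                   None, False, False, 0.0, 10.0),
]
REPORT_PERIOD = (date(2024, 3, 1), date(2024, 3, 10))  # inclusive


def compute_metrics(incidents, period_start: date, period_end: date) -> dict:
    """Return the common incident management metrics listed on the slides."""
    in_period = [i for i in incidents if period_start <= i.detected.date() <= period_end]
    resolved = [i for i in in_period if i.resolved is not None]
    days_in_period = (period_end - period_start).days + 1
    days_with_incident = {i.detected.date() for i in in_period}

    def hours(a: datetime, b: datetime) -> float:
        return (b - a).total_seconds() / 3600.0

    def minutes(a: datetime, b: datetime) -> float:
        return (b - a).total_seconds() / 60.0

    return {
        "total_reported": sum(1 for i in in_period if i.reported_by_user),
        "total_discovered": sum(1 for i in in_period if not i.reported_by_user),
        "incident_free_days": days_in_period - len(days_with_incident),
        "avg_resolution_hours": mean(hours(i.detected, i.resolved) for i in resolved) if resolved else 0.0,
        "resolved_successfully": sum(1 for i in resolved if i.resolved_effectively),
        "not_effectively_resolved": sum(1 for i in resolved if not i.resolved_effectively),
        "still_open": len(in_period) - len(resolved),
        "total_savings": sum(i.loss_avoided for i in in_period),
        "total_responder_hours": sum(i.responder_hours for i in in_period),
        "avg_detection_to_notification_minutes":
            mean(minutes(i.detected, i.notified) for i in in_period) if in_period else 0.0,
    }


if __name__ == "__main__":
    for name, value in compute_metrics(SAMPLE_INCIDENTS, *REPORT_PERIOD).items():
        print(f"{name:40s} {value}")
```

Each metric is returned rather than only printed so that the figures can feed a management report or a trend chart; the "incident-free days" figure is derived from the detection dates within the period, which is why the period bounds are passed explicitly.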


Incident Management Metrics and Indicators
Recovery Time Objectives

• As part of the overall risk evaluation, the information security manager must understand RTOs
and how they apply to the enterprise's information resources.

• The RTO will be determined by the enterprise's business demands, and is typically
described as the amount of time required to restore an acceptable level of regular operations.
The SDO establishes that acceptable level.

• The information security manager should keep in mind that the RTO may change depending on
the time of the month or year.

• Financial data may not be as important at the start of the month, when the new fiscal month
begins. RTOs are defined by performing a BIA in tandem with constructing a BCP.

• Because the interconnectivity of systems and their dependencies affects the order of
restoration, most or all systems associated with important business processes will require a BIA.


Incident Management Metrics and Indicators
(Continued)

• A divisional supervisor's essential information asset may not be critical in the eyes of the vice
president of operations, who is able to integrate the total organisational risk into the RTO
evaluation.

• The information security manager should recognise the importance of both perspectives and
work toward an RTO that takes both into account.

• The outcome will be incorporated into the BCP, as will the extent of the services to be restored
and the priority order for system recovery. In the end, top management makes the final choice.

• Senior management is in the best position to arbitrate the needs and requirements of the
various aspects of the business, such as the regulatory requirements to which the enterprise is
subject, and to decide which processes are the most crucial to the business's continued
existence, in addition to determining acceptable costs.


Incident Management Metrics and Indicators
RTO and its Relation to Business Continuity Planning and Contingency Planning Objectives and
Processes

• Understanding the RTO for information systems and their associated data is required for an
enterprise to create and execute an adequate BC programme.

• Once the RTOs are known, the enterprise can identify and create contingency strategies that
will meet the RTOs of the information resources.

• System owners consistently favour shorter RTOs, but the trade-off in cost may not be
justified.

• When necessary, near-instantaneous recovery can be achieved via technologies such as mirroring
of information systems, ensuring that the systems are always readily available in the case of a
disruption.

• In general, the longer the RTO for a given resource, the lower the cost of recovery.


Incident Management Metrics and Indicators
Recovery Point Objectives

• In case of an operational disruption, the RPO is determined based on the acceptable data loss.

• It indicates the most recent point in time to which it is sufficient to recover the data, which is
generally the latest backup. In case of interruption, the RPO effectively quantifies the
allowable amount of data loss.

• Depending on the volume of data, it may be preferable to decrease the time between backups
to avoid a situation in which recovery becomes impossible because of the volume of data to be
recovered.

• Additionally, it is possible that the time needed to restore a significant amount of data prevents
the RTO from being achieved.

• While this is generally within the scope of DR and BC planning, it is an essential factor when
creating a risk management strategy.


Incident Management Metrics and Indicators
Service Delivery Objectives

• SDOs are defined as the minimum level of service that must be restored after an event in order
to meet business requirements until normal operations can be resumed.

• SDOs will be affected by RPOs and RTOs and must be examined in any risk management
strategy and its execution. Higher levels of service will typically need greater resources and more
current RPOs.

Maximum Tolerable Outage

• The maximum period an enterprise can operate in alternative mode is referred to as the MTO.

• Factors that may affect the MTO include the accessibility of a recovery site, which might be
located remotely, the limited operational capacity of the recovery site, and the availability of fuel
for emergency generators.


Incident Management Metrics and Indicators
(Continued)

• These variables affect the RTO, which in turn affects the RPO. To minimise the risk of
inadequate recovery to the enterprise, the relationship between the MTO, RPO, and RTO must
be considered from a risk management perspective.

Allowable Interruption Window

• The AIW is the period of time for which the usual functions can be down before the enterprise
faces financial problems serious enough to endanger its existence.

• To minimise the risk to the enterprise in the event of a disaster, the MTO should in any event
be at least as long as the AIW.
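The relationships among RTO, RPO, MTO and AIW described on these slides can be checked mechanically against a proposed recovery strategy. The following is an added example, not part of the course material: the dataclasses, the finding codes and the finance-system figures are assumptions, and the restore-time estimate (site activation plus data volume divided by restore throughput) is a deliberate simplification for illustration.

```python
"""Consistency check between stated recovery objectives (RTO, RPO, MTO, AIW) and the
strategy intended to meet them. Added illustration; all figures are constructed."""
from dataclasses import dataclass


@dataclass
class RecoveryObjectives:
    resource: str
    rto_hours: float   # time allowed to restore the acceptable level of operation (the SDO)
    rpo_hours: float   # acceptable data loss, expressed as time since the last good copy
    mto_hours: float   # maximum period the enterprise can operate in alternative mode
    aiw_hours: float   # outage the enterprise can survive before its existence is endangered


@dataclass
class RecoveryStrategy:
    backup_interval_hours: float      # how often recoverable copies are taken
    data_volume_gb: float             # data that must be restored
    restore_rate_gb_per_hour: float   # throughput of the restore mechanism
    site_activation_hours: float      # time to bring the alternative site up


def estimated_restore_hours(s: RecoveryStrategy) -> float:
    """Site activation plus the time to stream data back; large volumes can defeat the RTO."""
    return s.site_activation_hours + s.data_volume_gb / s.restore_rate_gb_per_hour


def check_recovery_plan(o: RecoveryObjectives, s: RecoveryStrategy) -> list:
    """Return (code, message) findings; an empty list means the strategy is consistent."""
    findings = []
    # Worst-case data loss equals the gap between backups, so the interval bounds the RPO.
    if s.backup_interval_hours > o.rpo_hours:
        findings.append(("RPO", f"backups every {s.backup_interval_hours}h exceed the {o.rpo_hours}h RPO"))
    # The restore must fit inside the RTO; if not, shorten the interval or change the technology.
    restore = estimated_restore_hours(s)
    if restore > o.rto_hours:
        findings.append(("RTO", f"estimated restore of {restore:.1f}h exceeds the {o.rto_hours}h RTO"))
    # An RTO longer than the AIW means the business is down past the point it can survive.
    if o.rto_hours > o.aiw_hours:
        findings.append(("RTO_AIW", f"RTO {o.rto_hours}h is longer than the {o.aiw_hours}h AIW"))
    # The slide's rule: the MTO should be at least as long as the AIW.
    if o.mto_hours < o.aiw_hours:
        findings.append(("MTO_AIW", f"MTO {o.mto_hours}h is shorter than the {o.aiw_hours}h AIW"))
    return findings


# Constructed figures for a hypothetical finance system and two candidate strategies.
FINANCE = RecoveryObjectives("finance-ledger", rto_hours=8, rpo_hours=4, mto_hours=72, aiw_hours=24)
WEAK = RecoveryObjectives("example", rto_hours=48, rpo_hours=4, mto_hours=12, aiw_hours=24)
MIRRORED = RecoveryStrategy(backup_interval_hours=1, data_volume_gb=1000,
                            restore_rate_gb_per_hour=200, site_activation_hours=1)
NIGHTLY_TAPE = RecoveryStrategy(backup_interval_hours=24, data_volume_gb=3000,
                                restore_rate_gb_per_hour=200, site_activation_hours=2)

if __name__ == "__main__":
    for objectives, strategy in [(FINANCE, MIRRORED), (FINANCE, NIGHTLY_TAPE), (WEAK, MIRRORED)]:
        print(objectives.resource, check_recovery_plan(objectives, strategy) or "consistent")
```

Running the check shows the trade-off the slides describe: the mirrored strategy meets an 8-hour RTO and 4-hour RPO, while nightly tape fails both, and objectives whose MTO is shorter than the AIW are flagged regardless of the technology chosen.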


Performance Measurement

• Performance measurements for incident management and response focus on achieving the
defined objectives and improving cost-effectiveness.

• KPIs and KGIs for the activity should be specified and agreed on by stakeholders and approved
by senior management.

• The standard range of KGIs includes the successful handling of incidents, whether in live
testing or under actual conditions.

• Key performance measures can be identified by the successful handling, within the RTOs, of
incidents that endanger business operations.


Updating Recovery Plans

• As enterprises constantly change and evolve, the response and recovery plans also need to
change.

• The information security manager must establish a process by which recovery plans are
updated as changes arise in the enterprise.

• Considering the response and recovery plan requirements within the enterprise's change
management process is an important part of adequate response management.

• To reflect continuing recognition of changing requirements, strategies and plans for recovery
and response should be reviewed and updated according to a schedule.


Updating Recovery Plans
(Continued)

• Along with others not listed, the following factors may affect the plan's requirements and create
the need for it to be updated:

 A method that is suitable at one point in time may no longer be sufficient as the requirements of
the enterprise change.

 New applications may be acquired or developed.

 Modifications in business processes may change the value of essential applications or result in
other applications being considered crucial.

 Modifications in the software or hardware environment may make existing conditions
outdated or unsuitable.

 Changes in physical and environmental conditions may also need to be assessed.


Testing Incident Response and Business Continuity/Disaster
Recovery Plans

• All aspects of the plan should be tested regularly in order to confirm success in incident response.

• Testing should focus on the following:

1. Identifying gaps

2. Verifying assumptions

3. Testing timelines

4. Determining the effectiveness of strategies

5. Evaluating the performance of personnel

6. Determining the currency and accuracy of plan information


Periodic Testing of the Response and Recovery Plans

• It is important to understand and integrate the scope and capabilities of these functions as well as
their exact relationship.

• Regardless of the structure, the full scope of incident management responsibilities, including
escalation and the involvement of, or handover to, the disaster management and recovery
operation if it is the duty of another group, must be tested up to the point of a disaster
declaration.

• Periodic testing of the response and recovery plans should be carried out by the information
security manager with help from the recovery team structure.

• Testing should involve the following:

 Development of test objectives.
 Execution of the test.
 Development of recommendations to improve the effectiveness of the testing processes and of
the response and recovery plans.
 Implementation of a follow-up process to ensure that the recommendations are carried out.
Testing for Infrastructure and Critical Business Applications

• Testing of response and recovery plans must cover both critical applications and infrastructure,
although not necessarily at the same time.

• In enterprises that depend heavily on IT, the information security manager is tasked with securing
the systems not only during normal operations but also during disaster events.

• Based on the business impact information and the risk assessment, the information security
manager can identify the important applications the enterprise needs and the infrastructure
needed to support them.

• The information security manager needs to conduct accurate recovery tests to ensure that
these are recovered in a timely fashion.


Types of Tests

• To increase confidence and lower risk to the business, testing should begin simply and gradually
become more complex, stretching the goals and success criteria of earlier iterations.

• After individual plans have been tested separately with satisfactory results, full-interruption
tests should be conducted annually at a minimum.


Test Results

• There are particular results that should be anticipated from conducting a test.

• A recovery test should seek, at a minimum, to achieve the following:

• Confirm the completeness and precision of the response and recovery plan.
• Evaluate the performance of the personnel involved in the exercise.
• Evaluate the level of training and awareness of people who are not part of the
recovery/response team.
• Evaluate the coordination between the team members and external suppliers and vendors.
• Assess the capacity and ability of the backup site to perform the defined processing.
• Evaluate the critical records recovery capability.
• Evaluate the quantity and state of equipment and supplies that have been relocated to the
recovery site.
• Assess the overall performance of operational and information systems processing activities
connected to maintaining the business entity.


Recovery Test Metrics

• In addition to assessing the effectiveness of the plan, the resulting metrics should also be used
to enhance it.

• The following general types of metrics typically apply, although specific measurements depend
on the test and the enterprise:

 Time
 Amount
 Percentage or Number
 Accuracy
 Plans


Module 4B1: Incident Management Tools and Technologies


Incident Management Systems

• The substantial amount of activity and information in increasingly complex systems has driven
the growth of automated incident management systems in past years.

• These systems automate many manual processes and provide filtered information that can
identify potential technical incidents and alert the IMT. An effective SIEM will do the
following:

• Correlate and consolidate inputs from various sources.
• Recognise potential incidents.
• Notify staff.
• Prioritise incidents based on business impact.
• Track incidents until they are closed.
• Provide notifications and status tracking.
• Integrate with major IT management systems.
• Enforce good practices.


Incident Management Systems
Endpoint Detection and Response

• Endpoint security has historically been reactive, identifying perceived or potential security
threats using signatures for known attack patterns.

• EDR focuses on recognising threats and malware designed to evade traditional security
defences, while trying to be predictive in nature.

• Most EDR solutions will leverage some form of cyberthreat intelligence with machine learning
capabilities, in conjunction with threat detection and file analysis.

• EDR solutions generally build a historical audit trail in which user and system behaviours and
security events are captured for follow-on examination by security analysts.

• EDR solutions also support root cause analysis, not only incident response efforts.


Incident Management Systems
Extended Detection and Response

• An evolution of EDR, XDR takes a holistic approach to endpoint detection and response.

• XDR not only gives an enterprise's information security teams a suitable view across the
endpoints but also examines servers, networks and the cloud.

• XDR builds on the capabilities of EDR, machine learning and artificial intelligence, and leverages
automation to give context about security events.

Managed Detection and Response

• MDR is a hybrid of service provider and technology. Its value is for enterprises that lack the
appropriate skills and expertise, or have restricted resources, required to appropriately monitor
possible attack vectors.

• Generally the service provider will be responsible for providing the instrumentation.


Incident Response Technology Foundations

• The following security concepts must be included in IRTs:

1. Security Principles
2. Security Vulnerabilities/Weaknesses
4. The Internet
5. Operating Systems
6. Malicious Code
7. Programming Skills


Personnel

• An IMT usually comprises an information security manager, an advisory board or steering
committee, and supporting group members.

• Team members may be identified ad hoc, be dedicated full-time IMT support, or be committed
only during incidents.

• The arrangement of team members and how they will support the IMT will differ from
enterprise to enterprise.

• The team is usually led by the information security manager. In bigger enterprises, it may be
more appropriate to employ a dedicated IRT leader who concentrates on responding to
incidents.

• The SSG also authorises exceptions and deviations from normal practice. The primary tasks in the
IMT/IRT are performed by dedicated team members.


Personnel

• Incident handlers examine incident data, determine the effect of the incident and suggest the
proper measures to limit the damage to the enterprise and restore normal services. Usually,
the team will cooperate with general users, complementary groups, and business managers.

• The following are the IRT models that have proven to work:

1. Central IRT

2. Distributed IRT

3. Coordinating IRT

4. Outsourced IRT


Personnel
Roles and Responsibilities

Position: Security Steering Group (SSG)
Role: Highest structure of an enterprise's functions connected to information security
Responsibilities:
1. Takes responsibility for the overall incident management and response concept.
2. Approves the incident management team charter.
3. Takes final decisions.

Position: Information Security Manager
Role: IMT leader and main interface to the SSG
Responsibilities:
1. Develops and maintains the incident management and response capability.
2. Manages incidents and risks effectively.

Position: Incident Response Manager
Role: Incident response team leader
Responsibilities:
1. Supervises incident response tasks.
2. Coordinates resources to perform incident response tasks effectively.
3. Presents incident lessons learned and the response plan to SSG members.


Personnel
(Continued)

Position: Incident Handler
Role: IRT/IMT team member
Responsibilities:
1. Performs incident response tasks to contain exposures from an incident.
2. Documents the steps taken when implementing the IRP.

Position: Investigator
Role: IRT/IMT team member
Responsibilities:
1. Conducts investigation tasks for a particular incident.
2. Searches for the root cause of an incident.

Position: IT Security Specialist
Role: IRT/IMT team member, IT security subject matter expert
Responsibilities:
1. Performs in-depth and complex IT security-related tasks as part of the IRP.
2. Performs IT security audits/assessments as part of vulnerability management and proactive
measures.


Personnel
(Continued)

Position: Business Manager
Role: Business function owners, information system/asset owners
Responsibilities:
1. Takes decisions on matters connected to information systems/assets.
2. Provides clear knowledge of business impact in the BIA procedure or in the IRP.

Position: IT Representatives/Specialists
Role: IT services subject matter expert
Responsibilities:
1. Supports the IRT/IMT while resolving an incident.
2. Keeps information systems in good condition per company good practices and policies.

Position: Human Resources (HR)
Role: HR area subject matter expert
Responsibilities:
1. Provides help in incident response/management when there is a need to investigate an
employee suspected of causing an incident.
2. Integrates HR policy to support incident response/management.


Skills

• The following are the personal skills:

 Communication
 Leadership Skills
 Presentation Skills
 Ability to Follow Procedures and Policies
 Team Skills
 Integrity
 Self-Understanding
 Coping with Stress
 Problem Solving
 Time Management


Awareness and Education

• While security incidents and high-profile breaches have raised the security awareness of most
people, end users are the first line of defence in controlling security breaches.

• Therefore, it is important for the information security manager to ensure that an ongoing
awareness campaign underlines the significance of being aware, in order to decrease
vulnerability to actions that may lead to a security breach.

• A skills assessment is suitable to determine whether the necessary skills are available in the
enterprise for the IRT. In some cases, appropriate education or training may be needed to
provide the required skills.

• When a situation occurs in which in-house knowledge is inadequate, external technical
specialists can be called on to fill the skills gap.


Audits

• Internal and external audits are conducted to identify adherence to the standards, policies, and
procedures defined by an enterprise.

• Internal audits are performed by specialists within the enterprise and are generally intended
to improve risk and incident management and to support compliance requirements.

• External audits involve a third party that conducts the tasks. While most external audits are
performed to satisfy mandatory requirements, they are also commonly used as part of business
relationships.

• Both types of audit can be suitable for studying incident management and response
capabilities and plans.

• Periodic audits of the procedures and processes defined in the plans can provide validation that
policy compliance and legal requirements are addressed properly and that security will not be
compromised in the event of an incident.


Outsourced Security Providers

• It could be more cost-effective to outsource incident management capabilities, particularly for
smaller enterprises.

• These enterprises might not have the internal resources to provide the requisite IMT/IRT
expertise in a sufficient manner. If incident management is outsourced to the same vendor as
IT operations, businesses that outsource their IT operations may profit from close integration.

• When security functions are partially or fully outsourced, the information security manager
should consider the following:

 Cross-referencing the enterprise's incident reference numbers with the vendor's for every
relevant incident.

 Integration of the enterprise's change management functions with the vendor's.

 Requiring regular review of incidents with the vendor.


Module 4B2: Incident Investigation and Evaluation


Introduction

• Not every event is an incident, and the information security manager must be aware of the
subtle difference between the two.

• An event is something that occurs at a typical time or place: a door opening, an account logon,
an automated procedure ending.

• All of these are events that, taken without any context, have little to no significance.

• The contextual data surrounding the event must be examined to determine whether the event
was in fact normal or abnormal.

• Proper actions can be taken once the legitimacy of an event is known. The escalation of an
event to an incident is initiated by the preliminary investigation and by assessing the impact on
the enterprise.
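The event-versus-incident distinction above, and the incident management system capabilities listed under Module 4B1 (consolidating inputs from several sources, recognising potential incidents, prioritising by business impact and tracking incidents to closure), are illustrated by the following added example. It is not course material: the log format, hostnames, correlation rules and business-impact ratings are constructed for the example.

```python
"""Toy incident management correlator: normalises events from several sources, applies
context rules to decide which events amount to an incident, prioritises by business impact
and tracks incidents to closure. Added illustration; all names and rules are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input: one line per event from auth, IDS and EDR sources.
RAW_LOGS = [
    "2024-03-05T02:14:01Z auth fin-db01 svc_backup login_failed",
    "2024-03-05T02:14:09Z auth fin-db01 svc_backup login_failed",
    "2024-03-05T02:14:20Z auth fin-db01 svc_backup login_failed",
    "2024-03-05T02:15:02Z auth fin-db01 svc_backup login_success",
    "2024-03-05T09:30:00Z ids hr-app02 - ids_alert",
    "2024-03-05T09:33:40Z edr hr-app02 jsmith edr_alert",
    "2024-03-05T11:02:15Z auth dev-ws17 alee login_failed",
    "2024-03-05T11:02:40Z auth dev-ws17 alee login_success",
]

# Business impact of each asset, as a BIA would supply it (constructed).
ASSET_IMPACT = {"fin-db01": "high", "hr-app02": "medium", "dev-ws17": "low"}
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Event:
    ts: datetime
    source: str
    host: str
    user: str
    kind: str


@dataclass
class Incident:
    host: str
    reason: str
    events: list
    priority: str
    incident_id: str = ""
    status: str = "open"


def parse_event(line: str) -> Event:
    ts, source, host, user, kind = line.split()
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), source, host, user, kind)


def correlate(events, window: timedelta = timedelta(minutes=10)) -> list:
    """Consolidate events per host and raise incidents only where the context warrants it."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        priority = ASSET_IMPACT.get(host, "medium")  # unknown assets default to medium
        # Rule 1: three or more failed logons followed by a success inside the window.
        failures = [e for e in evs if e.kind == "login_failed"]
        for succ in (e for e in evs if e.kind == "login_success"):
            recent = [f for f in failures if succ.ts - window <= f.ts < succ.ts]
            if len(recent) >= 3:
                incidents.append(Incident(host, "repeated logon failures followed by success",
                                          recent + [succ], priority))
                break
        # Rule 2: an IDS alert corroborated by an EDR alert on the same host inside the window.
        edr = [e for e in evs if e.kind == "edr_alert"]
        for ids in (e for e in evs if e.kind == "ids_alert"):
            hits = [b for b in edr if abs(b.ts - ids.ts) <= window]
            if hits:
                incidents.append(Incident(host, "IDS alert corroborated by EDR alert",
                                          [ids] + hits, priority))
                break
    # Order by business impact and assign tracking identifiers.
    incidents.sort(key=lambda i: PRIORITY_ORDER[i.priority])
    for n, inc in enumerate(incidents, 1):
        inc.incident_id = f"INC-{n:04d}"
    return incidents


def close_incident(incidents, incident_id: str) -> bool:
    """Track an incident to closure; False if the identifier is unknown or already closed."""
    for inc in incidents:
        if inc.incident_id == incident_id and inc.status == "open":
            inc.status = "closed"
            return True
    return False


def run(lines=RAW_LOGS) -> list:
    return correlate(parse_event(line) for line in lines)


if __name__ == "__main__":
    for inc in run():
        print(inc.incident_id, inc.priority, inc.host, inc.reason, len(inc.events), "events")
```

On the sample input, the single failed logon on dev-ws17 is an event with no surrounding context and raises nothing, while the same event type repeated and then followed by success on the finance database becomes the highest-priority incident; the rules are intentionally simple so that the threshold and window can be tuned to the enterprise.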


Executing Response and Recovery Plans

• Untested plans could end up failing to function as expected.

• It is also reasonable to assume that the more serious the incident, the more turmoil, confusion,
and issues the incident management and response teams will face.

• An attack that takes down IT systems and a building collapse are both examples of incidents.

• All reasonably possible events must be anticipated, planned for, and tested in order to give
reasonable confidence that the enterprise will be preserved under predictable conditions.

Ensuring Execution as Required

• A facilitator is required to oversee task execution, communicate with top management, and
direct tasks within the response and recovery plans to ensure they are carried out as intended.


Executing Response and Recovery Plans
(Continued)

• In the overall process of carrying out the response and recovery plans, developing appropriate
response and recovery methods and alternatives is a crucial step.

• It is crucial to test the plans to make sure they can be carried out as needed.

• An impartial observer should be chosen by the information security manager to track
progress and record any exceptions that arise during testing and during a real occurrence.


Module 4B3: Incident Containment Methods


Incident Containment Methods

• Containment comprises all the tasks, steps and activities taken in the attempt to reduce or
limit the effect of an incident.

• Containment is a tactical, short-term action intended purely to stop the bleeding, not
necessarily to identify or rectify the root cause that permitted the incident to happen.

• The following are common containment activities conducted during a security incident:

 Escalation and notification to suitable stakeholders
 Memory captures and analysis
 Enterprise-wide password resets for all accounts
 Updating firewall rule sets to drop/block/deny traffic
 Updating IDS signatures
 Log collection, review and analysis
 Forensically imaging affected systems
 Malware reverse engineering
 Disconnecting the device from the network


Module 4B4: Incident Response Communication


Introduction

• Given the number of personnel involved in responding to an incident, creating an authoritative
source for communication is compulsory.

• Without proper context and insight, speculation may be taken for fact, or facts may be
downplayed.

• There will be various communication methods and channels that ought to be defined prior to
an incident being declared.

• Several communication channels must be established during an incident: communications will
need to take place between the IMT manager and senior management, and decisions will be
needed on whether to communicate with enterprise staff, external third parties, and affected
business partners.

• Every communication channel needs to be clearly defined, conveyed and understood by all
affected members to confirm that the appropriate messages are communicated to their
audiences.


Notification Requirements

• Notification requirements are central parts of the incident management plan and the IRP.

• The IRP should contain a directory of main IRT members, end users, information system
owners, decision-making personnel, and others mandated to create and deliver response
measures.

• The following individuals should be included in the directory:

 Representatives of software and equipment vendors.
 Contacts within companies designated to provide equipment, services and supplies.
 Contacts at recovery facilities, including predefined network communications rerouting services or
hot site representatives.
 Contacts at offsite media storage services and the contacts in the company who are authorised to
recover media from the offsite service.
 Insurance company agents.
 Contact information for regulatory bodies.
 Law enforcement contacts.


Communication Networks

• The plan must include details of the telecommunication network required to recover the business
operations of the enterprise.

• Telecommunication networks are exposed to the same natural disasters as data centres but are
also vulnerable to disruptive events specific to telecommunications.

• These include errors, central switching office disasters, communication software glitches, cable
cuts, security breaches from hacking, and a host of other human errors.

• Telecommunications capabilities include wide area networks, LANs, third-party providers, and
telephone voice circuits.

• Essential capability needs should be identified for the different outage thresholds, such as 2
hours, 8 hours or 24 hours, for every telecommunications capability.

• Uninterruptible power supplies (UPSs) should be adequate to provide backup for both computer
and telecommunications equipment.


Module 4B5: Incident Eradication and Recovery


Eradication Activities

• The following are the considerations included in common eradication activities conducted
during a security incident:

 Root cause analysis
 Removal and clean-up of artefacts left behind by the incident
 Implementation of any outstanding patches
 DNS null routing of fully qualified domain names and malicious IP addresses
 Additional modifications to IDSs and firewalls as required
 Scanning for additional indicators of compromise
 Eliminating malicious software
 Wiping and rebuilding affected systems
 Recovering from backups


Recovery

• Recovery efforts follow the successful containment and eradication stages of the incident
response process life cycle.

• After the incident has been properly addressed and the root cause problems remediated, the
focus changes to confirming that the business can successfully return to operations, which
means restoring affected systems to normal. Activities to prevent similar incidents from
recurring should be planned and implemented during the recovery phase.

• Typical recovery activities conducted after a security incident has been successfully eradicated
include the following:

 Validating and testing the security baseline.
 Monitoring networks for IoCs and indicators of attack.
 Actively searching for known adversary artefacts across the enterprise.
 Transferring affected systems back into production once restored and confirmed to meet the
security baseline.


Module 4B6: Post-incident Review Practices


Introduction

• Understanding the purpose and structure of post-incident reviews and follow-up procedures
allows the information security manager to improve the security programme on a continuous
basis.

• A consistent methodology must be adopted within the information security organisation so that
when a problem is discovered, an action plan is developed to decrease or mitigate it.

• The follow-up process is the most valuable part of the incident response effort. After the
business has successfully recovered, activities may include, but are not limited to, the following:

• Incident documentation
• Stakeholder feedback and review
• Completing the report for senior management
• Identifying changes required
• Identifying process issues
• Updating procedures as required


Identifying Causes and Corrective Actions

• Security incidents can be the result of internally or externally initiated attacks, or of failures in
the security controls that have been implemented. An incident review team should be appointed
by the information security manager for a systematic review of security incidents.

• The root cause of numerous incidents, such as system compromises, is nonexistent or weak
vulnerability assessment and patch management efforts.

• The purpose of the examination should be to answer the following questions:

 Who was involved?
 What occurred?
 Where did the attack originate?
 Why did the attack happen?
 What was the time frame?
 How did the attack happen?
 What was the attacker's motivation?


Documenting Events

• The information security manager should have processes in place to develop a clear record of
events during and after any actual or potential security incident.

• This information will allow the investigation of events and can be given to a forensics team or
the authorities if required.

• To make sure that this record-keeping happens, one or more people must be specifically
charged with incident documentation and evidence preservation.

• Documentation of any event with potential security implications can give clarity on whether an
incident was an accident, a mistake, or a deliberate attack.

• A major incident is usually chaotic. Good documentation is essential for post-incident
investigation and forensics, and it may also be useful in incident resolution.


Establishing Legal Procedures to Assist Post-Incident Activities
• Creating a complete incident response plan (IRP) is an essential first step in ensuring an
effective and efficient response to a security incident and to the unavoidable wave of legal and
regulatory issues that follows it.

• A suitable IRP is one that is customised to the enterprise and has been developed, vetted and
tested by key internal stakeholders and legal counsel.

• While it may be easy to pull a standard IRP template from the internet, a check-the-box approach
is not helpful when an incident actually happens. The IRP should:

 Identify a core team of responders who will manage the response.

 Provide a method for documenting the events leading up to and following the discovery of a
compromise.

 Establish an immediate and clear communication plan that covers communications to internal
contacts, third parties, customers, the media and advisors.

 Establish key decision points.
Requirements for Evidence
• The information security manager should understand that any contamination of evidence
following an incident can prevent an enterprise from prosecuting a perpetrator and restrict its
options.

• Disconnecting power from a compromised computer is typically advised in order to preserve as
much data on the hard drive as possible.

• This approach is mainly recommended by law enforcement, based on the risk of the evidence
being compromised.

• Such compromise can happen as a consequence of system swap files overwriting evidence, or of
malware or an intruder removing evidence of the compromise; either way there is a risk of tainting
the evidence.

• One argument against disconnecting power is that sudden power loss, together with the loss of
data held in memory, may result in corruption of critical information on the hard disk.


Legal Aspects of Forensic Evidence
• For evidence to be admissible in legal proceedings, it must have been obtained in a forensically
sound manner and its chain of custody preserved.

• The information security manager in charge of an incident must have established, documented
processes for the acquisition of evidence by properly trained, independent personnel. The following
documents are necessary to preserve legally admissible evidence:

 Chain of custody.
 Checklists for acquisition technicians.
 Exact activity log templates for acquisition technicians.
 An updated case log.
 Signed confidentiality/nondisclosure forms for all technicians involved in retrieving
evidence.
 Investigation report template.
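As an added illustration of the chain-of-custody and integrity requirements above (example code written for this page, not from ISACA or The Knowledge Academy), the following Python ledger records every handover of an evidence item together with a SHA-256 digest taken at acquisition, and flags two of the defects that undermine admissibility: a change of handler with no recorded transfer, and a digest that no longer matches the acquired bytes. The case and item identifiers, handler names, timestamps and the evidence bytes are constructed placeholders.

```python
"""Chain-of-custody ledger with integrity hashing (added example, not course material)."""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from typing import List, Tuple

# Constructed sample "evidence"; a real item would be a disk image, log export, etc.
EVIDENCE = b"constructed sample: exported firewall log, not real data\n"


def sha256_hex(data: bytes) -> str:
    """Digest taken at acquisition and recomputed at every custody step."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str   # ISO-8601 UTC string recorded by the technician at the time of the action
    action: str      # "acquired", "transferred", "analysed" or "stored"
    handler: str     # person holding the item after this action
    location: str    # where the item physically or logically resides
    digest: str      # SHA-256 of the item as re-verified at this step
    note: str = ""


@dataclass
class EvidenceItem:
    case_id: str
    item_id: str
    description: str
    acquisition_digest: str
    custody: List[CustodyEntry] = field(default_factory=list)

    @classmethod
    def acquire(cls, case_id, item_id, description, data, handler, location, timestamp):
        """Open the ledger: the first entry is always the acquisition, with its digest."""
        digest = sha256_hex(data)
        item = cls(case_id, item_id, description, digest)
        item.custody.append(CustodyEntry(timestamp, "acquired", handler, location, digest))
        return item

    def record(self, action, handler, location, data, timestamp, note=""):
        """Append a custody entry; the digest is recomputed from the bytes actually in hand."""
        self.custody.append(
            CustodyEntry(timestamp, action, handler, location, sha256_hex(data), note))

    def integrity_ok(self, data: bytes) -> bool:
        """True if the bytes presented still match what was acquired."""
        return sha256_hex(data) == self.acquisition_digest

    def custody_issues(self) -> List[str]:
        """Return a list of chain-of-custody defects; an empty list means the chain is intact."""
        issues: List[str] = []
        if not self.custody or self.custody[0].action != "acquired":
            return ["ledger does not start with an acquisition entry"]
        for prev, cur in zip(self.custody, self.custody[1:]):
            if cur.timestamp < prev.timestamp:   # same ISO format, so string order is time order
                issues.append(f"out-of-order timestamp at {cur.timestamp}")
            if cur.handler != prev.handler and cur.action != "transferred":
                issues.append(f"handler changed from {prev.handler} to {cur.handler} "
                              "without a recorded transfer")
            if cur.digest != self.acquisition_digest:
                issues.append(f"digest mismatch at {cur.timestamp}: evidence altered or wrong item")
        return issues

    def to_json(self) -> str:
        """Serialised form suitable for the case log or a hand-off to a forensics team."""
        return json.dumps(asdict(self), indent=2)


def build_sample_ledgers() -> Tuple[EvidenceItem, EvidenceItem, EvidenceItem]:
    """Constructed walkthrough: a clean ledger, one with an undocumented handover, one tampered copy."""
    clean = EvidenceItem.acquire("CASE-EXAMPLE-01", "ITEM-01", "disk image (constructed)",
                                 EVIDENCE, "a.smith", "evidence locker A", "2024-01-10T09:00:00Z")
    clean.record("transferred", "b.jones", "forensics lab", EVIDENCE,
                 "2024-01-10T11:30:00Z", "signed over for analysis")
    clean.record("analysed", "b.jones", "forensics lab", EVIDENCE, "2024-01-11T15:00:00Z")
    clean.record("stored", "b.jones", "evidence locker A", EVIDENCE, "2024-01-11T17:00:00Z")

    gapped = EvidenceItem.acquire("CASE-EXAMPLE-01", "ITEM-02", "log export (constructed)",
                                  EVIDENCE, "a.smith", "evidence locker A", "2024-01-10T09:05:00Z")
    # c.lee works on the item but never signed for it: a custody gap a court would question
    gapped.record("analysed", "c.lee", "forensics lab", EVIDENCE, "2024-01-10T12:00:00Z")

    tampered = EvidenceItem.acquire("CASE-EXAMPLE-01", "ITEM-03", "memory dump (constructed)",
                                    EVIDENCE, "a.smith", "evidence locker A", "2024-01-10T09:10:00Z")
    # the bytes re-verified at analysis differ from those acquired
    tampered.record("analysed", "a.smith", "forensics lab", EVIDENCE + b"edited",
                    "2024-01-10T13:00:00Z")
    return clean, gapped, tampered


if __name__ == "__main__":
    for item in build_sample_ledgers():
        print(item.item_id, item.custody_issues() or "chain intact")
```

The point of recomputing the digest at every step rather than only at acquisition is that the ledger itself then records where in the chain the evidence stopped matching, which is exactly the question counsel will ask when admissibility is challenged.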


Congratulations
Congratulations on completing this course!
Contact Us
info@theknowledgeacademy.com

www.theknowledgeacademy.com/tickets

https://uk.trustpilot.com/review/theknowledgeacademy.com
