Uploaded on Apr 25, 2021
The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives and what countermeasures to take in reducing risk to an acceptable level.
                     PART 3 – CISA Domain 2 – Governance and Management of IT
                     www.infosectrain.com
InfosecTrain
About Us
InfosecTrain is one of the finest Security and Technology Training and Consulting organizations, focusing on a range of IT Security Trainings and Information Security Services. InfosecTrain was established in the year 2016 by a team of experienced and enthusiastic professionals who have more than 15 years of industry experience. We provide professional training, certification & consulting services related to all areas of Information Technology and Cyber Security.
• What is Risk Management?
• What are the steps involved in the Risk Management process?
• What is Human Resource Management?
• What are the Sourcing Practices?
7. Risk Management:
• The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives and what countermeasures to take in reducing risk to an acceptable level.
• Encompasses identifying, analyzing, evaluating, treating, monitoring and communicating the impact of risk on IT processes.
• The Board may choose to treat the risk in any of the following ways:
1. Avoid—Eliminate the risk by eliminating the cause
2. Mitigate—Lessen the probability or impact of the risk by defining, implementing and monitoring appropriate controls
3. Share/Transfer (deflect, or allocate)—Share risk with partners or transfer via insurance coverage, contractual agreement or other means
4. Accept—Formally acknowledge the existence of the risk and monitor it.
Points to remember: The best way to assess IT risk is by evaluating threats associated with existing IT assets and IT projects.
• The steps of the Risk Management process involve:
Step – 1: Asset identification – Examples: Information, Data, Software, Hardware, documents, personnel.
Step – 2: Evaluation of threats and vulnerabilities:
1. Threat – A threat is a person or event that has the potential for impacting a valuable resource in a negative manner. Common causes of threats are:
• Errors
• Malicious damage/attack
• Fraud
• Theft
• Equipment/software failure
2. Vulnerability – Vulnerabilities refer to weaknesses in a system. They make threat outcomes possible and potentially even more dangerous. Examples are:
• Lack of user knowledge
• Lack of security functionality
• Inadequate user awareness/education (e.g., poor choice of passwords)
• Untested technology
• Transmission of unprotected communications
• Step 3 – Evaluation of the impact – The result of a threat agent exploiting a vulnerability is called an impact.
• In commercial organizations, threats usually result in
1. a direct financial loss in the short term or
2. an ultimate (indirect) financial loss in the long term
Examples of such losses include:
• Direct loss of money (cash or credit)
• Breach of legislation (e.g., unauthorized disclosure)
• Loss of reputation/goodwill
• Endangering of staff or customers
• Breach of confidence
• Loss of business opportunity
• Reduction in operational efficiency/performance
• Interruption of business activity
• Step 4 – Calculation of Risk – A common method of combining the elements is to calculate for each threat: probability of occurrence × magnitude of impact. This will give a measure of overall risk.
• Step 5 – Evaluation of and response to Risk – After risk has been identified, existing controls can be evaluated or new controls designed to reduce the vulnerabilities to an acceptable level.
• These controls are referred to as countermeasures or safeguards and include actions, devices, procedures or techniques.
• Residual risk, the remaining level of risk after controls have been applied, can be used by management to further reduce risk by identifying those areas in which more control is required.
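As an added example that is not part of the slides, the following Python risk register carries Steps 4 and 5 through for a few constructed threats: it computes probability × magnitude of impact per threat, applies an assumed effectiveness for each countermeasure to obtain residual risk, and lists the areas in which more control is required against a constructed acceptable risk level. The 1–5 scales, the threats and the effectiveness values are all assumptions for illustration.

```python
# Added example (not from the InfosecTrain slides): a small risk register that
# applies Step 4 (risk = probability of occurrence x magnitude of impact) and
# Step 5 (evaluate controls, compute residual risk, flag where more control is
# required). Scales, threats and control effectiveness values are constructed.
from dataclasses import dataclass, field

ACCEPTABLE_RISK = 6  # constructed risk appetite on a 1-25 scale (1-5 x 1-5)

@dataclass
class Risk:
    asset: str           # Step 1: asset identification
    threat: str          # Step 2: threat (person or event)
    vulnerability: str   # Step 2: weakness the threat can exploit
    probability: int     # 1 (rare) .. 5 (almost certain)
    impact: int          # Step 3: 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)  # (name, effectiveness 0.0-1.0)

    def inherent_risk(self) -> int:
        """Step 4: probability of occurrence x magnitude of impact."""
        return self.probability * self.impact

    def residual_risk(self) -> float:
        """Step 5: risk remaining after each countermeasure removes its share."""
        remaining = float(self.inherent_risk())
        for _name, effectiveness in self.controls:
            remaining *= 1.0 - effectiveness
        return round(remaining, 2)

    def treatment(self, appetite: int = ACCEPTABLE_RISK) -> str:
        """Accept within appetite; otherwise management must add control."""
        return "accept" if self.residual_risk() <= appetite else "more control required"

def build_register() -> list:
    """Constructed sample register; real values come from the assessment."""
    return [
        Risk("customer database", "malicious attack", "unpatched server", 4, 5,
             controls=[("patch management", 0.5), ("network segmentation", 0.4)]),
        Risk("payroll system", "fraud", "no segregation of duties", 3, 4,
             controls=[("mandatory leave", 0.3)]),
        Risk("laptop fleet", "theft", "unencrypted disks", 2, 3),
    ]

def needs_more_control(register: list, appetite: int = ACCEPTABLE_RISK) -> list:
    """Areas in which more control is required, highest residual risk first."""
    above = [r for r in register if r.residual_risk() > appetite]
    return sorted(above, key=lambda r: r.residual_risk(), reverse=True)

if __name__ == "__main__":
    for r in build_register():
        print(r.asset, r.inherent_risk(), r.residual_risk(), r.treatment())
```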
8. Human Resource Management:
• In the hiring process, the first step before hiring a candidate is background checks (e.g., criminal, financial, professional, references, qualifications).
• A required vacation (holiday) ensures that once a year, at a minimum, someone other than the regular employee will perform a job function. This reduces the opportunity to commit improper or illegal acts. During this time, it may be possible to discover fraudulent activity as long as there has been no collusion between employees to cover possible discrepancies (mandatory leave is a control measure).
• Job rotation provides an additional control (to reduce the risk of fraudulent or malicious acts) because the same individual does not perform the same tasks all the time. This provides an opportunity for an individual other than the regularly assigned person to perform the job and notice possible irregularities.
• Termination policies should be structured to provide adequate protection for the organization’s computer assets and data. The following control procedures should be applied:
• Return of all devices, access keys, ID cards and badges
• Deletion/revocation of assigned logon IDs and passwords
• Notification to appropriate staff and security personnel regarding the employee’s status change to 
“terminated”
• Arrangement of the final pay routines
• Performance of a termination interview
Points to remember:
• The CISA candidate should be aware of the above process – from hiring to termination. ISACA tests the knowledge at each step – on what the enterprise should/should not do.
• The employees should be aware of the enterprise IS policy. If not, the lack of knowledge would lead to unintentional disclosure of sensitive information.
• When an employee is terminated, the immediate action/most important action/first step that the enterprise should take is – disable the employee’s logical access and communicate the termination of the employee.
9. Sourcing Practices:
• Delivery of IT functions can include:
• Insourced – Fully performed by the organization’s staff
• Outsourced – Fully performed by the vendor’s staff
• Hybrid – Performed by a mix of the organization’s and vendor’s staffs; can include joint 
ventures/supplemental staff
• IT functions can be performed across the globe, taking advantage of time zones and arbitraging labor rates, and can include:
• Onsite – Staff work onsite in the IT department.
• Offsite – Also known as nearshore, staff work at a remote location in the same geographic region.
• Offshore – Staff work at a remote location in a different geographic region.
• Objective of outsourcing – to achieve lasting, meaningful improvement in business processes and services through corporate restructuring to take advantage of a vendor’s core competencies.
• The management should consider the following areas for moving IT functions offsite or offshore:
• Legal, regulatory and tax issues
• Continuity of operations
• Personnel
• Telecommunication issues
• Cross-border and cross-cultural issues
Points to remember:
• The most important function of IS management in outsourcing practices is – monitoring the outsourcing provider’s performance.
• The enterprise cannot outsource the accountability for IT security policy. The accountability always lies with the senior management/Board of directors.
• When the outsourcing service is provided in another country, the major concern for the IS auditor is – the legal jurisdiction can be questioned.
• The clause in an outsourcing contract that can help in improving the service levels and minimize the costs is – Gain-sharing performance bonuses.