PART 3 – CISA Domain 2 – Governance and Management of IT


Infosectrai01

Uploaded on Apr 25, 2021

Category Education

The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives and what countermeasures to take in reducing risk to an acceptable level.


Topics covered in this part:
• What is Risk Management?
• What are the steps involved in the Risk Management process?
• What is Human Resource Management?
• What are the Sourcing Practices?

7. Risk Management

Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures to take to reduce risk to an acceptable level. It encompasses identifying, analyzing, evaluating, treating, monitoring and communicating the impact of risk on IT processes.

The Board may choose to treat a risk in any of the following ways:
1. Avoid – Eliminate the risk by eliminating the cause.
2. Mitigate – Lessen the probability or impact of the risk by defining, implementing and monitoring appropriate controls.
3. Share/Transfer (deflect, or allocate) – Share the risk with partners or transfer it via insurance coverage, contractual agreement or other means.
4. Accept – Formally acknowledge the existence of the risk and monitor it.

Points to remember:
• The best way to assess IT risk is to evaluate the threats associated with existing IT assets and IT projects.

The steps of the Risk Management process are:

Step 1 – Asset identification. Examples: information, data, software, hardware, documents, personnel.

Step 2 – Evaluation of threats and vulnerabilities.
1. Threat – A threat is a person or event that has the potential for impacting a valuable resource in a negative manner. Common classes of threats are:
• Errors
• Malicious damage/attack
• Fraud
• Theft
• Equipment/software failure
2. Vulnerability – A vulnerability is a weakness in a system. Vulnerabilities make threat outcomes possible and potentially even more dangerous. Examples are:
• Lack of user knowledge
• Lack of security functionality
• Inadequate user awareness/education (e.g., poor choice of passwords)
• Untested technology
• Transmission of unprotected communications

Step 3 – Evaluation of the impact. The result of a threat agent exploiting a vulnerability is called an impact. In commercial organizations, threats usually result in:
1. a direct financial loss in the short term, or
2. an ultimate (indirect) financial loss in the long term.
Examples of such losses include:
• Direct loss of money (cash or credit)
• Breach of legislation (e.g., unauthorized disclosure)
• Loss of reputation/goodwill
• Endangering of staff or customers
• Breach of confidence
• Loss of business opportunity
• Reduction in operational efficiency/performance
• Interruption of business activity

Step 4 – Calculation of risk. A common method of combining the elements is to calculate, for each threat: probability of occurrence × magnitude of impact. This gives a measure of overall risk.

Step 5 – Evaluation of and response to risk. After risk has been identified, existing controls can be evaluated or new controls designed to reduce the vulnerabilities to an acceptable level.
• These controls are referred to as countermeasures or safeguards and include actions, devices, procedures or techniques.
• Residual risk, the remaining level of risk after controls have been applied, can be used by management to further reduce risk by identifying those areas in which more control is required.

8. Human Resource Management

Hiring: the first step before hiring a candidate is background checks (e.g., criminal, financial, professional, references, qualifications).

A required vacation (holiday) ensures that at least once a year someone other than the regular employee performs a job function. This reduces the opportunity to commit improper or illegal acts. During this time it may be possible to discover fraudulent activity, as long as there has been no collusion between employees to cover possible discrepancies. (Mandatory leave is a control measure.)

Job rotation provides an additional control (to reduce the risk of fraudulent or malicious acts) because the same individual does not perform the same tasks all the time.
This provides an opportunity for an individual other than the regularly assigned person to perform the job and notice possible irregularities.

Termination: termination policies should be structured to provide adequate protection for the organization's computer assets and data. The following control procedures should be applied:
• Return of all devices, access keys, ID cards and badges
• Deletion/revocation of assigned logon IDs and passwords
• Notification to appropriate staff and security personnel regarding the employee's status change to "terminated"
• Arrangement of the final pay routines
• Performance of a termination interview

Points to remember:
• The CISA candidate should be aware of the above process, from hiring to termination. ISACA tests the knowledge at each step: what the enterprise should and should not do.
• Employees should be aware of the enterprise IS policy. If not, the lack of knowledge could lead to unintentional disclosure of sensitive information.
• When an employee is terminated, the immediate action/most important action/first step the enterprise should take is to disable the employee's logical access and communicate the termination of the employee.

9. Sourcing Practices

Delivery of IT functions can include:
• Insourced – Fully performed by the organization's staff
• Outsourced – Fully performed by the vendor's staff
• Hybrid – Performed by a mix of the organization's and vendor's staff; can include joint ventures/supplemental staff

IT functions can be performed across the globe, taking advantage of time zones and arbitraging labor rates, and can include:
• Onsite – Staff work onsite in the IT department.
• Offsite – Also known as nearshore; staff work at a remote location in the same geographic region.
• Offshore – Staff work at a remote location in a different geographic region.

Objective of outsourcing: to achieve lasting, meaningful improvement in business processes and services through corporate restructuring to take advantage of a vendor's core competencies.

Management should consider the following areas before moving IT functions offsite or offshore:
• Legal, regulatory and tax issues
• Continuity of operations
• Personnel
• Telecommunication issues
• Cross-border and cross-cultural issues

Points to remember:
• The most important function of IS management in outsourcing practices is monitoring the outsourcing provider's performance.
• The enterprise cannot outsource accountability for IT security policy. Accountability always lies with senior management/the Board of directors.
• When the outsourcing service is provided in another country, the major concern for the IS auditor is that the legal jurisdiction can be questioned.
• The clause in an outsourcing contract that can help improve service levels and minimize costs is gain-sharing performance bonuses.
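The Risk Management steps from section 7 (asset/threat/vulnerability rows, risk = probability of occurrence × magnitude of impact, the four treatment options, and residual risk compared against an acceptable level) as a small worked risk register. This is an added illustration, not code from the InfosecTrain deck; the register rows, the acceptable-level value and the "control_effect" model of how a control lowers probability or how insurance absorbs impact are assumptions.

```python
from dataclasses import dataclass

# One register row = one asset / threat / vulnerability pairing (Steps 1 and 2).
@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    probability: float            # likelihood of occurrence per year (0..1)
    impact: float                 # magnitude of impact, here in currency units (Step 3)
    treatment: str = "accept"     # avoid | mitigate | transfer | accept
    control_effect: float = 0.0   # assumed: fraction removed by the control/insurance (0..1)

    def inherent_risk(self) -> float:
        # Step 4: probability of occurrence x magnitude of impact
        return self.probability * self.impact

    def residual_risk(self) -> float:
        # Step 5: the level of risk remaining after the chosen treatment is applied
        if self.treatment == "avoid":      # cause eliminated, nothing remains
            return 0.0
        if self.treatment == "mitigate":   # controls lessen the probability
            return self.probability * (1 - self.control_effect) * self.impact
        if self.treatment == "transfer":   # insurance/contract absorbs part of the impact
            return self.probability * self.impact * (1 - self.control_effect)
        if self.treatment == "accept":     # acknowledged and monitored, unchanged
            return self.inherent_risk()
        raise ValueError(f"unknown treatment: {self.treatment}")

def needs_more_control(register: list[Risk], acceptable_level: float) -> list[Risk]:
    """Rows whose residual risk still exceeds the acceptable level, worst first."""
    over = [r for r in register if r.residual_risk() > acceptable_level]
    return sorted(over, key=lambda r: r.residual_risk(), reverse=True)

# Constructed sample register: illustrative values, not from any real assessment.
SAMPLE_REGISTER = [
    Risk("customer database", "theft", "lack of security functionality", 0.20, 500_000, "mitigate", 0.75),
    Risk("payroll system", "fraud", "no job rotation or mandatory leave", 0.10, 200_000, "accept"),
    Risk("office laptops", "equipment failure", "untested technology", 0.50, 40_000, "transfer", 0.90),
    Risk("legacy FTP server", "malicious attack", "unprotected communications", 0.60, 100_000, "avoid"),
]
ACCEPTABLE_LEVEL = 15_000   # assumed acceptable level of risk set by management

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.asset:18} {r.treatment:9} inherent={r.inherent_risk():>9,.0f} residual={r.residual_risk():>9,.0f}")
    print("needs more control:", [r.asset for r in needs_more_control(SAMPLE_REGISTER, ACCEPTABLE_LEVEL)])
```

The two rows left over the acceptable level are exactly the areas where the page says management should look for more control; an accepted risk that sits above the threshold is a signal to revisit the treatment decision.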