CISM_Global_Webinar-June_2009
Presenting

Live From New York City
Global Webinar CISM Exam Refresher Class Spring 2009

CISM Exam Refresher Class
Spring 2009 Instructor

Jay Ranade
CISA, CISSP, CISM, CBCP New York City

Assisting Jay today will be: Felix Ramirez

Instructor Introduction
Jay, a certified CISA, CISM, CISSP, and CBCP, is an internationally renowned expert on computers, communications, disaster recovery, IT security, and IT controls. He has written and published more than 35 IT-related books on subjects ranging from networks, security, operating systems, and languages to systems. He also has an imprint with McGraw-Hill of more than 300 books called the “Jay Ranade Series”. He has written and published articles for computer magazines such as Byte, LAN Magazine, and Enterprise Systems Journal. The New York Times critically acclaimed his book “Best of Byte”. His books have been translated into Mandarin, Korean, Spanish, Japanese, Portuguese, and German. Jay has consulted and worked for Global and Fortune 500 companies in the US and abroad, including American International Group, Time Life, Merrill Lynch, Dreyfus/Mellon Bank, Johnson and Johnson, Unisys, McGraw-Hill, Mobiltel Bulgaria, and Credit Suisse. He was a member of ISACA International's Publications Committee for 2005-2007. He teaches exam preparation classes globally for CISA, CISM, CISSP, CBCP, CGEIT, and CIA. He also teaches graduate-level classes on Information Security Management and Ethical Risk Management at New York University and IT Auditing at St. John’s University. Jay is Director of Education for TechnoDyne University, the premier educational institution in certification-related and GRC-related education. He is a four-time world champion in arm wrestling and a two-time world champion (2002 and 2003) in martial arts breaking. He has appeared on ESPN and ESPN2 numerous times.

© technodyne

www.riebeeckstevens.com www.technodyneuniversity.com

6/1/2009 Slide 3

Instructor Information

• Contact information
– JAYRANADE@technodyne.net – USA +1-917-971-9786

• TechnoDyne University
502 Valley Road, Suite 103 Wayne, NJ 07470 USA


Welcome to all
• Global participation from every time zone
• All continents represented
• Registrations from 34 plus countries
• Questions can be sent at any time
• Consolidated answers would be sent to all participants who participate in the review at the end of the seminar

Format of the Seminar
• 2 presentations of 85 minutes each with a 5 minute break
• 88 key concepts of the CBK in CISM questions (derived from 605 axioms)
• 11 types of questions in the exam
• 24 final suggestions before and during the exam

What we expect from you
• That you have done exam preparation. This 3 hour seminar is to enhance your knowledge, not to teach you from scratch
• That you have studied prior to today’s class. Usually, candidates spend 200 plus hours on CISM exam studies, in addition to attending a 30-40 hour seminar from an expert instructor
• That you have an IT, controls and security background


Purpose of this seminar
• To give a last boost of knowledge to push your score beyond 75 percent, the minimum requirement for the CISM exam
• Discuss those topics which are most often misunderstood by CISM exam candidates
• Discuss techniques to answer questions
• Material derived from Jay Ranade’s 605 one-line memory aids for the CISM exam called “Axioms”

Remember
• It is a global exam; don’t apply your own shop knowledge
• If you are a CISSP, remember that CISM is more from management’s perspective, although knowledge of technology is required
• Each question has a stem and 4 possible answers. Usually 2 of the answers can be thrown out
• There is only one correct answer

Remember
• Preventive controls take preference over detective controls
• Think from the business perspective, not the IT perspective
• CISM exam questions which were correct in the past may be incorrect now
– Don’t use old manuals, axioms, or Q/A CDs
– Examples: OS patches, WEP vs. WPA wireless security, biometrics hand geometry

Information Security Governance (46 questions in the exam)


Information Security Governance
• One of the responsibilities of the Information Security Governance Steering Committee is to prioritize information security projects and initiatives
• Data custodians (aka security administrators) are responsible for enforcing access rights to the data by individuals and applications. However, data owners are responsible for approving such rights
• The primary purpose of creating an information security policy is to support the business objectives of the organization
• More or less, policies and standards are usually fairly static. However, procedures are more likely to change as new versions of software and hardware are released


Information Security Governance
• One of the qualifications of a CISO should be the ability to understand an organization’s business needs and enable security technologies to support those needs. An organization’s security must be aligned with that organization’s business requirements
• A CISO should preferably report to the CEO of the organization. Reporting only to the CIO or CTO could be a potential issue if security goals are compromised due to conflicting infrastructure goals
• One of the important pieces of information that should be included in the information security strategic plan is documentation of the current state and the target state in the future. If you do not know where you are going, any road will take you there ;)


Information Security Governance
• Usually, there are regulatory requirements for retention of certain records for a certain period of time. The most important factor in planning to meet such requirements is changes in application systems and media which can render the records unreadable or inaccessible
• An information security manager will be well prepared for regulatory and internal audit reviews if he/she does periodic control assessments to detect any control weakness and requirement for remediation
• A global organization has to deal with regulatory requirements from multiple governments in different countries. The best way to deal with this is to establish baseline standards for all and then add supplemental standards for each country if required
• Information Security is not the same thing as IT Security

Information Security Governance
• Information security exists to help the organization meet its business objectives. The CISO should establish security metrics to measure the success of the security program. What cannot be measured cannot be improved
• The CISO does not approve information security policies; it is management that approves them
• Management is ultimately responsible for information security

Information Risk Management (44 questions in the exam)


Information Risk Management
• RTO is the main deliverable of the BIA
• A threat exploits a vulnerability to cause damage to assets, which creates a risk to the business process. Controls are put in place to mitigate such risk
• Information security risk analysis gives the risk factor. You implement controls to mitigate such risks and bring the risk to an acceptable level. Only senior business management (not IT management or the CISO) can determine what the acceptable residual risk level is

Information Risk Management
• Risk can only be mitigated. Complete elimination of risk is not possible
• After controls have brought the risk to an acceptable level, residual risk can be accepted, transferred, or ignored
• Process owners have the most intimate knowledge of the business and associated risks and controls. So, they are very suitable for doing risk and control self assessment (RCSA)
• Quantitative (aka objective) risk analysis can be done only if you can put a hard money value on the resulting loss


Information Risk Management
• Quantitative (objective) risk analysis puts a hard money value on the risk, while qualitative (subjective) risk analysis does not
• Only data owners can determine the requirements for RPO
• Data replication reduces RPO, not RTO. Some critical business processes require an RPO of zero
• The purpose of using risk management techniques is to maximize the ROI of limited resources for mitigation of risk


Information Risk Management
• In risk analysis, you cannot and should not ignore the value of assets. You cannot assume that all assets should be treated equally. Loss of each asset has a different impact on the business processes. It means different assets have different risk factors
• Risk acceptance is a component of risk mitigation
• In IT, most of the risk assessment done is qualitative in nature (for lack of historical data on frequency of threats); therefore you cannot effectively do cost-benefit analysis of controls
• Eliminating inherent risk is impossible
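The Information Risk Management slides above make four connected points: quantitative analysis attaches a money value to risk, controls bring it down to a residual level that only senior business management can declare acceptable, assets of different value carry different risk, and a qualitative rating cannot feed a cost-benefit comparison. The script below is an added worked example of those points and is not material from the deck. It uses the standard annualized-loss model (ALE = SLE × ARO), which the slides do not name, and every asset, threat-frequency and control figure in it is constructed.

```python
"""Quantitative vs. qualitative risk analysis, added as an example of the
risk management slides; not from the deck. The ALE = SLE x ARO model is a
standard one the slides do not name, and all figures below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # hard money value of the asset (currency units)
    exposure_factor: float  # fraction of the value lost in one incident, 0..1


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_after: float        # annual rate of occurrence once the control is in place


def single_loss_expectancy(asset: Asset) -> float:
    """SLE: money lost per incident."""
    return asset.value * asset.exposure_factor


def annualized_loss_expectancy(asset: Asset, aro: float) -> float:
    """ALE: expected loss per year for an annual rate of occurrence (ARO)."""
    return single_loss_expectancy(asset) * aro


def control_net_benefit(asset: Asset, aro_before: float, control: Control) -> float:
    """Loss avoided per year minus the control's running cost. Positive means
    the control pays for itself; the comparison is only possible because every
    term carries a money value, which is the quantitative method's advantage."""
    avoided = (annualized_loss_expectancy(asset, aro_before)
               - annualized_loss_expectancy(asset, control.aro_after))
    return avoided - control.annual_cost


def residual_risk_decision(residual_ale: float, acceptable_ale: float) -> str:
    """acceptable_ale is the level senior business management signed off on;
    the CISO measures against it rather than setting it."""
    if residual_ale <= acceptable_ale:
        return "accept residual risk"
    return "mitigate further, transfer, or escalate to management"


def rank_by_ale(assets_and_aro: List[Tuple[Asset, float]]) -> List[str]:
    """Quantitative prioritisation: highest expected yearly loss first, so
    assets are not treated as equal."""
    ranked = sorted(assets_and_aro,
                    key=lambda pair: annualized_loss_expectancy(*pair),
                    reverse=True)
    return [asset.name for asset, _ in ranked]


# Qualitative analysis works on ordinal scales; no currency figure comes out.
_LEVEL: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Likelihood x impact matrix. The result ranks risks against each other
    but cannot be subtracted from a control's cost: that is the gap the slide
    points out when most IT assessments are qualitative."""
    score = _LEVEL[likelihood] * _LEVEL[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


if __name__ == "__main__":
    # Constructed figures: a customer database worth 200,000 that loses a
    # quarter of its value per breach, breached once per ten years on average.
    db = Asset("customer database", 200_000.0, 0.25)
    dlp = Control("data loss prevention gateway", 1_500.0, 0.02)
    print("SLE:", single_loss_expectancy(db))
    print("ALE before control:", annualized_loss_expectancy(db, 0.10))
    print("net benefit of control:", control_net_benefit(db, 0.10, dlp))
    residual = annualized_loss_expectancy(db, dlp.aro_after)
    print("decision:", residual_risk_decision(residual, 1_200.0))
    print("qualitative rating:", qualitative_rating("high", "medium"))
```

Run with the constructed figures, the control avoids 4,000 of expected yearly loss for 1,500 of cost, so it is worth buying, and the residual 1,000 sits under the 1,200 that management accepted; the qualitative path can only say "high", which is why the slide warns that cost-benefit analysis of controls is not effective there.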

Information Risk Management
• Risk management is an ongoing process. Risks change constantly. Risk assessment should be performed annually or if a significant change has occurred (e.g. merger, acquisition, major change in assets, etc.)
• The purpose of NAT (network address translation) is translation of an Internet Protocol address (IP address) used within one network to a different IP address known within another network. The purpose is not to let anyone outside the internal network know the origin of the message
• Background checks on temporary employees or consultants reduce the risk of an internal attack being launched
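The NAT bullet above defines the mechanism in one sentence; the simulation below, an added example that is not from the deck, shows what a stateful translator actually keeps and why the remote host never sees the private origin. The private (192.168.x.x) and public (documentation-range) addresses and the port numbers are constructed; the drop-unsolicited behaviour on the inbound side is the typical behaviour of a stateful translator and is assumed here rather than stated on the slide.

```python
"""Stateful network address translation, added to illustrate the NAT
definition on the slide; not from the deck. Outbound packets leave with the
translator's public address and a freshly allocated port, the mapping is
recorded, and a reply is delivered only if it matches a recorded mapping.
Addresses and ports are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        # (private ip, private port, dst ip, dst port) -> allocated public port
        self._flows: Dict[Tuple[str, int, str, int], int] = {}
        # allocated public port -> (private ip, private port)
        self._return: Dict[int, Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source so the remote host sees only the public address.
        The same internal flow always gets the same public port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._flows.get(key)
        if port is None:                       # first packet of this flow
            port = self._next_port
            self._next_port += 1
            self._flows[key] = port
            self._return[port] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the internal host. None means the packet is
        dropped: nothing addressed to a private host directly, and nothing for
        a public port that no internal flow allocated, gets through."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self._return.get(pkt.dst_port)
        if target is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1])


if __name__ == "__main__":
    nat = Nat("203.0.113.10")
    out = nat.outbound(Packet("192.168.1.20", 51000, "198.51.100.5", 443))
    print("as seen by the web server:", out)
    reply = nat.inbound(Packet("198.51.100.5", 443, "203.0.113.10", out.src_port))
    print("delivered internally as:", reply)
    print("unsolicited packet:", nat.inbound(Packet("198.51.100.9", 22, "203.0.113.10", 40001)))
```

The remote side only ever learns 203.0.113.10 and a port the translator chose, which is the "origin is not known outside" property the slide describes; the translation table is the state that makes replies routable at all.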


Information Security Program Development (34 questions in the exam)


Information Security Program Development
• Screened subnets are DMZs which prevent external attacks on an internal network
• Security patches should not be applied when a critical application needs to be run, such as month-end, quarter-end, or year-end closing or processing
• Phishing uses social engineering techniques and exploits human vulnerability. Awareness training is the only way to mitigate phishing attacks
• A mail server (relay) should be in a DMZ

Information Security Program Development
• When a mobile user has the requirement to log in to the organization’s network via the Internet, two-factor authentication is a must for security reasons
• Two-factor authentication combines two of the following factors: what you know (e.g. password), what you have (e.g. physical token), and what you are (e.g. biometric)
• Firewalls are installed on hardened servers where a minimum number of services is enabled
• After a successful security awareness training, reported incidents increase, and that shows the success of the awareness training program. It means that the staff is paying attention to security


Information Security Program Development
• Digital signatures are used for authenticity and non-repudiation
• If an IDS is not properly tuned, it will either give too many false positives or fail to recognize a true intrusion
• Business process owners understand specific business risks better than others. Therefore they should be involved in the evaluation and management of IS security risks
• The balanced scorecard is a method used to help corporate governance measure the attainment of goals. It is done by establishing CSFs. Establishing KPIs is a prerequisite for the balanced scorecard

Information Security Program Development
• A signed employee statement that he/she has read and understood the security policies and procedures just indicates that the employee has taken responsibility, but it is not indicative of comprehension thereof
• Change management process controls ensure that unintended changes do not get introduced into an environment. It is achieved by separation of duties (e.g. a programmer cannot put the program in production) and placing due change management processes in place
• Predetermined or preset automatic expiration dates must be established when issuing a login ID to a contractor, consultant, or temporary worker


Information Security Program Management (48 questions in the exam)


Information Security Program Management
• The best way to make sure that your corporate network is safe from external threats/hackers is to perform penetration testing. Penetration testing ensures perimeter security
• If passwords are sent over the internal network in an unencrypted format, they can be captured using a sniffer
• Establishment of security steering committees is very important in ensuring that management is committed to the security program and has taken leadership ownership of it

Information Security Program Management
• After a number of infrastructure changes have taken place, it is a good idea to perform penetration tests to identify any security holes and exposures
• There is a possibility that a patch which is received through email is not from an authentic source. One must validate the authenticity before it is put to use
• Data owners’ approvals are not required as frequently when role-based access controls are implemented
• Standards (which are always mandatory) provide the link between high-level policy statements and detailed procedures

Information Security Program Management
• The best way to determine if security policies are being followed is to perform periodic reviews for compliance
• Steering committees usually have IT management and business process owners as their members
• A system administrator has enormous control over corporate data and systems. The security manager should ensure that contract personnel do not work in a system administrator’s role because they could use it to grant themselves access to sensitive files
• Security professionals implement controls. Internal auditors test the presence and efficacy of those controls

Information Security Program Management
• Digital signatures provide non-repudiation, authenticity, and integrity
• A signature-based IDS cannot detect new attack methods for which signatures have not been created
• Periodic performance of penetration testing ensures that firewall rules and settings are adequate
• Security staff should not be forewarned about penetration tests. Their ability to detect penetration attempts without being informed is very important

Information Security Program Management
• If a user-managed IT environment is not following the corporate security policies and standards, an impact analysis must be performed to determine risk exposure
• The number of security-related complaints to the help desk rises after a successful security awareness training program
• During a third-party penetration test, it would not be proper to alert those who monitor such intrusions. However, management must know about it
• Periodic security reviews of consultants must be performed to ensure that they comply with the organization’s security policies

Incident Management and Response (28 questions in the exam)


Incident Management and Response
• To ensure a successful DR test, it is important that materials from off-site storage or the DR site ONLY are used to conduct the test. In a real disaster, you will not have access to or availability of materials from the primary site
• The CIRT manual should include ranking criteria to determine the severity of an incident. It is the primary purpose of a CIRT document
• Five important components of DR are: personnel, data, computing equipment, facility, and network connectivity
• The BIA includes the incremental daily cost of losing systems and processes. The result of the BIA is RTOs for different business processes in case of an incident

Incident Management and Response
• Hackers usually footprint the network perimeter before launching an attack. When a security manager is informed that this is taking place, instructions should be given to check and monitor the IDS logs for any active attacks and continue monitoring the situation
• If an organization finds out that an attack on the network is in progress, and business demands do not allow the company to close network access entry points, the best strategy is to isolate the affected network segment. This is a preventive control. Logs can be analyzed later to detect the vulnerabilities
• Reciprocal agreements cannot be enforced. The most common cause of failure of reciprocal agreements is that hardware and software become incompatible over time

Incident Management and Response
• If the RPO is low or almost zero due to the criticality of the business (trading system, Internet-based ordering site, etc.), a mirrored site is the best choice for the DRP
• In a forensic investigation, chain of custody of evidence is very important. Chain of custody must be identifiable to a single individual or group of individuals with compensating controls
• One of the important determining factors in establishing a BCP is to find out the incremental cost to the business resulting from unavailability of the system. This sets up the RTOs for the business processes
• Unavailability of backup data makes the other recovery components (servers, network, facility) useless


Incident Management and Response
• In a zero-day virus attack carried by a file attachment whose file format (e.g. .gif) is known but for which anti-virus signatures are not yet available, the best strategy is to block such emails
• Response and recovery plans that have not been tested present organizations with an elevated risk that the plans may not work
• Organizations that have already outsourced their information technology operations may benefit from close integration if incident management is to be outsourced to the same vendor
• If a DR test is conducted at a vendor’s hot site, where the organization’s production files were loaded and tested, one must ensure BEFORE leaving that all the data has been deleted AND erased


11 Types of Questions


Types of Questions
• Questions to test knowledge
– Example: What is RTO and RPO
– They usually are straightforward

• Questions where two answers are very similar
– Usually one answer is a subset of the other

• Questions on controls
– All 4 choices look fine
– But the preventive control prevails amongst the choices


Types of Questions
• Question stem has too much superfluous information
– You do not need all the information to answer the question

• Case study questions
– Case study followed by 2 to 4 questions
– Do not get intimidated; they are the easiest to answer

Types of Questions
• Questions of practical knowledge
– You have to have practical experience
– Example: Use of guards outside the data center

• Questions requiring mathematical formulas
– Example: How many symmetric keys are required by 6 people (one key per pair of people)? Answer: 15
– Formula: (N x (N-1))/2

• Technical definition
– The stem gives a definition and asks you what is being defined


Types of Questions
• Dual negative question
– Which of the following is “NOT inappropriate” … means which of the following three are “appropriate”

• Good vs. bad situation
– Example: Which of the following will increase costs of recovery (look for something bad)
– Which of the following will speed up recovery (look for something good)

Types of Questions
• Poorly worded questions
– Poor grammar, wrong punctuation
– Remember that questions are contributed globally


24 Final Suggestions


Do’s and Don’ts
• If you can, choose to take the test in the “English” language
• Best overall vs. amongst choices
• First overall vs. amongst choices
• “Concern” is not always bad
• Highest Priority
• Most Critical
• It is a global profession
• Don’t think of how you do it in your company
• Don’t overeat. Blood rushes to the stomach to digest food while it is needed in your brain to understand the questions ☺
• Get a good night’s sleep the night before (remember it is always a Friday the evening before)

Do’s and Don’ts
• Plan on reaching the examination center at least 2 hours before the exam. Provide for delays due to accidents, traffic jams, a cop stopping you for speeding, etc. ☺
• Don’t get tense or nervous. Tension is a state of mind, not a state of being.
• Even if you think that you know the answer from the first few choices, read all choices anyway.
• You have one hour (60 minutes) for each set of 50 questions.
• Feel free to underline key words on the question sheet (e.g. Best, First, Concern, Highest Priority, etc.)
• Don’t skip answers. You can review them later if you have time. A skipped answer does not give you credit. A guessed answer has a 25 percent probability of being correct. You can put a check mark on guessed answers for speedy identification and review them later if you have time.

Do’s and Don’ts
• Don’t feel discouraged if other candidates are flipping pages faster than you are. Keep your pace. Success depends upon total score, not how fast you flip pages ☺
• Spend all 4 hours even if you finish earlier. Review the answers. Don’t hurry because your friends finished earlier and are waiting outside for you.
• Not many people feel confident after the CISM exam. Don’t let it bother you.
• Don’t plan any activity after the exam. Go home and relax.
• Expect results around the end of July by email. Don’t forget to tell your instructor at jayranade@aol.com how you fared.
• Remember, ISACA has two other certifications called CISA and CGEIT. TechnoDyne University will organize webinars on those in the near future.
• After you are certified, keep enhancing your knowledge as a lifelong passion. Passing CISM is the means, not an end in itself.
• Practice the ISACA code of ethics. Stakeholders around the world depend upon auditors being ethical.


Questions
• We will consolidate and answer pertinent questions
• Additional questions can be emailed to us up to June 2
• Consolidated questions and answers will be emailed soon to all participants who complete the class survey


Thanks
• To Felix Ramirez, Padma Allen, and Reddy Allen for sponsoring this seminar and bearing all the expenses
• Kwongmei To, Director of the New York Chapter, for unselfish dedication to this worthy cause
• Gouri Smitha for helping out with the PowerPoint deck
• Ruchi Verma Gupta for helping me out with IS Security material

Questions
• Contact information
– JAYRANADE@technodyne.net – USA +1-917-971-9786
– Felix.Ramirez@riebeeck.com – USA +1-908-230-4562



				