For newly certified CISAs, the annual and three-year certification period begins on 1 January of the year succeeding certification. Reporting CPE hours attained during the year of certification is not required. However, hours attained between the date of certification and 31 December of that year can be used and reported as hours earned in the initial reporting period.
Handling of Incident
・Preparation
  ・Preparation
  ・Protection
・Identification
  ・Identify the problem
  ・Triage and prioritize
・Containment
  ・Coordinate the response
  ・Mitigate the damage
・Eradication
  ・Investigate the root cause or culprit
・Recovery
  ・Restore to the state defined by the RPO, within the RTO
・Lessons learned
  ・Educate team members about avoiding future problems
Computer Forensics
Acquire a trustworthy image of the attacked system and investigate on the copy. Acquire the image before powering the system off. Chain of custody (management of the analysis process): the procedure followed when collecting and organizing evidence.
Chain of evidence
Chain of custody (management of the analysis process): when collecting and organizing evidence, a very strict and orderly procedure must be followed. Record who, when, where, what and how:
・Location
・Time
・Who discovered the evidence
・Who secured the evidence
・Who controlled the evidence
・Who maintained the evidence
Evidence Life Cycle
・Discovery and recognition
・Protection
・Recording
・Collection
・Identification
  ・Tagging and marking
・Preservation
  ・Protect magnetic media from erasure
  ・Store in a proper environment
・Transportation
・Presentation in a court of law
・Return of evidence to owner
Evidence Admissibility
・Relevant
・Sufficient
・Legally permissible
  ・Obtained in a lawful manner
・Reliable
・Identified
  ・Labeling printouts with permanent markers
  ・OS, hardware, etc.
  ・Serial number
  ・Marking evidence without damaging it
・Preserved
  ・Do not remove power
  ・Back up the hard disk image
  ・Handling magnetic media
    ・Dust- and smoke-free
    ・Temperature and humidity
  ・Write-protect media
  ・One-way hash
  ・Digital signature
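The forensics and admissibility notes above come together in one small piece of code: investigate on a copy, pin the acquired image with a one-way hash, and record who/when/where/what/how for each handling step. The following is an added example written for these notes, not code from the original page; the media bytes, names, serial label and timestamps are constructed sample data.

```python
"""Forensic image integrity and chain-of-custody record.

Added example, not part of the original notes. It applies three points from
the notes: acquire an image and investigate on a copy, fix the image with a
one-way hash, and record who/when/where/what/how for every handling step.
All names, media bytes and timestamps below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


def image_hash(data: bytes) -> str:
    """One-way hash (SHA-256) that pins the content of an acquired image."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    who: str      # person handling the evidence
    when: str     # ISO 8601 UTC timestamp
    where: str    # physical or logical location
    what: str     # action taken: acquired, transported, examined, ...
    how: str      # method used: write blocker, sealed bag, hash check, ...
    sha256: str   # hash of the image at the time of this entry


@dataclass
class EvidenceItem:
    label: str               # marking on the media, e.g. a serial number
    original_sha256: str     # hash taken at acquisition
    chain: list = field(default_factory=list)

    def record(self, who: str, where: str, what: str, how: str,
               data: bytes, when: Optional[str] = None) -> bool:
        """Append a custody entry. Returns False when the hash no longer
        matches the acquisition hash, i.e. the item cannot be shown intact."""
        when = when or datetime.now(timezone.utc).isoformat()
        digest = image_hash(data)
        self.chain.append(CustodyEntry(who, when, where, what, how, digest))
        return digest == self.original_sha256

    def intact(self) -> bool:
        """The item is intact only if every entry carries the acquisition hash."""
        return all(e.sha256 == self.original_sha256 for e in self.chain)


def acquire(label: str, media: bytes, who: str, where: str,
            when: Optional[str] = None) -> EvidenceItem:
    """Acquisition: hash the original media and open the custody chain.
    In practice the bytes come from a write-blocked read of the device;
    here they are passed in directly."""
    item = EvidenceItem(label=label, original_sha256=image_hash(media))
    item.record(who, where, "acquired image", "write blocker, bit-for-bit copy", media, when)
    return item


def verify_working_copy(item: EvidenceItem, copy: bytes) -> bool:
    """Investigation is done on a copy; it is usable only if its hash equals
    the acquisition hash."""
    return image_hash(copy) == item.original_sha256


# Constructed sample "disk image" (not a real image).
SAMPLE_MEDIA = b"\xeb\x52\x90NTFS    " + b"\x00" * 64 + b"constructed evidence contents"

if __name__ == "__main__":
    item = acquire("HDD-SN-CONSTRUCTED-0001", SAMPLE_MEDIA, "analyst A", "evidence room",
                   "2024-01-10T09:00:00+00:00")
    working_copy = bytes(SAMPLE_MEDIA)
    print("working copy usable:", verify_working_copy(item, working_copy))
    item.record("analyst B", "lab", "examined copy", "hash check",
                working_copy, "2024-01-11T14:30:00+00:00")
    print("chain intact:", item.intact(), "entries:", len(item.chain))
```

Every entry carries the hash observed at that step, so a later mismatch shows not just that the evidence changed but after whose handling it changed; that is the property the "who secured / who controlled / who maintained" list is meant to give.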
Type of evidence
・Best - the original; primary evidence
・Secondary - a copy or oral description; somewhat weaker in reliability and strength
・Direct evidence - proves or disproves a specific act through oral testimony; evidence provided by a witness. Proves the fact by itself, without reference to supporting information.
・Conclusive evidence - incontrovertible; decisive evidence that cannot be rebutted or denied
・Opinion evidence - under the opinion rule, a witness giving testimony is required to state only facts
  ・Expert - based on personal expertise and facts
  ・Nonexpert - can testify only to facts
・Circumstantial evidence - proves an intermediate fact; used to infer other facts
・Corroborative evidence - helps to prove an idea or point; of no use on its own
・Hearsay evidence - third party. Oral or written evidence presented in court that is second-hand or may lack accuracy.
4 Types of evidence
・Direct
・Real
・Documentary
・Demonstrative
BCP
The process of making the plans that will ensure that critical business functions can withstand a variety of emergencies: strategies to minimize the effect of disturbances and to allow for the resumption of business processes, reducing the risk of financial loss and enhancing a company's capability to recover from a disruptive event promptly.
4 Prime Elements of BCP
・Scope and Plan Initiation
  ・First step
  ・Project parameter definition
・Business Impact Assessment
  ・Financial (quantitative)
  ・Operational (qualitative)
  ・Vulnerability assessment
  ・Criticality prioritization
  ・Downtime estimation - Maximum Tolerable Downtime (MTD)
  ・Resource requirements
・Business Continuity Plan Development
  ・Defining the continuity strategy
  ・Documenting the continuity strategy
・Plan Approval and Implementation
  ・Senior management sign-off
  ・Creating awareness of the plan enterprise-wide
  ・Maintenance of the plan, including updating when needed
MTD Maximum Tolerable Downtime
・Critical - minutes to hours
・Urgent - 24 hours
・Important - 72 hours
・Normal - seven days
Roles and Responsibilities
・The BCP Committee
  ・Senior management
  ・Business units
  ・Information systems
  ・Security administration
・Senior Management
  ・Identify and prioritize time-critical systems that are of great importance to the organization
  ・Initiating the project
Steps of BIA
・Gathering assessment materials
・Performing the vulnerability assessment
  ・Quantitative
    ・Financial loss
    ・Additional operational expenses
  ・Qualitative
    ・Loss of competitive advantage or market share
    ・Loss of public confidence or credibility
  ・Critical support areas
    ・Telecommunications, data communications or information technology
    ・Physical infrastructure or plant facility
    ・Accounting, payroll, transaction processing
・Analyzing the information compiled
・Documenting the results and presenting recommendations
Three Goals of BIA
・Criticality prioritization
・Downtime estimation
・Resource requirements
Recovery objective metrics
・MTO Maximum Tolerable Outage - the maximum amount of time the organization can provide services at the alternative site
・SLO Service Level Objective - the level of service provided by alternate processes while primary processing is offline
・MTD Maximum Tolerable Downtime - the longest time that an organization can survive without a critical function
・RTO Recovery Time Objective - the maximum elapsed time to recover an application at an alternate site
・RPO Recovery Point Objective - how current the data must be, or how much data an organization can afford to lose
Classifying Processes
・Core process - produces revenue
・Supporting process - requires only minimum BCP services
・Discretionary process - nonessential
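The BIA goals (criticality prioritization, downtime estimation, resource requirements), the MTD tiers and the recovery metrics above are easiest to check against each other in code. The following is an added example for these notes, not code from the original page: it assigns each function an MTD tier, orders functions by criticality, and flags objectives that are inconsistent (an RTO that is not shorter than the MTD) or not met by current capability (a backup interval longer than the RPO, a tested recovery time longer than the RTO). The sample functions and figures are constructed, and the tier boundaries are an assumption read from the MTD table.

```python
"""Consistency check of BIA recovery objectives.

Added example, not from the original notes. It takes the notes' metrics
(MTD, RTO, RPO) and process classes (core / supporting / discretionary),
assigns the MTD tier from the notes' table, prioritizes functions by
criticality, and flags objectives the current capability cannot meet.
The functions and numbers below are constructed sample data; the tier
boundaries are an assumption read from the table (Critical: under 24 h,
Urgent: up to 24 h, Important: up to 72 h, Normal: up to 7 days).
"""
from dataclasses import dataclass

CLASS_ORDER = {"Core": 0, "Supporting": 1, "Discretionary": 2}


@dataclass
class CriticalFunction:
    name: str
    process_class: str              # Core / Supporting / Discretionary
    mtd_hours: float                # Maximum Tolerable Downtime
    rto_hours: float                # Recovery Time Objective
    rpo_hours: float                # Recovery Point Objective (tolerable data loss)
    backup_interval_hours: float    # current capability: data newer than the last backup is lost
    tested_recovery_hours: float    # current capability: recovery time measured in the last test


def mtd_tier(mtd_hours: float) -> str:
    """Map an MTD to the tier used in the notes (boundaries are an assumption)."""
    if mtd_hours < 24:
        return "Critical"
    if mtd_hours <= 24:
        return "Urgent"
    if mtd_hours <= 72:
        return "Important"
    if mtd_hours <= 24 * 7:
        return "Normal"
    return "Beyond 7 days"


def findings(f: CriticalFunction) -> list:
    """Objectives that are internally inconsistent or not met by current capability."""
    out = []
    if f.rto_hours >= f.mtd_hours:
        out.append("RTO must be shorter than MTD")
    if f.tested_recovery_hours > f.rto_hours:
        out.append("tested recovery time exceeds RTO")
    if f.backup_interval_hours > f.rpo_hours:
        out.append("backup interval exceeds RPO")
    return out


def prioritize(functions: list) -> list:
    """Criticality prioritization: shortest MTD first, then core before supporting before discretionary."""
    return sorted(functions, key=lambda f: (f.mtd_hours, CLASS_ORDER.get(f.process_class, 9)))


def bia_report(functions: list) -> list:
    """One (name, tier, findings) tuple per function, in priority order."""
    return [(f.name, mtd_tier(f.mtd_hours), findings(f)) for f in prioritize(functions)]


# Constructed sample functions.
SAMPLE_FUNCTIONS = [
    CriticalFunction("Payroll", "Core", 72, 24, 4, 24, 12),
    CriticalFunction("Order processing", "Core", 4, 8, 1, 0.25, 6),
    CriticalFunction("Intranet wiki", "Discretionary", 168, 72, 24, 24, 48),
]

if __name__ == "__main__":
    for name, tier, issues in bia_report(SAMPLE_FUNCTIONS):
        print(f"{name:18} {tier:14} {issues or 'OK'}")
```

The "RTO must be shorter than MTD" check is the one most often missed in practice: an RTO equal to the MTD leaves no margin for the time spent declaring the disaster and deciding to fail over.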
DRP
Making preparations for a disaster, but also addressing the procedures to be followed during and after the loss: provide the capability to implement critical processes at an alternate site and return to the primary site and normal processing within a time frame that minimizes the loss to the organization, by executing rapid recovery procedures.
The DRP Process
・Data Processing Continuity Planning - planning for the disaster and creating the plans to cope with it
  ・Mutual aid agreement = reciprocal agreement
  ・Subscription service
    ・Hot site
    ・Warm site
    ・Cold site
  ・Multiple centers = dual sites: processing is distributed across several sites, which share the available resources; in a large disaster, however, demand may exceed the capacity of the combined sites
  ・Service bureaus: contract with a service bureau to provide all of the alternate backup processing services
  ・Other data center backup alternatives
    ・Rolling/mobile backup site
    ・In-house or external supply of hardware replacement
    ・Prefabricated building
・Data Recovery Plan Maintenance - keeping the plans up to date and relevant
GFS Tape Rotation
・Grandfather, Father and Son
・Monthly backup - weekly full backup - daily incremental backup
Tower of Hanoi
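Both rotation schemes above can be expressed as a schedule function. The following is an added example for these notes, not code from the original page: gfs_backup_type() returns which GFS backup a given date gets (daily incremental, weekly full, or the month's last weekly full kept as the monthly backup), and hanoi_tape() returns which tape the Tower of Hanoi scheme uses on day n, where tape i is reused every 2**(i+1) days so that a few tapes keep restore points at exponentially increasing ages. Weekly fulls on Friday and promotion of the last Friday's full to the monthly tape are assumptions, and the dates are constructed.

```python
"""Backup tape rotation schedules: GFS and Tower of Hanoi.

Added example, not from the original notes. gfs_backup_type() schedules the
notes' Grandfather-Father-Son scheme (daily incremental, weekly full, monthly
full); hanoi_tape() schedules the Tower of Hanoi scheme, where tape i is
reused every 2**(i+1) days. Weekly fulls on Friday and the last Friday of
the month promoted to the monthly (grandfather) tape are assumptions; the
dates below are constructed.
"""
from datetime import date, timedelta

FRIDAY = 4  # date.weekday(): Monday == 0


def gfs_backup_type(day: date, full_weekday: int = FRIDAY) -> str:
    """GFS: daily incremental (son), weekly full (father) on full_weekday,
    and the month's last weekly full kept as the monthly backup (grandfather)."""
    if day.weekday() != full_weekday:
        return "daily incremental (son)"
    if (day + timedelta(days=7)).month != day.month:
        return "monthly full (grandfather)"
    return "weekly full (father)"


def hanoi_tape(day_number: int, tapes: int) -> int:
    """Tower of Hanoi: on day n (1-based) use the tape whose index equals the
    number of trailing zero bits of n, capped at the last tape. Tape 0 is used
    every 2 days, tape 1 every 4, tape 2 every 8, and so on."""
    if day_number < 1 or tapes < 1:
        raise ValueError("day_number and tapes must be positive")
    trailing_zeros = (day_number & -day_number).bit_length() - 1
    return min(trailing_zeros, tapes - 1)


def hanoi_restore_points(days_elapsed: int, tapes: int) -> dict:
    """Which day each tape currently holds after days_elapsed daily backups,
    i.e. the restore points available from the tape set."""
    held = {}
    for n in range(1, days_elapsed + 1):
        held[hanoi_tape(n, tapes)] = n
    return held


if __name__ == "__main__":
    for d in (date(2024, 3, 20), date(2024, 3, 22), date(2024, 3, 29)):
        print(d, gfs_backup_type(d))
    print("Hanoi, 5 tapes, first 16 days:",
          [chr(ord("A") + hanoi_tape(n, 5)) for n in range(1, 17)])
    print("restore points after 20 days:", hanoi_restore_points(20, 5))
```

After 20 days with five tapes the set holds days 19, 18, 20, 8 and 16, i.e. restore points one, two, zero, twelve and four days old: the spread of ages is what Tower of Hanoi buys over a plain round-robin of the same five tapes, which would hold only the last five days.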
DRP Test
・Checklist test - copies of the plan are distributed to management for review
・Desk-based test - coordination; participation of the relevant members is required
・Structured walk-through test - low effort; familiarizes people with the plan; overview; promotes understanding; paper test; good for checking updates; business unit management gathers to review the plan
・Simulation test - preparedness test; simulation of the whole environment; understanding of the scenario; highly cost-effective; judges effectiveness
・Preparedness test - a limited version of the full test; simulation; effectiveness evaluation
・Parallel test - critical systems are run at the alternate site
・Full interruption test - normal production is interrupted and the actual disaster recovery process is carried out
Test cases in order of increasing difficulty
・Desk walk-through of the plan
・Desk walk-through using a mock disaster scenario
・Test of the infrastructure and communication components of the recovery plan
・Recovery test of the infrastructure and critical applications
・Test of the infrastructure and critical applications with user participation
・Full restoration test
・Unannounced test
Security Policy
・Policies - the first and highest level of documentation
  ・Senior management statement of policy
  ・General organization policies
  ・Functional policy
・Standards - baseline; the use of specific technology
・Guidelines - recommended actions; flexible
・Procedures
  ・Procedures are updated frequently
  ・How-to documents
Roles and Responsibility
・Senior Manager - has the ultimate responsibility for security
・InfoSec Officer - has functional responsibility for security
・Owner - determines the data classification
・Custodian - preserves the information's CIA
・User/Operator - performs in accordance with (IAW) the stated policies
・Auditor - examines security, security policy and procedures; reports to senior management
Risk Analysis Formulas, especially for Quantitative Risk Analysis
・EF - Exposure Factor, percentage of loss
・SLE - Single Loss Expectancy, the dollar figure that is assigned to a single event
  Asset Value ($) x EF = SLE
・ARO - Annualized Rate of Occurrence, a number that represents the estimated frequency. An event that occurs once every 100 years -> ARO 0.01
・ALE - Annualized Loss Expectancy, a dollar value derived from the following:
  SLE x ARO = ALE
  Asset Value x Exposure Factor x ARO = ALE
・Total Risk = Threat x Vulnerability x Asset Value
  ・Threat -> man-made and natural
・Residual Risk = (Threats x Vulnerability x Asset Value) x Control Gap
  or (Threats, Vulnerability, Asset Value) - countermeasures
・FRAP, Facilitated Risk Analysis Process -> done by a team of business managers and technical staff. Checks the group of 26 common controls.
・Risk Mitigation is the "process" of determining the level of risk at which the organization can operate and function effectively.
・Risk Acceptance is the act of accepting risk.
・Risk Transference is the act of moving the risk to another party.
・Risk Reduction is the act of working toward reducing risk in the organization.
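The quantitative formulas above (SLE, ALE, residual risk) and the risk treatment options are worked through in the following added example, which is not code from the original notes. It goes one step beyond the notes: the ALE before and after a countermeasure is compared with the countermeasure's annual cost to decide between risk reduction and risk acceptance (or transference). The asset value, exposure factors, ARO and control cost are constructed sample figures, and the decision rule at the end is an assumption rather than something the notes state.

```python
"""Quantitative risk analysis worked through with the notes' formulas.

Added example, not from the original notes. It computes SLE = Asset Value x EF,
ALE = SLE x ARO, and Residual Risk = (Threat x Vulnerability x Asset Value) x
Control Gap, and then goes one step beyond the notes: it compares the ALE
before and after a countermeasure against the countermeasure's annual cost
to decide between risk reduction and risk acceptance. The asset, loss
percentages, frequencies and costs are constructed sample figures; the
decision rule at the end is an assumption, not a rule stated in the notes.
"""


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: dollar loss from one occurrence."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF is the fraction of the asset value lost, between 0 and 1")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized Loss Expectancy: SLE x ARO (ARO 0.01 = once in 100 years)."""
    return sle(asset_value, exposure_factor) * aro


def residual_risk(threat: float, vulnerability: float,
                  asset_value: float, control_gap: float) -> float:
    """Residual Risk = (Threat x Vulnerability x Asset Value) x Control Gap.
    Threat and vulnerability are likelihoods in [0, 1]; control gap is the
    fraction of the total risk the countermeasures do not cover."""
    return threat * vulnerability * asset_value * control_gap


def control_net_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Annual benefit of a countermeasure minus its annual cost (assumption:
    the usual cost/benefit figure used to justify a control)."""
    return (ale_before - ale_after) - annual_control_cost


def treatment(ale_before: float, ale_after: float, annual_control_cost: float) -> str:
    """Decision rule (assumption): reduce when the control pays for itself,
    otherwise accept the risk or seek transference (e.g. insurance)."""
    if control_net_value(ale_before, ale_after, annual_control_cost) > 0:
        return "reduce"
    return "accept or transfer"


# Constructed scenario: a server room worth $1,000,000, a fire that would
# destroy 25% of it about once in 100 years, and a suppression system that
# cuts the loss to 5% at $1,000 per year.
ASSET_VALUE = 1_000_000.0
EF_NO_CONTROL, EF_WITH_CONTROL, ARO, CONTROL_COST = 0.25, 0.05, 0.01, 1_000.0

if __name__ == "__main__":
    before = ale(ASSET_VALUE, EF_NO_CONTROL, ARO)
    after = ale(ASSET_VALUE, EF_WITH_CONTROL, ARO)
    print(f"SLE before control: ${sle(ASSET_VALUE, EF_NO_CONTROL):,.2f}")
    print(f"ALE before: ${before:,.2f}  ALE after: ${after:,.2f}")
    print(f"net value of control: ${control_net_value(before, after, CONTROL_COST):,.2f}")
    print("treatment:", treatment(before, after, CONTROL_COST))
    print(f"residual risk example: ${residual_risk(0.3, 0.5, ASSET_VALUE, 0.2):,.2f}")
```

With these figures the ALE falls from $2,500 to $500 for a $1,000 annual cost, so the control is worth $1,000 a year and reduction is the rational treatment; at a $5,000 annual cost the same control would cost more than it saves, and acceptance or transference becomes the defensible choice.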
The Software Capability Maturity Model (CMM)
・Capability maturity model (CMMI)
・Level 1 Initial / Initiating - processes are unpredictable: variable, inconsistent, and depend heavily on institutional knowledge
・Level 2 Managed / Repeatable - processes are characterized for projects and are reactive; processes are seen as repeatable
・Level 3 Defined - processes are clarified and understood; proactive; quantitative process improvement, documented standards are put in place
・Level 4 Quantitatively Managed / Managed - processes are measured and controlled; quantitative goals; metrics and management standards are in place
・Level 5 Optimizing - the focus is on process improvement