Slide Deck - CISSP Mentor Program Class Session 1

Posted on 23-Jan-2018


Transcript of Slide Deck - CISSP Mentor Program Class Session 1

FRSecure 2016 CISSP Mentor Program

EVAN FRANCEN, PRESIDENT & CO-FOUNDER - FRSECURE

CLASS SESSION #1

CISSP Mentor Program Session #1
Welcome!

• What is the CISSP Mentor Program

• History

  ◦ 1st class was 2010; 6 students

  ◦ Today’s class: 80 students

• Why we do it

• Success Stories

• Heck, it’s free! If you aren’t satisfied, we’ll refund everything you paid us. ;)

We need MORE good information security people!

CISSP Mentor Program Session #1
We need MORE good information security people!

The CISSP is ideal for those working in positions such as, but not limited to:

◦ Security Consultant

◦ Security Manager

◦ IT Director/Manager

◦ Security Auditor

◦ Security Architect

◦ Security Analyst

◦ Security Systems Engineer

◦ Chief Information Security Officer

◦ Director of Security

◦ Network Architect

CISSP Mentor Program Session #1
Typical Class Structure

• Recap of previous content/session

• Questions

• Quiz

• Current Events

• Lecture

• Homework Assignment - WHAT?! Yeah, we got homework.

• Questions

CISSP Mentor Program Session #1
Questions

• We may not get to all of the questions during class

• Send questions to Robb Stiffler (rstiffler@frsecure.com) – for now.

• We will soon (probably) assist in setting up (or facilitating) a study group.

• Content will be made available to all students upon request.

CISSP Mentor Program Session #1
The Certified Information Systems Security Professional (or “CISSP”)

• Maintained by the International Information Systems Security Certification Consortium (or ISC2®)

• Tests your knowledge (or memorization) of the Common Body of Knowledge (or “CBK”).

• “a mile wide and two inches deep” (or maybe just an inch deep).

• 2015 CBK, updated in April 2015

• CBK consists of eight domains… next page

CISSP Mentor Program Session #1
The Certified Information Systems Security Professional (or “CISSP”)

Eight domains for the CISSP CBK:

• Security and Risk Management

• Asset Security

• Security Engineering

• Communications and Network Security

• Identity and Access Management

• Security Assessment and Testing

• Security Operations

• Software Development Security

CISSP Mentor Program Session #1
The Certified Information Systems Security Professional (or “CISSP”)

Preparation (there are bunches of ways)

• 3x Book Read (my favorite)

  ◦ Read the book once, fast

  ◦ Read the book a second time, focus on concepts

  ◦ Read the book a third time, focus on mastery and memorization

• Note Cards

• Practice Tests (and quizzes)

• Study Groups

The CISSP Mentor Program is a tool to facilitate your studies; it does not supplant them! YOU WILL STILL NEED TO STUDY.

CISSP Mentor Program Session #1
The Certified Information Systems Security Professional (or “CISSP”)

How to take the exam

• Computer-based (“CBT”) at Pearson Vue

• 250 questions

• Six hour time limit

• Two (sort of four) types of questions:

  ◦ Multiple Choice (four options, two are almost obviously wrong)

  ◦ “Advanced Innovative”

    ◦ Scenario

    ◦ Drag/Drop

    ◦ Hotspot

• 25 (10%) of the questions are “experimental” or research questions.

CISSP Mentor Program Session #1
The Certified Information Systems Security Professional (or “CISSP”)

How to take the exam

• Methods

  ◦ Two-pass

  ◦ Three-pass

  ◦ Suppose you could do one-pass too if you’re some kind of Jedi Master (or whatever)

• You will know right away if you have passed or failed.

CISSP Mentor Program Session #1
The Certified Information Systems Security Professional (or “CISSP”)

Becoming a CISSP

• Passing the exam is only one step.

• Need experience

  ◦ 5 or more years within 2 or more domains (can waive one year with a college degree or with another relevant certification)

• Not enough experience? Pass the exam and you’re known as an “Associate of (ISC2)”

• Must agree to the (ISC2) Code of Ethics.

• Must be endorsed by another CISSP (in good standing).

CISSP Mentor Program Session #1
About me

• President & Co-founder of FRSecure

• 20+ years of information security experience

• Big breach inside experience

• Information security evangelist

• Specialties: Security leadership coaching, risk management, methodology development, and Social Engineering ;)

• CISSP sixty thousand something (I forgot my number).

• Very, very passionate about information security, but most importantly in doing the right thing.

FRSecure exists to fix the broken industry.

CISSP Mentor Program Session #1
Same presentation given numerous times… Good for us too.

• Introduction

• We’re all experts right?

• Fundamentals

• The value of listening

• Principles

• Solutions – What to do…

• Questions

Information Security Fundamentals
Introduction

• FRSecure

  ◦ Information security consulting company

  ◦ In business since 2008

  ◦ 700+ clients, many in legal, healthcare, and finance

• Speaker – Evan Francen

  ◦ President & Co-founder of FRSecure

  ◦ 20+ years of information security experience

  ◦ Big breach inside experience

  ◦ Information security evangelist

  ◦ Specialties: Security leadership coaching, risk management, methodology development, and Social Engineering ;)

Information Security Fundamentals

If there’s one thing that I’ve learned in 20+ years in information security it’s to LISTEN.

If there’s one more thing that I’ve learned in 20+ years in information security it’s that I don’t know everything!

Although too many information security “experts” won’t admit it.

Information Security Fundamentals
One thing is clear…

We’re missing the information security fundamentals!

Information Security Fundamentals
What are some of the fundamentals?

We’re all experts, right?

What is “information security”?

We can argue about whose definition is better, but we need to start with a common understanding (or definition).

Information Security Fundamentals
What are some of the fundamentals?

Information security is the application of administrative, physical, and technical controls to protect the confidentiality, integrity, and availability of information.

“Most organizations overemphasize technical controls to protect confidentiality and do so at the expense of other critical controls and purposes.”

Seems fundamental. How about a story?

Information Security Fundamentals
What are some of the fundamentals?

Probably one of the most overused words in all of security…

What is “risk”?

Again, we can argue about whose definition is better, but we need to start with a common understanding (or definition).

Information Security Fundamentals
What are some of the fundamentals?

Risk is the likelihood of something bad happening and the impact if it did.

“The likelihood of a threat exploiting a vulnerability leads to an associated impact.”

Seems fundamental. How about another story?

Information Security Fundamentals
What are some of the fundamentals?

Risk

Anybody know who this guy is?

Information Security Fundamentals
What are some of the fundamentals?

What is information security?

What is risk?

Why are these definitions so important?

Because they should drive everything you’re doing.

Information Security Fundamentals
The value of listening.

To keep us honest (and humble), we organized the FRSecure Customer Advisory Board (or “CAB”).

We posed two simple questions…

What is your greatest frustration with respect to information security?

What is your greatest challenge with respect to information security?

Then we listened…

Information Security Fundamentals
The value of listening.

Greatest frustrations:

1. Lack of common information security understanding.

2. Different interpretations of different information security regulations and standards.

3. Lack of education for practitioners and executive management.

4. Constantly changing priorities based on outside influences.

Together we derived a core frustration that sums up everything: we are all speaking different languages for the same topic.

Information Security Fundamentals
The value of listening.

Greatest Challenges:

1. Education/training for executives, IT personnel, and users.

2. Management commitment to continuous improvement.

3. Obtaining the necessary resources to manage information security.

4. Measuring information security (metrics, status, improvements, etc.)

The greatest challenges could be summed up as: we don’t know how to fix the issues facing us within the greater context of a strategic information security program.

Information Security Fundamentals
So what are we going to do?

Our two problems, summed up by listening:

1. We are all speaking different languages for the same topic.

2. We don’t know how to fix the issues.

Now we can offer some advice, but only after listening.

Information Security Fundamentals
We are all speaking different languages for the same topic.

1. Define and live by your definition of information security. Get everybody in agreement with the common definition because it will (or should) drive everything.

2. Define and live by your definition of risk. If you can understand and communicate risk well:

• You will automatically be compliant with regulations.

• You will be able to make good decisions.

• You will build a security program that works for you.

Information Security Fundamentals
We don’t know how to fix the issues.

Start with defining your information security principles. These are the rules that you are going to live by. Here’s ours:

1. A business is in business to make money.

2. Information Security is a business issue.

3. Information Security is fun.

4. People are the biggest risk.

5. “Compliant” and “secure” are different.

Information Security Fundamentals
We don’t know how to fix the issues.

Start with defining your information security principles. These are the rules that you are going to live by. Here’s ours (continued):

6. There is no common sense in Information Security.

7. “Secure” is relative.

8. Information Security should drive business.

9. Information Security is not one size fits all.

10. There is no “easy button”.

Information Security Fundamentals
We don’t know how to fix the issues.

Now that you’re bought in on principles for managing your security program, go here:

1. Management commitment. For real. Either you’re in or you’re not.

2. Asset management. You can’t secure what you don’t know you have.

3. Access control. You can’t secure what you can’t control.

4. Change control. See step 3.

5. Measure, measure, measure. You can’t manage what you can’t measure.

Information Security Fundamentals
As you build, implement, manage, and improve your security program…

Don’t forget to listen!

The things that people are telling you are real, and you might learn a thing or two.

It’s also OK to admit that you don’t know everything.

Questions?

Aaaaaannnnnnnd we’re back.

Homework for Thursday (4/28)

◦ Please read Chapter 2/Domain 1: Security and Risk Management

◦ Pages 11 – 74 (only 63ish pages)

We’ll dig in!

Questions?

Hopefully about security.

Thank you!

Evan Francen

◦ FRSecure

◦ efrancen@frsecure.com

◦ 952-467-6384