Happy New Year 0111 1110 0000

This is the last post of this year which has been intense, stressful and accelerated sometimes and quiet and relaxed other times but it has always been funny and gratifying. This year has had 365 days which is a lot of time to do whatever we want like working, reading, studying and enjoying with friends, family, partners and workmates. I'm going to do a review of this 2015 to try to improve for the next 2016.

In this year, once again, I have seen that relationships is the best tool to improve ourself if we get a team with the same ideas and the same strength to work together toward the same goal which is live, learn and enjoy. Thanks that I participate in many projects during the year I can meet a lot of engineers and know how they work with their limitations, problems and advantages to try to improve their IT infrastructure and therefore their business. For this reason, my wishes to leave the cave, meet other people and interacting with them, improve my English language and contribute with the society have done that I went to Russia this summer for one month to make presentations about Spain, organize English and Spanish lessons for children and help to organize different educational, cultural and sport activities during the camp. Very interesting and delighted.

With regard to certifications and learning about Security and Networking, I got the FCNSP (Fortinet Certified Network Security Professional) certification at the beginning of the year and I also applied for the Second Challenge of ISACA, which I was the winner with the first award. For this award I had to read lots of papers about dynamic reputation systems and learning how attackers evade security controls to develop my own DGA malware, which is a new and innovate technique that it is used for malwares like cryptolocker. This was my opportunity for learning about Information Security Management because the award included an online course and exam about CISM (Certified Information Security Manager), that I took it last month and I'm waiting for the results. On the other hand, I finished my studies in English language and I got the C1 level, and this is the reason why I have begun to write in English language in the blog because I don't want to forget what I learned. In addition, I got an ethical hacking course to improve my technical security skills.

Speaking about projects, I have taught about OSPF and PIM (Protocol Independent Multicast) protocols under Alcatel-Lucent technology to the AENA Company and I have also taught about Cisco Firewall ASA to the Government of Spain. Moreover, I have had the luck to advise, install, configure and support load balancer solutions under F5 Networks and Radware that along with projects about Firewalls and Antispam I have reinforced my knowledge in network and security. Like the last year, I have also had the opportunity to participate in an installation about Open Nebula with HP, Cisco and NetApp equipment. I have not only participated in technical projects but I have also written a lot of documents about policies and procedures to make Disaster Recovery Plans (DRP) and adapt infrastructures to the PCI-DSS Compliance, which is a requirement if you want to work with the card industry like Visa, Mastercard or American Express. In the meantime, I have helped to deliver, support and maintain the Ariolo Cloud Services, I have also installed probes and SIEM systems, and helping to companies with security and networking audit to know how to improve their processes and infrastructures. Last but not less important, this year to keep my CISA certification I have had to give speeches about security, therefore I have given four speeches in EAP, Mérida, CUM and EPCC.

For the next year, I want to renovate my CCNP certification and maybe to begin to learn a new language, will see. Of course I want to keep my CISA certification and improve my English skills but what I want the most is to think big and meet with big professionals to share experiences and knowledge.

Merry Christmas and Happy New Year.

IT Management - Talk

Last week I was at Polytechnic University of Caceres giving a talk about IT Management and it was enjoyable to return to my University where I studied because I could speak with two of my former teachers who taught me Security and Project. This time my goal was to show how works the IT Management outside in the real world to students and future engineers.

Firstly we were talking about why we should have a Management System to deliver services. Today, IT has advanced dizzily and it is difficult to measure and improve without a proper IT Management, consequently we have to bring order to the chaos with policies and procedures if we want to make progress in our company.

Most companies need a lot of resources to make business and lots of technologies as well, therefore it is important to manage efficiently the resources if we don't want to waste it. This is the main reason of creating procedures and deliver services with a methodology because if we want to make big things like a bridge we will need manage resources, measure metrics and improve the life cycle of services. At the end we will have a product or service standardized with a Service Level Agreement (SLA) easily manageable, easily deliverable and easily improvable and it will always have the same quality because we were always following the same steps or procedures to deliver the services.

There are a lot of IT-related standards like ISO 20000, ITIL, Cobit, CMMI, ISO 27001, etc based in best practices that we can follow to improve our organization but we shouldn't forget that we can get a little bit of each of them to adapt them to our organization instead of getting one of them and follow strictly because maybe some processes aren't necessary to our company. With these standards IT departments will align with the business, and technologies will work for the business, thus we should adapt the technology to the business.

When I was talking about processes to students, they were a little weird because they don't understand adequately this abstract noun. I told them that if we always want to deliver a service in the same way with the same quality and without “surprise” we have to follow a set of steps to get the result. Sometimes these steps or procedures have to be changed because the board of directors change the strategy of our company or simply because they want to spread out the business with new products or services. In this moment, we will have to change the procedures and policies to adapt the processes and technology to the new strategy. This is like the new service of Amazon who wants to sell food, do you think they will have to adapt the technology to the new service? Of course, they'll do. Amazon will have to create new processes, policies and procedures to adapt the IT to the new service.

I hope students learned something new about IT Management in this talk because they will be the future engineers who will manage IT departments in big or small companies, it doesn't matter, the important thing is that they know how to manage an IT department regardless where they work. I'm glad to participate in this kind of initiatives to try to bring the real world to the University.

Best regards my friend and remember, if you have any question, go ahead!!

Gestion de las TI from dromerotrejo

CISM – Certified Information Security Manager

El año pasado me preparé, estudié, presenté y aprobé la certificación de Auditor de Sistemas de Información de ISACA, CISA por sus siglas en inglés, dedicada a validar los conocimientos en los campos de auditoría, control y seguridad de los sistemas de información. Aquella experiencia donde aprendí bastante sobre el campo de la auditoría de sistemas fue bastante gratificante y por eso este año opté por prepararme la Certificación en Gestión de Seguridad de la Información (CISM), también emitida por la organización ISACA e introducida en su catálogo de certificaciones en el año 2002, la cual está dirigida específicamente a profesionales experimentados en la Seguridad de la Información y orientada a la gerencia de riesgos y gestión de la seguridad de la información.

Realmente el capítulo de Madrid de ISACA ha sido el que me ha empujado a presentarme este fin de semana pasado al examen de CISM al regalarme un curso completo de preparación, además de las tasas de examen, todo ello gracias a ser el ganador del II Reto ISACA. La certificación CISM, al igual que la certificación CISA, requiere acreditar 5 años de experiencia en el sector, y además estamos obligados a mantenernos formados en materia de Seguridad de la Información obteniendo créditos CPE (Continuing Professional Education) que validan la formación continua.

Desde principios de año estaba valorando prepararme alguna certificación de seguridad como CISSP o CISM, pero finalmente tras ganar el premio del Reto ISACA y con la ayuda del Capitulo de Madrid me decidí por comenzar a estudiar el CISM en Septiembre después de mi vuelta de Rusia en las vacaciones de verano.

Tengo que reconocer que tras la experiencia del CISA sabía lo que me venía por delante, muchas horas de estudio y un examen complicado y agotador, pero todo ello merecía la pena porque sabía que aprendería nuevos conceptos y profundizaría en otros que me darían una visión sobre la Gestión de la Seguridad de la Información que no tenía y que todo ello luego podría aprovecharlos para aplicarlos en el día a día de mi trabajo. Y os puedo asegurar que así ha sido, el CISM te muestra la seguridad desde una perspectiva global para proteger la información de la organización, es decir el CISM te enseña a gestionar la seguridad elaborando políticas que se alineen con el negocio, y desarrollando procedimientos y baselines para proteger la información, por supuesto sin dejar atrás el proceso de Gestión de Riesgos y el de Incidentes de Seguridad.

El material utilizado y el orden de estudio ha sido el siguiente:

• Ver los vídeos de CBT Nuggets.
• Leer el libro Manual de Preparación al examen CISM 2015 de ISACA.
• Leer el libro Manual de Preguntas, Respuestas y Explicaciones de Preparación al Examen CISM 2014.
• Realizar el Curso Oficial de Preparación CISM de ISACA.
• Practicar el examen a partir de la base de datos de preguntas de ISACA.

La certificación CISM está dividida en cuatro áreas o dominios. Siendo los porcentajes que veis a continuación la importancia de cada uno de los dominios.

• Gobierno de la Seguridad de la Información (24%)
• Gestión de Riesgos de la Información y Cumplimiento (33%)
• Desarrollo y Gestión del Programa de Seguridad de la Información (25%)
• Gestión de Incidentes de Seguridad de la Información (18%)

Para todo aquel que me haya seguido durante los últimos meses en el blog habrá podido observar que he realizado muchas entradas referentes a la gestión de la seguridad, el motivo principal de ello ha sido que mientras iba estudiando también iba escribiendo en el blog para compartir mis conocimientos y experiencias con todos vosotros. Básicamente las entradas referentes a gestión de la seguridad que he escrito mientras estudiaba son las siguientes:

• Business Impact Analysis
• Due Diligence
• Obstacles to effective InfoSec Program Management
• Overview of InfoSec Program Management
• Government and Management aren't the same
• Security Program Scope
• Overview of InfoSec Program Development
• Threats and Vulnerabilities
• Risk Management Process
• Overview of Risk Management
• Approaches to a Security Framework
• Information Security Governance Metrics
• Information Security Governance

Todas las entradas anteriores os pueden servir para haceros una idea de los conceptos que se tratan en la certificación CISM y que por lo tanto hay que tenerlos claros. Al igual que el examen de CISA, esta certificación no me ha resultado nada fácil ya que aunque hayas hecho muchos tipos test, en el examen te encontrarás muchísimas preguntas que no has visto o simplemente planteadas de otra manera, por tanto es muy importante tener claro los conceptos para responder las 200 preguntas de opción múltiple en las 4 horas que dura la prueba.

Tan solo me queda recomendar a todo aquel que esté interesado en la seguridad de la información que estudie certificaciones como esta, ya que además de aprender y reforzar conceptos, sirve para que un tercero de confianza valide tus conocimientos. Veremos qué tal salen los resultados dentro de un mes, pero sean los que sean os puedo asegurar que estos últimos tres meses de estudios han merecido la pena por la visión en cuanto a seguridad que proporciona preparase una certificación como el CISM.

Un saludo amigos, y como siempre, cualquier aportación y/o duda, adelante.

Business Impact Analysis

Several times I have mentioned about Business Impact Analysis (BIA) but I have never written a whole post about that. We are going to see a closer look about some of the elements of BIA and how it is related to the overall process of Incident Management and Incident Response.

The overall purpose of BIA is to generate documents that help executive management has a good idea of what impact a particular incident that we can have on the business of our organization.

We have three main goals. The first goal is to prioritize how critical certain process and systems in an area of our business are. Therefore, each business unit process must be identified and prioritized as far as mission criticality. It's also need to be valued as far as what type of incident can occur and the impact in our organization. As a result, the higher the impact the higher the priority of that particular system. The second goal is to estimate the downtime. Therefore, we have to estimate the Maximum Tolerable Downtime (MTD) for each system. How much downtime can the system tolerate to still be viable? This can be the longer period of unavailability of critical processes, services and information assets before our company can no longer operate. And finally, the third goal is what are our resource needs. What are the requirements for these critical processes? We also have to identify those during the Business Impact Analysis. Obviously, the most time sensitive and higher impact to our processes and systems, they are going to need the most resource allocation.

Our Business Impact Assessment can involve four key steps: First of all, gathering information for identifying which business unit is the most critical to our organization and it can drill down the tasks for those critical business that we need to do to ensure business survival. Second, performing a vulnerability assessment. Third, analysing the data we have compiled from our information gathering and vulnerability assessment process. During this third step we can identify inter-dependence between different departments, we can also identify potential documentation threats and about these threats we can provide alternatives methods to respond. And finally, documenting.

The four steps commented before are going to lead to the overall BIA report which give us three things. First, it should establish the escalation of loss over time. In other words, the more hours our critical systems are down, how is that going to impact to our organization as far as time, money and the overall impact in the industry? Second, it should identify the minimum resources that we need to recover. Thirdly, it helps us to prioritize the recovery of processes and supporting systems.

The way the BIA is going to be implemented in the organization really depends because each organization is different but there are some things and elements that they are common in all organizations in the way the implementer can duck a BIA. There are five common elements that we can see next:

• Describe the mission of business unit.
• Identify critical functions.
• Identify time cycles to deliver functions.
• Estimate impact on business operations.
• Estimate recovery time.

Best regards my friend and remember, if you have any question, go ahead!!