Course Review: Path to the ISAM

March 31, 2011

Course Review by Wardell Motley

I recently had the opportunity to travel to Colorado Springs, CO, to take the Information Security Assessment Methodology (ISAM) course by Security Horizon. The ISAM course, formerly the NSA IAM and IEM courses, has now been merged into a combined 3-day, 24-hour course.

The ISAM was created by examining the processes and techniques used by seasoned assessors from both the industry and government sectors. Its purpose is to give the community a detailed, systematic standard for performing an information security assessment that thoroughly examines an organization's vulnerabilities. Unlike many other courses, the ISAM concentrates on the actual methods and processes of an assessment; it is not a tool-based or theory-heavy course.

Although no class can teach the fundamentals or substitute for the experience of communicating effectively with the target audience, the ISAM provides a roadmap for dealing with evasive answers from executives and with nervous employees who fear their answers may put them out of a job.


The Information Security Assessment Methodology (ISAM) is part of the offerings of the Information Security Training and Rating Program (ISATRP). As stated on the ISATRP website:

"The Information Security Training and Rating Program (ISATRP) sets the standards for Information Security Assurance services through the information security assurance methodologies (Information Security Assessment Methodology, Information Security Red Team Methodology), trains and certifies individuals in the methodologies, and rates Information Security Assurance organizations through the use of a standard metric Information Security Assurance – Capability Maturity Model (ISA-CMM). The ISATRP then provides this information to consumers so they are better informed when negotiating with Information Security Assurance Providers."

In my opinion a course like this is exactly what the security community needs, since plenty of 'tool jockey' courses are already readily available. But what happens when the assessor needs to sit down with the client and ask delicate questions that no one really knows how to answer? When an assessor arrives at a client's site, the assessor is seen as the adversary: the one who forces department heads to come down on their employees in order to get a hastily prepared policy into place.

Upon arrival I was pleasantly surprised at the small class size and the level of professionalism shown by the instructors. During Day 1 the students were introduced to some of the bedrock principles behind the ISAM. As seen in Figure 1, a quick high-level view of the ISAM methodology was presented. The pre-assessment phase focused on finding and identifying vital information and systems. It also helped in defining the level of impact to the organization should confidentiality, integrity or availability (the CIA triad) be lost.

[Figure 1: ISAM triad relationship]

Module 2 was also introduced on Day 1, and gave the students a good sense of what actually needs to happen before reaching the client's site. Getting to know the business and understanding its goals helps to define its critical information and infrastructure. Obtaining upper-management buy-in and establishing scope are also discussed in this module.

During the instructor-led sessions, we were constantly challenged and given the opportunity to discuss our own experiences in the field. This helped greatly in driving the discussions and kept everyone in the class motivated and highly engaged during the entire course.

On Day 2, Modules 3 and 4 were introduced; these examine the actual on-site phase of an assessment. Module 3 defined the goals and purpose of the assessment as well as the process of conducting pre-assessment interviews. During this part of the course we ran through mock interviews with our instructors and classmates to get a feel for how the questions should be asked during the pre-assessment interviews. Coupled with the in-class exercises given after every module, this gave the students a good idea of the processes that need to take place and how to execute them. Module 4 continued the discussion of on-site activities and shed additional light on some of the more intricate areas that need to be examined within an organization. One such area is the analysis of the client's information security posture in order to discover possible vulnerabilities and ways to mitigate them.

On the 3rd and final day, Modules 5 and 6 were presented. The evaluation phase is where an in-depth analysis of the client's blue team (defensive) activities takes place. This allows the assessor to get a better picture of how everything eventually comes together at the end of an assessment. See Figure 2.

[Figure 2: Vulnerability discovery triad]

During Module 5 we discussed some of the common and not-so-common tools and techniques used to examine and enumerate network infrastructures. Vulnerability scanning and application scanning were also covered in this module. Module 6 concluded with an in-depth review of post-assessment activities, layered security concepts, and the preparation of the final assessment report.

In conclusion, the ISAM course by Security Horizon is a well put together information security course that I would recommend to any seasoned security practitioner. The Security Horizon instructors, Shane Morris (Senior Instructor) and Dana Rollins (Instructor), were well versed in the material and highly knowledgeable. You can get more information regarding the ISAM by visiting http://www.securityhorizon.com/


Wardell Motley is a Certified Ethical Hacker and a Systems Administrator for a large clothing manufacturer in Dallas, Texas. He is an active member of the ISSA, InfraGard North Texas and OWASP, and a former member of the U.S. Army. In his spare time he works as a freelance IT security researcher and contributes to Hakin9 Magazine and Ethicalhacker.net.
