1. ASM EDUCATIONAL CENTER INC. (ASM)
WHERE TRAINING, TECHNOLOGY & SERVICE CONVERGE
WWW.ASMED.COM
CISSP- SECURITY & RISK MANAGEMENT
2. OVERVIEW OF DOMAIN:
Addresses the frameworks, policies, concepts, principles, structures, and standards required for the
effective protection and management of information assets.
It also touches on governance, organizational behavior, and security awareness in general.
Enterprise-wide business continuity/disaster recovery plans (BC/DRP) are also discussed
comprehensively.
It also emphasizes the role of administrative, technical, and physical controls in the effective
protection of the confidentiality, integrity, and availability of information assets.
3. SECURITY & RISK MANAGEMENT
C.I.A
The Triad
Confidentiality
Integrity
Availability
4. SECURITY & RISK MANAGEMENT
Confidentiality:
Ensures that Data and System resources are private and remain secure against unauthorized
Confidentiality can be enforced by the use of passwords, activating firewalls, and the use of
to secure data.
Confidentiality supports the principles of least privilege and need-to-know.
A security architect must use an important measure such as data classification to ensure
confidentiality.
Encryption may also be used to restrict the usability of information in the event it is accessed
unauthorized user.
5. SECURITY & RISK MANAGEMENT
Integrity:
Integrity is about the trustworthiness and correctness of data.
Ensuring the prevention of modification of data by unauthorized users.
Prevention of the unauthorized or unintentional modification of data by authorized users.
Applies to both data at rest and in transit.
Controls such as “segregation of duties” may be employed to enforce integrity.
6. SECURITY & RISK MANAGEMENT
Availability:
Information resources must be available and accessible by authorized users at all times.
Availability may be affected by Denial-of-service attacks.
Loss of service in times of disasters of all kinds may also affect availability.
Controls such as up-to-date and active malicious code detection mechanisms and a robust
business continuity plan may help prevent loss of service.
7. Security Governance:
Organizational or corporate governance has existed since time immemorial to ensure the efficient
control structures.
Since information security has become an integral part of every organization, it is absolutely necessary
governance structure to be in place.
Information security must also be properly aligned with the mission of the organization.
Information security governance provides a platform for upper management and the board of directors
exercise their oversight on enterprise risk management to required acceptable level.
8. The intent of governance is to provide some guarantee that certain appropriate mechanisms are in
place to reduce risks (please note that risk cannot be completely eliminated).
Executive management must be fully committed to provide the investments required for any
information security activities.
9. SECURITY & RISK MANAGEMENT
The IT Governance Institute (ITGI) defines IT governance as being “the responsibility of the board of
directors and executive management”.
The ITGI also proposes that information security governance must be considered part of IT governance and
that the BOD should:
Be informed about security
Set direction to drive policy and strategy
Provide resources to security efforts
Assign management responsibilities
Set priorities
Support changes required
Define cultural values related to risk assessment
Obtain assurance from internal and external auditors
Insist that security investments are made measurable and reported on for program effectiveness.
10. SECURITY & RISK MANAGEMENT
In addition, the ITGI suggests that management should:
Write security policies with business input
Ensure that roles and responsibilities are clearly defined and understood
Identify threats and vulnerabilities
Implement security infrastructures and control frameworks (standards, guidelines, baselines, and procedures)
Ensure that policy is approved by the governing body
Establish priorities and implement security projects in a timely manner
Monitor breaches
Conduct periodic reviews and tests
Reinforce awareness education as critical
Build security into the systems development life cycle.
11. SECURITY & RISK MANAGEMENT
Security Governance:
Goals, Mission, and Objectives of the Organization
Information security must support and enable the vision, mission, and business objectives of the organization.
It must ensure the interrelationships among risk assessment, policy implementation, response controls, promotion of
awareness, monitoring of effectiveness, and so on.
12. SECURITY & RISK MANAGEMENT
Security Governance:
Organizational Processes
Acquisitions and mergers
Divestitures and spinoffs
Governance committees
Security Roles and Responsibilities
Today’s organizational structure
Role of the Information Security Officer
Communicate risks to executive management
13. SECURITY & RISK MANAGEMENT
Security Governance:
Information Security Strategies
Strategic planning – Long term (3 to 5 years); must be aligned with business objectives.
Tactical planning – Short term (6 to 18 months); used to achieve specific goals. May consist of multiple projects.
Operational and project planning – Specific plans with milestones, dates, and accountabilities that provide communication
and direction for project completion.
14. SECURITY & RISK MANAGEMENT
The Complete & Effective Security Program
Oversight Committee Representation
Security council vision statement
Mission statement
Security program oversight
End users
Executive management
Information Systems Security Professionals
15. SECURITY & RISK MANAGEMENT
The Complete & Effective Security Program
Control Frameworks
Many organizations adopt control frameworks to ensure security and privacy.
Frameworks provide consistency, metrics, standards, etc.
NIST SP 800-53 revision 4 is such a framework made up of 285 controls under 19 families.
16. SECURITY & RISK MANAGEMENT
The Complete & Effective Security Program
Due Care
Exercising a “prudent man’s judgment” to protect an organization’s assets.
Failure to exercise due care leads to legal liabilities (negligence) that may be civil, criminal, or
Due Diligence
Investigative steps taken by management, all in an effort to protect the assets of the organization.
Due diligence complements the execution of due care.
17. SECURITY & RISK MANAGEMENT
Compliance – HIPAA, GLBA, PCI-DSS, etc.
Governance, Risk Management, and Compliance (GRC)
Legislative and Regulatory Compliance
Privacy Requirements Compliance
18. SECURITY & RISK MANAGEMENT
The Many Facets of Cyber laws
Computer crimes are relatively new in our society.
Many laws and regulations, albeit inadequate, try to handle the many challenges faced in this arena of crime.
Judicial systems are experiencing growing pains from the complexity of these crimes and from inadequate resources,
human and otherwise, to handle them.
The Crux of Computer Crime Laws
Cyber laws around the world deal with incidents such as unauthorized modification or destruction of data,
disclosure of sensitive information, unauthorized access, and the distribution of malware, among many others.
Laws have been created to deal with certain categories of computer crimes.
19. SECURITY & RISK MANAGEMENT
Computer Crimes
To be able to deal effectively with computer crimes we need to understand the general categories of computer
crimes:
Computer as a target
Involves sabotage of computers and networks
Involves stealing of information such as intellectual property or marketing information that are stored on computers
Examples of crimes in this category may include DoS attacks, sniffers, and password attacks.
Computer as the instrument
Where computers are used as a means to perpetrate crimes or create chaos for an organization
Includes theft of money from online bank accounts and fraudulent use of credit card information as well as telecommunications
fraud.
20. SECURITY & RISK MANAGEMENT
Computer Crimes
Computer as incidental to other crimes
Involves crimes where computers are not really necessary for such crimes to be committed.
these crimes and make them difficult to detect.
Examples of crimes in this category may include money laundering and unlawful activities on
Crimes associated with the prevalence of computers
Includes crimes resulting from the popularity of computers
Crimes in this category are usually traditional in nature, but the targets are ever evolving
Examples include copyright violations of computer programs, software and movie piracy, and black
peripherals.
21. SECURITY & RISK MANAGEMENT
Computer Crimes
Please bear in mind that although computer crimes can be categorized, a single criminal
in multiple crime categories. Therefore, there can be an overlap between such
22. SECURITY & RISK MANAGEMENT
Motivation for Computer Crimes
Grudge (against a company or an individual)
Political reasons (terrorist activities, info warfare)
Financial reasons
Business (competitive intelligence)
Fun (script kiddies)
M - motive
O - opportunity
M - means
23. SECURITY & RISK MANAGEMENT
Global Legal and Regulatory Issues
Computer/Cyber Crime
CryptoLocker Ransomware – Spreads via email and propagates rapidly. It encrypts various file types, and then a pop-up
window appears to inform the user about the actions performed on the computer and to demand a monetary
payment for the files to be decrypted.
Child Pornography Scareware – A user might visit an infected site, and the scareware would lock up the computer and
claim that laws have been violated. Extortion is then set in motion.
Fake or Rogue Anti-Virus Software – Victims are scared by a pop-up window into purchasing anti-virus software that would
allegedly remove viruses from their computers. Clicking on the pop-up message instead infects the computer
with all kinds of malware.
24. SECURITY & RISK MANAGEMENT
Global Legal and Regulatory Issues
Licensing and Intellectual Property
Unlike criminal laws, intellectual property laws do not look at what is right or wrong. Instead, intellectual
property laws define how individuals or organizations can protect the resources that are rightfully theirs.
Intellectual property laws also define the course of action that an individual or an organization should
take in case these laws are violated.
But to be able to prosecute the offender, the individual or the organization must be able to prove that he/she/it
did everything possible to protect the resources.
25. SECURITY & RISK MANAGEMENT
Intellectual Property Laws
Copyright
Protects “original works of authorship”
Protects expression of an idea rather than the idea itself
Author controls how work is distributed, reproduced or modified
Source code and object code are both copyrightable
Copyright lasts for the length of the author’s life plus an additional 70 years after the author’s death.
Patent
A patent is a legal document issued to an inventor granting the inventor exclusive rights to the inventor for an
The patent provides the inventor the right to exclude any other person from practicing an invention for a specified
Invention must be novel (possess newness) and non-obvious.
In the USA, patents are issued by the US Patent and Trademark Office.
26. SECURITY & RISK MANAGEMENT
Intellectual Property Laws
Trade Secret
Maintains confidentiality of proprietary business-related data
Owner must adequately protect such data
Owner has invested substantial resources to produce such data
Data must provide competitive value, be proprietary to a company, and important for its
Trademark
Protects word, name, symbol, sound, shape, color or combinations thereof which identifies a
distinguishes it from others
Protects the “look and feel” of a company
27. SECURITY & RISK MANAGEMENT
Global Legal and Regulatory Issues
Import/Export
Governmental laws that restrict import and export regimes
Terrorism is suspected in most cases
National security concerns, etc., etc.
Trans-Border data Flow
Similar concerns as above
Privacy
Very thorny issue here and abroad
Data breaches – many recent examples
Relevant Laws and Regulations
HIPAA, GLBA, FERPA (Family Educational Rights Privacy Act), etc.
28. SECURITY & RISK MANAGEMENT
Understand Professional Ethics
Regulatory Requirements for Ethics Programs
Topics in Computer Ethics
Common Computer Ethics Fallacies
Hacking and Hacktivism
Ethics Codes of Conduct and Resources
(ISC)2 Code of Professional Ethics
Support Organization’s Code of Ethics
29. SECURITY & RISK MANAGEMENT
Develop & Implement Security Policy
Policy – High level management directives
Security policy – Defines how security is to be managed
Standards – Describes the specific requirements
Procedures – Step-by-step approach to accomplish a task
Guidelines – Recommendations (usually discretionary)
Baselines – Uniform ways of implementing a safeguard
Implementations – Must be well communicated
30. SECURITY & RISK MANAGEMENT
Policies, Standards, Procedures, Guidelines, & Baselines:
Document     Example                                                        Mandatory or Discretionary
Policy       Protect the CIA of PII by hardening the OS                     Mandatory
Standard     Use rugged Toshiba laptop hardware                             Mandatory
Procedure    Step 1: Install pre-hardened OS image                          Mandatory
Guidelines   Patch installation may be automated via an installer script    Discretionary
Baselines    Use the Windows Hardening benchmark                            Discretionary
31. SECURITY & RISK MANAGEMENT
Business Continuity (BC) & Disaster Recovery (DR)
Requirements
Project Initiation and Management
Develop and Document Project Scope and Plan
Conduct the Business Impact Analysis (BIA)
Identify and Prioritize
Assess exposure to Outages
Recovery Point Objectives (RPO)
32. SECURITY & RISK MANAGEMENT
BC - Proper Planning
An organization is more vulnerable after a disaster hits
Organization still has responsibilities even after a disaster (protection of confidential and
Recovery is more than just having an offsite location
People must be trained to know what to do
Various recovery procedures need to be developed and documented
Understand organization’s vulnerabilities, true threats, and business impact of different types of disasters
Being proactive
Implementing redundant power supplies
Backing up communication mechanisms
Identifying single points of failures
Recognizing necessary fault tolerant solutions
Etc.
33. SECURITY & RISK MANAGEMENT
Business Continuity Planning (BCP)
How an organization can stay in business even in a crippled state
Plan contains steps for continuing critical business functions using alternative mechanisms until
be resumed at the primary site or elsewhere.
Reduce overall impact of business interruption
Disaster Recovery Planning (DRP)
How to survive a disaster and how to handle the recovery process
Emergency response responsibilities and procedures
Plan lists and describes the efforts to resume normal operations at the primary site of business.
BCP and DRP may sound like the same thing, BUT they are not the same.
34. SECURITY & RISK MANAGEMENT
Business Continuity Planning (BCP)
Business Continuity (BC): represents the final response of the organization when faced
critical operations
More than 50% of all organizations that close their doors for more than a week never
planning.
BC is designed to get the organization’s most critical services up and running as quickly as
DR rather focuses on resuming operations at the primary site; BCP concentrates on
an alternate site.
35. SECURITY & RISK MANAGEMENT
Where Do We Start From:
Project Initiation
Management Support sought
Make a business case
Cost vs. benefit
Regulatory requirement
Current inherent vulnerabilities of organization
Ramifications of similar organizations not having such plans
Business issues of partners, insurance, and obtaining capital
36. SECURITY & RISK MANAGEMENT
Where Do We Start
Senior Executive Management’s Role
Due diligence and Due care
Drive all phases of the plan
Consistent support and final approval
Ensure that testing takes place
Create a budget for this work
37. SECURITY & RISK MANAGEMENT
Why Is BCP/DRP a Hard Sell to Mgmt.
Resource intensive and takes years to complete
Direct return on investment (ROI) not perceived
Rather a drain on organization’s bottom line
Importance of Plan
Organization could vanish if not prepared
Capability of staying “up and running”, avoiding any significant down time
Lack of plan could affect insurance, liability, and business opportunities
Part of business decisions today (Partners need to know, Shareholders/Board of trustees demand it, A Regulatory MUST)
9/11 Has Fueled Change of Attitudes About BCP
38. SECURITY & RISK MANAGEMENT
Who Does It?
BCP/DRP Teams
Group that will perform risk assessment and analysis
Representatives from different organization’s departments
Analysis must be performed before developing plan
A BCP coordinator must be appointed to oversee and execute:
A Business Impact Analysis
Plan development and implementation
Testing and plan maintenance
39. SECURITY & RISK MANAGEMENT
BC Team Organization
Emphasis should be on generalized business and technology skills
BC team should have representatives from:
Senior management
Corporate functional units, including HR, Legal, and Accounting
IT managers and a few technical specialists with broad technical skill sets
InfoSec managers and a few technical specialists
BC team members cannot also be on the DR team
40. SECURITY & RISK MANAGEMENT
BC Team Organization
BC team may be divided into sub-teams:
BC management team
Operations team
Computer setup (hardware) team
Systems recovery (OS) team
Network recovery team
Applications recovery team
Data management team
Logistics team
41. SECURITY & RISK MANAGEMENT
BC Team Organization
BC Management team:
Command and control group responsible for all planning and coordination
Facilitates the transfer to the alternate site
Handles communications, business interface, and vendor contact functions
Operations team:
Works to establish core business functions needed to sustain critical business operations
Computer setup (hardware) team:
Sets up hardware in the alternate location
42. SECURITY & RISK MANAGEMENT
BC Team Organization
Systems recovery (OS) team:
Installs operating systems on hardware, sets up user accounts and remote
team
Network recovery team:
Establishes short- and long-term networks, including hardware, wiring, and
connectivity
Applications recovery team:
Responsible to get internal and external services up and running
43. SECURITY & RISK MANAGEMENT
BC Team Organization
Data management team:
Responsible for data restoration and recovery
Logistics team:
Provides any needed supplies, materials, food, services, or
alternate site
44. SECURITY & RISK MANAGEMENT
BC Planning process
Develop the BC planning policy statement
Review the BIA
Identify preventive controls
Develop relocation strategies
Develop the continuity plan
Testing, training, and exercises
Plan maintenance
45. SECURITY & RISK MANAGEMENT
BC Planning process
Purpose:
Executive vision
Primary purpose of the BC program
Scope:
Organizational groups and units to which the policy applies
Roles and responsibilities:
Identifies key players and their responsibilities
Resource requirements:
Allocates specific resources to be dedicated to the development of the BC
46. SECURITY & RISK MANAGEMENT
BC Planning process
Training requirements:
Training for various employee groups
Exercise and testing schedule:
Stipulation for the frequency and type of testing for the BC plan
Plan maintenance schedule:
Frequency of review and who is involved
Special considerations:
Overview of information storage and retrieval plans and who is responsible
47. SECURITY & RISK MANAGEMENT
Review the BIA
BIA contains the prioritized list of critical business functions
Should be reviewed for compatibility with the BC plan
BIA is usually acceptable as it was prepared and released by the
Contingency Planning Management Team
48. SECURITY & RISK MANAGEMENT
Identify Preventive Controls
Preventive controls should already have been identified and implemented as part of the
security activities
BC team should review and verify that data storage and recovery techniques are
maintained
49. SECURITY & RISK MANAGEMENT
Forming the Disaster Recovery Team
Should include members from IT, InfoSec, and other departments
DR team is responsible for planning for DR and for leading the DR process when a disaster
Must consider the organization of the DR team and the needs for documentation and
50. SECURITY & RISK MANAGEMENT
Forming the Disaster Recovery Team
DR team
Should include representatives from every major organizational unit
Should be separate from other contingency-related teams
May include senior management, corporate support units, facilities, fire and safety,
May be advisable to divide the team up into sub teams.
51. SECURITY & RISK MANAGEMENT
Forming the Disaster Recovery Team
Sub-teams may include:
Disaster management team: command and control, responsible for planning and
Communications: public relations and legal representatives to interface with senior
general public
Computer recovery (hardware): recovers physical computing assets
Systems (OS) recovery: recovers operating systems
Network recovery: recovers network wiring and hardware
52. SECURITY & RISK MANAGEMENT
Forming the Disaster Recovery Team
Sub-teams (continued):
Business interface: works with remainder of organization to assist in recovery of non-
Logistics: provides supplies, space, materials, food, services, or facilities needed at the
Other teams needed to reestablish key business functions as needed
53. SECURITY & RISK MANAGEMENT
Disaster Recovery Team
Guidelines are found in NIST Contingency Planning Guide for Information Technology
Planning process steps:
Develop the DR planning policy statement
Review the business impact analysis (BIA)
Identify preventive controls
Develop recovery strategies
Develop the DR plan document
Test, train, and rehearse
Plan maintenance
54. SECURITY & RISK MANAGEMENT
Disaster Recovery Team
Purpose:
Provide for the direction and guidance of any and all DR operations
Must include executive vision and commitment
Business disaster recovery policy should apply to the entire organization
Scope:
Identifies the organizational units and groups of employees to which the policy
Roles and responsibilities:
Identifies the key players and their responsibilities
55. SECURITY & RISK MANAGEMENT
Disaster Recovery Team
Resource requirements:
Identifies any specific resources to be dedicated to the development of the DR
Training requirements:
Details training related to the DR plan
Exercise and testing schedules:
Specifies the frequency of testing of the DR plan
Plan maintenance schedules:
Details the schedule for review and update of the plan
56. SECURITY & RISK MANAGEMENT
Disaster Recovery Team
Special considerations:
May include issues such as information storage and retrieval plans, off-site
backup schemes, or other issues
Review the BIA within the DR context
Ensure that the BIA is compatible with the DR specific plans and operations
BIA is usually acceptable as it was prepared and released by the
Contingency Planning Management Team
57. SECURITY & RISK MANAGEMENT
Business Impact Analysis (BIA)
Identify organization’s critical business functions
Identify the functions’ resource requirements
Calculate how long these functions can operate without such resources
Identify vulnerabilities and threats to the functions
Calculate risk for each different business function
Develop backup solutions based on tolerable outage times
Develop recovery solutions for the organization’s individual departments and for the
58. SECURITY & RISK MANAGEMENT
Identifying the Most Critical Functions
If Function “X” Is Not Up and Running………..
How much will this affect the revenue stream?
How much will this affect the production environment?
How much will it increase operational expenses?
How much will it affect the organization’s reputation and public confidence?
To what extent could the organization lose its competitive edge?
How much will it result in violations of contract agreements or regulations?
What delayed costs could be endured?
What hidden costs are not accounted for?
59. SECURITY & RISK MANAGEMENT
Identifying Interdependencies
It is difficult but very important
When the activities of functions A and B are mutually reliant on each other to successfully
activities.
When activities of function B cannot be performed without the input from the activities of
receive input from A results in incomplete or inadequate implementation of B activities.
Identifying interdependencies is difficult because an organization truly needs to
work together
Many times there are subtle interdependencies that are easily missed in the equation
60. SECURITY & RISK MANAGEMENT
Identifying Functions’ Resources
Critical Items for Certain Functions to Run…..
Specific types of technologies
Necessary software
Communication mechanisms
Electrical power
Safe environment for workers
Access to specific outside entities
Networked production environment
Physical production environment
Specific supplies
Interdepartmental communications
Etc., etc.
61. SECURITY & RISK MANAGEMENT
Identifying Vulnerabilities and Threats
Threats Types
Man-made
Strikes, riots, fires, terrorism, hackers, vandals, burglars
Natural
Fires, tornado, floods, hurricanes, earthquakes
Technical
Power outage, device failure, loss of communication lines
62. SECURITY & RISK MANAGEMENT
Categories
Disaster Types
Non-disaster
Disruption of service
Device failure
Software malfunction
Disaster
Entire facility unusable for a day or more
Catastrophe
Facility totally destroyed
63. SECURITY & RISK MANAGEMENT
Survival Without Resources?
Maximum Tolerable Downtime (MTD) NIST Guidelines
Non-essential = 30 days
Normal = 7 days
Important = 72 hours
Urgent = 24 hours
Critical = Minutes to hours
Each Function/Resource Must Have an MTD Calculated
It outlines the criticality of individual functions and resources
It also helps indicate which functions or resources need backup options developed:
Hot swappable devices
Software and data backups
Facility space
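The two slides above ask the BIA to identify interdependencies between functions and to give every function an MTD. The added example below (my own code, not from the ASM slides) joins those two tasks: it takes stated MTDs and a dependency map and propagates the tightest downstream MTD upstream, so a "Normal" (7-day) database that an "Urgent" (24-hour) order-entry function depends on is surfaced as needing 24-hour recovery. The rule that a dependency must be back no later than the shortest MTD of anything depending on it is my generalization of the slides' point that function B cannot run without input from A; the function names, MTD values, dependencies and the exact tier boundaries are constructed assumptions, while the headline tier figures are the NIST ones quoted on the slide.

```python
"""Added example, not from the ASM slides: carry the slide's MTD tiers
through the function interdependencies identified in a BIA.

Assumption (my generalisation of the slides' point that function B cannot
run without input from function A): a function that others depend on must
be back no later than the shortest MTD among everything that depends on it,
directly or transitively. Function names, MTDs and dependencies below are
constructed sample data; the tier boundaries are the NIST figures quoted on
the slide (30 days, 7 days, 72 h, 24 h, minutes-to-hours).
"""
from collections import defaultdict

HOUR, DAY = 1, 24


def classify(mtd_hours):
    """Map an MTD in hours to the slide's tier names. Treating 'Urgent' as
    up to and including 24 h, and 'Critical' as anything shorter, is my own
    boundary choice; the slide only gives the headline figures."""
    if mtd_hours < 24 * HOUR:
        return "Critical"
    if mtd_hours <= 24 * HOUR:
        return "Urgent"
    if mtd_hours <= 72 * HOUR:
        return "Important"
    if mtd_hours <= 7 * DAY:
        return "Normal"
    return "Non-essential"


def effective_mtd(mtd, depends_on):
    """Propagate MTDs upstream through the dependency map.

    mtd:        {function: stated MTD in hours}
    depends_on: {function: set of functions whose output it needs}
    Returns {function: effective MTD}. Each function's effective MTD is the
    minimum of its own MTD and the effective MTDs of everything that depends
    on it. Iterating to a fixed point, rather than walking a tree, means
    mutually reliant functions (cycles) are handled correctly.
    """
    unknown = {d for deps in depends_on.values() for d in deps} - mtd.keys()
    if unknown:
        raise ValueError(f"dependencies without an MTD: {sorted(unknown)}")
    dependents = defaultdict(set)  # reverse map: who depends on me?
    for func, deps in depends_on.items():
        for dep in deps:
            dependents[dep].add(func)
    eff = dict(mtd)
    changed = True
    while changed:  # terminates: values only ever decrease within a finite set
        changed = False
        for func in eff:
            tightest = min([eff[func]] + [eff[d] for d in dependents[func]])
            if tightest < eff[func]:
                eff[func] = tightest
                changed = True
    return eff


def bia_report(mtd, depends_on):
    """Rows of (function, stated MTD, effective MTD, tier), tightest first,
    so the BC team can see which stated MTDs the interdependencies overrule."""
    eff = effective_mtd(mtd, depends_on)
    rows = [(f, mtd[f], eff[f], classify(eff[f])) for f in mtd]
    return sorted(rows, key=lambda r: (r[2], r[0]))


# Constructed sample BIA data: stated MTDs as each owner reported them.
SAMPLE_MTD = {
    "Order entry": 24 * HOUR,
    "Warehouse": 48 * HOUR,
    "Shipping": 72 * HOUR,
    "Directory (auth)": 72 * HOUR,
    "Database": 7 * DAY,
    "Network core": 7 * DAY,
    "Payroll": 7 * DAY,
    "Archive reporting": 30 * DAY,
}
SAMPLE_DEPENDS_ON = {
    "Order entry": {"Directory (auth)", "Database"},
    "Directory (auth)": {"Network core"},
    "Warehouse": {"Shipping"},  # mutually reliant pair
    "Shipping": {"Warehouse"},
    "Payroll": {"Database"},
    "Archive reporting": {"Database"},
}

if __name__ == "__main__":
    for func, stated, eff, tier in bia_report(SAMPLE_MTD, SAMPLE_DEPENDS_ON):
        flag = "  <- tightened by a dependent" if eff < stated else ""
        print(f"{func:18} stated {stated:4}h  effective {eff:4}h  {tier}{flag}")
```

Run as a script, the report shows the database, directory and network core pulled from their owners' 7-day or 72-hour figures down to 24 hours by order entry, and the warehouse/shipping pair settling on the tighter of the two, which is exactly the kind of subtle interdependency the slide warns is easily missed.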
64. SECURITY & RISK MANAGEMENT
Alternate Sites
Organization-owned & Subscription Services (Exclusive Use Strategies):
Hot site - fully configured computer facility with all services, communication links, and
Warm site - similar to hot site, but software and/or client workstations may not be
Cold site - provides only rudimentary services and facilities, no computer hardware
Mobile site – configured like hot site except that this is on wheels.
The major deciding factor for exclusive use strategies is cost.
66. SECURITY & RISK MANAGEMENT
Results from the BIA
Result contains:
Identified critical functions and required resources
MTD for each function and resource
Identified threats and vulnerabilities
Impact the company will endure with each threat
Calculation of risk
Protection and recovery solutions
Document and present to management for approval
The results from the BIA are used to create a BCP/DRP.
67. SECURITY & RISK MANAGEMENT
BCP/DRP Plan design and development – Some Items to include
Emergency response
Personnel responsibility/notification
Backups and off-site storage
Communications
Utilities
Logistics and supplies
Documentation
Business resumption planning
68. SECURITY & RISK MANAGEMENT
Implementation
Training
Testing/Drills and assessment
Recovery procedures
Maintenance
69. SECURITY & RISK MANAGEMENT
Training
Systematic approach to training is required to support the BCP/DRP plans
A sufficient number of qualified staff members must be cross-trained to ensure coverage
Trained staff must also have the required credentials to be able to execute the actions required by the
70. SECURITY & RISK MANAGEMENT
Testing and Drills
Testing Characteristics
Testing helps to indicate if an organization can actually recover
Testing should be an annual affair or after significant changes have occurred in the environment
Identifies items that need to be improved upon (expect mistakes)
Action
Decide on the type of drill (Classroom/tabletop or Functional)
Create a disaster scenario
Create goals to be accomplished during drill
Run drill
Report results to management
71. SECURITY & RISK MANAGEMENT
Types of Tests
Checklist Test
Copies of BCP/DRP distributed to functional managers
They review parts that address their department
Structured Walk-Through
A meeting is held where functional managers go (walk) through the entire plan
Simulation Test
Carry out or practice a disaster scenario
Could involve the actual offsite facility
Parallel Test
Test conducted including parallel processing from offsite facility
Full-Interruption Test
Original site shut down
All processing takes place at offsite facility
72. SECURITY & RISK MANAGEMENT
Recovery Procedures
Procedures on what to do, when to do, and in which sequence
Procedures should cover several different types of events
Copies of recovery plans should be kept offsite or another safe location
Employees must be taught and drilled
The least critical department/function/resources should be moved first to restored primary
73. SECURITY & RISK MANAGEMENT
BCP/DRP Plan Maintenance
Ongoing maintenance of the BC/DR plan is a major commitment for an organization
Maintenance includes:
Effective after-action review meetings
Plan review and maintenance
Ongoing training of staff involved in incident response
Rehearsal process to maintain readiness of the BC/DR plan
74. SECURITY & RISK MANAGEMENT
The After-Action Review
After-action review (AAR): a detailed examination of events that occurred from incident detection to recovery
Identify areas of the BC/DR plans that worked, didn’t work, or need improvement
AARs are conducted with all participants in attendance
AAR is recorded for use as a training case
AAR brings the BCP/DRP teams’ actions to a close
75. SECURITY & RISK MANAGEMENT
The After-Action Review (AAR)
AAR serves several purposes:
Documents the lessons learned and generates BC/DR plan improvements
Is a historical record of events, for possible legal proceedings
Becomes a case training tool
Provides closure to the incident
77. SECURITY & RISK MANAGEMENT
Risk Management Concepts
Organizational Risk Management Concepts
Risk Assessment Methodologies
Identify Threats and Vulnerabilities
Risk Assessment/Analysis
Countermeasure Selection
Implementation of Risk Countermeasures
Types of Controls
Access Control Types
Controls Assessment/Monitoring and Measuring
78. SECURITY & RISK MANAGEMENT
Risk Analysis
Quantitative Analysis (ALE=SLE x ARO)
ALE = Annualized Loss Expectancy (a dollar amount that estimates the loss potential from a risk over the span of a year)
SLE = Single Loss Expectancy (a dollar amount assigned to a single event that represents the company’s potential loss)
ARO = Annualized Rate of Occurrence (the frequency with which a threat is expected to occur in a period of one year)
Qualitative Analysis (Delphi Method)
Quantitative vs. Qualitative (Pros & Cons)
Protection Mechanisms/Countermeasures Selection
Total Risk vs. Residual Risk
Risk Control Strategies
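The slide gives the quantitative formula ALE = SLE x ARO and lists countermeasure selection and total versus residual risk without showing the arithmetic. The added example below (my own code, not from the ASM slides) works it through: it ranks a constructed threat register by ALE, then compares candidate safeguards for the top threat by net annual value. That net-value rule (ALE before the safeguard minus residual ALE after it minus the safeguard's annual cost) is the usual cost/benefit test for a control and is my addition; the dollar figures, threat names and safeguard options are constructed sample values.

```python
"""Added example, not from the ASM slides: quantitative risk analysis with the
slide's formula ALE = SLE x ARO, then countermeasure selection by comparing
total risk with residual risk.

The threat register and the countermeasure figures are constructed sample
values. The net-value rule used for selection (ALE before the safeguard minus
ALE after it minus the safeguard's annual cost) is the usual cost/benefit
test for a control; the slides name "Total Risk vs. Residual Risk" and
"Countermeasures Selection" but do not spell the rule out, so it is my
addition here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float  # Single Loss Expectancy: dollars lost per occurrence
    aro: float  # Annualized Rate of Occurrence: expected events per year

    @property
    def ale(self):
        """Annualized Loss Expectancy, the slide's ALE = SLE x ARO."""
        return round(self.sle * self.aro, 2)


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    sle_after: float  # per-event loss once the control is in place
    aro_after: float  # event frequency once the control is in place

    def residual_ale(self):
        """Residual risk: the ALE that remains with the safeguard applied."""
        return round(self.sle_after * self.aro_after, 2)


def rank_by_ale(threats):
    """Total risk per threat, largest first: the order in which to spend effort."""
    return sorted(threats, key=lambda t: t.ale, reverse=True)


def safeguard_value(threat, safeguard):
    """Net annual value of applying the safeguard to the threat:
    total risk (ALE before) - residual risk (ALE after) - annual cost.
    Negative means the control costs more than the risk it removes, which
    usually argues for acceptance or a cheaper mitigation instead."""
    return round(threat.ale - safeguard.residual_ale() - safeguard.annual_cost, 2)


def best_safeguard(threat, options):
    """Pick the option with the highest net value, or None if every option
    loses money (none is justified on the quantitative numbers alone)."""
    scored = [(safeguard_value(threat, s), s) for s in options]
    value, choice = max(scored, key=lambda vs: vs[0])
    return choice if value > 0 else None


# Constructed threat register (sample figures, not real loss data).
REGISTER = [
    Threat("Ransomware on file server", sle=250_000, aro=0.5),
    Threat("Phishing credential compromise", sle=40_000, aro=2.0),
    Threat("Data center flood", sle=2_000_000, aro=0.02),
    Threat("Laptop theft", sle=5_000, aro=4.0),
]

# Constructed options for the top-ranked threat.
RANSOMWARE_OPTIONS = [
    # Offline backups with tested restores: same frequency, far lower loss per event.
    Safeguard("Offline backups with tested restores", annual_cost=30_000,
              sle_after=50_000, aro_after=0.5),
    # Heavier mail filtering: same loss per event, fewer events, but pricier.
    Safeguard("Premium mail filtering", annual_cost=80_000,
              sle_after=250_000, aro_after=0.1),
    # Do nothing and accept: zero cost, zero reduction.
    Safeguard("Accept the risk", annual_cost=0,
              sle_after=250_000, aro_after=0.5),
]

if __name__ == "__main__":
    for t in rank_by_ale(REGISTER):
        print(f"{t.name:32} SLE ${t.sle:>12,.0f}  ARO {t.aro:5.2f}  ALE ${t.ale:>10,.0f}")
    top = rank_by_ale(REGISTER)[0]
    for s in RANSOMWARE_OPTIONS:
        print(f"  {s.name:40} net value ${safeguard_value(top, s):>10,.0f}")
    print("Selected:", best_safeguard(top, RANSOMWARE_OPTIONS).name)
```

The ranking puts ransomware (ALE 125,000) ahead of the flood (ALE 40,000) even though a single flood is eight times more damaging, which is the point of weighting SLE by ARO. Among the options, the backup control wins on net value because it cuts the per-event loss for a modest cost, while the mail filter buys a similar residual risk at almost three times the price.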
79. SECURITY & RISK MANAGEMENT
Risk Control Strategies
Avoidance
Apply safeguards that eliminate or reduce the remaining uncontrolled risks for a particular vulnerability.
Transfer
Transfer risks to outside entities or other areas of the organization.
Acceptance
Understand the consequences and accept risk.
Mitigation
Putting in place some controls to reduce impact should vulnerabilities be exploited
80. SECURITY & RISK MANAGEMENT
Risk Management Concepts Cont’d
Controls Assessment/Monitoring and Measuring
Tangible and Intangible Asset Valuation
Continuous Improvement
Risk Management Frameworks
A risk framework is a guideline or recipe for how risk is to be assessed, resolved, and monitored. The framework referenced by the CISSP exam is that defined by NIST in Special Publication 800-37.
This publication provides guidelines for applying the Risk Management Framework (RMF) to federal information systems. The six-step RMF comprises security categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. (Revision 2 of SP 800-37 adds a preliminary "Prepare" step, making seven.)
81. SECURITY & RISK MANAGEMENT
Threat Modeling
Threat modeling is the security process where potential threats are identified, categorized, and analyzed.
Threat modeling can be performed as a proactive measure during design and development, or as a reactive measure once a product has been deployed.
Whether a proactive or reactive measure, the process identifies the potential harm, the probability of occurrence, the priority of concern, and the means to eradicate or reduce the threat.
Determining Potential Attacks and Reduction Analysis
Technologies & Processes to Remediate Threats
82. SECURITY & RISK MANAGEMENT
Acquisitions Strategy and Practice
Hardware, Software & Services
Organizations must implement supply chain risk management programs to proactively address the exposures introduced by purchased hardware, software, and services.
Manage third-party governance (e.g. cloud computing providers).
When evaluating a third party for your security integration, consider the following processes: on-site assessment; process/policy reviews.
Minimum Security & Service-Level Requirements
For all acquisitions, establish minimum security requirements. These should be modeled from your existing security policy.
When purchases are made without security considerations, the risks inherent in those products remain throughout the product's lifetime.
83. SECURITY & RISK MANAGEMENT
Security Education, Training, & Awareness
Policies define what an organization needs to accomplish with regard to information security.
Formal security awareness training is usually included in an organization's information security program.
Security awareness training is a method by which organizations inform employees and all other users of their roles, and the expectations of those roles, in the observance of information security policy.
Additionally, training provides guidance in the performance of certain risk management functions.
Educated (security-aware) users help an organization to fulfill its security program objectives and facilitate regulatory compliance (such as HIPAA, SOX, GLBA, etc.), where required.
84. SECURITY & RISK MANAGEMENT
Training Topics
Corporate security policies
The organization’s security program
Regulatory compliance requirements for the organization
Social engineering
Malware
Business continuity
Disaster recovery
Security incident response
Data classification
Personnel security
Appropriate use of computing resources
Ethics
Physical security, etc.
85. SECURITY & RISK MANAGEMENT
Awareness Activities & Methods – Creating Culture of Awareness
Formalized courses, delivered in the classroom using slides, handouts, or books, or via computer-based training (CBT).
Use of posters that call attention to security awareness, such as emphasizing password security, social engineering, and other issues.
Business unit walk-throughs to help employees identify unacceptable practices, such as passwords written on notes left in conspicuous places.
Emphasis on maintaining "clean desk" practices as acceptable behavior.
Use of the organization's intranet to post security reminders.
Appoint security awareness mentors to field FAQs and concerns from employees.
86. SECURITY & RISK MANAGEMENT
Awareness Activities & Methods – Creating Culture of
Awareness – cont’d
Sponsor an enterprise-wide security awareness day, complete with security activities, contests, and recognition of the winners.
Sponsor an event with an external partner such as the ISSA, ISACA, (ISC)2, SANS, etc.
Provide trinkets for users within the organization.
Consider a special event day, week, or month that coincides with industry or world events, such as Global Security Awareness Week (annually in September) and Security Awareness Month (annually in October).
Provide security management videos, books/pamphlets, etc.
87. SECURITY & RISK MANAGEMENT
Job Training
Security training assists security personnel in enhancing and developing their skill sets relative to their job functions.
Training must be clearly aligned with security risk management activities.
Performance Metrics
It is important that the organization tracks performance relative to security in order to evaluate the effectiveness of risk management initiatives.
Users must acknowledge their security responsibilities by signing off after the training.
Measurement can include periodic walk-throughs of business units, periodic quizzes to keep staff up to date, questions raised with security awareness mentors, etc.
88. GOOD LUCK!