D1 security and risk management v1.62

 The “Security and Risk Management” domain of the Certified
Information Systems Security Professional (CISSP) Common
Body of Knowledge (CBK) addresses the following main topics :
 The frameworks and policies, concepts, principles, structures, and
standards used to establish criteria for the protection of information
assets
 Assess the effectiveness of that protection.
 Understand issues of governance, organizational behavior.
 Create security awareness education and training plans.
Domain Introduction

G
P
lob
a
al
rK
t
n
1
owledge
f>
Understand and apply concepts of
confidentiality, integrity, and availability.
Apply security governance principles
Compliance
Understand Legal and Regulatory
issues pertaining to Information Security
in a global context
Understand Professional Ethics
Develop and Implement Security Policy
Standards Procedures and Baselines
Understand Business Continuity
Requirements
Contribute to Personnel Security
Policies









Key Area
A Understand and apply concepts of confidentiality, integrity, and availability.
B Apply security governance principles
C Compliance
D Understand Legal and Regulatory issues pertaining to Information Security in a
global context
E Understand Professional Ethics
F Develop and Implement Security Policy Standards Procedures and Baselines
G Understand Business Continuity Requirements
H Contribute to Personnel Security Policies
I Understand and apply Risk Management Concepts
J Understand and apply Threat Modelling
K Integrate Security-Risk considerations into Acquisitions Practice
L Establish and Manage Information SecurityAwareness,Education and Training
Domain Objectives

There are several main objectives of a security program, but the
main three principles in all programs are confidentiality integrity
and availability.

These are referred to as the CIA Triad.

 The level of security required to accomplish these principles
differs per company.
 Because each has its own unique combination of business and
security goals and requirements.
All security controls, mechanisms, and safeguards are
implemented to provide one or more of these principles,
All risks, threats, and vulnerabilities are measured for their
potential capability to compromise one or all of the CIA
principles.


The CIA Triad

Confidentiality: Ensures that information is not compromised
or shared amongst unauthorized participants.
• While data is at rest
• On servers, mail boxes, client
• While data is in transit
Local area network traffic
machines
Confidentiality
Wide area network traffic
Integrity Availability
Confidentiality

 Integrity: Ensures that data is not damaged or
modified while either in transit or storage.
 Protects against both malicious intentional damage and
accidental damage by authorized users
 Ensures data
information
is consistent and is a true reflection of real
Confidentiality
Integrity

 Availability: Ensures that information is always available
the time authorized users need it.
 Availability controls protect against
 Accidental loss – Poor backup procedures
at
 Natural Disasters – Fires Floods hurricanes.
 Deliberate loss – Hacker action
Confidentiality
Availability

 Information security management practices protect the
assets of the organization.
 Controls are used to protect vulnerabilities from threats
so reduce risk through the implementation of…
 Administrative, T
echnical/logical , Physical controls
 Information assets must be managed to reduce the risk
loss to
 Confidentiality Availability and Integrity
and
of
 Failure to protect the organization from Loss Destruction or
unexpected alteration can seriously impact business
viability. Resulting in losses
 Finance, operational productivity and reputation.
Understand and Align the security
function

In a business the risk posture is a changing shifting entity
which needs to be tracked for significant changes to
exposure during major transformational activities in the
modern organization.

The
and
The
security professional needs to understand the nature

activities of the business in which he/she is operating.
next slide outlines some common organizational

activities which the security professional
and interface with in order to provide full
business.
should understand
value to the
Organizational Processes

 When organizations combine for whatever reason, either
friendly or hostile, the security professional must be aware
of the following points
 There will be additional data types needing protection
 New staff and roles will need incorporating into the
awareness program
 Disgruntled employees may arise from redundancy programs
caused by the take-over
 Merging systems may create vulnerabilities
 External business partners need review and assessment
security controls around their data
Acquisitions and Mergers

 This is the selling off all or part of an organization.
Understandably a tense time for existing staff.
 Of particular concern should be…
 Data loss and leakage from departing staff
 New threats from discharged employees
 Need to revise and refresh policies standards
and guidelines.
 System interconnections changing.
procedures
 Unused service ports no longer needing
firewalls
to be open on
Divestitures and Spinoffs

 The modern business organization is subjected to both Legal
and Industry specific regulation.
 These regulatory bodies can have a large impact on the
operational capability of the business in the marketplace.
 T
o ensure compliance with these regulatory requirements most
businesses will employ a governance committee
 These are responsible for the staffing and running of an
organizational governance board
 It is important that the infosec professional interfaces with the
governance comittee in order to..
 Inform the board of the importance of Information Security and Risk
management
 Ensure that the security function is informed of changing business
activities which could impact the security vulnerability of the
organisation.
Governance comittees

End User
Executive management
Security Officer Infosec
Professional
Data/Info/Business owners
Data/Info Custodian
Info systems Auditors Business
continuity planner Infosys/Info
T
ech Professionals Security
administrator
Network/systems administrator











Security Roles and Responsibilities

Senior Manager Ultimately responsibility for security
Info Sec officer Functionally responsibility for security
Owner Determines data classification
Custodian Preserves CIA for the data
User/Operator Performs in accordance with policies.AUP = Acceptable
Use Policy
Identifies gap between policy and reality
Auditor
ROLE DESCRIPTION
Key Information Management Roles and
Responsibilities

 Information security is an enormous task when viewed
a starting point.
 It makes common sense to leverage industry
recommended methods to create a structured
from
Information Security Management System
 Choosing an established framework…
 Enables effective governance
 Helps align infosec with business goals
 Standard process and approach
 Enable structured audit and assessment
 Comply with external requirements
ISMS
Why use a Control Framework

 ISO 270001 270002
 COBIT
 NIST
 ITIL
SP 800
Some well known frameworks

•
•
•
•
Information Security Framework
Requirements and guidelines for development of an
ISMS (Information
Risk Management
Security Management System)
a key component of ISMS
standards
Part of ISO 27000 Series of security
ISO 27001/27002

ISO 27001
•Requirements
•Auditable
•Certification
Shared Control Objectives
ISO 27002
•Best Practices
•More depth in controls
guidance
ISO 27001 and 27002

ISO 27002 Security Control Domains
Risk Assessment and Treatment
Security Policy
Organizing Information Security
Asset Management
Human Resources Security
Physical and Environmental Security
Communications and Operations Management
Access Control
Information Systems Acquisition, Development and
Maintenance
Information Security Incident Management
Business Continuity Management
Compliance
ISO 27002 – Security Control Domains

 COBIT Guidelines:
 Have been around since mid 1990s
 Are considered de facto standard
 Consists of Six components:
for auditors today
1.
2.
3.
4.
5.
6.
Executive summary
Framework
Control objective
Control practices
Management guidelines
Audit guidelines
Control Objectives for Information and
related Technology

 ITIL the IT Infrastructure Library
 34 books published by British Government between
and 1992 to improve IT service management
 Creates a framework for best practices of IT core
1989
operational
 Change,
 Includes
processes
release and configuration management
IT Financial Management
 Perhaps ITIL’s main contribution is showing how controls
can be implemented for IT service management processes
ITIL

NIST Special Publication 800-53 is part of the Special Publication 800-
series that reports on the Information Technology Laboratory’s (ITL)
research, guidelines, and outreach efforts in information system
security, and on ITL’s activity with industry, government, and academic
organizations.
NIST Special Publication 800-53 covers the steps in the Risk
Management Framework that address security control selection for
federal information systems in accordance with the security
requirements in Federal Information Processing Standard (FIPS) 200.


This includes selecting an initial set of baseline security controls based
on a FIPS 199 worst-case impact analysis, tailoring the baseline
security controls, and supplementing the security controls based on an
organizational assessment of risk.[3]

NIST SP 800 53

The security rules cover 17 areas including access control, incident
response, business continuity, and disaster recoverability.
A key part of the certification and accreditation process for federal


information systems is selecting and implementing a subset of the
controls (safeguards) from the Security Control Catalog (NIST 800-53,
Appendix F) . NIST provides guidance for this
These controls are the management, operational, and technical
safeguards (or countermeasures) prescribed for an information system

to protect the confidentiality, integrity, and availability of the system
and its information.
Scoping
and
T
ailoring
NIST Security Control Catalog

Framework Strengths Focus
COBIT Strong mappings IT Governance
Support of ISACA Audit
Availability
ISO 27001/27002 GlobalAcceptance Information Security
Certification Management System
ITIL IT Service IT Service
Management Management
Certification
NIST 800-53 Detailed, granular Customised
Tiered controls Control Framework
Free Guidance
Frameworks Compared

 Due diligence is similar to due care except that
taken before an event
 A pre-emptive measure
 Avoid harm to a person or property
 Due diligence supports and enables Due Care
 Examples are
 Background Checks
 Credit card checks on business partners
 Penetration testing firewalls
 Due Diligence is “KNOWING WHAT IS RIGHT”
it is care
Due diligence (Knowing what is right)

•
•
•
•
Due care is an important topic to understand.
It is a legal term used to describe the care a “reasonable
person” would take in a certain circumstance
It defines an organization or a persons legal duty
Lack of due care is often considered negligence
• Background checks of employees Credit checks of business
partners Information system security assessments Risk
assessments of physical security systems Penetration tests of
firewalls Contingency testing of backup systems Threat intelligence
services
• Due Care is “DOING THE RIGHT THING”
Due Care (Doing the right thing)

 Organizations operate in strictly regulated environments
 Legal and regulatory bodies demand compliance.
 Laws and regulations such as these must inform the Risk
and Governance management of the organization
 There will be specific sets of actions to be met to achieve
compliance
 Best addressed through the organization’s Security
 Standards Guidelines Procedures and baselines
Policy
Legislative and Regulatory Compliance

• Privacy laws present particular challenges to organisations
•
•
Many high profile breaches of privacy hit the press
Indiscrete emailing is not illegal and does not remove a
right to privacy
• The European Data Protection Directive allows for
processing of personal data under specific circumstances…
•
•
When processing
When processing
subject
is necessary for legal action
is required to protect the life of the
•
•
When
When
public
the subject has provided personal consent
the processing comes under the scope of “the
interest”
Privacy requirements

Key Area
C Compliance
D Understand Legal and Regulatory issues pertaining to Information Security
in a global context
Domain Objectives

Intellectual property is that which results
creative processes of one’s mind.
Forms of intellectual property include:
from intellectual,
 Trademarks and
 Patents
 Copyrights
service marks
 Trade secrets
What Is Intellectual Property? (IP)

Definition:
 A trademark is a distinctive mark, motto, device, or
implement that a manufacturer stamps, prints, or otherwise
affixes to the goods it produces so that they may be
identified in the market and their origins made known.
Trademark Infringement:
 Trademark infringement occurs when one uses the
protected trademark, service mark, or trade name of
another without permission when marketing goods or
services.
Trademarks

Definition:
 A grant from the government that gives an inventor the
exclusive right to make, use, and sell an invention for a
specified period.
Patent infringement:
 Occurs when one uses or sells another’s patented design,
product, or process without the patent owner’s permission.
Patents

Definition:
 An intangible property right granted by law to the author or
originator of a literary or artistic production of a specified
types.
Copyright Infringement
 Occurs whenever the form or expression of an idea is
copied without the permission of the copyright holder.
Copyright

Definition:
 Any formula, pattern, device, or compilation of information
that give a business an advantage over competitors who
not know the information or processes.
Duration of Protection:
 In most jurisdictions indefinitely,
do
 as long
secrets
as the party adequately
from disclosures.
protects his or her trade
Trade Secret

 International protection for intellectual property exists under
various international agreements, including:
 Berne Convention (1886) - every country that has signed
the convention must recognize copyrights granted to authors
in all others.
 TRIPS (Trade-Related Aspects of Intellectual Property
Rights) Agreement - An International agreement
administered by the World Trade Organization (WTO) that
sets down minimum standards for many forms of
of
intellectual
property (IP) regulation
Members
as applied to nationals other WTO
International Protection for IP

 DRM is a set of access controls
 Digital rights management (DRM) is a class of technologies
that are used by hardware manufacturers, publishers,
copyright holders, and individuals with the intent to
control the use of digital content and devices after
purchase.
 First generation DRM intention was to control copying
 Second generation intention to control execute view
copying works or devices
Digital Rights Management DRM

 Depending on the initial location and destination of
sale of some software products the sale and
distribution of some software products it may be either
illegal or closely controlled
 The Wassenaar arrangement, for example, places
controls on the distribution and dissemination of dual
use goods and technologies
 This definition includes cryptographic products
 May be only exported to some countries
capabilities ie shorter key strength
with reduced
Import Export controls

 There is a concern about the flow of data through
internationally located servers.
 Different countries have differing policies with regards to
ownership and access to data
 Information Security professionals must acquaint
themselves with the routing taken by the corporate data
flow
 Depending on the country which the data flows
 Jurisdiction and rights to privacy may become at risk
Trans Border Data Flow

Every individual has an expectation of privacy.
Varies by Culture and Nation.
Danger point is monitoring individual’s activities.
In most instances communication about the organization’s
privacy policies is key to ensuring privacy related
complaints are minimized.
Many organizations place conspicuous signs that state
CCTV or other types of monitoring are being conducted in
an area.
Ensure all such monitoring is done within the laws of the
local jurisdiction.
Clear with legal team.







Privacy

 In the modern connected internet age there is an increasing
concern about personal privacy.
 Identity theft
 Shopping/browsing patterns
 There is an obligation to protect a citizen’s personal information
 No single international law
 Makes this a minefield
 Privacy is the rights and obligations of individuals and
organizations with regards to the collection, use , retention and
disclosure of personal information.
 What is personal information ?
 Information about or on an individual…definition varies.
 The best practice available is the OECD guidelines…
Privacy

Collection Limitation Principle
There should be limits to the collection of personal data and any such data
should be obtained by lawful and fair means and, where appropriate, with
the knowledge or consent of the data subject.
Data Quality Principle
Personal data should be relevant to the purposes for which they are to be
used, and, to the extent necessary for those purposes, should be accurate,
complete and kept up-to-date.
Purpose Specification Principle
The purposes for which personal data are collected should be specified not
later than at the time of data collection and the subsequent use limited to
the fulfilment of those purposes or such others as are not incompatible with
those purposes and as are specified on each occasion of change of
purpose.
Organization for Economic Cooperation and
Development 8 Privacy Guidelines

OECD Guidelines continued...
Use Limitation Principle
Personal data should not be disclosed, made available or otherwise used
for purposes other than those specified in accordance with Paragraph 9
except:
a) with the consent of the data subject; or
b) by the authority of law.
Security Safeguards Principle
Personal data should be protected by reasonable security safeguards
against such risks as loss or unauthorised access, destruction, use,
modification or disclosure of data.
Openness Principle
There should be a general policy of openness about developments,
practices and policies with respect to personal data. Means should be
readily available of establishing the existence and nature of personal data,
and the main purposes of their use, as well as the identity and usual
residence of the data controller.

OECD Guidelines continued
Individual Participation Principle
An individual should have the right:
a) to obtain from a data controller, or otherwise, confirmation of whether or
not the data controller has data relating to him;
b) to have communicated to him, data relating to him
i) within a reasonable time;
ii) at a charge, if any, that is not excessive;
iii) in a reasonable manner; and
iv) in a form that is readily intelligible to him;
c) to be given reasons if a request made under subparagraphs (a) and (b)
is denied, and to be able to challenge such denial; and
d) to challenge data relating to him and, if the challenge is successful to
have the data erased, rectified, completed or amended.
Accountability Principle
A data controller should be accountable for complying with measures which
give effect to the principles stated above.

 Problem – the root cause issue that gives rise to
successive incidents
 Lack of adequate virus checker.
 Incident – A security event that compromises the integrity,
confidentiality, or availability of an information asset.
 Virus infection
 Breach – An incident that results in the disclosure or
potential exposure of data.
 Data Disclosure – A breach
data was actually disclosed
unauthorized party.
for which it was confirmed
(not just exposed) to an
that
Data Breach Terminology

ISC2 code of ethics – the mandatory canons:
 Protect society, the commonwealth, and the
 Act honorably, honestly, justly, responsibly,
and legally
 Provide diligent and competent
service to principles
infrastructure
 Advance and protect the profession
ISC2 Code of Ethics

 Ethics and the Internet RFC 1087
 Defines the following as unethical:
 Seeking unauthorized access to Internet
 Destroying integrity of information
 Disrupting Internet use
 Wasting resources
 Compromising privacy of users
resources
 Practicing negligence in Internet experiments
Internet Architecture Board

Domain Objectives
Key Area
C Compliance
global context
F Develop and Implement Security Policy Standards Procedures and
Baselines

Strategic
Tactical
Guidelines Baselines
Procedures
Standards
Security Policy
Tactical Goals and Documents

 Security policy − general statement:
 Produced by senior management
 Dictates what
 Organizational:
 Laws
 Regulations
 Liabilities
 Issue-specific
 System-specific
role security plays within an organization
Strategic Goals and Security Policy

Regulatory Policies
Ensure that organization
specific industry or law.
is following the standards by a
Advisory Policies
Strongly suggest certain types of behavior and activities.
Informative
Inform about some topics, is not an enforceable policy but
is intention is educational.
3 Security Policy Categories

Organizational security policy - provides scope and
direction for all future security activities within the
organization and

States the amount of risk the
to accept. (Risk Appetite)
Defines
How the security progam will
The goals of the program.
Assigns responsibilities.
senior management is willing


 be set up.
Declares the strategic and tactical value of security.
Describes how enforcement should be carried out.
Organizational Security Policy

 System policies includes policy
 Computing systems
 Networks,
 Application
 Data.
 an approved software list.
for:
 how
 how
.
to configure firewalls.
databases have to be protected.
System-specific policy

Standards refer to mandatory activities, actions, rules, or
regulations.
Standards can give a policy its support and reinforcement in
direction.
Standards could be internal, or externally mandated (government
laws and regulations).
Organizational security standards may specify how hardware and
software products are to be used.
They can also be used to indicate expected user behavior.
They provide a means to ensure that specific technology,






applications, parameters, and procedures are implemented
uniform manner across the organization.
in a
Standards

 Provide definitions for the minimum security level
necessary throughout the organization,
Example
 All workstations configured to C2 level
C2.
access control
 See ITSEC Orange Book for
Baselines

Procedures
Tasks detailed step by step to achieve certain goal.
Procedures spell out how the policy, standards, and
guidelines will actually be implemented.
Guidelines
Recommended actions and operations to the staff and
users when a specific standard doesn't apply.
Guidelines are flexible.
Guidelines and Procedures

 Business continuity planning and Disaster Recovery
Planning are split across two domains of the CIB.
 Security and Risk management
 Security Operations.
 I have decided to give a brief but essential introduction to
the three main outputs of the Business Impact Assessment
BIA here.
 We will do a more detailed coverage of the entire Business
Continuity and Disaster Recovery Planning processes in
the Security Operations Domain.
The Business Impact Analysis

 The first step in building the Business Continuity (BC)
program is project initiation and management.
 During this phase, the following activities will occur:
 Obtain senior management support to go forward with the project
 Define a project scope, the objectives to be achieved, and the
planning assumptions
 Estimate the project resources needed to be successful, both
human resources and financial resources
 Define a timeline and major deliverables of the project In this
phase,
 The program will be managed like a project, and a project manager
should be assigned to coordinate the team’s activities.
Project Initiation and Management

 Before the project can start, it must have committed senior
management support.
 Without that support, the project will fail.
 To convince leadership that the organization needs to build an
enterprise-wide Business Continuity Plan BC and DR
Disaster Recovery Plan the planner needs to help them
understand the risk they are accepting by not having one and
the potential cost to the organization if a disaster were to occur.
 The risks to the organization are found in three areas:
 Financial (how much money the organization stands to lose),
 Reputational (how negatively the organization will be
perceived by its customers and its shareholders),
 Regulatory (fines or penalties incurred, lawsuits filed against
them).
Senior Leadership Support

 The next step in the planning process is to have the
planning team perform a BIA.
 The BIA will help the company decide what needs to be
recovered, and how quickly.
 To help determine the appropriate prioritization. Mission
functions are typically
 Critical,
 Essential,
 Supporting, and
 Nonessential
designated with terms such as:-
Conducting the Business Impact Analysis
(BIA)

 Organizations do not hire staff to perform nonessential
tasks.
 Every function has a purpose, but some are more time
sensitive than others.
 A bank that has suffered a building fire could easily stop its
marketing campaign but would not be able to stop check
processing and deposits made by its customers. The
organization needs to look at every function in this same
light.
 How long can the company not perform this function
without causing significant financial losses, significant
customer unhappiness or losses, or significant penalties
fines from regulators or lawsuits?
or
Identify and Prioritize Critical Organization
Functions

 All organizational functions and the technology that
supports them need to be classified based on their
recovery priority.
 Recovery time frames for organizational operations are
driven by the consequences of not performing the function.
 The consequences may be the result of contractual
commitments not met resulting in fines or lawsuits, lost
goodwill with customers, etc.
 The planner will need to define for the planning team what
a low, medium, or high impact is in that organization in
each of the impact areas, as well as the time before impact
is realized.
Estimate Recovery Time Frames

 All applications, need to be classified as to their time
sensitivity for recovery
 Even if those applications do not support organization
functions that are time sensitive.
 For applications, this is commonly referred to as Recovery
Time Objective (RTO) or Maximum Tolerable Downtime
(MTD).
 This is the amount of time the organization can function
without that application before significant impact occurs.
Determine Maximum Tolerable Downtime

 That is the end of our brief introduction to the BIA
 We will complete a more thorough examination of BCP
DR processes in the Security Operations Domain
 Remember for now the three main outputs of a BIA are
useful for many other processes across the day to day
business operations.
 Those three outputs are :-
 Criticality Prioritization
and
 Maximum Estimated Downtime
 Essential resource requirements to support the critical
business functions identified in the criticality
Prioritization.
BIA Benefits

Domain Objectives
Key Area
C Compliance
global context

 The main effort here is the work of HR.
 The important aspect for security is to identify those with
unsuitable past actions who may be applying for sensitive
positions.
 Job Descriptions should be well written and provide the
basis for further conversation with the candidate at
interview.
 Role Based
improve the
Access Control (RBAC) can simplify and
allocation of access to new employees
Employment candidates

 Usually signed by the employee on
employment.
 Purpose to protect the organization
employed.
 Examples
the first day of
while the individual is
 Non Disclosure Agreements
 Acceptable Use Policy
 Code of Conduct.
Employment Agreements and policies

Two type of terminations occur.
 Friendly
 Use a standard set of procedures from HR dept.
 Cover exit interviews , return of keys, closure of accounts, removal
of access rights etc.
 Exit interview should include a conversation about the continued
responsibility for confidentiality of company
Unfriendly
 Need to be handled carefully.
 Individual cases require different techniques.
 Beware of malicious actions.
information.
Employment termination process

 Business partners and other third parties often bring personnel into an
organization.
 The organization must ensure controls are in place to prevent the loss
of sensitive information
 Also mitigate any damage these individuals could intentionally or
unintentionally perform to an organization.
 There are several approaches to take depending on the nature of the
relationship between the vendor and the organization.
 If the third party is infrequently on site or accessing systems but has
administrative access, consider:
 Escorting the individual while on site to monitor activities.
 Virtually monitoring the employee with screen sharing technology
 Recording all actions performed.
Vendor, Consultant, and Contractor
Controls

 If the third party is on site for a more permanent basis and has
administrative access, consider:
Performing a background investigation and determining if
any suitability issues arise.
Virtually monitoring the employee with screen sharing
technology and recording all actions performed.
Ensuring an appropriate non-disclosure agreement with



specific sanctions has been signed by the individual
the individual’s organization if applicable.
Ensuring the third party identifies who the specified
personnel gaining access are and verifying their
identification upon access
and

Vendor, Consultant, and Contractor
Controls

Part 1 - Classwork
Global Knowledge f>
Practice Questions
Exercises
Discussions

 Spend 15 minutes reviewing
 Skim read
 Make notes
the work we just covered.
 Mind map or Written
learn
 Absorb don’t
Private Review

 Having reviewed the materials now think like an examiner
and chose two topics you would write a test question on.
 If you have time create those questions to try on your in
class colleagues.
Create 2 Practice questions

 Here are 5 Practice questions on this topic.
 Remember never take more than 10 at a time.
 Remember the principle of testing for exam preparation is
to identify
 Your task
 Filling the
gaps in your knowledge.
then is to fill the gap before you move
gap
on.
 Research the correct answer
 Make notes on it either on
 Mind map onto your XMIND knowledge
 Hand written notes
dump
Lets try some questions

Which of the following steps should be performed first
business impact analysis (BIA)?
in a
A. Identify all business units within an organization
B. Evaluate
C. Estimate
D. Evaluate
the
the
the
impact of disruptive events
Recovery Time Objectives (RTO)
criticality of business functions
Question 1

 Answer: A is correct
 The four cyclical steps in the BIA process are:
 Gathering information;
 Performing a vulnerability assessment;
 Analyzing the information
 Documenting the results and presenting the
recommendations.
 The initial step of the BIA is identifying which business units
are critical to continuing an acceptable level of operations.
 To do this the team will need to identify ALL business units
within the organization
Q1 Answer

Why must senior management endorse a security policy?
A. So that they will accept ownership for security within
the organization.
B. So that employees will follow the policy directives.
C. So that external bodies will recognize the
organizations commitment to security.
D. So that they can be held legally accountable.
Question 2

Answer: A
Explanation: Upper management is legally accountable
External organizations answer is not really to pertinent
Employees need to be bound to the policy regardless of who
signs it but it gives validity.
Ownership is the correct answer in this statement. Here is a
reference. "Fundamentally important to any security program's
success us the senior management's high-level statement of
commitment to the information security policy process and a
senior management's understanding of how important security
controls and protections are to the enterprise's continuity. “
Answer 2

Which of the following describes elements that create
reliability and stability in networks and systems and which
assures that connectivity
A. Availability
B. Acceptability
C. Confidentiality
D. Integrity
is accessible when needed?
Question 3

Correct answer is A
Wiki says…
Availability
For any information system to serve its purpose, the information must be
available when it is needed.
This means that the computing systems used to store and process the
information, the security controls used to protect it, and the communication
channels used to access it must be functioning correctly.
High availability systems aim to remain available at all times, preventing
service disruptions due to power outages, hardware failures, and system
upgrades.
Ensuring availability also involves preventing denial-of-service attacks,
such as a flood of incoming messages to the target system essentially
forcing it to shut down.[18]
Answer 3

What are the three main outputs of a Business Impact
Assessment
A. Criticality Prioritization, Minimum Estimated
Essential resource requirements
Downtime,
B. Criticality Prioritization, Mean Time To Repair, Essential
Contact List
C. Critical Personnel Contact List, Maximum Estimated
Downtime, Essential resource requirements
D. Criticality Prioritization, Maximum Estimated
Essential resource requirements
Downtime,
Question 4

Answer D is correct
There are several benefits
whole information security
main outputs.
of a BIA which are useful across the
process but these three are the
 Criticality Prioritization
 Maximum Estimated Downtime,
 Essential resource requirements
Answer 4

Which answer correctly describes a Trade Mark ?
A. An intangible property right granted by law to the author or originator of
a literary or artistic production of a specified types.
B. Any formula, pattern, device, or compilation of information that give a
business an advantage over competitors who do not know the information
or processes
C. A grant from the government that gives an inventor the exclusive right
make, use, and sell an invention for a specified period.
D. A distinctive mark, motto, device, or implement that a manufacturer
stamps, prints, or otherwise affixes to the goods it produces
to
Question 5

The correct answer is D
A trademark is A distinctive mark, motto, device, or implement
that a manufacturer stamps, prints, or otherwise
goods it produces.
affixes to the
BONUS Question
What do the other answers describe
A.
?
B.
C.
Answer 5

G
P
lob
a
al
rK
t
n
2
owledge
f>
Understand and apply Risk
Management Concepts
Understand and apply Threat
Modelling
Integrate Security-Risk
considerations into Acquisitions
Practice
Establish and Manage Information
Security Awareness,Education
and Training

 Accurate Risk Analysis is a critical skill for an information
security professional.
 Risk decisions dictate which safeguards we deploy to
protect our assets, and the amount of money and
resources we spend doing so
Risk analysis

Controls Protect
Assets Assets
All assets have
Vulnerabilities V
Controls
Reduce V
Controls
Controls
Reduce
R
V x T = R
Vulnerabilities are exposed to
Threats T
exposed Threats create
Risk R
Vulnerabilities
RISK
which are
Assets Vulnerabilities Threats and Controls

 Assets :- are the valuable resources you are trying to
protect ,
 People, buildings, property. Intellectual property etc.
 The value or criticality of the asset dictates the safeguards
you deploy.
 A threat is a potentially harmful occurrence, such as
 Natural Threats :- Earthquake, Flood, Fire
 Technical Threats :-
worm like Conficker
Power outage, or a network-based
 Human Threats :-
employee
Malicious activity by a disgruntled ex-
The Risk Triad
Assets Vulnerabilities and Threats

 A vulnerability is a weakness that allows a threat to cause
harm.
 Examples of vulnerabilities are
 Buildings that are not
 A data center without
 A Microsoft Windows
built to withstand earthquakes,
proper backup power
XP system that has not been
patched in a few years.
 Or if it automatically runs software on a USB token
when inserted.
 A Linux system has no vulnerability to Conficker and
therefore runs no risk from it.
The Risk Triad
Assets Vulnerabilities and Threats

NIST SP 800-30, Risk Management Guide for Information
Technology Systems describes a very useful Risk
Analysis process
A Risk Analysis Process

 Step 1 System Characterization
 Describes the scope of the risk management effort and the
systems that will be analyzed. Threat Identification and
Vulnerability Identification,
 Steps 2 and 3, Threat and Vulnerability
 Identify the threats and vulnerabilities required to determine
risks using the formula
“Risk = Threat × Vulnerability”
The NIST Risk Analysis Steps 1,2,3

 Step 4a, Control Analysis,
 Analyses the security controls (safeguards) already in
place or currently planned to mitigate risk.
 Steps 4b, Likelihood Determination and Impact Analysis,
 Identify important risks (especially those with high
likelihood and high impact/consequence)
I = Impact of
Occurrence
P = Probability of occurrence
High impact
Low likelihood
High impact
High likelihood
Low impact
Low likelihood
Low impact
High likelihood
The NIST Risk Analysis Step 4

Step 5 – Countermeasure Recommendations. Once the
previous steps
to recommend
formalised risk
have been completed you are in a position
controls based on
analysis process.
the results of a
 Selection criteria include
 Product costs
 Design/planning costs
 Implementation costs
 Environment modifications
 Compatibility with other countermeasures
 Repair, replace, or update costs
 Operating support costs
 Effects on productivity

Step 6 – Document results
Report back to the Senior Management and Sponsors on
the findings.

 Quantitative and Qualitative Risk Analysis are
two methods for analysing risk.
 Quantitative Risk Analysis uses hard metrics, such
as cost.
 Qualitative Risk Analysis uses
values and estimations.
 Quantitative is more objective;
 Qualitative is more subjective.
simple approximate
Qualitative and Quantitative
Risk Analysis methods

 Real numbers assigned:
 Costs of countermeasures
 Amount of damage that can take place
 Popular metric for management decisions
 Concrete percentages calculated
 Purely quantitative risk analysis is difficult:
 There will always be a factor of attempting
dollar values to every conceivable threat.
to assign
Quantitative Risk Analysis

The main steps of quantitative risk analysis include:
1.
2.
3.
4.
Assign value to information assets
Estimate potential risk
Perform threat analysis
Derive the overall loss potential
per risk
Choose remedial measures
5.
6. Reduce, assign, or accept the risk
Quantitative Risk Analysis Steps

Single Loss Expectation
 SLE = asset value x exposure
Exposure factor
 EF = percentage of asset loss
threat
Annual Loss Expectation
 ALE = SLE x ARO
Annual Rate of Occurance
factor
caused by identified
 ARO = estimated frequency
a year
a threat will occur within
Quantitative Risk Analysis Terms

 As an example I have a vehicle with a value of $5000
 If it is in a crash the expected damage to the vehicle would
be 20%
 Thankfully that kind of crash only occurs once in 4 years.
 Calculate the amount of insurance I should take.
Asset Value AV = 5000
Exposure factor EF = 20% (0.2)
Single Loss Expectancy = 5000 x .2 = $1000
Annualized Rate of Occurance = .25 (once in 4 years)
Annual Loss expectation = SLE x ARO = $250
I need driving lessons…
Quantitative Risk Analysis (cont.)

Generally expected:
 Assigned monetary values
 List of possible and significant threats
 Probability of the occurrence rate
 Loss potential that company can endure over a year
 Recommended safeguards, countermeasures, and actions
 Difficulties of Qualitative analysis
 It is hard to place a capital amount on every threa
 Insurance and historical records may help but that is only a
start.
Results of Quantitative Risk Analysis

 Is scenario based:
 One scenario is examined and assessed for each critical or major
threat to an IT asset.
 Examines the asset, the threat, and the exposure or potential for loss
that would occur if the threat were realized on the IT asset
 Requires the risk analysis team to ask, “What if?” regarding specific
threat conditions on IT assets
 Purpose: Provide a consistent and subjective assessment of the risk to
specific IT assets
 Risk analysis team task: Develop real scenarios that describe a threat
and potential losses to organizational assets:
 No dollar amounts are assigned
Qualitative Risk Analysis

risk
risk
risk
risk
Example of a ranking matrix: P x I
Likelihood of occurrence
A Frequent
Failure
probability
increases
High risk High risk
Very high
risk
Very high
risk
Very high
B Probable
Medium
risk High risk High risk
Very high
risk
Very high
C Occasional Low risk
Medium
risk High risk
Very high
risk
Very high
D Remote Low risk Low risk
Medium
risk High risk
Very high
E Improbable Low risk Low risk
Medium
risk High risk High risk
1 2 3 4 5
Negligible Marginal Important Critical Catastrophic
Consequence or impact increases
Qualitative Risk Exposure Scoring

Property Quantitative Qualitative
Financial hard costs 
Can be automated 
Little guesswork 
No complex calculations 
Low volume of information required 
Short time and easier work load 
Easy to communicate results 
Quantitative vs. Qualitative Comparison

 Acceptable risk:
 Minimum acceptable risk that an organization is willing to
take
 Residual risk:
 Risk remaining after security controls and countermeasures
have been implemented
 Risk management:
 Process of reducing risk to IT assets by identifying and
eliminating threats
 Risk analysis:
 Process of identifying the severity of potential risks and
vulnerabilities, and assigning a priority
Some more Risk Terms to remember.

 Total Risk before the application of controls is shown as
 Threats x vulnerability x asset value = total risk
 The residual Risk is the risk left after the application of the
control. Remember no control completely eliminates risk
there will be a control gap.
so
 (Threats x vulnerability x asset value ) x control gap =
Residual Risk
Some other Risk Formulas

Acceptable ways to deal with risk include:
 Accept:
 Organization believes the benefits outweigh
loss
 Transfer:
 Insurance, outsourcing
 Mitigate (Reduce):
the potential
 Choose remedial measures
 Countermeasure selections
to counteract each risk
Choosing How to Deal with Risk

There are three main Control types
 Technical/Logical controls :- Firewalls, IDS,
Biometric Access Control Devices
 Administrative controls – Security Policy. Job
rotation, Seperation of Duties
 Physical Controls :- Fences,
Supression Systems
Lighting, Fire
The three main control types

There are seven categories of control.
Directive Deterrent Preventative Compensating Detective Corrective Recovery
Access control categories

controls
Low
Medium
High
Planning Establish defences Incident Discover/react Adjust/regroup
Deterrent
controls
Recovery
Preventative
controls
Detective
controls
Corrective
controls
Compensating
controls
Directive controls
Access control impact / incident timeline

 Directive Controls
 Are designed to provide personnel with guidance about the
expectation of behaviour within the organization’s security
environment
 Provide guidelines
 Apply to internal staff and external visitors and contractors
 Deterrent controls
 As it says on the tin ! Should act as a deterrent to threats and
attacks.
 Typically designed so that the effort to circumvent the control is
greater than the value percieved in breaking it
Pre-incident Control Categories

 Preventative Controls.
 These attempt so stop an event from occurring. For example
change management controls.
 Prevent changes to systems and procedures from
accidentally reducing the availability and security of the
system
 Compensating controls
 These are used when the existing controls do not
adequately meet the requirement described in the
policy
security
Pre incident controls continued….

 Detective Controls.
 Provide notification to appropriate personnel if the detective
preventative and deterrent controls have not denied an attack
 They tell you something has happened and are the first part of
the post incident timeline
 Corrective controls.
 For example a Cisco Intrusion detection system may dynamically
alter the access control list on a border router in response to
some warning from the detective controls.
 Recovery controls
 Once the security related event is over it is necessary to return
the system to “Normal Operations”
Post incident controls

•Controls are deployed in combinations of category and function.
•This chart shows some example control combinations
and Monitoring
Server
depth (layers)
Attribute Directive Deterrent Preventive Detective Corrective Recovery Compensating
Administrative Policy AUP
User
Registration
Review
violation
reports
Reassignment
or Termination
Incident
Response
Plan
Supervision
Technical
Config
standards
Warning
Banner
Password
based login
Anti-virus
Reboot or
restart
Backups
Redundant
Physical
Authorised
personel
only signs
Electric
Fence
Sign
8-ft Fence
Motion
Detector
Fire
Extinguisher
Restoration
of Backups
Defense in
Some Example Control Combinations

Threat modelling enables informed decision making about
application security risk.
Threat modelling produces a prioritised list of security
improvements to the concept, requirements, design, or
implementation of a system or application.
As part of the design phase of the Software Development
Life Cycle (SDLC), threat modelling allows software
architects to identify and mitigate potential security issues
early, reducing the total cost of development.



Threat modelling is a procedure
Application/ Internet Security by
vulnerabilities and then defining
for optimizing Network/
identifying objectives and
countermeasures to

prevent, or mitigate the effects of, threats to the system.
Threat Modelling

Step Description
Assessment Scope Identify critical assets to protect. Closely related with BIA
priorities.
Identify Threat
Agents and
possible attacks
Identify the Who or What wants to attack .
Consider insiders outsiders malicious or accidental threat
agents
Understand
Existing
Countermeasures
Do an audit of what is currently in place
Is it effective ?
Identify exploitable
vulnerabilities
Look for vulnerabilities that impact on the BIA critical path
Prioritize identified
risks
Threat modelling operates on priorities
Cannot protect everything. Residual risk needs justification
Identify
Countermeasures
to reduce risk
Use the information gathered to complete the defence posture
by deploying countermeasures against prioritised
vulnerabilities.
Threat modelling process.

 Once threat modelling is complete the Security Architect
Security Practitioner and Security Professional should work
together to to deploy the most appropriate technologies
and processes to remediate threat.
 There is of course no correct answer to which processes
and procedures.
 Everything depends on the output of the threat model.
 Typical technologies include
 IDS/IPS, Firewalls, Access control biometrics…..etc
Technologies & Processes to Remediate
Threats

 Supply chain risks are usually referring to tangible property
exposures.
 Fires, Natural disasters.
 Information and communication technologies are also
vulnerable to failure and loss both accidental and
malicious.
 It is part of the challenge for the modern Security
Professional to analyse and understand
organizations supply chains
 In particular for critical systems
the risks to his/her
Acquisition Supply Chain Risks

Institute baseline cybersecurity requirements as a
of contract award for appropriate acquisitions.
Address cybersecurity through relevant training.
Develop common cybersecurity definitions for the
acquisitions process
Institute an acquisition cyber risk strategy.
condition




 Include a requirement to purchase from Original Equipment
Manufacturers OEMs , their trusted sources and authorised
resellers
Increase organisational accountability for cyber risk
management

Acquisition Security Best Practices

 Security professionals should be included in any
agreements for hardware software and cloud services from
a third party.
 Organizations should be cautious about the jurisdiction and
regulations pertinent to the third party involved and their
own partners and suppliers
 Particular care must be taken both with the due diligence
before any binding supply chain agreement is made.
Third party Assessments

 The Due diligence should include a combination of
 On Site Assessments of the
 Document exchanges.
 Process and Policy review.
 The security professional should become involved in all
three of these activities to ensure that the supplier is
following an acceptable formal security control framework
within its own organisation.
 Exchanging documentation and reviewing processes and
policy to ensure there is an understanding of the potential
risks involved in the transaction.
Third Party Acquisitions Due Diligence

 During the requirements gathering phase of a
project.
 Best practices use a Statement of Requirements
document covering
 A
 A
 A
succinct requirement specification for management.
statement of key objectives.
description of the environment in which the system
will operate.
 Background information and references
 Information on major design constraints.
Minimum security requirements

 Two useful document in the due diligence process.
Ensuring these are well formed complete and non-
contradictory will greatly reduce risk in third party
acquisitions
 SLR contains the description of the expected
the client viewpoint.
 SLA Is an agreement between the third party
customer documenting
 The IT service
 Service Level Targets
service from
and the
 Responsibilities of both supplier and customer
Service level requirements SLR and
Service Level Agreement SLA

Domain Objectives
Key Area
C Compliance
global context
L Establish and Manage Information Security Awareness,Education and
Training

 Most organizations perceive value in promoting an
awareness of security within their environments.

 Security awareness addresses the why of policy.
 If end-users understand the why, they are more apt to
follow the policy.
 Generally, people follow policy more consistently if
they understand why policy exists and how to comply.
Security awareness can be defined as helping establish
an understanding of the importance and how to comply
with security policies within the organization.
Security Education, Training, and
Awareness Policies - Awareness

 Security is a broad discipline, and as such, there are
topics that could be covered by security awareness
training.
 Topics that can be investigated within the security
awareness curriculum include:
 Corporate security policies
 The organization’s security program
many
 Regulatory compliance requirements for the organization
 Social engineering Business continuity Disaster recovery
 Emergency management,
 Security incident response
 Data classification…..and lots of others !
Training Topics

 Security Job Training assists personnel with the
development of their skill sets relative to performance of
security functions within their roles.
 A typical security curriculum will include specialty training
for individuals performing specialized roles within the
organization, such as those in IT, accounting, and others.
 Within these business units, more specialized training will
occur.
 For example, in the IT area, it would be advisable for
network staff responsible for maintenance and
monitoring of the firewalls, intrusion detection/
prevention systems, and syslog servers
Security Job Training

 It is important to track performance relative to security for
the purposes of both enforcement and enhancement of
security initiatives under way.
 It is also important for the organization to ensure that users
acknowledge their security responsibilities by
 Signing off after each class that they have heard and
understand the material and
 Agreeing to be bound by the organization’s security program,
policies, procedures, plans, and initiatives.
 Measurement can include periodic walk-throughs of
business unit organizations, periodic quizzes to keep staff
up to date, and so on.
Security Training Performance Metrics

Part 2 - Classwork
Global Knowledge f>
Practice Questions
Exercises
Discussions

When is it acceptable to
risk?
A. Never. Good security
B. When political issues
being addressed.
not take action on an identified
addresses and reduces all risks.
prevent this type of risk from
C. When the necessary countermeasure
D. When the cost of the countermeasure
value of the asset and potential loss.
is complex.
outweighs the
Question 1

Answer D
Companies may decide to live with specific risks they are
faced with if the cost of trying to protect themselves would
be greater than the potential loss if the threat were to
become real.
Countermeasures are usually complex to adegree, and
there are almost always political issues surrounding
different risks,but these are not reasons to not implement
a countermeasure.
Answer 1

Which best describes a quantitative risk analysis?
A. Scenario-based analysis to research different security
threats
B. A method used to apply severity levels to potential
loss, probability of loss, and risks
C. A method that assigns monetary values to components
in the risk assessment
D. A method that is based on gut feelings and opinions
Question 2

Answer C.
A quantitative risk analysis assigns monetary values and
percentages to the different components within the
assessment.
A qualitative analysis uses opinions of individuals and
rating system to gauge the severity level of different
threats and the benefits of specific countermeasures.
a
Answer 2

Why is a truly quantitative risk analysis not possible to
achieve?
A. It is possible, which is why it is used.
B. It assigns severity levels. Thus, it is hard to translate
into monetary values.
C. It is dealing with purely quantitative elements.
D. Quantitative measures must be applied to qualitative
elements.
Question 3

Answer D.
During a risk analysis, the team is trying to properly
predict the future and all the risks that future may bring.
is somewhat of a subjective exercise and requires
educated guessing.
It is very hard to properly predict that a flood will
It
take place once in ten years and cost a company up
$40,000 in damages but this is what a quantitative
analysis tries to accomplish.
to
Answer 3

Which best describes the purpose of the ALE calculation?
A.
B.
C.
D.
Quantifies the security level of the environment
Estimates the loss possible for a countermeasure
Quantifies the cost/benefit result
Estimates the loss potential of a threat in a span of a
year
Question 4

Answer D.
The ALE calculation estimates the potential loss that can
affect one asset from a specific threat within a one-year
time span.
This value is used to calculate the amount of money that
should be earmarked
this threat.
to protect this asset from
Answer 4

How do you calculate residual risk?
A.
B.
C.
D.
Threats risks asset value
(Threats asset value vulnerability) risks
SLE frequency = ALE
(Threats vulnerability asset value) controls gap
Question 5

Answer D.
The equation is more conceptual than practical. It is hard
to assign a number to a vulnerability and a threat
individually.
This equation enables you to look at the potential loss of
a specific asset and look at the controls gap (what the
specific countermeasure cannot protect against). What is
left is the residual risk.
Residual risk is what is left over after a countermeasure is
implemented.
Answer 5

D1 security and risk management v1.62

More Related Content

What's hot

Similar to D1 security and risk management v1.62

Recently uploaded

D1 security and risk management v1.62