CISM PREP
Topic 2
Information Security Governance
• Achieving optimal balance between realising opportunities for gain and minimising the likelihood of loss
• Risks are identified and addressed so as not to impact the business in a negative manner
• Resources are not wasted addressing unrealistic risks
• Requires knowledge of:
– Leadership perception
– Ability to absorb loss
– Cost to implement controls
– Risk-benefit ratio
Risk management
How do we identify, prioritise and reduce risk?
• Choosing a framework and structure
• Periodic assessment
• Continuous improvement
• Align with organisational strategy, culture, hierarchy, risk appetite and financial position
• Perform a gap analysis
• Prioritise
Risk management program
Three elements
1. Actor
– Bad guy, good guy
– External, internal
– Incidental, malicious
2. Negative impact
– Exposure / unauthorised access
– Loss of service
– Loss of data
3. Asset
– Confidential information
– Privileged function or business functionality
Threat Scenarios
Vulnerability – For convenience, staff are storing corporate credit cards on pastebin.
Threat Scenario – An external attacker may gain unauthorised access to the list of corporate credit card numbers.
Vulnerability – Big “delete all” button right next to the “update record” button in the customer relationship manager application.
Threat Scenario – A staff member may accidentally delete the full customer database.
Threat Scenarios - Examples
Forums and committees:
• Identify risks at technical level
• Disseminate risk knowledge at management level
• Request direction for risk treatment from leadership
Establish a risk management program
Responsibility sits with the Information Security Manager
Risk communication and awareness
ISO/IEC 27001 – Information security management system
ISO/IEC 27005 – Information security risk management
ISO/IEC 27005 – Risk management – risk assessment
NIST SP 800-39
COBIT 5 – ISACA IT Governance
RIMS Risk Maturity Model
FRAP – Facilitated risk assessment process
Risk management frameworks
• Program scope
• Information risk objectives
• Information risk policy
• Risk appetite/tolerance
• Roles and responsibilities
• Risk management life-cycle process
• Risk management documentation
• Management review
Risk management framework components
• System characterisation
• Threat identification
• Vulnerability identification
• Control analysis
• Likelihood determination
• Impact analysis
• Risk determination
• Control recommendations
• Results documentation
NIST SP 800-39
• Gaps in controls against a set of criteria
• Published good practices
• Security groups (industry, AISA, ISACA)
• Security news (RiskyBiz)
• Published research
• Security training
• Vulnerability alerting
Gap analysis and external support
Risk management lifecycle
Types
• PII (customer, staff)
• Privileged functions
• Internal information
• Trade secrets
• Payment data
• Financial records
Loss scenarios
Value based on business knowledge
Intangible and tangible value
Asset Identification and Valuation
Viability and plausibility
• Exist or are reasonably expected to exist
• Subject to some form of control
Experienced staff
• Organisational knowledge
• Cyber security knowledge
External vendors and consultants
Risk Assessment: Identification of Risk
Categories
• Physical
• Logical
• Loss of service
• Technical failures
• Unauthorised activity
Internal and external threats
Learn from industry sources
Advanced persistent threats – APT
Third parties
Risk Assessment: Threats
Weakness
Degrees of vulnerability
Identify before exploitation
Categorise vulnerabilities
Vulnerability examples
• Software bugs
• Misconfiguration
• Weak passwords
• Staff awareness
• Clear text transmission
Risk Assessment: Vulnerabilities
1. Why is the information security manager responsible for the risk management program and strategy?
2. What is the difference between a plausible risk and a possible risk?
3. Name and describe two types of common vulnerabilities.
4. Why does organisational knowledge assist in threat identification?
Discussion Questions
Three elements
• Actor
• Asset
• Negative impact
Example:
An external attacker gains unauthorised access to bulk customer information.
Threat Scenarios
Determine the level of risk by analysing:
• Risk sources
• Asset exposure
• Negative consequences
• Likelihood of risk realisation
• Assessment of controls
Sources of this information:
• Past experience
• Published standards
• Experiments and testing
• Consultants
Risk Analysis
Volatility – varying likelihood
Velocity – amount of prior warning before incident
Proximity – time between event and impact
Motivation – what is in it for the attacker
Skill – level of difficulty of the exploit
Visibility – how easily a vulnerable system can be found
Risk Likelihood
Influenced by the asset value
Impact types
• Loss of money
• Criminal liability
• Reputational damage
• Breach of privacy
• Competitive edge
• Interruption to business
Maximum tolerable outages
Risk Impact
Qualitative Analysis
Assigning a financial figure
Calculating a loss expectancy with a simple equation
Annual loss expectancy (ALE)
Single loss expectancy (SLE)
Annual rate of occurrence (ARO)
ALE = SLE x ARO
OCTAVE
Quantitative Analysis
Is the risk acceptable?
Further analysis required
Rank risks by severity
How can the risk be treated?
• Avoid
• Transfer
• Mitigate
• Accept
• Ignore
Inherent and residual risk
Risk Treatment and Ownership
Methods to reduce the likelihood or impact of a risk
Categories
• Administrative
• Technical
• Physical
Impact of regulation on the organisation
Enforcement – where is the pressure coming from?
Compliance levels
The compliance plan
Control implementation and compliance levels are a business decision
Controls and Regulatory
Is the cost less than the benefit?
What are the obvious and hidden costs?
• Acquisition
• Deployment and integration
• Support and maintenance
• Testing
• Compliance monitoring and enforcement
• Inconvenience to users (usability vs security)
• Slowing the business
• Training
• Decommissioning and disposal
Cost vs Benefit
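The Quantitative Analysis slide (ALE = SLE x ARO) and the Cost vs Benefit slide above combine into one calculation: the ALE avoided by a control minus its annualised cost. The example below is added here and is not from the deck; it applies that calculation to the deck's own pastebin card-number scenario, using constructed money figures, control names and risk-reduction factors that are assumptions.

```python
from dataclasses import dataclass, field

# All monetary values, control names and reduction factors below are constructed
# for illustration; only the scenario and the ALE formula come from the slides.

@dataclass
class Risk:
    name: str
    sle: float  # single loss expectancy: cost of one incident
    aro: float  # annual rate of occurrence: incidents per year

    def ale(self) -> float:
        """Annual loss expectancy, the slide's ALE = SLE x ARO."""
        return self.sle * self.aro

@dataclass
class Control:
    name: str
    one_off: dict = field(default_factory=dict)  # acquisition, deployment, training, disposal
    annual: dict = field(default_factory=dict)   # support, testing, compliance monitoring
    service_life_years: int = 3                  # one-off costs spread over the control's life
    aro_factor: float = 1.0                      # residual likelihood as a fraction of inherent
    sle_factor: float = 1.0                      # residual impact as a fraction of inherent

    def annual_cost(self) -> float:
        return sum(self.one_off.values()) / self.service_life_years + sum(self.annual.values())

    def residual(self, risk: Risk) -> Risk:
        """Residual risk left after the control is applied to the inherent risk."""
        return Risk(risk.name, risk.sle * self.sle_factor, risk.aro * self.aro_factor)

def net_annual_benefit(risk: Risk, control: Control) -> float:
    """ALE avoided minus annualised control cost; negative means the control costs more than it saves."""
    return risk.ale() - control.residual(risk).ale() - control.annual_cost()

def rank_treatments(risk: Risk, controls: list) -> list:
    """Order candidate mitigations by net annual benefit, best first."""
    return sorted(controls, key=lambda c: net_annual_benefit(risk, c), reverse=True)

CARD_LEAK = Risk("card numbers exposed via pastebin", sle=200_000, aro=0.5)  # constructed
CANDIDATES = [  # constructed options
    Control("DLP on web egress", one_off={"acquisition": 60_000, "deployment": 30_000, "training": 9_000},
            annual={"support": 12_000, "testing": 3_000, "monitoring": 5_000}, aro_factor=0.1),
    Control("Staff awareness only", one_off={"training": 6_000}, annual={"refreshers": 4_000}, aro_factor=0.6),
    Control("Full network re-architecture", one_off={"acquisition": 240_000, "deployment": 60_000},
            annual={"support": 30_000}, aro_factor=0.02),
]

if __name__ == "__main__":
    print(f"Inherent ALE: {CARD_LEAK.ale():,.0f}")
    for c in rank_treatments(CARD_LEAK, CANDIDATES):
        print(f"{c.name:30} annual cost {c.annual_cost():>9,.0f}  net benefit {net_annual_benefit(CARD_LEAK, c):>9,.0f}")
```

The third option comes out negative: its annualised cost exceeds the ALE it avoids, which is the case where the deck's "Accept" treatment is the rational choice rather than the strongest control.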
The minimum level of security for staff, systems and processes
Reasons for change
• Based on the asset value
• Industry developments
• New threats
• New lines of business
• Exploitation in the public domain
Security Baselines
Determine levels of sensitivity and criticality
Considerations
• How many levels?
• How will it be identified and labelled?
• How will levels be handled?
• How is it created, updated, archived and disposed of?
• How long will it be retained?
• Who is the owner and custodian?
• Who approves access?
Keep it SIMPLE
Information Asset Classification
Business impact analysis
Focus on information
• Loss of Confidentiality
• Loss of Integrity
• Loss of Availability
Impact Assessment and Analysis
Risks that occur due to failed process or mistakes
Recovery time objectives - RTOs
• RPO (recovery point objective) – data restoration
• SDO (service delivery objective) – service restoration
• MTO (maximum tolerable outage) – maximum time in recovery mode
• AIW (allowable interruption window) – maximum service loss
Operational Risk
A record of cyber risk across the organisation
Record of risk management activities
Contents
• Vulnerabilities
• Threat scenarios
• Risk owners
• Date identified
• Date closed
• Status
Keep it SIMPLE
Risk Register
Communicate risk at multiple levels
Obtain risk information from multiple sources
Build risk assessment into processes
Every risk discussion is a training opportunity
Document risk clearly
Keep it SIMPLE
Final Thoughts on Risk
1. Write a plausible threat scenario involving password guessing.
2. What is the difference between quantitative and qualitative risk analysis?
3. Name and describe two ways to treat risks.
4. What is the purpose of a risk register?
Discussion Questions

Information Security Risk Management and Compliance.pptx
