D1: Security & Risk Management Flashcards
CIA
Confidentiality
Integrity
Availability
Confidentiality
Confidentiality prevents the unauthorized disclosure of data
Confidentiality assures least privilege and need to know
Integrity
Integrity assures no unauthorized modification is made to data from unintentional or malicious actions
Availability
Availability assures that systems and data are reliable and timely, accessible, fault tolerant and have recovery procedures in place.
IAAA
Requirements for accountability
Identification: when a user claims their identity; used for access control
Authentication: testing a user’s identity via evidence
Accountability: associates actions to the person committing
Authorization: the rights and permissions provided to a person
Privacy
Level of confidentiality and privacy protections
An Organization’s Relationship with Risk
While it’s impossible to eliminate all risk, it’s important to get risk at an acceptable/tolerable level
A popular risk management framework is ISO 27005
To track risk, create baselines - the minimum standards
To reduce/prevent risk when the budget is not constrained, spend more money on better tools
Responsibilities of ISO
- Documentation
- Computer Incident Response Team
- Security Awareness
- Communicate risk to upper management, as high as possible
- Educate organization that security is everyone’s responsibility
Control Framework Requirements
- Consistent in approach & application
- Measurable - ways to determine progress
- Standardized - in one format
- Comprehensive - covers end to end
- Modular - adaptive, layered and abstraction
Due Care
When an organization did all that it could have reasonably done to try and prevent security breach / compromise / disaster, and took the necessary steps as countermeasures / controls (safeguards).
The benefit of due care can be seen as the difference between the damage with or without safeguards in place - AKA doing something about the threats.
Failing to perform periodic security audits can result in the perception that due care is not being maintained.
Due Diligence
When an organization properly investigated all of its possible weaknesses and vulnerabilities AKA understanding threats
Patent Law
Patent law grants ownership of an invention and provides enforcement for owner to exclude others from practicing the invention
After 20 years the patent expires and the invention is open for anyone to use
Copyright Law
Copyright law protects the expression of ideas but not necessarily the idea itself
Trade Secret
Something that is proprietary to a company and important for its survival and profitability (like formula of Coke)
No application to register?
Trademarks
Trademarks are words, names, product shape, symbol, color or a combination used to identify products and distinguish them from competitor products (McDonald’s M)
Registration term: 10 years
Wassenaar Agreement (WA)
Dual use goods & trade
International agreement covering cryptographic (dual-use) exports, intended to prevent destabilizing accumulations of such goods
Computer Crimes
loss, image, penalties???
SOX - Sarbanes Oxley
Implemented in 2002 after ENRON and World Online
Requires independent review by contractors
Section 302: CEOs and CFOs can be sent to jail when information they sign is incorrect
Section 404: Requires internal controls assessment; describe logical controls over accounting files, good auditing and information security
COSO - framework for SOX 404 compliance
Corporate Officer Liability
Executives are held liable if the organization they represent is not compliant with the law
Negligence occurs if there is a failure to implement recommended precautions e.g. disaster recovery plan, background checks, information security, policy, laws and regulations
Treadway commission
???
COSO
Strong in anti-spam and legit marketing
Directs public directories to be subjected to tight controls
Takes an OPT-IN approach to unsolicited commercial electronic communications
User may refuse cookies to be stored, and user must be provided with information
Member states in the EU can make own laws e.g. retention of data
Incident
An event that has potential to do harm
Breach
An incident that results in disclosure or potential disclosure of data
Data Disclosure
Unauthorized acquisition of personal information
Event
Threat events can be accidental/intentional exploitations of vulnerabilities.
ITAR
????
FERPA
????
GLBA
Gramm-Leach-Bliley; credit related PII
ECS
Electronic Communication Service (Europe)
Notice of breaches
Fourth Amendment
Basis for privacy rights
1974 US Privacy Act
Protection of PII on federal databases
1980 Organization for Economic Cooperation and Development (OECD)
Provides specifications for data collection
1986/1996 US Computer Fraud and Abuse Act
Trafficking in computer passwords or information that causes a loss of $1K or more or could impair medical treatment
1986 Electronic Communications Privacy Act
Prohibits eavesdropping or interception without distinguishing private/public
1994 Communications Assistance for Law Enforcement Act (CALEA)
Amended the Electronic Communications Privacy Act of 1986.
CALEA requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use
1987 US Computer Security Act
Security training, develop a security plan, and identify sensitive systems on govt. agencies
1991 US Federal Sentencing Guidelines
Responsibility on senior management with fines up to $290 million
Invoke prudent man rule
Address both individuals and organizations
1996 US Economic and Protection of Proprietary Information Act
??
1996 US National Information Infrastructure Protection Act
Encourage other countries to adopt similar frameworks
Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
Congress amended HIPAA by this Act
Updated many of HIPAA’s privacy and security requirements
Changed the way the law treats business associates (BA), organizations who handle PHI on behalf of a HIPAA covered entity
Business Associate Agreement: Any relationship between a covered entity and a BA must be governed by a written contract (BAA)
Under the new regulation, BAs are directly subject to HIPAA and HIPAA enforcement actions in the same manner as a covered entity
HITECH also introduced new data breach notification requirements
ISC2 Code of Ethics Canons
Protect society, the commonwealth and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally
Provide diligent and competent service to principals
Advance and protect the profession
Internet Advisory Board (IAB)
????
Ethics and Internet (RFC 1087)
Don’t compromise the privacy of users
Access to and use of Internet is a privilege and should be treated as such
It is defined as unacceptable and unethical if you, for example, gain unauthorized access to resources on the internet, destroy integrity, waste resources or compromise privacy.
Business Continuity Plan - Development
Defining the continuity strategy
Computing strategy to preserve the elements of HW/SW, communication lines, data and applications
Facilities: use of main buildings or any remote facilities
People: operators, management, technical support persons
Supplies and equipment: paper, forms, HVAC
Documenting the continuity strategy
BIA - Business Impact Analysis
Goal is to create a document to be used to help understand what impact a disruptive event would have on the business
Gather Assessment Material:
- Org charts to determine functional relationships
- Examine business success factors
Vulnerability Assessment
- Identify Critical IT resources out of critical processes
- Identify disruption impacts and MTD (Max Tolerable Downtime)
- Quantitative Loss (revenue, expenses for repair)
- Qualitative Loss - competitive edge, public embarrassment
- Presented as LOW, MEDIUM, HIGH
Analyze the compiled information
- Document the process
- Identify inter-dependability
- Determine acceptable interruption periods
Documentation and Recommendation
Separation of Duties
Assignment of different parts of tasks to different individuals so no single person has total control of the system’s security mechanisms
Prevents collusion
M of N Control
A requirement that a minimum number of agents (M) out of a total number of agents (N) work together to perform high-security tasks
Ex: Implementing a 3 of 8 control would require three people out of the 8 with the assigned work task of key escrow agent to work together to pull a single key from the key escrow database.
Least Privilege
A system’s user should have the lowest level of rights and privileges necessary to perform their work and should only have them for the shortest amount of time
Read-Only, Read/Write and Access/Change
Two Man Control
Two persons review and approve the work of each other, for every sensitive operation
Dual Control
Two persons are required to complete a task
Rotations of Duties
Limiting the amount of time a person is assigned to perform a security related task before being moved to a different task to prevent fraud
Reduces collusion
Mandatory Vacations
Prevents fraud and allows for investigations
One week minimum
Kills processes
Need to Know
The subject is given only the amount of information required to perform an assigned task, business justification
Employment
Staff members pose more threat than external factors
- loss of money
- stolen equipment
- loss of time work hours
- loss of reputation
- declining trust and loss of resources
- bandwidth theft
- due diligence
Voluntary and Involuntary - Exit Interview
Agreements
NDA
Acceptable Use
Non-Compete
Third Party Controls
Vendors
Consultants
Contractors
Ensure Vendors are properly supervised, rights based on policy
Risk Management Concepts
Threat - damage
Vulnerability - weakness to threat vector (never does anything)
Likelihood - probability it will happen
Impact - overall effects if it happens
Residual Risk - amount leftover
Organization owns the risk
Risk is the product of likelihood and impact
ITIL
ITIL - best practices for IT core operational processes, not for audit
- Service
- Change
- Release
- Configuration
Strong end to end customer focus/expertise
About services and service strategy
Risk Management Goal
The goal of risk management is to determine the impact of the threat and risk of threat occurring and to reduce risk to an acceptable level
Risk Assessment Steps
- Prepare for Assessment (purpose, scope, etc.)
- Conduct Assessment
- ID threat sources and events
- ID vulnerabilities
- Determine likelihood of occurrence
- Determine magnitude of impact
- Determine risk
- Communicate Risk/Results
- Maintain Assessment/regularly
Types of Risk
Inherent Risk: chance of making an error with no controls in place
Control Risk: chance that controls in place will prevent, detect or control errors
Detection Risk: chance that auditors won’t find an error
Residual Risk: Risk remaining after a control is in place
Business Risk: Concerns about effects of unforeseen circumstances
Overall Risk: combination of all risks aka Audit Risk
Preliminary Security Examination (PSE)
Helps to gather the elements that you will need when the actual risk analysis takes place
Risk Analysis Steps
- Identify Assets
- Identify Threats
- Calculate Risks
Risk Assessment Steps
- Prepare
- Perform
- Communicate
- Maintain
Qualitative Risk Analysis
????
SLE
Single Loss Expectancy
SLE = Asset Value * Exposure Factor
Exposure Factor
Percentage loss of an asset
ARO
Annualized Rate of Occurrence
ALE
Annual Loss Expectancy
SLE * ARO
Loss
Probability * Cost
Quantitative Risk Analysis
Mitigate: Reduce risk by implementing controls
Assign: insure the risk to transfer it
Avoid: Stop business activity
Residual Risk
When the cost of applying extra countermeasures is more than the estimated loss resulting from a threat or vulnerability (C > L)
Legally the remaining residual risk is not counted when deciding whether a company is liable.
Controls Gap
The amount of risk that is reduced by implementing safeguards. A formula for residual risk is as follows:
total risk - controls gap = residual risk
RTO
How quickly you need to have that application’s information available after downtime has occurred
RPO
Recovery Point Objective
Point in time that application’s information data must be recovered to resume business functions
Amount of data you’re willing to lose
MTD
Maximum Tolerable Downtime
Maximum delay a business can be down and still remain viable
- MTD for critical: minutes to hours
- MTD for urgent: 24 hours
- MTD for important: 72 hours
- MTD for normal: 7 days
- MTD for non-essential: 30 days
Risk Response
Risk Avoidance: discontinue activity because you don’t want to accept risk
Risk Transfer: passing on the risk to another entity
Risk Mitigation: elimination or decrease in level of risk
Risk Acceptance: live with it and pay the cost
Background checks - mitigation, acceptance, avoidance
Control Costs
Control cost should be less than the value of the asset being protected
Administrative/Managerial Policy
Preventative: hiring policies, screening, security awareness (soft measures)
Detective: screening behavior, job rotation, review of audit records
Technical / Logical Policy
Preventative: protocols, encryption, biometrics, smartcards, routers, firewalls
Detective: IDS and automatic generated violation reports, audit logs, CCTV (never preventative)
Physical Policy
Preventative: fences, guards, locks
Detective: motion detectors, thermal detectors, video cameras
Risk Analysis and Its Prime Objective
A process that analyzes threat scenarios and produces a representation of the estimated potential loss.
Prime Objective is to reduce the effects of security threats and vulnerabilities to a tolerable level
Access Control - Main Categories
Directive: specify rules of behavior
Deterrent: discourage people, change my mind
Preventative: prevent incident or breach
Compensating: sub for loss of primary controls
Detective: signal warning, investigate
Corrective: mitigate damage, restore control
Recovery: restore to normal after incident
Penetration Testing
Testing a network’s defenses by using the same techniques as external intruders
Scanning and Probing - port scanners
Demon Dialing - war dialing for modems
Sniffing - capture data packets
Dumpster Diving - searching paper disposal areas
Social Engineering - most common, get information by asking
Blue Team
Has knowledge of the organization, can be done frequently and is the least expensive
Red Team
External and stealthy
White Box
Ethical hacker knows what to look for, sees code as a developer
Grey Box
Partial knowledge of the system, sees code, act as a user
Black Box
Ethical hacker not knowing what to find
4 Stages of Penetration Test Planning
- Planning
- Discovery
- Attack
- Reporting
Pen Test Strategies and Categories
Strategies: external, internal, blind, double-blind
Categories: zero, partial, full knowledge tests
Software License - Public Domain
Available for anyone to use
Software License - Open Source
Source Code made available with a license in which the copyright holder provides the rights to study, change and distribute the software to anyone
Software License - Freeware
Proprietary software that is available for use at no monetary cost. May be used without payment but may usually not be modified, re-distributed or reverse-engineered without the author’s permission
Wire Tapping
Eavesdropping on communication - only legal with prior consent
Data Diddling
Act of modifying information, programs, or documents to commit fraud, tampers with INPUT data
Privacy Laws
Data collected must be collected fairly and lawfully and used only for the purpose it was collected
Water Holing
Create a bunch of websites with similar names
Work Function (factor)
The difficulty of obtaining the clear text from the cipher text as measured by cost/time
Fair Cryptosystems
In this escrow approach, the secret keys used in a communication are divided into two or more pieces, each of which is given to an independent third party.
When the government obtains legal authority to access a particular key, it provides evidence of the court order to each of the third parties and then reassembles the secret key.
Information Security Program
Provides the means for achieving strategy
Defines:
- policies/standards/procedures/guidelines
- roles and responsibilities
- SLAs/Outsourcing
- Data Classification/Security
- C&A (Certification and Accreditation)
- Auditing
Types of Policy
- Corporate/Organizational Policy: management’s intent, commitment and philosophy to the organization
- System Specific Policy: policy will state that MFA is required, and the standard will state the details of what type of MFA
- Issue Specific Policy: can’t rely on common sense
*Policies don’t change often, but standards do - they fill in the gaps in policy
Change Management
Changes are not implemented randomly, but follow a formalized process to implement change - approved, tested, etc.
Acceptable Use
How organizations expect their resources to be treated.
Privacy
Do employees have an expectation of privacy in the workplace? The answer should be yes. The employer doesn’t have to provide privacy, but the employee would have to be notified.
Biggest part of privacy policy is notification.
Data/System Ownership
Be clear of who owns the system and who owns the information - these people are responsible for determining the classification of information and dictate the controls
Separation of Duties
ALWAYS THE RIGHT ANSWER
no one individual has too much power, it’s a conflict of interest
SoD forces collusion: if an employee wants to commit fraud, they would have to bring in another employee and would be less successful
Mandatory Vacation
A detective control, usually in banks
If a person is committing fraud, their absence would highlight this.
Job Rotation
Cross training; redundancy
A detective control, someone can view the work that was done
Least Privilege/Need to Know
Least Privilege = action
Need to Know = data
- rights to access to data
Dual Control
Preventing the abuse of power because it would take two individuals to commit fraud.
M of N
Variables stating that so many of the total need to be present
Standards
States the specifics of policy
- mandatory
- created to support policy, while providing more details
- reinforces policy and provides direction
- can be internal or external
Procedures
Mandatory, how-to’s
SOP - standard operating procedures
Guidelines
Not mandatory
best practices, recommendations
will have words like - whenever possible, should, etc.
Documentation Relationships
Guidelines - suggestions
Procedures - how
Standards - what
Policies - why
Baselines
Mandatory
Minimum acceptable security configuration for a system or process
The purpose of security classification is to determine and assign the necessary baseline config to protect data
Senior Management
Provide
- strategy and oversight
- funding and support
- ensure testing and results
- prioritize business functions (BIA) (COO)
- common vision/strategy/framework for the enterprise
- ‘sign-off’ on Policy, BIA and other organization documents
Business Impact Analysis (BIA)
The document that prioritizes business processes, services, etc. based on criticality to the organization
COO
Steering Committee
- Oversight of Information Security Program
- acts as liaison between management, business, information technology, and information security.
- assess and incorporate results of the risk assessment activity
- intro the decision-making process
- ensures all stakeholder interests are addressed
- oversees compliance activities
CISO Chief Information Security Officer
Senior Management - provides the what
- directly involved in strategic planning using CIA triad
- policy development
- technology assessments
- not just digital data, also verbal and physical
- process improvements
- acquisitions
- capital planning
- security
Information Security Manager
Functional Management - provides the how
- plays leading role in introducing an appropriate, structured methodology - solutions work, tested and are validated
- acts as a major consultant in support of senior management
Business Managers
Owners of systems and information
- determine classification of assets, data access, how it is protected etc
Our customers, heads of business units
Accountable for the protection of the information
Security Practitioner
Implement, configure the security requirements
Support or use the risk management process to identify and assess new potential risk and implement new security controls as needed to safeguard their IT systems
Auditors
Audit controls and policies to ensure that they are being implemented and are effective - and report on this.
If internal auditing is in place, auditors should not report to the head of a business unit, but rather to the COO or some other entity without direct stake in results
Auditors document, they do not modify and should never have write access
Auditors are there for compliance, and will tell you if they are compliant with policy. Audit will not tell you if something works; you’ll need to test.
Security Trainers
Must understand the risk management process
Develop appropriate training materials
Conduct security trainings and awareness programs catered to roles within the organization
Incorporate risk assessment into training programs to educate the end users
Encourage users to report violations
Should make a security positive environment, and stay away from blame culture
Important to talk about WHY we enforce what we do
Information Security/Enterprise Risk Management
ISRM is the process of managing risks associated with the use of info technology
Involves identifying, assessing, and treating risks to the confidentiality, integrity and availability of an organization’s assets.
asset
Anything of value to the company and what we’re protecting
First step in RA is identifying assets and its values
- could be devices, information, IP
vulnerability
a weakness in an asset; the absence of a safeguard
threat
something that could pose loss to all or part of an asset
threat agent
what carries out the attack; person and/or software
exploit
an instance of a compromise
risk
the probability of a threat materializing if I do nothing to mitigate the risk
ties in with likelihood
controls
aka safeguards (proactive, e.g. a firewall) or countermeasures (reactive, e.g. reviewing an audit log)
physical, administrative, and technical protections
total risk
the risk that exists before any control is implemented
aka inherent risk
residual risk
leftover risk after applying a control
could be because you can’t, or because you don’t want to - just get it to an acceptable level
risk management about getting residual risk to acceptable levels
secondary risk
when one risk response triggers another risk event
security patches, service packs - security problem is fixed but not as available
incident
a risk event that has transpired
Risk Identification
Identify:
- the value of assets (what am I protecting and what is it worth)
- threats
- current controls and policies
- vulnerabilities and residual risk
- consequences of the residual risk
Risk Assessment (Value)
Qualitative
Quantitative
Risk Mitigation/Response
- Reduce
- Accept
- Transfer
- Avoid
- Reject
Risk Management Steps
- Identification
- Assessment
- Mitigation/Response
- Ongoing Evaluation
A revolving life cycle
Methods of identifying risk
- sources of risk documentation
- audit reports incident reports
- interviews with SMEs and public media
- annual reports
- press releases
- vulnerability assessments and penetration tests
- business continuity and disaster recovery plans
- interviews and workshops
- threat intelligence services
Alignment with Business Goals and Objectives
- the most important step for a CISM is to understand the business; review org vision and strategy FIRST
- look beyond IT - risk is measured by the impact the risk has on the BUSINESS not the SYSTEM
- senior management must be supportive and involved
  - management funds and supports risk mgmt
  - good metrics mean we have attainable objectives
  - good communication and transparency help us make risk-aware business decisions
Organizational Structure + Impact on Risk
Risk Context: the context in which the org operates; culture, environment, constraints, high risk activities. Factors that influence how risk is addressed
Risk Management approach should be enterprise wide and a common framework should be shared across all departments - TESTABLE!!!!
- framework, strategy and programs should all be universal
Three lines of defense
RACI Charts should be used to indicate responsibilities
Three Lines of Defense
1st Line: Business Units - Admins, Senior Management
- involved in day-to-day risk management
- follow a risk process
- apply internal controls
- dealing with systems and information
2nd Line: Risk and Compliance - Hands-On
- oversee and challenge risk management
- provide guidance and direction
- develop risk management framework
3rd Line: Audit - Auditors
- review 1st and 2nd lines
- provide an independent perspective and challenge the process
- objective and offer assurance
Risk Management Lifecycle
- IT Risk Assessment
- Risk Response and Mitigation
- Risk and Control Monitoring and Reporting
- IT Risk Identification
IT Risk Assessment
Objective is to justify the mitigation strategy
Risk Value
Potential for loss associated with the risk
Qualitative Risk Analysis
- the starting point
- brainstorming - example, planning a picnic in 3 weeks; what’s a risk to this picnic? e.g. weather
- not expensive and does not take a long time
- Subjective analysis to help prioritize probability and impact of risk events
- May use Delphi Technique: anonymous surveying; people are more honest when anonymous
- Probability and Impact Matrix to complete this
- Assess risks based on subjective input
- Uses terms like high, medium and low
- inexpensive, and quick way to begin the prioritization and ranking of risk
Quantitative Risk Analysis
- THE DOLLARS!!!!
- per year I’m losing $8K, but if I spend $10K I won’t have that risk anymore
- Providing a dollar value to a particular risk event
- Much more sophisticated in nature, quantitative analysis is much more difficult and requires a special skill set
- Business decisions are made on a quantitative analysis
- Can’t exist on its own. Quantitative analysis depends on qualitative information
(AV) asset value
Dollar figure that represents what the asset is worth to the organization
$300K warehouse
- test questions won’t be tricky for these
$300K warehouse that has 75K of hardware = count it all together
(EF) exposure factor
The percentage of loss that is expected to result from the manifestation of a particular risk
Every time there is a fire, I lose 50% of the asset = will lose $150K
(SLE) single loss expectancy**
Dollar figure that represents the cost of a single occurrence of a threat instance
every time the risk event happens, what does it cost me?
AV × EF = SLE
(ARO) annual rate of occurrence
How often the threat is expected to materialize
(ALE) annual loss expectancy**
Cost per year as a result of the threat
Every time a hard drive fails (risk event), it costs the company $3K (AV or EF?). Hard drive fails 3x a year (ARO) = $9K (ALE). You can spend $5K (cost of control) to mitigate it.
(TCO) total cost of ownership
Total cost of implementing a safeguard. Often in addition to initial costs, there are ongoing maintenance fees as well.
Make sure you are looking at both upfront costs and maintenance fees - printer example, cheap to buy but have to keep buying ink every 20 prints
(ROI) return on investment
amount of money saved by implementation of a safeguard. Sometimes referred to as the value of the safeguard/control
Looking for controls that mitigate risk to an acceptable level = ROI
Steps for Quantitative Analysis
- Assign Asset Value (AV)
- Calculate Exposure Factor (EF)
- Calculate Single Loss Expectancy (SLE)
- Assess the annualized rate of occurrence (ARO)
- Derive the annualized loss expectancy (ALE)
- Perform cost/benefit analysis of countermeasures
Risk Mitigation and Response
Risk Assessment will dictate the appropriate risk response
- reduce
- avoidance
- transfer
- accept
- rejection - not acceptable
Risk Reduction/Avoidance
When action is taken to lessen the frequency and/or impact of a risk. Can’t lessen the probability of rain, but can lessen the impact by bringing an umbrella
- may require the use of several controls until it reaches levels of risk acceptance or risk tolerance
If you’ve brought risk probability down to zero - you have avoided the risk
- there’s usually a negative payoff, like not doing or having something that we want
Examples of risk mitigation
- strengthening overall risk management practices, such as implementing sufficiently mature risk management processes
- deploying new technical, management or operational controls that reduce either the likelihood or the impact of an adverse event
- installing a new access control system
- implementing policies or operational procedures
- developing an effective incident response and business continuity plan (BCP)
- using compensating controls
ULTIMATE RISK REDUCTION IS AVOIDANCE!! but there is NO RISK ELIMINATION - no such thing!! TESTABLEEEEEEEEEEEEEEEE
Risk Reduction/Transference
Risk transference is a decision to reduce loss through sharing that risk with another organization
- insurance
- just because you have transference, does not reduce the risk of fire, but will reduce the potential for loss
Transference Examples:
SLA (Service Level Agreements) and contracts establish the degree of transference.
Outsourcing work - I am a healthcare provider and have no idea how to remain HIPAA compliant, so I outsource to a company to handle it
BUT YA CAN’T TRANSFER LIABILITY!!!!
- if the HIPAA company fails to protect the data, the liability is still on the healthcare provider
Risk Acceptance
Sometimes you just can’t mitigate the risk; not feasible due to price, complexity, etc.
bring it up next quarter maybe
Examples:
- provides no active mitigation
- based on cost/benefit analysis, it is determined the cost of the control is less than the potential for loss
- sometimes acceptance is the only choice
- risk acceptance still includes due diligence, and can still be used to indicate good business decisions were made
- level of risk and impact is always changing, so regular reviews are needed
The difference between risk rejection and risk acceptance is that with acceptance there is due diligence and good business decisions were made
Risk Monitoring and Reporting
A risk response is designed and implemented based on a risk assessment that was conducted at a single point in time
Because of the changing nature of risk and associated controls, ongoing monitoring is an essential step of the risk management life cycle
- controls can become less effective
- the operational environment may change and new threats, technologies and vulnerabilities may emerge
Controls need to be re-evaluated for risk mitigation at least once per year, or after a major change
- just because something isn’t broken OR there hasn’t been a compromise yet
Key Risk Indicators (KRIs)
Essentially a warning sign that a risk may materialize. Ex: if the risk is rain, a KRI would be dark clouds, thunder, etc., so we should move into the alternate indoor area
- provide early warning
- provide backward-looking view on risk events
- enable documentation and analysis of trends
- provide an indication of risk appetite and tolerance
- increase the likelihood of achieving strategic objectives
- assist in optimizing risk governance
Examples of KRIs
- quantity of unauthorized equipment or software detected in scans
- number of instances of SLAs exceeding thresholds
- high average time to research and remediate operations incidents
- number of desktops/laptops that do not have current antivirus signatures or have not run a full scan within scheduled periods
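The last KRI above (endpoints with stale antivirus signatures or overdue full scans) can be computed from an asset inventory and rated against the organization's tolerance bands. The following is an added example written for this page, not code from the source; the inventory, reporting date, scan policy and thresholds are all constructed assumptions. It shows the three properties the section describes: the raw observation, an early-warning band below the hard tolerance limit, and a trend against prior reporting periods.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Endpoint:
    """One inventory record: last full AV scan and date of installed signature set."""
    host: str
    last_full_scan: date
    signature_date: date


# Assumed reporting date and policy (hypothetical values, not from the page).
TODAY = date(2024, 3, 15)
SCAN_PERIOD_DAYS = 7          # policy: a full scan at least weekly
SIGNATURE_MAX_AGE_DAYS = 2    # policy: signatures no older than two days

# Constructed sample inventory (hypothetical hosts).
INVENTORY = [
    Endpoint("ws-001", date(2024, 3, 14), date(2024, 3, 15)),   # compliant
    Endpoint("ws-002", date(2024, 3, 1),  date(2024, 3, 15)),   # scan overdue
    Endpoint("ws-003", date(2024, 3, 13), date(2024, 3, 10)),   # signatures stale
    Endpoint("ws-004", date(2024, 2, 20), date(2024, 2, 20)),   # both failing
    Endpoint("ws-005", date(2024, 3, 12), date(2024, 3, 14)),   # compliant
]


def noncompliant_endpoints(inventory, today=TODAY):
    """Hosts failing either check: the KRI's raw observations."""
    failing = []
    for ep in inventory:
        scan_overdue = (today - ep.last_full_scan).days > SCAN_PERIOD_DAYS
        sigs_stale = (today - ep.signature_date).days > SIGNATURE_MAX_AGE_DAYS
        if scan_overdue or sigs_stale:
            failing.append(ep.host)
    return failing


def kri_status(value, warn, limit):
    """Rate a KRI value: 'amber' is the early-warning band, 'red' means the
    risk tolerance (hard limit) has been reached or exceeded."""
    if value >= limit:
        return "red"
    if value >= warn:
        return "amber"
    return "green"


def kri_report(inventory, history, warn_pct=20.0, limit_pct=40.0, today=TODAY):
    """Compute this period's KRI (% of endpoints non-compliant), rate it
    against the tolerance bands, and derive a trend from prior periods.
    `history` is the list of previous periods' percentages (oldest first)."""
    failing = noncompliant_endpoints(inventory, today)
    pct = round(100.0 * len(failing) / len(inventory), 1)
    if not history or pct == history[-1]:
        trend = "flat"
    elif pct > history[-1]:
        trend = "rising"
    else:
        trend = "falling"
    return {
        "value_pct": pct,
        "failing": failing,
        "status": kri_status(pct, warn_pct, limit_pct),
        "trend": trend,
        "series": history + [pct],
    }


if __name__ == "__main__":
    # Two prior periods assumed for the trend (constructed values).
    print(kri_report(INVENTORY, [10.0, 25.0]))
```

A rising amber reading is the point of a KRI: it is reported before the limit is breached, while there is still time to act. The bands (warn/limit) are where risk appetite and tolerance enter the calculation; they are organization-specific inputs, not properties of the data.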
KRIs Support The Following
- risk appetite
- risk identification
- risk mitigation
- risk culture
- risk measurement and reporting
- regulatory compliance
Risk Management Process Review
Risk Assessment
- usually the most difficult to accomplish
- many unknowns
- necessary effort of gathering the right data
Risk Analysis
- can be done qualitatively and/or quantitatively
Risk Mitigation
- takes steps to reduce risk to acceptable level
Risk Monitoring
- remember - risk must be managed since it cannot be totally eliminated
Legal Considerations - note on exam relevance
NOT HUGE ON THE EXAM because most of it is US-based law and the exam is global
Liabilities
Who is at fault?
- failure of management to execute Due Care/Due Diligence can be termed negligence
- culpable negligence is often used to prove liability
Prudent Man Rule:
- perform duties that prudent people would exercise in similar circumstances. Ex: due diligence - researching industry standards and best practices; due care - setting and enforcing policy to bring the organization into compliance
Downstream liabilities
Integrated technology with other companies can extend one’s responsibility outside the normal bounds
Types of Law
Criminal
Civil
Regulatory
Intellectual property
Criminal Law
Difficult to get a conviction for cyber crimes
- burden of proof is "beyond a reasonable doubt", which can be hard to meet in computer-related crimes because the technical details are difficult to present
Penalties: financial, jail time, death
- felonies: the more serious of the two; the penalty often results in incarceration of at least a year
- misdemeanors: normally the less serious of the two, with fines or jail time of less than one year
The goal of criminal penalties is punishment, and deterrence
Civil (Tort) Law
Burden of proof = preponderance of the evidence (more likely than not)
Damages
- compensatory: paid for the actual damage which was suffered by a victim, including attorney fees, loss of profits, medical costs, investigative costs, etc.
- punitive: designed as a punishment for the offender
- statutory: an amount stipulated within the law rather than calculated based on the degree of harm to the plaintiff. Often, statutory damages are awarded for acts in which it is difficult to determine the value of the harm to the victim
Liability, Due Care, Due Diligence, Prudent Person Rule are all pertinent to civil law, as well as administrative law
Administrative (Regulatory) Law
Defines standards of performance and regulates conduct for specific industries
- Banking (Basel II)
- Energy (EPAct) of 2005
- Health Care (HIPAA)
Burden of proof = ‘more likely than not’
Penalties consist of fines or imprisonment
Intellectual Property
Intellectual Property Law
- protecting products of the mind
- company must take steps to protect resources covered by these laws or these laws may not protect them
Main international organization run by the UN is the World Intellectual Property Organization (WIPO) - investigates copyright issues
Licensing violations are the most prevalent, followed by plagiarism, piracy and corporate espionage
Trade Secret
Resource must provide competitive value and a unique edge
Ex: McDonald's Big Mac sauce recipe
Must be reasonably protected from unauthorized use or disclosure
Proprietary to a company and important for survival
Must be genuine and not obvious
Knowledge Transfer
TRAIN YOUR PEOPLE!
Awareness, Training, Education
“People are often the weakest link in securing information. Awareness of the need to protect information, training in the skills needed to operate them securely and education in security measures and practices are of critical importance for the success of an organization’s security program”
The goal of knowledge transfer is to modify employee behavior
- there may be more incident reports because they know what’s wrong and know how to report
Security Awareness Training
- employees can’t and won’t follow the directives and procedures if they don’t know them
- employees must know expectations and ramifications, if not met
- employee recognition award program
- part of due care
- administrative control
Shouldn't be one size fits all:
- Sr. management also needs training - due diligence, due care, culpable negligence
- End users - basic cyber hygiene
Overriding Benefits
- modifies employee behavior and improves attitudes towards information security
- increases ability to hold employees accountable for their actions
- raises collective security awareness level of the organization