Domain 1: GOVERNANCE AND RISK MANAGEMENT Flashcards
Business driver
Condition, process, requirement, or other concern that influences the way an org manages activities
What does understanding why an organization exists and conducts business precede?
Developing InfoSec Governance
Proprietorship
Single owner/family owned
Proprietorship decision-making process
Single decision maker
Partnership
Multiple owners
Who is responsible for management and risk in a partnership?
All partners
Corporation purpose
Separate liability from the owners
Articles of incorporation
How a business will be run
Primary force driving governance
Shareholder value
CMMI
Capability Maturity Model Integration
CMMI Levels
- Initial
- Managed
- Defined
- Quantitatively Managed
- Optimizing
CMMI Proactive levels
3-5 (Defined, Quantitatively Managed, Optimizing)
When do orgs realize the benefits of mapping processes to organizational standards and achieving consistency?
CMMI Level 3
Business drivers affect…
Decisions made in an organization
Most important InfoSec drivers? (2)
Business compliance
Privacy needs
CISO must understand these drivers (4)
Objectives
Business processes supporting objectives
Information and technology
Threats to operations
First things CISOs need to do
Understand how the org works: people, revenue streams
ISMS
Policy, guided by Governance and Compliance
Then everything under that.
Risk, Architecture, Asset Classification, SecOps
Business Resilience
Training
Metrics & Reporting
Benefit of a security policy
Provides legal protection because of a stated commitment to requirements
Most common reason companies create security policies…
Regulatory requirements
Other reasons for policies
Compliance
Frameworks (ISO)
Most important content
Understandable
Target Audience
Policy best-practices (5)
Concise
Common Language
Consistent with law
Reasonable
Enforceable
Who must support a policy?
Senior Management
Traditional role of CISO is to develop processes to support 4 objectives
Reduce IT Risk
Establish and implement security policies and procedures
Establish standards and controls
Respond to incidents
Ethics
Moral principles that govern behavior of a person or group.
Seven-question framework for ethical decision-making
Alternatives?
Stakeholders?
Harm?
Most good with least harm?
Are alternatives objectionable?
Am I comfortable with it?
Comfortable telling friends or family?
Does EC-Council have Code of Ethics?
Yes
Risk management
Identification, assessment, and prioritization of risks followed by effort to minimize, monitor, and control probability and impact
Risk management principles (7)
Understand risks
Measure risk
Communicate risk
Select treatment plans
Implement treatment plan
Manage residual risk
Communicate status of risk management program
Who is responsible for the process or framework for communicating risk?
CISO or CRO
Risk management framework provides…
Approach to a specific objective
NIST RMF
Life cycle to incorporate security throughout a system development project
NIST RMF Lifecycle (8)
Categorize systems
Select controls
Supplement controls
Document
Implement
Assess controls
Authorize systems
Monitor controls
How do you know if you own a risk?
Whether you have the authority to fix it or not.
Who is responsible for the final decision to apply a risk treatment?
Business/Asset owner
Risk treatment options (4)
Modification or mitigation
Avoidance
Transfer
Acceptance
Risk modification
Most common
Applying security controls
Risk modification aka
mitigation
Risk avoidance
Eliminate the risk
Risk sharing aka
Risk transfer
Inherent risk
Risk that comes with using a system
Residual risk
Risk following treatment
ISO 27005
Guidelines for information security risk management
Costs money
ISO 27005 steps (4)
Design controls
Deploy
Manage controls
Ongoing analysis of controls
ISO 27005 Risk Assessment Workflow (3)
Risk Identification
Risk Analysis
Risk Evaluation
Risk identification
Determine what can cause loss
Learn how, where, why loss might happen
Risk identification evaluates…
Assets
Threats
Controls
Vulnerabilities
Consequences
Risk identification maps consequences to…
Assets
Business processes
Risk Analysis analyzes… (3)
Consequences
Likelihood
Level of risk (rating)
Risk Evaluation
P
Risk treatment
Prioritized set of risks
Develop recommendations
Risk acceptance occurs…
After risk treatment and validation of control effectiveness
Risk feedback
Monitoring, review, and communication
Risk monitoring feedback loop (2)
Monitor risks and initiate assessment when risks change.
Review risk management program for continuous improvement
Risk communication includes…
Outcome of assessments
Status reports
Assessment issues
General concerns
NIST 800-37r1
Risk Management Lifecycle
800-30
Guidance for risk assessments
800-39
Risk management guidance
Risk framing
Assumptions, constraints, tolerances, and priorities that shape an organization's approach to managing risk.
ISO 31000
Enterprise Risk Management
Threat Agent Risk Assessment (TARA)
Process to identify and assess threats and select countermeasures
OCTAVE Allegro
Lean Risk Assessment
Doesn’t select controls
FAIR
Quantifies strength of controls
COBIT
ISACA framework for IT management
ITIL
Practices for IT service management