Information Security Governance and Risk Management Flashcards
Principles and Terms
CIA Triad
Vulnerability
Threat
Threat Agents
CIA Triad - Confidentiality, Integrity, Availability
Vulnerability - absence or weakness of a countermeasure
Threat - occurs when vulnerability is identified or exploited by an attacker
Threat Agents - Entity that carries out the threat. Not all will actually exploit a vulnerability
Principles and Terms
Risk
Exposure
Countermeasures
Due Care
Risk - Probability that a threat agent will exploit a vulnerability and the impact if it’s carried out
Exposure - Occurs when an asset is exposed to loss
Countermeasures - A Control or Mechanism that reduces potential risk. AKA safeguards or controls
Due Care - Organization took all reasonable measures to prevent security breaches and took steps to mitigate damages caused by successful breaches. NOT due diligence. Lack of due care means the company knew about a risk and did nothing to prevent it
Principles and Terms
Due Diligence
Job Rotation
Due Diligence - Organization investigated all vulnerabilities. Includes performing audits and assessments to ensure they’re protected
Job Rotation - Ensures more than one person can perform job tasks, providing redundancy. Important tool to help recognize when fraudulent activities have occurred
Principles and Terms
Separation of Duties and 2 ways to do it
split knowledge
dual controls
Ensures one person can’t compromise organizational security.
split knowledge - no single employee knows all details to perform task
dual controls - requires 2 employees to be available to do a certain task to complete the job
Security Frameworks and Methodologies
ISO / IEC 27000 Series (over 40)
27001 - overview, vocabulary
27002 - ISMS requirements
27003 - code of practice for infosec mgmt
27004 - ISMS implementation guidelines
27005 - ISMS measurement guidelines
Security program development standard on how to develop and maintain information security management system (ISMS)
These standards are developed by ISO / IEC bodies but certification or conformity assessment is provided by third parties
Security Frameworks and Methodologies
Zachman Framework
2D, 6x6 grid of questions and views
Enterprise architecture framework
2-Dimensional classification system based on 6 questions (What, Where, When, Why, Who, How) that intersect with different views (Planner, Owner, Designer, Builder, Subcontractor, Actual System)
Allows analysis of an org. to be presented to different groups in the org. in ways that relate to their responsibilities
Not security oriented, but helps relay information in a language and format that is useful to target audience
Security Frameworks and Methodologies
The Open Group Architecture Framework (TOGAF)
TOGAF - enterprise architecture framework
helps orgs design, plan, implement, govern an enterprise information architecture.
Based on 4 domains: technology, applications, data, business
Security Frameworks and Methodologies
Department of Defense Architecture Framework (DoDAF)
DoDAF - architecture framework
organizes set of products under 4 views: operational (OV), system (SV), technical standards (TV), all view (AV)
ensures new DoD technologies integrate properly with current infrastructure
Security Frameworks and Methodologies
British Ministry of Defense Architecture Framework (MODAF)
MODAF - architecture framework
Divides information into 7 viewpoints:
strategic (StV)
operational (OV)
service-oriented (SOV)
systems (SV)
acquisition (AcV)
technical (TV)
all (AV)
Security Frameworks and Methodologies
Sherwood Applied Business Security Architecture (SABSA)
Enterprise security architecture framework that is risk driven
Similar to Zachman framework
uses same 6 communication questions that intersect with six layers instead of views (operational, component, physical, logical, conceptual)
Security Frameworks and Methodologies
Control Objectives for Information and Related Technology (COBIT)
Security Controls development framework
Uses process model to subdivide IT into 4 domains:
Plan and Organize (PO)
Acquire and Implement (AI)
Deliver and Support (DS)
Monitor and Evaluate (ME)
4 domains are further broken down into 34 processes
aligns with ITIL, PMI, ISO, TOGAF frameworks
mainly used in private sector
Security Frameworks and Methodologies
NIST SP 800-53
NIST SP 800-55
SP 800-53
Security CONTROLS DEVELOPMENT framework
Divides controls into 3 classes: technical, operational, mgmt
each class contains categories, or control families
SP 800-55
information security METRICS framework
provides guidance on developing performance measuring procedures with a US Govt viewpoint
Security Frameworks and Methodologies
Committee of Sponsoring Organizations (COSO) of the Treadway Commission Framework
COSO
Corporate governance framework.
Consists of 5 inter-related components: control environment, risk assessment, control activities, information and communication, monitoring
COSO is for IT governance
COBIT was derived from COSO and is for corporate governance
Security Frameworks and Methodologies
ITIL
Process Management Development. Primary concern is managing SLA’s, but has a security component
5 Core Publications containing 26 processes:
ITIL Service Strategy
ITIL Service Design
ITIL Service Transition
ITIL Service Operation
ITIL Continual Service Improvement
As part of OMB circular A-130 Independent review of security controls should be performed every 3 years
Security Frameworks and Methodologies
Six Sigma
Process Improvement Standard. Designed to ID and remove defects in manufacturing process, but can be applied to many business functions incl. security
2 project methodologies inspired by Deming’s Plan/Do/Check/Act cycle
DMAIC - Define, Measure, Analyze, Improve, Control
DMADV - Define, Measure, Analyze, Design, Verify
Security Frameworks and Methodologies
Capability Maturity Model Integration (CMMI)
Process Improvement Approach
Addresses 3 areas of interest:
Product, Service Development (CMMI Development)
Service Establishment, Mgmt (CMMI Services)
Product, Service Acquisition (CMMI Acquisition)
5 levels of maturity for processes:
1 Initial
2 Managed
3 Defined
4 Quantitatively Managed
5 Optimized
All processes in each level of interest are assigned one of the 5 levels of maturity
Security Frameworks and Methodologies
Top-Down vs Bottom-Up approach
Top-Down
management initiates, supports, directs security program
Bottom-Up
staff members develop security program before getting direction and support from management
top-down is more efficient because management support is so important
Security Frameworks and Methodologies
Steps of Security Program Life Cycle
- Plan and Organize
- Implement
- Operate and maintain
- Monitor and evaluate
plan and organize
perform risk assessment, establish mgmt and steering committee, evaluate business drivers, get mgmt approval
implement
ID and manage assets, manage risk, identity and access control, training on security and awareness, implement solutions
operate and maintain
perform audits, do tasks, manage SLA’s
monitor and evaluate
review auditing and logs, evaluate security goals, develop improvement plans for integration into Step 1 - Plan and Organize
Risk Assessment
Tool to identify vulnerabilities and threats, assess their impact and determine which controls to implement
Risk Assessment
4 goals of risk Assessment
ID assets and asset value
ID vulnerabilities and threats
calculate threat probability and business impact
balance threat impact with countermeasure cost
Risk Assessment Process
before starting risk assessment, determine which assets and threats to consider to establish the size of the project
risk assessment team provides report to mgmt on value of assets considered
mgmt finalizes the asset list and determines budget of risk assessment project
if risk assessment project is not supported by sr. mgmt, it will fail
mgmt must define the purpose and scope, allocate personnel, time and budget for the project
Risk Assessment
NIST SP 800-30
Identifies these steps in risk assessment process
ID assets and value
ID threats
ID vulnerabilities
Determine likelihood
ID impact
Determine risk as combination of likelihood and impact
Asset Values, Vulnerabilities and Threats
Information and Asset (tangible and intangible) Values and Costs
6 considerations to determine asset value
after determining value, then determine vulnerabilities and threats
Tangible assets
Intangible assets - IP, data, reputation
6 considerations to determine asset value:
value to owner
work needed to develop or obtain asset
costs to maintain asset
damage caused by losing asset
cost competitors would pay for asset
penalties if asset was lost
Asset Values, Vulnerabilities and Threats
Vulnerabilities and Threats Identification
Threat agents can be grouped into 6 Categories
Human - malicious, non malicious, insiders, outsiders, terrorists
Natural - flood, fire, etc
Technical - hardware, software failure, malware, new tech
Physical - failures of CCTV, biometrics, perimeter security
Environmental - power failure, traffic, hazmat spills, biological warfare, traffic issues
Operational - any process or procedure that can affect CIA
Quantitative Risk Analysis
Assigns monetary and numerical values to all facets of the risk analysis process.
Includes asset value, threat frequency, vulnerability severity, impact, safeguard costs, etc
Quantitative Risk Analysis
Single Loss Expectancy (SLE)
SLE - monetary impact of each threat occurrence.
To determine it, you must know the Asset Value (AV) and the Exposure Factor (EF).
EF is the % value or functionality of an asset that is lost when a threat occurs
SLE = AV * EF
Ex. if an asset costs $20,000 and the assessment says the exposure factor for power failure is 25%, then SLE is $5,000
Quantitative Risk Analysis
Exposure Factor (EF)
EF - The percent value or functionality of an asset that will be lost when a threat occurs
Quantitative Risk Analysis
Annual Loss Expectancy (ALE)
ALE - expected risk factor of an annual threat event
Must first know the SLE and the ARO
ALE = SLE * ARO
ALE = (AV * EF) * ARO
Ex.
If ARO is 50%, AV is $20,000 and EF is 25%
then
ALE = (20,000 * .25) * (.5)
ALE = 5000 * .5
ALE = $2,500
Qualitative Risk Analysis
Techniques
intuition, experience, best practices
brainstorming, focus groups
surveys, questionnaires, meetings and Delphi
Qualitative Risk Analysis
Advantages of Qualitative Risk Analysis
Prioritizes risks and identifies areas for immediate improvement in addressing threats
Qualitative Risk Analysis
Disadvantages of Qualitative Risk Analysis
results are subjective and dollar value is not provided for cost-benefit analysis or budgeting
All organizations experience issues with any estimates. This lack of confidence in an estimate is called uncertainty and expressed as a percentage
All risk assessment reports should include the uncertainty level
Safeguard Selection
Criteria for choosing safeguards (or controls)
the cost effectiveness of the safeguard or control. Including planning, designing, implementing, maintenance costs
Safeguard Selection
Formula to calculate cost-benefit analysis.
Knowing corrected ARO after safeguard is implemented is necessary for determining safeguard value
legal liability exists if cost of safeguard is less than estimated loss if the threat is exploited
safeguard value =
(ALE before safeguard) - (ALE after safeguard) - (annual cost of safeguard)
To complete this equation you have to know the revised ALE after safeguard is implemented (which can be hard to assess)
Total Risk vs Residual Risk
Total Risk
Residual Risk
Total Risk - risk that organization could encounter if it decides not to implement any safeguards
Residual risk - risk that is left over after safeguards are implemented
Total Risk vs Residual Risk
Equation to represent residual risk
equation is more conceptual than an actual calculation
residual risk = (total risk) - countermeasures
Risk Management
Handling Risk
4 basic methods
risk avoidance - terminating activity that causes risk, or choosing safer alternative
risk transfer - passing risk to a 3rd party (ie insurance company)
risk mitigation - defining acceptable risk level and reducing risks to it
risk acceptance - understanding and accepting risks and potential costs
Risk Management
Risk Management Principles
After risk assessment is complete, organization must implement and maintain safeguards
organization must decide when future risk analyses will occur, because risk analysis should be done regularly
risk mgmt involves developing and maintaining risk mgmt policy and maintaining a risk mgmt and risk analysis team
Risk Management
Risk Management Policy objectives to list
Formal statement of Sr. management’s commitment to risk management
Must include overall risk management plan and list these objectives
risk mgmt team objectives
responsibilities and roles
acceptable levels of risk
risk identification process
risk and safeguards mapping
safeguard effectiveness monitoring process and targets
future risk analysis plans and tasks
Risk Management
Risk Management Team
could be one person or a group
goal is to protect organization and assets from risk in most cost effective way
sr. management must put a resource allocation measure in place. Ensure members of the team have necessary training and tools
Risk Management
Risk Analysis Team
Must have a representative from as many departments and employment levels as possible. Diversity ensures risks from all areas can be addressed
Or the team must interview each department to understand all risks to that department
During Risk Analysis process, the team should determine threat events that could occur, impact of them, frequency of them and level of confidence in the information gathered
Information Security Governance Components
Steps for senior management to complete before developing any organizational security policy
define scope of program
ID assets that need protection
determine level of protection each asset needs
determine personnel responsibilities
develop consequences for noncompliance with policy
Information Security Governance Components
Policies
2 definitions
are broad and provide foundation for developing standards, baselines, guidelines, procedures all of which provide the security structure
dictate the role of security and are strategic in nature (provide the end result of security)
definition 1 - level in organization at which they’re enforced
definition 2 - category to which they’re applied
independent of specific technology or solution
must contain exception area to deal with unforeseen situations
Information Security Governance Components
levels of policies
organization
system specific
issue-specific
Information Security Governance Components
categories of policies
regulatory
advisory
informative
Information Security Governance Components
Organizational Policies
highest level security policy, steered by business goals
should have these components:
define overall goals of security policy
define overall steps and importance of security
define security framework to meet biz goals
state management approval of policy
define all relevant terms
define security roles and responsibilities
address relevant laws and regulations
identify major functional areas
define compliance requirements
Information Security Governance Components
Organizational Security Policies
system specific
issue specific
must be supported by stakeholders, have a high visibility for personnel, be discussed regularly
each version should be maintained and documented
system-specific security policy addresses a specific computer, network, technology or application
issue-specific security policy addresses specific issue like email privacy, virus checking, employee termination, no expectation of privacy, etc.
Information Security Governance Components
Regulatory Security Policies
address specific industry regulations, including mandatory standards
i.e. healthcare, public utilities, financial institutions
Information Security Governance Components
Advisory Security Policies
cover acceptable and unacceptable activities
gives examples of possible consequences if users engage in unacceptable activities
Information Security Governance Components
Informative Security Policies
provide information on certain topics, act as educational tool
Information Security Governance Components
Standards
describe how baselines will be implemented
Mandatory actions or rules that are tactical - they provide the steps needed to achieve security
Information Security Governance Components
Baselines
reference points defined and captured to use as future reference
should be captured when a system is properly configured and updated
when updates occur, new baselines should be captured and compared to previous ones
Adopting new baselines from most recent data may be necessary
capturing is important but so is using them to assess security state
Information Security Governance Components
Guidelines
recommended actions, allow for unforeseen circumstances
provide guidance when standards don’t apply
Information Security Governance Components
Procedures
all detailed actions to follow and are closest to the computers and other devices
often include step-by-step lists on how policies, standards, guidelines are implemented
Information Classification Lifecycle
classify data by its value
assigning value to data lets you determine resources to protect it
classifying data lets you apply different protections
after data is classified, it can be segmented based on the level of protection needed
organization should determine classification levels based on needs of organization
Information Classification Lifecycle
Commercial businesses usually classify data on 4 main levels
Information life cycle should be based on this classification of data
Confidential - trade secrets, intellectual property, code
Private - personnel records, medical, salary, HR
Sensitive - information that needs extra measures
Public - data that wouldn’t cause negative impact if lost
Information Classification Lifecycle
Government and Military classify data on 5 main levels
Top Secret - weapon blueprints, tech specs. Grave damage if disclosed
Secret - deployment plans, missile placement. Serious damage if disclosed
Confidential - patents, trade secrets. Serious effects if disclosed
Sensitive - medical, personnel records, questions arise if disclosed
Unclassified
Responsibilities and Roles
Board of Directors
Senior Officials
Management
Board of Directors
elected by shareholders to ensure org is run properly. Loyalty is to shareholders
Senior Officials
Sr. Management, board of directors
Management
responsible for preserving, protecting org data
CEO, CFO, CIO, CPO, CSO
Responsibilities and Roles
Business Unit Managers
Audit Committee
Data Owner
Data Custodian
System Owner
System Administrator
Business Unit Managers
provide departmental information, controls for dept. data
Audit Committee
evaluates org’s financial reporting to ensure accuracy
Data Owner
determines classification level of information, and protection
Data Custodian
implements info classification and controls after owner determines them
System Owner
ensures appropriate controls exist on systems. multiple data owners can be responsible for info on the system
System Administrator
runs day to day operations
Responsibilities and Roles
Security Administrator
Security analyst
application owner
supervisor
user
auditor
Security Administrator
maintains security devices and software (firewalls, etc)
Security analyst
analyzes security needs of org, develops governance documents (policies, standards, guidelines)
application owner
determine personnel who can access an application
supervisor
manages group of users and assets in a group
user
any person who accesses data for work
auditor
monitors user activities to ensure appropriate controls are in place
Personnel Security
Personnel cause majority of security issues
Organizations should have personnel security policies (screening, hiring, firing)
Screening
Hiring
Screening - occurs before offer of employment. Could include background check, drug testing, education verification
Hiring - signing appropriate documents, NDA’s, policies, etc. Employee ID’s issued at this stage
Personnel Security
Termination. Handled differently for friendly and unfriendly situations
Management Control - mandatory vacations
NDA’s (and similar)
HR Procedures ensure property is returned, user access is removed
unfriendly terminations
procedures must be proactive to prevent asset damage. Revoke accesses before termination notification, security escort
mandatory vacations ensure another employee can perform job duties in someone else’s absence
NDAs and similar (noncompete clauses, etc)
protect organization and assets after employee is gone
Security Awareness Training
Security Awareness Training (what) vs Security Training (how) vs Security Education (why)
Awareness training
reinforces fact that valuable resources must be protected by implementing security measures
Security Training
teaches skills to enable performing job securely
Both Awareness and Security Training are usually combined to improve awareness of security and ensure users can be held accountable for their jobs
Security Education
more independent, targeted at security professionals who require expertise and act as in-house experts
Security Awareness Training
Security Awareness Training should be based on the audience
high-level management
middle management
technical staff
high-level management
training explains risks, threats, applicable laws and regulations, effects of security issues on reputation
middle management
training covers policies, standards, guidelines, baselines, procedures, how these map to departments
technical staff
training covers technical training on configuring and maintaining security controls. Industry certifications, degrees.