Security Management and Risk Assessment Flashcards

1
Q

IT Security Management

A

A process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity, and reliability.

2
Q

IT Security Functions include

A

Determining organizational IT security objectives, strategies, and policies

Determining organizational IT security requirements

Identifying and analyzing security threats to IT assets within the organization

Identifying and analyzing risks

Specifying appropriate safeguards

Monitoring the implementation and operation of the safeguards needed to cost-effectively protect the information and services within the organization

Developing and implementing a security awareness program

Detecting and reacting to incidents

3
Q

Four approaches to identifying and mitigating risks

A

Baseline approach

Informal approach

Detailed risk analysis

Combined analysis

4
Q

Baseline Approach to identifying and mitigating risks

A

Aims to implement a basic, general level of security controls on systems using baseline documents, codes of practice, and industry best practice

Advantages:

  • Does not require expenditure of additional resources on conducting a more formal risk assessment
  • The same measures can be replicated over a range of systems

Disadvantage:
No special consideration is given to variations in the organization's risk exposure based on who they are and how their systems are used

Goal:
Implement generally agreed controls to provide protection against the most common threats

5
Q

Informal approach to identifying and mitigating risks

A

Involves conducting some form of informal, pragmatic risk analysis of the organization's IT systems, with no formal structured process

Advantages:

  • Individuals performing the analysis require no additional skills
  • The assessment can be performed quickly and cheaply
  • Judgments are made about specific vulnerabilities and risks (unlike the baseline approach)

Disadvantages:

  • Risks may not be considered appropriately, leaving the organization vulnerable
  • Insufficient justification for the suggested controls
  • Inconsistent results over time
6
Q

Detailed risk analysis approach for identifying and mitigating risks

A

Most comprehensive approach

Greatest degree of assurance

Stages:

  • Establish the context or system characterization (including the organization's risk appetite)
  • Asset identification
  • Threat identification
  • Vulnerability identification
  • Analyze the likelihood of each risk
  • Analyze existing controls
  • Determine consequences
  • Determine the resulting risk to the organization
7
Q

Combined approach for identifying and mitigating risks

A

Aims to provide reasonable levels of protection as quickly as possible, then examine and adjust the controls deployed on key systems over time

Stages:

  1. Start by implementing suitable baseline security recommendations on all systems
  2. Identify, in a high-level risk assessment, the systems that are either exposed to high risk levels or critical to business objectives
  3. Conduct an informal risk assessment of those key systems, with the aim of relatively quickly tailoring controls to more accurately reflect their requirements
  4. Follow an ordered process of performing detailed risk analyses of these systems
8
Q

Managing Security

A

Technical controls (authentication, access control, etc.) are used to reduce the risk of attacks on valuable assets.

Legal and compliance drivers for cyber security (e.g., financial and health data)

What technical controls should be deployed? Deciding requires:

  • An understanding of the risks posed by threats
  • The costs and benefits of candidate security measures
9
Q

Key Challenges

A

What assets are at risk?

What are the threats, and how serious is the risk they pose?

What is the likelihood of a successful attack, and what is its impact?

What technological solutions/controls exist to counter the threats?

How can risk be addressed in a cost-effective manner? (A control is worth deploying only when its cost is less than the reduction in risk it delivers.)

How do we understand the people and process aspects of cyber security management?

10
Q

Management controls

A

focus on security policies, planning, guidelines, and standards that influence the selection of operational and technical controls to reduce the risk of loss and to protect the organization’s mission.

11
Q

Operational controls

A

Address the correct implementation and use of security policies and standards, ensuring consistency in security operations and correcting identified operational deficiencies.

These controls relate to mechanisms and procedures that are primarily implemented by people rather than systems

They are used to improve the security of the system or group of systems

12
Q

Technical controls

A

Involve the correct use of hardware and software security capabilities in systems

13
Q

Control classes include

A

Supportive controls

Preventative controls

Detection and recovery controls

14
Q

NIST06 suggests the selection of controls may need adjusting to account for these factors

A

Technology

Common controls

Public access system

Infrastructure controls

Scalability issues

Risk assessment

15
Q

Security Planning: Controls

A

Identity and access management (IAM)

  • Credentialing, account creation and deletion
  • Password policies

Network and host defenses

  • Firewalls, IDS, IPS
  • Anti-virus

VPN and BYOD

Vulnerability patching

User awareness and education

  • Phishing attack awareness (e.g., Phishme)

16
Q

Security Planning: Security Policy

A

High-level articulation of security objectives and goals, with their legal, business, or regulatory rationale

Do's and don'ts for users

  • Password length
  • Web and email policies
  • Response to security events

Addresses prevention, detection, response, and remediation as they concern or impact users

17
Q

Cyber Risk Assessment

A

Investments in cyber security are driven by risk and by how particular controls reduce it

Some risk will always remain (residual risk)

How can risk be assessed?

18
Q

Quantifying Cyber Risk

A

Risk exposure = Prob[adverse security event] × Impact[adverse security event], i.e., the expected loss from that event

19
Q

Managing Cyber Risk

A

Impact: the expected loss (reputational, recovery and response, legal, loss of business, etc.)

Risk management options:

  • Accept, transfer (e.g., insurance), or reduce
  • Reduction via technology solutions and via education and awareness training
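Worked example, added here and not part of the original flashcards: the exposure formula from card 18 applied to a small risk register, the cost-effectiveness test from card 9 (adopt a control only when the risk reduction it buys exceeds its cost), and the accept/transfer/reduce decision from card 19 applied to whatever exposure remains. It goes one step beyond the cards by re-scoring candidate controls after each adoption, because two controls covering the same event shrink each other's remaining benefit. Every asset, probability, impact, control name, cost and the risk appetite figure below is a constructed, illustrative value.

```python
"""Risk register calculator (added example; all figures are constructed).

Risk exposure = Prob[adverse event] * Impact[adverse event]. A control is adopted
only when the exposure it removes exceeds its annual cost; residual risk is then
accepted if it fits the risk appetite, otherwise transferred (e.g. insured).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    """One register entry: an adverse security event against an asset."""
    asset: str
    event: str
    probability: float  # annual probability that the event occurs, 0..1
    impact: float       # expected loss if it occurs (recovery, legal, lost business...)

    def exposure(self) -> float:
        """Risk exposure = Prob[adverse event] * Impact[adverse event]."""
        return self.probability * self.impact


@dataclass(frozen=True)
class Control:
    """A safeguard that scales probability and/or impact for the events it covers."""
    name: str
    annual_cost: float
    covers: Tuple[str, ...]          # events this control applies to
    probability_factor: float = 1.0  # 0.2 means the event becomes 5x less likely
    impact_factor: float = 1.0       # 0.1 means losses drop to a tenth if it still occurs


def residual_exposure(risk: Risk, controls: List[Control]) -> float:
    """Exposure left after every control covering this event is applied (factors compound)."""
    p, i = risk.probability, risk.impact
    for c in controls:
        if risk.event in c.covers:
            p *= c.probability_factor
            i *= c.impact_factor
    return p * i


def total_exposure(risks: List[Risk], controls: List[Control]) -> float:
    return sum(residual_exposure(r, controls) for r in risks)


def risk_reduction(control: Control, risks: List[Risk], baseline: List[Control]) -> float:
    """Exposure removed across the whole register by adding `control` on top of `baseline`."""
    return total_exposure(risks, baseline) - total_exposure(risks, baseline + [control])


def select_controls(risks: List[Risk], candidates: List[Control]) -> List[Control]:
    """Cost-effectiveness test: keep a control only if its risk reduction exceeds its cost.

    Greedy: adopt the best net benefit first, then re-score the rest against the new
    baseline, because overlapping controls shrink each other's remaining benefit.
    """
    chosen: List[Control] = []
    remaining = list(candidates)
    while remaining:
        scored = [(risk_reduction(c, risks, chosen) - c.annual_cost, c) for c in remaining]
        best_net, best = max(scored, key=lambda s: s[0])
        if best_net <= 0:          # nothing left pays for itself
            break
        chosen.append(best)
        remaining.remove(best)
    return chosen


def treatment_plan(risks: List[Risk], chosen: List[Control], appetite: float) -> Dict[str, str]:
    """Per-event treatment after the selected controls: what remains is accepted if it
    fits the risk appetite, otherwise transferred (e.g. insured). Some risk always remains."""
    plan: Dict[str, str] = {}
    for r in risks:
        res = residual_exposure(r, chosen)
        reduced = "reduce, then " if res < r.exposure() else ""
        plan[r.event] = reduced + ("accept" if res <= appetite else "transfer")
    return plan


# Constructed sample register and candidate safeguards (illustrative numbers only).
PHISH, UNPATCHED, LOST = "credential phishing", "unpatched server exploited", "laptop lost"
RISKS = [
    Risk("customer database", PHISH, 0.30, 400_000),
    Risk("web storefront", UNPATCHED, 0.20, 250_000),
    Risk("staff laptops", LOST, 0.50, 20_000),
]
CANDIDATES = [
    Control("phishing awareness program", 15_000, (PHISH,), probability_factor=0.5),
    Control("MFA on all accounts", 30_000, (PHISH,), probability_factor=0.2),
    Control("monthly patching", 25_000, (UNPATCHED,), probability_factor=0.25),
    Control("full-disk encryption", 8_000, (LOST,), impact_factor=0.1),
    Control("24x7 outsourced SOC", 500_000, (PHISH, UNPATCHED), probability_factor=0.5),
]

if __name__ == "__main__":
    picked = select_controls(RISKS, CANDIDATES)
    print("exposure before: %.0f  after: %.0f" % (total_exposure(RISKS, []), total_exposure(RISKS, picked)))
    for c in picked:
        print("adopt:", c.name)
    for event, action in treatment_plan(RISKS, picked, appetite=15_000).items():
        print("%-30s %s" % (event, action))
```

With these constructed figures the awareness program passes the cost test on its own (it removes 60,000 of exposure for 15,000), but once MFA is adopted the phishing exposure it could still remove is only 12,000, so it is dropped; the expensive SOC never pays for itself. The remaining phishing exposure (24,000) exceeds the 15,000 appetite, so it is reduced and then transferred, while the other two events are reduced and accepted. The appetite threshold and the multiplicative control factors are modelling assumptions, not values from the page.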
20
Q

Security Planning and Management

A

Values at risk (assets, reputation, etc.)

Threats and attack vectors

Plan, implement, and manage:

  • Deploy appropriate controls
  • Empower people and hold them responsible
  • Plan for response and remediation (do not be surprised)
  • User awareness

Understand and proactively address risk

21
Q

Security compliance

A

An audit process that reviews the organization's security processes

The goal is to verify compliance with the security plan