You are on page 1of 144

CISSP Domain – Information

Security and Risk Management


Milan Vlahović
CISSP, PMP, MCSE, MCSD, MCDBA, ITIL
Privredna komora Beograda

Based on Skillsoft IT Security KC CISSP Roadmap – Only as a course support material


Security Management
• Due to the increasing use of computer and
network technology the risk of exposure to
information system attacks is increasing
• It is important for the enterprise to protect all
its assets, such as resources and information
• It is not possible to ensure complete security
of all assets, but the possibility of an attack
can be reduced by having security measures in
place
• Security management includes
– risk management,
– information security policies,
– procedures, standards, guidelines, baselines,
– information classification,
– security organization, and
– security education
• This components makes the foundation of a
corporation’s security program
• The objective of security, and a security program,
is to protect the company and its assets
Core aspects of security management
• Restricting access to a computer system or
network
• Identifying vulnerability points of the assets of
an organization, possible threats that can
exploit these vulnerabilities, impact of these
threats and strategies that will help mitigate
these threats
• Understanding training needs of all employees
about these strategies
Goal of security management
• To protect the propriety and confidential information
of a company from being unintentionally altered by
trusted individuals or intentionally altered by
unauthorized individuals
• CIA triad - three main objectives of security
management
– Confidentiality
– Integrity
– Availability
• A security program should use a top-down approach,
– the initiation, support, and direction come from top
management, work their way through middle
management, and then reach staff members
Avialability

Security
objectives

Confidentiality
Integrity

The CIA triad


• Security management relies on
– properly identifying and valuing a company’s assets, and
then
– implementing security policies, procedures, standards, and
guidelines to provide integrity, confidentiality, and
availability for those assets.
• Management’s responsibility is to provide protection
for the resources (human, capital, hardware, and
informational) it is responsible for and the company
overall.
• Management must concern itself with ensuring that a
security program is set up that recognizes the threats
that can affect these resources and be assured that the
necessary protective measures are put into effect.
Confidentiality
• Confidentiality ensures that the necessary level of
secrecy is enforced at each junction of data
processing and prevents unauthorized disclosure
• This level of confidentiality should prevail while
data resides on systems and devices within the
network, as it is transmitted, and once it reaches
its destination
• Attackers can thwart confidentiality mechanisms
by network monitoring, shoulder surfing, stealing
password files, and social engineering
Confidentiality (continued)
• Shoulder surfing is when a person looks over another
person’s shoulder and watches their keystrokes or
views data as it appears on a computer screen.
• Social engineering is when one person tricks another
person into sharing confidential information such as by
posing as someone authorized to have access to that
information. Social engineering can take many other
forms.
• Confidentiality can be provided by encrypting data as it
is stored and transmitted, by using network traffic
padding, strict access control, and data classification,
and by training personnel on the proper procedures.
Integrity
• Integrity ensures that the accuracy and
reliability of the information and systems is
provided, and any unauthorized modification
is prevented
• The systems and network should be protected
from outside interference and contamination
• Strict access controls, intrusion detection, and
hashing can combat these threats
Integrity (continued)
• Security should restrict users’ capabilities and
give them only certain choices and functionality
– system-critical files should be restricted from viewing
and access by users
– applications should provide mechanisms that check
for valid and reasonable input values
– databases should let only authorized individuals
modify data, and
– data in transit should be protected by encryption or
other mechanisms
Availability
• Availability ensures that authorized users are able to access
data and resources whenever needed
• The systems and networks should provide adequate
capacity in order to perform with an acceptable level of
performance.
• They should be able to recover from disruptions in a secure
and quick manner so productivity is not negatively affected.
• Single points of failure should be avoided, backup measures
should be taken, redundancy mechanisms should be in
place when necessary, and the negative effects from
environmental components should be prevented.
Availability (continued)
• Threats to availability
– Denial-of-service (DoS)
• refers to attacks by intruders on network resources so that authorized
users are unable to access them
• to protect against such attacks, the network should validate all users
and make available only the necessary resources
– Loss of capabilities
• refers to natural disasters such as flood and earthquake; human
actions such as bombs and strikes; or malicious code that compromise
the data processing capabilities of networks
– Environmental issues
• heat, cold, humidity, static electricity, and contaminants can also affect
system availability
• To ensure availability of data and provide an alternate
means of processing, data should be backed up on a
regular basis and a disaster recovery plan should be in
place
Types of controls
• Confidentiality, integrity, and availability (CIA) are the three main
principles of security
• To meet the CIA triad objectives, three types of controls can be
used:
– administrative
• creating and publishing of security policies, standards, procedures, and
guidelines; educating individuals about these policies and guidelines; risk
management; conducting security-awareness training; implementing change
control procedures and screening all individuals that will use the information
system
– physical
• physically restricting access to a company's resources to only authorized
individuals, protecting a company's assets from environmental factors such as
fire and water, locking systems and removing unnecessary floppy or CD-ROM
drives, protecting the perimeter of the facility and monitoring for intrusion
– technical (or logical)
• restricting access to a company's resources to only authorized individuals by
using passwords, identification and authentication methods, security devices,
configuration of the infrastructure and other logical access control
mechanisms
Physical controls: Facility protection, security guards, locks,
monitoring, environmental controls, intrusion detection

Technical controls: Logical access controls,encryption,


security devices, identification and authentication

Administrative controls: Policies, standards,


procedures, guidelines, screening personnel,
security-awareness training

Company data and assets


Change control management
• Changes in the production phase can occur because of new
requirements of products or systems, or because newly
released patches or upgrades need to be installed
• To avoid any loss of data and ensure smooth functioning of
all tasks, the changes should be approved, documented,
and tested
• This can be achieved by having a change control
management process in place
– help deal with the changes effectively
– ensures that all changes made in production systems, including
system or application software, will be integrated compatibly
Change control management process
• Includes:
– submitting a change request form to the management
– analyzing the validity of the change request
– analyzing the ways to implement the change
– analyzing the cost of implementing the change
– documenting the change recommendations
– obtaining final approval from the change control
board
– making the accepted changes and documenting them
– approving the changes by quality control
Organizational Security Model
• An organizational security model
– framework made up of many entities, protection
mechanisms, logical, administrative, and physical
components, procedures, business processes, and
configurations that all work together to provide a
security level for an environment
• All models work in layers
– one layer provides support for the layer above it, and
protection for the layer below it.
• Companies can use different types of
technologies, methods, and procedures to
accomplish the necessary protection level for
their environment
Business
objectives
Vulnerability Penetration
assessment testing
Quantitative Risks and
Risk
and qualitative threats
risk assessment analysis identification
Protection Data Functionality
requirements classification evaluation
Legal Security System Policy and
liabilities awareness reliability procedures
Cost-effective solutions Safeguards Countermeasures
Data integrity Confidentiality Availability
Total security

Integrated pieces of the security model


Security goals
• A security model has various layers, but it also has
different types of goals to accomplish in different
timeframes
• Depending on the length of time that security model
projects into the future, security goals can be broken
into three categories (planning horizon)
– operational goals (short-term goals)
• include daily tasks to ensure proper functioning of the operational
environment (perform security risk assessment, maintain and
implement controls, ...)
– tactical goals (mid-term goals)
• include milestones within a project or projects that need to be
completed within a year
– strategic goals (long-term goals )
• include long-term goals that are generally broad statements
(compliance with laws and regulations, create a maturity
model, ...)
Security Frameworks
• CobiT (Control Objectives for Information and related
Technology)
– framework developed by the Information Systems Audit and
Control Association (ISACA) and the IT Governance Institute
(ITGI)
– It defines goals for the controls that should be used to properly
manage IT and ensure IT maps to business needs
• CobiT is broken down into four domains:
– Plan and Organize,
– Acquire and Implement,
– Deliver and Support, and
– Monitor and Evaluate
• Each category is broken down into subcategories
• CobiT framework provides goals and guidance to
companies when they purchase, install, test, certify, and
accredit IT products
• COSO (developed by the Committee of
Sponsoring Organizations of the Treadway
Commission)
– framework, which was developed in 1985 to deal
with fraudulent financial activities and reporting
– COSO is a model for corporate governance while
CobiT is a model for IT governance
– COSO deals more at the strategic level while CobiT
focuses more at the operational level
• COSO deals with non-IT items also, as in
company culture, financial accounting
principles, board of director responsibility, and
internal communication structures
• The COSO framework is made up of the following
components:
– Control Environment
• Management’s philosophy and operating style
• Company culture as it pertains to ethics and fraud
– Risk Assessment
• Establishment of risk objectives
• Ability to manage internal and external change
– Control Activities
• Policies, procedures, and practices put in place to mitigate risk
– Information and Communication
• Structure that ensures that the right people get the right
information at the right time
– Monitoring
• Detecting and responding to control deficiencies
Standard ISO 17799
• Internationally recognized Information Security
Management Standard that provides high-level
conceptual recommendations on enterprise
security
• Derived from the de facto standard: British
Standard 7799 (BS7799)
• The British Standard actually has two parts:
– BS7799 Part 1, which outlines control objectives and a
range of controls that can be used to meet those
objectives; and
– BS7799 Part II, which outlines how a security program
can be set up and maintained
• BS7799 Part II also served as a baseline that
organizations could be certified against
• An organization would choose to be certified against
the ISO 17799 standard to provide confidence to their
customers and partners and be used as a marketing
tool
• To become certified, an authorized third party would
evaluate the organization against the requirements in
ISO 17799 Part II
• The organization could be certified against all of ISO
17799 Part II or just a portion of the standard
• It is some kind of the benchmark used to indicate a
correct IT infrastructure
• It is made up of ten domains, which are very close to
the CISSP Common Body of Knowledge (CBK)
• ISO 17799 domains
– Information security policy for the organization
– Creation of information security infrastructure
– Asset classification and control
– Personnel security
– Physical and environmental security
– Communications and operations management
– Access control
– System development and maintenance
– Business continuity management
– Compliance
• ISO 27000 Series
– ISO 17799 was renumbered to ISO 27002 in 2005,
to make it consistent with the 27000 series of ISO
security standards
– ISO 27001 is a related standard, formally called
ISO/IEC 27001:2005
– ISO 27001 was based on BS 7799 Part 2
– ISO 27002 describes information security best
practices (techniques), and ISO 27001 describes a
process for auditing (requirements) those best
practices
• ITIL (Information Technology Infrastructure
Library)
– the de facto standard of best practices for IT Service
Management
– framework for providing best services in IT Service
Management
– ITIL was created because of the increased
dependence on information technology to meet
business needs
– ITIL contains five core publications:
• Service Strategy
• Service Design
• Service Transition
• Service Operation
• Continual Service Improvement
Classifying Data
Classifying Data
• Different organizations create and maintain different types
of data. To be able to effectively secure data, without
overspending time and money, you need to understand
each data type and its importance to the organization.
• Data classification
– means identifying the types of data and grouping them into
different categories based on various criteria, such as value and
age
• Data-classification scheme
– enable a company to identify the number of resources needed
to protect the various types of data and identify protection
mechanisms and recovery processes for each type
Objectives of a data-classification
scheme
• Identify measures to ensure CIA for each type of data
– to provide the appropriate level of security to the data in
an organization, it is necessary to classify that data
– data classification organizes data according to its level of
availability and sensitivity to loss or disclosure
• Identify the right protection mechanisms for various
categories of data
– after data is classified, appropriate security controls are
applied to the data, according to its importance
– more expensive measures are used to protect confidential
data and the less expensive measures are used to secure
public information
Objectives of a data-classification
scheme (cont.)
• Each class of data should have unique
characteristics and there should be just the right
number of classes – not too many and not too
few
• After classifying the data, the measures need to
be identified that will secure each type of data
• The data itself can have security identification or
its security level can be defined by the location of
its storage
• Data owners are responsible for defining the
security level of their data
Different organizations -different
security models
• Security models selected by a military
organization will be different from that defined
by a private sector business
– military organization - more concerned with the
confidentiality of data
– private sector business - more concerned with the
integrity and availability of data
• To address these different security concerns,
private sector businesses and military
organizations adopt different data-classification
schemes
Classes that most private-sector
businesses use
• confidential
– information that should be used only within the organization
– disclosure of information outside the organization is not allowed to avoid adverse affects
– examples : trade secrets, source code, competition strategies, and employee information
• private
– personal data of employees
– examples : work history, salary information, and medical information intended for use within
the organization
• sensitive
– data that requires a higher than normal level of integrity, confidentiality, and accuracy to
protect it from unauthorized modifications and loss of data
– examples : project details and financial information, such as profit earnings and forecasts
• public
– data that will not affect an organization adversely if disclosed
– examples : number of people working on a project, information about upcoming projects, ...
Classes that most military
organizations use
• top secret
– highly critical data, the disclosure of which will cause grave damage to national security
– examples : blueprints of new weapons, spy satellite information, and espionage data
• secret
– data that is less critical than that included in the top secret class, but the disclosure of secret
data will also damage national security
– examples : deployment plans of troops and bomb placements
• confidential
– information for use within the organization, and the disclosure of information is not allowed
to avoid adverse affects
– examples : information about military personnel
– private sector uses this class too
• sensitive but unclassified
– minor secret data, the disclosure of which might cause serious damage
– examples : medical data of employees and answers to tests
• unclassified
– data that is not sensitive
– examples : data pertaining to device manuals and recruiting information
Data-classification scheme
requirements
• List of criteria against which data will be checked
• Data can be classified based on the department it belongs
to, the number of projects it caters to, or its validity period
• All stakeholders in an organization need to agree on the
criteria scheme
• After gathering and analyzing the criteria scheme, the
company needs to determine how many classes are
needed, create their definitions, and determine the
controls needed
• After the criteria and classification levels have been
finalized, data owners need to analyze their data and
identify the level it will fit into.
Common data-classification criteria
parameters
• age of data
• data owners or manipulators
• data storage location
• effects of data on national security
• encryption status for the data
• individuals who have permission to backup data
• monetary value of the data
• regulatory laws required for specific data
• repercussion if data was altered or corrupted
• repercussion if data was disclosed
• separation of duties status for the data
• usefulness of data
Data classification controls
• strict and granular access control
• identification and labeling
• encryption of data when stored or in
transmission
• auditing and monitoring
• identifying if separation of duties is required
• providing backup and recovery
• deploying change control procedures
• defining file access permissions
Classification scheme will be effective
only if :
• the scheme has the right number of classes
– too many classes make them confusing and difficult to maintain while
too few classes imply the low value of data
• the classes can be easily distinguished from each other
– classes should be unique and not have any overlapping criteria
• the scheme addresses how both information and software are
handled
– the scheme should outline how applications are controlled and
handled through their life cycles, this helps evaluate the level of
protection applicable to them.

• the scheme reduces the cost of protecting information


– too much money should not be spent on protecting trivial information
Data classification criteria
• Data classification provides a company with an understanding of the
different types of data the company has and the value the data
holds for the company
• Different companies have different criteria, based on which they
classify data

– value
• valuable data have to be classified and protected
– age
• with the passage of time, the value of data might decrease
– useful life
• outdated data does not usually need protection at all
– personal association
• data that contains the personal information of individuals need to be
classified for situations arising because of court orders, government contracts,
and senior-level approvals
Protection of data - methods
• encryption
– by public or private key algorithms so that the data can be accessed only by
authorized users
• review and approve
– any change in data is reviewed and approved by an authorized person, and
this person should be different from the person who has performed this
change
• backup and recovery
– all data including critical data should be backed up
• separation of duties
– ensures that no individual has complete control over a process, which avoids
fraudulent activities
• access control
– defines different access levels for different processes such as reading,
updating, altering, and deleting data
– administration defines access rights for protected resources
Information classification roles
• Three major roles that are applicable to any type of
organization:
– Owner
– Custodian
– User
• Depending on the type of organization, an individual
may be required to perform the responsibilities of
multiple roles
• In a small organization, an individual may be required
to perform the tasks of an owner as well as a custodian
• For larger organizations, it is advisable to assign a role
with each level of security
Information classification roles (cont.)
• Owner
– usually part of an organization's management and is responsible
for the protection and use of a particular set of data
– responsibile for :
• deciding the classification levels of data and for altering them
according to changing business needs
• defining security controls as per the data classification to ensure data
protection
• defining the access rights applicable to data as per the data
classification and the value of the data
– delegates these tasks:
• approval of access requests
• backup and recovery tasks
• approval for data disclosure
• security violation notification dealings
Information classification roles (cont.)
• Custodian
– an IT person responsible for maintaining the integrity
and availability of data for the data owner
– responsibile for :
• backing up data regularly according to the backup
specifications provided by the data owner
• restoring lost or corrupted data to provide normal
functioning in case of system failure
• ensuring that data is available for performing business
activities
• maintaining records of activity for the analysis of data to
meet security policies and standards for data protection
Information classification roles (cont.)
• User
– an employee or vendor of a company who uses
data to perform work-related tasks
– responsibile for :
• maintaining the confidentiality of passwords and
ensuring the security of the data used by him
• following all security procedures and guidelines and
promptly reporting any security violation to the
company
• using the data only to perform official duties and not
for any personal gain
Policies, Standards, and
Guidelines
Role of a security group
• The objectives of a security management program implemented by
an organization are defined by the CIA triad
• Various threats affect the objectives of the security management
program of an organization
• A security management program consists of policies, standards,
baselines, and guidelines that help the organization lay down
stringent security measures and secure the organization as a whole
• It is necessary for each employee to understand the corporate
security strategies laid down by the organization
• The responsibility of drafting the security management program of
an organization lies with the security group, led by the information
security officer
Duties of security officer
• Duty of loyalty
– ensures that the senior management (including security officer) of an
organization does not reveal or use the organization's protected information
for personal gain
• Duty of care
– ensures that the organization is responsible for taking care of its employees
and resources by developing and implementing security policies, procedures,
and standards
• Some legal concepts associated with the duty of loyalty and the duty of
care
– conflict of interest
– confidentiality
– duty of fairness
– corporate opportunity (requires an individual not to divulge any company
information related to mergers, acquisitions, or patents for personal gain)
Security management program
• The security officer and the top management need to identify and
evaluate the possible threats and risks within the organization and take
proper remedial action. This process of risk assessment forms a part of
due diligence
• To avoid threats and risks, the security officer and the top management
need to specify functions to address these issues
• Basic functions in most security programs

– establishing policies, standards, and guidelines for employees


– educating all employees about these policies, standards, and guidelines
– appointing a high-level manager to ensure that these policies, standards, and
guidelines are complied with by the employees
– adopting appropriate disciplinary measures to enforce the policies, standards,
and guidelines
– verifying that compliance policies are being implemented
– implementing rectification procedures in case of violations
– exercising care when authorizing employees
Security management program
components
• The security management program of an organization needs to be
well defined and documented by the security officer along with the
top management
• It is the duty of the top management to ensure that all the
employees in the organization are aware of the security
management program
• Core components
– Policies
– Standards
– Baselines
– Guidelines
• To implement the security management program effectively within
an organization, each employee should be aware of and be able to
easily access the organization's policies, standards, baselines, and
guidelines
Policies
• A policy contains a company's directives, created by the top
management, to protect the company's assets by implementing
security measures and assigning responsibilities to meet security-
related objectives

• Effective security policy should be


– based on the business objectives of the company
– clear and acceptable to all the employees
– aimed to integrate security with all business processes
– upgraded regularly to include all parameters related to organizational
changes
– dated and have a version number for every change
– aimed to eliminate the need of reading the entire policy material
– accurately defined to outline resources and assign organizational
responsibilities and authorities
Policy types
• Advisory
– define the behavioral requirements of employees and state
ramifications in case of noncompliance
– example : a banking organization expects its employees to not
disclose any bank account details to any person other than the
particular customer - if the employees do so, they will be held
accountable for their actions
• Informative
– are not enforceable and are meant for information purposes
only
• Regulatory
– include laws, bills, and regulations, specific to a type of industry,
which are enforced to meet compliance with local, state, and
federal laws
Standards
• Standards
– mandatory rules and actions that support and
reinforce a policy
• Policies state measures, without providing
solutions to implement those measures.
Standards define solutions to implement the
measures stated in the policy.
• Policies remain relevant until they need to be
updated in case of changes in an organization's
operations. Standards are mandatory regulations
that support a policy
Baselines
• Baselines
– define the minimum level of security measures
required by an organization to protect itself from
internal and external threats
• Baselines are established before standards are
developed
• Baselines provide platform-specific
implementations for the standards
Guidelines
• Guidelines
– general statements that recommend actions to be
followed in case a standard does not apply
• Guidelines are the recommended actions to
be followed when a specific standard does not
apply
• Guidelines are general approaches while
standards are specific mandatory activities
Security management program
components
Components of a security framework
• People
– this deals with roles and responsibilities, skills and training,
organization, attitudes, and culture
• Technology
– this includes applications, tools, hardware, and software
• Processes
– this includes procedures, standards, metrics, and
performance monitoring
• Successful security framework requires all the
components – people, processes, and technology – to
work together to achieve optimal levels of security
Employment Policies and
Practices
Securing your workplace
• Basic steps
– Background checks
• the first line of defense in securing the workplace
• checking the background of an employee ensures that the employee is qualified and reliable
– Security clearance
• procedure to authorize access to classified information
• can be issued to individuals or groups working in the government, private industry, or
information technology
• there can be multiple levels of security clearance in some organizations, based on the types of
information
• different levels of security clearance have different access requirements, which become more
stringent for higher levels
– Signing the employee agreement document
• an employee agreement document clearly outlines the expectation of the organization from its
employees, details of the job description, rules, regulations, and the security policy
• when an employee joins an organization, the employee needs to sign the employee agreement
document
• this document ensures that the employee will not violate the rules and regulations that affect
the interest of the organization
Background check of an employee
Employee agreement document
Hiring and terminating
• All the rules and guidelines related to hiring and
terminating an employee should be approved by
the top management
• An organization should thoroughly evaluate a
candidate's credentials to ensure that the
candidate is appropriate for a particular job
• After terminating an employee, the organization
should ensure that it has revoked the employee's
access to all company information and resources
Good security practices after hiring a
new employee
• Provide the end-user document
– what is expected from all the employees for a particular role
– lists all the schemes, rules, and policies related to security and behavior
– includes the acceptable-use policy (an outline of the access privileges, rules for behavior, and
any possible consequence of breaking rules when dealing with network resources, computers,
or any other company resources)
• Inform about the need to know security policies
– this helps the organization safeguard its information from potential threats, such as loss or
misrepresentation of business data or damaging or removing business assets, intentionally or
accidentally
• Educate about the security program
– security awareness program (the organization needs to ensure that all new employees are
trained and educated on the security policies drafted by the top management)
• Inform about password creation and access rights
– the IT security officer should inform the employees about ways to create strong passwords
and about access rights
– information on how to create strong passwords and about the access rights is specified in the
security policy document of the organization
– access rights are granted based on job description
Security awareness program
Good security practices after hiring a
new employee (cont.)
• The organization needs to explain roles and responsibilities to the
new employee
• This is done by providing a job description to the employee
• Based on the job description, the security department assigns
appropriate permissions and grants access rights to employees
• Job descriptions help the human resources department advertise
for jobs with similar roles and responsibilities
• Periodic audit check for monitoring users need to be followed by
an organization to validate the access controls for various roles and
responsibilities based on job descriptions
• To ensure information security, a job description should always be
formally and officially changed
• Any change in the job description should be accompanied by
relevant changes to the access control requirements and
mechanisms defined for that role
Good security practices when
terminating an employee
• restrict employees who will be terminated from
accessing sensitive information
• revoke the access of terminated employees to the
network
• disable the accounts of terminated employees
• delete terminated employees after a specific period of
time
• make terminated employees surrender all the keys and
company supplies they were using
• ensure that terminated employees immediately leave
the facility
Roles and job rotations
• Every organization should define distinct roles
and assign responsibilities pertaining to each role
• Based on roles and the security policies set by the
organization for these roles, restrictions and
permissions should be granted for each role
• This ensures that each employee is responsible
for maintaining the security of information that
the employee has the right to access and use
Typical roles and responsibilities
• senior management
– has the overall and ultimate responsibility for security
• infosec officer
– responsible for the functional aspect of security
• owner
– classifies information for implementing security
• custodian
– helps preserve the CIA of information
• user
– performs according to the security policy defined by the
organization
• auditor
– examines if security is implemented properly in the organization
Separation of duties
• To implement security effectively in an organization, it
is important to define a structure that helps in the
separation of duties and responsibilities
• Separation of duties assigns access to information
according to job role
• Benefits
– introduces transparency in an organization (making it clear
who does what in a situation)
– ensures that no individual is solely responsible for a critical
task (this prevents collusion and reduces the possibility of
mistakes)
– restricts access to information by job role (this helps
prevent computer crimes)
Job rotation
• purpose - to limit the time spent by an individual
on a task so that the individual does not have
complete control over it
• helps protect against frauds and misuse of
information
• benefits
– a person does not have complete control over a task
(reduces the security risk to information)
– people working in sensitive areas are forced to take
vacations (helps detect any fraudulent activities)
Risk Management
Risk management principles
• Risk management is the process of identifying
and assessing risk, identifying the cost of securing
the environment, and implementing appropriate
risk-reducing measures
• The risk manager should be able to foresee risks
and take appropriate measures to reduce those
risks to a level that is acceptable by the
organization
• This can be achieved by following risk
management principles
Principles of risk management
• identify risks
• analyze the damage that can occur
• plan and implement security measures to
mitigate risk to an acceptable level
• analyze the cost of implementing the security
measures for mitigating risk
Risk categories
• Risks are categorized based on various risk factors
• Categorizing risks helps the risk manager identify, monitor, and calculate the
impact of the potential loss that might occur due to a risk factor
• Risk categories
– application errors (computing errors, input errors, and buffer overflows,
causing an application or operating system to fail)
– damage (physical damage caused to an asset because of natural disasters, fire,
water, sabotage, or power failure)
– disclosure (disclosure of critical information to unauthorized users)
– equipment malfunctions (to system, network, or peripheral failure)
– human errors (intentional or accidental human actions that adversely affect
output)
– internal and external attacks (misuse of data by hackers or crackers or
unauthorized data access by internal users)
– loss of data (permanent or temporary data loss or the data inaccessibility
occurring due to unauthorized modifications)
Security Definitions
• Vulnerability
– software, hardware, or procedural weakness that may
provide an attacker the open door to enter a
computer or network and have unauthorized access
to resources within the environment
– a vulnerability characterizes the absence or weakness
of a safeguard that could be exploited
– examples:
• a service running on a server,
• unpatched applications or operating system software,
• unrestricted modem dial-in access,
• an open port on a firewall,
• lax physical security that allows anyone to enter a server
room, or
• nonenforced password management on servers and
workstations
• Threat
– any potential danger to information or systems
– the threat is that someone, or something, will identify
a specific vulnerability and use it against the company
or individual
• Threat agent
– the entity that takes advantage of a vulnerability
– examples:
• an intruder accessing the network through a port on the
firewall,
• a process accessing data in a way that violates the security
policy,
• a tornado wiping out a facility, or
• an employee making an unintentional mistake that could
expose confidential information or destroy a file’s integrity
• Risk
– the likelihood of a threat agent taking advantage of a
vulnerability and the corresponding business impact
– example:
• if a firewall has several ports open, there is a higher
likelihood that an intruder will use one to access the network
in an unauthorized method
• if users are not educated on processes and procedures,
there is a higher likelihood that an employee will make an
intentional or unintentional mistake that may destroy data
• if an intrusion detection system (IDS) is not implemented on
a network, there is a higher likelihood an attack will go
unnoticed until it is too late
– Risk ties the vulnerability, threat, and likelihood of
exploitation to the resulting business impact
• Exposure
– an instance of being exposed to losses from a
threat agent
– a vulnerability exposes an organization to possible
damages
• if password management is lax and password rules are
not enforced, the company is exposed to the possibility
of having users’ passwords captured and used in an
unauthorized manner
• if a company does not have its wiring inspected and
does not put proactive fire prevention steps into place,
it exposes itself to potentially devastating fires
• Countermeasure (safeguard)
– is put into place to mitigate the potential risk
– may be
• a software configuration,
• a hardware device, or
• a procedure that eliminates a vulnerability or reduces the
likelihood a threat agent will be able to exploit a vulnerability
– examples
• strong password management,
• a security guard,
• access control mechanisms within an operating system,
• the implementation of basic input/output system (BIOS)
passwords, and
• security-awareness training.
Gives rise to
Threat
agent Exploits
Threat
Leads to
Vulnerability

Risk
Directly affects

Asset
Can damage

Exposure
And causes an

Safeguard
Can be countermeasured by a

The relationships among the different security components


Threat analysis
• Threat is an event that causes harm to an
organization's assets
• Threat analysis
– the process of identifying threats and developing a
cost-effective mitigation strategy for the identified
threat to lower the risk level in an organizational
environment
– should be conducted during early system
developmental stages and continually through the
development lifecycle to facilitate change and
problem management
Threat analysis (cont.)
• Threat analysis involves
– mapping assets
• involves identifying all the assets of the company and
mapping them to their business functions
• assets whose business functions are more critical, are given
priority.
– threat modeling
• involves identifying the assets an application uses to
evaluate the possible threats to that application, reducing
vulnerability.
– developing a mitigation plan
• involves developing appropriate security measures to reduce
the risk level
Vulnerabilities and asset valuation
• Vulnerability - A point of weakness in a system, caused by a loophole or
an error, exposing the system to threats
• An organization needs to conduct a vulnerability analysis because most
computer crimes are committed by people working in the organization
• The use of the Internet within the organization exposes the organization
to more attackers
• Once the company's assets and relevant threats and vulnerabilities have
been identified, the risk manager needs to determine the value of those
assets to determine the replacement cost and how best to safeguard them
• Asset valuation process
– determines the value of an asset
– asset can be valued as high, medium, or low (considering the
organization's total cost incurred for the life cycle of the asset in
terms of production, research and development, and criticality to
the tangibles and intangibles in a business)
Vulnerability analysis techniques
• validating network access control rules
• using hacker tools
• testing platform misconfiguration
• using security penetration report
Risk Analysis and Evaluation
• Risks are associated with potential loss and cannot be eliminated
from any business
• Risk analysis - method of identifying risks and assessing the
possible damage that could be caused in order to justify security
safeguards
• Goals of risk analysis
– Identify assets and their values
– Identify vulnerabilities and threats
– Quantify the probability and business impact of these potential
threats
– Provide an economic balance between the impact of the threat and
the cost of the countermeasure
• Risk analysis provides a cost/benefit comparison, which compares
the annualized cost of safeguards to the potential cost of loss.
– A safeguard, in most cases, should not be implemented unless the
annualized cost of loss exceeds the annualized cost of the safeguard
itself
Risk assessment
• Process of measuring risk by assigning value to
assets, calculating annualized threat
frequency, consequence, and other elements
of chance
• Techniques to assess risks
– Quantitative
– Qualitative
Methodologies for Risk Assessment
• NIST SP 800-30 and 800-66
– methodologies that can be used by the general public, but
their initial creation was designed to be implemented in
the healthcare field (HIPAA clients ) or other regulated
industries
• The NIST SP 800=30 Risk Management methodology is
commonly used by security consultants, security
officers and internal IT departments, and focuses
mainly on computer systems
• An individual or small team collects data from network
and security practice assessments, and from people
within the organization. This data is used as input
values to the risk analysis steps
• The NIST approach is specific to IT threats and
how they relate to information security risks
• The steps of NIST approach:
– System characterization
– Threat identification
– Vulnerability identification
– Control analysis
– Likelihood determination
– Impact analysis
– Risk determination
– Control recommendations
– Results documentation
• FRAP (Facilitated Risk Analysis Process)
– Designed with the intention of exploring a qualitative
risk assessment process in a manner that allows for
tests to be conducted on different aspects and
variations of the methodology
– The intent of this methodology is to provide an
organization with the means of deciding what course
and actions must be taken in specific circumstances to
deal with various issues (not only for IT)
– This will allow, through the use of a prescreening
process, users to determine the areas that really
demand and need risk analysis within an organization
• OCTAVE
– created by Carnegie Mellon University’s Software
Engineering Institute
– methodology that is intended to be used in
situations where people manage and direct the
risk evaluation for information security within
their company
– the people are able to make the decisions
regarding what is the best approach for evaluating
the security of their organization
– idea
• the people working in these environments best
understand what is needed and what kind of risks they
are facing
• AS/NZS 4360
– takes a much broader approach to risk management
(both the NIST and OCTAVE methodologies focus on
IT threats and information security risks)
– can be used to understand a company’s financial,
capital, human safety, and business decisions risks
– although it can be used to analyze security risks, it
was not created specifically for this purpose
• Spanning Tree Analysis
– methodology that develops a tree of all the potential
threats and faults that can disrupt a system
– each of the branches is a general topic or category,
and as the risk analysis is conducted, the branches
that do not apply can be removed
• FMEA (Failure and Fault Analysis)
– method for determining functions, identifying
functional failures, and assessing the causes of failure
and their failure effects through a structured process
– the application of this process to a chronic failure
enables the determination of where exactly the
failure is most likely to occur
– FMEA was first developed for systems engineering
– its purpose is to examine the potential failures in
products and the processes involved with them
– this approach proved to be successful and has been
more recently adapted for use in evaluating of risk
management priorities and mitigating known threat-
vulnerabilities
• Fault tree analysis
– a more useful approach to identifying failures that
can take place within more complex environments
and systems
– follows this general process
• first, an undesired effect is taken as the root or top
event of a tree of logic.
• then, each situation that has the potential to cause that
effect is added to the tree as a series of logic
expressions.
• fault trees are then labeled with actual numbers
pertaining to failure probabilities.
• this is typically done by using computer programs that
can calculate the failure probabilities from a fault tree.
Top-level failure event is
Failure Event A broken down into possible
contributory failure events
OR

Failure Event B Failure Event D

Failure Event C AND

Failure Event E Failure Event F

Fault tree and logic components


Quantitative risk assessment
• Is done by assigning real numbers to
– the cost of countermeasures
– the amount of damage caused by the risk
– all other elements of risk assessment
• Advantages
– the CIA of information and loss are better understood because
of statistical data
– a cost/benefit assessment of countermeasures can be done,
which helps decide the security budget
– the evaluation and tracking of the risk management process can
be performed
– the analyst need not be an expert but can use his basic
knowledge and formulae to identify the financial loss
Quantitative risk assessment (cont.)
• Disadvantages
– calculations are complex and need to be explained to
understand the results
– an automated risk assessment tool is required
because manual calculations are time consuming
– a lot of information regarding the object and its
environment needs to be collated to decipher risk
points
– there is no standard threat knowledgebase; as a result
users need to entirely depend on their threat research
Qualitative risk assessment
• Is a subjective analysis of risk, which is not based on assigning
monetary values but is done by ranking threats, countermeasures,
and damage caused
• Qualitative risk assessment determines risk relative to its
environment, based on surveys, interviews, and group discussions
• Advantages
– calculations are simple and easily understood
– the monetary values of the CIA of information are usually not required
– threat frequency and impact of threat do not need quantification
– the cost of countermeasures does not need to be calculated because
the process is not quantitative; so a cost/benefit analysis is not
required
– information about significant risk areas is provided
Qualitative risk assessment (cont.)
• Disadvantages
– there is a high degree of guesswork because the
assessment data is subjective and based on the opinion of
experts
– the subjective interpretation of risk may not reveal the
actual value of the risk to assets
– a cost/benefit analysis of risk mitigation measures cannot
be done; and as a result, determining the cost of
countermeasures required to safeguard is not possible
– the objective tracking of the risk management process
cannot be done because of subjective processes and
metrics
Risk Analysis Matrix
• The Risk Analysis Matrix uses a quadrant to map the likelihood of a
risk occurring against the consequences (or impact) that risk would
have
• The Risk Analysis Matrix allows you to perform Qualitative Risk
Analysis based on likelihood (from “rare” to “almost certain”) and
consequences (or impact), from “insignificant” to “catastrophic”
• The resulting scores are
– Low (L), Medium (M), High (H), and Extreme Risk (E)
• Low risks are handled via normal processes; moderate risk require
management notification; high risks require senior management
notification, and extreme risks require immediate action including a
detailed mitigation plan (and senior management notification)
• The goal of the matrix is to identify high likelihood/high
consequence risks (upper right quadrant of Table), and drive them
down to low likelihood/low consequence risks (lower left quadrant
of Table)
Risk Analysis Matrix
Consequences
Insignificant Minor Moderate Major Catastrophic
1 2 3 4 5

H H E E E
5. Almost Certain

M H H E E
4. Likely
Likelihood

L M H E E
3. Possible

L L M H E
2. Unlikely

L L M H H
1. Rare
Performing risk assessment
• Terms
– Exposure Factor (EF)
• expressed as a percent
• represents the magnitude of asset loss caused by the identified
threat
– Single Loss Expectancy (SLE)
• represents the amount of loss incurred because of a single type of
identified threat
– Annualized Rate of Occurrence (ARO)
• represents the annual frequency of the occurrence of a threat
– Annualized Loss Expectancy (ALE)
• gives the value of loss that will be incurred annually in case of a
threat
• this value helps an organization decide the amount it needs to
spend on protection against the threat
Performing risk assessment -
Calculations
• Exposure Factor (EF) (%)
– exposure factor = percentage of asset loss caused by the identified
threat
• Single Loss Expectancy (SLE) ($)
– single loss expectancy = asset value * exposure factor
• Annualized Rate of Occurrence (ARO)
– annualized rate of occurrence = annual frequency of occurrence of a
threat
– The range can be from 0.0 (never) to 1.0 (at least once a year) to
greater than one (several times a year) and anywhere in between
• Annualized Loss Expectancy (ALE)
– annualized loss expectancy = single loss expectancy * annualized rate
of occurrence
Example 1
• Data warehouse has the asset value of $150,000;
it was estimated that if a fire were to occur, 25
percent of the warehouse would be damaged
(and not more, because of a sprinkler system and
other fire controls, proximity of a firehouse, and
so on).
What is the value of single loss expectancy (SLE) ?
• If the frequency of a fire taking place has an
annualized rate of occurrence (ARO) value of 0.1
(indicating once in ten years), then what is the
value of annualized loss expectancy (ALE) ?
Answer
• SLE = asset value * EF
• SLE = $150,000 * 0.25 = $37,500

• SLE * annualized rate of occurrence (ARO) = ALE


• ALE = $37,500 * 0.1 = $3750

• The ALE value tells the company that if it wants to put


in controls or safeguards to protect the asset from this
threat, it can sensibly spend $3750 or less per year to
provide the necessary level of protection
Delphi method
• Group discussion technique that requires each member to
express his honest comments about a particular risk on a
piece of paper
• All these anonymous comments are then handed over to
the analysis group and are compiled and redistributed again
for further comments until consensus is reached
• Can be used to
– assess the impact of company growth
– educate participants on all the different aspects of a topic
– explore assumptions and discrete information, which leads to
different judgments
– develop a number of alternatives
– gather information for forming the basis of future agreements
Modified Delphi technique
• Silent form of brainstorming
• Participants develop ideas individually and
silently with no group interaction
• The ideas are submitted to a group of decision
makers for consideration and action
Selecting countermeasures
• The outcome of risk assessment helps the risk manager find
countermeasures to safeguard the organization from identified risks
• The risk manager needs to ensure that the cost incurred to safeguard
the company from the identified risks is not greater than the potential
loss
• Cost/benefit analysis (CBA)
• process of finding out the most cost-effective countermeasures
• compares the ALE without the countermeasure, with the cost of
protection, to the ALE after installing the countermeasure
• the formula to find the cost of a countermeasure :

– Value of countermeasure = ALE (without countermeasure)


– (annual) Cost (safeguard) - ALE (with countermeasure)
Example 2
• If the ALE of the threat of a hacker bringing down a
web server is $12,000 prior to implementing the
suggested safeguard
• the ALE is $3000 after implementing the safeguard
• the annual cost of maintenance and operation of the
safeguard is $650
• Value of countermeasure = ALE (without
countermeasure) – (annual) Cost (safeguard) - ALE
(with countermeasure
• $12,000 - $650 - $3000 = $8350
• the value of this safeguard to the company is $8350
each year
Full cost of a countermeasure
• Product costs
• Design/planning costs
• Implementation costs
• Environment modifications
• Compatibility with other countermeasures
• Maintenance requirements
• Testing requirements
• Repair, replacement, or update costs
• Operating and support costs
• Effects on productivity
• Subscription costs
• Extra man-hours for monitoring and responding to alerts
Total Risk and Residual Risk
• Total risk
– the risk a company faces if it chooses not to implement any type of safeguard
– a company may choose to take on total risk if the cost/benefit analysis results
indicate this is the best course of action
– total risk = threats * vulnerability * asset value
• Residual risk
– the value of the risk after implementing a countermeasure
– a company implements countermeasures to reduce its overall risk to an
acceptable level
– there is always some risk left over to deal with
– controls gap
• protection the control cannot provide
– residual risk = total risk * controls gap
• Conceptual formulas
– f( threats, vulnerability, and asset value ) = total risk
– total risk – countermeasures = residual risk
Risk handling
• After completing the risk assessment process and finding the cost of
countermeasures to safeguard the organization from the risks, it is
time to decide how to handle identified risks
• Options for handling the identified risk
– risk acceptance
• accept the risk and the loss incurred due to the risk and will
not act at all to protect against the risk
– risk reduction
• adopt countermeasures to reduce the risk
– risk transfer
• purchase insurance policies against the risk to transfer the loss
incurred due to damage to the insurance company
– risk avoidance
• terminate the activity that is introducing the risk
PLAN COLLECT INFORMATION DEFINE RECOMMENDATIONS
1.Identify team 1.Identify assets 1.Risk mitigation
2.Identify scope 2.Assign value to assets 2.Risk transference
3.Identify method 3.Identify vulnerabilities 3.Risk acceptance
4.Identify tools and threats 4.Risk avoidance
5.Understand acceptable 4.Calculate risks
risk level 5.Cost/benefit analysis
6.Uncertainty analysis

Management

RISK MITIGATION
•Control selection
RISK AVOIDANCE
•Implementation
•Discontinue activity
•Monitoring

RISK TRANSFERENCE RISK ACCEPTANCE


•Purchase insurance •Do nothing

Risk management program


Roles and Responsibilities
• The management is not only responsible for creating
security policies but also for educating employees
about the security policies
• Security awareness training
– educates employees on the importance of security policies
and makes them aware of their roles and responsibilities in
securing the organization as a whole
– should be realistic and achievable
– communication plays a crucial role in the security
awareness training program
– a trainer should be appointed who can clearly understand
the security policies of the organization and cen
communicate them to the employees with ease
Roles and Responsibilities (cont.
1)
• Examples of different types of security awareness
training programs
– advanced infosec training for information system
security officers and auditors
– awareness training for employees holding security-
sensitive positions or for training employees on new
applications
– security-related job training for security personnel
– security training for senior, functional, and business
managers
– technical support training for IT personnel
Roles and Responsibilities (cont.
2)
• Organizational roles
– security awareness training program should be
first targeted at three specific groups of
employees within the organization because these
groups are often present in every organization

• Individuals
• Stewards (Application owners)
• Custodians
Individuals
– Each individual in an organization is responsible for
protecting the organization's assets
– An individual can perform different roles within the
organization
– data owner
• usually part of the senior management who is responsible
for
– classifying data
– reviewing data to meet changing business needs
– ensuring the implementation of security controls
– determining access rights, security, and backup requirements for
data
– acting on security violation notifications
Individuals (cont.)
• security administrator
– responsible for
• configuring security access controls according to data environments
• creating or deleting system user accounts and issuing passwords
• assigning access control privileges
• implementing and testing security software and patches

• security professional
– holds the functional responsibility of security and performs the sensitive operations stated by
his immediate manager
• security analyst
– is not part of the implemention team for security but determines the strategies and guidelines
for the overall security design of the organization
• senior manager
– holds the responsibility of multiple departments for protecting the company's assets by
performing a cost/benefit analysis of the security practices followed by the company.
Stewards
• The user is any person who uses data for performing job-related
activities
• The user is responsible for protecting the data by adhering to the
security policies and maintaining the confidentiality, integrity, and
availability of data
• Steward
– senior business managers responsible for the creation, maintenance,
and performance of information systems related to specific business
units
– responsibilities
• categorizing data based on the data-classification scheme
• classifying critical data effectively to meet contingencies
• defining validation rules for correct data input
• ensuring the training of data users
• understanding the uses and risks associated with data in order to provide
appropriate data access permissions
Custodians
• Custodian
– IT personnel responsible for the security and maintenance
of the information provided to them by stewards
• Responsibilities
– protecting information from unauthorized access and
modifications
– performing backups or restoring data according to the
requirements specified by the organization
– monitoring information systems to ensure compliance with
company policies and standards
– providing stewards with reports about information system
usage
Other roles in an organization
• change control analyst
– takes care of all the changes that take place in the organization's information
system
– responsibilities
• approving or rejecting change requests
• analyzing the impact of changes
• ensuring that changes do not lead to vulnerabilities
• testing all changes before they are rolled out

• data analyst
– ensures that an organization's data is properly structured and comprehensible
– responsibilities
• designing data structures and data models in compliance with business objectives
• designing the physical database structure
• helping the data owner develop data architectures
• recording metadata to manage databases
Other roles in an organization (cont.)
• process owner
– ensures that all processes in an organization are well defined to meet business
needs
– responsibilities
• defining data requirements and improving data quality for business processes
• defining, improving, and monitoring processes to make the processes effective
• resolving the data issues related to complex processes and the processes associated with
different application types

• product line manager


– ensures that all products meet the business requirements of the organization
– responsibilities
• translating business requirements into product requirements
• evaluating the need for product enhancement
• planning and implementing new releases
• ensuring that products comply with license agreements
• monitoring production performance per business objectives
• analyzing product usage and the technology required for product usage
Other roles in an organization (cont.)
• solution provider
– works with the business managers to develop and deploy
solutions for improving business processes or solving problems
– responsibilities
• ensuring that applications and data work together to meet business
needs
• giving technical requirements to improve the process
• system owner
– incorporates security considerations into applications, purchase
decisions, and projects
– responsibilities
• assessing systems for vulnerabilities
• ensuring that proper security measures are adopted
• reporting security incidents to the data owner
Other roles in an organization (cont.)
• supervisor
– also called the user manager
– holds the complete responsibility of employee activities and the assets
used by the employees
– also takes care of nonemployee activities and the company assets
used by these individuals
– responsibilities
• informing the security administration for revoking the user IDs of terminated
employees
• informing the administration about the transfer of an employee
• reporting security violation incidents
• receiving and assigning user IDs to new employees
• ensuring that the user ID and account information of an employee are
synchronized
• educating the employees about the security policies they are accountable for
Questions
• 1. Who has the primary responsibility of
determining the classification level for
information?
– A. The functional manager
– B. Senior management
– C. The owner
– D. The user

C. A company can have one specific data owner or different data owners who
have been delegated the responsibility of protecting specific sets of data. One
of the responsibilities that goes into protecting this information is properly
classifying it.
• 2. Which group causes the most risk of fraud
and computer compromises?
– A. Employees
– B. Hackers
– C. Attackers
– D. Contractors

A. It is commonly stated that internal threats comprise 70–80 percent of


the overall threat to a company. This is because employees already have
privileged access to a wide range of company assets. The outsider who wants
to cause damage must obtain this level of access before she can carry out
the type of damage internal personnel could dish out. A lot of the damages
caused by internal employees are brought about by mistakes and system
misconfigurations.
• 3. If different user groups with different security
access levels need to access the same
information, which of the following actions
should management take?
– A. Decrease the security level on the information to
ensure accessibility and usability of the information.
– B. Require specific written approval each time an
individual needs to access the information.
– C. Increase the security controls on the information.
– D. Decrease the classification label on the
information.

C. If data is going to be available to a wide range of people, more granular


security should be implemented to ensure that only the necessary people
access the data and that the operations they carry out are controlled. The
security implemented can come in the form of authentication and
authorization technologies, encryption, and specific access control
mechanisms.
• 4. What should management consider the
most when classifying data?
– A. The type of employees, contractors, and
customers who will be accessing the data.
– B. Availability, integrity, and confidentiality.
– C. Assessing the risk level and disabling
countermeasures.
– D. The access controls that will be protecting the
data.
B. The best answer to this question is B, because to properly classify data,
the data owner must evaluate the availability, integrity, and confidentiality
requirements of the data. Once this evaluation is done, it will dictate which
employees, contractors, and users can access the data, which is expressed in
answer A. This assessment will also help determine the controls that should
be put into place.
• 5. Who is ultimately responsible for making
sure data is classified and protected?
– A. Data owners
– B. Users
– C. Administrators
– D. Management

D. The key to this question is the use of the word “ultimately.” Though
management can delegate tasks to others, it is ultimately responsible for
everything that takes place within a company. Therefore, it must continually
ensure that data and resources are being properly protected.
• 6. What is a procedure?
– A. Rules on how software and hardware must be
used within the environment
– B. Step-by-step directions on how to accomplish a
task
– C. Guidelines on how to approach security
situations not covered by standards
– D. Compulsory actions

B. Standards are rules that must be followed; thus, they are compulsory.
Guidelines are recommendations, while procedures are step-by-step
instructions.
• 7. Which factor is the most important item
when it comes to ensuring security is
successful in an organization?
– A. Senior management support
– B. Effective controls and implementation methods
– C. Updated and relevant security policies and
procedures
– D. Security awareness by all employees

A. Without senior management’s support, a security program will not receive


the necessary attention, funds, resources, and enforcement capabilities.
• 8. When is it acceptable to not take action on an
identified risk?
– A. Never. Good security addresses and reduces all
risks.
– B. When political issues prevent this type of risk from
being addressed.
– C. When the necessary countermeasure is complex.
– D. When the cost of the countermeasure outweighs
the value of the asset and potential loss.

D. Companies may decide to live with specific risks they are faced with if the
cost of trying to protect themselves would be greater than the potential loss
if the threat were to become real. Countermeasures are usually complex to a
degree, and there are almost always political issues surrounding different
risks, but these are not reasons to not implement a countermeasure.
• 9. What are security policies?
– A. Step-by-step directions on how to accomplish
security tasks
– B. General guidelines used to accomplish a specific
security level
– C. Broad, high-level statements from the
management
– D. Detailed documents explaining how security
incidents should be handled
C. A security policy captures senior management’s perspectives and
directives
on what role security should play within the company. Security policies are
usually general and use broad terms so they can cover a wide range of items.
• 10. Which is the most valuable technique
when determining if a specific security control
should be implemented?
– A. Risk analysis
– B. Cost/benefit analysis
– C. ALE results
– D. Identifying the vulnerabilities and threats
causing the risk
B. Although the other answers may seem correct, B is the best answer here.
This is because a risk analysis is performed to identify risks and come up with
suggested countermeasures. The ALE tells the company how much it could
lose if a specific threat became real. The ALE value will go into the
cost/benefit analysis, but the ALE does not address the cost of the
countermeasure and the benefit of a countermeasure. All the data captured
in answers A, C, and D are inserted into a cost/benefit analysis.
• 11. Which best describes the purpose of the
ALE calculation?
– A. Quantifies the security level of the environment
– B. Estimates the loss possible for a
countermeasure
– C. Quantifies the cost/benefit result
– D. Estimates the loss potential of a threat in a span
of a year
D. The ALE calculation estimates the potential loss that can affect one asset
from a specific threat within a one-year time span. This value is used to figure
out the amount of money that should be earmarked to protect this asset
from this threat.
• 12. Tactical planning is:
– A. Midterm
– B. Long term
– C. Day-to-day
– D. Six months

A. Three types of goals make up the planning horizon: operational, tactical,


and strategic. Tactical goals are midterm goals that must be accomplished
before the overall strategic goal is accomplished.
• 13. What is the definition of a security
exposure?
– A. An instance of being exposed to losses from a
threat
– B. Any potential danger to information or systems
– C. An information security absence or weakness
– D. A loss potential of a threat

A. An exposure is an instance of being exposed to losses from a threat agent.


A vulnerability can cause an organization to be exposed to possible damages.
For example, if password management is lax and password rules are not
enforced, the company can be exposed to the possibility of having users’
passwords captured and used in an unauthorized manner.
• 14. An effective security program requires a
balanced application of:
– A. Technical and nontechnical methods
– B. Countermeasures and safeguards
– C. Physical security and technical controls
– D. Procedural security and encryption

A. Security is not defined by a firewall, an access control mechanism, a


security policy, company procedures, employee conduct, or authentication
technologies. It is defined by all of these and how they integrate together
within an environment. Security is neither purely technical nor purely
procedural, but rather a mix of the two.
• 15. The security functionality defines the
expected activities of a security mechanism, and
assurance defines:
– A. The controls the security mechanism will enforce
– B. The data classification after the security mechanism
has been implemented
– C. The confidence of the security the mechanism is
providing
– D. The cost/benefit relationship

C. The functionality describes how a mechanism will work and behave. This
may have nothing to do with the actual protection it provides. Assurance
is the level of confidence in the protection level a mechanism will provide.
When systems and mechanisms are evaluated, their functionality and
assurance should be examined and tested individually.
• 16. Which statement is true when looking at security
objectives in the private business sector versus the
military sector?
– A. Only the military has true security.
– B. Businesses usually care more about data integrity and
availability, whereas the military is more concerned with
confidentiality.
– C. The military requires higher levels of security because
the risks are so much higher.
– D. The business sector usually cares most about data
availability and confidentiality, whereas the military is
most concerned with integrity.

B. Although answer C may seem correct to you, it is a subjective answer.


Businesses will see their threats and risks as being more important than
another organization’s threats and risks. The military has a rich history
of having to keep its secrets secret. This is usually not as important in the
commercial sector relative to the military.
• 17. How do you calculate residual risk?
– A. Threats × risks × asset value
– B. (Threats × asset value × vulnerability) × risks
– C. SLE × frequency = ALE
– D. (Threats × vulnerability × asset value) × controls
gap

D. The equation is more conceptual than practical. It is hard to assign a


number to a vulnerability and a threat individually. This equation enables
you to look at the potential loss of a specific asset, as well as the controls gap
(what the specific countermeasure cannot protect against). What remains
is the residual risk, which is what is left over after a countermeasure is
implemented.
• 18. Which of the following is not a purpose of
doing a risk analysis?
– A. Delegating responsibility
– B. Quantifying the impact of potential threats
– C. Identifying risks
– D. Defining the balance between the impact of a
risk and the cost of the necessary countermeasure

A. The other three answers are the main reasons to carry out a risk analysis.
An analysis is not carried out to delegate responsibilities. Management will
take on this responsibility once the results of the analysis are reported to it
and it understands what actually needs to be carried out.
• 19. Which of the following is not a
management role in the process of
implementing and maintaining security?
– A. Support
– B. Performing risk analysis
– C. Defining purpose and scope
– D. Delegating responsibility

B. The number one ingredient management must provide when it comes to


security is support. Management should define the role and scope of security
and allocate the funds and resources. Management also delegates who does
what pertaining to security. It does not carry out the analysis, but rather is
responsible for making sure one is done and that management acts on the
results it provides.
• 20. Why should the team that will perform and review the
risk analysis information be made up of people in different
departments?
– A. To make sure the process is fair and that no one is left out.
– B. It shouldn’t. It should be a small group brought in from
outside the organization because otherwise the analysis is
biased and unusable.
– C. Because people in different departments understand the risks
of their department. Thus, it ensures the data going into the
analysis is as close to reality as possible.
– D. Because the people in the different departments are the ones
causing the risks, so they should be the ones held accountable.

C. An analysis is only as good as the data that goes into it. Data pertaining to
risks the company faces should be extracted from the people who
understand
best the business functions and environment of the company. Each
department understands its own threats and resources, and may have
possible solutions to specific threats that affect its part of the company.