CISSP DOMAIN 1:

SECURITY AND RISK MANAGEMENT

2021 CYBERSECURITY TRAINING SERIES


CHECK
• SLIDES
• TEXTBOOK
• PLANNED ABSENCES during the week?
• ACTIVE Q/A SESSIONS
• WEBCAM ON = attendance feedback
• POSSIBLE START 9:00, END 16:00
• BREAK at 11:00, lunch 13:00-14:30
SCHEDULE
• Monday: Domain 1 (+ 2 if we get to it) = 140 + 35
• Tuesday: Domain 3A + 3B = 110 + 130
• Wednesday: Domain 4 + 5 = 100 + 50
• Thursday: Domain 6 + 7 = 30 + 150
• Friday: Domain 8 + exercises = 60
EXAM
• 100-150 questions drawn from randomly assigned templates
• 1000 points total, passing mark 700
• 2 hours = 120 minutes = about 60 seconds per question
THREATS TO RISK MANAGEMENT
• Unknown threats
• Unmeasurable risks
• People
• Unauthorized disclosure
• Destruction
• Alterations
Security and Risk Management 4
THE CYBER THREAT LANDSCAPE
(word cloud) Hacktivist, Botnets, VPN, Data at Rest, BYOD, Spoofing, Cloud, Phishing, Ransomware, Data in Motion, DDOS, APT, PII, Malware, Data Leakage, Hacking, WIFI, Disasters, Rootkits, VM, Worms, Mal-Mining, Covert Channels, Physical Access, Firewalls, Cyber Terrorism, Social Engineering, Sniffing, Insiders, Modems, Cellular, SQL Injection, Mobile, Encryption, Disposal, Asset Management, Skimming, Remote Access, Patch Management, Destruction, Compliance & Regulations, Social Media, 1 vs 2 Factor Authentication
SECURITY JARGON
(word cloud) Set and forget, Security by Obscurity, Defense in Depth, Sneakernet, Fire and forget, Urban Legends, Information Assurance, DLP, Snake Oil


1.1 UNDERSTAND, ADHERE TO, AND
PROMOTE PROFESSIONAL ETHICS
• (ISC)² Code of Professional Ethics
• Organizational Code of Ethics



(ISC)2 CODE OF ETHICS
Code of Ethics Preamble:
• The safety and welfare of society and the common good, duty to our
principals, and to each other, requires that we adhere, and be seen to
adhere, to the highest ethical standards of behavior.
• Therefore, strict adherence to this Code is a condition of certification.
Code of Ethics Canons:
• Protect society, the common good, necessary public trust and confidence,
and the infrastructure.
• Act honorably, honestly, justly, responsibly, and legally.
• Provide diligent and competent service to principals.
• Advance and protect the profession.
https://www.isc2.org/ethics/
ADDITIONAL ETHICAL CODES
• Computer Ethics Institute
– Thou shalt not use a computer to harm other people
– Thou shalt not interfere with other people’s computer work
– … ten commandments in total
• Internet Architecture Board
– Provides architectural oversight of the Internet Engineering Task Force (IETF)
• The IAB considers the following unethical
– Purposely seeking to gain unauthorized access to Internet resources
– Disrupting the intended use of the Internet


1.1 UNDERSTAND AND APPLY
SECURITY CONCEPTS
• Confidentiality
• Integrity
• Availability
• Authenticity
• Nonrepudiation


CONFIDENTIALITY, INTEGRITY,
& AVAILABILITY (CIA TRIAD)
• Confidentiality – controls that prevent unauthorized disclosure
• Integrity – controls that prevent unauthorized modifications
• Availability – controls that provide reliable and timely access to authorized personnel

THINGS THAT PROVIDE CONFIDENTIALITY
• Access Controls
• Encryption
• Physical Security

THINGS THAT PROVIDE AVAILABILITY
• Load Balancing
• BCP / DR
• Backups
• Redundancy
• Hardening
• Physical Security

THINGS THAT PROVIDE INTEGRITY
• Change Control
• Hashing
• Access Controls
• Digital Signatures
• Configuration Management
WHEN IN DOUBT….
• Historically, the main focus of Cybersecurity
has been Confidentiality.
– Cryptography
– Secrecy
– Privacy



SECURITY DEFINITIONS
• Vulnerability – weakness in a system that allows a threat to compromise security
• Threat – potential danger with the exploitation of a vulnerability (threat agent)
• Risk – likelihood of occurrence
• Exposure – instance of being exposed to losses related to a particular vulnerability

CONTROL TYPES
• Administrative – risk management; training and documentation
• Technical – FW, AV, IDS, IPS, encryption; authentication methods
• Physical – guards, locks; fences and lighting

APPLICABLE TYPES OF CONTROLS
• Deterrent – discourage an attacker
• Preventative – avoid from happening
• Corrective – fix after an incident
• Detective – identify an incident’s activities
• Compensating – alternative measure of control
DETERMINING TYPES OF CONTROLS
• Preventative Administrative
–Background checks, Security awareness training
• Preventive Physical
–Guards, dogs
• Preventive Technical
–Biometrics, firewalls
• Security Through Obscurity – NOT A CONTROL
CONSIDER EACH CONTROL IN TERMS OF CIA
• (fill in the blank) provides C, I, or A?

DISCUSSION: WHAT IS THE
COST FOR EACH CONTROL?
• What do you lose when you provide C, I, or A?

CONFIDENTIALITY & AVAILABILITY TRADEOFF
• As Confidentiality increases, Availability decreases


AUTHENTICITY AND NONREPUDIATION
• Authenticity
– No verification of the sender
– You know what was said
• Nonrepudiation
– Verification of the sender
– You know who said it
1.3 EVALUATE AND APPLY
SECURITY GOVERNANCE PRINCIPLES



ALIGNMENT OF SECURITY FUNCTION
TO BUSINESS STRATEGY, GOALS,
MISSION, AND OBJECTIVES
• Goals
• Mission
• Business Case
• Budget
• Resources
• Objectives
• Risk Management
• Risk Avoidance (adverse)

ORGANIZATION PROCESSES
• Acquisitions
• Divestitures
• Mergers
• Governance
• Regulations
• Technology


ORGANIZATIONAL ROLES
& RESPONSIBILITIES
• Security
• Business
• Management

SECURITY CONTROL FRAMEWORKS
• NIST (SP-800)
• CMMI
• ITIL
• ISO 27000 / 31000
• CoBIT
• COSO


DUE DILIGENCE VS DUE CARE
• Due Diligence – investigated possible vulnerabilities and weaknesses
• Due Care – investigated and took reasonable action to mitigate threats
– IF YOU CARE, THEN YOU WILL DO SOMETHING

1.4 DETERMINE COMPLIANCE REQUIREMENTS
• Contractual
• Legal
• Industry Standards
• Regulatory Requirements
• Privacy Requirements
IS IT CONTRACTUAL? LEGAL? STANDARD?
• Some compliance requirements can span multiple
categories
– Payment Card Industry Data Security Standard (PCI
DSS) is both a contractual obligation and a de-facto
industry standard
– Legal privacy requirements may span jurisdictions –
GDPR applies to the data of EU citizens and
companies that do business within the EU, regardless
of where those companies are located
PRIVACY
• Several approaches to addressing privacy
– Generic approach: rules that stretch across all industry
boundaries
– Regulation by industry: defines requirements for specific
industry verticals, such as financial sector
• Both systems seek to protect citizens’ personally
identifiable information (PII)
• Both seek to balance the needs of organizations to
collect and use PII while considering security issues
WHAT IS PII?
• Depending on the jurisdiction, the specific elements may vary, but for many (including
GDPR) PII includes:
• Name, Address, ID numbers (driver license, SS#, passport #, etc.)
• Web data (location, IP, cookies)
• Health, Biometric
• Racial or ethnic data
• Political affiliations
• Sexual orientation or gender identity
• Birthplace
• Genetic information


1.5 UNDERSTAND LEGAL AND REGULATORY
ISSUES THAT PERTAIN TO INFORMATION
SECURITY IN A HOLISTIC CONTEXT



CYBER CRIMES AND DATA BREACHES
• Happen every day
• Not if, but when
• Under reported
• Unknown
SOCIAL ENGINEERING ATTACKS
• Phishing
• Spear-Phishing
• Pharming
• Whaling
• Identity Theft
• Shoulder Surfing
• Tailgating or Piggybacking
PASSWORD ATTACKS
• Sniffing
–Capturing network traffic
• Replay
–Retransmitting captured network traffic
• Accessing Password File
• Password Cracking
–Brute Force
–Rainbow Tables
–Dictionary
–Social Engineering
HACKTIVISM
• Hacking to promote a political or ideological cause or purpose


PHONE HACKING: PHREAKERS
Ways to get free long distance and international calling:
• Red Boxing – simulating the sounds of the coins by using electronic frequencies
• Blue Boxing – the Captain Crunch whistle created a 2600 Hz tone into a telephone for free long-distance calls
• White Boxing – convert a touch-tone keypad into a portable dialer unit
• Black Boxing – manipulated line voltage for free long-distance calls
ADVANCED PERSISTENT THREAT (APT)
• Purpose-built code or attack that patiently waits for a vulnerability to gain access to a specific system with a specific goal in mind.


EVOLUTION OF ATTACKS
• Historically, hacking was for the fun of discovery or thrill of
vandalism
– Often sought the spotlight
– All about bragging rights
• Organized crime realized the potential for monetization of
these activities
– Seek to avoid notice
– Usually profit oriented
COMMON SCHEMES
• Auction Fraud
• Debit elimination
• Employment/business opportunities
• Investment Fraud
• Nigerian letter of 419 call scams
• Ponzi/pyramid
OTHER ATTACK TYPES
• Salami – (Fractional Currencies)
• Data Diddling
• IP Spoofing
• Dumpster Diving
• Wiretapping
• Cybersquatting
INTERNAL VS EXTERNAL CRIMES
• Internal cyber crimes are always under reported
(chart: Unreported Internal / Internal / External)


COMPUTER CRIME LAWS
• Computer-assisted vs computer-targeted crimes
vs computer incidental.
–Unauthorized access
–Unauthorized modification or destruction
–Unauthorized disclosure
–Unauthorized use of resources (crypto jacking)
TYPES OF COMPUTER CRIMES
• Computer Assisted Crime – computer is used
as a tool to carry out a crime (hacktivism,
breach of customer information databases)
• Computer-Targeted Crime – concerns incidents
where a computer was the victim of an attack
crafted to harm it specifically. (buffer overflow,
DDoS, password capturing)
PERSONALLY IDENTIFIABLE INFORMATION
(PII)
• Data that can be used to uniquely identify,
contact, or locate an individual
• Best way to protect PII is not to collect it



LICENSING AND INTELLECTUAL PROPERTY (IP)
• Trademarks
• Patents
• Trade Secrets
• Copyrights
TRADE SECRET LAW
• A trade secret is something that is proprietary to a company
and is important for its survival and profitability.
– Formula for Coca Cola
– Source code of a program
– Method for making something
– A trade secret has no expiration
• Employees are often required to sign Non-Disclosure
Agreements (NDA) to protect trade secrets


PATENT
• Given to individuals or companies to grant legal ownership of, and
enable them to exclude others from using or copying the invention
covered by the patent.
• Once granted, the patent grants limited property right to exclude
others from making, using, or selling the invention for a specific
period of time.
– Example: Drugs – 20 years
• Patent Troll (non-practicing entity): person or company who
obtains patents not to protect their inventions, but to aggressively
and opportunistically go after another entity who tries to create
something based upon their ideas.
TRADEMARK
• Slightly different than copyright
• Used to protect a word, name, symbol, sound, shape,
color, or combination of these
– Curved shape of Coca-Cola bottle
– Nike “swoosh”
• Establishes “brand identity”
• Cannot trademark a number or common word (486)



COPYRIGHT LAW
• Protects the right of an author to control the public
distribution, reproduction, display, and adaptation of his/her
original work.
• Protection does not extend to any method of operation,
process, concept, or procedure
• Protects form of expression rather than subject matter
• Lifetime of creator plus 50 years
• Can apply to computer code
– Protects both source code and object code



IMPORT / EXPORT CONTROLS
• Wassenaar Arrangement: Export Controls for Conventional Arms and
Dual-Use Goods and Technologies
– Category 1: Special Materials/Related Equipment
– Category 2: Materials Processing
– Category 3: Electronics
– Category 4: Computers
– Category 5: Part 1: Telecommunications
– Category 5: Part 2 Information Security
– Category 6: Sensors and Lasers (smart phone components fall here)
– Category 7: Navigation and Avionics
– Category 8: Marine
– Category 9: Aerospace and Propulsion



ORGANIZATION FOR ECONOMIC
CO-OPERATION AND DEVELOPMENT (OECD)
• The Guidelines on the Protection of Privacy and Transborder Flow of Personal
Data established principles that laws should reflect
– Collection Limitation
– Data Quality
– Purpose Specification
– Use Limitation
– Security Safeguards
– Openness
– Individual Participation
– Accountability


INDUSTRY AND INTERNATIONAL SECURITY
IMPLEMENTATION GUIDELINES
• ISO 27001 and 27002
• Inspired by BS 7799 (British Standard) and ISO 17799
• 27001
– Standards for information security management systems
• 27002
– Guidelines
• COBIT developed by ISACA
LEGAL SYSTEMS
(map of the legal systems of the world)
https://www.reddit.com/r/MapPorn/comments/1u71ne/a_map_of_the_legal_systems_in_the_world_1400x736/
LAWS, DIRECTIVES, AND REGULATIONS
• If you’re not a lawyer, you’re not a lawyer
• But increasingly it is important for information
security professionals to understand their legal
environment



PRIVACY LAWS AND REGULATIONS
• GDPR
• HIPAA
• HI-TECH Act
• GLBA
• PCI-DSS



GENERAL DATA PRIVACY REGULATION (GDPR)
• Data subject: who the data pertains to
• Data controller: organization that collects the data
• Data processor: processes data for the controller
• The regulation applies if any one of the three
entities is based in the EU, but also applies if a
data controller or processor has data that pertains
to an EU citizen
GDPR KEY PROVISIONS
• Consent – opt in, not opt out
• Right to be informed – how is, will, or could data
be used?
• Right to restrict processing – subjects can allow
storage of their data, but opt out of processing
• Right to be forgotten
• Data Breaches – 72 hours
HEALTH INSURANCE PORTABILITY AND
ACCOUNTABILITY ACT (HIPAA)
• Standards for storage, use, and transmission of
personal medical information
• HIPAA guidelines are given to you the first time you are
a new patient, are posted on the wall, and are
available upon request
• Also known as: Kennedy–Kassebaum Act
• “Covered Entities”
HEALTH INFORMATION TECHNOLOGY FOR
ECONOMIC AND CLINICAL HEALTH ACT
• HI-TECH Act
• Intended to promote adoption and meaningful
use of health information technology



GRAMM-LEACH-BLILEY ACT OF 1999
• GLBA
• Requires financial institutions to develop
privacy policies, provide opt out of information
sharing of customer data



PAYMENT CARD INDUSTRY (PCI)
DATA SECURITY STANDARD (DSS)
• While not a statute, this contractual obligation
between the credit card companies and
companies that accept and process card
payments has broad implications
Visa, Master Card, Discover, American Express



EMPLOYEE PRIVACY ISSUES
• The organization must clearly establish an employee’s
Reasonable Expectation of Privacy through
annual Information Security Training, Acceptable
Use Policies, Rules of Behavior, banner
notifications, etc.
–Email scanning
–Network monitoring
–System logs
EXAM NOTE
• While the CISSP exam in theory does not cover
specific laws (e.g. FISMA, SOX, GDPR), questions
about these laws appear even in the practice
questions from (ISC)2
• The exam does cover security control model
frameworks such as ISO/IEC 27000, COBIT, etc.
–Historically more emphasis is placed upon CMMI
compared to ITIL and Six Sigma
LICENSING AND INTELLECTUAL
PROPERTY REQUIREMENTS
• IP Law
• Trade Secrets
• Patents
• Copyright Law
• Trademarks


INTELLECTUAL PROPERTY (IP) LAW
• How a company or individual can protect what they
rightfully own from unauthorized duplication or use.
– Company must demonstrate due care (reasonable acts of
protection) in its efforts to protect those resources
– Divided into two categories
• Industrial property – patents, industrial designs, trademarks
• Copyright – literary and artistic works



IMPORT / EXPORT CONTROLS
• Wassenaar Arrangement – export controls for
“Conventional Arms and Dual-Use Goods and
Technologies”
– The same sensors in your smartphone could be
implemented as part of a missile guidance system, that’s
what is meant by “dual use”
• It’s not just export: some countries have cryptographic
import controls
– China, Russia, Iran, Iraq, etc.
TRANS-BORDER DATA FLOW



ENFORCEMENT COMPLEXITIES
• Attribution (hacking back)
• Jurisdiction
• Botnets
• Multiple enforcement agencies with overlapping mandates
• When sensitive data is copied, it is not lost
– Many organizations do not want to publicize the fact that an
attack was successful, even when legally required to do so
JURISDICTION
• Whose case is it?
–A Ukrainian hacker targets a bank in France,
pivoting from servers in Russia
–A Chinese attacker uses US-based cloud
infrastructure to crack the password on your mobile
phone while you are traveling in the EU and empties
your crypto wallet
SOFTWARE PIRACY
• Not every country recognizes software piracy as a crime
• Freeware: publicly available free of charge
• Shareware (trialware): used by vendors to market their
software – try before you buy
• Commercial software: sold for commercial purposes
(COTS)
• Academic software: provided for academic purposes at
reduced cost


1.6 UNDERSTAND REQUIREMENTS
FOR INVESTIGATION TYPES
• Administrative
• Criminal
• Civil
• Regulatory
• Industry Standards


ADMINISTRATIVE
• Laws that regulate government agencies and
their activities
• Neither civil nor criminal



CIVIL
• Civil (Code) Law System
– System of law used in continental Europe (unlike the common
law system in the US and UK)
– Rule based rather than precedent based
– Based on codified (written) law
– Do not confuse with the civil legal system (or tort) laws found
in the US
– Can be subdivided into French civil law, German civil law,
etc.
COMMON LAW
• Developed in England
• Based on previous interpretations of laws
• 12th century in England: Henry II imposed a unified
legal system that was “common” to the entire country.
• Led to the creation of lawyers who actively participate in
litigation
• Uses judges and a jury of peers for determination after
presentation of evidence and arguments.


CRIMINAL
• Based on common law, statutory law, or both –
depends on the jurisdiction


CIVIL / TORT
• Offshoot of criminal law
• Defendant owes legal duty to victim – i.e.
defendant is obligated to standard of conduct –
defined by ”reasonableness”
• Breach of duty causes some injury



PROXIMATE CAUSE
• An act or omission that naturally and directly
produces a consequence.
• Superficial or obvious cause for an occurrence.
• Refers to a cause that leads directly, or in an
unbroken sequence, to a particular result.
• It can be seen as an element of negligence in a
court of law.
LIABILITY
• While you didn’t hack the system, it was your
responsibility to see that it did not get hacked
• Organizations are expected to develop
preventative, detective, and corrective approaches
– but also to develop liability and responsibility
approaches
• BYOD?
CIVIL CATEGORIES
• Intentional
• Wrongs against person
• Wrongs against property
• Negligence
• Dignitary wrongs
• Economic wrongs
• Nuisance
• Strict liability

OTHER CATEGORIES
• Customary Law
• Religious Law
• Mixed Law Systems
• Nuisance
• Dignitary Wrongs
• Economic Wrongs
• Strict Liability


1.7 DEVELOP, DOCUMENT, AND IMPLEMENT …
• Regulatory – Industry (PCI-DSS), Gov. (SOX, HIPAA)
• Advisory – Should and should not do
• Informative – Not enforceable – teaching
• Standards – Mandatory actions or rules
• Guidelines – Recommended actions
• Procedures – Step by step

1.8 IDENTIFY, ANALYZE, AND PRIORITIZE
BUSINESS CONTINUITY (BC) REQUIREMENTS
• Business Continuity – broad business focus
• INCLUDES Disaster Recovery – technology focus


BUSINESS IMPACT ANALYSIS (BIA)
• Absolute requirement for development of BC and
DR plans
• Identifies critical business process and IT systems
necessary to support them
• Defines order of precedence for recovery efforts
• Functional analysis: team collects data through
interviews, document review, etc.
BIA CONTINUED
• Identify threats and map them to:
–Maximum tolerable downtime (MTD)
–Define operational disruption
–Financial considerations
–Regulatory responsibilities
–Reputation impacts

BIA STEPS (know the order)
1. Select individuals to interview for data gathering
2. Create data-gathering techniques (surveys, questionnaires,
qualitative and quantitative approaches)
3. Identify critical business functions
4. Identify resource dependencies
5. Calculate how long these functions can survive without resources
6. Identify vulnerabilities and threats to these functions
7. Calculate the risk for each
8. Document findings and report to management
RISK ASSESSMENT AS PART OF BIA
• Determine organizations tolerance for continuity risk
• Make use of data gathered in BIA
• Identify, evaluate and record
– Vulnerabilities
– Threats and hazards
– Mitigating or compensating controls
– Single points of failure
– Critical skill concentrations or shortages
– Continuity risk
• accepted or handled elsewhere

BUSINESS CONTINUITY PLANNING
• Goal is to provide methods and procedures for
dealing with medium and long term disruptions
• Takes a broader approach
• Business process focused



BUSINESS CONTINUITY PLANNING
• Protect lives and ensure safety
• Reduce impact of incident
• Reduce confusion
• Enables immediate and appropriate response to
emergency
• Resume critical business processes
• Work with externals during recovery period
• Enhance chances of business survivability
DISASTER RECOVERY PLANNING
• Goal is to minimize the effects of disaster or
disruption
• Disaster Recovery Plan is focused on getting
critical systems back on line ASAP
• Technology focused
• Covered in Domain 7
INTERDEPENDENCIES
• Define essential functions and supporting departments
• Identify interdependencies between these functions and
departments
• Document possible disruptions to dependent systems
• Gather quantitative and/or qualitative information
• Identify alternative methods of meeting requirements


CRITICAL SUCCESS FACTORS
• Things you must have to succeed and function

TYPES OF LOSSES
• Public confidence
• Competitive advantage
• Violation of contract agreements / SLA
• Violation of legal and regulatory requirements
• Revenue / productivity loss
• Increased cost


BCP CRITICAL STEPS (know the order)
1. Develop the continuity planning policy statement
– Scope of effort
2. Conduct Business Impact Analysis (BIA)
– Identify and prioritize recovery of critical functions
3. Identify preventive controls
– Manage identified risk
4. Develop recovery strategies
5. Develop contingency plan
6. Test and train
7. Maintain the plan (at least once a year)
– Manage change: personnel change, vendor churn (change), etc.
BCP STANDARDS
• NIST SP 800-34 (free from nist.gov)
–Contingency Planning Guide for Federal Information
Systems
• ISO 22301:2012 Societal security – Business
continuity management systems
• ISO/IEC 27031:2011 Guidelines for information and
communications technology readiness for business
continuity
BCP INITIATION
• Must be “top down” effort
– Executive champion
– Budget and personnel assignments
– Skills training may be required for team members
– Support of data collection efforts
• Quick wins may be important to demonstrate improvement in
readiness
• Define scope
– Enterprise wide? Division or business unit? Individual
department?
BCP PROJECT COMPONENTS
• BCP Coordinator
– Individual with strong project management skills
– Oversees development, implementation, and testing
• BCP Committee
– Business units
– Senior management
– IT and Security
– Communications
– Legal

BCP POLICY
• Supplies framework and governance
• Project Management is critical
• Development steps
– Identify and document BCP policy components
– Identify existing policies that might be impacted
– Identify pertinent laws, regulations, standards
– Identify best practice within your industry
– Perform gap analysis – where you are vs where you want to be
– Prepare draft, get internal stakeholder review
– Revise to reflect stakeholder comments
– Get management approval of draft
BUSINESS CONTINUITY MANAGEMENT
• Holistic (total) approach to both DR and BCP
• Should consider confidentiality, integrity, and
availability in alignment with regular business
practices



BCP STRUCTURE
• Initiation – goals, roles, task definitions
• Activation – notification, damage assessment, plan activation
• Recovery – alt site, restore processes, recovery procedures
• Reconstitution – restore facility, test, move operations back home
• Appendixes – calling tree, OEP, DR, etc., system requirements, schematics

1.9 CONTRIBUTE TO & ENFORCE PERSONNEL
SECURITY POLICIES & PROCEDURES
• Candidate screening and hiring
• Employment agreements and policies
• Onboarding and termination processes
• Vendor, consultant, & contractor agreements and controls
• Compliance policy requirements
• Privacy policy requirements

1.10 UNDERSTAND AND APPLY
RISK MANAGEMENT CONCEPTS
• Vulnerability – weakness in a countermeasure
• Threat – danger associated with the exploitation of a vulnerability
• Risk – likelihood of the threat exploiting the vulnerability


RISK ASSESSMENT AND ANALYSIS
• Risk Assessment Team – ideally includes representatives from all
stakeholder groups, not just Info Sec and IT personnel.
• Ask the right questions
– What could occur? (Threat)
– What would be the impact? (Risk)
– How often could it happen? (Frequency)
– What level of confidence do we have in the first 3 answers? (Certainty)
– Usually results in a “risk score” so that apples-apples comparisons can
be made between various threat-risk pairs to prioritize responses
RISK RESPONSE
• Uncertainty
– What is the value of the asset or information?
– What is the real threat?
– What are all of the vulnerabilities?
– Disruptive changes
– Non adoption of security & shadow IT

RISK CAN BE
• Transferred
• Avoided
• Reduced
• Accepted
• IGNORED – Risk can never be ignored!

DISCUSSION QUESTION: RISK
1. Give examples of each risk strategy: Transferred, Avoided, Reduced, Accepted

WHICH IS MORE IMPORTANT?
• You cannot protect against every threat
• Impact vs Probability

RISK CATEGORIES
• Inherent – Risk with no controls
• Control – Risk that controls will not work
• Detection – Risk that attacks will not be found
• Residual – Risk left over after controls
RISK ASSESSMENT METHODOLOGIES
• NIST Special Publications (NIST SP 800-37, etc.)
– Holistic approach across the enterprise – mainly focused on technology and operations. Very top down
• Facilitated Risk Analysis Process (FRAP)
– Focused on systems that “really need assessing” – intended for use on a single system, business
process, or application at a time. Intended to control scope and cost of assessment.
• Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
– Methodology developed by Carnegie Mellon University’s Software Engineering Institute where people
manage and direct the risk evaluation for information security within their organization. More bottom-up
• ISO 27005 Information Technology – Security Techniques – Information Security Risk
Management
– Deals with IT and documentation, personnel, security training, etc.
• Failure Modes and Effect Analysis (FMEA)
– Method for identifying functions, functional failures, and assessing causes through a structured process
• Fault tree analysis

RISK MANAGEMENT FRAMEWORK
• RMF steps described in NIST SP 800-37 Revision 1
• Inputs: Architecture Description, Organizational Inputs
• Applied to Information Systems and their Security Controls
– Step 1 CATEGORIZE
– Step 2 SELECT
– Step 3 IMPLEMENT
– Step 4 ASSESS
– Step 5 AUTHORIZE
– Step 6 MONITOR


QUANTITATIVE VS QUALITATIVE
• Quantitative
– Uses numbers, monetary numbers
– Not always easy to put a number on a problem
– Easier to automate
• Qualitative
– Uses labels, High, Medium, Low
– Subjective
– Cannot do cost / benefit analysis



RISK ASSESSMENT COMPONENTS
• Construct numerical scoring system for probability and impacts
– Qualitative or Quantitative
• Use scoring system to gauge
– Impact of threats
– Probability of threat
• Risk = impact * probability
• Get sponsor to sign off on risk priority rankings
• Weigh appropriate measures
• Ensure planned measures do not heighten other risk
• Present findings to management
QUANTITATIVE RISK ASSET VALUATION
• EF (Exposure Factor) – how much of the asset do you lose?
• SLE (Single Loss Expectancy) – Asset Value * Exposure Factor
• ARO (Annual Rate of Occurrence) – how many times per year does it happen?
• ALE (Annual Loss Expectancy) – SLE * ARO = ALE


CONTROL SELECTION
• Based upon cost/benefit analysis, appropriate
controls for implementation can be selected
• Annual Loss Expectancy
– Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF)
– ALE = SLE * Annualized Rate of Occurrence (ARO)
Security and Risk Management 122
STUDY TIP: PERSONALIZE
QUANTITATIVE RISK
• Pick the last piece of electronics you bought personally. Should you protect it? Item: Flat screen TV
• You do cost / benefit analysis in your head all the time
• You know whether the insurance is worth it or not
• If the TV will be outside, the risk is greater than if inside
– Adding a weatherproof cover would be a mitigating control
Security and Risk Management 123
DISCUSSION: ASSET VALUATION
• EF = 100% (When the TV breaks, 100% is lost)
• SLE = $1000 * 100% = $1000 (TV cost $1000)
• ARO = .2 (The TV will last 5 years; 1/5 = .2)
– If the TV is outside it will break sooner, so ARO increases
• ALE = $1000 * .2 = $200 (ALE = ARO * SLE)
If protecting the asset costs more than $200, then you should not protect it
Security and Risk Management 124
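The EF/SLE/ARO/ALE chain and the cost/benefit rule from the last three slides carried through in code, as an added example that is not from the slides: the TV figures are the slide's own, while the outdoor ARO (0.5) and the cover's annual cost ($40) are constructed assumptions. It also expresses the residual risk that remains after a control is applied.

```python
"""Quantitative risk valuation and control selection (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # Asset Value (AV), in dollars


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV * EF, where EF is the fraction of the asset lost per incident."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return av * ef


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO, where ARO is the expected number of incidents per year."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def control_net_benefit(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost/benefit of a control: yearly risk reduction minus the control's yearly cost.

    ale_after is the residual ALE that remains once the control is in place.
    A positive result means the control is worth buying; a negative result
    means the cheaper choice is to accept the risk."""
    return (ale_before - ale_after) - annual_cost


def tv_example() -> dict:
    """Slide figures: $1000 TV, EF 100%, 5-year life -> ARO 0.2 -> ALE $200."""
    tv = Asset("flat screen TV", 1000.0)
    sle = single_loss_expectancy(tv.value, 1.0)    # 1000.0
    ale_inside = annual_loss_expectancy(sle, 0.2)   # 200.0
    # Constructed assumptions (not on the slide): left outdoors the TV fails
    # every two years (ARO 0.5); a $40/year weatherproof cover brings the ARO
    # back down to the indoor figure of 0.2.
    ale_outside = annual_loss_expectancy(sle, 0.5)  # 500.0
    residual_ale = annual_loss_expectancy(sle, 0.2)  # 200.0 once the cover is on
    cover_benefit = control_net_benefit(ale_outside, residual_ale, 40.0)  # 260.0
    return {"sle": sle, "ale_inside": ale_inside, "ale_outside": ale_outside,
            "residual_ale": residual_ale, "cover_net_benefit": cover_benefit}
```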
TANGIBLE AND INTANGIBLE ASSETS
• Tangible (Quantifiable): Computers, Facilities, Networking
• Intangible (Unquantifiable): Data, Intellectual Property, Reputation
Security and Risk Management 125
QUALITATIVE RISK MATRIX EXAMPLE
Severity / Probability   Negligible (1)   Marginal (2)   Critical (3)   Catastrophic (4)
Improbable (1)           Low              Medium         Medium         Medium
Remote (2)               Low              Medium         Medium         Serious
Occasional (3)           Low              Medium         Serious        High
Probable (4)             Medium           Serious        High           High
Frequent (5)             Medium           Serious        High           High
Eliminated (0)
(Side note on the slide: Judgment and Expertise Needed)
Severity * Probability = Impact
Risk managers would assign resources based on the risk acceptance of the organization –
i.e. accept “Low”, prioritize “High” before “Serious” or “Medium”
Security and Risk Management 126
QUALITATIVE METHODS
• Delphi Technique
– Anonymous Group Decision Technique
• Brainstorming
• Interviews and Questionnaires
• Focus Groups and Surveys
• Storyboarding
Security and Risk Management 127
SECURITY CONTROL ASSESSMENT (SCA)
• Conducted before system rollout and annually thereafter
• Re-evaluate after system changes
• Use NIST SP 800-53 as a guide
Security and Risk Management 128
RISK MANAGEMENT IS NEVER COMPLETED
• Total Risk vs Residual Risk
– Threats x vulnerabilities x asset value = total risk
– Total risk – countermeasures = residual risk
• Some inherent risk will always remain, and must be accepted as
part of doing business
• Part of continuous improvement process
• Monitoring, measurement, and reporting of findings should be
included as part of the risk management process
Security and Risk Management 129
RISK MANAGEMENT FRAMEWORKS
• NIST RMF (SP 800-37r1)
• ISO 31000:2018
• ISACA Risk IT
• COSO Enterprise Risk Management – Integrated
Framework
Security and Risk Management 130
COMMON ELEMENTS ACROSS FRAMEWORKS
• Categorize information system
• Select security controls
• Implement selected controls
• Assess security controls
• Authorization to Operate Information System
– Formal acceptance by senior management
• Monitor security controls
– Annual reassessment and reauthorization
Security and Risk Management 131
1.11 UNDERSTAND AND APPLY THREAT
MODELING CONCEPTS & METHODOLOGIES
• Identify Threats
–People: trusted and untrusted
• Determine Potential Attacks
–Social Engineering, Spoofing
• Performing Reduction Analysis
• Technologies and Processes to Remediate Threats
Security and Risk Management 132
Security and Risk Management 133
THREAT MODELING
• Process of describing feasible adverse effects on
assets by threat sources
–What do we have that can be disrupted, degraded,
or destroyed?
–Who would want to exploit it? Why?
–How would such an exploit impact C, I, A?
Security and Risk Management 134
INFORMATION STATES
• Data at rest
• Data in motion
• Data in use
ISO 27000 defines a threat as “a potential cause of an unwanted incident, which may result in harm to a system or organization”
Each information state represents a different threat profile, or a different set of vulnerabilities and potential threat actors.
Typically, different threat modeling would be required for each state.
Security and Risk Management 135
THREAT MODELING APPROACHES
• Attack Trees
– Multiple ways to accomplish a goal
• Reduction Analysis
– Strives to reduce the number of attacks under consideration, or identify controls / countermeasures that can map to multiple attacks
• Risk Assessment and Analysis
– Prioritizing responses to threats by measuring potential impacts of a threat relative to the cost effectiveness of a control
Security and Risk Management 136
1.12 DEVELOP, DOCUMENT, AND IMPLEMENT
SECURITY POLICY, STANDARDS,
PROCEDURES, AND GUIDELINES
• Methods and techniques to present awareness
and training
• Periodic content reviews
• Program effectiveness evaluation
Security and Risk Management 137
SECURITY PROGRAM DESIGN
Security Program should be a top down design:
• Strategic
• Tactical
• Operational
Security and Risk Management 138
1.12 APPLY SUPPLY CHAIN RISK
MANAGEMENT (SCRM) CONCEPTS
Examine:
• Hardware, Software, and Services
• Third Party Reviews
• Minimum Security Requirements
• Service Level Agreements (SLA)
Security and Risk Management 139
SUPPLY CHAIN RISK MANAGEMENT
• In an increasingly “Just In Time” world, supply chain risks have increased in visibility
–Upstream and downstream suppliers
–Hardware
–Software
–Services
• Service Level Agreements
Security and Risk Management 140
THIRD-PARTY RISK
• Cloud computing is an example of third parties
providing core functionality to organizations.
• While operational responsibility is transferred, it is
still the organization’s responsibility to manage
identified risk.
–ISO/IEC 27002:2005, Reference 6.2.1 Identify Risks
Related to the Use of External Parties can be used to
help identify some of these issues.
Security and Risk Management 141
1.13 ESTABLISH AND MAINTAIN A
SECURITY AWARENESS, EDUCATION,
AND TRAINING PROGRAM
• Methods and techniques to present awareness and
training (e.g., social engineering, phishing, security
champions, gamification)
• Periodic content reviews
• Program effectiveness evaluation
Security and Risk Management 142