100% found this document useful (1 vote)

78 views251 pages

InfoSec Full

Uploaded by

Ulkar Mammadova

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

100% found this document useful (1 vote)

78 views251 pages

InfoSec Full

Uploaded by

Ulkar Mammadova

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 251

Information, Cyberspace,

Security
Information risk and cyber risk
Ulvi Yusifov
What is information
• Information is a set of data
which is processed in a
meaningful way according to
the given requirement.
Information is processed,
structured, or presented in a
given context to make it
meaningful and useful.
• Data is a raw and unorganized
fact that required to be
processed to make it
meaningful.
Information management
• CDO – Chief Data Officer is a corporate officer responsible for enterprise-
wide governance and utilization of information as an asset, via data
processing, analysis, data mining, information trading and other means
• Data defense - is about minimizing downside risk. Activities include
ensuring compliance with regulations (such as rules governing data privacy
and the integrity of financial reports), using analytics to detect and limit
fraud, and building systems to prevent theft.
• Data offense - focuses on supporting business objectives such as increasing
revenue, profitability, and customer satisfaction. It typically includes
activities that generate customer insights (data analysis and modeling, for
example) or integrate disparate customer and market data to support
managerial decision making through, for instance, interactive dashboards
Information management
Welcome cyberspace
• Cyberspace, supposedly “virtual” world created by links
between computers, Internet-enabled devices, servers, routers, and other
components of the Internet’s infrastructure.
• The same concept as a physical space:
• Place – “where-type” questions – On which server is a particular website located? To
which email address should we send our message?
• Distance – “how far-type” questions – How many hops between how many different
computers will it take for information to reach the desired destination?
• Size – “how big-type” questions – How much information it contains and how many
links to other sites it includes?
• Route – “navigation-type” questions – Which route or set of connections will be used
to access data for our website?
Welcome cyberspace
• Cyberspace, the interdependent network of information technology
infrastructures, and includes the Internet, telecommunications networks,
computer systems, and embedded processors and controllers in critical
industries.
• Cyberspace consists of four different layers:
• Physical layer – The physical layer consists of the physical devices, such as PCs, networks,
wires, grids, and routers.
• Logic layer – The logic layer is where the platform nature of the Internet is defined and
created.
• Information layer – The information layer includes the creation and distribution of
information and interaction between users.
• Personal layer – The top layer consists of people—people who create websites, tweet, blog,
and buy goods online.
Welcome cyberspace
Change of approach toward security
Change of approach toward security
Security means being free from danger. To be secure is to be protected
from the risk of loss, damage, unwanted modification, or other hazards.
Physical
• Physical security- The protection of physical items, security
objects, or areas from unauthorized access and misuse.
• Operations security- The protection of the details of an
organization's operations and activities.
• Communications security- The protection of all Network Operations
security security
communications media, technology, and content.
• Cyber (or computer) security- The protection of Security
computerized information processing systems and the
data they contain and process. The term cybersecurity is
relatively new, so its use might be slightly ambiguous in
coming years as the definition gets sorted out.
• Network security- A subset of communications security Cyber Communications
security
and cybersecurity; the protection of voice and data security
networking components, connections, and content.
Change of approach toward security
• Security is a process, not an end state.
• Security is the process of maintaining an acceptable level of perceived
risk.
• A security procedure is a set sequence of necessary activities that
performs a specific security task or function.
• Procedures are normally designed as a series of steps to be followed
as a consistent and repetitive approach or cycle to accomplish an end
result.
Questions?
Intoruction to Information
Security
Information risk and cyber risk
Ulvi Yusifov
Information security cases
• The first use of the term “hacker” – A group of 6 teenagers using home
computers, phone lines, and default passwords, was able to break into
approximately 60 high-profile computer systems, including those at the Los
Alamos Laboratories and the Memorial Sloan-Kettering Cancer Center in
New York. While the teenagers themselves did no harm, it was easy for the
industry to see that the simple techniques used by the kids could easily be
replicated by others.
• The first internet worm – Robert Morris, released a 99-line self-replicating
program to measure the size of the then nascent Internet. As a result of a
design feature of the program, it brought down many systems it infected,
and achieved several landmarks in the process. In percentage terms, it is
estimated to have brought down the largest fraction of the Internet ever
(10%).
Information security cases
• ILOVEYOU virus – On May 5, 2000, this virus was released by a student in
the Philippines. The virus deleted images on infected computers and
automatically sent itself as an email attachment to the Outlook contacts list
of infected computers. The virus infected millions of computers worldwide,
and caused billions of dollars in damage.
• Sony PlayStation Network (PSN) – Sony announced that an external
intrusion had compromised its PlayStation Network and Qriocity service,
and that hackers had obtained personal information on the 70 million
subscribers of the network. The company could not rule out the possibility
that credit card numbers may also have been stolen. In response, the
company took the network offline while it tried to ensure that all traces of
the offending software had been removed from the network.
Information security cases
• Retailer attacks – T.J.Maxx reported that its computer systems, which
processed credit card payments, had been breached. On
investigation, it was found that the breach had started a year and a
half ago in July 2005 and over 45 million credit card and debit card
numbers had been stolen. The modus operandi of the group was to
drive along US Route 1 in Miami and seek out an insecure store with
wireless networks to enter the corporate networks. Later the group
improved its methodology and used SQL injection attacks to enter the
networks at Hannaford Brothers and Heartland Payment Systems, a
credit card payments processing company. Over 125 million credit
card numbers were estimated to have been stolen from Heartland,
and the company estimated damages at over $12 million.
Information Security
• Information security is defined as
protecting information and
information systems from
unauthorized access, use,
disclosure, disruption, modification,
or destruction in order to provide
integrity, confidentiality and
availability.
Goal of Information Security
• Confidentiality means preserving authorized restrictions on access and
disclosure, including means for protecting personal privacy and
proprietary information.
• Integrity means guarding against improper information modification
or destruction, and includes ensuring information non-repudiation
and authenticity.
• Availability means ensuring timely and reliable access to and use of
information.
Demand drivers of information security
• Increasing criticality of information to individuals and organizations
and the resulting increase in the amounts of information gathered by
organizations and stored in computer systems for easy retrieval.
• Application vulnerabilities, the constant stream of viruses and worms
reaching organizations, regulations, customer expectations of privacy,
and disgruntled employees.
• Most employees preferred to use their personal smart phones and
tablets to do company work rather than the company-issued phones
that did not have web browsers and other desirable features.
Role of information security analyst
• Plan, implement, upgrade, or monitor security measures for the
protection of computer networks and information. May ensure
appropriate security controls are in place that will safeguard digital
files and vital electronic infrastructure. May respond to computer
security breaches and viruses .
• The primary responsibilities of information security professionals are
to anticipate information related problems and to minimize their
impact.
Capabilities information security analyst
Personal guide to maintaining information
security
• Antivirus : Make sure that you are using antivirus software and that its
subscription is current. Many people can get the software and subscription
for free as part of their ISP subscription or from their employers or school.
• Automating software updates : Wherever possible, configure your
operating system and application software to apply updates automatically.
• Passwords : If possible, use a different password at each site that requires a
password. If this is difficult, at the very least, use two passwords – one for
the “fun” sites such as newsletters, email etc and another for financial
organizations such as banks and brokerages. Never share the financial
password anywhere or with anyone.
Questions?
Introduction to Cyber
Security
Information risk and cyber risk
Ulvi Yusifov
What is Cybersecurity?
• Cybersecurity is the ability to protect or defend the cyberspace user
from cyberattacks.
• Cybersecurity is strategy, policy, and standards regarding the security
of and operations in cyberspace, and encompassing the full range of
threat reduction, vulnerability reduction, deterrence, international
engagement, incident response, resiliency, and recovery policies and
activities, including computer network operations, information
assurance, law enforcement, diplomacy, military, and intelligence
missions as they relate to the security and stability of the global
information and communications infrastructure.
What is Cyber Resiliency?
• The main goal of a cyber resiliency program within an organization is
to develop an array of optimal alternatives for meeting the
organization’s mission if a cyberattack is to occur – to become
resilient from the impacts of a cyberattack.
Information security VS Cybersecurity
Information security VS Cybersecurity
Cybersecurity Framework
Three Primary Components
Core
Desired cybersecurity outcomes organized in a hierarchy
and aligned to more detailed guidance and controls

Profiles
Alignment of an organization’s requirements and
objectives, risk appetite and resources using the desired
outcomes of the Framework Core

Implementation Tiers
A qualitative measure of organizational cybersecurity
risk management practices
Cybersecurity Framework
• Principles of the Framework
• Common and accessible language
• Adaptable to many technologies, lifecycle phases,
sectors and uses
• Risk-based
• Based on international standards
• Living document
• Guided by many perspectives – private sector,
academia, public sector
Cybersecurity Framework
A Business Trip to South America Goes South
• SCENARIO: A 10-person consulting firm sent a small team to South America to complete a client project.
During their stay, an employee used a business debit card at a local ATM. A month after returning to the US,
the firm received overdraft notices from their bank. They identified fraudulent withdrawals of $13,000, all
originating from South America. There was an additional $1,000 overdraft fee.
• ATTACK: The criminals installed an ATM skimmer device to record card account credentials. Many false debit
cards were manufactured and used at ATMs in different cities across South America.
• RESPONSE: Realizing they had been defrauded, the firm contacted their bank and closed the impacted
account immediately. Their attempts to pursue reimbursement from the bank were unsuccessful. The
commercial account used at the ATM for local currency had different protections from consumer accounts
and the bank was not required to reimburse them for their losses. The bank went on to deduct the $1,000
overdraft fee from the firm owner’s personal account. The firm severed ties with that bank. The new bank
offered comprehensive fraud protection guarantees. The firm created two business accounts:
• one for receiving funds and making small transfers
• one for small expense payments
• The firm updated travel protocols, banning the use of company-provided debit cards. Employees now prepay
expenses electronically, pay cash, or use a major credit card, as necessary.
• IMPACT: The entire cash reserve for the small business was wiped out, netting losses of almost $15,000.
A Construction Company Gets Hammered by
A Keylogger
• SCENARIO: A small family-owned construction company made extensive use of online banking and
automated clearing house (ACH) transfers. Employees logged in with both a company and user-specific ID
and password. Two challenge questions had to be answered for transactions over $1,000. The owner was
notified that an ACH transfer of $10,000 was initiated by an unknown source. They contacted the bank and
identified that in just one week cyber criminals had made six transfers from the company bank accounts,
totaling $550,000. How? One of their employees had opened an email from what they thought was a
materials supplier but was instead a malicious email laced with malware from an imposter account.
• ATTACK: Cyber criminals were able to install malware onto the company’s computers, using a keylogger to
capture the banking credentials.
• RESPONSE: The bank was able to retrieve only $200,000 of the stolen money in the first weeks, leaving a loss
of $350,000. The bank even drew over $220,000 on the business’ line of credit to cover the fraudulent
transfers. Not having a cybersecurity plan in place delayed the company response to the fraud. The company
also sought a cybersecurity forensics firm to:
• help them complete a full cybersecurity review of their systems
• identify what the source of the incident was
• recommend upgrades to their security software
• IMPACT: The company shut down their bank account and pursued legal action to recover its losses. The
business recovered the remaining $350,000 with interest. No money for time and legal fees was recovered.
Stolen Hospital Laptop Causes Heartburn
• SCENARIO: A health care system executive left their work-issued laptop, which had access to over
40,000 medical records, in a locked car while running an errand. The car was broken into, and the
laptop stolen.
• ATTACK: Physical theft of an unencrypted device.
• RESPONSE: The employee immediately reported the theft to the police and to the health care
system’s IT department who disabled the laptop’s remote access and began monitoring activity.
The laptop was equipped with security tools and password protection. Data stored on the hard
drive was not encrypted – this included sensitive, personal patient data. The hospital had to
follow state laws as they pertain to a data breach. The U.S. Department of Health and Human
Services was also notified. Personally Identifiable Information (PII) and Protected Health
Information (PHI) data require rigorous reporting processes and standards. After the theft and
breach, the health care system began an extensive review of internal policies; they created a
discipline procedure for employees who violate security standards. A thorough review of security
measures with internal IT staff and ancillary IT vendors revealed vulnerabilities.
• IMPACT: The health care system spent over $200,000 in remediation, monitoring, and operational
improvements. A data breach does impact a brand negatively and trust has to be rebuilt
Hotel CEO Finds Unwelcome Guests in Email
Account
• SCENARIO: The CEO of a boutique hotel realized their business had become the
victim of wire fraud when the bookkeeper began to receive insufficient fund
notifications for regularly recurring bills. A review of the accounting records
exposed a serious problem. At some point a few weeks before, the CEO had
clicked on a link in an email that they thought was from the IRS. It wasn’t. When
they clicked the link and entered their credentials, the cyber criminals captured
the CEO’s login information, giving them full access to intimate business and
personal details.
• ATTACK: Social engineering, phishing attack.
• RESPONSE: The hotel’s cash reserves were depleted. The fraudulent transfers
amounted to more than $1 million. The hotel also contacted a cybersecurity firm
to help them mitigate the risk of a repeat attack.
• IMPACT: The business lost $1 million to an account in China. The funds were not
recovered.
A Dark Web of Issues for A Small Government
Contractor
• SCENARIO: The CEO of a government contracting firm was notified that an auction on
the dark web was selling access to their firm’s business data, which included access to
their military clients database. The CEO rapidly established the data being ‘sold’ was
obsolete, and not tied to any government agency clients. How did this happen? The firm
identified that a senior employee had downloaded a malicious email attachment,
thinking it was from a trusted source.
• ATTACK: A phishing attack where malware is in the attachment of the email.
• RESPONSE: The company’s IT management immediately shut off communications to the
affected server and took the system offline to run cybersecurity scans of the network and
identify any additional breaches. The firm’s leadership hired a reputable cybersecurity
forensics firm. Each potentially impacted government agency was notified. The U.S.
Secret Service assisted in the forensics investigation.
• IMPACT: The operational and financial impact from the breach was extensive – costing
more than $1 million: The company was offline for several days disrupting business; new
security software licenses and a new server had to be set up
Questions?
Threats, Vulnerabilities,
Attack methods
Information risk and cyber risk
Ulvi Yusifov
Threats, Vulnerabilities, Attack methods
What is Cyber Threat?
• Threat is any event or circumstance that has the potential to
adversely affect operations and assets with the potential to create
loss.
• Cyber threat – any circumstance or event with the potential to create
loss by damaging or disrupting a computer network or system.
Categories of Threats
Threat actors
• Script kiddies – they are low-level individuals or groups that
partake in hacking for experimentation purposes or for low-
level crimes.
• Hacktivists – they blend the lines between social activism and
for-profit hacking.
• Organized crime – people involved to this are generally highly
skilled and toward the more mature end of the cyber threat
actor spectrum.
• Nation state – people, whose purpose is largely to conduct
cyber warfare against enemy territories or organizations
representative of enemy territories.
• Insider threats – are threats from within the organization.
• AI-Powered threats – AI enables cybercriminals to breach
security systems in a variety of ways being able to mutate itself
as it learns about the environment.
What is Vulnerability?
• A vulnerability a potential weakness in an asset or its defensive
control system(s).
• A vulnerability as a cybersecurity term refers to a flaw in a system that
can leave it open to attack.
• A vulnerability may also refer to any type of weakness in a computer
system itself, in the information system, system security procedure,
internal control, or process, or in anything that leaves information
exposed to a threat.
Categories of Vulnerabilities
• Buffer Overflows
• Example: An attacker sends data to a program, which it stores in an undersized stack buffer. The result is that information on the call
stack is overwritten, including the function’s return pointer. The data sets the value of the return pointer so that when the function
returns, it transfers control to malicious code contained in the attacker’s data.
• Unvalidated Input
• Example: Attacker tampers with any part of an HTTP request, including the URL, query string, headers, cookies, form felds, and
hidden felds, to try to bypass the sites security mechanisms.
• Race Conditions – A faw that produces an unexpected result when the timing of actions impacts other actions.
• Example: When the timing of actions impacts other actions, events may happen out of sequence, resulting in anomalous behavior.
• Access Control Issues – Access control governs decisions and processes of determining, documenting, and managing the
subjects (users, devices, or processes) that should be granted access and the objects to which they should be granted
access; essentially, what is allowed.
• Weakness in Authentication, Authorization, or Cryptographic Practices
• Example: Passwords that can be brute forced (passwords that can be guessed using random word generators and tried repeatedly),
encryption standards that have been proven unreliable.
Relationship Between Threats and
Vulnerability
What is Cyberattack?
• An attack is an intentional or unintentional act that can damage or
otherwise compromise information and the systems that support it.
• A cyber attack is an assault launched by cybercriminals using one or
more computers against a single or multiple computers or networks.
• A cyber attack can maliciously disable computers, steal data, or use a
breached computer as a launch point for other attacks.
Types of Cyberattack
• Malware – a term used to describe any malicious software, including spyware,
ransomware, Trojan horses, viruses, worms, and rootkits. It is specifically
designed to disrupt, damage, or gain unauthorized access.
• Ransomware – a type of malware attack, has been a focus of executives due to
several high-profle attacks. Once ransomware is into a corporate environment, it
spreads from machine to machine corrupting fles and encrypting the contents of
hard drives, thereby rendering the devices useless – a concept known as
“bricking” the device. The interesting aspect about ransomware, as the name
implies, is the opportunity for the perpetrators to pay a ransom.
• Phishing – the practice of sending fraudulent communications that appear to
come from a reputable source, usually through email. The attacker can also
replicate a commonly used website, such as a bank or other service provider. The
objective is to capture the user’s personal information such as passwords, credit
card numbers, etc.
Types of Cyberattack
• Man-in-the-Middle (MitM) attacks – These are also known as
eavesdropping or hijacking. In this case, the attackers insert
themselves into a two party transaction or communication. Once the
attackers interrupt the traffic without detection, they can steal and
alter the communication, relaying bogus information.
• Denial-of-Service (DoS) attack – In a DoS attack, the attacker usually
sends excessive messages asking the network or server to
authenticate requests that have invalid return addresses. In this
manner, the attackers attempt to prevent legitimate users from
accessing the service.
Types of Cyberattack
• Structured Query Language (SQL) injection – A SQL injection occurs
when an attacker inserts malicious code into a server that uses SQL
and forces the server to reveal information it normally would not by
inserting nefarious SQL statements into an entry feld for execution.
• Zero-Day exploit – A zero-day exploit hits after a network vulnerability
is announced but before a patch or solution is implemented by the
developer or vendor. Attackers target the disclosed vulnerability
during this short window of time. It is called a zero-day exploit as the
developers have zero days and zero time to fix the bug.
Questions?
Information Security
Management System
Information risk and cyber risk
Ulvi Yusifov
Components of Information Security
CNSS Security Model
Governance
• The set of responsibilities and practices exercised by the board and
executive management with the goal of providing strategic direction,
ensuring that objectives are achieved, ascertaining that risks are
managed appropriately, and verifying that the enterprise's resources
are used responsibly.
InfoSec Management System
Blueprint for resolving operational problems

Select,
Implement,
Analyze and and Evaluate
Compare
Develop Possible
Possible Solutions
Gather Facts Solutions
and Make
Recognize Assumptions
and Define
the Problem
Feasibilities of Possible Solutions
• Economic feasibility - Comparing the costs and benefits of a possible
solution with other possible solutions.
• Technological feasibility- Assessing the organization's ability to
acquire the technology needed to implement a particular solution.
• Behavioral feasibility - Assessing the likelihood that subordinates will
adopt and support a particular solution rather than resist it.
• Operational feasibility - Assessing the organization's ability to
integrate a particular solution into its current business processes.
The six Ps of InfoSec Management
• Planning – activities necessary to support the design, creation, and
implementation of InfoSec strategies within the planning environments of
all organizational units, including IT.
• Policy – Guidelines that dictate certain behavior within the organization.
• Enterprise Information Security Policy (EISP)- Developed within the context of the
strategic IT plan, this sets the tone for the InfoSec department and the InfoSec
climate across the organization. The CISO typically drafts the program policy, which is
usually supported and signed by the CIO or the CEO.
• Issue -Specific Security Policies {ISSPs)-These are sets of rules that define acceptable
behavior within a specific organizational resource, such as e-mail or Internet usage.
• System-Specific Policies (SysSPs) - A merger of technical and managerial intent,
SysSPs include both the managerial guidance for the implementation of a technology
as well as the technical specifications for its configuration.
The six Ps of InfoSec Management
• Programs – InfoSec operations that are specifically managed as separate
entities are called programs.
• Protection – The protection function is executed via a set of risk
management activities, as well as protection mechanisms, technologies,
and tools.
• People – This area encompasses security personnel (the professional
information security employees), the security of personnel (the protection
of employees and their information), and aspects of the security education
training and awareness (SETA) program.
• Projects – Whether an InfoSec manager is asked to roll out a new security
training program or select and implement a new firewall, it is important
that the process be managed as a project.
Principles of Information Security
Management System
• Awareness of the need for information security;
• Assignment of responsibility for information security;
• Incorporating management commitment and the interests of stakeholders;
• Enhancing societal values;
• Risk assessments determining appropriate controls to reach acceptable levels of
risk;
• Security incorporated as an essential element of information networks and
systems;
• Active prevention and detection of information security incidents;
• Ensuring a comprehensive approach to information security management;
• Continual reassessment of information security and making of modifications as
appropriate.
Organizational structure of information
security management system
Executive Committee
Chaired by the Chief
Executive Officer

Audit Committee Security Committee Risk Committee

Chaired by Head of Chaired by Chief Chaired by Risk
Audit Security Officer CSO Manager

Local Security
Information Security Committees
Manager
One per location

Security Information Asset

Policy & Compliance
Administration Owners (IAOs)

Risk & Contingency Site Security

Security Operations
Management Managers

Facilities
Security Guards
Management
Questions?
Information Security
Regulations
Information risk and cyber risk
Ulvi Yusifov
Ethics in information security
• Ethics – the branch of philosophy that considers nature, criteria, sources, logic,
and the validity of moral judgment.
• Ethics may be seen as the organized study of how humans ought to act a set of
rules we should live by.
• Traditional foundations and frameworks of ethics include the following:
• Normative ethics-The study of what makes actions right or wrong, also known as moral
theory that is, how should people act?
• Meta-ethics-The study of the meaning of ethical judgments and properties that is, what is
right?
• Descriptive ethics-The study of the choices that have been made by individuals in the past
that is, what do others think is right?
• Applied ethics-An approach that applies moral codes to actions drawn from realistic
situations; it seeks to define how we might use ethics in practice.
• Deontological ethics- The study of the rightness or wrongness of intentions and motives as
opposed to the rightness or wrongness of the consequences; also known as duty-based or
obligation-based ethics. This approach seeks to define a person's ethical duty.
Deterring Unethical and Illegal Behavior
• Deterrence – the act of attempting to prevent an unwanted action by threatening punishment or
retaliation on the instigator if the act takes place.
• It is the responsibility of InfoSec personnel to deter unethical and illegal acts, using policy,
education and training, and technology as controls or safeguards, in order to protect the
organization's information and systems.
• Three general categories of unethical behavior:
• Ignorance - Ignorance of the law is no excuse, but ignorance of policies and procedures is. The first method of
deterrence is the security education training and awareness (SETA) program. Organizations must design,
publish, and disseminate organizational policies and relevant laws, and employees must explicitly agree to
abide by them.
• Accident - Individuals with authorization and privileges to manage information within the organization have
the greatest opportunity to cause harm or damage by accident. Careful placement of controls can help
prevent accidental modification or damage to systems and data.
• Intent - Criminal or unethical intent refers to the state of mind of the individual committing the infraction. A
legal defense can be built on whether the accused acted out of ignorance, by accident, or with the intent to
cause harm or damage. Deterring those with criminal intent is best done by means of litigation, prosecution,
and technical controls. Intent is only one of several factors to consider when determining whether a
computer-related crime has occurred.
Deterring Unethical and Illegal Behavior
• Laws and policies and their associated penalties only deter if three
conditions are present.
• Fear of penalty- Threats of informal reprimand or verbal warnings may not
have the same impact as the threat of termination, imprisonment, or
forfeiture of pay.
• Probability of being caught- There must be a strong possibility that
perpetrators of illegal or unethical acts will be caught.
• Probability of penalty being administered- The organization must be willing
and able to impose the penalty.
Standards related to information security
• ISO/IEC 27000 — Information security management systems — Overview and vocabulary
• ISO/IEC 27001 — Information technology - Security Techniques - Information security management systems
— Requirements. The 2013 release of the standard specifies an information security management system in
the same formalized, structured and succinct manner as other ISO standards specify other kinds of
management systems.
• ISO/IEC 27002 — Code of practice for information security controls - essentially a detailed catalog of
information security controls that might be managed through the ISMS
• ISO/IEC 27003 — Information security management system implementation guidance
• ISO/IEC 27004 — Information security management — Monitoring, measurement, analysis and evaluation
• ISO/IEC 27005 — Information security risk management
• ISO/IEC 27006 — Requirements for bodies providing audit and certification of information security
management systems
• ISO/IEC 27007 — Guidelines for information security management systems auditing (focused on auditing the
management system)
• The NIST Cybersecurity Framework (NIST CSF) "provides a high level taxonomy of cybersecurity outcomes
and a methodology to assess and manage those outcomes.
Players of information security guidelines base
• Information Systems Audit and Control Association (ISACA) – is a
professional association with a focus on auditing, control, and
security. ISACA focuses on providing IT control practices and
standards.
• Information Systems Security Association (ISSA) - is a nonprofit
society of InfoSec professionals. Its primary mission is to bring
together qualified practitioners of InfoSec for information exchange
and educational development. ISSA provides conferences, meetings,
publications, and information resources to promote InfoSec
awareness and education.
Players of information security guidelines base
• International Information Systems Security Certification
Consortium, Inc. (ISC)2 - is a nonprofit organization that focuses on
the development and implementation of InfoSec certifications and
credentials. This organization manages a body of knowledge on
InfoSec and administers and evaluates examinations for InfoSec
certifications.
• SANS - Founded in 1989, SANS (www.sans.org) is a professional
research and education cooperative organization. The organization,
which enjoys a large professional membership, is dedicated to the
protection of information and systems.
Standards Versus Law
• A variety of groups have created standards that offer guidance on
how information security could or should be applied to industry
segments or geographic areas. Some industries have security
requirements defined at least in part by government regulations;
banking, health care, and education come to mind, as well as their
regulations‘ acronyms, such as FFIEC, HIPAA, FERPA, and SOX. Other
industries impose binding requirements on themselves that include
significant enforcement mechanisms- for example, the credit card
processing requirements from the Payment Card Industry Security
Standards Council.
Policy Versus Law
• The key difference between policy and law is that while ignorance of
the law is not an excuse (ignorantia juris non excusat), ignorance of
policy is a viable defense, and therefore policies must be:
• Distributed to all individuals who are expected to comply with them
• Read by all employees
• Understood by all employees, with multilingual translations and translations
for visually impaired or low-literacy employees
• Acknowledged by the employee, usually by means of a signed consent form
• Uniformly enforced, with no special treatment for any group (e.g., executives)
Payment Card Industry Data Security Standard
(PCI DSS)
Secure Network and
Systems Development •Firewall installation and operation (protection of cardholder data)
•Modification of default system passwords and configurations
and Maintenance

Cardholder Data •General protection of cardholder data storage

Protection •Use of encryption when transmitting cardholder data across open, public networks

Vulnerability PCI DSS includes three sets of documents:

Management Program •Use of maintained and updated malware and anti-virus protection
•Secure systems and application development and maintenance • PCI DSS Requirements and Security
Maintenance Assessment Procedures {the Standard)
• PCI DSS Self-Assessment (self-administered
Strong Access Control surveys to determine status of
•Use of need-to-know access controls for cardholder data
compliance), and documents for
Measure •Formal access controls for system components emphasizing effective identification and
authentication procedures attestation of compliance
Implementation •Management of physical security for cardholder data access
• PCI DSS support documents, which include
"Navigating PCI DSS: Understanding the
Intent of the Requirements"; the PCI DSS
Network Monitoring •Network resources and cardholder data monitored, tracked, and audited n. Security systems Glossary, Abbreviations, and Acronyms;
and processes periodically tested Information Security Policy Maintenance
and the PCI DSS Quick Reference Guide
and Testing •Effective and comprehensive information security policy developed and implemented for all
personnel
(ISC)2
CISSP Certified Information Systems Security Professional
ISSAP Information Systems Security Architecture Professional

ISSEP Information Systems Security Engineering Professional

ISSMP Information Systems Security Management Professional

SSCP Systems Security Certified Practitioner

CAP Certified Authorization Professional
CCFP Certified Cyber Forensics Professional
CCSP Certified Cloud Security Professional
HCISPP Health Care Information Security and Privacy Practitioner
Associate of (ISC)2 A professional that has passed one of the previous certifications but lacks the experience to receive the
credential
ISACA
CISM Certified Information Security Manager
CGEIT Certified in the Governance of Enterprise IT
CRISC Certified in Risk and Information Systems Control
CISA Certified Information Systems Auditor
SANS Institute
GIAC
GSLC GIAC Security Leadership Certification

GISP GIAC Information Security Professional

GCPM GIAC Certified Project Manager Certification

GLEG GIAC Law of Data Security & Investigations

GSNA GIAC Systems and Network Auditor

GSE GIAC Security Expert
EC-Council
C | CISO Certified CISO
E | ISM Information Security Manager Certification
Questions?
Information Security
Management Procedure
Information risk and cyber risk
Ulvi Yusifov
What is information security program?
• Information security program – the entire set of activities, resources,
personnel, and technologies used by an organization to manage the
risks to its information assets.
Elements of a Security Program
Primary Element Components
Policy Program policy, issue-specific policy, system-specific policy
Program management Central security program, system-level program
Risk management Risk assessment, risk mitigation, uncertainty analys is
Life-cycle planning Security plan, initiation phase, development/acquisition phase,
implementation phase, operation/maintenance phase
Personnel/user issues Staffing, user administration
Preparing for contingencies and Business plan, identify resources, develop scenarios, develop strategies,
disasters test and revise plan
Computer security incident handling Incident detection, reaction, recovery, follow-up
Awareness and training SETA plans, awareness projects, policy and procedure training
Security considerations in computer Help desk integration, defending against social engineering, improving
support and operations system administration
Physical and environmental security Guards, gates, locks and keys, alarms
Identification and authentication Identification, authentication, passwords, advanced authentication
Logical access control Access criteria, access control mechanisms
Audit trails System logs, log review processes, log consolidation and management
Cryptography TKI, VPN, key management, key recovery
An information security program chain
Components of security program
Components of security program
Seven Security work Domains
• Securely provision - Conceptualizes, designs, and builds secure IT systems, with
responsibility for aspects of systems and/or networks development.
• Operate and maintain - Provides the support, administration, and maintenance
necessary to ensure effective and efficient IT system performance and security.
• Investigate - Investigates cybersecurity events or crimes related to IT systems, networks,
and digital evidence.
• Protect and defend - Identifies, analyzes, and mitigates threats to internal IT systems
and/or networks.
• Collect and operate - Provides specialized denial and deception operations and collection
of cybersecurity information that may be used to develop intelligence.
• Analyze - Performs highly specialized review and evaluation of incoming cybersecurity
information to determine its usefulness for intelligence.
• Oversee and govern - Provides leadership, management, direction, or development and
advocacy so the organization may effectively conduct cybersecurity work.
Framework of Security Education, Training,
and Awareness
Awareness Training Education
Attribute Seeks to teach members of the Seeks to train members of the Seeks to educate members of
organization what security is and organization how they should react the organization as to why it has
what the employee should do in anc respond when threats are prepared in the way it has and
some situations encountered in specified situations why the organization reacts in
the ways it does
Level Offers basic information about Offers more detailed knowledge about Offers the background and
threats and responses detecting threats and teaches skills depth of knowledge to gain
needed for effective reaction. insight into how processes are
developed and enables ongoing
improvement
Objective Members of the organization can Members of the organization can Members of the organization
recognize threats and formulate mount effective responses using can engage in active defense and
simple response learned skills use understading of the
organization’s objectives to
make continuous improvement
Teaching methods • Media videos • Formal training • Theoretical instruction
• Newsletters • Workshops • Discussions/seminars
• Posters • Hands-on practice • Background reading
• Informal training
Assessment True/false or multiple choise(identify Problem solving(apply learning) Essay (interpret learning)
learning)

Impact timeframe Short-term Intermediate Long-term

CISO – place in a organizational structure
• In a separate group reporting directly to the CEO/president - In this option,
the CISO and security group would be independent and equally
represented in the top executive's strategic C-level council. Most
commonly seen in larger organizations.
• Under a division/department with no conflict of interest - Here the CISO
and security group are placed into a larger division for administrative
purposes, and selected to ensure there are no conflicts like those described
with IT earlier. Most commonly seen in mid- to-large organizations.
• As an additional duty for an existing manager/executive - Most commonly
seen in smaller organizations; here the CISO or simply the security manager
may also be the IT manager.
Functions Needed to Implement InfoSec
Program
Function Description Comments

Risk assessment Identifies and evaluates the risk present in IT initiatives and/or systems This function includes identifying the sources of risk and may include
offering advice on controls that can reduce risk.
Risk management Implements or oversees use of controls to reduce risk This function is often paired with risk assessment.

Systems testing Evaluates patches used to close software vulnerabilities and acceptance testing of This function is usually part of the incident response and/or risk
new systems to assure compliance with policy and effectiveness management functions.
Policy Maintains and promotes lnfoSec policy across the organization This function must be coordinated with organization-wide policy
processes.
Legal assessment Maintains awareness of planned and actual laws and their impact, and This function is almost always external to the lnfoSec and IT
coordinates with outside legal counsel and law enforcement agencies departments.
Incident response Handles the initial response to potential incidents, manages escalation of actual This function often spans other functions and is drawn from multiple
incidents, and coordinates the earliest responses to incidents and disasters departments. It should include middle management to manage
escalation processes.
Planning Researches, creates, maintains, and promotes lnfoSec plans; often takes a project This function must coordinate with organization-wide policy processes.
management approach to planning as contrasted with strategic planning for the
whole organization
Measurement Uses existing control systems (and perhaps specialized data collection systems) to Managers rely on timely and accurate statistics to make informed
measure all aspect s of the lnfoSec environment decisions.
Functions Needed to Implement InfoSec
Program
Function Description Comments

Compliance Verifies that system and network administrators repair identified This function poses problems for good customer service because it is
vulnerabilities promptly and correctly difficult to be customer focused and enforce compliance at the same
time.
Centralized authentication Manages the granting and revocation of network and system credent This function is often delegated to the help desk or staffed in
ials for all members of the organization conjunction (and colocated) with the help desk function.
Systems security administration Administers the configuration of computer systems, which are often Many organizations may have originally assigned some security
organized into groups by the operating system they run functions to these groups outside of the lnfoSec function. This can be
a source of conflict when organizations
update their lnfoSec programs.
Training Trains general staff in lnfoSec topics, IT staff in specialized technical Some or all of this function may be carried out in conjunction with the
controls, and internal lnfoSec staff in specialized areas of lnfoSec, corporate training department.
including both technical and managerial topics
Network security administration Administers configuration of computer networks; often organized Many organizations may have originally assigned some security
into groups by logical network area (i.e., WAN, LAN, DMZ) or functions to groups outside of the lnfoSec function, which may require
geographic location close coordination or reassignment.
Vulnerability assessment (VA) Locates exposure within information assets so these vulnerabilities VA is sometimes performed by a penetration testing team or ethical
can be repaired before weaknesses are exploited hacking unit. This function is often outsourced to specialists hired as
consultants that test systems controls to find weak spots. They are
sometimes known as "red teams" or "tiger teams."
Grouping functions by responsibilities
1) Functions performed by nontechnology business units outside the IT area of management control, such as:
• Legal
• Training

2) Functions performed by IT groups outside the InfoSec area of management control, such as:
• Systems security administration
• Network security administration
• Centralized authentication

3) Functions performed within the InfoSec department as a customer service to the organization and its external partners, such as:
• Risk assessment
• Systems testing
• Incident response planning
• Disaster recovery planning
• Performance measurement
• Vulnerability assessment

4) Functions performed within the InfoSec department as a compliance enforcement obligation, such as:
• Policy
• Compliance/audit
• Risk management
Questions?
Risk identification and
measurement
Information risk and cyber risk
Ulvi Yusifov
Risk Management Framework
• Enterprise risk management (ERM) – evaluation and reaction to risk
to the entire organization.
• RM framework – overall structure of the strategic planning and design
for the entirety of the organization's RM efforts.
• RM process – identification, analysis, evaluation, and treatment of
risk to information assets, as specified in the RM framework.
• Risk is the likelihood that a loss will occur.
• Losses occur when a threat exposes a vulnerability.
Risk Management Framework
Information Security Risk Management
Framework
Information Security Risk Management
Framework
• Categorize the system and the information processed, stored, and transmitted by that system based on an
impact analysis.
• Select an initial set of baseline security controls for the system based on the security categorization;
tailoring, and supplementing the security control baseline as needed based on organization assessment of
risk and local conditions.
• Implement the security controls and document how the controls are deployed within the system and
environment of operation.
• Assess the security controls using appropriate procedures to determine the extent to which the controls are
implemented correctly, operating as intended, and producing the desired outcome with respect to meeting
the security requirements for the system.
• Authorize system operation based upon a determination of the risk to organizational operations and assets,
individuals, other organizations and the Nation resulting from the operation of the system and the decision
that this risk is acceptable.
• Monitor and assess selected security controls in the system on an ongoing basis including assessing security
control effectiveness, documenting changes to the system or environment of operation, conducting security
impact analyses of the associated changes, and reporting the security state of the system to appropriate
organizational officials.
Risk Management Framework Elements
• Residual risk – risk to information assets that remains even after current
controls have been applied.
• Risk appetite – quantity and nature of risk that organizations are willing to
accept as they evaluate the trade-offs between perfect security and
unlimited accessibility.
• Risk appetite statement – formal document developed by the organization
that specifies its overall willingness to accept risk to its information assets,
based on a synthesis of individual risk tolerances.
• Risk tolerance – assessment of the amount of risk an organization is willing
to accept for a particular information asset, typically synthesized into the
organization's overall risk appetite.
Assessment of risks
Risk Management Framework Elements
• Risk identification – recognition, enumeration, and documentation of risks
to an organization's information assets.
• Information asset – Within the context of risk management, any collection,
set, or database of information or any asset that collects, stores, processes,
or transmits information of value to the organization.
• Data classification scheme – A formal access control methodology used to
assign a level of confidentiality to an information asset and thus restrict the
number of people who can access it.
• Threat assessment – evaluation of the threats to information assets,
including a determination of their likelihood of occurrence and potential
impact of an attack.
Risk identification techniques
• Risk identification begins with the process of self-examination
• Identify the organization's information assets,
• Classify them
• Categorize them into useful groups, and
• Prioritize them by overall importance
Steps for Risk Identification

Estimate the
Identify likelihood of a
Identify threats
vulnerabilities threat exploiting
a vulnerability
Threats Organization Faces
• Five types of threats that nearly every organization faces:
• Unauthorized access – This can be both adversarial and non adversarial in nature,
potentially occurring from an attack, malware or even just employee error.
• Misuse of information by authorized users – This is typically an insider threat that
can occur when data is altered, deleted, or used without approval.
• Data leaks/accidental exposure of PII – Personal Identifying Information (PII) is
considered breached anytime it is altered, deleted, or disclosed to an
unauthorized party.
• Loss of data – It occurs when an organization loses or accidentally deletes data as
a result of a botched backup or poor replication.
• Service/productivity disruptions – It occurs when services and operations are
interrupted.
Sources of Loss
• Loss of confidentiality—Someone sees your password or a company’s “secret formula.”
• Loss of integrity—An e-mail message is modified in transit, a virus infects a file, or someone
makes unauthorized changes to a Web site.
• Loss of availability—An e-mail server is down and no one has e-mail access, or a file server is
down so data files aren’t available.
• Categories of threats:
• External or internal - External threats are outside the boundary of the organization. They can also be thought
of as risks that are outside the control of the organization. Internal threats are within the boundary of the
organization. They could be related to employees or other personnel who have access to company resources.
Internal threats can be related to any hardware or software controlled by the business.
• Natural or man-made—Natural threats are often related to weather such as hurricanes, tornadoes, and ice
storms. Earthquakes and tsunamis are also natural threats. A human or manmade - threat is any threat from a
person. Any attempt to sabotage resources is a manmade threat. Fire could be manmade or natural
depending on how the fi re is started.
• Intentional or accidental—Any deliberate attempt to compromise confidentiality, integrity, or availability is
intentional. Employee mistakes or user error are accidental threats. A faulty application that corrupts data
could be considered accidental.
Sources to Identify Vulnerabilities
• Audits—Many organizations are regularly audited. Systems and processes are checked to verify a company complies with existing
rules and laws. At the completion of an audit, a report is created. These reports list findings which directly relate to weaknesses.
• Certification and accreditation records—Several standards exist to examine and certify IT systems. If the system meets the
standards, the IT system can be accredited. The entire process includes detailed documentation. This documentation can be
reviewed to identify existing and potential weaknesses.
• System logs—Many types of logs can be used to identify threats. Audit logs can determine if users are accessing sensitive data.
Firewall logs can identify traffic that is trying to breach the network. Firewall logs can also identify computers taken over by
malware and acting as zombies. DNS logs can identify unauthorized transfer of data.
• Prior events—Previous security incidents are excellent sources of data. As evidence of risks which already occurred, they help
justify controls. They show the problems that have occurred and can show trends. Ideally, weaknesses from a security incident will
be resolved right after the incident. In practice, employees are sometimes eager to put the incident behind them and forget it as
soon as possible. Even if documentation doesn’t exist on the incident, a few key questions can uncover the details.
• Trouble reports—Most companies use databases to document trouble calls. These databases can contain a wealth of information.
With a little bit of analysis, you can use them to identify trends and weaknesses.
• Incident response teams—Some companies have incident response teams. These teams will investigate all the security incidents
within the company. You can interview team members and get a wealth of information. These teams are often eager to help
reduce risks.
Threat and Vulnerability Pairs
Risk identification techniques
Risk identification techniques
Risk identification techniques
Assessment of risks
• Impact – understanding of the potential consequences of a successful
attack on an information asset by a threat.
• Likelihood – probability that a specific vulnerability within an
organization will be attacked by a threat.
• Risk analysis – determination of the extent to which an organization's
information assets are exposed to risk.
• Uncertainty – state of having limited or imperfect knowledge of a
situation, making it less likely that organizations can successfully
anticipate future events or outcomes.
Risk Management Framework
Risk Likelihood and Impact
Risk Rating Worksheet and Risk Rating Matrix
Tools for risk measurement
Threats – Vulnerabilities – Assets
Assessment Controls
Tools for risk measurement
Questions?
Risk identification and
measurement
Information risk and cyber risk
Ulvi Yusifov
Risk Management Framework
• Enterprise risk management (ERM) – evaluation and reaction to risk
to the entire organization.
• RM framework – overall structure of the strategic planning and design
for the entirety of the organization's RM efforts.
• RM process – identification, analysis, evaluation, and treatment of
risk to information assets, as specified in the RM framework.
• Risk is the likelihood that a loss will occur.
• Losses occur when a threat exposes a vulnerability.
Risk Management Framework
Information Security Risk Management
Framework
Information Security Risk Management
Framework
• Categorize the system and the information processed, stored, and transmitted by that system based on an
impact analysis.
• Select an initial set of baseline security controls for the system based on the security categorization;
tailoring, and supplementing the security control baseline as needed based on organization assessment of
risk and local conditions.
• Implement the security controls and document how the controls are deployed within the system and
environment of operation.
• Assess the security controls using appropriate procedures to determine the extent to which the controls are
implemented correctly, operating as intended, and producing the desired outcome with respect to meeting
the security requirements for the system.
• Authorize system operation based upon a determination of the risk to organizational operations and assets,
individuals, other organizations and the Nation resulting from the operation of the system and the decision
that this risk is acceptable.
• Monitor and assess selected security controls in the system on an ongoing basis including assessing security
control effectiveness, documenting changes to the system or environment of operation, conducting security
impact analyses of the associated changes, and reporting the security state of the system to appropriate
organizational officials.
Risk Management Framework Elements
• Residual risk – risk to information assets that remains even after current
controls have been applied.
• Risk appetite – quantity and nature of risk that organizations are willing to
accept as they evaluate the trade-offs between perfect security and
unlimited accessibility.
• Risk appetite statement – formal document developed by the organization
that specifies its overall willingness to accept risk to its information assets,
based on a synthesis of individual risk tolerances.
• Risk tolerance – assessment of the amount of risk an organization is willing
to accept for a particular information asset, typically synthesized into the
organization's overall risk appetite.
Assessment of risks
Risk Management Framework Elements
• Risk identification – recognition, enumeration, and documentation of risks
to an organization's information assets.
• Information asset – Within the context of risk management, any collection,
set, or database of information or any asset that collects, stores, processes,
or transmits information of value to the organization.
• Data classification scheme – A formal access control methodology used to
assign a level of confidentiality to an information asset and thus restrict the
number of people who can access it.
• Threat assessment – evaluation of the threats to information assets,
including a determination of their likelihood of occurrence and potential
impact of an attack.
Risk identification techniques
• Risk identification begins with the process of self-examination
• Identify the organization's information assets,
• Classify them
• Categorize them into useful groups, and
• Prioritize them by overall importance
Steps for Risk Identification

Upon completion of this material, you should be able to:

Discuss the strategy options used to treat risk and be prepared to select
from them when given background information

Evaluate control alternatives under the defense risk treatment strategy

and formulate a cost-benefit analysis (CBA) using existing conceptual
frameworks

Explain how to maintain and perpetuate controls

Describe popular methodologies used in the industry to manage risk

. Case Opener
Iris went into the manager's lounge to get a soda. As she was leaving, she saw Jane
Harris- the accounting supervisor at Random Widget Works, Inc. (RWW)- at a table, poring
over a spreadsheet that Iris recognized.
"Hi, Jane," Iris sa id. "Can I join you?"
"Sure, Iris," Jane said. "Perhaps you can help me with this form Mike wants us to fi ll out."
Jane was working on the asset valuation worksheet that Iris had designed to be
completed by a II RWW managers. The worksheet listed all of the information assets in Jane's
department. Mike Edwards had asked each manager to provide three values for each item: its
tota l cost of ownership (including creation and maintenance costs), its estimated replacement
value, and its ranked criticality to the company's m ission, with the most important item being
ranked number one. Mike hoped that Iris and the rest of the risk management team could
use the data to build a consensus about the relative importance of various assets.
CHAPTER 7 Risk Management: Treating Risk

"What's the problem?'' Iris asked.

"I understand these first two columns. But how am I supposed to decide what's the most
important?''
"Well," Iris began, "with your accounting background, you could base your answers on
some of the data you collect about each of these information assets. For this quarter, what's
mo re important to senior management-revenue or profitability?"
"Profitability is almost always more important," Jane replied. "We have some projects that
generate lots of revenue but operate at a loss."
"Well, there you go," Iris said. "Why not calculate the profitability margin for each listed
item and use that to rate and rank them?"
"Okay, Iris. Thanks for the idea," Jane said. She then started making notes on her copy of
the form .

Introduction to Risk Treatment

In the early days of information technology (IT), corporations used IT systems to
gain advantages over their competition. Managers discovered that establishing a
competitive business model, method, or technique based on superior IT allowed an
organization to provide a product or service that was superior in some decisive way,
thus creating a competitive advantage. But this is seldom true today. The current IT
industry has evolved from this earlier model to one in which almost all competitors
operate using similar levels of automation. Because competitive technology is now
readily available, almost all organizations are willing to make the investment to react
quickly to changes in the market. In today's highly competitive environment, managers
realize that investing in IT systems at a level that merely maintains the status quo is
no longer sufficient to gain a competitive advantage. In fact, even the implementation
of new technologies does not necessarily enable an organization to gain or maintain
a competitive lead. Instead, the concept of competitive disadvantage has emerged
as a critical factor as organizations strive not to fall behind technologically. Effective
IT- enabled organizations now quickly absorb emerging technologies, not to gain or
maintain th e traditional competitive advantage, but to avoid the possibility of losing
market share when faltering systems make it impossible to maintain the current
standard of service.
In 2.003, the Harvard Business Review published a widely discussed article by
Nicholas Carr titled "IT Doesn't Matter:· After almost 15 years of discussion following
a firestorm of initial controversy, many think his fundamental premise has been
vindicated. The argument he proposed was that the strategic value of IT to businesses
was not as significant as most would believe because IT capability was becoming
increasingly commoditized. Carr reportedly assessed his own efforts as getting some
of it right and some of it wrong.' He correctly anticipated the commoditization of basic
service-witness the cloud computer services that are now widely used. He was not
I
CHAPTER 7 Risk Management: Tr eati ng Risk 367

quite as prescient when forecasting the declining role of IT staff and management, who
are as busy as ever addressing cloud strategies, mobility issues, the Internet of things
(IoT), and the challenge of harnessing social media.
To remain competitive, rather than simply deploying and managing their
computing infrastructure, organizations must design and create a secure environment
in which business processes and procedures can function and evolve effectively. This
environment must maintain confidentiality and privacy and assure the integrity and
availability of organizational data. These objectives are met via the application of the
principles of risk management.
As shown in Figure 7-1, after the risk management (RM) process team has
identified, analyzed, and evaluated the level of risk currently inherent in its
information assets (risk assessment), it then must treat the risk that is deemed
unacceptable when it exceeds its risk appetite. As risk treatment begins, the
organization has a list of information assets with currently unacceptable levels of
risk; the appropriate strategy must be selected and then applied for each asset. In this
chapter, you will learn how to assess risk treatment strategies, estimate costs, weigh
the relative merits of the available alternatives, and gauge the benefits of various
treatment approaches.

+ I
Process preparation - "

~------ - - - - - -,
I Risk I
I assessment I .,;:
..,c
0 I
Risk identif ication I ·-.,>
I I ~

"'c
v
::,
I
I
I
I "'c
·.::
"'
E
Framework - E .' Risk analysis ' - 0
team 0
v I I ·-c ~

0
~ I I E
I I ~
~ Risk evaluation
~
~
a. l I
~

I _ _____ j I a.
L-----
I
Risk treatment I
..
Figure 7-1 The risk management process: r isk treatment

Treating risk begins with an understanding of what risk treatment strategies are
and how to formulate them. The chosen strategy may include applying additional
or newer controls to some or all of the assets and vulnerabilities found in the tables
prepared in Chapter 6. This chapter explores a variety of treatment approaches and
CHAPTER 7 Risk Management: Treating Risk

then discusses how such approaches can be categorized. It also explains the critical
concepts of cost-benefit analysis (CBA) and treatment strategy assessment and
maintenance.

Risk Treatment Strategies

When an organization's general management team determines that risks from
information security (InfoSec) threats are creating a competitive disadvantage, it
empowers the InfoSec and IT communities of interest to treat those risks. Once the
project team for InfoSec development has identified the information assets with
unacceptable levels of risk (see Chapter 6), the team must choose one of five basic
strategies to treat the risks for those assets:
• Defense- Applying controls and safeguards that eliminate or reduce the
remaining uncontrolled risk
• Transference- Shifting risks to other areas or to outside entities
• Mitigation- Reducing the impact to information assets should an attacker
successfully exploit a vulnerability
• Acceptance- Understanding the consequences of choosing to leave an
information asset's vulnerability facing the current level of risk, but only
after a formal evaluation and intentional acknowledgment of this decision
• Termination-Removing or discontinuing the information asset from the
organization's operating environment

Defense

Key Terms

avoidance strategy See defense risk treatment strategy.

defense risk treatment strategy The risk treatment strategy that attempts to eliminate or
reduce any remaining uncontrolled risk through the application of additional controls and
safeguards in an effort to change the likelihood of a successful attack on an information
asset. Also known as the avoidance strategy.

The defense risk treatment strategy attempts to prevent the exploitation of the
vulnerability. This is the preferred approach and is accomplished by means of
countering threats, removing vulnerabilities in assets, limiting access to assets,
and adding protective safeguards. This approach is sometimes referred to as the
avoidance strategy. In essence, the organization is attempting to improve the security
of an information asset by reducing the likelihood or probability of a successful attack.
I
CHAPTER 7 Risk Management: Tr eati ng Risk 369

There are three common approaches to implement the defense risk treatment
strategy:
• Application of policy- As discussed in Chapter 4, the application of policy
allows all levels of management to mandate that certain procedures always be
followed. For example, if the organization needs to control password use more
tightly, it can implement a policy requiring passwords on all IT systems. But
policy alone may not be enough. Effective management always couples changes
in policy with the training and education of employees, or an application of
technology, or both.
• Application of security education, training, and awareness (SETA) programs -
Simply communicating new or revised policy to employees may not be
adequate to assure compliance. Awareness, training, and education are essential
to creating a safer and more controlled organizational environment and to
achieving the necessary changes in end-user behavior.
• Implementation of technology - In the everyday world of InfoSec, technical
controls and safeguards are frequently required to effectively reduce risk. For
example, firewall administrators can deploy new firewall and !DPS technologies
where and how policy requires them and where administrators are both aware of
the requirements and trained to implement th em.
Risks can be avoided by countering the threats facing an asset or by minimizing
the exposure of a particular asset. Eliminating the risk posed by a threat is virtually
impossible, but it is possible to reduce the residual risk to an acceptable level in
alignment with the organization's documented risk appetite.

Transference

Key Term
transference risk treatment strategy The risk treatment strategy that attempts to shift risk
to other assets, other processes, or other organizations.

The transference risk treatment strategy attempts to shift risk to another entity. This
goal may be accomplished by rethinking how services are offered, revising deployment
models, outsourcing to other organizations, purchasing insurance, or implementing
service contracts with providers.
In their best-selling book In Search of Excellence, management consultants Thomas
Peters and Robert Waterman presented case studies of high-performing corporations.
One of the eight characteristics of excellent organizations is that
CHAPTER 7 Risk Ma nageme nt : Treating Risk

they "stick to their knitting;' the authors wrote. "They stay reasonably close to
the business they know."' What does this mean? It means that Nabisco focuses on
the manufacture and distribution of foodstuffs, while General Motors focuses on the
design and manufacture of cars and trucks. Neither company spends strategic energies
on the technology for securing Web sites. They focus energy and resources on what
they do best while relying on consultants or contractors for other types of expertise.
Organizations should consider this whenever they begin to expand their
operations, including information and systems management, and even InfoSec.
When an organization does not have adequate security management and
administration experience, it should consider hiring individuals or organizations
that provide expertise in those areas. For example, many organizations want Web
services, including Web presences, domain name registration, and domain and Web
hosting. Rather th an implementing their own servers and hiring their own Web
developers, Web systems administrators, and even specialized security experts,
savvy organizations hire Web services organizations. This approach allows them to
transfer the risks associated with the management of these complex systems to other
organizations with more experience in dealing with those risks.
The key to an effective transference risk treatment strategy is the implementation
of an effective service level agreement (SLA). In some circumstances, an SLA is the only
guarantee that an external organization will implement the level of security the client
organization wants for valued information assets.
According to the Federal Deposit Insurance Corporation (FDIC) in their document
"Tools to Manage Technology Provider's Performance Risk: Service Level Agreements," a
typical SLA should contain the following elements:
• Service category (e.g., system availability or response time)
• Acceptable range of service quality
• Definition of what is being measured
• Formula for calculating the measurement
• Relevant credits/penalties for achieving/Jailing performance targets
• Frequency and interval of measurement3
The FDIC also suggests that organizations use the following four steps to create
a successful SLA. While originally written for InfoSec and IT departments within
financial institutions, th ese recommendations are equally applicable and easily
adaptable to virtually any organization:
• Determining objectives- Reviewing the strategic business needs of the financial
institution includes evaluating its day-to-day operating environment, risk
factors, and market conditions. Consideration should be given to how the
outsourced service fits into the bank's overall strategic plan.
I
CHAPTER 7 Risk Management: Tr eati ng Risk 371

• Defining requirements- Identifying the operational objectives (e.g., the need to

improve operating efficiency, reduce costs, or enhance security) will help the
institution define performance requirements. It will also help identify the levels
of service the bank needs from the service provider to meet its strategic goals
and objectives for the outsourced activity.
• Setting measurements- Clear and impartial measurements, or metrics, can be
developed once the strategic needs and operating objectives have been defined.
The metrics are used to confirm that the necessary service levels have been
achieved and the objectives and strategic intent have been met.
• Establishing accountability - It is useful to develop and adopt a framework
that ensures accountability after the metrics have been clearly defined. The
service provider rarely has full accountability and responsibility for all tasks.
Establishing this accountability usually includes a clear statement of the
outcome if the level of service is exceeded or if the expected service fails to meet
the stated standard.•
Of course, outsourcing is not without its own risks. It is up to the owner of
the information asset, IT management, and the InfoSec team to ensure that the
requirements of the outsourcing contract are sufficient and have been met before they
are needed.

Mitigation

Key Term
mitigation risk treatment strategy The risk treatment strategy that attempts to reduce
the impact of the loss caused by an incident, disaster, or attack th rough effective contingency
planning and preparation.

The mitigation risk treatment strategy is the treatment approach that focuses
on planning and preparation to reduce the impact or potential consequences of an
incident or disaster. This approach includes four types of plans, which you will learn
about in Chapter 10: the incident response (IR) plan, the disaster recovery (DR) plan, the
business continuity (BC) plan, and the crisis management (CM) plan. Mitigation derives
its value from its ability to detect and respond to an attack as quickly as possible.
Table 7- 1 summarizes the four types of mitigation plans, including descriptions
and examples of each.
CHAPTER 7 Risk Management: Treating Risk

~1,1r.. Summary of Mitigation Plans

When
Plan Description Example Deployed Time Frame
Incident Act ions an • List of steps to be As an incident Immediate
response organization takes taken during an or disaster and real-t ime
(IR) plan during incidents incident unfolds reaction
(attacks or • Intelligence
accidental data loss) gat hering
• Information analysis
Disaster • Preparations • Procedures for t he Immediately Short-term
recovery f or recovery recovery of lost data after t he recovery
(DR) p lan should a • Procedures for t he incident is
disaster reestablishment labeled a
occur of lost technology disaster
• Strategies to infrastructure and
limit losses services
before and • Shut down
during a procedures to
disaster protect systems and
• Step-by-step data
instructions
to regain
normalcy
Business Steps to ensure • Preparation steps Immediately Long-term
continuity continuation of t he for activation of after the organizational
(BC) plan overall business alternate dat a disaster is stability
when the scale of centers determined
a disaster exceeds • Establishment of to affect the
the DR plan's ability critical business continued
to quickly restore funct ions in an operations
operations alternate location of the
organization
Crisis Steps to ensure t he • Procedures for Immediately Both short·
management safety and we lfare the notificati on of after t he ter m safety
(CM) plan of the people personnel in t he incident or and long-term
associated with an event of an incident disaster is personnel
organ ization in the or disaster deemed to welfare
event of an incident • Procedures for threaten stability
or disaster that commun ication personnel
threatens their well with associated safety
being emergency services
• Procedures for
reacting to and
recovering from
personnel safety
threats
I
CHAPTER 7 Risk Management: Tr eati ng Risk 373

Acceptance

Key Term
acceptance risk treatment strategy The risk treatment strategy that indicates
the organization is willing to accept the current level of residual risk. As a result, the
organization makes a conscious decision to do nothing else to protect an information
asset from risk and to accept the outcome from any resulting exploitation.

As described earlier, mitigation is a treatment approach that attempts to reduce

the effects of an exploited vulnerability by preparing to react if and when it occurs.
In contrast, the acceptance risk treatment strategy is the decision to do nothing
beyond the current level of protection to protect an information asset from risk, and
to accept the outcome from any resulting exploitation. While the selection of this
treatment strategy may not be a conscious business decision in some organizations,
the unconscious acceptance of risk is not a productive approach to risk treatment.
Acceptance is recognized as a valid strategy only when the organization has:
• Determined the level of risk posed to the information asset
• Assessed the probability of attack and the likelihood of a successful exploitation
of a vulnerability
• Estimated the potential impact (damage or loss) that could result from a
successful attack
• Evaluated potential controls using each appropriate type of feasibility
• Performed a thorough risk assessment, including a financial analysis such
as a CBA
• Determined that the costs to treat the risk to a particular function, service,
collection of data, or information asset do not justify the cost of implementing
and maintaining the controls
This strategy assumes that it can be a prudent business decision to examine the
alternatives and conclude that the cost of protecting an asset does not justify the
security expenditure. Suppose an organization has an older Web server that only
provides information related to legacy products. All information on the server is
considered public and is only provided for the benefit of legacy users. The information
has no significant value and does not contain any information it has a legal obligation
to protect. A risk assessment and an evaluation of treatment options determine that
it would cost a substantial amount of money to update the security on this server.
The management team is unwilling to remove it from operation but determines it is
not feasible to upgrade the existing controls or add new controls. They may choose to
make a conscious business decision to accept the current level of residual risk for this
information asset, in spite of any identified vulnerabilities. Under those circumstances,
CHAPTER 7 Risk Ma nageme nt : Treating Risk

management may be satisfied with taking its chances and saving the money that
would otherwise be spent on protecting this particular asset.
An organization that decides on acceptance as a strategy for every identified
risk of loss may be unable to conduct proactive security activities and may have an
apathetic approach to security in general. It is not acceptable for an organization to
plead ignorance and thus abdicate its legal responsibility to protect employees' and
customers' information. It is also unacceptable for management to hope that if they do
not try to protect information, the opposition will believe it can gain little by an attack.
In general, unless the organization has formally reviewed an information asset and
determined the current residual risk is at or below the organization's risk appetite, the
risks far outweigh the benefits of this approach.

Termination

Key Term
term ination risk treatment strategy The risk treatment strategy that eliminates all risk
associated with an information asset by removing it from service.

Like acceptance, the termination risk t rea tment strategy is based on the
organization's intentional choice not to protect an asset. Here, however, the
organization does not wish th e information asset to remain at risk and so removes it
from the operating environment.
Sometimes, the cost of protecting an asset outweighs its value. In other cases,
it may be too difficult or expensive to protect an asset, compared to the value or
advantage that asset offers th e company. In either case, termination must be a
conscious business decision, not simply the abandonment of an asset, which would
technically qualify as acceptance.

Managing Risk
As described in Chapter 6, risk appetite is the quantity and nature of risk that
organizations are willing to accept as they evaluate the trade -offs between perfect
security and unlimited accessibility. For instance, a financial services company,
regulated by government and conservative by nature, seeks to apply every reasonable
control and even some invasive controls to protect its information assets. Other less
closely regulated organizations may also be conservative and th us seek to avoid
the negative publicity and perceived loss of integrity caused by the exploitation of
a vulnerability. A business executive might direct the installation of a set of firewall
I
CHAPTER 7 Risk Management: Tr eati ng Risk 375

rules that are far more stringent than necessary, simply because being hacked would
jeopardize his or her organization's reputation in the market. Other organizations may
take on dangerous risks because of ignorance. The reasoned approach to risk is one
that balances the expense (in terms of finance and the usability of information assets)
against the possible losses, if exploited.
James Anderson, Enterprise Security Architect at Blue Cross of North Carolina,
believes that InfoSec in today's enterprise should strive to be a well-informed sense
of assurance that the information risks and controls are in balance :•sThe key is for
the organization to find balance in its decision-making processes and in its feasibility
analyses, thereby assuring that its risk appetite is based on experience and facts, not
on ignorance or wishful thinking.
When vulnerabilities have been controlled to the degree possible, there is often
remaining risk that has not been completely removed, shifted, or planned for- in
other words, residual risk. Figure 7- 2 illustrates how residual risk persists even after
safeguards are implemented to reduce the levels of risk associated with threats,
vulnerabilities, and information assets.

Risk Facing an Information Asset's Value

Residual risk- the risk that

has not been covered by
one of the safeguards

-.. ,.. Amount of vulnerability

..-
~
-<:
..:
reduced by safeguards

g>
"iij Amount of threat
~

~
reduced by safeguards •
·"'
"'
-l9
,2

,.. Amount of asset value

protected by safeguards

Figure 7-2 Residua l risk

Although it might seem counterintuitive, the goal of InfoSec is not to bring

residual risk to zero; rather, it is to bring residual risk in line with an organization's risk
appetite. If decision makers have been informed of uncontrolled risks and the proper
authority groups within the communities of interest decide to leave residual risk in
place, then the InfoSec program has accomplished its primary goal.
CHAPTER 7 Risk Ma nageme nt: Treating Risk

Figure 7-3 illustrates the process by which an organization chooses from among
the risk treatment strategies. As shown in this diagram, after the information system
is designed, you must determine whether the system has vulnerabilities that can
be exploited. If a viable threat exists, determine what an attacker will gain from a
successful attack. Then, estimate the expected loss the organization will incur if the
vulnerability is successfully exploited. If this loss is within the range of losses the
organization can absorb, or if the attacker's gain is less than the likely cost of executing
the attack, the organization may choose to accept the risk. Otherwise, it must select
one of the other treatment strategies.

Threat
source 1 - - - - - - - - - - - - - - - - - - - - - - ,

Yes Yes Asset is Threat and

Asset
Vulnerable? Exploitable? vulnerable vulnerability
assessment
to attack exist
No No

( No risk ) No risk

Unacceptable risk:
Risk Yes Is th• Yes requires further
l.s attachr's gain expected loss great~r . df
of loss ,__.,., greater than than th• organization's >-+1treatme<11 v,a e ense,
exists costs of attack? ability toabsorb? transference, or
mitigation; or asset
No No must be terminated

Risk can Risk can

be accepted be accepted

Figure 7-3 Risk-handl ing action points

Here are some rules of thumb for selecting a strategy (keeping in mind that the
level of threat and the value of the asset should play major roles in treatment strategy
selection):
• When a vulnerability {flaw or weakness) exists in an important asset- Implement
security controls to reduce the likelihood of a vulnerability being exploited.
• When a vulnerability can be exploited- Apply layered protections, architectural
designs, and administrative controls to minimize the risk or prevent the
occurrence of an attack.
I
CHAPTER 7 Risk Management: Tr eati ng Risk 377

• When the attacker's potential gain is greater than the costs of attack- Apply
protections to increase the attacker's cost or reduce the attacker's gain by using
technical or managerial controls.
• When the potential loss is substantial- Apply design principles, architectural
designs, and technical and nontechnical protections to limit the extent of the
attack, thereby reducing th e potential for loss.•
Once a treatment strategy has been selected and implemented, controls should be
monitored and measured on an ongoing basis to determine their effectiveness and to
maintain an ongoing estimate of the remaining risk. Figure 7-4 shows how this cyclical
process ensures that risks are controlled.

Identify
.
Implement Plan for
information
controls maintenance
assets

Assess and Measure risk to

evaluate risk Assess
information -
controls
to assets asset

Develop Are Yes Yes

- treatment
strategy and plan
the controls Acceptable
adequate? risk?
No No

Figure 7-4 Risk treatm ent cycle

At a minimum, each information threat/vulnerability/asset {TVA) triplet

that was developed in th e risk assessment described in Chapter 6 should have a
documented treatment strategy that clearly identifies any residual risk that remains
after the proposed strategy has been executed. This approach must articulate
which of the fundamental risk-reducing strategies will be used and how multiple
strategies might be combined. This process must justify the selection of the chosen
treatment strategies by referencing the feasibility studies. Organizations should
document th e outcome of the treatment strategy selection process for each TVA
combination in an action plan. This action plan includes concrete tasks, with
accountability for each task being assigned to an organizational unit or to an
CHAPTER 7 Risk Ma nageme nt : Treating Risk

individual. It may include hardware and software requirements, budget estimates,

and detailed timelines.
As shown in the Clearwater Compliance Information Risk Management
(CC IIRM) application in Figures 7-5 and 7-6, once the organization has decided
on a risk treatment strategy, it must then re -estimate the effect of the proposed
strategy on the residual risk that would be present after the proposed treatment
was implemented. For situations in which the organization has decided to adopt
the defense risk treatment strategy (which CCIIRM refers to as mitigation), the
software provides recommendations for the implementation of general controls of all
categories (policy, training and awareness, and technology) for the reduction of th e
likelihood and impact of an attack. The software then requires the RM process team
to specify the estimated effectiveness and feasibility of the proposed changes and a
recommendation to add new controls, enhance existing controls, or omit a proposed
control if it is ineffective or infeasible. The team then specifies the level of residual
risk that would exist after the proposed changes are made and any modifications
to the current level of controls and safeguards are implemented. The comparison of
the pre- and post-risk treatment assessments provides a foundation for the actual
purchasing and implementation of proposed controls based on further assessment of
feasibility and cost-benefit analysis.

• Risk Treat and Evaluate Form .......

--·
........ _ l ..... J

.............
-- --- -.-
-- --· --.....
_____
... -~- ---
- ....-
-...-
_,,_
--..,
-
---
__ .._..__...
--·--
.._ ....
c ,c .. - - -

---·--
.,.._ ...._...,.__ ,_.,.
--
-
_ _ .._ _ _ S o . _ .....

..
• ri '
®
• '
•

--
-- .. ---- oe
·-
•
•
•
-·
-·--- •
... - •
Figure 7-5 Clearwater Compl iance IRM-risk treatment
Source: Clearwater Compliance /RM.
I
CHAPTER 7 Risk Management: Tr eating Risk 379

• @ .~ a lltlll....,.. ....,. ..........

" Risk Treat and Evatuata Fenn _..,.._ ... ' - - -....,-

__ ., .......... .
--
_ ___
__
...- ....... _ -- -- -
..........• o-... , ....., .. _
.,__.....,_ • -e..-- ----
- ______ _-· .. -- -=::::- -·--
._..._
.
_
.,_
............. ---
..,._ ...-.-
....._
,..._._ ,...._.,..._,_ ....__ .._,...

..
-·- - -- -· -- ·-· - -·· • •
-
'w

-- cc
• CII
II

--· I
- --·
II

-· ID
Ii

® a
•
•

--- -- -- •• 0 ----

-·-
. . 1-· ..
oe -·- 0

a
..•
-·--
- --·
--- 0
Ell
0
- a

Figure 7-6 Clearwater Compliance !RM-residual risk selection

Source: Clearwater Compliance /RM.

Feasibility and Cost-benefit Analysis

Key Terms
annualized loss expectancy (ALE) In a cost-benefit analysis, the product of the annualized
rate of occurrence and single loss expectancy.
annualized rate of occurrence (ARO) In a cost-benefit ana lysis, the expected frequency of
an attack, expressed on a per-year basis.
asset val uation The process of assigning financial value or worth to each information asset.
cost avoidance The financial savings from using the defense risk treatment strategy to
implement a control and elim inate the financial ram ifications of an incident .
cost-benefit analysis (CBA) Also known as an economic feasibility study, the formal
assessment and presentation of the economic expenditures needed for a particular security
control, contrasted with its projected value to the organization.
single loss expectancy (SLE) In a cost-benefit analysis, the calculated value associated with
the most likely loss from an attack (impact). The SLE is the product of t he asset's value and
the exposure factor.
CHAPTER 7 Risk Ma nageme nt: Treating Risk

Before deciding on the treatment strategy for a specific TVA triplet, an organization
should explore all readily accessible information about the economic and
noneconomic consequences of an exploitation of the vulnerability, when the threat
causes a loss to the asset. This exploration attempts to answer the question, "What
are the actual and perceived advantages of implementing a control as opposed to
the actual and perceived disadvantages?" In other words, the organization is simply
trying to answer the question, "Before we spend any more time, money, or resources
on additional protection mechanisms to protect this asset, is it worth it?" The costs
associated with the various risk treatment strategies may help the organization
decide which option to choose. The only overriding factor may be a legal or regulatory
requirement to protect certain sensitive information, regardless of the cost- such as
with customer financial information under Gramm-Leach-Bliley or patient healthcare
information under HIPAA.
While the advantages of a specific strategy can be identified in a number of ways,
the primary way is to determine the value of the information assets it is designed
to protect. There are also many ways to identify the disadvantages associated with
specific risk treatment options. The following sections describe some of the more
commonly used techniques for making these choices. Some of these techniques use
dollar-denominated expenses and savings from economic cost avoidance, while
others use noneconomic feasibility criteria.
The criterion most commonly used when evaluating a strategy to implement
InfoSec controls and safeguards is economic feasibility. While any number of
alternatives may solve a particular problem, some are more expensive than others.
Most organizations can spend only a reasonable amount of time and money
on InfoSec, although the definition of reasonable varies from organization to
organization, even from manager to manager. Organizations can begin this type of
economic feasibility analysis by valuing the information assets and determining
the loss in value if those information assets became compromised. Common sense
dictates that an organization should not spend more to protect an asset than it is
worth. This decision-making process is called a cost-benefit a na lysis (CBA) or an
economic feasibility study.

Cost
Just as it is difficult to determine the value of information, it is difficult to determine
the cost of safeguarding it. Among the items that affect the cost of a particular risk
treatment strategy, including implementing new or improved controls or safeguards
under the defense option, are the following:
• Cost of development or acquisition (hardware, software, and services)
• Training fees (cost to train personnel)
• Cost of implementation (installing, configuring, and testing hardware, software,
and services)
I
CHAPTER 7 Risk Management: Treating Risk 381

• Service costs (vendor fees for maintenance and upgrades or from outsourcing
the information asset's protection and/or insurance)
• Cost of maintenance {labor expense to verify and continually test, maintain,
train, and update)
• Potential cost from the loss of the asset, either from removal of service
(termination) or compromise by attack

Benefit
Benefit is the value to th e organization of using controls to prevent losses
associated with a specific vulnerability. It is usually determined by valuing th e
information asset or assets exposed by the vulnerability and then determining how
much of that value is at risk and how much risk exists for the asset. This result is
expressed as the annualized loss expectancy (ALE), which is defined later in this
chapter.

Asset Valuation
As you learned in Chapter 6, the value of information differs within organizations
and between organizations. Some argue that it is virtually impossible to accurately
determine the true value of information and information-bearing assets, which
is perhaps one reason why insurance underwriters currently have no definitive
valuation tables for information assets. Asset va luat ion can draw on the assessment
of information assets performed as part of the risk identification process you learned
about in Chapter 6.
Asset valuation involves the estimation of real or perceived costs. These costs
can be selected from any or all of those associated with the design, development,
installation, maintenance, protection, recovery, and defense against loss or litigation.
Some costs are easily determined, such as the cost of replacing a network switch
or the cost of the hardware needed for a specific class of server. Other costs are
almost impossible to determine, such as the dollar value of the loss in market share
if information on a firm's new product offerings is released prematurely and the
company loses its competitive edge. A further complication is that over time some
information assets acquire value that is beyond their intrinsic value. This higher
acquired value is the more appropriate value in most cases.
Asset valuation is a complex process. While each organization must decide
for itself how it wishes to value its information assets, the more commonly used
quantitative approaches include the following:
• Value retained from the cost of creating the information asset- Information is
created or acquired at a cost, which can be calculated or estimated. For example,
many organizations have developed extensive cost-accounting practices to
capture the costs associated with collecting and processing data as well as the
costs of developing and maintaining software. Software development costs
CHAPTER 7 Risk Ma nageme nt: Treating Risk

include the efforts of the many people involved in the systems development life
cycle for each application and system. Although this effort draws mainly on IT
personnel, it also includes the user and general management community and
sometimes the InfoSec staff. In today's marketplace, with high programmer
salaries and even higher contractor expenses, the average cost to complete even
a moderately sized application can quickly escalate. For example, multimedia-
based training software that requires 350 hours of development for each hour of
content will require the expenditure of as much as $10,000 per hour of content
produced.
• Value retained from past maintenance of the information asset- It is estimated
that between 60 and So percent of the total cost of acquiring and operating an
information asset is incurred in the maintenance phase. That typically means
for every dollar spent on developing an application or acquiring and processing
data, another $4 to $5 will be spent after the software is in use. If actual costs
have not been recorded, the cost can be estimated in terms of the human
resources required to continually update, support, modify, and service the
applications and systems.
• Value implied by the cost of replacing the information- The costs associated with
replacing information should include the human and technical resources needed
to reconstruct, restore, or regenerate the information from backups, independent
transaction logs, or even hard copies of data sources. Most organizations rely
on routine media backups to protect their information. When estimating
recovery costs, keep in mind that you may have to hire contractors to carry out
the regular workload that employees will be unable to perform during recovery
efforts. To restore this information, the various information sources may have
to be reconstructed, with the data reentered into the system and validated for
accuracy.
• Value from providing the information- Separate from the cost of developing or
maintaining the information is the cost of providing the information to those
users who need it. Such costs include the values associated with the delivery
of the information through databases, networks, and hardware and software
systems. They also include the cost of the infrastructure necessary to provide
access to and control of the information.
• Value acquired from the cost of protecting the information- The value of an asset
is based in part on the cost of protecting it, and the amount of money spent
to protect an asset is based in part on the value of th e asset. While this is a
seemingly unending circle, estimating the value of protecting an information
asset can help you better understand the expense associated with its potential
loss. The values listed previously are easy to calculate with some precision. This
value and those that follow are likely to be estimates of cost.
• Value to owners- How much is your Social Security number worth to you?
Or your telephone number? Placing a value on information can be quite a
I
CHAPTER 7 Risk Management: Tr eati ng Risk 383

daunting task. A market researcher collects data from a company's sales figures
and determines that a new product offering has a strong potential market
appeal to members of a certain age group. While the cost of creating this
new information may be small, how much is the new information actually
worth? It could be worth millions if it successfully captures a new market
share. Alth ough it may be impossible to estimate th e value of information
to an organization or what portion of revenue is directly attributable to
that information, it is vital to understand the overall cost that could be a
consequence of its loss so as to better realize its value. Here again, estimating
value may be th e only method possible.
• Value of intellectual property- The value of a new product or service to a
customer may ultimately be unknowable. How much would a cancer patient pay
for a cure? How much would a shopper pay for a new flavor of cheese? What is
the value of a logo or advertising slogan? Related but separate are intellectual
properties known as trade secrets. Intellectual information assets are the
primary assets of some organizations.
• Value to adversaries - How much is it worth to an organization to know
what the competition is doing? Many organizations have established
departments tasked with the assessment and estimation of the activities of
their competition. Even organizations in traditionally nonprofit industries can
benefit from knowing what is going on in political, business, and competitive
organizations. Stories of industrial espionage abound, including th e urban
legend of Company A encouraging its employees to hire on as janitors at
Company B. As custodial workers, th e employees could snoop through
open terminals, photograph and photocopy unsecured documents, and rifle
through internal trash and recycling bins. Such legends support a widely
accepted concept: Information can have extraordinary value to th e right
individuals. Similarly, stories are circulated of how disgruntled employees,
soon to be terminated, steal information and present it to competitive
organizations to curry favor and achieve new employment. Those who
hire such applicants in an effort to gain from their larceny should consider
wheth er benefiting from such a tactic is wise. After all, such thieves could
presumably repeat their activities when th ey become disgruntled with their
new employers.
• Loss of productivity while the information assets are unavailable- When a power
failure occurs, effective use of uninterruptible power supply (UPS) equipment
can prevent data loss, but users cannot create additional information. Although
this is not an example of an attack that damages information, it is an instance in
which a threat (deviations in quality of service from service providers) affects an
organization's productivity. The hours of wasted employee time, the cost of using
alternatives, and the general lack of productivity will incur costs and can severely
set back a critical operation or process.
CHAPTER 7 Risk Ma nageme nt : Treating Risk

• Loss of revenue while information assets are unavailable- Have you ever been
purchasing something at a retail store and your credit card would not scan?
How many times did the salesperson rescan the card before entering the
numbers manually? How long did it take to enter the numbers manually in
contrast to th e quick swipe? What if the credit card verification process was
offline? Did the organization have a manual process to validate or process
credit card payments in the absence of the familiar approval system? Many
organizations have all but abandoned manual backups for automated
processes. The Federal Emergency Management Agency {FEMA) estimates that
40 percent of businesses do not reopen after a disaster and another 25 percent
fail within one year. 7 Imagine, instead of a grocery store, an online book retailer
such as Amazon.com suffering a power outage. The entire operation is instantly
closed. Even if Amazon's offering system were operational, what if the payment
systems were offline? Customers could make selections but could not complete
their purchases. Most organizations would be unable to conduct business if
certain pieces of information were unavailable.
• Total cost of ownership- Ultimately, th e single value that best reflects all costs
associated with an information asset is known as th e total cost of ownership
(TCO). This is the sum total of the elements of th e previous categories,
encompassing all expenses associated with acquiring, operating, and
disposing of the asset. It is critical to the economics of project management to
understand that th e cost to an organization of a software application or data
management project includes much more th an the cost of the development
and implementation of the project. TCO includes both direct and indirect
costs, most of which have been described here. However, th e TCO becomes
more complicated when you factor in the breadth of the indirect costs. For
a new software application, th e organization will need a server to run it
on, possibly a separate database application to store and manage th e data,
networking hubs, cables, power conditioning and protection (UPS), electricity,
heating and cooling equipment, lighting to view th e console, perhaps a
separate keyboard, video, and mouse (KVM) switch, space in a server cabinet,
location in a data storage closet, insurance, software programmers, network
engineers, database developers, and project managers- all of which have
salary, benefits, training, and equipment requirements, unless of course the
project will leverage cloud-based resources, thus trading off direct hardware
and operating costs for th e indirect costs of managed services. And, all
of this is just to develop, install, and run th e application. Users must be
trained to use the application, so their salaries and benefits are part of TCO.
Training facilities require space, power, heating and cooling, insurance,
and networking. Once th e application requires maintenance, updates,
I
CHAPTER 7 Risk Management: Tr eati ng Risk 385

improvements, enhancements, and an entire host of security expenses-

similar to the development requirements - the web of indirect costs required
to keep a software application becomes increasingly difficult to track. The true
TCO may never be fully understood; what the organization must do is devise
a meth od of estimating TCO that management can live with and that makes
sense to them.
A traditional model of calculating quantitative cost-benefit analyses involves
estimating the likelihood of an attack based on an annualized rate of occurrence
and the impact of an attack based on loss expectancy. Once an organization has
estimated the worth of various assets, it can begin to calculate the potential loss
from the successful exploitation of vulnerability; this calculation yields an estimate
of potential loss per risk. The questions that must be asked at this stage include the
following:
• What damage could occur, and what financial impact would it have?
• What would it cost to recover from the attack, in addition to the financial impact
of damage?
• What is the single loss expectancy for each risk?
A single loss expectancy { SLE) is the calculated value associated with the most
likely loss from a single occurrence of a specific attack (impact). It takes into account
both the value of the asset and the expected percentage of loss that would occur from a
particular attack. In other words:
SLE = asset value (AV) x exposure factor {EF)
Where:
EF = the percentage loss that would occur from a given vulnerability being exploited
For example, say a Web site has an estimated value of $ 1 million, as determined
by asset valuation, and a sabotage or vandalism scenario shows that 10 percent
of the Web site's value would be damaged or destroyed in such an attack (the EF).
In this case, the SLE for the Web site would be $1,000,000 x 0.10 = $100,000. This
estimate is then used to calculate anoth er value, ALE, which is discussed later in this
section.
As difficult as it is to estimate the value of information, estimating th e
probability of a threat occurrence or attack {likelihood) is even more difficult . There
are not always tables, books, or records that indicate the frequency or probability
of any given attack, alth ough some sources are available for certain asset/ threat
pairs. For instance, the likelihood of a tornado or thunderstorm destroying a
building of a specific type of construction within a specified region of the country
is available to insurance underwriters. In most cases, however, an organization
can rely only on its internal information to calculate the security of its information
CHAPTER 7 Risk Ma nageme nt : Treating Risk

assets. Even if the network, systems, and security administrators have been
actively and accurately tracking th ese threat occurrences, the organization's
information will be sketchy at best. As a result, this information is usually
estimated.
Usually, the probability of a threat occurring is depicted as a table that indicates
how frequently an attack from each threat type is likely to occur within a given time
frame (e.g., once every 10 years). This value is commonly referred to as the annualized
rate of occurrence {ARO). For example, if a successful act of sabotage or vandalism
occurs about once every two years, then the ARO would be 50 percent (0.5). A network
attack that can occur multiple times per second might be successful once each month
and would have an ARO of 12.
Once you determine th e loss from a single attack and the likely frequency of
successful attacks, you can calculate the overall loss potential per risk expressed as
an annualized loss expectancy (ALE) using the values for the ARO and SLE from the
previous sections.
ALE = SLE X ARO
To use our previous example, ifSLE = $100,000 and ARO= 0.5, then
ALE = $ 100,000 X 0.5
ALE = $50,000
Thus, the organization could expect to lose $50,000 per year unless it increases
its Web security. Now, armed with a figure to justify its expenditures for controls
and safeguards, the InfoSec design team can deliver a budgeted value for planning
purposes. Sometimes, noneconomic factors are considered in this process, so even
when ALE amounts are not large, control budgets can be justified.
The CBA determines whether the benefit from a control alternative is worth the
associated cost of implementing and maintaining the control. Such analyses may
be performed before implementing a control or safeguard, or they can be performed
after controls have been in place for a while. Observation over time adds precision to
the evaluation of the benefits of the safeguard and the determination of whether the
safeguard is functioning as intended.
Although many CBA techniques exist, the easiest way to calculate it is by using the
ALE from earlier assessments:
CBA = ALE(precontrol) - ALE(postcontrol) - ACS
Where:
ALE(precontrol) ALE of the risk before the implementation of the control
ALE(postcontrol) ALE examined after the control has been in place for a period of time
ACS annualized cost of the safeguard
I
CHAPTER 7 Risk Management: Treati ng Risk 387

Once the controls are implemented, it is crucial to examine their benefits

continuously to determine when they must be upgraded, supplemented, or replaced.
As Frederick Avolio states in his article "Best Practices in Network Security":

Security is an investment, not an expense. Investing in computer and network security

measures that meet changing business requirements and risks makes it possible to satisfy
changing business requirements without hurting the business's viability.•

Other Methods of Establishing Feasibility

Key Terms
behavioral feasibility See operational feasibility.
operational feasibility An examination of how well a particular solution fits within the
organization's culture and the extent to which users are expected to accept the solution.
Also known as behavioral feasibility.
organizational feasibility An examination of how well a particular solution fits with in the
organization's strategic plann ing objectives and goals.
political feasib il ity An examination of how well a particular solution fits within the
organization's political environment-for example, the working relationship within the
organization's communities of interest or between the organization and its external
environment.
technical feasibility An examination of how well a particular solution is supportable
given the organization's current technological infrastructure and resources, which include
hardware, software, networking. and personnel.

Earlier in this chapter, the concept of economic feasibility was employed to justify
proposals for InfoSec controls. The next step in measuring how ready an organization
is for the introduction of these controls is to determine the proposal's organizational,
operational, technical, and political feasibility.

Organizational Feasibility
Organizatio nal feasibi lity examines how well the proposed InfoSec alternatives will
contribute to the efficiency, effectiveness, and overall operation of an organization.
In other words, the proposed control approach must contribute to the organization's
strategic objectives. Does the implementation align well with the strategic planning for
the information systems, or does it require deviation from the planned expansion and
management of the current systems? The organization should not invest in technology
CHAPTER 7 Risk Ma nageme nt: Treating Risk

that changes its fundamental ability to explore certain avenues and opportunities. For
example, suppose that a university decides to implement a new firewall. It takes a
few months for the technology group to learn enough about the firewall to configure
it completely. A few months after the implementation begins, it is discovered that
the firewall as configured does not permit outgoing Web-streamed media. If one of
the goals of the university is the pursuit of distance-learning opportunities, a firewall
that prevents that type of communication has not met the organizational feasibility
requirement and should be modified or replaced.

Operational Feasibility
Operational feasibility refers to user acceptance and support, management acceptance
and support, and the system's compatibility with the requirements of the organization's
stakeholders. Operational feasibility is also known as behavioral feasibility. An
important aspect of systems development is obtaining user buy-in on projects. If the
users do not accept a new technology, policy, or program, it will inevitably fail. Users
may not openly oppose a change, but if they do not support it, they will find ways to
disable or otherwise circumvent it. One of the most common methods of obtaining
user acceptance and support is via user engagement. User engagement and support
can be achieved by means of three simple actions: communicate, educate, and involve.
Organizations should communicate with system users, sharing timetables and
implementation schedules, plus the dates, times, and locations of upcoming briefings
and training. Affected parties must know the purpose of the proposed changes and
how they will enable everyone to work more securely.
In addition, users should be educated and trained in how to work under the
new constraints while avoiding any negative performance consequences. A major
frustration for users is the implementation of a new program that prevents them from
accomplishing their duties, with only a promise of eventual training.
Finally, those making changes should involve users by asking them what they want
and what they will tolerate from the new systems. One way to do this is to include
representatives from the various constituencies in the development process.
Communication, education, and involvement can reduce resistance to change and
can build resilience for change- that ethereal quality that allows workers not only to
tolerate constant change but also to understand that change is a necessary part of the job.

Technical Feasibility
Unfortunately, many organizations rush to acquire new safeguards without thoroughly
examining what is required to implement and use them effectively. Because the
implementation of technological controls can be extremely complex, the project team
must consider th eir technical feasibility - that is, determine whether the organization
already has or can acquire the technology necessary to implement and support them.
For example, does the organization have the hardware and software necessary to
support a new firewall system? If not, can it be obtained?
Technical feasibility analysis also examines whether the organization has the
technological expertise to manage the new technology. Does the staff include individuals
I
CHAPTER 7 Risk Management: Tr eati ng Risk 389

who are qualified (and possibly certified) to install and manage a new firewall system?
If not, can staff be spared from their current obligations to attend formal training and
education programs to prepare them to administer the new systems, or must personnel
be hired? In the current environment, how difficult is it to find qualified personnel?

Political Feasibility
Politics has been defined as the art of the possible. Political feasibility analysis
considers what can and cannot occur based on the consensus and relationships among
the communities of interest. The limits imposed by the InfoSec controls must fit within
the realm of the possible before they can be effectively implemented, and that realm
includes the availability of staff resources.
In some organizations, the InfoSec community is assigned a budget, which
they then allocate to activities and projects, making decisions about how to spend
the money using their own judgment. In other organizations, resources are first
allocated to the IT community of interest, and the InfoSec team must compete for
these resources. Sometimes, the CBA and other forms of justification discussed in
this chapter are used to make rational decisions about the relative merits of proposed
activities and projects. Unfortunately, in other settings, these decisions are politically
charged and do not focus on the pursuit of the greater organizational goals.
Another methodology for budget allocation requires the InfoSec team to propose
and justify use of the resources for activities and projects in the context of the entire
organization. This approach requires that arguments for InfoSec spending articulate
the benefit of the expense for the whole organization, so that members of the
organizational communities of interest can understand and perceive their value.

Alternatives to Feasibility Analysis

Rather than using CBA or some other feasibility reckoning to justify risk treatments, an
organization might look to alternative models. These models will be discussed in detail
in Chapter 9. A short list of alternatives is provided here:
• Benchmarking is the comparison of organizational effectiveness, efficiency,
and productivity against an established measure. External benchmarking is the
process of seeking out and studying the practices used in other organizations
that produce the results you desire in your organization. Internal benchmarking,
also known as baselining, involves comparing measured past performance (the
baseline) against actual performance for the assessed category. In both external
and internal benchmarking, th e comparison of the two performance states may
reveal shortfalls in the organization's performance (known as the gap). A gap
analysis allows the organization to create a plan for moving the organization
closer to the ideal level of performance. When benchmarking, an organization
typically uses either metrics-based or process-based measures.
• Due care and due diligence describe an organization's actions when it adopts a
certain minimum level of security- th at is, what any prudent organization would
do in similar circumstances.
CHAPTER 7 Risk Management : Treat ing Risk

• Best business practices are considered those thought to be among the best in the
industry, bal ancing the need to access information w i th adequate protection .
• The gol d st an dard i s for those ambitious organizations in which the best
business practices are not sufficient. Th ey aspire to set the standard for their
industry and are thus sai d to be in pursuit of the gol d standard.
• Government recommendati ons and b est practices are useful for organizations
that operate in industries regul ated by governmental agencies. Government
recommendations, whi ch are, i n effect, requirements, can al so serve as excellent
sources for information about what some organi zati ons m ay be doing, or are
required to do, to control InfoSec risks.

Cybersecurity and Cyber Risk Management

By Tim Callahan, Global Chief Security Officer, Aflac

There have been increasing conversations about the need for effect ive cyber risk
management. This was evident recently when U.S. financial regulatory bodies released
an advance notice of proposed rulemaking (ANPR) regarding enhanced cyber risk
management standa rds (enhanced standards) for large and interconnected entities. For
years, the information security profession has held responsibility for cybersecurity and at
times w restled w ith how risk management principles integrated w it h information secu rity
pri nciples. Th is discussion explores the complementary nature of cybersecu rity and risk
management, and suggest s t hey are t ruly one and the same.
For the purpose of this discussion, t he following is a wo rking definition of each term.
Cybersecurity involves protecting t he confidentia lity, integrity, and availability of information,
which includes systems, hardware, and networks t hat process, store, and t ransmit the
information. Risk management involves underst anding "risk" and applying the appropriate
cont rols commensurate with the mission and goals of the organization. like security, risk
management involves governance, management, consideration of internal and external risks,
and incident response.
At face value, we may see a paradox, or seeming contradict ion, between the two
concept s. One implies full protection w ith less rega rd for cost or mission, wh ile the
other implies knowledge, decision making, and j udgment of controls appropriate for the
mission. A security purist may say we need to protect information at any cost, whereas a
risk management mindset wou ld look more at benefit, reward, and practicality of controls
weighed against business objectives.
However, there is no cont radiction. The security profession has matured significa nt ly
in the last decade; it now encompasses aspects of cyber, physica l, personal, data,
communications, and network security. The security professional now sees these disciplines
CHAPTER 7 Risk Management: Treating Risk I 391
'

as interconnected, where a wea kness in one impacts the other. So, the inclination is to ensure
all are "bolted" down. This premise is correct; they are all interconnected and should be
locked down. However, over the course of t he last few years, we have seen the reality of cost
and benefit discussions as well as the proliferation of security tools influence t he practice. It
is not practica l to have one of every security tool ava ilable. This rea lity has brought about the
merging of risk management practices with security practice.
Most security professiona ls have embraced this concept and, in fact, many would argue the
risk-based approach was always a part of the profession. There is truth to that; however, this
merging has brought about a need for greater discipline in documenting risk practices. Solid risk
management programs provide a formal process to understand risk, document risk, determine
the organization's risk tolerance, and decide on the appropriate risk mit igation strategy.
Understanding risk begins with an "organizational" risk assessment. A good risk assessment
will document the company profile- the purpose of the company, mission and objectives,
the risks found in the industry, risks particular to the company based on internal and external
threat, and the risk tolerance of the organ ization. In doing the assessment, risk should be
considered in terms of threat (criminal or otherwise), regulatory compliance, and reputation.
These are generally industry-specific. A bank, for instance, would have concerns in all three
areas. Being secure in one does not mean being secure in all. One could be solid in addressing
the threat, but may not be regulatory-compliant. One could be solid in meeting the threat and all
regulatory compliance, but have a negative reputation with the public. All should be addressed.
Therefore, the risk assessment should define controls that may be in place that reduce or
m it igate the risk. The assessment should also document the strategy for risk management in
terms of elim ination, acceptance, mitigation, or t ransference. Within security, there are places
where the strategy should be one of elimination. For instance, technology is employed that
detects a t hreat and seeks to elim inate the threat. A simple example may be the elim ination
of all malware. In other instances, there cou ld be a strategy of risk acceptance if the risk is
deemed low or if the protection cost far outweighs the pena lty.
You may be wondering, 'Why should I go to all t his trouble? I just want to secure
the environment! " Well, the goal of a formal risk management program is to employ a
governance framework to achieve a known and consistent state- a state that can be
measured, discussed, and continuously improved in an organized manner over time.
Additionally, a formal program provides an avenue to ensure that corporate governance
entities such as corporate risk comm ittees or the board of directors has sufficient awareness
of risk and what the program is doing to address risk. One can then align the security
program to manage agreed-upon risk and help prioritize security initiatives. The program, in
essence, provides a form of corporate agreement on what the security professiona l should be
wo rking toward. It is actually liberating in that sense.
In summary, the key to solid risk management is to understand you r company objectives,
risk tolerance, and risk profile, and then make risk-based decisions that meet the company's
m ission and objective. The most successful programs combine t hese concepts and principles
into the security program and operate as a risk management program.
CHAPTER 7 Risk Ma nageme nt: Treating Risk

Recommended Alternative Risk Treatment Practices

Assume that a risk assessment has determined it is necessary to protect a particular
asset's vulnerabilities from a particular threat, at a cost of up to $50 ,000 . Unfortunately
most budget authorities focus on the up to and then try to cut a percentage off the
total figure to save the organization money. This tendency underlines the importance
of developing strong justifications for specific action plans and of providing concrete
estimates in those plans.
Consider also that each control or safeguard affects more than one TVA
combination. If a new $50,000 firewall is installed to protect the Internet connection
infrastructure from hackers launching port-scanning attacks, the same firewall may
also protect other information assets from other threats and attacks. The final choice
may call for a balanced mixture of controls that provides the greatest value for as
many asset/threat pairs as possible. This example reveals another facet of the problem:
InfoSec professionals manage a dynamic matrix covering a broad range of threats,
information assets, controls, and identified vulnerabilities. Each time a control is added
to the matrix, it undoubtedly changes the ALE for the information asset vulnerability
for which it has been designed, and it may also change the ALE for other information
asset vulnerabilities. To put it more simply, if you put in one safeguard, you may
decrease the risk associated with all subsequent control evaluations. To complicate
matters still more, the action of implementing a control may change the values
assigned or calculated in a prior estimate.
Between the difficult task of valuing information assets and the dynamic nature
of the ALE calculations, it is no wonder that organizations typically look for a more
straightforward method of implementing controls. This preference has prompted an
ongoing search for ways to design security architectures that go beyond the direct
application of specific controls for specific information asset vulnerability. The
following sections cover some of these alternatives.

Qualitative and Hybrid Asset Valuation Measures

Many of the approaches to asset valuation described previously attempt to use actual
values or estimates to create a quantitative assessment . In some cases, an organization
might be unable to determine these values. Fortunately, risk assessment steps can
be executed using estimates based on a qualitative assessment, as mentioned in
Chapter 6. For example, instead of placing a value of once every 10 years for the ARO,
the organization might list all possible attacks on a particular set of information
and rate each in terms of its probability of occurrence- high, medium, or low. The
qualitative approach uses labels to assess value rather than numbers.
A more granular approach, the semi-qualitative or hybrid assessment, tries
to reduce some of the ambiguity of qualitative measures without resorting to th e
unsubstantiated estimations used for quantitative measures. Hybrid assessment uses
scales rather than specific estimates. For example, the scales discussed for likelihood
and impact in Chapter 6 use ordinal rankings from o (not applicable threat) to 5
I
CHAPTER 7 Risk Management: Tr eati ng Risk 393

(almost certain) for likelihood and o (not applicable) to s (severe) for impact. Of course,
organizations may prefer other scales, such as 1- 10 or 1- 100. These same scales can be
used in any situation requiring a value, even in asset valuation. For example, instead
of estimating that a particular piece of information is worth $1 million, you might value
information on a scale of 1- 100, where 1 indicates relatively worthless information and
100 indicates extremely critical information, such as a certain soda manufacturer's
secret recipe or th e 11 herbs and spices of a popular chicken vendor.

Delphi Technique
How do you calculate the values and scales used in qualitative and quantitative
assessment? An individual can pull the information together based on personal
experience, but, as the saying goes, "two heads are better than one" - and a team of
heads is better than two. The Delphi technique, named for the oracle at Delphi that
predicted the future (in Greek mythology), is a process whereby a group rates or ranks
a set of information. The individual responses are compiled and then returned to the
group for another iteration. This process continues until the entire group is satisfied
with the result. This technique can be applied to the development of scales, asset
valuation, asset or threat ranking, or any scenario that can benefit from the input of
more than one decision maker.

Alternative Risk Management Methodologies

Until now, this text has presented a general treatment of risk management,
synthesizing information and methods from many sources to present the customary
or usual approaches that organizations use to manage risk. This and the following
sections present alternative approaches to risk management, including international
and national standards and methodologies from industry-leading organizations.

The OCTAVE Methods

The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method
is an InfoSec risk evaluation methodology that allows organizations to balance the
protection of critical information assets against the costs of providing protective
and detection controls. This process, which is illustrated in Figure 7-7, can enable an
organization to measure itself against known or accepted good security practices and
then establish an organization-wide protection strategy and InfoSec risk mitigation plan.
The OCTAVE process is promoted by the Computer Emergency Response Team
(CERT) Coordination Center (www.cert.org ). The process has three variations:
• The original OCTAVE Method, which forms the basis for the OCTAVE body of
knowledge and which was designed for large organizations (300 or more users)
• OCTAVE-S, for smaller organizations of about 100 users
• OCTAVE-Allegro, a streamlined approach for InfoSec assessment and assurance9
CHAPTER 7 Risk Ma nageme nt: Treating Risk

Phase 1: Build Phase 2: ID Phase 3:

asset -based infrastructu re Develop security
t hreat profiles vu lnerabilities strategy & plans
1. ID senior
management
knowledge

2. ID op area
5. ID key 7. Conduct
management risk analysis
components
knowledge

Prepare
6. Evaluate 8. Develop
3. ID staff
selected protection
knowledge
components strategy

4. Create
threat profiles

Figure 7-7 OCTAVE overview

Note@
For more information about the OCTAVE Method, visit CERr s Web site at www.cert.org/
resilience/products-services/octave/.

Microsoft Risk Management Approach

Microsoft has recently updated its Security Risk Management Guide, which provides
the company's approach to the risk management process. Because this version is
comprehensive, easily scalable, and repeatable, it is summarized here.1°
Microsoft asserts that risk management is not a stand-alone subject and should be
part of a general governance program to allow the organizational general-management
community of interest to evaluate the organization's operations and make better, more
informed decisions. The purpose of the risk management process is to prioritize and
manage security risks. Microsoft presents four phases in its security risk management
process:
1. Assessing risk
2. Conducting decision support
I
CHAPTER 7 Risk Management: Treating Risk 395

3. Implementing controls
4. Measuring program effectiveness
These four phases, which are described in detail in the online appendix and
illustrated in Figure 7-8, provide an overview of a program that is similar to the
methods presented earlier in the text, including the OCTAVE Method. Microsoft,
however, breaks the phases into fewer, more manageable pieces.

• Develop Security Risk Scorecard • Gather Plan Data

• Measure Control Effectiveness • Gather Risk Data
• Prioritize Risks
Measuring
Assessing
Program
Risk
Effectiveness

Conducting
Implementing
Decision
Controls
Support
• Seek Holistic Approach • Define Functional Requirements
• Organize by Defense in Depth • Select Possible Control Solutions
• Review Solution
• Estimate Risk Reduction
• Estimate Solution Cost
• Select Mitigation Strateqy

Figure 7-8 Microsoft's security risk management guide

Note@
For more informatio n on Microsoft's approach to risk management, visit their Web site and
download their Security Risk Management Guide at https:l/technet.microsoft.comlen-us/libraryl
cc163143.aspx.

FAIR
Factor Analysis of Information Risk (FAIR), a risk management framework developed
by Jack A. Jones, can help organizations understand, analyze, and measure information
risk. The outcomes are more cost-effective information risk management, greater
credibility for the InfoSec profession, and a foundation from which to develop a
CHAPTER 7 Risk Ma nageme nt: Treating Risk

scientific approach to information risk management. The FAIR framework, as shown in

Figure 7-9, includes:
• A taxonomy for information risk
• Standard nomenclature for information risk terms
• A framework for establishing data collection criteria
• Measurement scales for risk factors
• A computational engine for calculating risk
• A modeling construct for analyzing complex risk scenarios
Basic FAIR analysis comprises 10 steps in four stages:
Stage 1- Identify Scenario Components
1.Identify the asset at risk.
2. Identify the threat community under consideration.
Stage 2- Evaluate Loss Event Frequency (LEF)
3. Estimate the probable Threat Event Frequency (TEF).
4. Estimate the Threat Capability (TCap).
5. Estimate Control Strength (CS).
6. Derive Vulnerability (Vuln).
7. Derive Loss Event Frequency (LEF).
Stage 3- Evaluate Probable Loss Magnitude (PLM)
8. Estimate worst-case loss.
9. Estimate probable loss.
Stage 4- Derive and Articulate Risk
10. Derive and articulate risk. 11

robable Loss
Magnitude

Threat Event Secondary

Vulnerability
Frequency Loss Factors

Action
Control Threat As.set Loss Threat Loss Organizational Extema1
Contact
Strength Capability Factors Factors Loss Factors Loss Factors

Figure 7-9 Facto r Analysis of Information Risk (FAIR)

I
CHAPTER 7 Risk Management: Tr eati ng Risk 397

Unlike other risk management frameworks, FAIR relies on the qualitative

assessment of many risk components, using scales with value ranges - for example,
very high to very low.
In 2011, FAIR became the cornerstone of a commercial consulting venture, CXOWARE,
which built FAIR into an analytical software suite called RiskCalibrator. In 2014, FAIR
was adopted by the Open Group as an international standard for risk management and
rebranded as Open FAIR™. Shortly thereafter, the publicly viewable information on the
FAIR Wiki site was taken down and all Web links to the archival material were redirected
to the Fair Institute Web site or the Open Group Standards e-commerce site. In 2015,
CXOWARE was rebranded as RiskLens, and the FAIR Institute was established."

ISO Standards for lnfoSec Risk Management

The International Organization for Standardization (ISO) has a number of standards
related to information security, and two that specifically focus on risk management.

ISO 27005:2011 Information Technology-Security Techniques-

Information Security Risk Management
The ISO 27000 series includes a standard for the performance of risk management: ISO
27005 (www.27000.org/ iso-27005.htm), which includes a five -stage risk management
methodology, as shown in Figure 7-10 :
1. Risk assessment- Within the definition of risk assessment are stages similar to
those discussed in Chapter 6; risk assessment encompasses risk analysis and
risk evaluation. Risk analysis is further broken down into risk identification and
risk estimation (based on likelihood and impact). The tasks performed in each
step are essentially identical to those described in Chapter 6, with risk estimation
from ISO 27005 encompassing the same tasks as risk analysis in this text.
2. Risk treatment- As discussed earlier in this chapter, the standard strategies to deal
with unacceptable levels of residual risk, such as risk reduction (defense), risk
retention (acceptance), risk avoidance (termination), and risk transfer (transference).
3. Risk acceptance - A review of the proposed risk treatment strategies and
recommendations between the RM process team and the organization's
governance group. For items for which the residual risk is at or below the
organization's risk appetite, the groups confirm that they will live with
(accept) the current level of risk.
4. Risk communication- Discussion between the RM process team and the gover-
nance group as to the effectiveness of the RM process, the implementation of
other selected treatment strategies, and communication of the implementation
plans to other stakeholders.
5. Risk monitoring and review - The ongoing evaluation of the internal and external
environments and other factors that may influence the RM process.
CHAPTER 7 Risk Ma nageme nt: Treating Risk

--
- - - -: Context establishment
• I
-~

I--------------,
Risk assessment I
I I Risk analysis I I
.§ : : I Risk identification I : :
'.i -- ,1 l II
·~ I I I Risk estimation I I I
~ : L _ -i _I :
8 I I Risk evaluation I I
~ I -I· J
a: Risk decision point 1 A No
Assessment satisfactory <./>-Y-e-s _ _ _ __,

I I
Risk treatment
'
Risk decision point 2
- ;- Treatment satisfactory
,
(\ No
t;-v-e-s - - - - -
I
--'
' - - - - -, Risk acceptance I

End of first or subsequent iterations

Figure 7-10 ISO 27005 info rmation security

risk management process
Source: /SOI/EC 27005."

ISO 31000
The ISO has another standard that addresses risk management: ISO 31000, which was
used in the formalization of the risk management methodology presented elsewhere in
this text. ISO 31000 was developed using the Australian/New Zealand standard AS/ NZS
4360:2004 as a foundation. This approach to risk management is illustrated in Figure 7 - 11.
While more generic than the standard for information security risk management,
ISO 31000 nonetheless provides a structured methodology for evaluating threats
to economic performance in an organization (see www.iso.org/iso/home/ standards/
iso31000.htm). What is the difference between ISO 27005 and ISO 31000? ISO 27005 was
originally published in 2008 with an update in 2011, and was designed from the start to
focus on information security risk management. ISO 31000 was originally published in
2009 and was targeted toward any type of risk management, including enterprise risk
management, financial risk management, and environmental risk management.'•
There is a good deal of overlap between the two standards, as the heart of any good
risk management program involves the same basic steps, much like the heart of any
good systems development life cycle involves th e same basic steps. They may have
different names (unlike the case with ISO risk management) and the steps may be a bit
different, but in general, good process is good process.
Other related standards include ISO Guide 73: 2009 Risk management-Vocabulary
and ISO/ IEC 31010: Risk Management- Risk Assessment Techniques. 16
I
CHAPTER 7 Risk Management: Tr eati ng Risk 399

principles
(Clause 3)
Mandate and
commitment (4.2) •
Establishing the context (5.3) -
I

! -
N
.,.;
r - - - - - - ------,
Risk

-
Design of
framework
-
~

c
·~..
0
I Assessment
I (5.4)
I
I -"'
--
.,.;
fo r managing I ~

(
Continual
risks (4. 3)
\ ::,
~

c
0
v
:
I
I
Risk Identification (5.4.2)
I
I
I
;:
.!!/
>

"'"'c
improvement
of the fr amework
Implement ing risk
management
(4.4)
-
-0
c
c
.. I

I
Risk Analysis (5.4.3)
I

I
..
-0

0)
c
·~.. I I
-
(4.6) 0
·;:
I I 0

~
·-c
\_ Monitoring and
review of the ,.....
.!./
c
::,
E
E
•
I
Risk Evaluation (5.4.4)

I- - - - - -- - - - - - -I
I

I ~
0

0
framework (4.5) u

Risk Treatment (5.5)

...
Framework (Clause 4) Process (Clause 5)

Figure 7-11 ISO 31000 risk management framework and process

Source: ISO 31000: 2009."

NIST Risk Management Framework (RMF)

The National Institute of Standards and Technology {NIST) has modified its
fundamental approach to systems management and certification/accreditation to one
that follows the industry standard of effective risk management. Two key documents
describe the RMF: Special Publications (SP) 800- 37, Rev. 1, and SP 800- 39. You can find
both at http://csrc.nist.gov/publications/PubsSPs.html.

NIST SP 800-39: "Managing Information Security Risk: Organization,

Mission, and Information System View" 17
As discussed in SP 800- 39:

This NIST document describes a process that organizations can use to frame risk
decisions, assess risk, respond to risk when identified, and then monitor risk
for ongoing effectiveness and continuous improvement to the risk management
process. The intent is to offer a complete and organization-wide approach that
integrates risk management into all operations and decisions.
Framing risk establishes the organization's context for risk-based decision making
with the intent of establishing documented processes for a risk management
strategy that enables assessing, responding to, and monitoring risk. The risk frame
identifies boundaries for risk responsibilities and delineates key assumptions about
the threats and vulnerabilities found in the organization's operating environment.
CHAPTER 7 Risk Ma nageme nt : Treating Risk

Assessing risk within the context of the organizational risk frame requires the
identification of threats, vulnerabilities, consequences of exploitation leading to
losses, and the likelihood of such losses. Risk assessment relies on a variety of
tools, techniques, and underlying factors. These factors include organizational
assumptions about risk, a variety of constraints within the organization and its
environment, the roles and responsibilities of the organization's members, how and
where risk information is collected and processed, the particular approach to risk
assessment in the organization, and the frequency of periodic reassessments of risk.
Organizations will respond to risk once it is determined by risk assessments.
Risk response should provide a consistent and organization-wide process based
on developing alternative responses, evaluating those alternatives, selecting
appropriate courses of action consistent with organizational risk appetites, and
implementing the selected course(s) of action.
Risk monitoring over time requires the organization to verify that planned risk
response measures are implemented and that the ongoing effectiveness of risk
response measures has been achieved. In addition, organizations should describe how
changes that may impact the ongoing effectiveness of risk responses are monitored.
SP 800-39 provides the "Framework level" of the NIST risk management
framework, as illustrated in Figure 7 - 12.

ASSESS

Information and Information and

communications flom communications flom

FRAME

MONITOR RESPOND

Figure 7-12 NIST risk management fram ewo rk overview

I
CHAPTER 7 Risk Management: Tr eati ng Risk 401

NIST SP 800-37, Rev. 1: Guide for Applying the Risk Management

Framework to Federal Information Systems: A Security Life Cycle
Approach18
NIST SP 800-37, Rev. 1 uses the framework level described in SP 800-39 and
proposes processes for implementation called the Risk Management Framework
(RMF). Those processes emphasize the building of InfoSec capabilities into
information systems using managerial, operational, and technical security
controls. The RMF promotes the concept of timely risk management and robust
continuous monitoring and encourages the use of automation to make cost-
effective, risk-based decisions.
NIST's RMF follows a three -tiered approach. Most organizations work from the top
down, focusing first on aspects that affect the entire organization, such as governance
(tier 1). Then, after the more strategic issues are addressed, they move toward more
tactical issues around business processes (tier 2). The most detailed aspects are
addressed in tier 3, dealing with information systems (and information security). This
relationship is shown in Figure 7-13.

- Multitier organization-w ide risk management

- Implemented by the risk executive (function) Strategic risk
- Tightly coupled to enterprise architecture
and information security architecture TIER 1
- Systems development life cycle focus Organi zation
- Disciplined and structured process (Governance)
- Flexible and agile implement ation fa-------------..
TI ER 2
Mission/b usiness process
(Inf ormation and infor matio n f low s) Tactical r isk

TIER 3
Information system
(Environment of operation)

Figure 7-13 Ti ered risk management approach

Source: NIST, "SP 800·37 Revision 1: Gwde for Applying the Risk Monogement Framework to Federal Information
Systems-A Secur,ty Life Cycle Approach.•

The RMF processes, shown in Figure 7-14, apply this multi-tiered approach to a
six-step process, with the framework from 800-39 at the core.
CHAPTER 7 Risk Ma nageme nt: Treating Risk

Architecture Description Risk Management Organizational Inputs

Mission/Business Processes Strategy Laws, . . P . G .d
0 irect.1ves, o1icy u1 ance

0 0
FEA Reference Models Strategic Goals and Objectives
Segment and Solution Architectures Starting Information Security Requirements
Information System Boundaries Point Priorities and Resource Availability

Step 1
Repeat as CATEGORIZE
necessary lnforma1ion Systems

FIPS 199/SP 800·60

Step 6 Step 2
MONITOR SELECT
Security Controls Security Controls

SP 800·53A FIPS 200/SP 800·53

RISK
MANAGEMENT
FRAMEWORK
Step 5 Security Life Cycle Step 3
AUTHORIZE (NIST SP 800-39) IMPLEMENT
Information Systems Security Controls

SP 800-37 SP 800 Series

Step 4
ASSESS
Security Controls

SP 800·53A

Figure 7-14 NIST RMF process

Source: NIST, "SP 800·39: Manogmg Information Security Risk: Organization, M1ss1on, and Information System View."

According to NIST SP 800-37, Rev. 1:

The RMF operates primarily at Tier 3 in the risk management hierarchy but can
also have interactions at Tiers 1 and z (e.g., providing feedback from ongoing
authorization decisions to the risk executive {function], dissemination of updated
threat and risk information to authorizing officials and information system owners).
The RMF steps include:
• Categorize the information system and the information processed, stored, and
transmitted by that system based on an impact analysis.
I
CHAPTER 7 Risk Management: Tr eati ng Risk 403

• Select an initial set of baseline security controls for the information system based on
the security categorization; tailoring and supplementing the security control baseline
as needed based on an organizational assessment of risk and local conditions.
• Implement the security controls and describe how the controls are employed within
the information system and its environment of operation.
• Assess the security controls using appropriate assessment procedures to determine
the extent to which the controls are implemented correctly, operating as
intended, and producing the desired outcome with respect to meeting the security
requirements for the system.
• Authorize information system operation based on a determination of the risk to
organizational operations and assets, individuals, other organizations, and the
Nation resulting from the operation of the information system and the decision
that this risk is acceptable.
• Monitor the security controls in the information system on an ongoing basis,
including assessing control effectiveness, documenting changes to the system
or its environment of operation, conducting security impact analyses of the
associated changes, and reporting the security state of the system to designated
organizational officials.'9

Other Methods
The few methods described in this section are by no means all of the available methods.
In fact, many other organizations compare methods and provide recommendations for
risk management tools that the public can use. A few are listed here:
• Mitre- Mitre is a nonprofit organization designed to support research and
development groups that have received federal funding. In their systems
engineering guide, Mitre presents a risk management plan that uses a four-
step approach of (1) risk identification, (2) risk impact assessment, (3) risk
prioritization analysis, and (4) risk mitigation planning, implementation, and
progress monitoring. For more details, see www.mitre.org/ publications/ systems-
engineering- guide/a bout -the-seg.
• European Network and Information Security Agency (ENISA)-This agency of the
European Union ranks 12 tools using 22 different attributes. It also provides a
utility on its Web site that enables users to compare risk management methods
or tools (www.enisa.europa.eu/activities/ risk -management/ current-risk/
risk-management-inventory). The primary risk management process
promoted by ENISA is shown in Figure 7 - 15.
• New Zealand's IsecT Ltd. - An independent governance, risk management,
and compliance consultancy, IsecT maintains the ISO 27001 Security Web site
at http://iso27001security.com. This Web site describes a large number of risk
management methods (www.iso27001security.com/htrnl/risk_ mgmt.html).
CHAPTER 7 Risk Ma nageme nt: Treating Risk

I
RM lifecycle I Interface to other operational and product processes
• • > •
Corporate risk •
management strategy
' ' •
Risk assessment
..- - - Risk treatment

--- I
Definition of scope and
I -
framework for the
management of risks I Identification of risks
I Identification of o ptions

I Definition of external enviro nment I Analysis of relevan t risks

I I Develo pment o f action plan

I D efinit ion of intemal environment I I Evaluation of risks

I I A pproval o f action plan

Gen eration of risk I Imp lementation of action plan

management context
~
Identification of residual risks
I Formulation o f risk criteria
I
• • ' •
- Risks communication
.
. Risks awareness consulting Risk :Ot,/o.
. ,
acceptance ·, y "
~
(all aspects included in th e interface
with oth er operational or product processes)

Recurrence
Dlongterm

D M idd le term
~ Monitor and review (plans, events, quality)
D Short term

Figure 7-15 EN ISA risk management process'°

Selecting the Best Risk Management Model

Most organizations already have a set of risk management practices in place. The
model followed is often an adaptation of a model mentioned earlier in this chapter. For
organizations that have no risk management process in place, starting such a process
may be somewhat intim idating. A recommended approach is that the people assigned
to implement a risk management program should begin by studying the models
presented earlier in this chapter and identifying what each offers to the envisioned
process. Once the organization understands what each risk management model offers,
it can adapt one that is a good fit for the specific needs at hand.
Oth er organizations may hire a consulting firm to provide or even develop a
proprietary model. Many of th ese firms have made an effort to adapt approaches
I
CHAPTER 7 Risk Management: Tr eati ng Risk 405

based on popular risk management models and have gained expertise in

customizing them to suit specific organizations. This approach is most certainly
not the least expensive option, but it guarantees that the organization can obtain a
functional risk management model as well as good advice and training for how to
put it into use.
When faced with the daunting task of building a risk management program from
scratch, it may be best to talk with other security professionals, perhaps through
professional security organization meetings like ISSA, to find out how others in the
field have approached this problem. Not only will you learn what models they prefer,
you may also find out why they selected a particular model. While your peers may not
disclose proprietary details about their models and how they use them, they may at
least be able to point you in a direction. No two organizations are identical, so what
works well for one organization may not work well for others.

Additional Reading
• To help define IT risk in terms of business • For an enterprise approach to treating
risk associated with the use, ownership, cyber risks, see The Cyber Risk Handbook:
operation, involvement, influence, and Creating and Measuring Effective
adoption of IT within an enterprise, see Cybersecurity Capabilities by Domenic
COBIT sfor Risk, a book published by Antonucci, published by John Wiley &
ISACA. Sons.

Chapter Summary
• Once vulnerabilities are identified and ranked, a strategy to treat uncontrolled risks must
be chosen. Five treatment strategies are defense, transference, mitigation, acceptance, and
termination.
• Economic feasibility studies determine and compare costs and benefits from potential
treatments (often called a cost-benefit analysis). Other forms of feasibility analysis include
analyses based on organizational, operational, technical, and political factors.
• An organization must be able to place a dollar value on each collection of information and the
information assets it owns. There are several methods an organization can use to calculate
these values.
• Single loss expectancy (SLE) is calculated from the value of the asset and the expected
percentage of loss that would occur from a single successful attack. Annualized loss
expectancy (ALE) represents the potential loss per year.
CHAPTER 7 Risk Ma nageme nt: Treating Risk

• Cost-benefit analysis (CBA) determines whether a control alternative is worth its associated
cost. CBA calculations are based on costs before and after controls are implemented and
the cost of the controls. Other feasibility analysis approaches can also be used.
• Organizations may choose alternatives to feasibility studies to justify applying InfoSec
controls, including: benchmarking with either metrics-based measures or process-based
measures; due care and/or due diligence; best security practices up to and including the
near-mythic gold standard; and/or baselining.
• Risk appetite defines the quantity and nature of risk that organizations are willing to accept as
they evaluate the trade-offs between perfect security and unlimited accessibility. Residual risk
is the amount of risk unaccounted for after the application of controls.
• It is possible to repeat risk analysis using estimates based on a qualitative assessment. The
Delphi technique can be used to obtain group consensus on risk assessment values.
• Once a control strategy has been implemented, the effectiveness of controls should be
monitored and measured.

Review Questions
1. What is competitive advantage? How 12 . What conditions must be met to ensure
has it changed in the years since the IT that risk acceptance has been used
industry began? properly?
2. What is competitive disadvantage? Why 13. What is risk appetite? Explain why risk
has it emerged as a factor? appetite varies from organization to
3. What are the five risk treatment organization.
strategies presented in this 14. What is a cost-benefit analysis?
chapter? 15. What is the difference between intrinsic
4. Describe the strategy of defense. value and acquired value?
s. Describe the strategy of 16 . What is single loss expectancy? What is
transference. annualized loss expectancy?
6. Describe the strategy of mitigation. 17. What is the difference between
7. Describe the strategy of acceptance. benchmarking and baselining?
8. Describe the strategy of termination. 18 . What is the difference between
9. Describe residual risk. organizational feasibility and
10 . What are the three common approaches operational feasibility?
to implement the defense risk treatment 19. What is a qualitative risk assessment?
strategy? 20. How does Microsoft define risk
11. Describe how outsourcing can be used management ? What phases are
for risk transference. used in its approach?
'
CHAPTER 7 Risk Management: Treati ng Risk 407
'

Exercises
1. Using the following table, calculate the SLE, ARO, and ALE for each threat category listed.

XYZ Software Company (Asset value: $1,200,000 in projected revenues)

Threat Category Cost per Incident Frequency of Occurrence
Programmer mistakes $5,000 1 per week
Loss of intellectual property $75,000 1 per year
Software piracy $500 1 per week
Theft of info rmation (hacker) $2,500 1 per quarter
Theft of info rmation (employee) $5,000 1 per 6 months
Web defacement $500 1 per month
Theft of equipment $5,000 1 per year
Viruses, worms, Trojan horses $1,500 1 per week
Denial-of-service attack $2,500 1 per quarter
Earthquake $250,000 1 per 20 years
Flood $250,000 1 per 10 years
Fire $500,000 1 per 10 years

2. How did the XYZ Software Company is easier for determining the SLE: a
arrive at the values shown in the table percentage of value lost or cost per
that is included in Exercise 1? For each incident?
row in the table, describe the process of 4. Assume a year has passed and XYZ
determining the cost per incident and has improved its security. Using
the frequency of occurrence. the following table, calculate the
3. How could we determine EF if there is SLE, ARO, and ALE for each threat
no percentage given? Which method category listed.

XYZ Software Company (Asset value: $1,200,000 in projected revenues)

Cost per Frequency of Cost of
Threat Category Incident Occu rrence Controls Type of Control
Programmer mistakes $5,000 1 per month $20,000 Training
Loss of intell ectual $75,000 1 per 2 years $15,000 Firewall/1DS
property
Software piracy $500 1 per month $30,000 Firewall/IDS
Theft of information $2,500 1 per 6 months $15,000 Firewall/IDS
(hacker)
(continues)
CHAPTER 7 Risk Ma nageme nt : Treating Risk

XYZ Software Company (Asset value: $1,200,000 in projected revenues) (continued)

Cost per Frequency of Cost of
Threat Category Incident Occurrence Controls Type of Control
Theft of information $5,000 1 per yea r $15,000 Physical secu rity
(employee)
Web defacement $500 1 per quarter $10,000 Firewall
Theft of equipment $5,000 1 per 2 yea rs $15,000 Physical security
Viruses, worms, $1 ,500 1 per month $15,000 Antivirus
Trojan horses
Den ia I-of-service $2,500 1 per 6 months $10,000 Firewall
attack
Ea rthquake $250,000 1 per 20 years $5,000 Insura nce/backu ps
Flood $50,000 1 per 10 years $10,000 Insura nce/backu ps
Fire $100,000 1 per 1O years $10,000 Insura nee/backups

S. Why have some values changed in the when implemented by a firm with 1,000
following columns: Cost per Incident and employees and 100 servers:
Frequency of Occurrence? How could a • Managed antivirus software (not
control affect one but not the other? open source) licenses for 500
6. Assume that th e costs of controls workstations
presented in the table for Exercise 4 • Cisco firewall (other than
were unique costs directly associated residential models from
w ith protecting against that threat. LinkSys)
In other words, do not worry about • Tripwire host-based IDS for
overlapping costs between threats. 10 servers
Calculate the CBA for each control. Are • Java programming continuing
they worth the costs listed? education training program for
7. Using the Web, research the costs 10 employees
associated with the following items • Checkpoint Firewall solutions

· Closing Case
Mike and Iris were reviewing the asset valuation worksheets that had been co llected from all
the company managers.
"Iris," Mike said after a few minutes, ''the problem, as I see it, is that no two managers
gave us answers that can be co mpared to each other's. Some gave only one value, and so me
didn't actua lly use a rank order for the last part In fact, we don't know what criteria were
used to assess the ranks or even where they got the cost or replacement values."
'
CHAPTER 7 Risk Management: Treating Risk 409

"I agree," Iris said, nodding. "These values and ranks are really inconsistent. This makes
it a rea l challenge to make a useful comprehensive list of information assets. We're going to
have to visit all the managers and figure out where they got their values and how the assets
were ranked."

Discussion Questions
1 . If you could have spoken to Mike Edwards before he distributed the asset valuation
worksheets, what advice would you have given him to make the consolidation process
easier?
2. How would you advise Mike and Iris to proceed with the worksheets they already have
in hand?

Ethical Decision Making

Suppose Mike and Iris make a decision to simply take the higher of each of the va lues w ithout
regard to how the values were determined by the person who made the initial assessment.
Then, they determine their own rankings among all of the compiled assets. When the list
is later included in the plann ing process, they represent it as being authoritative because it
came from "all of the managers."
Is this method, even if it is faster and easier, an ethica l way to do business? Why or
why not?

Endnotes
1. Bednarz, Ann. "Nick Carr's 'IT Doesn't Matter' Still Matters:· Network World, May 14, 2013.
Accessed 8/2/2017 from www.networkworld.com/article/2166249/cloud-computing/nick-carr-s
it-doesn -t-matter still-matters.html.
2. Peters, Th omas, and Robert Waterman. In Search of Excellence: Lessons from America's Best-
Run Companies. New York: Harper and Row, 2004.
3. FDIC. Tools to Manage Technology Providers' Performance Risk: Service Level Agreements.
2014. Accessed 8/2/2017 from https://wwwfdic.gov/news/news/financial/2014/tools-to -
ma nage-technology-providers.pd/
4 . Ibid.
5. Anderson, James. "Panel Comments at 2002 Garage Technol ogy Venture's State of the Art
Conference." 2002.
6. "Special Publication 800- 30, Revision 1: Gui de for Conducting Ri sk Assessments." National
Institute of Standards and Technology (NIST). September 2012. Accessed 8/2/2017 from
http://csrc.nist.gov/publications/PubsSPs.html.
7. "Ready Business Mentoring Guide: Working with Small Busi nesses to Prepare for
Emergencies." FEMA. Accessed 8/2/2017 from https://wwwfema.gov/media-library-
data/1392217307183 -56ed30008abd809cac1a3027488a4c24/2014_ business_ user_ guide.pd/
CHAPTER 7 Risk Management: Treat ing Risk

8. Avolio, Frederick. "Best Practices in Network Security." Network Computing, 11(5), March 20,
2000, pp. 60 72.
9. CERT. Carnegie Mellon University Software Engineering Institute. "OCTAVE Allegro
Guidebook." Accessed 8/2/2017 from www.cert.org/resilience/products-services/octavej.
10. "Microsoft Security Risk Management Guide." Microsoft.com, March 15, 2006. Accessed
8/2/2017 from http://technet.microsoft.com/en-us/library/cc163143.aspx.
11. RiskLens. "CXOWARE Becomes RiskLens:· Accessed 8/2/2017 from www.risklens.com/
press-release-cxoware-becomes-risk/ens.
12. Ibid.
13. BS ISO/IEC 27005:2008. "Information technology - Security techniques - Information
security risk management." Page 5.
14. Gerreira, G. "Comparing ISO 31000 and ISO 27005:• The Risk Management Academy. 2013.
Accessed 8/1/2017 from http://theriskacademy.org/iso-31000-iso-27005/.
15. AS/NZS ISO 31000: 2009. "Joint Australian New Zealand International Standard Risk
management- Principles and guidelines." Page vi.
16. Ibid
17. "SP 800 -39: Managing Information Security Risk: Organization, Mission, and Information
System View." National Institute of Standards and Technology. March 2011. Accessed 8/1/2017
from http://csrc.nist.gov/publications/PubsSPs.html.
18. "SP 800 -37 Revision 1: Guide for Applying the Risk Management Framework to Federal
Information Systems- A Security Life Cycle Approach." National Institute of Standards
and Technology. February 2010. Accessed 8/1/2017 from http://csrc.nist.gov/publications/
nistpubs/800-37-rev1/sp800 -37-rev1-final .pdf.
19. Ibid.
20. ENISA. "The Risk Management Process." Accessed 8/2/2017 from www.enisa.europa.eu/
activities/risk-management/current-risk/risk -management-inventory/rm-process.
Risk mitigation and control
Information risk and cyber risk
Ulvi Yusifov
Introduction to risk treatment
Risk-handling action points
Risk treatment cycle
Risk Treatment Strategies
• Defense- Applying controls and safeguards that eliminate or reduce the
remaining uncontrolled risk
• Transference- Shifting risks to other areas or to outside entities
• Mitigation- Reducing the impact to information assets should an attacker
successfully exploit a vulnerability
• Acceptance- Understanding the consequences of choosing to leave an
information asset's vulnerability facing the current level of risk, but only
after a formal evaluation and intentional acknowledgment of this decision
• Termination-Removing or discontinuing the information asset from the
organization's operating environment
Defense
• Defense risk treatment strategy – The risk treatment strategy that
attempts to eliminate or reduce any remaining uncontrolled risk
through the application of additional controls and safeguards in an
effort to change the likelihood of a successful attack on an
information asset. Also known as the avoidance strategy.
Transference
• Transference risk treatment strategy – The risk treatment strategy
that attempts to shift risk to other assets, other processes, or other
organizations.
Mitigation
• Mitigation risk treatment strategy – The risk treatment strategy that
attempts to reduce the impact of the loss caused by an incident,
disaster, or attack th rough effective contingency planning and
preparation.
Acceptance
• Acceptance risk treatment strategy – The risk treatment strategy that
indicates the organization is willing to accept the current level of
residual risk. As a result, the organization makes a conscious decision
to do nothing else to protect an information asset from risk and to
accept the outcome from any resulting exploitation.
Termination
• Termination risk treatment strategy – The risk treatment strategy
that eliminates all risk associated with an information asset by
removing it from service.
Factor Analysis of Information Risk (FAIR)
Cost-benefit analysis
• Cost-benefit analysis – Also known as an economic feasibility study,
the formal assessment and presentation of the economic
expenditures needed for a particular security control, contrasted with
its projected value to the organization.
Key Risk Indicators
• Risk indicators are used to measure risk levels in comparison to
defined risk thresholds, so that the organization receives an alert
when a risk level approaches an unacceptable level.
• Mistakes in selection
• Are not linked to specific risk
• Are incomplete or inaccurate due to unclear specifications
• Are difficult to measure, aggregate, compare and interpret
• Provide results that cannot be compared over time
• Are not linked to goals
KRI Selection
• Good metrics are SMART:
• Specific—Based on a clearly understood goal; clear and concise
• Measureable—Able to be measured; quantifiable (objective), not subjective
• Attainable—Realistic; based on important goals and values
• Relevant—Directly related to a specific activity or goal
• Timely—Grounded in a specific time frame
• Factors that can influence the selection of KRIs include:
• Balance—Risk indicators should be balanced and cover:
• Lag indicators (indicating risk after events have occurred)
• Lead indicators (indicating which controls are in place to prevent events from occurring)
• Trends (analyzing indicators over time or correlating indicators to gain insights)
• Root cause—Selected indicators should drill down to the root cause of events, not
just the symptoms.
KRI Effectiveness
• KRI effectiveness takes into consideration the following criteria:
• Impact—Indicators of risk with high business impact are more likely to be
KRIs.
• Effort—For different indicators that are equivalent in sensitivity, the one that
is easier to measure and maintain is preferred.
• Reliability—The indicator must possess a high correlation with the risk and be
a good predictor or outcome measure.
• Sensitivity—The indicator must be representative of risk and capable of
accurately indicating risk variances.
• Repeatable—A KRI must be repeatable and able to be measured on a regular
basis to show trends and patterns in activity and results.
KRI Optimization
Monitoring Controls
• Monitoring controls is a process that has six steps:
• Identify and confirm risk control owners and stakeholders.
• Engage with stakeholders and communicate the risk and information security
requirements and objectives for monitoring and reporting.
• Align and continually maintain the information security monitoring and
evaluation approach with the IT and enterprise approaches.
• Establish the information security monitoring process and procedure.
• Agree on a life cycle management and change control process for information
security monitoring and reporting.
• Request, prioritize and allocate resources for monitoring information security.
Monitoring Controls
• Monitoring controls is a process that has six steps:
• Identify and confirm risk control owners and stakeholders.
• Engage with stakeholders and communicate the risk and information security
requirements and objectives for monitoring and reporting.
• Align and continually maintain the information security monitoring and
evaluation approach with the IT and enterprise approaches.
• Establish the information security monitoring process and procedure.
• Agree on a life cycle management and change control process for information
security monitoring and reporting.
• Request, prioritize and allocate resources for monitoring information security.
Questions?
Penetration Testing
Information risk and cyber risk
Ulvi Yusifov
Introduction to penetration testing
• Penetration testing is a comprehensive method to test the complete,
integrated, operational, and trusted computing base that consists of
hardware, software and people. The process involves an active analysis of
the system for any potential vulnerabilities, including poor or improper
system configuration, hardware and software flaws, and operational
weaknesses in the process or technical countermeasures.
• Penetration testing is different from security functional testing. The latter
demonstrates the correct behavior of the system’s security controls while
penetration testing determines the difficulty for someone to penetrate an
organization’s security controls against unauthorized access to its
information and information systems. It is done by simulating an
unauthorized user attacking the system using either automated tools or
manual method or a combination of both.
Penetration testing strategies
• In black box penetration testing, the testers have no knowledge about the test target. They have to figure
out the loopholes of the system on their own from scratch. This is similar to the blind test strategy in [2],
which simulates the actions and procedures of a real attacker who has no information concerning the test
target.
• On the contrary, in white box penetration testing, the testers are provided with all the necessary information
about the test target. This strategy is referred to in [2] as targeted testing where the testing team and the
organization work together to do the test, with all the information provide to the tester prior to test.
• Partial disclosure of information about the test target leads to gray box penetration testing. Testers need to
gather further information before conducting the test.
• Based on the specific objectives to be achieved, there are two penetration testing strategies which include
external and internal testing.
• External testing refers to any attacks on the test target using procedures performed from outside the
organization that owns the test target [2]. The objective of external testing is to find out if an outside
attacker can get in and how far he can get in once he has gained access.
• Internal testing is performed from within the organization that owns the test target. The strategy is useful for
estimating how much damage a disgruntled employee could cause. Internal testing is centred on
understanding what could happen if the
Types of penetration testing
• There are three areas to test in penetration testing: the physical structure of the system, the
logical structure of the system, and the response or workflow of the system [6]. These three areas
define the scope and the types of penetration testing which are network, application, and social
engineering.
• Network penetration testing is an ethical and safe way to identify security gaps or flaws in the
design, implementation or operation of the organization’s network. The testers perform analysis
and exploits to assess whether modems, remote access devices and maintenance connections
can be used to penetrate the test target.
• Application penetration testing is an attack simulation intended to expose the effectiveness of an
application's security controls by highlighting risks posed by actual exploitable vulnerabilities [7].
Although organizations use firewall and monitoring systems to protect information, security can
still be compromised since traffic can be allowed to pass through the firewall.
• Social engineering preys on human interaction to obtain or compromise information about an
organization and its computer systems [8]. It is used to determine the level of security awareness
among the employees in the organization that owns the target system. This is useful to test the
ability of the organization to prevent unauthorized access to its information and information
systems [2]. Thus, this is a test focused on the workflow of the organization.
Penetration testing Phases
Different types of attackers
Different types of attackers
• Black Hat Hacker ‐ Black hat hackers are the evil guys who want to use their technical skills to defraud and blackmail
others. They usually have the expertise and knowledge to break into computer networks without the owners’ permission,
exploit security vulnerabilities, and bypass security protocols. To make money, they are ready to do all illegal activities such
as:
• Sending phishing emails and SMS messages.
• Writing, distributing, and selling malware like viruses, worms, trojan horses, etc.
• Deploying cyber attacks like distributed denial of service (DDoS) to slow down or crash the websites.
• Finding and exploiting leaky databases and software vulnerabilities.
• Selling financial and personally identifiable information on the Dark Web.
• Executing financial fraud and identity theft‐related crimes.
• White Hat Hacker ‐ White hat hackers (also known as ethical hackers) are the polar opposite of their black hat
counterparts. They use their technical skills to protect the world from bad hackers. Companies and government agencies
hire white hats as information security analysts, cybersecurity researchers, security specialists, penetration testers, etc.
White hat hackers hack to:
• Find and fix vulnerabilities in the system before black hat hackers exploit them.
• Develop tools that can detect cyberattacks and mitigate or block them.
• Strengthen the overall security posture of the software and hardware components.
• Build security software like antivirus, anti‐malware, anti‐spyware, honeypots, firewalls, etc.
Different types of attackers
• Grey Hat Hacker ‐ These hackers fall somewhere between white hat and black hat hackers. Grey
hat hackers’ intentions are often good, but they don’t always take the ethical route with their
hacking technics. For example, they may penetrate your website, application, or IT systems to
look for vulnerabilities without your consent. But they typically don’t try to cause any harm. Grey
hat hackers sometimes charge a fee to:
• Fix bugs or vulnerabilities,
• Strengthen the organization’s security defenses, or
• Provide recommendations, solutions, or tools to patch vulnerabilities.
• Red Hat Hacker ‐ Much like white hat hackers, red hat hackers also want to save the world from
evil hackers. But they choose extreme and sometimes illegal routes to achieve their goals. Red hat
hackers use all types of tactics to do this, including:
• Infecting the bad hackers’ systems with malware,
• Launching DDoS attacks,
• Using tools to gain remote access to the hacker’s computer to demolish it.
Different types of attackers
• Blue Hat Hacker Definition 1: Revenge Seekers ‐ These hackers don’t necessarily care
about money or fame. They hack to take personal revenge for a real — or perceived —
sleight from a person, employer, institution, or government. Blue hat hackers use
malware and deploy various cyber attacks on their enemies’ servers/networks to cause
harm to their data, websites, or devices.
• Blue Hat Hacker Definition 2: Outside Security Professionals ‐ Blue hat hackers are
security professionals that work outside of the organization. Companies often invite
them to test the new software and find security vulnerabilities before releasing it.
Sometimes, companies organize periodic conferences for blue hat hackers to find the
bugs in their crucial online systems.
• Green Hat Hacker ‐ These are the “newbies” in the world of hacking. Green hat hackers
are not aware of the security mechanism and the inner workings of the web, but they
are keen learners and determined (and even desperate) to elevate their position in the
hacker community. Although their intention is not necessarily to cause harm
intentionally, they may do so while “playing” with various malware and attack
techniques. As a result, green hat hackers can also be harmful because they often are not
aware of the consequences of their actions — or, worst, how to fix them.
Firewall
• A firewall is a network security device that monitors incoming and
outgoing network traffic and permits or blocks data packets based on
a set of security rules. Its purpose is to establish a barrier between
your internal network and incoming traffic from external sources
(such as the internet) in order to block malicious traffic like viruses
and hackers.
Firewall
VPN
VPN stands for "Virtual Private
Network" and describes the
opportunity to establish a
protected network connection
when using public networks.
VPNs encrypt your internet traffic
and disguise your online identity.
This makes it more difficult for
third parties to track your
activities online and steal data.
The encryption takes place
in real time.
Types of Firewalls
• Firewalls can either be software or hardware, though it’s best to have
both. A software firewall is a program installed on each computer and
regulates traffic through port numbers and applications, while a
physical firewall is a piece of equipment installed between your
network and gateway.
• Packet‐filtering firewalls, the most common type of firewall, examine
packets and prohibit them from passing through if they don’t match
an established security rule set. This type of firewall checks the
packet’s source and destination IP addresses. If packets match those
of an “allowed” rule on the firewall, then it is trusted to enter the
network.
Questions?
Information security
continuity
Information risk and cyber risk
Ulvi Yusifov
Maintenance of the information security
program
• Information Security Governance
• Systems Development Life Cycle
• Awareness and Training
• Capital Planning and Investment Control
• Interconnecting Systems
• Performance Measurement
• Security Planning
• Information Technology Contingency Planning
• Risk Management
• Certification, Accreditation, and Security Assessments
• Security Services and Products Acquisition
• Incident Response
• Configuration and Change Management
Ongoing Monitoring Activities of Information
Security Governance
Ongoing Monitoring Activities of Information Security Governance

Activities Description of Activities

Plans of Action and Milestones POA&Ms assist in identifying, assessing, prioritizing, and monitoring the progress of corrective
(POA&Ms) efforts for security weaknesses found in programs and systems. The POA&M tracks the
measures implemented to correct deficiencies and to reduce or eliminate known vulnerabilities.
POA&Ms can also assist in identifying performance gaps, evaluating an agency's security
performance and efficiency, and conducting oversight.
Measurement and Metrics Metrics are tools designed to improve performance and accountability through the collection,
analysis, and reporting (measurement) of relevant performance data. Information security
metrics monitor the accomplishment of goals and objectives by quantifying the implementation
level of security controls and their efficiency and effectiveness, by analyzing the adequacy of
security activities, and by identifying possible improvements. The terms metric and
measurement seem to have some overlap in their meanings. A metric is usually meant to be a
more abstract, higher-level, or subjective value, while measures tend to be more objective and
concrete.
Continuous Assessment (CA) The CA process monitors the initial security accreditation of an information system to track
changes to it, analyzes the security impact of those changes, makes appropriate adjustments to
the security controls and the system's security plan, and reports the system's security status to
appropriate agency officials.
Ongoing Monitoring Activities of Information
Security Governance
Ongoing Monitoring Activities of Information Security Governance

Activities Description of Activities

Configuration Management (CM) CM is an essential component of monitoring the status of security controls and identifying
potential security problems in information systems. This information can help security managers
understand and monitor the evolving natu re of vulnerabilities that appear in a system under
their responsibil ity, thus enabling managers to direct appropriate changes as required.
Network Monitoring Information about network performance and user behavior on the network helps security
program managers identify areas in need of improvement and point out potential performance
improvements. This information can be correlated with other sources of information, such as
the POA&M and CM, to create a comprehensive picture of the security program.
Incident and Event Statistics Incident statistics are valuable in determining the effectiveness of implemented security policies
and procedures. Incident statistics provide security program managers with further insights into
the status of security programs under their purview, help them observe performance trends in
program activities, and inform them about the need to change policies and procedures.
Information security services life cycle
Maintenance Model
External monitoring domain
• External monitoring
domain - The
component of the
maintenance model
that focuses on
evaluating external
threats to the
organization's
information assets.
Internal monitoring domain
• Internal monitoring
domain - The
component of the
maintenance model
that focuses on
identifying.
assessing. and
managing the
configuration and
status of
information assets
in an organization.
Planning and risk assessment domain
• Planning and risk
assessment domain -
The component of
the maintenance
model that focuses
on identifying and
planning ongoing
information security
activities and
identifying and
managing risks
introduced through
IT information
security projects.
Vulnerability assessment and remediation
domain
• Vulnerability
assessment and
remediation
domain - The
component of the
maintenance model
focused on
identifying specific,
documented
vulnerabilities and
remediating them
in a timely fashion.
The primary goal of the readiness and review
domain
• The primary goal of
the readiness and
review domain is to
keep the
information security
program
functioning as
designed and
improve it
continuously over
time.
Configuration and change management
• Configuration and change management - An approach to
implementing system change that uses policies, procedures,
techniques, and tools to manage and evaluate proposed changes,
track changes through completion, and maintain systems inventory
and supporting documentation.
Configuration management
NIST SP 800-53, Rev. 4, Configuration Management Control Family

Identifier Title Control

CM-1 Configuration Management The organization:

Policy and Procedures a. Develops, documents, and disseminates a CM policy that addresses purpose,
scope, roles, responsibilities, management commitment, coordination among
organizational entities, and compliance; and develops, documents, and
disseminates procedures to facilitate the implementation of the CM policy and
associated CM controls
b. Reviews and updates the current CM policy and CM procedures
CM-2 Baseline Configuration Under configuration control, the organization develops, documents, and mainta
ins a current baseline configuration of the information system.
CM-3 Configuration Change Control The organization:
a. Determines the types of changes to the information system that are
configuration-controlled
b. Reviews proposed configuration-controlled changes to the information system
and approves or disapproves such changes with explicit consideration for security
impact analyses
c. Documents configuration change decisions associated with the information
system
d. Implements approved configuration-controlled changes to the information
system
e. Retains records of configuration-controlled changes to the information system
for a specified time period
f. Audits and reviews activities associated with configuration-controlled changes to
the information system
g. Coordinates and provides oversight for configuration change control activities
through the organization's configuration change control committee or board
Configuration management
NIST SP 800-53, Rev. 4, Configuration Management Control Family

Identifier Title Control

CM-4 Security Impact Analysis The organization analyzes changes to the information system to determine potential
security impacts prior to change implementation.
CM-5 Access Restrictions for Change The organization defines, documents, approves, and enforces physical and logical
access restrictions associated with changes to the information system.
CM-6 Configuration Settings The organization establishes and documents configuration settings for information
technology products employed within the information system, using security
configuration checklists that reflect the most restrictive mode consistent with
operating requirements; implements the configuration settings; identifies,
documents, and approves any deviat ions from established configuration settings
for the organization's information system components based on operating
requirements; and monitors and controls changes to the configuration settings in
accordance with the organization's policies and procedures.
CM-7 Least Functionality The organization configures the information system to provide only essential
capabilities, and prohibits or restricts the use of certain functions, ports, protocols,
and services.
Questions?
Business continuity and
Disaster recovery
Information risk and cyber risk
Ulvi Yusifov
Contingency Planning
• The overall process of preparing for unexpected adverse events is
called contingency planning (CP). During CP, the IT and InfoSec
communities of interest position their respective organizational units
to prepare for, detect, react to, and recover from events that threaten
the security of information resources and assets, including human,
information, and capital. The main goal of CP is to restore normal
modes of operation with minimal cost and disruption to normal
business activities after an adverse event- in other words, to make
sure things get back to the way they were within a reasonable period
of time. Ideally, CP should ensure the continuous availability of
information systems to the organization even in the face of the
unexpected.
Components of Contingency Planning
• Business impact analysis (BIA)
• Incident response plan (IR plan)
• Disaster recovery plan (DR plan)
• Business continuity plan (BC plan)
Contingency Planning Life Cycle
Business Impact Analysis
• Business impact analysis (BIA) – An investigation and assessment of adverse events that can affect the
organization, conducted as a preliminary phase of the contingency planning process, which includes a
determination of how critical a system or set of information is to the organization's core processes and its
recovery priorities.
• Business process – A task performed by an organization or one of its units in support of the organization's
overall mission.
• Maximum tolerable downtime (MTD) – The total amount of time the system owner or authorizing official is
willing to accept for a business process outage or disruption. The MTD includes all impact considerations.
• Recovery point objective (RPO) – The point in time before a disruption or system outage to which business
process data can be recovered after an outage, given the most recent backup copy of the data.
• Recovery time objective (RTO) – The maximum amount of time that a system resource can remain
unavailable before there is an unacceptable impact on other system resources, supported business
processes, and the MTD.
• Work recovery time (WRT) – The amount of effort (expressed as elapsed time) needed to make business
functions work again after the technology element is recovered. This recovery time is identified by the RTO.
Business Impact Analysis
Incident response
• Incident – An adverse event that could result in a loss of information
assets, but does not threaten the viability of the entire organization.
• Incident response (IR) – An organization's set of planning and
preparation efforts for detecting, reacting to, and recovering from an
incident.
• Incident classification – The process of examining an adverse event or
incident candidate and determining whether it constitutes an actual
incident
• Incident detection – The identification and classification of an
adverse event as an incident, accompanied by the CSIRT’s notification
and the implementation of the IR reaction phase.
Incident response
• Database shadowing - A backup strategy to store duplicate online
transaction data along with duplicate databases at the remote site on a
redundant server. This server combines electronic vaulting with remote
journaling by writing multiple copies of the database simultaneously to two
locations.
• Electronic vaulting - A backup method that uses bulk batch transfer of data
to an off-site facility; this transfer is usually conducted via leased lines or
secure Internet connections.
• Incident response procedures (IR procedures) - Detailed, step-by-step
methods of preparing. detecting. reacting to, and recovering from an
incident.
• Remote journaling - The backup of data to an off-site facility in close to
real time based on transactions as they occur.
Incident response life cycle
Disaster recovery
• Disaster recovery – An organization's set of planning and preparation
efforts for detecting, reacting to, and recovering from a disaster.
• These teams may have multiple responsibilities in the recovery of the
primary site and the reestablishment of operations:
• Recover information assets that are salvageable from the primary facility after
the disaster.
• Purchase or otherwise acquire replacement information assets from
appropriate sources.
• Reestablish functional information assets at the primary site if possible or at a
new primary site, if necessary.
Disaster recovery
• Disaster classification – The process of examining an adverse event or
incident and determining whether it constitutes an actual disaster.
• Rapid-onset disasters – Disasters that occur suddenly, with little
warning, taking people's lives and destroying the means of
production. Examples include earthquakes, floods, storm winds,
tornadoes, and mud flows.
• Slow-onset disasters – Disasters that occur over time and gradually
degrade the capacity of an organization to withstand their effects.
Examples include droughts, famines, environmental degradation,
desertification, deforestation, and pest infestation.
Business continuity
• Business continuity (BC) – An organization's set of efforts to ensure
its long-term viability when a disaster precludes normal operations at
the primary site. The organization temporarily establishes critical
operations at an alternate site until it can resume operations at the
primary site or select and occupy a new primary site.
Business continuity
• In general, there are three types of usage strategies in which the organization has the
right to the exclusive use of a facility and access is not shared with other organizations:
• Hot site - A hot site is a fully configured computing facility that includes all services,
communications links, and physical plant operations. It duplicates computing resources,
peripherals, phone systems, applications, and workstations. Essentially, this duplicate
facility needs only the latest data backups and the personnel to function.
• Worm site - A warm site provides many of the same services and options as the hot site,
but typically software applications are not included or are not installed and configured. A
warm site frequently includes computing equipment and peripherals with servers but
not client workstations.
• Cold site- A cold site provides only rudimentary services and facilities. No computer
hardware or peripherals are provided. All communications services must be installed
after the site is occupied. A cold site is an empty room with standard heating, air
conditioning, and electrical service. Everything else is an added-cost option.
Business continuity
• Likewise, there are three strategies in which an organization can gain shared use of a facility when
needed for contingency options:
• Timeshare- A timeshare operates like one of the three sites described previously, but is leased in
conjunction with a business partner or sister organization. It allows the organization to provide a
DR/BC option while reducing its overall costs.
• Service bureau- A service bureau is a service agency that provides a service for a fee. In the case
of DR/BC planning, this service is the provision of physical facilities in the event of a disaster. Such
agencies also frequently provide off-site data storage for a fee. Contracts with service bureaus can
specify exactly what the organization needs under what circumstances. A service agreement
usually guarantees space when needed; the service bureau must acquire additional space in the
event of a widespread disaster.
• Mutual agreement- A mutual agreement is a contract between two organizations in which each
party agrees to assist the other in the event of a disaster. It stipulates that each organization is
obligated to provide the necessary facilities, resources, and services until the receiving
organization is able to recover from the disaster. This arrangement can be a lot like moving in with
relatives or friends- it does not take long for an organization to wear out its welcome.
Crisis management
• Crisis management (CM) – An organization's set of planning and
preparation efforts for dealing with potential human injury, emotional
trauma, or loss of life as a result of a disaster.
• The CMPT is charged with three primary responsibilities:
• Verifying personnel status- Everyone must be accounted for, including individuals
who are on vacations, leaves of absence, and business trips.
• Activating the alert roster- Alert rosters and general personnel phone lists are used
to notify individuals whose assistance may be needed or simply to tell employees not
to report to work until the disaster is over.
• Coordinating with emergency services- If someone is injured or killed during a
disaster, the CM response team will work closely with fire officials, police, medical
response units, and the Red Cross to provide appropriate services to all affected
parties as quickly as possible.
Crisis management
• The following strategies can be used to test contingency plans:
• Desk check – The CP testing strategy in which copies of the appropriate plans are distributed to
all individuals who will be assigned roles during an actual incident or disaster; each individual
reviews the plan and validates its components.
• Full-interruption testing – The CP testing strategy in which all team members follow each
IR/DR/BC procedure, including those for interruption of service, restoration of data from backups,
and notification of appropriate individuals.
• Simulation – The CP testing strategy in which the organization conducts a role-playing exercise as
if an actual incident or disaster had occurred. The CP team is presented with a scenario in which
all members must specify how they would react and communicate their efforts.
• Structured walk-through – The CP testing strategy in which all involved individuals walkthrough a
site and discuss the steps they would take during an actual CP event. A walk-through can also be
conducted as a conference room talk-through.
• Talk-through – A form of structured walk-through in which individuals meet in a conference room
and discuss a CP plan rather than walking around the organization.
Contingency Planning Implementation
Timeline
Questions?

CIPM Outline
No ratings yet
CIPM Outline
51 pages
Incident Response Plan Template
100% (1)
Incident Response Plan Template
51 pages
Vendor Attestation Policy PDF
No ratings yet
Vendor Attestation Policy PDF
9 pages
2 - Iso 19011-2018
0% (1)
2 - Iso 19011-2018
32 pages
Information Security
100% (5)
Information Security
44 pages
Taxonomy of Information Security Risk Assessment (ISRA)
No ratings yet
Taxonomy of Information Security Risk Assessment (ISRA)
20 pages
Security
No ratings yet
Security
149 pages
ISMS-102 - Technical Controls Standards v1.0
No ratings yet
ISMS-102 - Technical Controls Standards v1.0
6 pages
Fundamentals of Information Systems Security
100% (1)
Fundamentals of Information Systems Security
34 pages
Accounts Assistant Using Tally Final ACLP
No ratings yet
Accounts Assistant Using Tally Final ACLP
180 pages
ST 14 4 1 12 PDF
No ratings yet
ST 14 4 1 12 PDF
13 pages
CST805 Computer and Network Security
No ratings yet
CST805 Computer and Network Security
167 pages
Certified Ethical Hacker v9
100% (1)
Certified Ethical Hacker v9
9 pages
CSBS Cybersecurity 101 Resource Guide FINAL PDF
No ratings yet
CSBS Cybersecurity 101 Resource Guide FINAL PDF
40 pages
CISA Chapter 5 Practice
No ratings yet
CISA Chapter 5 Practice
66 pages
Asset Management
No ratings yet
Asset Management
7 pages
Unit 7-10
No ratings yet
Unit 7-10
47 pages
Unit 6 Ethics, Privacy, and Security: Topic 1: Ethics in Health Informatics
No ratings yet
Unit 6 Ethics, Privacy, and Security: Topic 1: Ethics in Health Informatics
22 pages
Active, Proactive or Reactive?: Assessing Your Cyber Security Posture
No ratings yet
Active, Proactive or Reactive?: Assessing Your Cyber Security Posture
6 pages
CH1 Introduction To Information Assurance and Security
No ratings yet
CH1 Introduction To Information Assurance and Security
37 pages
International Standard: Iso/Iec 21827
No ratings yet
International Standard: Iso/Iec 21827
154 pages
Pre 5 Chapter 1
No ratings yet
Pre 5 Chapter 1
4 pages
MODULE1-Cyber and Information Security F-W-Fresh
No ratings yet
MODULE1-Cyber and Information Security F-W-Fresh
45 pages
Social Engineering Awareness Policy: 1. Overview
No ratings yet
Social Engineering Awareness Policy: 1. Overview
3 pages
CHAPTER 4. Information Security
No ratings yet
CHAPTER 4. Information Security
44 pages
Lecture 02 - The Need For Security-2
No ratings yet
Lecture 02 - The Need For Security-2
48 pages
Itil
No ratings yet
Itil
125 pages
Chapter 1 InfoSec
No ratings yet
Chapter 1 InfoSec
60 pages
Endian Iec-62443-Compliance Whitepaper en
No ratings yet
Endian Iec-62443-Compliance Whitepaper en
5 pages
CompTIA Security Study Guide
No ratings yet
CompTIA Security Study Guide
44 pages
What Is Information Security?
No ratings yet
What Is Information Security?
47 pages
Securing Information
No ratings yet
Securing Information
57 pages
Cyber Security
100% (1)
Cyber Security
55 pages
Information Security
100% (1)
Information Security
28 pages
Chapter 1
No ratings yet
Chapter 1
31 pages
Mid Exam Sri Lasya Priya Annambhatla 4216903
No ratings yet
Mid Exam Sri Lasya Priya Annambhatla 4216903
19 pages
Chapter 1
No ratings yet
Chapter 1
57 pages
Is Unit1
No ratings yet
Is Unit1
38 pages
Risk Management Dissertation Ideas
100% (2)
Risk Management Dissertation Ideas
8 pages
NYMITY PMAF Poster
No ratings yet
NYMITY PMAF Poster
1 page
Sampujan Goswami 1234
No ratings yet
Sampujan Goswami 1234
8 pages
UNIT 1 - Information Security
No ratings yet
UNIT 1 - Information Security
64 pages
3 Topics Remaining
No ratings yet
3 Topics Remaining
119 pages
Unit 1
No ratings yet
Unit 1
30 pages
What Is Information Security
No ratings yet
What Is Information Security
36 pages
Lesson 1 Introduction To Information Security
No ratings yet
Lesson 1 Introduction To Information Security
42 pages
Dis Notes
No ratings yet
Dis Notes
40 pages
1st Unit Cyber Secuirty
No ratings yet
1st Unit Cyber Secuirty
49 pages
ISO27k Security Presentation v1.0
No ratings yet
ISO27k Security Presentation v1.0
63 pages
IS Chapter 1
No ratings yet
IS Chapter 1
44 pages
Lecture 1 - Introduction To Security
No ratings yet
Lecture 1 - Introduction To Security
26 pages
Cyber Security
No ratings yet
Cyber Security
544 pages
Information Security Chapter 1
No ratings yet
Information Security Chapter 1
44 pages
Notes
No ratings yet
Notes
15 pages
Dis Notes
No ratings yet
Dis Notes
39 pages
IAS - Week 1
No ratings yet
IAS - Week 1
8 pages
Information Protection and Security - 1
No ratings yet
Information Protection and Security - 1
20 pages
Ais 7 - Reviewer - Midterm
No ratings yet
Ais 7 - Reviewer - Midterm
17 pages
Chapter 1 - Introduction To Information Security
No ratings yet
Chapter 1 - Introduction To Information Security
13 pages
GAR Arbitration and The Advent of New Technologies
No ratings yet
GAR Arbitration and The Advent of New Technologies
23 pages
Information Systems Security
No ratings yet
Information Systems Security
5 pages
Information Security - Awareness
No ratings yet
Information Security - Awareness
50 pages
DIS 5 Unit Notes, QB, Univ Ques
No ratings yet
DIS 5 Unit Notes, QB, Univ Ques
129 pages
Cyber Security Intro1
No ratings yet
Cyber Security Intro1
19 pages
1-Computer Security EENG-524 Lecture-01
No ratings yet
1-Computer Security EENG-524 Lecture-01
25 pages
Ias Reviewer
No ratings yet
Ias Reviewer
28 pages
Week#01.... Lecture#01
No ratings yet
Week#01.... Lecture#01
24 pages
Intro To Info Security
No ratings yet
Intro To Info Security
58 pages
Lecture 1 & 2
No ratings yet
Lecture 1 & 2
52 pages
Cyber Security Notes Unit 1
100% (1)
Cyber Security Notes Unit 1
9 pages
Chapter 1
No ratings yet
Chapter 1
64 pages
Lecture 1
No ratings yet
Lecture 1
29 pages
Introduction To Information Security (Lesson1) : Mary Joy M. Velasco, MIT, LPT, DIT (CAR)
No ratings yet
Introduction To Information Security (Lesson1) : Mary Joy M. Velasco, MIT, LPT, DIT (CAR)
26 pages
Chapter1 221122094930 Ea188277
No ratings yet
Chapter1 221122094930 Ea188277
44 pages
Info Security Chapter 1 CYS
No ratings yet
Info Security Chapter 1 CYS
8 pages
Lecture 01 Chapter 01 Whiteman
No ratings yet
Lecture 01 Chapter 01 Whiteman
81 pages
CHP1
No ratings yet
CHP1
44 pages
Lecture 1 - Information Security Basics
No ratings yet
Lecture 1 - Information Security Basics
7 pages
Security Threats in Information System
No ratings yet
Security Threats in Information System
26 pages
Cybersecurity 2
No ratings yet
Cybersecurity 2
29 pages
InfoSec Lect2
No ratings yet
InfoSec Lect2
49 pages
1-Introduction To Information Security
No ratings yet
1-Introduction To Information Security
35 pages
Information Security Management Prelim Module1
No ratings yet
Information Security Management Prelim Module1
18 pages
AbdulrahmanSabbagh UnitedArabEmirates 12.03 Yrs
No ratings yet
AbdulrahmanSabbagh UnitedArabEmirates 12.03 Yrs
4 pages
INF 806 - Information Security Lecture Slide 1
No ratings yet
INF 806 - Information Security Lecture Slide 1
27 pages
Information Security Reviewer Midterm
No ratings yet
Information Security Reviewer Midterm
7 pages
Module 2
No ratings yet
Module 2
52 pages
Module II Part A
No ratings yet
Module II Part A
16 pages