CISSP - 1 Information Security & Risk Management

The document outlines a course syllabus for Information Security and Risk Management, detailing weekly topics such as governance, cryptography, and risk management. It emphasizes the importance of security fundamentals like the C-I-A triad (Confidentiality, Integrity, Availability) and risk management processes. Additionally, it discusses the roles and responsibilities within an organization, security governance frameworks, and the significance of policies and procedures in maintaining security standards.

By:

Professor Eric Amankwa (PUG, 2025)


Info. and Comp. Security
Course Syllabus
Week 1: Information Security Governance and Risk Management
Week 2: Operations Security
Week 3: Cryptography
Week 4: Access Control
Week 5: Physical Security
Week 6: Telecommunications
Week 7: Legal, Ethics and Investigations
Week 8: Software Development Security
Week 9: Business Continuity and Disaster Recovery Planning
Week 10: Security Architecture and Design
Information Security and Risk Management
In this lecture:
• Fundamentals of Security
• Types of Attacks
• Risk Management
• Security Blueprints
• Policies, Standards, Procedures, Guidelines
• Roles and Responsibilities
• SLAs
• Data Classification
• Knowledge Transfer
The Role of Information Security Within an Organization

• First priority is to support the mission of the organization
• Requires judgment based on the risk tolerance of the organization, cost and benefit
• The role of the security professional is that of a risk advisor, not a decision maker.
Planning Horizon

Strategic Goals
• Over-arching - supported by tactical and operational goals
Tactical Goals
• Mid-term - lay the necessary foundation to accomplish strategic goals
Operational Goals
• Day-to-day - focus on productivity and task-oriented activities
Security Fundamentals

• C-I-A Triad
  • Confidentiality
  • Integrity
  • Availability
Confidentiality

• Prevent unauthorized disclosure
• Social Engineering
  • Training, Separation of Duties, Enforce Policies and Conduct Vulnerability Assessments
• Media Reuse
  • Proper Sanitization Strategies
• Eavesdropping
  • Encrypt
  • Keep sensitive information off the network
Integrity

• Detect modification of information
  • Corruption
  • Intentional or Malicious Modification
• Message Digest (Hash)
• MAC
• Digital Signatures
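The three mechanisms listed differ in who is able to recompute the check value, and that decides which kind of modification each one detects. The Python script below is an added illustration, not part of the lecture: using only the standard library, it shows that a plain message digest catches accidental corruption but can be recomputed by whoever altered the message, whereas a keyed MAC (HMAC-SHA256) cannot be recomputed without the shared key. Digital signatures (asymmetric keys, which additionally give non-repudiation) need a third-party library and are left out. The two messages and the key are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample messages (not from the lecture): a legitimate
# instruction and a version altered in transit.
ORIGINAL = b"Transfer 100 USD to account 12345"
TAMPERED = b"Transfer 900 USD to account 12345"


def message_digest(data: bytes) -> str:
    """Message digest (hash). Anyone can compute it: it has no secret input."""
    return hashlib.sha256(data).hexdigest()


def digest_verifies(data: bytes, digest: str) -> bool:
    """Recompute the digest and compare in constant time."""
    return hmac.compare_digest(message_digest(data), digest)


def message_mac(key: bytes, data: bytes) -> str:
    """MAC (HMAC-SHA256). Only holders of `key` can compute a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def mac_verifies(key: bytes, data: bytes, tag: str) -> bool:
    """Recompute the tag with the shared key and compare in constant time."""
    return hmac.compare_digest(message_mac(key, data), tag)


def integrity_checks() -> dict:
    """Run the two integrity cases from the slide: corruption, and intentional
    modification where the modifier also rewrites the stored check value."""
    key = secrets.token_bytes(32)          # shared secret, constructed here
    digest = message_digest(ORIGINAL)      # stored alongside the message
    tag = message_mac(key, ORIGINAL)

    results = {}
    # Corruption (accidental change): both mechanisms notice the mismatch.
    results["digest_detects_corruption"] = not digest_verifies(TAMPERED, digest)
    results["mac_detects_corruption"] = not mac_verifies(key, TAMPERED, tag)

    # Intentional modification: the modifier replaces the check value too.
    # A digest can be recomputed by anyone, so the check passes on the
    # altered message; a MAC cannot be recomputed without the key, so a
    # tag made with any other key fails verification.
    forged_digest = message_digest(TAMPERED)
    results["digest_passes_after_recompute"] = digest_verifies(TAMPERED, forged_digest)
    forged_tag = message_mac(b"not-the-shared-key", TAMPERED)
    results["mac_fails_without_key"] = not mac_verifies(key, TAMPERED, forged_tag)
    return results


if __name__ == "__main__":
    for check, outcome in integrity_checks().items():
        print(f"{check}: {outcome}")
```

The practical consequence for a defender: a digest stored next to the data it protects guards only against corruption; detecting modification by a party who can also rewrite the check value requires a secret the modifier does not hold (a MAC key) or a private signing key (a digital signature).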
Availability

• Provide timely and reliable access to resources
• Redundancy, redundancy, redundancy
• Prevent single point of failure
• Comprehensive fault tolerance (Data, Hard Drives, Servers, Network Links, etc.)
Best Practices (to protect C-I-A)

• Separation of Duties (SOD)
• Mandatory Vacations
• Job rotation
• Least privilege
• Need to know
• Dual control
Defense in Depth

• Also known as layered defense
• No one device will PREVENT an attacker
• Three main types of controls:
  • Technical (Logical)
  • Administrative
  • Physical
Risk

• Every decision starts with looking at risk
• Determine the value of your assets
• Look to identify the potential for loss
• Find a cost-effective solution to reduce risk to an acceptable level (rarely can we eliminate risk)
• Safeguards are proactive
• Countermeasures are reactive
Risk Definitions

• Asset: Anything of value to the company
• Vulnerability: A weakness; the absence of a safeguard
• Threat: Something that could pose loss to all or part of an asset
• Threat Agent: What carries out the attack
• Exploit: An instance of compromise
• Risk: The probability of a threat materializing
• Controls: Physical, Administrative, and Technical Protections
  • Safeguards
  • Countermeasures
Sources of Risk

• Weak or non-existing anti-virus software
• Disgruntled employees
• Poor physical security
• Weak access control
• No change management
• No formal process for hardening systems
• Lack of redundancy
• Poorly trained users
Risk Management

Processes of identifying, analyzing, assessing, mitigating, or transferring risk. Its main goal is the reduction of the probability or impact of a risk.

Summary topic that includes all risk-related actions.

Includes Assessment, Analysis, Mitigation, and Ongoing Risk Monitoring.
Risk Management

Risk Management
• Risk Assessment
  • Identify and Valuate Assets
  • Identify Threats and Vulnerabilities
  • Risk Analysis
    • Qualitative
    • Quantitative
• Risk Mitigation/Response
  • Reduce / Avoid
  • Transfer
  • Accept / Reject
• Ongoing Risk Monitoring
Risk Assessment

• Looks at risks for a specific period in time and must be reassessed periodically
• Risk Management is an ongoing process
• The following steps are part of a Risk Assessment per NIST 800-30:
  • System Characterization
  • Threat Identification
  • Vulnerability Identification
  • Control Analysis
  • Likelihood Determination
  • Impact Analysis
  • Risk Determination
  • Control Recommendation
  • Results Documentation
Risk Analysis

• Determining a value for a risk
• Qualitative vs. Quantitative
• Risk Value is Probability * Impact
  • Probability: How likely is the threat to materialize?
  • Impact: How much damage will there be if it does?
• Could also be referred to as likelihood and severity.
Risk Analysis

• Qualitative Analysis (subjective, judgment-based)
  • Probability and Impact Matrix
• Quantitative Analysis (objective, numbers-driven)
  • AV (Asset Value)
  • EF (Exposure Factor)
  • ARO (Annual Rate of Occurrence)
  • SLE (Single Loss Expectancy) = AV * EF
  • ALE (Annual Loss Expectancy) = SLE * ARO
• Cost of control should be the same as or less than the potential for loss
Qualitative Analysis

• Subjective in nature
• Uses words like “high”, “medium”, “low” to describe likelihood and severity (or probability and impact) of a threat exposing a vulnerability
• Delphi technique is often used to solicit objective opinions
Quantitative Analysis

• More experience required than with qualitative analysis
• Involves calculations to determine a dollar value associated with each risk event
• Business decisions are made on this type of analysis
• Goal is to determine the dollar value of a risk and use that amount to determine what the best control is for a particular asset
• Necessary for a cost/benefit analysis
Mitigating Risk

• Three acceptable risk responses:
  • Reduce
  • Transfer
  • Accept
• Secondary risks
• Residual risks
• Continue to monitor for risks
• How we decide to mitigate business risks becomes the basis for Security Governance and Policy
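The quantitative formulas (SLE = AV * EF, ALE = SLE * ARO, control cost versus potential loss), the qualitative probability/impact matrix, and the reduce/transfer/accept responses above can be tied together in one short calculation. The Python script below is an added example, not part of the lecture. The asset value, exposure factor, occurrence rate and safeguard costs are constructed sample numbers; the qualitative matrix scoring (three levels multiplied and thresholded) is one common convention chosen for the example, not something the slides prescribe; and the cost-of-control rule is generalized into a value-of-safeguard comparison (ALE before, minus ALE after, minus the annual cost of the control) that drives the choice of response.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    """One risk event against one asset, in the slides' quantitative terms."""
    name: str
    asset_value: float        # AV, in dollars (constructed sample value)
    exposure_factor: float    # EF, fraction of AV lost per occurrence (0.0 to 1.0)
    aro: float                # ARO, expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE * ARO."""
        return self.sle() * self.aro


@dataclass
class Safeguard:
    """A control with an annual cost that lowers EF and/or ARO (modelling assumption of this example)."""
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None
    new_aro: Optional[float] = None


def ale_with_safeguard(risk: Risk, safeguard: Safeguard) -> float:
    """ALE after the safeguard is applied; terms the safeguard does not change stay as they were."""
    ef = safeguard.new_exposure_factor if safeguard.new_exposure_factor is not None else risk.exposure_factor
    aro = safeguard.new_aro if safeguard.new_aro is not None else risk.aro
    return risk.asset_value * ef * aro


def safeguard_value(risk: Risk, safeguard: Safeguard) -> float:
    """Net annual value of the control: ALE before - ALE after - annual cost of the control."""
    return risk.ale() - ale_with_safeguard(risk, safeguard) - safeguard.annual_cost


def recommend_response(risk: Risk, safeguard: Safeguard) -> str:
    """Slide rule: the control should cost the same as or less than the loss it prevents.
    A positive value means reducing the risk with this control pays for itself; otherwise the
    control is not worth its cost and the remaining responses are to transfer (e.g. insure) or accept."""
    return "reduce" if safeguard_value(risk, safeguard) > 0 else "transfer or accept"


# Qualitative probability/impact matrix: three levels each, product thresholded.
# The numeric scoring is an example convention, not prescribed by the slides.
LEVELS = {"low": 1, "medium": 2, "high": 3}


def qualitative_risk(probability: str, impact: str) -> str:
    score = LEVELS[probability] * LEVELS[impact]   # Risk Value = Probability * Impact
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


if __name__ == "__main__":
    # Constructed scenario: a $100,000 file server; a fire would destroy half
    # of its value (EF 0.5) and is expected once every ten years (ARO 0.1).
    fire = Risk("file server fire", asset_value=100_000, exposure_factor=0.5, aro=0.1)
    print(f"SLE = {fire.sle():,.0f}  ALE = {fire.ale():,.0f}")
    for control in (
        Safeguard("fire suppression", annual_cost=2_000, new_exposure_factor=0.1),
        Safeguard("premium suppression", annual_cost=6_000, new_exposure_factor=0.1),
    ):
        print(f"{control.name}: value {safeguard_value(fire, control):,.0f} -> {recommend_response(fire, control)}")
    print("qualitative high/high ->", qualitative_risk("high", "high"))
```

With the sample numbers the ALE is $5,000 a year; a $2,000-a-year control that cuts EF to 0.1 brings the ALE to $1,000 and is worth $2,000 a year net (reduce), while the same reduction bought for $6,000 a year costs more than it saves, so transfer or acceptance is the rational choice. Note that the residual ALE after the chosen control is exactly the residual risk the slide says must keep being monitored.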
Security Governance

The IT Governance Institute in its Board Briefing on IT Governance, 2nd Edition, defines security governance as follows:

“Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.”
Security Blueprints

For achieving “Security Governance”:
• BS 7799, ISO 17799, and 27000 Series
• COBIT and COSO
• OCTAVE
• ITIL
COBIT and COSO

• COBIT (Control Objectives for Information and related Technology)
• COSO (Committee of Sponsoring Organizations)
ITIL

Information Technology Infrastructure Library (ITIL) is the de facto standard for best practices for IT service management.

5 Service Management Publications:
• Strategy
• Design
• Transition
• Operation
• Continual Improvement

**While the publications of ITIL are not testable, its purpose and comprehensive approach are testable. It provides best practices for organizations and the means by which to implement those practices.
OCTAVE

Operationally Critical Threat, Asset and Vulnerability Evaluation

Self-directed risk evaluation developed by Carnegie Mellon. People within an organization are the ones who direct the risk analysis.

A suite of tools, techniques, and methods for risk-based information security strategic assessment and planning.
1. Identify Assets
2. Identify Vulnerabilities
3. Risk Analysis and Mitigation
BS 7799, ISO 17799, 27000 Series

• BS 7799-1, BS 7799-2
• Absorbed by ISO 17799
• Renamed ISO 27002 to fit into the ISO numbering standard
ISO 27000 Series

• ISO 27001: Establishment, implementation, control and improvement of the ISMS. Follows the PDCA (Plan, Do, Check, Act) model.
• ISO 27002: Replaced ISO 17799. Provides practical advice for how to implement security controls. Uses 10 domains to address the ISMS.
• ISO 27004: Provides metrics for measuring the success of the ISMS.
• ISO 27005: A standards-based approach to risk management.
• ISO 27799: Directives on protecting personal health information.
The Plan Do Check Act (PDCA) Model

[Figure: the PDCA cycle applied to the ISMS. Input from interested parties: information security requirements and expectations. Output to interested parties: managed information security.]
Approach to Security Management

Top-Down Approach: Security practices are directed and supported at the senior management level (Senior Management → Middle Management → Staff).

Bottom-Up Approach: The IT department tries to implement security (Staff → Middle Management → Senior Management).
Information Security Management Program

• Senior management's involvement
• Governance
• Policies/Standards/Procedures/Guidelines
• Roles and Responsibilities
• SLAs (Service Level Agreements)/Outsourcing
• Data Classification/Security
• C&A (Certification and Accreditation)
• Auditing
Senior Management Role

• CEO, CSO, CIO, etc.
• Ultimately responsible for security within an organization
• Development and support of policies
• Allocation of resources
• Decisions based on risk
• Prioritization of business processes
Liabilities

Legal liability is an important consideration for risk assessment and analysis.

Addresses whether or not a company is responsible for specific actions or inaction.

Who is responsible for the security within an organization?
• Senior management

Are we liable in the instance of a loss?
• Due diligence: Continuously monitoring an organization's practices to ensure they are meeting/exceeding the security requirements.
• Due care: Ensuring that “best practices” are implemented and followed. Following up due diligence with action.
• Prudent man rule: Acting responsibly and cautiously as a prudent man would.
• Best practices: Organizations are aligned with the favored practices within an industry.
Organizational Security Policy

• aka Program Policy
• Mandatory
• High-level statement from management
• Should support strategic goals of an organization
• Explains any legislation or industry-specific drivers
• Assigns responsibility
• Should be integrated into all business functions
• Enforcement and Accountability
Issue and System Specific Policy

Issue-specific policy, sometimes called functional implementation policy, would include the company's stance on various employee issues. AUP, Email and Privacy would all be covered under issue-specific policy.

System-specific policy is geared toward the use of network and system resources: approved software lists, use of firewalls, IDS, scanners, etc.
Other Types of Policies

• Regulatory
• Advisory
• Informative
Security Policy Document Relationships

[Figure: hierarchy of security policy documents, top to bottom]
• Laws, Regulations and Best Practices (Drivers)
• Program or Organizational Policy (Management's Security Statement)
• Functional (Issue and System Specific) Policies (Management's Security Directives)
• Standards, Procedures, Baselines, Guidelines
Standards

• Mandatory
• Created to support policy, while providing more specifics.
• Reinforces policy and provides direction
• Can be internal or external

Procedures

• Mandatory
• Step-by-step directives on how to accomplish an end result.
• Detail the “how-to” of meeting the policy, standards and guidelines

Guidelines

• Not Mandatory
• Suggestive in nature
• Recommended actions and guides to users
• “Best Practices”

Baselines

• Mandatory
• Minimum acceptable security configuration for a system or process
• The purpose of security classification is to determine and assign the necessary baseline configuration to protect the data
Personnel Security Policies (examples)

• Hiring Practices and Procedures
• Background Checks/Screening
• NDAs
• Employee Handbooks
• Formal Job Descriptions
• Accountability
• Termination
Roles and Responsibilities

Senior/Executive Management
• CEO: Chief decision-maker
• CFO: Responsible for budgeting and finances
• CIO: Ensures technology supports the company's objectives
• ISO: Risk analysis and mitigation
• Steering Committee: Defines risks, objectives and approaches
• Auditors: Evaluate business processes
• Data Owner: Classifies data
• Data Custodian: Day-to-day maintenance of data
• Network Administrator: Ensures availability of network resources
• Security Administrator: Responsible for all security-related tasks, focusing on Confidentiality and Integrity
Responsibilities of the ISO

• Responsible for providing C-I-A for all information assets.
• Communication of risks to senior management
• Recommend best practices to influence policies, standards, procedures, guidelines
• Establish security measurements
• Ensure compliance with government and industry regulations
• Maintain awareness of emerging threats
Auditing Role

Objective evaluation of controls and policies to ensure that they are being implemented and are effective.

If internal auditing is in place, auditors should not report to the head of a business unit, but rather to legal or human resources, or some other entity without a direct stake in the result.
Data Classification

Development of sensitivity labels for data and the assignment of those labels for the purpose of configuring baseline security based on the value of the data.

• Cost: Value of the data
• Classify: Criteria for classification
• Controls: Determining the baseline security configuration for each classification
Considerations for Asset Valuation

What makes up the value of an asset?
• Value to the organization
• Loss if compromised
• Legislative drivers
• Liabilities
• Value to competitors
• Acquisition costs
• And many others
Assessment

• Identify and Valuate Assets
• Identify Threats and Vulnerabilities

Methodologies:
• OCTAVE: an approach where analysts identify assets and their criticality, identify vulnerabilities and threats, and base the protection strategy on reducing risk
• FRAP: Facilitated Risk Analysis Process. Qualitative analysis used to determine whether or not to proceed with a quantitative analysis. If likelihood or impact is too low, the quantitative analysis is foregone.
• NIST 800-30: Risk Management Guide for Information Technology Systems
Risk Analysis

Qualitative:
• Subjective analysis to help prioritize probability and impact of risk events.
• May use the Delphi technique

Quantitative:
• Providing a dollar value to a particular risk event.
• Much more sophisticated in nature; a quantitative analysis is much more difficult and requires a special skill set
• Business decisions are made on a quantitative analysis
• Can't exist on its own. Quantitative analysis depends on qualitative information
Knowledge Transfer

Awareness, Training, Education

“People are often the weakest link in securing information. Awareness of the need to protect information, training in the skills needed to operate them securely, and education in security measures and practices are of critical importance for the success of an organization’s security program.”

The goal of knowledge transfer is to modify employee behavior.
Being Aware of the Rules

Security Awareness Training
• Employees cannot and will not follow the directives and procedures if they do not know about them
• Employees must know expectations and the ramifications if they are not met
• Employee recognition award program
• Part of due care
• Administrative control
Awareness/Training/Education Benefits

Overriding benefits:
• Modifies employee behavior and improves attitudes towards information security
• Increases ability to hold employees accountable for their actions
• Raises the collective security awareness level of the organization
Awareness/Training/Education Implementation

Implementation:
• Basic security training should be required for all employees.
• Advanced training may be needed for managers.
• Specialized training is necessary for system administrators and information systems auditors.
• Specialized training is normally delivered through external programs.
• Should be regarded as part of career development.
Information Security Governance and Risk Management
Review

• Fundamentals of Security
• Types of Attacks
• Risk Management
• Security Blueprints
• Policies, Standards, Procedures, Guidelines
• Roles and Responsibilities
• SLAs
• Data Classification
• Certification, Accreditation and Auditing
• Knowledge Transfer
