CISSP - 1 Information Security & Risk Management
In this lecture:
Fundamentals of Security
Types of Attacks
Risk Management
Security Blueprints
Policies, Standards, Procedures, Guidelines
Roles and Responsibilities
SLAs
Data Classification
Knowledge Transfer
The Role of Information Security Within an Organization
First priority is to support the mission of the organization
Requires judgment based on the risk tolerance of the organization, cost and benefit
Role of the security professional is that of a risk advisor, not a decision maker.
Planning Horizon
Strategic Goals
Over-arching - supported by tactical and operational goals
Tactical Goals
Mid-term - lay the necessary foundation to accomplish strategic goals
Operational Goals
Day-to-day - focus on productivity and task-oriented activities
Security Fundamentals
C-I-A Triad: Confidentiality, Integrity, Availability
Integrity: detect modification of information
Corruption
Intentional or Malicious Modification
Mechanisms: Message Digest (Hash), MAC, Digital Signatures
Defense in Depth
Risk Management
Process of identifying, analyzing, assessing, mitigating, or transferring risk. Its main goal is the reduction of the probability or impact of a risk.
Summary topic that includes all risk-related actions
Includes Assessment, Analysis, Mitigation, and Ongoing Risk Monitoring
Risk Assessment
• Identify and Valuate Assets
• Identify Threats and Vulnerabilities
• Risk Analysis
• Qualitative
• Quantitative
Risk Mitigation/Response
• Reduce/Avoid
• Transfer
• Accept/Reject
Risk Assessment
Looks at risks for a specific period in time and must be reassessed periodically
Risk Management is an ongoing process
The following steps are part of a Risk Assessment per NIST 800-30:
System Characterization
Threat Identification
Vulnerability Identification
Control Analysis
Likelihood Determination
Impact analysis
Risk determination
Control Recommendation
Results Documentation
Risk Analysis (Qualitative)
Subjective in nature
Uses words like "high", "medium" and "low" to describe likelihood and severity (or probability and impact) of a threat exposing a vulnerability
Delphi technique is often used to solicit objective opinions
Quantitative Analysis
More experience required than with Qualitative
Involves calculations to determine a dollar value associated with each risk event
Business decisions are made on this type of analysis
Goal is to determine the dollar value of a risk and use that amount to determine what the best control is for a particular asset
Necessary for a cost/benefit analysis
Mitigating Risk
Security Blueprints
For achieving "Security Governance"
BS 7799, ISO 17799, and 27000 Series
COBIT and COSO
OCTAVE
ITIL
COBIT and COSO
COBIT (Control Objectives for Information and related Technology)
COSO (Committee of Sponsoring Organizations)
ITIL
Information Technology Infrastructure Library (ITIL) is the de facto standard for best practices for IT service management
5 Service Management Publications:
Strategy
Design
Transition
Operation
Continual Improvement
**While the publications of ITIL are not testable, its purpose and comprehensive approach are testable. It provides best practices for organizations and the means by which to implement those practices.
OCTAVE
Operationally Critical Threat, Asset and Vulnerability Evaluation
Self-directed risk evaluation developed by Carnegie Mellon. People within an organization are the ones who direct the risk analysis.
A suite of tools, techniques, and methods for risk-based information security strategic assessment and planning.
1. Identify Assets
2. Identify Vulnerabilities
3. Risk Analysis and Mitigation
BS 7799, ISO 17799, 27000 Series
BS 7799-1, BS 7799-2
Absorbed by ISO 17799
Renamed ISO 27002 to fit into the ISO numbering standard
ISO 27000 Series
ISO 27001: Establishment, implementation, control and improvement of the ISMS. Follows the PDCA (Plan, Do, Check, Act) cycle.
ISO 27002: Replaced ISO 17799. Provides practical advice for how to implement security controls. Uses 10 domains to address the ISMS.
ISO 27004: Provides metrics for measuring the success of the ISMS
ISO 27005: A standards-based approach to risk management
ISO 27799: Directives on protecting personal health information
The Plan Do Check Act (PDCA) Model
[Diagram: interested parties supply information security requirements and expectations as input to the PDCA cycle; its output is managed information security delivered back to interested parties.]
Approach to Security Management
Top-Down Approach: Security practices are directed and supported at the senior management level and flow down to staff.
Bottom-Up Approach: The IT department tries to implement security, starting from staff level without senior management direction.
Information Security Management Program
Senior management's involvement
Governance
Policies/Standards/Procedures/Guidelines
Roles and Responsibilities
SLAs (Service Level Agreements)/Outsourcing
Data Classification/Security
C&A (Certification and Accreditation)
Auditing
Senior Management Role
CEO, CSO, CIO, etc.
Ultimately responsible for security within an organization
Development and support of policies
Allocation of resources
Decisions based on risk
Prioritization of business processes
Liabilities
Legal liability is an important consideration for risk assessment and analysis.
Addresses whether or not a company is responsible for specific actions or inaction.
Who is responsible for the security within an organization? Senior management.
Are we liable in the instance of a loss?
Due diligence: Continuously monitoring an organization's practices to ensure they are meeting/exceeding the security requirements.
Due care: Ensuring that "best practices" are implemented and followed. Following up due diligence with action.
Prudent man rule: Acting responsibly and cautiously as a prudent man would.
Best practices: Organizations are aligned with the favored practices within an industry.
Organizational Security Policy
aka Program Policy
Mandatory
High-level statement from management
Should support strategic goals of an organization
Explains any legislation or industry-specific drivers
Assigns responsibility
Should be integrated into all business functions
Enforcement and Accountability
Issue and System Specific Policy
Issue-specific policy, sometimes called functional implementation policy, includes the company's stance on various employee issues. AUP, email and privacy would all be covered under issue-specific policy.
System-specific policy is geared toward the use of network and system resources: approved software lists, use of firewalls, IDS, scanners, etc.
Other Types of Policies
Regulatory
Advisory
Informative
Security Policy Document Relationships
Standards
Mandatory
Created to support policy, while providing more specifics.
Reinforces policy and provides direction
Can be internal or external
Procedures
Mandatory
Step-by-step directives on how to accomplish an end result.
Detail the "how-to" of meeting the policy, standards and guidelines
Guidelines
Not Mandatory
Suggestive in nature
Recommended actions and guides to users
"Best Practices"
Baselines
Mandatory
Minimum acceptable security configuration for a system or process
The purpose of security classification is to determine and assign the necessary baseline configuration to protect the data
Personnel Security Policies (examples)
Hiring Practices and Procedures
Background Checks/Screening
NDAs
Employee Handbooks
Formal Job Descriptions
Accountability
Termination
Roles and Responsibilities
Senior/Executive Management
CEO: Chief decision-maker
CFO: Responsible for budgeting and finances
CIO: Ensures technology supports the company's objectives
ISO: Risk analysis and mitigation
Steering Committee: Defines risks, objectives and approaches
Auditors: Evaluate business processes
Data Owner: Classifies data
Data Custodian: Day-to-day maintenance of data
Network Administrator: Ensures availability of network resources
Security Administrator: Responsible for all security-related tasks, focusing on Confidentiality and Integrity
Responsibilities of the ISO
Responsible for providing C-I-A for all information assets.
Communication of risks to senior management
Recommend best practices to influence policies, standards, procedures, guidelines
Establish security measurements
Ensure compliance with government and industry regulations
Maintain awareness of emerging threats
Auditing Role
Objective evaluation of controls and policies to ensure that they are being implemented and are effective.
If internal auditing is in place, auditors should not report to the head of a business unit, but rather to legal, human resources, or some other entity without a direct stake in the result.
Data Classification
Development of sensitivity labels for data and the assignment of those labels for the purpose of configuring baseline security based on the value of the data
Cost: Value of the data
Classify: Criteria for classification
Controls: Determining the baseline security configuration for each classification
Considerations for Asset Valuation
What makes up the value of an asset?
Value to the organization
Loss if compromised
Legislative drivers
Liabilities
Value to competitors
Acquisition costs
And many others
Assessment
Identify and Valuate Assets
Identify Threats and Vulnerabilities
Methodologies:
OCTAVE: an approach where analysts identify assets and their criticality, identify vulnerabilities and threats, and base the protection strategy on reducing risk
FRAP: Facilitated Risk Analysis Process. Qualitative analysis used to determine whether or not to proceed with a quantitative analysis. If likelihood or impact is too low, the quantitative analysis is foregone.
NIST 800-30: Risk Management Guide for Information Technology Systems
Risk Analysis
Qualitative:
Subjective analysis to help prioritize probability and impact of risk events.
May use the Delphi Technique
Quantitative:
Providing a dollar value to a particular risk event.
Much more sophisticated in nature; a quantitative analysis is much more difficult and requires a special skill set
Business decisions are made on a quantitative analysis
Can't exist on its own. Quantitative analysis depends on qualitative information
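Worked example, added here and not part of the lecture slides, covering both the Quantitative Analysis slide and the Risk Analysis summary above: a qualitative high/medium/low triage feeds a quantitative dollar figure per risk event, and that figure drives a cost/benefit decision on a control. It assumes the standard SLE/ALE method (SLE = AV x EF, ALE = SLE x ARO), and every asset value, exposure factor and frequency in the register is a constructed sample figure.

```python
from dataclasses import dataclass

# Qualitative step: subjective low/medium/high ratings on a 3x3 matrix.
RATING = {"low": 1, "medium": 2, "high": 3}

def qualitative_score(likelihood: str, impact: str) -> int:
    """Risk score = likelihood x impact, range 1..9; used only to rank."""
    return RATING[likelihood] * RATING[impact]

@dataclass
class RiskEvent:
    name: str
    asset_value: float      # AV: dollar value of the asset (constructed)
    exposure_factor: float  # EF: fraction of AV lost per occurrence
    aro: float              # ARO: expected occurrences per year
    likelihood: str         # qualitative rating from the Delphi round
    impact: str

    def sle(self) -> float:
        """Single Loss Expectancy: dollars lost in one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected dollars lost per year."""
        return self.sle() * self.aro

def control_value(risk: RiskEvent, aro_after: float, annual_cost: float) -> float:
    """Net annual benefit of a control that lowers ARO to aro_after.
    Positive means the control is worth its cost; negative means accept
    or transfer the risk instead."""
    ale_after = risk.sle() * aro_after
    return risk.ale() - ale_after - annual_cost

def prioritized(register):
    """Qualitative triage: highest-scoring risk events first."""
    return sorted(register, reverse=True,
                  key=lambda r: qualitative_score(r.likelihood, r.impact))

# Constructed sample risk register (hypothetical figures, not real data).
REGISTER = [
    RiskEvent("Ransomware on file server", 500_000, 0.6, 0.5, "high", "high"),
    RiskEvent("Laptop theft", 3_000, 1.0, 2.0, "high", "low"),
]

if __name__ == "__main__":
    for r in prioritized(REGISTER):
        print(f"{r.name}: score={qualitative_score(r.likelihood, r.impact)} "
              f"SLE=${r.sle():,.0f} ALE=${r.ale():,.0f}")
    # Hypothetical control: offline backups cut ransomware ARO to 0.1/year
    print("Backup control net benefit: $"
          f"{control_value(REGISTER[0], aro_after=0.1, annual_cost=40_000):,.0f}")
```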
Knowledge Transfer
Being Aware of the Rules
Awareness/Training/Education Benefits
Overriding benefits:
Modifies employee behavior and improves attitudes towards information security
Increases ability to hold employees accountable for their actions
Raises the collective security awareness level of the organization
Awareness/Training/Education Implementation
Implementation:
Basic security training should be required for all employees.
Advanced training may be needed for managers.
Specialized training is necessary for system administrators and information systems auditors.
Specialized training is normally delivered through external programs.
Should be regarded as part of career development.
Information Security Governance and Risk Management Review
Fundamentals of Security
Types of Attacks
Risk Management
Security Blueprints
Policies, Standards, Procedures, Guidelines
Roles and Responsibilities
SLAs
Data Classification
Certification, Accreditation and Auditing
Knowledge Transfer