CISSP Cert Guide
Module 1
Third Edition
Chapter 1
Security and Risk Management
Class Plan
• Security Terms
• Security Governance Principles
• Security Control Frameworks
• Compliance
• Computer Crime Concepts
Security Terms
• Confidentiality, Integrity, Availability (CIA) triad
• Confidentiality prevents the disclosure of data or information to
unauthorized entities.
• Integrity ensures that data is protected from unauthorized modification
or data corruption.
• Availability means ensuring that data is accessible when and where it
is needed.
• A balanced security approach ensures that all three facets are
considered when security controls are implemented.
Security Terms, cont.
• Auditing and Accounting
• Auditing is the internal process of providing a manual or a systematic
measurable technical assessment of a system or an application.
• Accounting is the logging of access and use of information resources.
• Accountability is the process of tracing actions to the sources.
• Organizations should have a designated party who is
responsible for ensuring that auditing and accounting of
enterprise security are being completed regularly.
• Nonrepudiation is the assurance that a sender cannot deny an
action.
Security Terms, cont.
• Default security posture
• An allow-by-default stance permits access to any data unless a need exists to
restrict access.
• A deny-by-default stance is much stricter because it denies any access that is not
explicitly permitted.
• Defense in depth
• The practice of using multiple layers of security between data and the resources on
which it resides and possible attackers.
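The difference between the two stances only shows up for requests that no rule anticipated. The following Python is an added illustration, not code from the slides or the CISSP Cert Guide; the rule set, subjects and resource names are constructed.

```python
# Added example, not from the slides: one rule set evaluated under an
# allow-by-default and a deny-by-default stance, plus a check that finds
# requests whose outcome is decided by the default alone.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    subject: str    # user or role, or "*" for anyone
    resource: str   # exact name, or a prefix ending in "*"
    action: str     # e.g. "read" or "write"
    effect: str     # "allow" or "deny"

    def matches(self, subject: str, resource: str, action: str) -> bool:
        subject_ok = self.subject in ("*", subject)
        if self.resource.endswith("*"):
            resource_ok = resource.startswith(self.resource[:-1])
        else:
            resource_ok = resource == self.resource
        return subject_ok and resource_ok and action == self.action


# Constructed rule set: explicit allows for HR and public data, an explicit
# deny for contractors on source code. Nothing is said about anyone else.
RULES: List[Rule] = [
    Rule("hr", "payroll/*", "read", "allow"),
    Rule("hr", "payroll/*", "write", "allow"),
    Rule("*", "public/*", "read", "allow"),
    Rule("contractor", "source/*", "read", "deny"),
]


def evaluate(rules: List[Rule], subject: str, resource: str, action: str,
             default: str) -> str:
    """First matching rule wins; with no match the default stance decides."""
    for rule in rules:
        if rule.matches(subject, resource, action):
            return rule.effect
    return default


def compare_stances(rules: List[Rule], subject: str, resource: str,
                    action: str) -> dict:
    """Outcome of the same request under both default postures."""
    return {
        "allow-by-default": evaluate(rules, subject, resource, action, "allow"),
        "deny-by-default": evaluate(rules, subject, resource, action, "deny"),
    }


def decided_by_default(rules: List[Rule],
                       requests: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Requests no rule covers: an allow-by-default stance grants these
    silently, a deny-by-default stance blocks them until a rule is written."""
    return [req for req in requests
            if not any(rule.matches(*req) for rule in rules)]


if __name__ == "__main__":
    probes = [("intern", "payroll/salaries.csv", "read"),
              ("hr", "payroll/salaries.csv", "read"),
              ("contractor", "source/main.c", "read")]
    for probe in probes:
        print(probe, compare_stances(RULES, *probe))
    print("decided by default:", decided_by_default(RULES, probes))
```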
Security Terms, cont.
• Abstraction is the process of taking away or removing
characteristics from something to reduce it to a set of essential
characteristics.
• Data hiding is the principle whereby data about a known entity
is not accessible to certain processes or users.
• Encryption is the process of converting information or data into
a code, especially to prevent unauthorized access.
Security Governance Principles
• Organizations often use best practices that are established by
third-party governance organizations, such as the National
Institute of Standards and Technology (NIST) and the
Information Technology Infrastructure Library (ITIL).
• Security governance uses an accountability framework to ensure
appropriate decision making.
• Board Briefing on IT Governance, Second Edition, defines IT
governance as follows:
IT governance is the responsibility of the board of directors and
executive management. It is an integral part of enterprise governance
and consists of the leadership and organizational structures and
processes that ensure that the organization's IT sustains and extends
the organization's strategies and objectives.
Security Governance Principles, cont.
• Security Function Alignment
• The security function must align with the goals, missions, and objectives
of the organization.
• An organization's security program must be open-ended (always being
reviewed) and preemptive (proactive, not just reactive).
Security Governance Principles, cont.
• Organizational Roles and Responsibilities
• Board of directors
• Senior officials
• Management
• Chief Executive Officer (CEO)
• Chief Financial Officer (CFO)
• Chief Information Officer (CIO)
• Chief Privacy Officer (CPO)
• Chief Security Officer (CSO)
Security Governance Principles, cont.
• Organizational Roles and Responsibilities (cont.)
• Audit committee
• Data owner
• Data custodian
• System owner
• System administrator
• Security administrator
• Security analyst
• Application owner
• Supervisor
• User
• Auditor
Security Control Frameworks
• ISO/IEC 27000 series
• A security program development standard on how to develop and maintain an
information security management system (ISMS).
• These standards are developed by the ISO/IEC bodies, but certification or
conformity assessment is provided by third parties.
• Zachman Framework
• An enterprise architecture framework.
• Uses a two-dimensional classification system based on six communication
questions (What, Where, When, Why, Who, and How) that intersect with different
views (Planner, Owner, Designer, Builder, Subcontractor, and Actual System).
NOTE: Organizations should select the enterprise architecture
framework that represents the organization in the most useful
manner, based on the needs of the stakeholders.
Security Control Frameworks, cont.
• The Open Group Architecture Framework (TOGAF)
• An enterprise architecture framework.
• Based on four interrelated domains: technology, applications, data, and
business.
• Department of Defense Architecture Framework (DoDAF)
• An architecture framework.
• Organizes a set of products under eight views: all viewpoint (required)
(AV), capability viewpoint (CV), data and information viewpoint (DIV),
operational viewpoint (OV), project viewpoint (PV), services viewpoint
(SvcV), standards viewpoint (STDV), and systems viewpoint (SV).
Security Control Frameworks, cont.
• British Ministry of Defence Architecture Framework (MODAF)
• An architecture framework.
• Divides information into seven viewpoints: strategic viewpoint (StV), operational viewpoint (OV),
service-oriented viewpoint (SOV), systems viewpoint (SV), acquisition viewpoint (AcV),
technical viewpoint (TV), and all viewpoint (AV).
• Sherwood Applied Business Security Architecture (SABSA)
• An enterprise security architecture framework that is risk-driven.
• Uses the six communication questions (What, Where, When, Why, Who, and How) that
intersect with six layers (operational, component, physical, logical, conceptual, and contextual).
Security Control Frameworks, cont.
• Control Objectives for Information and Related Technology
(CobiT)
• A security controls development framework.
• Documents five principles.
• Five principles drive control objectives categorized into seven enablers.
Security Control Frameworks, cont.
• National Institute of Standards and Technology (NIST)
• Special Publications (SPs) are a set of documents that describe U.S.
federal government computer security policies, procedures, and
guidelines.
• Each SP within the series defines a specific area.
• Throughout this course, specific SPs will be covered based on specific
topics in the CISSP domain objectives.
• HITRUST CSF
• HITRUST, a private company, established the Common Security
Framework (CSF) that can be used by all organizations that create,
access, store, or exchange sensitive and/or regulated data.
• This framework has 14 control categories.
Security Control Frameworks, cont.
• CIS Critical Security Controls
• The Center for Internet Security (CIS) released Critical Security Controls version 7 that
lists 20 CIS controls.
• The first five eliminate the vast majority of an organization’s vulnerabilities.
• Committee of Sponsoring Organizations (COSO) of the Treadway
Commission Framework
• A corporate governance framework.
• Consists of five interrelated components: control environment, risk assessment,
control activities, information and communication, and monitoring.
• CobiT was derived from the COSO framework.
• COSO is for corporate governance.
• CobiT is for IT governance.
Security Control Frameworks, cont.
• Operationally Critical Threat, Asset, and Vulnerability Evaluation
(OCTAVE)
• Provides a suite of tools, techniques, and methods for risk-based information-security
strategic assessment and planning.
• OCTAVE Allegro is the most recent version of OCTAVE.
• Information Technology Infrastructure Library (ITIL)
• A process management development standard.
• Has five core publications: ITIL Service Strategy, ITIL Service Design, ITIL Service
Transition, ITIL Service Operation, and ITIL Continual Service Improvement.
Security Control Frameworks, cont.
• Six Sigma
• A process improvement standard.
• Six Sigma was designed to identify and remove defects in the
manufacturing process but can be applied to many business functions,
including security.
• Capability Maturity Model Integration (CMMI)
• Process improvement approach.
• Addresses three areas of interest: product and service development
(CMMI for development), service establishment and management
(CMMI for services), and product service and acquisition (CMMI for
acquisitions).
Security Control Frameworks, cont.
• Capability Maturity Model Integration (CMMI), cont.
• Five levels of maturity for processes: Level 1 Initial, Level 2 Managed,
Level 3 Defined, Level 4 Quantitatively Managed, and Level 5
Optimizing.
• CCTA Risk Analysis and Management Method (CRAMM)
• A risk analysis and management method from the United Kingdom's Central
Computer and Telecommunications Agency (CCTA).
NOTE: Security professionals should help their organization pick the
framework that best fits the needs of the organization.
Security Control Frameworks, cont.
• Top-down versus bottom-up approach
• In a top-down approach, management initiates, supports, and directs
the security program.
• In a bottom-up approach, staff members develop a security program
prior to receiving direction and support from management.
• Security program life cycle
1. Plan and organize.
2. Implement.
3. Operate and maintain.
4. Monitor and evaluate.
Compliance
• Compliance involves being in alignment with standards,
guidelines, regulations, and/or legislation. Organizations must
comply with governmental laws and regulations.
• Governance, risk management, and compliance (GRC) is the
overarching term.
• Legal and regulatory compliance: Security professionals must
understand the laws and regulations of the country or countries
in which they work and the industry within which they operate.
• Privacy requirements compliance: Privacy requirements
compliance is primarily concerned with the confidentiality of data,
particularly personally identifiable information (PII).
Computer Crime Concepts
• Computer crimes today are usually made possible by a victim's
carelessness.
• Investigating and prosecuting computer crimes is made even
more difficult because evidence is mostly intangible.
• Obtaining a trail of evidence of activities performed on a
computer is hard.
Computer Crime Concepts, cont.
• Security professionals must understand the following computer
crime concepts:
• Computer-assisted crime
• Computer-targeted crime
• Incidental computer crime
• Computer prevalence crime
• Hackers versus crackers
Computer Crime Concepts, cont.
• White hat, gray hat, and black hat are more easily understood and less
often confused than the terms hackers and crackers.
• A white hat does not have any malicious intent.
• A black hat has malicious intent.
• A gray hat is considered somewhere in the middle of the two. A gray hat will break
into a system, notify the administrator of the security hole, and offer to fix the security
issues for a fee.
Computer Crime Concepts, cont.
• Computer crime examples
• Fake or rogue antivirus software is installed on computers because of scare tactics
that are displayed in pop-up boxes.
• Ransomware attempts to extort money from potential victims by either encrypting the
computer's data and asking for payment to fix it, or claiming that the computer has
been used for illegal activities and a fine must be paid to prevent prosecution.
• Scareware locks up a computer and warns that a violation of federal or international
law has occurred, and a fine must be paid.
Licensing and Intellectual Property
• Intellectual property law is a group of laws that recognizes
exclusive rights for creations of the mind.
• Patent
• Trade secret
• Trademark
• Copyright
• Software piracy and licensing issues
Licensing and Intellectual Property, cont.
• Employees are the greatest threat to any organization.
• Organizations should take measures to protect confidential resources
from unauthorized internal access.
• Any information that is part of a patent, trade secret, trademark, or
copyright should be marked and given the appropriate classification.
• Access controls should be customized for this information, and audit
controls should be implemented that alert personnel should any access
occur.
• Due care procedures and policies must be in place to ensure that any
laws that protect these assets can be used to prosecute an offender.
Licensing and Intellectual Property, cont.
• Digital Rights Management (DRM)
• DRM includes restrictive license agreements and encryption. It protects
computer games, software, documents, eBooks, films, music, and television.
• The primary concern of DRM is the control of documents by using open,
edit, print, or copy access restrictions that are granted on a permanent or
temporary basis.
Cyber Crimes and Data Breaches
• A data breach is any incident in which information that is
considered private or confidential is released to unauthorized
parties.
• A cyber crime is any criminal activity that is carried out by
means of computers or the Internet.
• The U.S. Federal Bureau of Investigation (FBI) is the lead
federal agency for investigating cyber attacks by criminals,
overseas adversaries, and terrorists.
Session 2
Class Plan
• Privacy
• Professional Ethics
• Security Documentation
• Business Continuity
• Personnel Security Policies and Procedures
Privacy
• Privacy concerns usually cover three areas:
• Which personal information can be shared with whom
• Whether messages can be exchanged confidentially
• Whether and how one can send messages anonymously
• Personally identifiable information (PII)
• PII is any piece of data that can be used alone or with other information
to identify a single person.
• Examples include full name, identification numbers, date of birth, place
of birth, biometric data, financial account numbers, and digital identities.
• Security professionals must ensure that they understand international,
national, state, and local regulations and laws regarding PII.
Privacy, cont.
• Laws and regulations
• Security professionals must be aware of the laws and at a minimum
understand how those laws affect the operations of their organization.
• Sarbanes-Oxley (SOX) Act
• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act (GLBA) of 1999
• Computer Fraud and Abuse Act (CFAA) of 1986
• Federal Privacy Act of 1974
• Foreign Intelligence Surveillance Act (FISA) of 1978
• Electronic Communications Privacy Act (ECPA) of 1986
• Computer Security Act of 1987
Privacy, cont.
• Laws and regulations, cont.
• United States Federal Sentencing Guidelines of 1991
• Communications Assistance for Law Enforcement Act (CALEA) of
1994
• Personal Information Protection and Electronic Documents Act
(PIPEDA)
• Basel II
• Federal Information Security Management Act (FISMA) of 2002
• Economic Espionage Act of 1996
• USA PATRIOT Act of 2001
• Health Care and Education Reconciliation Act of 2010
• USA Freedom Act of 2015
Privacy, cont.
• Employee privacy issues must be addressed to ensure that the
organization is protected.
• Give employees proper notice of any monitoring that might be
used.
• Ensure that the monitoring of employees is applied in a
consistent manner.
• Some actions are protected by the U.S. Constitution's Fourth
Amendment.
• Security professionals and senior management should consult
with legal counsel when designing and implementing any
monitoring solution.
Privacy, cont.
• European Union
• The EU Principles on Privacy include strict laws to protect private
data.
• The EU's Data Protection Directive provides direction on how to follow
the laws set forth in the principles.
• The EU created the Safe Harbor Privacy Principles to help guide U.S.
organizations in compliance with the EU Principles on Privacy.
• The EU Electronic Security Directive defines electronic signature
principles.
• Beginning on May 25, 2018, the EU member states apply the General
Data Protection Regulation (GDPR), which covers EU-based organizations
that collect or process the personal data of EU residents and
organizations outside the EU that monitor the behavior of, or offer
goods and services to, EU residents.
Professional Ethics
• Ethics for any profession are the moral principles that define the
right and wrong actions of that occupation.
• Security professionals, particularly those who hold the CISSP
certification, should understand the ethics that are published by
the International Information Systems Security Certification
Consortium (ISC)2, the Computer Ethics Institute, the Internet
Architecture Board (IAB), and the organization that employs
them.
Professional Ethics, cont.
• Organizational ethics
• By adopting a formal ethics statement and program, the organization is
stressing to its employees that they are expected to act in an ethical
manner in all business dealings.
• Several laws in the United States can affect the development and
adoption of an organizational ethics program.
• If an organization adopts an ethics program, its liability is often
limited, provided that it ensures that personnel have been instructed on
the organization's ethics.
Security Documentation
• Strategic plans guide the organization's long-term security
activities (3–5 years or more). Tactical plans achieve the goals of
the strategic plan and are shorter in length (6–18 months).
• Management approval must be obtained as part of the first step
in forming and adopting an information security policy.
• Senior management must:
• Define the scope of the security program.
• Identify all the assets that need protection.
• Determine the level of protection that each asset needs.
• Determine personnel responsibilities.
• Develop consequences for noncompliance with the security policy.
Security Documentation, cont.
• High-level policies are statements that indicate senior
management's intention to support security.
• After senior management approval has been obtained, the first
step is to adopt an organizational information security statement.
• The organization's security policy comes from this organizational
information security statement.
Security Documentation, cont.
• Information security governance components include the
following:
• Policies
• Processes
• Procedures
• Standards
• Guidelines
• Baselines
Security Documentation, cont.
• A security policy dictates the role of security as provided by
senior management and is strategic in nature, meaning it
provides the end result of security.
• Policies are defined in two ways:
• The level in the organization at which they are enforced
• The category to which they are applied
Security Documentation, cont.
• Policies are broad and provide the foundation for development of
standards, baselines, guidelines, and procedures, all of which provide the
security structure.
Security Documentation, cont.
• An organizational security policy is the highest security policy
adopted by an organization and is steered by the business goals.
• It must be supported by all stakeholders and should have high
visibility for all personnel and be discussed regularly.
• Each version of the policy should be maintained and
documented with each new release.
• A system-specific security policy addresses security for a
specific computer, network, technology, or application. It outlines
how to protect the system or technology.
• An issue-specific security policy addresses specific security
issues.
Security Documentation, cont.
• Regulatory security policies address specific industry
regulations, including mandatory standards.
• Advisory security policies provide instruction on acceptable and
unacceptable activities.
• Informative security policies provide information on certain
topics and act as an educational tool.
• A process is a series of actions or steps taken to achieve a
particular end.
• Procedures embody all the detailed actions that personnel are
required to follow and are the closest to the computers and other
devices.
Security Documentation, cont.
• Standards describe how policies will be implemented within an
organization.
• They are mandatory actions or rules that are tactical in nature, meaning
they provide the steps necessary to achieve security.
• Guidelines are recommended actions that are much more
flexible than standards, thereby providing allowance for
circumstances that can occur.
• A baseline is a reference point that is defined and captured to
be used as a future reference.
• Baselines should be captured when a system is properly configured and
fully updated.
• When updates occur, new baselines should be captured and compared
to the previous baselines.
Business Continuity
• Disruption: Any unplanned event that results in the temporary
interruption of any organizational asset, including processes,
functions, and devices.
• Three main categories
• Non-disasters
• Disasters
• Catastrophes
Business Continuity, cont.
• Disaster: An emergency that goes beyond the normal response
of resources.
• A disaster usually affects a wide geographical area and results in
severe damage, injury, loss of life, and loss of property.
• A disaster is officially over when all business elements have returned to
normal function at the original site.
• The primary concern during any disaster is personnel safety.
Business Continuity, cont.
• The causes of disasters are categorized into three main areas
according to origin.
• Technological disasters occur when a device fails.
• Human-caused disasters occur through human intent or error.
• Natural disasters occur because of a natural hazard.
• Disaster recovery minimizes the effect of a disaster and
includes the steps necessary to resume normal operation.
• Each organizational function or system will have its own disaster
recovery plan (DRP).
Business Continuity, cont.
• The DRP is implemented when the emergency occurs and
includes the steps to restore functions and systems.
• The goal of the DRP is to minimize or prevent property damage
and prevent loss of life.
• Continuity planning deals with identifying the impact of any
disaster and ensuring that a viable recovery plan for each
function and system is implemented.
• The business continuity plan (BCP) lists and prioritizes the
services that are needed, particularly the telecommunications
and IT functions.
Business Continuity, cont.
• A business impact analysis (BIA) is a functional analysis that
occurs as part of business continuity and disaster recovery.
• The contingency plan provides instruction on what personnel
should do until the functions and systems are restored to full
functionality.
• A contingency plan, along with the BCP and DRP, should be
reviewed at least once a year.
• Version control should be maintained.
• Copies should be provided to personnel for storage both onsite
and offsite.
Business Continuity, cont.
• Availability is a main component of business continuity
planning. The organization must determine the acceptable level
of availability for each function or system.
• Reliability is the capability of a function or system to
consistently perform according to specifications.
Business Continuity, cont.
• The most important personnel in the development of the BCP
are senior management.
• Senior management should name a business continuity coordinator, who
leads the BCP committee.
• The committee develops, implements, and tests the BCP and DRP.
• The BCP committee must work with business units to ultimately
determine the priorities.
• The BCP committee should regularly review the plans to ensure they
remain current and viable.
• To ensure that the development of the BCP is successful, senior
management must define the BCP scope, which often means
dividing the business continuity project into smaller, more
manageable pieces.
Business Continuity, cont.
• An organization might want to split the BCP into pieces based on
geographic location or facility.
• However, an enterprisewide BCP should be developed that
ensures compatibility of the individual plans.
• One of the most popular business continuity and disaster
recovery planning standards is Special Publication (SP) 800-34
Revision 1 (R1) from NIST.
Business Continuity, cont.
• The BCP development depends most on the development of the
BIA.
• The BIA consists of four main steps:
1. Identify critical processes and resources.
2. Identify outage impacts and estimate downtime.
3. Identify resource requirements.
4. Identify recovery priorities.
• The BIA relies heavily on any vulnerability analysis and risk
assessment that is completed.
Business Continuity, cont.
• Identify critical processes and resources.
• Identify the organization's business units or functional areas.
• Select which individuals will gather all the needed data, and select how
to obtain the data.
• Use a variety of techniques, including questionnaires, interviews, and
surveys.
• Document the organization's business processes and functions and the
resources upon which these processes and functions depend.
Business Continuity, cont.
• Identify outage impacts and estimate downtime.
• Determine the criticality level of each resource.
• As part of this process, you need to understand the following terms:
• Maximum tolerable downtime (MTD)
• Mean time to repair (MTTR)
• Mean time between failures (MTBF)
• Recovery time objective (RTO)
• Work recovery time (WRT)
• Recovery point objective (RPO)
Business Continuity, cont.
• Identify outage impacts and estimate downtime, cont.
• Develop documented criticality levels, like the following examples:
• Critical resources should be restored within minutes or hours of the
disaster or disruptive event.
• Urgent resources should be restored in 24 hours.
• Important resources should be restored in 72 hours.
• Normal resources should be restored in 7 days.
• Nonessential resources should be restored within 30 days.
• Define the criticality level of each process, function, and resource.
• If critical priority levels are not defined, a DRP might not be operational
within the timeframe the organization needs to recover.
Business Continuity, cont.
• Identify resource requirements.
• Determine all the resource requirements for each function and
resource.
• Resource requirements should also consider any Human Resources
requirements.
• Document the resource requirements for every resource that would
need to be restored when the disruptive event occurs.
Business Continuity, cont.
• Identify recovery priorities.
• After identifying resource requirements, identify recovery priorities.
• Establish recovery priorities by considering the following:
• Process criticality
• Outage impacts
• Tolerable downtime
• System resources
• Three main levels of recovery priorities: high, medium, and low.
• The BIA stipulates the recovery priorities but does not provide the
recovery solutions. Those are given in the DRP.
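As an added example, not from the slides, the following Python carries the BIA steps above through: it assigns each resource a criticality level from its MTD using the slides' example thresholds, ranks recovery priorities, and flags any resource whose RTO plus WRT exceeds its MTD. Assumptions: the "minutes or hours" bound for critical is taken as 4 hours, the mapping of criticality levels onto high/medium/low priorities is mine, the RTO + WRT <= MTD check is the usual BIA rule rather than something stated on the slides, and the inventory is constructed.

```python
# Added example, not from the slides: derive BIA criticality levels from
# each resource's MTD, rank recovery priorities, and flag resources whose
# planned recovery cannot finish inside the tolerable downtime.
from dataclasses import dataclass
from typing import List, Tuple

HOUR = 1
DAY = 24 * HOUR

# Criticality levels as upper bounds on MTD in hours, following the slides'
# example levels. "Minutes or hours" for critical is taken as 4 hours here
# (an assumption; the slides give no exact figure).
LEVELS: List[Tuple[str, int]] = [
    ("critical", 4 * HOUR),
    ("urgent", 24 * HOUR),
    ("important", 72 * HOUR),
    ("normal", 7 * DAY),
    ("nonessential", 30 * DAY),
]

# Assumed mapping of criticality levels onto the three recovery priority
# levels the slides name (high, medium, low).
PRIORITY = {"critical": "high", "urgent": "high", "important": "medium",
            "normal": "low", "nonessential": "low"}


@dataclass
class Resource:
    name: str
    mtd_hours: float   # maximum tolerable downtime
    rto_hours: float   # recovery time objective: time to get the system back
    wrt_hours: float   # work recovery time: verify data and resume business work


def criticality(mtd_hours: float) -> str:
    """Smallest level whose bound still covers the MTD."""
    for level, bound in LEVELS:
        if mtd_hours <= bound:
            return level
    return "nonessential"


def recovery_shortfall(res: Resource) -> float:
    """Hours by which RTO + WRT exceeds MTD. Positive means the DRP would
    not be operational in time. RTO + WRT <= MTD is the usual BIA rule
    (an assumption here; it is not stated on the slides)."""
    return res.rto_hours + res.wrt_hours - res.mtd_hours


def recovery_priorities(resources: List[Resource]) -> List[Tuple[str, str, str, bool]]:
    """(name, criticality, priority, at_risk), most critical first and
    shortest MTD first within a level."""
    rank = {level: i for i, (level, _) in enumerate(LEVELS)}
    ordered = sorted(resources,
                     key=lambda r: (rank[criticality(r.mtd_hours)], r.mtd_hours))
    return [(r.name, criticality(r.mtd_hours),
             PRIORITY[criticality(r.mtd_hours)], recovery_shortfall(r) > 0)
            for r in ordered]


# Constructed inventory for a small retailer.
INVENTORY = [
    Resource("order-processing db", mtd_hours=2, rto_hours=1, wrt_hours=2),
    Resource("payroll", mtd_hours=20, rto_hours=6, wrt_hours=6),
    Resource("email", mtd_hours=48, rto_hours=8, wrt_hours=4),
    Resource("intranet wiki", mtd_hours=10 * DAY, rto_hours=24, wrt_hours=8),
]

if __name__ == "__main__":
    for row in recovery_priorities(INVENTORY):
        print(row)
```

The order-processing database is flagged: its plan needs three hours of recovery work against a two-hour MTD, which is exactly the gap the slides warn about when criticality levels are not defined up front.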
Business Continuity, cont.
• Recoverability is the capability of a function or system to be
recovered in the event of a disaster or disruptive event.
• Fault tolerance is provided when a backup component begins
operation when the primary component fails.
Personnel Security Policies and Procedures
• Personnel are responsible for the vast majority of security issues
within an organization. Personnel security policies should include
screening, hiring, and termination policies.
• Candidate screening and hiring
• Employment agreement and policies
• Employment onboarding and offboarding policies
• Vendor, consultant, and contractor agreements and controls
• Compliance policy requirements
• Privacy policy requirements
Personnel Security Policies and Procedures, cont.
• Job rotation
• Ensures that more than one person can perform job tasks, thereby
providing redundancy.
• Separation of duties
• Ensures that one person cannot compromise organizational security.
• There are two variations of this principle:
• Split knowledge ensures that no single employee knows all the details to
perform a task.
• Dual control requires that two employees must be available to complete a
specific task to complete the job.
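Added example, not from the slides: split knowledge implemented as XOR key shares held by different custodians, and dual control as a two-approver gate that a single employee cannot satisfy alone. The employee names and the "load-key" action are constructed.

```python
# Added example, not from the slides: split knowledge (a key broken into
# shares so no one employee holds it all) and dual control (two distinct
# employees must approve before the key is reassembled).
import secrets
from typing import Dict, Iterable, List, Set


def split_knowledge(secret: bytes, holders: int) -> List[bytes]:
    """XOR secret sharing: all `holders` shares are needed to rebuild the
    secret; any smaller subset is statistically independent of it."""
    if holders < 2:
        raise ValueError("split knowledge needs at least two holders")
    shares = [secrets.token_bytes(len(secret)) for _ in range(holders - 1)]
    last = bytearray(secret)
    for share in shares:
        last = bytearray(a ^ b for a, b in zip(last, share))
    return shares + [bytes(last)]


def combine_shares(shares: Iterable[bytes]) -> bytes:
    """XOR all shares together; with every share present this is the secret."""
    result = None
    for share in shares:
        result = share if result is None else bytes(a ^ b for a, b in zip(result, share))
    if result is None:
        raise ValueError("no shares given")
    return result


class DualControl:
    """An action may run only after two different authorized employees
    approve it; one employee approving twice does not count."""

    def __init__(self, authorized: Iterable[str]):
        self.authorized: Set[str] = set(authorized)
        self.approvals: Dict[str, Set[str]] = {}

    def approve(self, action_id: str, employee: str) -> int:
        if employee not in self.authorized:
            raise PermissionError(f"{employee} may not approve {action_id}")
        self.approvals.setdefault(action_id, set()).add(employee)
        return len(self.approvals[action_id])   # distinct approvers so far

    def can_execute(self, action_id: str) -> bool:
        return len(self.approvals.get(action_id, set())) >= 2


def load_master_key(control: DualControl, action_id: str,
                    shares: List[bytes]) -> bytes:
    """Reassemble the key only when dual control is satisfied; in practice
    each share is entered by its own custodian."""
    if not control.can_execute(action_id):
        raise PermissionError("dual control not satisfied: need two approvers")
    return combine_shares(shares)


if __name__ == "__main__":
    key = secrets.token_bytes(16)        # constructed master key
    shares = split_knowledge(key, 2)     # one share per key custodian
    ceremony = DualControl(["alice", "bob"])
    ceremony.approve("load-key", "alice")
    ceremony.approve("load-key", "bob")
    assert load_master_key(ceremony, "load-key", shares) == key
    print("key reassembled under dual control")
```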
Session 3
Class Plan
• Risk Management Concepts
• Access Control Categories and Types
• Risk Frameworks
• NIST
• ISO/IEC 27005:2011
• Geographic Threats
• SLAs
• Security Education, Training, and Awareness
Risk Management Concepts
• Asset: Any resource, product, process, system, or other thing
that has value to an organization and must be protected.
• Physical or tangible assets
• Intangible assets
• All assets must be assessed for their value to the organization.
• Vulnerability: The absence of a countermeasure, or a weakness in a
countermeasure that is in place.
• Threat: Occurs when a vulnerability is identified or exploited by
an attacker.
• Threat agent: The entity that carries out the threat.
• Exploit: When a threat agent successfully takes advantage of a
vulnerability.
Risk Management Concepts, cont.
• Risk: The probability that a threat agent will exploit a
vulnerability and the impact if the threat is carried out.
• Exposure: Occurs when an organizational asset is exposed to
losses.
• Countermeasure: A control or mechanism that reduces the
potential risk.
• Risk appetite: The level of risk an organization is prepared to
accept.
• Attack: Any event that violates an organization’s security or
privacy policies. Also referred to as an incident.
• Breach: An attack that has been successful in reaching its goal.
Risk Management Concepts, cont.
• The risk management policy is a formal statement of senior
management's commitment to risk management.
• A risk management policy must include the overall risk
management plan, list the risk management team, and
specifically list the following:
• Risk management team's objectives.
• Responsibilities and roles.
• Acceptable level of risk.
• Risk identification process.
• Risk and safeguards mapping.
Risk Management Concepts, cont.
• Risk management policy contents, cont.
• Safeguard effectiveness.
• Monitoring process and targets.
• Future risk analysis plans and tasks.
• The risk management team might be an actual team of
employees or might consist of only a single team member.
• The team's goal is to protect the organization and its assets from
risk in the most cost-effective way.
Risk Management Concepts, cont.
• Senior management must
• Specifically put a resource allocation measure in place to ensure the
success of the risk management process.
• Ensure that the members of the risk management team, particularly the
team leader, are given the necessary training and tools for risk
management.
• The risk analysis team must consist of representatives from as
many departments and as many employment levels as possible.
• If the risk analysis team cannot contain members from all
departments, the members must interview each department to
understand all the threats encountered by that department.
Risk Management Concepts, cont.
• A risk assessment identifies vulnerabilities and threats,
assesses the impact of those vulnerabilities and threats, and
determines which controls to implement.
• Risk assessment or analysis has four main goals:
• Identify assets and asset value.
• Identify vulnerabilities and threats.
• Calculate threat probability and business impact.
• Balance threat impact with countermeasure cost.
Risk Management Concepts, cont.
• The risk assessment team must provide a report to management
on the value of the assets considered.
• Management can review and finalize the asset list, adding and
removing assets as it sees fit, and then determine the budget of
the risk assessment project.
• If a risk assessment is not supported and directed by senior
management, it will not be successful.
• Management must define the risk assessment's purpose and
scope and allocate the personnel, time, and monetary resources
for the project.
continues
72
Risk Management Concepts, cont.
• Tangible assets include computers, facilities, supplies, and
personnel.
• Intangible assets include intellectual property, data, and
organizational reputation.
• Six factors determine the asset's value:
• Value to owner.
• Work required to develop or obtain the asset.
• Costs to maintain the asset.
• Damage that would result if the asset were lost.
• Cost that competitors would pay for the asset.
• Penalties that would result if the asset were lost.
continues
73
Risk Management Concepts, cont.
• Threat agents can be grouped into the following six categories:
• Human
• Natural
• Technical
• Physical
• Environmental
• Operational
• Identify vulnerabilities and threats.
• Determine the loss potential for each threat.
continues
74
Risk Management Concepts, cont.
• Different types of risk analysis, including quantitative risk
analysis and qualitative risk analysis, should be used to
ensure that the data that is obtained is maximized.
• A quantitative risk analysis assigns monetary and numeric values
to all facets of the risk analysis process, including asset value,
threat frequency, vulnerability severity, impact, safeguard costs,
and so on.
continues
75
Risk Management Concepts, cont.
• Equations are used to determine total and residual risks. The
most common equations are for single loss expectancy (SLE)
and annual loss expectancy (ALE).
• To determine the SLE, you must know the asset value (AV) and the
exposure factor (EF).
• The EF is the percent value or functionality of an asset that will be lost
when a threat event occurs.
• The calculation for obtaining the SLE is as follows:
SLE = AV × EF
continues
76
Risk Management Concepts, cont.
• Equations, cont.
• The ALE is the expected risk factor of an annual threat event.
• The annualized rate of occurrence (ARO) is the estimate of how often
a given threat might occur annually.
• The calculation for obtaining the ALE is as follows:
ALE = SLE × ARO
• Using the ALE, the organization can decide whether to
implement controls.
continues
77
Risk Management Concepts, cont.
• An advantage of quantitative over qualitative risk analysis is that
quantitative uses less guesswork than qualitative.
• Disadvantages of quantitative risk analysis include the difficulty
of the equations, the time and effort needed to complete the
analysis, and the level of data that must be gathered for the
analysis.
• Qualitative risk analysis techniques include intuition, experience,
and best practice techniques, such as brainstorming, focus
groups, surveys, questionnaires, meetings, interviews, and
Delphi.
• Each member of the group who has been chosen to participate
in the qualitative risk analysis uses his experience to rank the
likelihood of each threat and the damage that might result.
continues
78
Risk Management Concepts, cont.
• After each group member ranks the threat possibility, loss
potential, and safeguard advantage, data is combined in a report
to present to management.
• Advantages of qualitative over quantitative risk analysis:
qualitative prioritizes the risks and identifies areas for immediate
improvement in addressing the threats.
• Disadvantages of qualitative risk analysis: all results are
subjective, and a dollar value is not provided for cost-benefit
analysis or budget help.
• The most common criterion for choosing a safeguard is the cost-
effectiveness of the safeguard or control.
continues
79
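The qualitative approach described above ends with each participant's rankings being combined into a report for management. The following Python block is an added example, not code from the CISSP Cert Guide, showing one way to do that combination in a Delphi-style round: anonymous likelihood and impact ratings are aggregated with the median, multiplied into a risk score, placed in High/Medium/Low bands, and threats the group disagrees on are flagged for another round. The 1-5 rating scale, the band thresholds, the disagreement threshold and the sample ratings are all constructed assumptions for illustration.

```python
"""Qualitative risk ranking: combine anonymous participant ratings.

Added example; not code from the CISSP Cert Guide. The scale, thresholds
and sample ratings below are constructed for illustration.
"""
from statistics import median

# Assumed ordinal scale: 1 = very low ... 5 = very high.
SCALE = (1, 2, 3, 4, 5)

# Constructed sample: each participant submits (likelihood, impact) per threat.
# Four participants rated five threats; the insider threat shows disagreement.
SAMPLE_RATINGS = {
    "Ransomware on file server": [(4, 5), (5, 5), (4, 4), (5, 5)],
    "Phishing leading to credential theft": [(5, 4), (4, 3), (5, 4), (4, 4)],
    "Data-center power outage": [(2, 4), (2, 3), (3, 4), (2, 4)],
    "Insider data exfiltration": [(2, 5), (4, 5), (1, 4), (5, 5)],
    "Website defacement": [(3, 2), (2, 2), (3, 1), (2, 2)],
}


def band(score: float) -> str:
    """Map a likelihood x impact score (1-25) to a priority band.
    Thresholds are an assumption; an organization sets its own."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def aggregate(ratings: dict, disagreement_threshold: int = 3) -> list:
    """Combine participant ratings into one prioritized list.

    The median resists a single outlier vote. A spread (max - min) at or
    above the threshold on either axis marks the threat for another
    Delphi round rather than letting one loud opinion settle it."""
    rows = []
    for threat, votes in ratings.items():
        likelihoods = [lik for lik, _ in votes]
        impacts = [imp for _, imp in votes]
        for value in likelihoods + impacts:
            if value not in SCALE:
                raise ValueError(f"rating {value!r} for {threat!r} is off the scale")
        lik = median(likelihoods)
        imp = median(impacts)
        spread = max(max(likelihoods) - min(likelihoods),
                     max(impacts) - min(impacts))
        score = lik * imp
        rows.append({
            "threat": threat,
            "likelihood": lik,
            "impact": imp,
            "score": score,
            "band": band(score),
            "needs_another_round": spread >= disagreement_threshold,
        })
    # Highest score first; ties broken alphabetically so output is stable.
    rows.sort(key=lambda r: (-r["score"], r["threat"]))
    return rows


if __name__ == "__main__":
    for row in aggregate(SAMPLE_RATINGS):
        flag = "  (revisit: participants disagree)" if row["needs_another_round"] else ""
        print(f"{row['band']:<7} {row['score']:>5}  {row['threat']}{flag}")
```

The output is a prioritized list rather than a dollar figure, which is exactly the trade-off the slides describe: areas for immediate improvement are visible, but no value is available for cost-benefit analysis.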
Risk Management Concepts, cont.
• To calculate a cost-benefit analysis, use the following equation:
(ALE before safeguard) – (ALE after safeguard) – (annual cost of
safeguard) = safeguard value
• To complete this equation, you must know the revised ALE after
the safeguard is implemented.
• A legal liability exists if the cost of the safeguard is less than the
estimated loss that would occur if the threat is exploited.
• Organizations should fully research the costs of maintaining
safeguards.
• The cost of a safeguard must include the actual cost to
implement plus any training costs, testing costs, labor costs, and
so on.
continues
80
Risk Management Concepts, cont.
• Total risk is the risk that an organization could encounter if it
decides not to implement any safeguards.
• Residual risk is risk that is left over after safeguards have been
implemented.
• Residual risk is represented using the following equation:
Residual risk = Inherent risk – countermeasures
• Four basic methods are used to handle risk:
• Risk avoidance
• Risk transfer
• Risk mitigation
• Risk acceptance
continues
81
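The SLE, ALE and safeguard-value equations above, and the total versus residual risk distinction, can be carried through end to end. The Python block below is an added example, not code from the CISSP Cert Guide: it computes SLE = AV × EF and ALE = SLE × ARO, evaluates several candidate safeguards with (ALE before) – (ALE after) – (annual cost), treats the unmitigated ALE as total risk and the post-safeguard ALE as the residual risk in money terms, and recommends the best safeguard only when its value is positive. The asset value, exposure factors, rates of occurrence and safeguard costs are constructed figures, not data from the page.

```python
"""Quantitative risk analysis: SLE, ALE, safeguard value and residual risk.

Added example; not code from the CISSP Cert Guide. All monetary figures,
exposure factors and rates of occurrence below are constructed.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction (0.0-1.0) of the asset's value lost
    in one threat event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is the expected number of events per year
    (0.1 is roughly once a decade, 12 is monthly)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    # Full annual cost: implementation spread over its service life plus
    # training, testing, labor and maintenance, as the slides require.
    annual_cost: float
    # Exposure factor and ARO expected once the safeguard is in place.
    ef_after: float
    aro_after: float


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """(ALE before safeguard) - (ALE after safeguard) - (annual cost of safeguard)."""
    return ale_before - ale_after - annual_cost


def evaluate_safeguards(asset_value, ef, aro, safeguards):
    """Rank candidate safeguards by value, best first.

    ale_before is the total risk (no safeguard in place); ale_after is the
    residual risk that remains once that safeguard is implemented."""
    total_risk = annual_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    rows = []
    for sg in safeguards:
        residual = annual_loss_expectancy(
            single_loss_expectancy(asset_value, sg.ef_after), sg.aro_after)
        rows.append({
            "safeguard": sg.name,
            "ale_before": total_risk,
            "ale_after": residual,
            "annual_cost": sg.annual_cost,
            "value": safeguard_value(total_risk, residual, sg.annual_cost),
        })
    rows.sort(key=lambda r: r["value"], reverse=True)
    return rows


def recommend(rows):
    """Best safeguard with a positive value, or None when every candidate
    costs more per year than it saves (pointing toward acceptance or
    transfer rather than mitigation)."""
    if not rows or rows[0]["value"] <= 0:
        return None
    return rows[0]["safeguard"]


# Constructed scenario: a $500,000 file server, a threat that destroys a
# quarter of its value per event and is expected about every two years.
ASSET_VALUE = 500_000.0
EXPOSURE_FACTOR = 0.25
ARO = 0.5
CANDIDATES = [
    Safeguard("Tested offsite backups", annual_cost=8_000.0, ef_after=0.05, aro_after=0.5),
    Safeguard("Hot site with replication", annual_cost=60_000.0, ef_after=0.02, aro_after=0.5),
    Safeguard("Mail filtering and user training", annual_cost=15_000.0, ef_after=0.25, aro_after=0.1),
]

if __name__ == "__main__":
    results = evaluate_safeguards(ASSET_VALUE, EXPOSURE_FACTOR, ARO, CANDIDATES)
    for row in results:
        print(f"{row['safeguard']:<34} ALE before {row['ale_before']:>9,.0f}  "
              f"ALE after {row['ale_after']:>8,.0f}  cost {row['annual_cost']:>7,.0f}  "
              f"value {row['value']:>8,.0f}")
    print("Recommended:", recommend(results))
```

Note how the two kinds of safeguard act on different terms: backups and a hot site lower the exposure factor (less is lost per event), while filtering and training lower the ARO (fewer events). The hot site produces the smallest residual risk yet has negative value, which is the cost-effectiveness criterion the slides name for choosing between controls.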
Risk Management Concepts, cont.
• After the risk assessment is complete, the organization must
implement and maintain the safeguards.
• Risk analysis should be carried out on a regular basis.
• The goal of any risk countermeasure implementation is to
improve the organization's security without negatively impacting
performance.
• All organizational personnel should be involved in the
deployment of countermeasures and controls for risk
management.
• Documentation and communication across all areas will ensure
that each individual business unit's risk management and
implementation is as complete as possible.
82
Access Control
Categories and Types
• Access control mechanisms that you can use are divided into
seven main categories:
• Compensative: Substitutes for a primary access control and mainly
acts as a mitigation to risks.
• Corrective: Reduces the effect of an attack or other undesirable event.
• Detective: Detects an attack while it is occurring to alert appropriate
personnel.
• Deterrent: Deters or discourages an attacker. Deterrent controls often
trigger preventive and corrective controls.
• Directive: Specifies acceptable practice within an organization.
continues
83
Access Control
Categories and Types, cont.
• Access control mechanisms, cont.
• Preventive: Prevents an attack from occurring.
• Recovery: Recovers a system or device after an attack has occurred.
• Any access control that you implement can fit into one or more
access control categories.
• There are three types of access controls:
• Administrative (management) controls: Implemented to administer
the organization's assets and personnel.
• Logical (technical) controls: Used to restrict access.
• Physical controls: Protect an organization's facilities and personnel.
Personnel concerns should take priority over all other concerns.
84
Risk Frameworks
• Risk frameworks can serve as guidelines to any organization that
is involved in the risk analysis and management process.
• Organizations should use these frameworks as guides but
should also feel free to customize any plans and procedures they
implement to fit their needs.
85
NIST
• NIST Risk Management Framework
86
NIST Framework for Improving Critical
Infrastructure Cybersecurity
• The NIST Framework for Improving Critical Infrastructure Cybersecurity
provides a cybersecurity risk framework.
• The framework is based on five framework core functions:
• Identify (ID)
• Protect (PR)
• Detect (DE)
• Respond (RS)
• Recover (RC)
• Within each of these functions, security professionals should define
cybersecurity outcomes closely tied to organizational needs and particular
activities.
• Each category is then divided into subcategories that further define specific
outcomes of technical and/or management activities.
continues
87
NIST Framework for Improving Critical
Infrastructure Cybersecurity, cont.
• Framework implementation tiers describe the degree to which an
organization’s cybersecurity risk management practices exhibit the
characteristics defined in the framework.
• The following four tiers are used:
• Tier 1: Partial
• Tier 2: Risk Informed
• Tier 3: Repeatable
• Tier 4: Adaptive
• Finally, a framework profile is the alignment of the functions, categories, and
subcategories with the business requirements, risk tolerance, and resources
of the organization.
88
ISO/IEC 27005:2011
• According to ISO/IEC 27005:2011, the risk management process consists of
the following steps:
1. Context Establishment: Defines the risk management's boundary.
2. Risk Analysis (Risk Identification & Estimation phases): Evaluates the risk level.
3. Risk Assessment (Risk Analysis & Evaluation phases): Analyzes the identified risks
and takes into account the objectives of the organization.
4. Risk Treatment (Risk Treatment & Risk Acceptance phases): Determines how to
handle the identified risks.
5. Risk Communication: Shares information about risk between the decision makers and
other stakeholders.
6. Risk Monitoring and Review: Detects any new risks and maintains the risk
management plan.
89
Geographic Threats
• Internal versus External Threats
• Natural Threats
• Hurricanes/tropical storms
• Tornadoes
• Earthquakes
• Floods
• Volcanoes
• System Threats
• Electrical
• Communications
• Utilities
continues
90
Geographic Threats, cont.
• Human-caused Threats
• Explosions
• Fire
• Vandalism
• Fraud
• Theft
• Collusion
continues
91
Geographic Threats, cont.
• Politically Motivated Threats
• Strikes
• Riots
• Civil disobedience
• Terrorist acts
• Bombing
92
Threat Modeling
• Threat modeling allows an organization to use a structured
approach to security and to address the top threats that have the
greatest potential impact to the organization first.
• Threat modeling identifies and rates the threats that are most
likely to impact the organization.
• Three different perspectives:
• Application-centric threat modeling
• Asset-centric threat modeling
• Attacker-centric threat modeling
• Identifying threats and threat actors in threat modeling resembles
identifying threats and vulnerabilities as part of risk management.
continues
93
Threat Modeling, cont.
• STRIDE Model
• Developed by Microsoft, STRIDE is a threat classification model used to
assess the threats in an application.
• It covers the following six categories:
• Spoofing of user identity
• Tampering
• Repudiation
• Information disclosure (privacy breach or data leak)
• Denial of Service (DoS)
• Elevation of privilege
• This method usually requires subject matter experts (SMEs) to
determine the threats, threat classifications, and relevance of security
properties to the elements of a threat model.
continues
94
Threat Modeling, cont.
• Process for Attack Simulation and Threat Analysis (PASTA)
Methodology
• The PASTA methodology provides a seven-step process for analyzing
applications to align business objectives and technical requirements.
• The steps in the process are as follows:
1. Business objectives definition
2. Technical scope definition
3. Application decomposition
4. Threat analysis
5. Vulnerability detection
6. Attack enumeration
7. Risk and impact analysis
continues
95
Threat Modeling, cont.
• Trike Methodology
• Trike is both a methodology and a tool with its basis in a requirements model
designed to ensure that the level of risk assigned to each asset is classified
as acceptable by stakeholders.
• With this methodology, an implementation model is created and then
analyzed to produce a threat model.
• Risk values are assigned to the identified threats.
• Mitigating controls are assigned to the vulnerabilities that lead to the
identified threats.
• The main difference between Trike and STRIDE is that Trike uses a risk-
based approach.
continues
96
Third-Party Assessment and Monitoring
• A third party performs analysis of organizational operations and
any other area dictated by the certifying or regulating
organization, reporting all results of its findings to the certifying or
regulating organization.
• A member of high-level management usually manages this
process so that the third party is given access as needed. As
part of this analysis, the third party might need to perform the
following:
• Onsite assessment
• Document exchange
• Process/policy review
continues
97
Third-Party Assessment and Monitoring,
cont.
• Governance may apply when an organization employs third
parties to provide services to an organization.
• A security professional must help the organization to ensure that
the third party implements appropriate due diligence in all
aspects that affect the organization.
• This assurance can be provided only by inspection, review, and
assessment of the third-party provider.
• A security professional should be aware of any countries,
organizations, or individuals that may have jurisdiction over the
third party's systems.
98
Minimum Service-Level and Security
Requirements
• Minimum service-level requirements document the minimum
level of service that a provider must maintain and are typically
spelled out in a service-level agreement (SLA).
• Security professionals should define the minimum security
requirements for any acquisitions made by the organization.
• For each different acquisition type, it may be necessary to define
separate security policies.
• The security controls vary just as much as the acquisition types.
99
Service-Level Requirements
• Service-level agreements (SLAs) help a support system
respond to problems within a certain time frame while providing
an agreed level of service.
• SLAs can be internal (between departments) or external (with
service providers).
• Before an SLA can be written and signed, the organizations must
negotiate the service-level requirements.
• Carefully documented requirements are necessary to ensure that
a vendor’s SLA will fulfill the organization’s needs.
• Security professionals need to work with business unit managers
when services must be obtained from a third party, to ensure that
the service-level requirements are documented.
100
Security Education,
Training, and Awareness
• Security awareness training, security training, and security
education are three terms that are often used interchangeably,
but they are actually three different things.
• Awareness training reinforces the fact that valuable resources must be
protected by implementing security measures.
• Security training teaches personnel the skills to enable them to
perform their jobs in a secure manner.
• Awareness training and security training are usually combined as
security awareness training, which improves user awareness of
security and ensures that users can be held accountable for their
actions.
• Security education is more independent and is targeted at security
professionals who require security expertise to act as in-house experts
for managing the security programs.
continues
101
Security Education,
Training, and Awareness, cont.
• Security awareness training should be developed based on the audiences,
including high-level management, middle management, technical personnel,
and regular staff.
• Personnel should sign a document that indicates they have completed the
training and understand all the topics.
• Although the initial training should occur when personnel are hired, security
awareness training should be considered a continuous process, with future
training sessions occurring annually at minimum.
• Security education and training can be delivered in a variety of ways.
• Digital
• Live or video-on-demand
continues
102
Security Education,
Training, and Awareness, cont.
• Technical personnel training must be up to date with the latest
issues and vulnerability testing and penetration testing
techniques.
• Technical personnel must receive training in the tools that they
will regularly use.
• Security professionals should review all the security awareness
training and ensure that it is updated to address new security
issues and threats.
• Reviews should occur at regular intervals and after any changes.
103