Information security and risk management



From the CISSP® CBK®, the definition of this domain: Information Security & Risk Management entails the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures and guidelines that ensure confidentiality, integrity and availability. Management tools such as data classification, risk assessment, and risk analysis are used to identify the threats, classify assets, and to rate their vulnerabilities so that effective security controls can be implemented.

Risk management is the identification, measurement, control, and minimization of loss associated with uncertain events or risks. It includes overall security review, risk analysis, selection and evaluation of safeguards, cost-benefit analysis, management decision, safeguard implementation, and effectiveness review.

The candidate will be expected to understand the planning, organization, and roles of individuals in identifying and securing an organization's information assets; the development and use of policies stating management views and position on particular topics and the use of guidelines, standards, and procedures to support the policies; security awareness training to make employees aware of the importance of information security, its significance, and the specific security-related requirements relative to their position; the importance of confidentiality, proprietary and private information; employment agreements; employee hiring and termination practices; and risk management practices and tools to identify, rate, and reduce the risk to specific resources.

DOMAIN OBJECTIVES

• Security Planning and Organization
• Roles of Individuals in a Security Program
• Differences between Policies, Standards, Guidelines, and Procedures as related to Security
• Security Awareness throughout the Organization
• Risk Management Practices and Tools

Domain Objectives—This slide provides good insight into what the CISSP candidate should understand and be able to do at the end of this domain.

INFORMATION SECURITY TRIAD

• Availability
• Integrity
• Confidentiality

AIC TRIAD—The overarching goals of information security efforts are addressed through the AIC TRIAD. Nearly all information security efforts are based on one or more of the elements of the TRIAD. The AIC TRIAD forms the foundation of what we are trying to accomplish through our security policies, standards, procedures, baselines, and guidelines. It's important to remember this includes all IT security efforts, including outsourcing.

• Availability—The concept of availability refers to providing access to the information system and data when required by the business. Availability is different for each organization and, often, for each department in an organization. Some departments may require continuous availability, where an outage of seconds is already a crisis, whereas other areas may be content with a basic level of availability, for example during normal business hours, where a system failure would be seen as an inconvenience and not cause a critical impact on the operations. A complete information security program must understand and address these differences.

• Integrity—There are two concepts we will address through integrity: the protection of data and processes from improper modification, and the concept of ensuring that the operations of the information system are reliable and performing as expected. This means that the system will process transactions correctly and preserve the confidence of the organization in the quality of the data and processing.

• Confidentiality—Is the concept of protecting information from improper disclosure and protecting the secrecy and privacy of sensitive data so that the intellectual property and reputation of an organization are not damaged and that data related to individuals is not released in violation of regulations or the privacy policy of the organization.

(ISC)²



INFORMATION SECURITY AND RISK MANAGEMENT

INTRODUCTION

Information Security Management includes:
— Governance Structure
— Policies
— Standards
— Procedures
— Baselines
— Guidelines

Introduction—Information security management includes many areas. It begins with a formal governance structure which provides authority and responsibility to different staff members and sections. It also includes an overarching security policy that is endorsed/signed by senior management. This fairly basic, but authoritative, document provides the foundations for the security management program within the organization. From the overarching security policy flows a rather long list of functional policies. These notes provide a list of what is normally considered as the minimum functional policies required in a good security management program. Naturally they are tailored to the organization and reflect the organization's priorities. Additional functional policies may exist depending on the requirements of the organization.

DOMAIN AGENDA

• Principles and Requirements
• Policy
• Organizational Roles and Responsibilities
• Risk Management and Analysis
• Ethics

Principles and Requirements—Address the core objectives of an information security program. Here are the main learning points you should get from this section:
• Describe the two types of requirements for a good security solution.
• Understand and explain the major concepts of IT Security Governance.
• Understand and be able to explain differences between key international IT security standards.
• Understand the types of security blueprints and how they support a strong security policy.


the considerations for functional controls. We will talk
aboutlheselrTgreater detail on later slides.

IT SECURITY REQUIREMENTS

* Defines the


Complete Security Solutions

security behavior
of the control
measure

0

8

Provides confidence that security function is
performing as expected

9

Critical part of the security program

6

° Security Solutions—All security solutions should be

designed with two focus areas; the functional requirements of
the solution, and the assurance requirements that the func¬
tional solution is working correctly. No solution is complete
unless it addresses both of these two areas. For example: a
complete “firewall solution" would be having the firewall han¬
dling traffic and denying or permitting access correctly—the
functional requirement—and, the “logging and monitoring”
aspect addressing the assurance requirements of the firewall
solution by ensuring that the firewall is working properly and

providing the expected level of protection in relation to the
risks that the firewall was intended to control.

8

Focus on the mission of the
organization

8

Each type of organization
has differing security

3

Security must make
sense and be cost

3

They should fail safe, that is that, in the event of a
failure, they maintain the security of the systems.

Assurance Requirements—Assurance mechanisms
confirm that security solutions are selected appropri¬
ately, performing as intended, and are having the
desired effect. Many assurance mechanisms will be
reviewed throughout this course within their respec¬
tive domains i.e., IDS’s, Audit logs, BCP Tests, etc.
However, some are applicable especially to the area of

IT security, such as internal and external audits.

3

Internal/External Audit Reports

3

IIA’s Red Book, Yellow Book, etc. (the Institute of
Internal Auditors, www.theiia.org)

3

Security Reviews (Internal), Checklists, Supervision

3

Third Party Reviews

8

Attack and Penetration Tests

3

Policy Review

8

Threat Risk Assessments


Each type of organization has differing security
requirements—Information security requirements differ
greatly between government, military, and commercial ventures.
Each has a different set of priorities depending on their overall
mission. Even in the commercial world, it’s very unlikely that
two businesses will have exactly the same security require¬
ments. Businesses within the same type of industry may not
have similar requirements since their business flows and
information access requirements may be very different.
Furthermore, their company culture may limit or dictate what
is, or is not acceptable. All these and many other considera¬
tions weigh into the selection of security controls and assur¬

ance mechanisms.
0

effective

Focus on the mission of the organization—IT Security
must focus on and address the requirements of the organiza¬
tion’s mission, goals, and objectives.

16

They should not be depend on another control.

° Periodic Review by Management

requirements


0

0

Some criteria are used to evaluate the operation of security solutions:

Functional Requirements—Functional requirements
are the things most often thought about when consid¬
ering security controls. The risk assessment provides

ORGANIZATIONAL & BUSINESS
REQUIREMENTS

0

They should be layered and meet a specific security
requirement.

A

» Selected based on
risk assessment

8

0

(ISC)a




Security must make sense and be cost effective—Security

solutions must be developed with due consideration of the
mission and environment of the business.-Hisk analysis,
determining the value of information systems anffassets, and
cggt-benefit analysis will justify the adoption and implementatiwfoTlecurity controls and risk mitigation efforts.
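The firewall example above maps directly onto code. The following Python is an added example for this page, not material from the (ISC)² seminar notes: a toy packet filter in which ordered rule evaluation is the functional requirement, a self-test that replays known traffic through the live rule set is the assurance requirement, and the implicit default deny plus the exception path implement the fail-safe criterion listed above. The Rule, Connection and Firewall names, the addresses, the rule sets and the test traffic are all invented for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# All addresses, rules and "traffic" in this file are constructed for illustration.


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source network, CIDR notation
    dst: str              # destination network, CIDR notation
    dport: Optional[int]  # destination port, or None for any port


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    dport: int


@dataclass
class Firewall:
    """Functional requirement: permit or deny traffic according to an ordered rule list."""
    rules: List[Rule]
    log: List[str] = field(default_factory=list)  # assurance: every decision is recorded

    def decide(self, conn: Connection) -> bool:
        try:
            s, d = ip_address(conn.src), ip_address(conn.dst)
            for i, r in enumerate(self.rules):  # first matching rule wins
                if (s in ip_network(r.src) and d in ip_network(r.dst)
                        and (r.dport is None or r.dport == conn.dport)):
                    return self._record(r.action, conn, f"rule {i}")
            # Nothing matched: implicit default deny, never default permit.
            return self._record("deny", conn, "implicit default deny")
        except ValueError as exc:
            # Fail safe: input the filter cannot evaluate is denied rather than
            # waved through, so a malformed packet cannot open the control.
            return self._record("deny", conn, f"fail-safe ({type(exc).__name__})")

    def _record(self, action: str, conn: Connection, why: str) -> bool:
        self.log.append(f"{action} {conn.src}->{conn.dst}:{conn.dport} ({why})")
        return action == "permit"


def self_test(fw: Firewall, cases: List[Tuple[Connection, bool]]) -> List[str]:
    """Assurance requirement: replay traffic with known expected outcomes through
    the live rule set and return the log line of every decision that was wrong."""
    failures = []
    for conn, expected in cases:
        if fw.decide(conn) != expected:
            failures.append(fw.log[-1])
    return failures


def check(rules: List[Rule], cases: List[Tuple[Connection, bool]]) -> Tuple[List[str], List[str]]:
    """Build a filter from `rules`, run the assurance test, return (failures, full log)."""
    fw = Firewall(list(rules))
    return self_test(fw, cases), fw.log


# Intended rule set: only the office subnet may reach the DMZ web server on 443;
# everything else from the corporate range toward the DMZ is explicitly denied.
RULES = [
    Rule("permit", "10.0.0.0/24", "192.0.2.10/32", 443),
    Rule("deny", "10.0.0.0/8", "192.0.2.0/24", None),
]

# A plausible misconfiguration: the port restriction was forgotten.
BROKEN_RULES = [Rule("permit", "10.0.0.0/24", "192.0.2.10/32", None)]

# Test traffic with the outcome the policy says each flow must get.
CASES = [
    (Connection("10.0.0.5", "192.0.2.10", 443), True),       # allowed web access
    (Connection("10.0.0.5", "192.0.2.10", 22), False),       # SSH to the DMZ is not permitted
    (Connection("10.1.0.5", "192.0.2.10", 443), False),      # other corporate subnet, explicit deny
    (Connection("198.51.100.7", "192.0.2.10", 443), False),  # unknown source, implicit deny
    (Connection("not-an-ip", "192.0.2.10", 443), False),     # malformed input must fail safe
]

if __name__ == "__main__":
    for name, rules in (("intended", RULES), ("broken", BROKEN_RULES)):
        failures, log = check(rules, CASES)
        print(f"{name} rule set: {len(failures)} assurance failure(s)")
        for line in failures:
            print("  ", line)
```

With the intended rule set every replayed flow gets the expected decision and the log shows which rule (or which fail-safe path) produced it; with the broken rule set the self-test flags the SSH flow that was permitted by mistake. That is the point of the assurance side: the control is not trusted because it was deployed, but because its behaviour is checked against what the policy says it should do.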



IT SECURITY GOVERNANCE

• Integral Part of Overall Corporate Governance
• Three Major Parts
  — Leadership
  — Structure
  — Processes
• Governance ensures that the IT infrastructure of the company:
  — Meets the A.I.C. requirements.
  — Supports the strategies and objectives of the company.
  — Includes service level agreements when outsourced.

IT Security Governance—The bullets on this slide cover the goals of IT security governance. IT security governance is part of the overall governance of the company. In years gone by, many executives considered IT security as being too difficult, technical, and well below their areas of responsibility. Therefore, many passed these responsibilities to their already overworked IT departments, who were neither trained nor structured for these duties. Often, the end result was not favorable.

Integral Part of Overall Corporate Governance—IT security governance must be fully integrated into the overall risk-based threat analysis of the company. It goes well beyond the traditional threats to the IT assets and actually considers the potential damage to the information on those IT assets and the effects that such damage may have on the organization and its ability to accomplish its goals and objectives.

Stakeholders and their values play a key role in the IT governance structure as well. Stakeholders include stockholders, managers, employees, customers of the company, suppliers, and possibly the government and public at large. The value these individuals place on the trust, confidence, and security of the company's IT infrastructure will be reflected throughout the organization.

Three Major Parts—

Leadership—IT security requires technical skills, but it also requires much more. It requires the ability to earn the trust and confidence of the decision makers within the company. Security leaders must be fully integrated into the company leadership, where their voices can be heard without filtering by competing interests. Lastly, the IT security leader must understand the company—probably better than anyone else. This is because the IT professional must understand the information/data, who produces it, where it is stored, who needs it—when and how, and everything about how the company operates. If that is true, then the IT security professional must certainly understand everything already mentioned as well as all the IT networks that provide these services, their strengths and weaknesses, and all the threats to them. The successful IT security professional must also understand the networks that connect to theirs and the risks these connections bring. This quick look at the requirements for IT security professionals indicates that it certainly takes a strong, confident, and technically proficient professional to accomplish this job.

Structure—IT governance occurs at many different levels of the organization and is a layered approach. The Board of Directors provides direction to the executives within the company. The executives turn that direction into policies. Managers take those policies and produce standards, baselines, and guidelines. Team leaders take these standards, baselines, and guidelines and form procedures within their organizations. The individual workers are critical to this layered structure as they are not only the ones that must implement these procedures, but are also most likely to be the ones who first notice violations and unusual events within the operations of our IT systems.

Processes—The security professional should have a good understanding of the security principles mentioned below. Processes should follow internationally accepted "Best Practices."
• Job rotation
• Separation of duties
• Least privilege
• Mandatory vacations
• Brewer-Nash model
• Supervision (logs and monitoring)
• Security audits and reviews (including penetration tests)
• I/O controls
• Antivirus management

The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standard ISO/IEC 17799:2005, Code of Practice for Information Security Management, provides a broad base of security controls that serves as a point of reference for completeness of the components within the blueprints. The ISO/IEC 17799:2005 reference standard does not, however, provide all of the guidance that is required for an effective, holistic security architecture.

International Security Standard ISO 27001 (whose formal title is "Information security management systems—Requirements") has been launched as the replacement for BS 7799-2 ("Information security management systems—Specification with guidance for use"). ISO 27001 provides the foundation for third-party audit and certification, and is harmonized with several other ISO management system standards such as ISO 9001 and ISO 14001. On the next slide we will briefly talk about ISO 17799:2005 and ISO 27001:2005.

ISO 17799 & ISO 27001

• ISO 17799
  — Code of Practice—Guidance and Support
  — Management Focus
• ISO 27001:2005
  — Management System Standard (Certifiable and Measurable Requirements)
  — Assurance Focus

ISO 17799—Is based upon British Standard 7799-1 (the revision published in May 1999). The first version of ISO 17799 was published and adopted in December 2000. The most current version is ISO 17799:2005.

ISO 27001:2005—Is the first in the new 27000 series of ISO standards and replaces the older BS 7799-2.


SECURITY BLUEPRINTS

• A comprehensive way to look at security
• Technical architecture
• Normally cover several security domains
• Used to identify and design security requirements
• Infrastructure Security Blueprints
  — eCommerce Solutions
  — Data Warehouses
  — Supply Chain Management systems
  — Production systems, etc.

Security Blueprints—Provide a structure for organizing requirements and solutions. They are used to ensure that security is considered from a holistic view. A holistic security architecture can only be created by a professional security architect (such as an Information Systems Security Architecture Professional (ISSAP®)) after carefully considering a wide range of threats, vulnerabilities, and organizational requirements.

• The Security Blueprints provide a method of organizing the requirements and the resulting components of a security architecture. This approach can be used to address the security requirements of a specific topic or across the enterprise. Certainly not all topics will apply equally, or even at all, in the different areas of the company. However, blueprints give us a way to think about them and to make an informed decision as opposed to having an item overlooked by mistake.

Security blueprints are discussed in both ISO 17799:2005 and ISO 27001:2005. However, many vendors are now using the term "security blueprint" to reference a wide range of documents relating to their products.

• Normally used by architects when designing an overall layered security solution.
• Tailored security best practices that combine to form a comprehensive security structure.

Used to identify and design security requirements—Each component should directly reflect a policy decision. The plans should be mutually supportive. All areas should be considered even if they do not apply to that specific topic.

An effective security architecture will always be able to "connect the dots" between the business decisions of the organization, how these are reflected in the principles, policies and standards of the organization, how these have been turned into requirements, and how the requirements map to the blueprints.

Infrastructure Security Blueprints—Reflect:
• Security requirements of a specific company/infrastructure
• Policy
• Program
• Specific business priorities and decisions
• Regulatory requirements
• All aspects of security across the entire infrastructure
• The security policy approved by senior management

A definition of Holistic Security Architecture, from the CIO website, The ABCs of Security, by Scott Berinato and Sarah Scalet, would be:

"Holistic security means making security part of everything and not making it its own thing. It means security isn't added to the enterprise; it's woven into the fabric of the application. Here's an example. The nonholistic thinker sees a virus threat and immediately starts spending money on virus-blocking software. The holistic security guru will set a policy around e-mail usage; subscribe to news services that warn of new threats; reevaluate the network architecture; host best practices seminars for users; oh, and use virus blocking software, and, probably, firewalls."


DOMAIN AGENDA

• Principles and Requirements
• Policy
• Organizational Roles and Responsibilities
• Risk Management and Analysis
• Ethics

Policy—Here are the objectives for our next section:
• Describe the purpose of organizational policy.
• List the supporting elements of policy implementation.
• Understand the purpose and differences of guidelines, policies, procedures, baselines and standards.
• Describe the environment within which the security policy exists.


POLICY OVERVIEW: THE "ENVIRONMENT"

[Slide graphic: the Overarching Organizational Policy (Management's Security Statement) sits at the center, surrounded by Laws, Regulations, Organizational Goals, Organizational Objectives, and Shareholders' Interests.]

Policy Overview—The environment within which every company operates is a complex web of laws, regulations, requirements, competitors, and partners. These are changing frequently and interact with each other, often in unpredictable ways. In addition to these outside forces, senior management must consider those within the organization such as morale, labor relations, productivity, cost, cash flow, and many others. Within this environment, management must develop and publish the overall security statement and directives. From the security team perspective, these directives should be addressed through security policies and their supporting elements such as standards, baselines and guidelines, to ensure a proper implementation of a security program. Standards, baselines, procedures, and guidelines will be discussed in the next few slides.

POLICY OVERVIEW (CONT.)

[Slide graphic: the Overarching Organizational Policy (Management's Security Statement) flows down to the Functional Implementing Policies (Management's Security Directives), which are in turn supported by Standards, Baselines, Procedures, and Guidelines.]


MANAGEMENT'S SECURITY POLICY

• Provides Management's Goals and Objectives in Writing
• Documents compliance
• Creates security culture

[Slide graphic: a "Security Policy" document bearing the statement "Security is essential to this company and its future," signed J.T. Lock, CEO.]

Provides Management's Goals and Objectives in Writing—The organizational policy mandates the security needs within the company. One policy does not fit every company's requirements. Although two firms may be similar, as we discussed earlier, they are unique, and so are their security requirements. The overarching security policy should be kept "high-level" and short. If it is too complex, it will be difficult to get staffed and approved, and it may not be read or understood. If it is too generic, it may be meaningless and irrelevant. The length and content of this critical document is as unique as the company itself, and must be created with that in mind. One size does not fit all—or even two.

It is good to introduce an appendix outlining the "terms of reference." This is an authoritative document and as such will be referenced frequently if written properly. Therefore, anything we can do that reduces confusion without adding complexity is an advantage.

• Policies are of no value if not read, available, and current. Policies must be posted in a location that is available to every employee for review. They must be current, and reflect new laws and regulations. All employees must be kept aware of the policies through an annual review. A record of this review with each employee should be maintained.

Documents compliance—Policy documents how the company is complying with laws, regulations, and standards of due care.

Creates security culture—Policy establishes the internal environment for the security program. It explains what assets and principles the organization considers valuable.


MANAGEMENT'S SECURITY POLICY (CONT.)

• Establishes the security activity/function
• Holds individuals personally responsible/accountable
• Addresses potential future conflicts
• Anticipates and protects from surprises

Establishes the security activity/function—It should also establish a security group within the company and grant it appropriate levels of responsibility. One must be careful not to get too specific to address every detail. One problem with being too detailed is that if a situation arises later and it is not clearly stated in the policy, then many will assume that it is not covered by the intent of the policy and do what they will. Therefore, it is normally a good proactive measure to include a "catch-all clause" that explains how issues not specifically addressed in the policy will be adjudicated.

Holds individuals personally responsible/accountable—A good security policy makes each employee accountable for their actions, from top management to the new hire. It's important for senior management to set a good example and follow their own policies. After all, if they are unwilling to follow the policy then maybe no one else is either.

Addresses potential future conflicts—A well thought-out security policy anticipates situations and provides guidance to protect the organization. It should establish provisions for resolving conflicts between competing interests or people wondering what is, or is not, permitted.

Anticipates and protects from surprises—Anticipates situations and protects the company and employees from "surprises" caused by lack of awareness of management expectations or ethical guidelines.


MANAGEMENT'S SECURITY POLICY (CONT.)

• Ensures employees and contractors are aware of organizational policy and changes
• Mandates an incident response plan
• Establishes processes for exception handling, rewards, discipline

[Slide graphic: a "Security Violation Reprimand" form, "TO: I.M. Wrong. FOR: Failing to follow established policies."]

Ensures employees and contractors are aware of organizational policy and changes—Establishes a process that ensures all employees and contractors are aware of organizational policy and changes as they occur. The security awareness program must begin the day an individual is hired and continually provide refresher training throughout the period of employment. The security policy is a key document that must be read/re-read as part of the awareness training.

Mandates an incident response plan—Generically covers incident response and mandates the authority for, and development of, a detailed incident response plan. The security policy should also contain overall information/instructions on how incidents will be handled.

Establishes processes for exception handling, rewards, discipline—A policy provides the authority for the security and human resources areas to enforce good practice and disciplinary action if necessary. Naturally, this should be a last resort because good employees are expensive to hire and hard to find in most cases. However, the policy should provide the H.R. department and management that final option. A policy of this nature is a reference point for other persons and agencies to know the intent of management—this can be important in a legal setting, which could certainly occur for a variety of reasons.

POLICY INFRASTRUCTURE

• Functional Policies—Implement and interpret the high level security policies of the organization

[Slide graphic: Management's Security Policy ("Security is essential to this company and its future," J.T. Lock, CEO) at the top, with several Functional Policies flowing from it.]

Policy Infrastructure—The high level policies of the organization are then interpreted into a number of functional policies that assist in implementing the intent of the overall policy. Depending on the culture and the risks faced by the organization, there may be numerous functional policies.

Functional Policies—Flow from the overarching policy of the organization and create the foundation for the procedures, standards, and baselines to accomplish the security objectives. Functional policies gain their credibility from senior management's signature on the overarching policy that established the goal or objective.

Examples of functional policies could include:
• Data Classification
• Certification and Accreditation
• Access Control
• Outsourcing
• Remote Access
• Internet and Acceptable Use
• Privacy

POLICY IMPLEMENTATION

• From policies come the supporting elements
  — Standards
  — Procedures
  — Baselines
  — Guidelines
• These enforce the security policy principles on every business process and system

Policy Implementation—Standards, procedures, baselines, and guidelines turn the objectives and goals established by management in the overarching and functional policies into "actionable" and enforceable actions for the employees. We will talk about each of these in more detail on the next few slides, but it is important to note that in daily interactions within organizations, these are what cause the most challenges for the IT security staff. Few will directly challenge the policy that senior management has created. However, many will challenge how policy is interpreted in the standards, procedures, baselines, and guidelines implemented. Therefore, it is wise to be careful in selections and interpretations to ensure the full support of the policy (and thereby senior management). Several times an aggressive individual has over-stepped their authority with an aggressive (but well-intentioned) standard and caused the entire security program to be re-evaluated.

STANDARDS

• Adoption of common hardware and software mechanisms and products

[Slide graphic: standardized Desktop, Firewall, and Anti-Virus products.]

Standards—Refer to hardware or software solutions that are selected to address a security risk and standardized throughout the enterprise. For instance, a specific anti-virus product or password generation token that has been chosen for use throughout the organization. This often reduces cost of ownership by allowing for large blanket purchase agreements with vendors and allows for standardized training, further reducing costs. Standards can also be guidelines created by government, industrial or other organizations that have been formally adopted as a standard.

Standards are essential so that a common basis can be established and implemented. Having a common basis for the overall organization is better than having each individual department operating under their own separate (and in some cases non-compliant) environment. This helps reduce the seams that can develop between sections, departments, and subordinate organizations. However, it is also useful to note that if a vulnerability in the selected product is exploited by a threat agent, the entire organization is at risk. This needs to be considered by the security designers when designing the network, building in places to control this risk.


PROCEDURES

• Required Step-by-step Actions
  — Reduce mistakes in a crisis.
  — Ensure important steps are not missed.
  — Provide for places within the process to do assurance checks.

[Slide graphic: a "Corporate Procedures" manual.]

Procedures—Are the way to ensure that the intent of policy is enforced through a mandated series of steps that must be followed to accomplish a task.

Required Step-by-step Actions—Procedures are statements of step-by-step actions to be performed to accomplish a security requirement, process, or objective. They are one of the most powerful tools available in security arsenals and must be used wisely. For instance, password changing, incident response, and BCP procedures.

Procedures, like policies, are considered to be mandatory requirements.

BASELINES

• Establish consistent implementation of security mechanisms
• Platform unique

[Slide graphic: platform-specific baselines for VPN Setup, Password Rules, and IDS Configuration.]

Baselines—Are the benchmarks used to ensure that a minimum level of security configuration is provided across multiple implementations of the systems and many different products.

Establish consistent implementation of security mechanisms—Baselines are descriptions of how to implement security mechanisms to ensure that implementations result in a consistent level of security throughout the organization. Different systems (platforms) have different methods of handling security issues. Baselines are created to inform user groups about how to set up the security for each platform so that the desired level of security is achieved consistently.

Platform unique—Baselines are the great "leveler" of security levels between different security products, including from different vendors. This is becoming more important as more and more "hybrid" products are entering the security market, combining services into "multi-functional" devices, and defying many of our current definitions such as the roles of a switch and router.

GUIDELINES

• Recommendations for security product implementations, procurement and planning, etc.
• Examples: ISO 17799, Common Criteria, ITIL

Guidelines—Guidelines are recommendations. They will remain recommended actions unless mandated by company policy and adopted as a standard. They are white papers, best practices, or formats for a security program that may be used by an organization. However, care must be taken to ensure that careless use of words in policies does not move a guideline from a best practice into the realm of a company standard unless that is the intent. For example, an overarching statement in a security policy signed by the CEO stating that "this company will follow the recommendations of the ISO 17799 guideline" has just made ISO 17799 mandatory within that organization.

Guidelines are often used to help provide structure to a security program and to outline recommendations for procurement and deployment of acceptable products and systems.

Three levels of Security Planning—Security planning is conducted at three levels.

LEVELS OF SECURITY PLANNING

• Three levels of Security Planning
  — Strategic Planning
  — Tactical Level Planning
  — Operational Planning
• These plans must be integrated
• Seamless transition between levels

Strategic Planning—Focuses on the high-level, long-range requirements of the organization and is part of the company's long-term plan. An example of this is our overarching security policy.

Tactical Level Planning—Is more mid-term and focuses on events that will affect the entire organization. Many of our functional plans fit into this category.

Operational Planning—Focuses on "fighting fires" at the keyboard level. This is planning for the near term that directly affects the ability of the organization to accomplish its objectives.

These plans must be integrated—Plans and actions from all three levels must work together. That occurs with detailed planning.

Seamless transition between levels—Actions must seamlessly transition between the different levels.

DOMAIN AGENDA

• Principles and Requirements
• Policy
• Organizational Roles and Responsibilities
• Risk Management and Analysis
• Ethics

Organizational Roles and Responsibilities—The main learning points of this section include:

• Explain the importance of personnel security to a good IT security program.
• Be able to explain key considerations of a good personnel security program.
• Understand and be able to explain the various roles and responsibilities of all people in an organization as related to security.

ORGANIZATIONAL ROLES AND RESPONSIBILITIES

• Everyone has a role and responsibility
• Specific security functions must be assigned

Everyone has a role and responsibility—Security is not a function of a single person nor of one group or team. Everyone must be aware of their responsibility and role in creating a secure environment. A security program contains many important elements, as seen earlier. Each must be addressed through the security program and not overlooked or forgotten. They must be clearly communicated and clearly understood by all.

Specific security functions must be assigned—Specific security functions must be assigned to designated security professionals as their primary duty, such as:

• Email security
• Violation report review
• Awareness training

SPECIFIC ROLES AND RESPONSIBILITIES

• Executive Management
• Information Systems Security Professionals
• Owners
• Custodians
• Information Systems Auditor
• Users
• IS/IT Function

Executive Management—Publish and endorse security policy establishing goals, objectives, and overall responsibility for asset protection. Senior management sets the tone for the information security program and bears ultimate responsibility for any security breaches and for acceptance of risk mitigation strategies.

Information Systems Security Professionals—Information security professionals are responsible for the design, implementation, management, and review of the organization's security policies, standards, baselines, procedures, and guidelines.

Owners—Individual data and system owners play a key role in the security program. They are the best-qualified people to perform tasks essential to our security efforts, such as information classification, setting user access conditions, and deciding on business continuity priorities. They authorize appropriate security programs consistent with the organization's security policy, determine appropriate sensitivity or classification levels based on established classification criteria, and determine access privileges based on need to know and other criteria.

Custodians—Responsible for ensuring the security of the information entrusted to them by the information owners. Custodians have care of information that does not belong to them directly, such as email servers and data backups. A custodian must be aware of the risks to information and especially the threat of social engineering.

Information Systems Auditor—The information systems auditor plays a key role in the assurance of our networks and our security programs. Auditors provide independent assurance that the right controls are being used in the right manner, for the right purpose, and that they are having the desired outcome.

Users—Responsible for using resources appropriately and in compliance with procedures, and for preserving the availability, integrity, and confidentiality of assets.

IS/IT Function—Responsible for implementing and adhering to security policies as well as building the systems and networks that incorporate security best practices.

PERSONNEL SECURITY: HIRING OF NEW STAFF

• Background Checks/Security Clearances
• Follow-up on References and Educational Records
• Sign Employment Agreements

Background Checks/Security Clearances—Normally there are legal concerns when it comes to background checks. It is important to respect the rights of individuals and the laws of the country where people are hired, but it is good practice to check as much as possible into the background of a potential employee to prevent hiring the wrong person into a trusted role.

Follow-up on References and Educational Records—Naturally, laws supersede any company policy, and individuals' rights must be protected. However, it is important that efforts be made to verify the information provided by prospective employees, including following up with references, verifying educational records, etc.

Sign Employment Agreements—Non-disclosure agreements and business ethics, including telephone and Internet acceptable-use policies, should be part of the hiring process, and security awareness training must begin on the first day of employment. This should include having new employees read appropriate policies and procedures and sign NDAs and acceptable-use policies. Care must be taken to ensure that this does not become so difficult or time-consuming that management finds ways to get around the policy.

PERSONNEL SECURITY

• Low Level Checks
• Consult the Human Resources (H.R.) department
• Termination Procedures

Low Level Checks—If someone comes in at a low-level job and subsequently moves to a higher-level position, further checks should be done. The appropriateness of background checks may have to follow legal statutes, e.g., privacy laws.

Consult the Human Resources (H.R.) department—To protect management and the company, all personnel actions should be processed through the H.R. department using established procedures. To avoid possible security concerns, a single manager should not be allowed to control the process. Procedures should:

• Cover points such as keys, ID cards, passwords, and equipment loaned out to the employee (laptops, cell phones, pagers).
• Include approved company standard checklists for hiring interviews.

Termination Procedures—Termination and disciplinary actions are always difficult for everyone involved. Managers often feel sympathy for the individuals and sometimes make decisions that place our information and assets at unnecessary risk. Therefore, all termination and disciplinary actions must be pre-coordinated within a confidential circle that includes H.R. and IT security personnel. When a termination is occurring, the individual's access to the network, information, and assets must be stopped. This is best done by the IT security personnel while the individual is being informed of the action. However, one must be careful to follow local laws in these matters.

• The only way to ensure that all company property is returned is to keep an accurate inventory of all equipment given to a user: remote access tokens, keys, ID cards, cell phones, pagers, credit cards, laptops, software, etc. This makes it easy to account for these assets and recover them upon termination.

• An individual's access to the network should be suspended during all periods of suspension from duties and considered when serious disciplinary actions are pending. Individuals faced with these situations often feel trapped and lash out at the company, using their access to the network as the only weapon with which to fight back. Suspension/disciplinary procedures can often create security concerns similar to termination; procedures should address these risks.


THIRD PARTY CONSIDERATIONS

• Vendors/Suppliers
• Contractors
• Temporary Employees
• Customers

Third Party Considerations—All of these groups create different, but equally challenging, situations for our security efforts. Establish procedures that address these groups on an individual basis to ensure that EVERYONE with access to systems, information, assets, the network, etc. complies with the same (or more) stringent security as do full-time employees.

Vendors/Suppliers—Often need access to systems, but the organization has little control over their practices unless it is in the contract. The granting of temporary IDs or access should be coordinated to ensure that the access is appropriate and is removed at the completion of the project.

Contractors—May work at the facility and be "just another employee." However, much like vendors, the organization has little control over their company's practices.

Temporary Employees—By their nature they pose increased risks. They have no vested interest in, or loyalty to, the organization.

Customers—Are demanding more and more online services. This increases security challenges.

PERSONNEL GOOD PRACTICES

• Job Descriptions and Defined Roles and Responsibilities
• Least Privilege/Need to Know
• Separation of Duties
• Job Rotation
• Mandatory Vacations

Personnel Good Practices—Must be applied appropriately in our information security program based on the culture and risks in the organization.

Job Descriptions and Defined Roles and Responsibilities—Clearly defined job descriptions and defined roles and responsibilities help ensure that everyone knows what an individual should be doing, and aid in detecting unusual behavior.

Least Privilege/Need to Know—The principle of least privilege and the requirement for need to know should always be enforced to minimize access to information and assets.

Separation of Duties—Forces collusion in order to manipulate the system for unauthorized purposes.

Job Rotation—(When possible) Breaks up collusion and provides opportunities to review authorizations and actions taken by the individual. If our other security measures have failed, this gives us an opportunity to find the breach in security before it gets worse or goes on excessively long. Job rotation also provides trained backups.

Mandatory Vacations—Much like job rotation, mandatory vacations provide the opportunity to detect fraud. Also, when people are on vacation, their access to the site should be suspended. This prevents working from home (possibly covering their tracks) and provides the much-needed vacation they have earned.

SECURITY AWARENESS, TRAINING, AND EDUCATION

• Awareness Training
• Job Training
• Professional Education

Security Awareness, Training and Education—These are three different concepts applying to the development of staff. Awareness programs start from the first day of employment and address the requirements of policy, social engineering, and security requirements. Training and education are often expensive programs required to ensure staff have adequate skills to maintain a security posture, maintain equipment, manage projects, and perform other key business operations. Such programs are often delivered just in time, as required, to use training budgets effectively.

• Topics include items such as:
  — Policies, standards, procedures, baselines, and guidelines
  — Errors, accidents, and omissions
  — Physical and environmental hazards
  — Malicious code/logic
  — Media handling responsibilities
  — Incident reporting
  — Social engineering
  — Continuity planning
• These topics lend themselves to a variety of approaches.
• A variety of methods are available:
  — Videos
  — Newsletters
  — Posters
  — Briefings
  — Key-chains, trinkets, etc.

Awareness Training—Provides employees with a reminder of their security responsibilities.

• The objective is to motivate personnel to comply with requirements.
• The campaign must be creative, and the depth and type of topics should target the audiences appropriately and change frequently.
• Reward practices such as protecting the physical area and equipment, protecting passwords, and reporting security violations.
• Awareness training efforts can quickly become stale, mundane, and routine. At some point the program loses its effectiveness and the returns for the cost and effort are marginal. To avoid this problem, vary the topics as well as the approach. Try to select a topic that is in the news to maximize the learning opportunity. Try to "spark conversations" around the office about events that are happening NOW. Current events and real-world examples are much more interesting than hypothetical situations. One could easily use real events within organizations on almost any day without violating privacy or exposing material weaknesses.

• Training should:
  — Focus on security-related job skills.
  — Specifically address security requirements of the organization.
  — Increase the ability to hold employees accountable for their actions.
  — Provide specialized or technical training as needed for specific personnel, such as configuring firewalls or conducting audits.

Job Training—Provides the skills needed to perform the security functions in their jobs. Training time and money are always limited, and IT professionals almost always want more training to stay professionally current in this ever-changing field. Therefore, training must focus on skills needed in the workplace for the current job unless management is specifically trying to train them for another position. Be careful to ensure that training programs are not directed at staff who merely use them as an avenue to a better-paying job elsewhere.

Professional Education—Provides decision-making and security management skills that are important for the success of an organization's security program. Whereas training is often focused on specific skills, education focuses on decision-making capability and the processes to obtain expertise in decision making. Therefore, education is normally provided to management personnel and those moving into the management ranks to improve their ability to excel at these levels. A variety of education methods should be used and provided to different individuals within the organization to bring the maximum talent to bear on a given problem when it arises. Additionally, training depth must be considered. It does not make sense to send a management trainee to advanced enterprise decision-making training. The same thought process must be used when selecting training for IT security professionals.

GOOD TRAINING PRACTICES

• Address the audience
  — Management
  — Data Owner and Custodian
  — Operations Personnel
  — User
  — Support Personnel

Address the audience—Each group has different interests, and the material you present will be filtered through their personal bias.

• Management—Overall cost savings (a risk analysis will yield this type of information), the need to protect information, and the need for efficient and effective security.
• Data Owner and Custodian—Easy-to-follow instructions.
• Operations Personnel—Non-intrusive security.
• User—Productivity, easy compliance, understanding requirements.
• Support Personnel—Their role, cost-effective compliance.

DOMAIN AGENDA

• Principles and Requirements
• Policy
• Organizational Roles and Responsibilities
• Risk Management and Analysis
• Ethics

Risk Management and Analysis—A sound approach to IT security is based on sound risk analysis and good risk management. A CISSP must have mastery of the concepts and methods addressed here. Here are the objectives in this section:

• Define the key risk management terms.
• Describe the importance of a risk analysis.
• List examples of potential threats.
• Describe some types of risk analysis.
• Describe safeguard selection principles.

DEFINITION OF RISK FROM NIST SP 800-30

Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

Definitions from SP 800-30

Threat—The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

A threat-source is either:

• Intent and method targeted at the intentional exploitation of a vulnerability, or
• A situation and method that may accidentally trigger a vulnerability.

Common threat sources are natural, human or environmental. NOTE: The "threat source" is also called the "threat agent."

Vulnerability—A flaw or weakness in system security procedures, design, implementation or internal controls that could be exercised (accidentally triggered or intentionally exploited) and could result in a security breach or a violation of a system's security policy.

Likelihood—The probability that a potential vulnerability may be exercised within the construct of an associated threat environment.

Countermeasure—A control to reduce risk; may be technical, operational or management controls or a combination of these types.

RISK MANAGEMENT CONCEPT FLOW

[Diagram: owners value assets and wish to minimize risk; they impose safeguards, which may themselves possess vulnerabilities; threat agents give rise to threats that exploit vulnerabilities, leading to risk to the assets.]

Risk Management Concept Flow—This overview shows the relationships among the key components. Threats, vulnerabilities, and asset values are used to identify the overall risk to an organization's assets. Understanding this slide is important, as it demonstrates several concepts related to risk and countermeasures. One key point is the recognition that safeguards may also contain new vulnerabilities, which the information security professional must be aware of.


RISK MANAGEMENT DEFINITIONS

• Asset
• Threat
• Threat Agent
• Exposure

Risk Management Definitions—To understand risk analysis, the organization must work from a common set of terms. Understanding and using terminology correctly is important, especially when presenting risk analysis efforts to senior management. This and the next slide provide the key terms used in this section. Learn them well, how they are used, and when each term is appropriate.

Asset—Something that is valued by the organization to accomplish its goals and objectives.

Threat—Any potential danger to information or an information system. Examples of threats include, but are not limited to:

• Unauthorized access
• Hardware failure
• Utility failure
• Loss of key personnel
• Human errors
• Neighboring hazards
• Tampering
• Disgruntled employees

Threat Agent—Anything that has the potential of causing a threat.

Exposure—An opportunity for a threat to cause loss.

RISK MANAGEMENT TERMS

• Vulnerability
• Attack
• Countermeasures and Safeguards
• Risk
• Residual Risk

Vulnerability—Is any weakness that could be exploited. Vulnerabilities exist in every IT system, product and application. A security program will address vulnerabilities by implementing safeguards or countermeasures to prevent the exploitation of a vulnerability; however, the security professional must always be aware of the risk of new vulnerabilities and of the inability to completely remove all vulnerabilities from a system.

Attack—An intentional action trying to cause harm. An attack is an effort by a threat agent to launch a threat by exploiting a vulnerability in an information system. That explains the importance of understanding the correct terminology. As security professionals, CISSPs are the experts and are expected to use precise, correct terminology. Otherwise it may affect their reputations, and listeners start to wonder if the security professional really knows what he/she is talking about.

Countermeasures and Safeguards—Are those measures and actions that are taken to try to protect systems. They could be one of several types of controls, which we will talk about later.

Risk—Is a "likelihood" or probability that some unwanted event could occur: the possibility that a particular threat will adversely impact an information system by exploiting a particular vulnerability.

Several times throughout this course we will say that we cannot reduce risk to zero. The next term answers that issue.

Residual Risk—Is the amount of risk remaining after countermeasures and safeguards are applied.


RISK MANAGEMENT

• The purpose of Risk Management is to identify potential problems
  — Before they occur
  — So that risk-handling activities may be planned and invoked as needed

Purpose of Risk Management—Is a proactive activity designed to prevent possible breaches or incidents through the identification of possible threats, the selection of appropriate risk control countermeasures or safeguards, and the continuous monitoring of the risk environment.

THE RISK EQUATION

[Diagram: Risk Management across the life of the product or project (Ref: NIST SP 800-30), made up of three phases:]

• Risk Assessment
  — Identification of risks
  — Evaluation of risks
  — Risk impact
  — Recommendation of risk-reducing measures
• Risk Mitigation
  — Risk avoidance
  — Risk mitigation
  — Risk acceptance
  — Risk transference
  — Evaluation of risks
• Evaluation & Assessment
  — Ongoing risk assessment
  — Periodic evaluation
  — Regulatory compliance

The Risk Equation—Risk Management is comprised of Risk Assessment, Risk Mitigation, and Evaluation and Assessment. Note that Risk Management is a continuous, ongoing effort and includes the periodic re-evaluation of risk and risk assessment in all three phases of the Risk Management effort.

RISK FACTORS

[Diagram: the three risk factors, Threats, Assets, and Vulnerabilities.]
RISK MANAGEMENT

• Risk Management identifies and reduces Total Risks (Threats, Vulnerabilities, & Asset Value)
• Mitigating controls: Safeguards & Countermeasures reduce risk
• Residual Risk should be set to an acceptable level

Risk Management—The definition of risk management is the effort applied to manage exposure before a threat could take advantage of a vulnerability. Notice that the calculation of total risk is comprised of the factors of threats, vulnerabilities, and current value of the asset.

Risk should be reduced to a residual level of risk acceptable to the senior manager responsible for the system. If risk management is properly accomplished, residual risks will not create an unacceptable risk to the organization.
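The SP 800-30 definition above treats risk as a function of likelihood and impact, and the notes state repeatedly that safeguards reduce risk to a residual level the responsible manager must accept. The following Python is added here as an illustration and is not part of the (ISC)² course material. It works that through with the qualitative risk-level matrix from NIST SP 800-30 (2002): likelihood values of 1.0/0.5/0.1 and impact values of 100/50/10 multiply to a score rated High (above 50), Medium (above 10 up to 50) or Low (1 to 10). The sample risk register, the named safeguards, and the assumption that each safeguard lowers threat likelihood by a fixed number of levels are all constructed for the example.

```python
"""Qualitative risk rating in the style of the NIST SP 800-30 (2002) risk-level matrix.

Added example, not part of the original course material. The likelihood and impact
values and the High/Medium/Low risk scale follow SP 800-30 Tables 3-4 to 3-6; the
assets, threats and safeguards in the sample register are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# SP 800-30 Table 3-4: likelihood levels and the values the matrix assigns to them.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
# SP 800-30 Table 3-5: impact levels and their values.
IMPACT = {"Low": 10, "Medium": 50, "High": 100}
# Ordering used when a safeguard drops likelihood by one or more levels.
LEVELS = ["Low", "Medium", "High"]


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood value x impact value, e.g. High x High = 100."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """SP 800-30 Table 3-6 risk scale: Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def lower_level(level: str, steps: int) -> str:
    """Reduce a likelihood level by `steps`, never below Low."""
    return LEVELS[max(0, LEVELS.index(level) - steps)]


@dataclass
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    # Safeguards recorded as (name, number of likelihood levels they remove).
    # Modelling assumption for this example: controls lower likelihood, not impact.
    safeguards: list = field(default_factory=list)

    def inherent(self) -> tuple[float, str]:
        """Risk before any safeguard is applied."""
        score = risk_score(self.likelihood, self.impact)
        return score, risk_level(score)

    def residual(self) -> tuple[float, str]:
        """Risk remaining after all recorded safeguards are applied."""
        reduction = sum(steps for _, steps in self.safeguards)
        score = risk_score(lower_level(self.likelihood, reduction), self.impact)
        return score, risk_level(score)

    def acceptable(self, appetite: str) -> bool:
        """True if residual risk is at or below the level the system owner accepts."""
        return LEVELS.index(self.residual()[1]) <= LEVELS.index(appetite)


# Constructed sample risk register (not from the original page).
REGISTER = [
    RiskItem("payroll server", "disgruntled employee", "shared admin password",
             "High", "High",
             [("individual accounts + MFA", 1), ("quarterly access review", 1)]),
    RiskItem("branch office", "utility failure", "no UPS",
             "Medium", "Medium", [("UPS", 1)]),
    RiskItem("email server", "malicious code", "unpatched mail gateway",
             "High", "Medium"),
]


def unacceptable(register: list, appetite: str = "Low") -> list:
    """Assets whose residual risk still exceeds the owner's acceptable level."""
    return [r.asset for r in register if not r.acceptable(appetite)]


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.asset:15} inherent={r.inherent()} residual={r.residual()}")
    print("needs further treatment:", unacceptable(REGISTER))
```

With a "Low" risk appetite, the payroll server drops from High to Low after two controls, the branch office from Medium to Low after one, and the unpatched mail gateway stays at Medium with no control recorded, so it is the one item the responsible manager must either treat further or formally accept.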


PURPOSE OF RISK ANALYSIS

• Identifies and justifies risk mitigation efforts
  — Identifies the threats to business processes and information systems.
  — Justifies the implementation of specific countermeasures to mitigate risk.
• Describes current security posture
• Conducted based on risk to the organization's objectives/mission

Purpose of Risk Analysis—A good risk analysis should provide data to explain the company's risk environment to management in terms they understand. The process of risk analysis should remain focused on the objectives set, on "what does this mean to the company?" and "what is the value of this to the company?"

Identifies and justifies risk mitigation efforts—Identifies the threats to business processes and information systems, and justifies the implementation of specific countermeasures to mitigate risk.

Describes current security posture—Risk analysis helps us explain the current security posture to management in terms they understand.

Conducted based on risk to the organization's objectives/mission—Risk analysis is much more than just a risk to the IT systems. It is primarily concerned with the inability of the organization to accomplish its business mission.


BENEFITS OF RISK ANALYSIS

• Focuses policy and resources
• Identifies areas with specific risk requirements
• Part of good IT Governance
• Supports
  — Business continuity process
  — Insurance and liability decisions
  — Legitimizes security awareness programs

Focuses policy and resources—Risk analysis ensures that the resources and policy of an organization are directed appropriately. Risk analysis is not a cookie-cutter approach; it requires an in-depth look at the organization as a whole and at each functional area. Risk is different from one area to another, and risk analysis and management must reflect those differences. Functional experts from each area should be part of the process to help assess value and impacts to the company. After all, they should know their area better than anyone else.

With limited personnel, budgets and tools, risk analysis ensures that the resources of the organization are targeted at the areas of greatest risk while making sure that there are no gaps in the security process.

Sometimes security professionals can get complacent if they have not had an incident for a period of time. This "sunny day period" can be dangerous, as professionals start to relax. Many have said that a fresh risk analysis project sharpens their skills and generates new-found excitement for their work.

Identifies areas with specific requirements—Some areas under the influence of specific regulations include financial sectors, those involved with stock, privacy, and often healthcare (in some countries this is covered by the privacy laws). You will need to determine if any of these apply before beginning your risk analysis. As we discussed earlier, this should be part of identifying the environment that your company operates in and a routine part of your IT Governance program.

Part of good IT Governance—Risk analysis is a key part of good IT Governance.

Supports—A risk analysis effort also supports many other associated activities, such as the business continuity planning project and business impact analysis; it provides information for corporate insurance premium calculation and lends legitimacy to security awareness programs.

EMERGING THREATS FACTOR

• Risk Assessment must also address emerging threats
  — Unauthorized use of technology (e.g., wireless technologies, rogue modems, PDAs, unlicensed software, iPods)
  — Changes in regulations and laws
  — Changes in business practices (e.g., outsourcing, globalization)
  — New technology
  — Change in culture of the organization or environment
• Can come from many different areas
• May be discovered by periodic risk assessments

Emerging Threats Factor—Emerging threats are always looming on the horizon. The slide lists a few of these that you should be aware of and pay attention to in your organizations. The threat from PDAs includes theft of corporate data, poor controls over wireless transmission and interception of wireless traffic, and the risk of having multiple copies or versions of data if they are not updated correctly.

Can come from many different areas—As seen above, from both internal and external sources.

May be discovered by periodic risk assessments—Properly done, a new risk assessment will continue to pick up these new threats as they appear.

SOURCES TO IDENTIFY THREATS

• Users
• System Administrators
• Security Officers
• Auditors
• Operations
• Facility Records
• Community and Government Records
• Vendor/Security Provider Alerts

Sources to Identify Threats—This slide lists some of the sources that can provide information about threats.

Users—Users may be the first ones to notice that something is not right on their systems. They must know who to contact to report possible problems.

Systems Administrators—Systems administrators and help desk personnel must be trained to identify and report possible attacks on the network and systems, and not to destroy evidence as part of their troubleshooting.

Security Officers—Should oversee the security program and perform tests of the information systems infrastructure and incident response programs to determine the source and frequency of threats.

Auditors—While performing audits, auditors will often notice gaps in security or lack of compliance with procedures that can be considered weaknesses or possible threats.

Operations—Operations personnel will often become aware of incidents through job errors, systems failures, and unexplained changes in systems performance that may indicate an ongoing threat.

Facility Records—Will often contain valuable information about the trends and performance of the system that can be used to observe repeated errors or unresolved problems.

Community and Government Records—May alert to possible weather or other environmental (or human) conditions that could affect the secure operation of the organization.

Vendor/Security Provider Alerts—Professional organizations and mailing lists should be monitored to become aware of new threats or vulnerabilities.

Other types of threats that could be considered:

• Natural disasters—Flood, tornado, earthquake, forest fire, lightning
• Environment—Overcrowding or poor morale
• Facility—Physical security or location of building
• Access Controls—Logical and physical access control
• Data processing controls—Prevention of improper modification