Date posted: 07-Jul-2015
Uploaded by: pierluigi-falcone
DOMAIN 3: Information Security Governance and Risk Management
# 3.04
CISSPills Table of Contents
Security Management
Risk Management
Risk Assessment
Risk Analysis
Information Risk Management Policy
Risk Assessment Methodologies
Risk Analysis Approaches
Steps of a Quantitative Risk Analysis
Control Selection
Total Risk vs Residual Risk
Risk Handling
Security Management
Security management includes all the activities needed to keep a Security Program running and to maintain it.
It aims at continuously protecting the organisation's assets and resources and incorporates processes, procedures, risk management, security controls and awareness.
Security management ensures that policies, standards and guidelines are implemented in a way that ensures business is conducted within an acceptable level of risk.
Risk Management
Risk refers to the likelihood that damage can occur and the impact it can have. Risk Management is the process of identifying, assessing and minimising risks to an acceptable level.
Risk can never be fully eliminated; there will always be a residual risk. Risk management focuses on coping with risks so that they are reduced to a level tolerated by the organisation.
Organisations operating in regulated environments (e.g. the Financial or Healthcare industries) or subject to specific laws need to take these requirements into account with regard to Risk Management and Security Governance.
Risk Management is split into two steps:
Risk Assessment
Risk Analysis
Risk Assessment
Risk assessment is a method to identify vulnerabilities and threats, and then assess their possible impact in order to determine the security controls to put in place.
Once the threats and the vulnerabilities have been identified, the ramifications deriving from their exploitation shall be investigated. Risks can have:
Loss potential: what the company can lose if the threat agent manages to exploit a vulnerability;
Delayed loss: a secondary consequence not directly related to the vulnerability being exploited, but equally impacting the organisation and its business (e.g. bad reputation after a breach).
Risk Analysis
Risk Analysis helps to prioritise risks, so that the most critical are addressed first. It also shows the amount of resources needed to protect against a specific risk.
It provides a cost/benefit analysis, which compares the cost deriving from the occurrence of a threat with the annualised cost of the safeguard to implement.
A proper analysis makes it possible to understand whether a countermeasure is worth implementing. Typically, in fact, it makes no sense to implement a control that costs more than the loss deriving from the occurrence of the threat.
Ideally, the Risk Analysis team should include people coming from different departments of the organisation, in order to have a comprehensive picture of the risks within the enterprise. Alternatively, the team needs to interview people working in other departments to make sure other standpoints are captured.
Information Risk Management Policy
To be successful, a Risk Management process needs the support of executive management, a documented process, an information risk management (IRM) team and an IRM policy.
The information risk management policy is very important, as it is the tool providing the IRM team with guidance on how to carry out a proper risk management activity within the organisation. For example, the policy describes:
The objective of the IRM team;
The acceptable level of risk for the organisation;
The risk identification process;
The responsibilities of the IRM team;
The metrics used to measure the effectiveness of the controls.
Risk Assessment Methodologies
There are a number of risk assessment methodologies, each with its own specific characteristics. There isn't a 'one size fits all' approach, and the choice really depends on the particular requirements of an organisation.
For example, organisations implementing a security program compliant with the ISO 27001 standard should use the ISO 27005 standard, which describes how risk management should be undertaken within an ISMS.
NIST 800-30, mainly focusing on IT, is instead considered a U.S. federal standard and fits better in governmental organisations.
Risk Analysis Approaches
Risk analysis can be carried out following two different approaches:
Quantitative analysis: this analysis assigns numeric values to the loss, to the likelihood of a threat occurring and to the extent of the damage in the event of a loss. These figures are entered into equations to determine total and residual risk;
Qualitative analysis: this analysis doesn't use numeric values. It assigns ratings to the risk (e.g. High, Medium, Low) to convey its criticality. The team members rely on scenarios to determine the different risks and their severity, and make use of brainstorming sessions, checklists, questionnaires, storyboards, etc. to walk through the risk analysis. The analysis relies a lot on the experience, intuition and judgement of the people involved in the assessment.
Steps of a Quantitative Risk Analysis
The most commonly used equations in a quantitative risk analysis are Single Loss Expectancy (SLE) and Annualized Loss Expectancy (ALE).
SLE provides a dollar amount for a single occurrence of a threat.
SLE ($$$) = Asset Value (AV) x Exposure Factor (EF)
AV = value of the asset
EF = the percentage of damage to the asset when the threat takes place.
ALE ($$$) = SLE x Annualized Rate of Occurrence (ARO)
ARO = likelihood that the threat takes place over a period of one year. It can range from 0.0 (never) to 1.0 (once a year), with any value in between (e.g. once in 10 years is 0.1, since 1/10 = 0.1).
With the ALE a company knows how much it can spend to protect the asset against a specific threat.
Control Selection
A control must be cost-effective, that is, its cost shall not exceed the value of the loss deriving from the threat it is trying to address.
A cost/benefit analysis makes it possible to estimate whether the benefits of the control outweigh its cost. An equation typically used is:
(ALE before control implementation) - (ALE after control implementation) - (annualized cost of the control)
The cost of the control needs to include all the expenses related to its purchase, implementation, maintenance, etc. For example, if the control is a firewall, the cost shouldn't take into account only its price, but also the cost of the training, the cost of the licence, the cost of the people implementing the solution and so forth.
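The SLE/ALE equations from the Quantitative Risk Analysis slide and the control cost/benefit equation from this slide, carried through in working code. This is an added example and is not part of the CISSPills deck; the asset value, exposure factors, occurrence rates and control costs are constructed sample figures, and the two controls (OFFLINE_BACKUPS, PREMIUM_PLATFORM) are hypothetical. The example also ranks several threat scenarios by ALE, which is how the analysis lets the most critical risks be addressed first.

```python
"""Quantitative risk analysis helpers: SLE, ALE and control cost/benefit.

Added example, not from the CISSPills deck. All figures below are
constructed sample values, not data from any real assessment.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction (0.0 to 1.0) of the asset lost per event."""
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0.0 and 1.0")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is the expected occurrences per year (0.1 = once a decade)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and what remains of the risk once it is in place."""
    name: str
    annual_cost: float               # purchase, licence, training, staff time, maintenance (per year)
    residual_exposure_factor: float  # EF that remains with the control in place
    residual_aro: float              # ARO that remains with the control in place


def control_value(asset_value: float, ef: float, aro: float, control: Control) -> float:
    """(ALE before) - (ALE after) - (annualized cost of control). Positive means cost-effective."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, control.residual_exposure_factor),
        control.residual_aro,
    )
    return ale_before - ale_after - control.annual_cost


def is_cost_effective(asset_value: float, ef: float, aro: float, control: Control) -> bool:
    """A control whose annual cost exceeds the loss it prevents is not worth implementing."""
    return control_value(asset_value, ef, aro, control) > 0


def rank_by_ale(scenarios: dict) -> list:
    """Order threat scenarios by ALE, highest first, so the most critical is addressed first.

    scenarios maps a name to a (asset_value, exposure_factor, aro) tuple.
    """
    ranked = [
        (name, annualized_loss_expectancy(single_loss_expectancy(av, ef), aro))
        for name, (av, ef, aro) in scenarios.items()
    ]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed scenario: a customer database worth $500,000 hit by ransomware,
# losing 40% of its value per event, expected once every two years.
ASSET_VALUE = 500_000.0
EXPOSURE_FACTOR = 0.4
ARO = 0.5

# Hypothetical controls (constructed figures).
OFFLINE_BACKUPS = Control("offline backups + restore testing", 20_000.0, 0.1, 0.5)
PREMIUM_PLATFORM = Control("premium managed platform", 120_000.0, 0.02, 0.1)

# Constructed scenarios for the prioritisation step.
SCENARIOS = {
    "ransomware on customer DB": (500_000.0, 0.4, 0.5),
    "laptop theft": (3_000.0, 1.0, 2.0),
    "datacentre flood": (2_000_000.0, 0.8, 0.01),
}


if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR)
    ale = annualized_loss_expectancy(sle, ARO)
    print(f"SLE = {sle:,.0f}  ALE = {ale:,.0f}")
    for control in (OFFLINE_BACKUPS, PREMIUM_PLATFORM):
        value = control_value(ASSET_VALUE, EXPOSURE_FACTOR, ARO, control)
        verdict = "worth it" if is_cost_effective(ASSET_VALUE, EXPOSURE_FACTOR, ARO, control) else "not worth it"
        print(f"{control.name}: net value {value:,.0f} per year ({verdict})")
    for name, scenario_ale in rank_by_ale(SCENARIOS):
        print(f"{name}: ALE {scenario_ale:,.0f}")
```

With the sample figures the SLE is 200,000 and the ALE 100,000. The backup control cuts the ALE to 25,000 for 20,000 a year, a net value of 55,000, while the premium platform reduces the ALE to 1,000 but costs more than the loss it prevents, so its net value is negative and it fails the cost-effectiveness test.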
Total Risk vs Residual Risk
As said before, a control is not able to completely eliminate a risk. Even if a safeguard is put in place, a Residual Risk will still exist. The important thing is that such risk doesn't exceed the level of risk the organisation deems acceptable.
Total Risk = Threats x Vulnerability x Asset Value
Residual Risk = Threats x Vulnerability x Asset Value x Control Gap
Control Gap = the protection that the control can't provide
An alternative way to describe the Residual Risk is:
Residual Risk = Total Risk - Countermeasure
The formulas above are only a conceptual representation of the relationships between the entities making up risk, and are useful to understand the items involved in Total and Residual Risk.
Risk Handling
An organisation can choose to handle a risk in one of the following ways:
Accept: the organisation decides it can 'live' with the identified risk and no further action is taken;
Transfer: the risk is deemed too high or too costly to be mitigated using a control and for this reason is transferred to another entity (e.g. an insurance company);
Avoid: the organisation decides to eliminate the element that poses the risk, in order to consequently avoid the risk;
Mitigate: the organisation decides to implement a control, which allows the risk to be reduced to an acceptable level.
An organisation can choose any of the four options above depending on the context. All of them, unlike rejecting/ignoring the risk, are ways to cope with it.
That's all Folks!
We are done, thank you for the interest! Hope you have enjoyed these pills as much as I have had fun writing them.
For comments, typos, complaints or whatever you want, drop me an e-mail at:
cisspills <at> outlook <dot> com
More resources:
Stay tuned for the next issues;
Join "CISSP Study Group Italia" if you are preparing for your exam.
Brought to you by Pierluigi Falcone. More info about me on
Contact Details