Information Security Governance and Risk Management.

Date post: 12-Jan-2016
Upload: damian-cross
Transcript
Page 1: Information Security Governance and Risk Management.

Information Security Governance and Risk Management

Page 2: Domain Objectives

• Security Planning and Organization

• Roles of Individuals in a Security Program

• Differences between Policies, Standards, Guidelines, and Procedures as related to Security

• Security Awareness throughout the Organization

• Risk Management Practices and Tools

Page 3: Information Security TRIAD

• Confidentiality

• Integrity

• Availability

Page 4: Introduction

• Information Security Management includes:

• Governance Structure

• Policies

• Standards

• Procedures

• Baselines

• Guidelines

Page 5: Domain Agenda

• Principles and Requirements

• Policy

• Organizational Roles and Responsibilities

• Risk Management and Analysis

• Ethics

Page 6: IT Security Requirements

• Provides confidence that security function is performing as expected

• Critical part of the security program

• Defines the security behavior of the control measure

• Selected based on risk assessment

Figure: Assurance Requirements and Functional Requirements together form Complete Security Solutions

Page 7: Organizational & Business Requirements

• Focus on the mission of the organization

• Each type of organization has differing security requirements

• Security must make sense and be cost effective

Page 8: IT Security Governance

• Integral Part of Overall Corporate Governance

• Three Major Parts

• Leadership

• Structure

• Processes

Page 9: ISO 17799 & ISO 27001

• ISO 17799

• Code of Practice - Guidance and Support

• Management Focus

• ISO 27001:2005

• Management System Standard (Certifiable and Measurable Requirements)

• Assurance Focus

Page 10: Security Blueprints

• Used to identify and design security requirements

• Infrastructure Security Blueprints

Page 11: Domain Agenda

• Principles and Requirements

• Policy

• Organizational Roles and Responsibilities

• Risk Management and Analysis

• Ethics

Page 12: Policy Overview

THE “ENVIRONMENT”: the Overarching Organizational Policy (Management’s Security Statement) is shaped by

• Regulations

• Laws

• Organizational Objectives

• Organizational Goals

• Shareholders’ Interests

Page 13: Policy Overview

Policy hierarchy, top to bottom:

• Overarching Organizational Policy (Management’s Security Statement)

• Functional Implementing Policies (Management’s Security Directives)

• Standards, Baselines, Guidelines, Procedures

Page 14: Management’s Security Policy

• Provides Management’s Goals and Objectives in Writing

• Documents compliance

• Creates security culture

Example statement: “Security is essential to this company and its future” (J.T. Lock, CEO)

Page 15: Management’s Security Policy

• Anticipates and protects from surprises

• Establishes the security activity/function

• Holds individuals personally responsible/accountable

• Addresses potential future conflicts

Page 16: Management’s Security Policy

• Ensures employees and contractors are aware of organizational policy and changes

• Mandates an incident response plan

• Establishes processes for exception handling, rewards, discipline

Example notice: Security Violation Reprimand. TO: I.M. Wrong. FOR: Failing to follow established policies

Page 17: Policy Infrastructure

• Functional Policies

• Implement and interpret the high level security policies of the organization

Figure: Management’s Security Policy (“Security is essential to this company and its future”, J.T. Lock, CEO) is implemented by the Functional Policies beneath it

Page 18: Policy Implementation

• From policies come the supporting elements: Standards, Procedures, Baselines, Guidelines

• These enforce the security policy principles on every business process and system

Page 19: Standards

• Adoption of common hardware and software mechanisms and products

Figure examples: Corporate Standard Products for Desktop, Anti-Virus, Firewall

Page 20: Procedures

• Required Step-by-step Actions

Figure examples: Corporate Procedures for Intrusion, Tampering, Material Destruction

Page 21: Baselines

• Establish consistent implementation of security mechanisms

• Platform unique

Figure examples: Corporate Configuration Baselines for VPN Setup, IDS Configuration, Password Rules

Page 22: Guidelines

• Recommendations for security product implementations, procurement and planning, etc.

Figure examples: TCSEC, ISO 27001, SOX, HIPAA, ITIL

Page 23: Levels of Security Planning

• Three levels of Security Planning

• Strategic Planning

• Tactical Level Planning

• Operational Planning

• These plans must be integrated

• Seamless transition between levels

Page 24: Domain Agenda

• Principles and Requirements

• Policy

• Organizational Roles and Responsibilities

• Risk Management and Analysis

• Ethics

Page 25: Organizational Roles and Responsibilities

• Everyone has a role and responsibility

• Specific security functions must be assigned

Page 26: Specific Roles and Responsibilities

• Executive Management

• Information Systems Security Professionals

• Owners

• Custodians

Page 27: Organizational Roles and Responsibilities

• Information Systems Auditor

• Users

• IS/IT Function

Page 28: Personnel Security: Hiring of New Staff

• Background Checks/Security Clearances

• Follow-up on References and Educational Records

• Sign Employment Agreements

Page 29: Personnel Security

• Low Level Checks

• Consult the Human Resources (H.R.) department

• Termination Procedures

Page 30: Third Party Considerations

• Vendors/Suppliers

• Contractors

• Temporary Employees

• Customers

Page 31: Personnel Good Practices

• Job Descriptions and Defined Roles and Responsibilities

• Least Privilege / Need to Know

• Separation of Duties

• Job Rotation

• Mandatory Vacations

Page 32: Security Awareness, Training, and Education

• Awareness Training

• Job Training

• Professional Education

Page 33: Good Training Practices

• Address the audience

• Management

• Data Owner and Custodian

• Operations Personnel

• User

• Support Personnel

Page 34: Domain Agenda

• Principles and Requirements

• Policy

• Organizational Roles and Responsibilities

• Risk Management and Analysis

• Ethics

Page 35: Definition of Risk from NIST SP 800-30

• Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization

Page 36: Risk Management Concept Flow (figure)

Page 37: Risk Management Definitions

• Asset

• Threat

• Threat Agent

• Exposure

Page 38: Risk Management Terms

• Vulnerability

• Attack

• Countermeasures and Safeguards

• Risk

• Residual Risk

Page 39: Risk Management

• The purpose of Risk Management is to identify potential problems

• Before they occur

• So that risk-handling activities may be planned and invoked as needed

• Across the life of the product or project

Page 40: Risk Assessment

The Risk Equation (figure): Risk Management is made up of three activities

• Risk Assessment: Identification of risks, Evaluation of risks, Risk Impact, Recommendation of risk-reducing measures

• Risk Mitigation: Risk Avoidance, Risk Mitigation, Risk Acceptance, Risk Transference

• Evaluation & Assurance: Evaluation of risks, Ongoing risk assessment, Periodic evaluation, Regulatory compliance

Page 41: Risk Factors

Figure: Threats, Assets, Vulnerabilities

Page 42: Risk Factors

Figure: Threats, Assets, Countermeasures

Page 43: Risk Management

• Risk Management identifies and reduces Total Risks (Threats, Vulnerabilities, & Asset Value)

• Mitigating controls: Safeguards & Countermeasures reduce risk

• Residual Risk should be set to an acceptable level

Page 44: Purpose of Risk Analysis

• Identifies and justifies risk mitigation efforts

• Describes current security posture

• Conducted based on risk to the organization’s objectives/mission

Page 45: Benefits of Risk Analysis

• Focuses policy and resources

• Identifies areas with specific risk requirements

• Part of good IT Governance

• Supports

• Business continuity process

• Insurance and liability decisions

• Legitimizes security awareness programs

Page 46: Emerging Threats Factor

• Risk Assessment must also address emerging threats

• Can come from many different areas

• May be discovered by periodic risk assessments

Page 47: Sources to Identify Threats

• Users

• System Administrators

• Security Officers

• Auditors

• Operations

• Facility Records

• Community and Government Records

• Vendor/Security Provider Alerts

Page 48: Risk Analysis Key Factors

• Obtain senior management support

• Establish the risk assessment team

• Risk Team Members

Page 49: Use of Automated Tools for Risk Management

• Objective is to minimize manual effort

• Can be time consuming to setup

• Perform calculations quickly

Page 50: Preliminary Security Evaluation

• Identify vulnerabilities

• Review existing security measures

• Document findings

• Obtain management review and approval

Page 51: Risk Analysis Types

• Two types of Risk Analysis

• Quantitative Risk Analysis

• Qualitative Risk Analysis

• Both provide unique capabilities

• Both are often required to get a full picture

Page 52: Quantitative Risk Analysis

• Assign independently objective numeric monetary values

• Fully quantitative if all elements of the risk analysis are quantified

• Difficult to achieve

• Requires substantial time and personnel resources

RISK = MONEY

Page 53: Quantitative Analysis Steps

• Three primary steps

1. Estimate potential losses

2. Conduct a threat analysis

3. Determine annual loss expectancy

Page 54: Determining Asset Value

• Cost to acquire, develop, and maintain

• Value to owners, custodians, or users

• Liability for protection

• Recognize cost and value in the real world

Page 55: Quantitative Risk Analysis - Step One

Step 1: Estimate potential losses

SLE – Single Loss Expectancy

• SLE = Asset Value ($) X Exposure Factor (%)

• Exposure Factor is percentage of asset loss when threat is successful

• Types of loss to consider

Page 56: Quantitative Risk Analysis - Step Two

Step 2: Conduct threat analysis

ARO - Annual Rate of Occurrence

• Number of exposures or incidents that could be expected per year

• Likelihood of an unwanted event happening

Page 57: Quantitative Risk Analysis - Step Three

Step 3: Determine Annual Loss Expectancy (ALE)

• Combine potential loss and rate/year

• Magnitude of risk = Annual Loss Expectancy

• Purpose of ALE

• Justify security countermeasures

ALE = SLE * ARO
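As an added worked example (not from the deck), the three steps above carried through in Python and then used for the countermeasure justification the deck mentions. The asset, threat and safeguard figures are constructed, and the net-value test (ALE reduction minus the safeguard's annual cost) is the usual cost/benefit comparison, which the deck states only in words.

```python
"""Quantitative risk analysis: SLE = AV x EF, ARO, ALE = SLE x ARO, then
the ALE before and after a safeguard versus the safeguard's yearly cost.
All dollar figures below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset_value: float      # AV in dollars
    exposure_factor: float  # EF as a fraction 0..1 (the deck's percentage)
    aro: float              # ARO: expected incidents per year


def single_loss_expectancy(av: float, ef: float) -> float:
    """Step 1: SLE = Asset Value ($) x Exposure Factor (%)."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return av * ef


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """Step 3: ALE = SLE * ARO, with ARO from the step-2 threat analysis."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def scenario_ale(s: Scenario) -> float:
    return annual_loss_expectancy(
        single_loss_expectancy(s.asset_value, s.exposure_factor), s.aro)


def safeguard_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Net annual value of a countermeasure: ALE reduction minus its yearly cost.
    A positive result means the potential loss removed justifies the cost."""
    return scenario_ale(before) - scenario_ale(after) - annual_cost


# Constructed figures: a $200,000 customer database, a threat that destroys
# 25% of it when successful, expected once every four years (ARO = 0.25).
BEFORE = Scenario(asset_value=200_000, exposure_factor=0.25, aro=0.25)
# Hypothetical backup-and-recovery safeguard: EF drops to 5%, ARO unchanged.
AFTER = Scenario(asset_value=200_000, exposure_factor=0.05, aro=0.25)
SAFEGUARD_COST = 4_000  # constructed annual cost of the safeguard

if __name__ == "__main__":
    print("SLE before:", single_loss_expectancy(BEFORE.asset_value, BEFORE.exposure_factor))
    print("ALE before:", scenario_ale(BEFORE))
    print("ALE after :", scenario_ale(AFTER))
    print("Net value :", safeguard_value(BEFORE, AFTER, SAFEGUARD_COST))
```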

Page 58: Qualitative Risk Analysis - Second Type

• Scenario Oriented

• Does not attempt to assign absolute numeric values to risk components

• Purely qualitative risk analysis is possible

Page 59: Qualitative Risk Analysis Critical Factors

• Rank seriousness of threats and sensitivity of assets

• Perform a carefully reasoned risk assessment

Page 60: Risk Levels (AS/NZ 4360 Standard)

Consequence:         1 Insignificant   2 Minor   3 Moderate   4 Major   5 Catastrophic
Likelihood:
A (almost certain)   H                 H         E            E         E
B (likely)           M                 H         H            E         E
C (possible)         L                 M         H            E         E
D (unlikely)         L                 L         M            H         E
E (rare)             L                 L         M            H         H

E Extreme Risk: Immediate action required to mitigate the risk or decide to not proceed

H High Risk: Action should be taken to compensate for the risk

M Moderate Risk: Action should be taken to monitor the risk

L Low Risk: Routine acceptance of the risk
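The matrix above as a lookup, added here as an example that is not part of the deck: it rates each entry of a small risk register by likelihood (A to E) and consequence (1 to 5), attaches the action the slide gives for each level, and orders the register most severe first. The register entries are constructed, and `prioritise` is a name chosen for this example.

```python
"""Rate risks with the AS/NZ 4360 matrix from the slide and order a register
by severity. The matrix rows are copied from the slide; the register is constructed."""

# Rows: likelihood A (almost certain) .. E (rare); columns: consequence 1..5.
MATRIX = {
    "A": "HHEEE",
    "B": "MHHEE",
    "C": "LMHEE",
    "D": "LLMHE",
    "E": "LLMHH",
}
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
LIKELIHOOD = {"A": "almost certain", "B": "likely", "C": "possible", "D": "unlikely", "E": "rare"}
ACTION = {
    "E": "Extreme Risk: immediate action required to mitigate the risk or decide to not proceed",
    "H": "High Risk: action should be taken to compensate for the risk",
    "M": "Moderate Risk: action should be taken to monitor the risk",
    "L": "Low Risk: routine acceptance of the risk",
}
ORDER = "LMHE"  # ascending severity, used when sorting a register


def rate(likelihood: str, consequence: int) -> str:
    """Return the L/M/H/E rating for one cell; values outside the matrix are rejected."""
    row = MATRIX.get(likelihood.upper())
    if row is None or consequence not in CONSEQUENCE:
        raise ValueError(f"no cell for likelihood {likelihood!r}, consequence {consequence!r}")
    return row[consequence - 1]


def prioritise(register):
    """Rate each (name, likelihood, consequence) entry and return
    (name, rating, likelihood, consequence) tuples, most severe first.
    Python's sort is stable, so equally rated entries keep register order."""
    rated = [(name, rate(lk, cq), lk, cq) for name, lk, cq in register]
    return sorted(rated, key=lambda r: ORDER.index(r[1]), reverse=True)


# Constructed sample register, not from the deck.
SAMPLE = [
    ("Unpatched internet-facing web server", "B", 4),
    ("Laptop left on train", "C", 2),
    ("Data centre flood", "E", 5),
    ("Shared admin password", "A", 3),
]

if __name__ == "__main__":
    for name, rating, lk, cq in prioritise(SAMPLE):
        print(f"{rating}  {name}: {LIKELIHOOD[lk]} / {CONSEQUENCE[cq]} -> {ACTION[rating]}")
```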

Page 61: Other Risk Analysis Methods

• Failure Modes and Effects Analysis

• Examine potential failures of each part or module

• Examine effects of failure at three levels

• Fault Tree Analysis

• Sometimes called ‘spanning tree analysis’

• Create a “tree” of all possible threats to, or faults of the system

Page 62: Risk Mitigation Options

• Risk Acceptance

• Risk Reduction

• Risk Transference

• Risk Avoidance

Page 63: The Right Amount of Security

• Cost/Benefit Analysis - balance between the cost to protect and asset value

Security is a Balancing Act! (figure: Cost weighed against Value)

Page 64: Countermeasure Selection Principles

• Based on a cost/benefit analysis

• Cost must be justified by the potential loss

• Accountability

• Absence of Design Secrecy

• Audit Capability

Page 65: Countermeasure Selection Principles

• Vendor Trustworthiness

• Independence of Control and Subject

• Universal Application

• Compartmentalization and Defense in Depth

• Isolation, Economy, and least Common Mechanism

Page 66: Countermeasure Selection Principles

• Acceptance and Tolerance by Personnel

• Minimum Human Intervention

• Sustainability

Page 67: Countermeasure Selection Principles

• Reaction and Recovery

• Override and Fail-safe Defaults

• Residuals and Reset

Page 68: Domain Agenda

• Principles and Requirements

• Policy

• Organizational Roles and Responsibilities

• Risk Management and Analysis

• Ethics

Page 69: Ethical Responsibilities

• CISSPs “set the example”

• CISSPs encourage adoption of ethical guidelines and standards

• CISSPs inform users through security awareness training

Page 70: Basis and Origin of Ethics

• Religion

• Law

• National Interest

• Individual Rights

• Common good/interest

• Enlightened self interest

• Professional ethics/practices

• Standards of good practice

• Tradition/culture

Page 71: Formal Ethical Theories

• Teleology

• Ethics in terms of goals, purposes, or ends

• Deontology

• Ethical behavior is a duty

Page 72: Common Ethical Fallacies

• Computers are a game

• Law-abiding Citizen

• Shatterproof

• Candy-from-a-baby

• Hackers

• Free Information

Page 73: Codes of Ethics

• Relevant Professional Codes of Ethics include:

• (ISC)2 and other professional codes of ethics

• Internet Activities Board (IAB)

• Auditors

• Professional codes may have legal importance

Page 74: (ISC)2 Code of Ethics Preamble

• “Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior”

• “Therefore, strict adherence to this code is a condition of certification”

Page 75: (ISC)2 Code of Ethics Canons

• “Protect society, the commonwealth, and the infrastructure”

• “Act honorably, honestly, justly, responsibly, and legally”

• “Provide diligent and competent service to principals”

• “Advance and protect the profession”

Page 76: RFC 1087

• Ethics and the Internet

• Access and use of the Internet is a PRIVILEGE and should be treated as such by all users

Page 77: Internet Activities Board (IAB)

• Any activity is unethical & unacceptable that purposely:

• Seeks to gain unauthorized access to Internet resources

• Disrupts the intended use of the Internet

• Wastes resources (people, capacity, computer) through such actions

Page 78: Internet Activities Board (IAB)

• Destroys the integrity of computer-based information

• Compromises the privacy of users

• Involves negligence in the conduct of Internet-wide experiments

Page 79: Ethical Environments

• Ethics are difficult to define

• Begin with senior management

Page 80: Domain Summary

• This domain sets the foundation for a respected and solid Information Security Management Program:

• Policies, Procedures, Baselines, Guidelines

• Roles and Responsibilities

• Risk Management

• Ethics

Page 81: “Security Transcends Technology”
