Date posted: 12-Jan-2016
Information Security Governance and Risk Management
2
Domain Objectives
• Security Planning and Organization
• Roles of Individuals in a Security Program
• Differences between Policies, Standards, Guidelines, and Procedures as related to Security
• Security Awareness throughout the Organization
• Risk Management Practices and Tools
3
Information Security TRIAD
Figure: Confidentiality, Integrity and Availability surrounding Information Security
4
Introduction
• Information Security Management includes:
• Governance Structure
• Policies
• Standards
• Procedures
• Baselines
• Guidelines
5
Domain Agenda
• Principles and Requirements
• Policy
• Organizational Roles and Responsibilities
• Risk Management and Analysis
• Ethics
6
IT Security Requirements
• Provides confidence that security function is performing as expected
• Critical part of the security program
• Defines the security behavior of the control measure
• Selected based on risk assessment
Figure: Assurance Requirements and Functional Requirements together form Complete Security Solutions
7
Organizational & Business Requirements
• Focus on the mission of the organization
• Each type of organization has differing security requirements
• Security must make sense and be cost effective
8
IT Security Governance
• Integral Part of Overall Corporate Governance
• Three Major Parts
• Leadership
• Structure
• Processes
9
ISO 17799 & ISO 27001
• ISO 17799
• Code of Practice - Guidance and Support
• Management Focus
• ISO 27001:2005
• Management System Standard (Certifiable and Measurable Requirements)
• Assurance Focus
10
Security Blueprints
• Used to identify and design security requirements
• Infrastructure Security Blueprints
11
Domain Agenda
• Principles and Requirements
• Policy
• Organizational Roles and Responsibilities
• Risk Management and Analysis
• Ethics
12
Policy Overview
Figure: THE “ENVIRONMENT” surrounding the Overarching Organizational Policy (Management’s Security Statement): Regulations, Laws, Organizational Objectives, Organizational Goals, Shareholders’ Interests
13
Policy Overview
Figure: policy hierarchy, from the Overarching Organizational Policy (Management’s Security Statement) to the Functional Implementing Policies (Management’s Security Directives) to Standards, Baselines, Guidelines and Procedures
14
Management’s Security Policy
• Provides Management’s Goals and Objectives in Writing
• Documents compliance
• Creates security culture
Figure: sample policy statement, “Security is essential to this company and its future”, signed J.T. Lock, CEO
15
Management’s Security Policy
• Anticipates and protects from surprises
• Establishes the security activity/function
• Holds individuals personally responsible/accountable
• Addresses potential future conflicts
16
Management’s Security Policy
• Ensures employees and contractors are aware of organizational policy and changes
• Mandates an incident response plan
• Establishes processes for exception handling, rewards, discipline
Figure: Security Violation Reprimand. TO: I.M. Wrong. FOR: Failing to follow established policies
17
Policy Infrastructure
• Functional Policies
• Implement and interpret the high level security policies of the organization
Figure: Management’s Security Policy (“Security is essential to this company and its future”, J.T. Lock, CEO) at the top, with the Functional Policies beneath it
18
Policy Implementation
• From policies come the supporting elements: Standards, Procedures, Baselines, Guidelines
• These enforce the security policy principles on every business process and system
19
Standards
• Adoption of common hardware and software mechanisms and products
Figure: Corporate Standard Products, e.g. Desktop, Anti-Virus, Firewall
20
Procedures
• Required Step-by-step Actions
Figure: Corporate Procedures for Intrusion, Tampering, Material Destruction
21
Baselines
• Establish consistent implementation of security mechanisms
• Platform unique
Figure: Corporate Configuration Baseline, e.g. VPN Setup, IDS Configuration, Password Rules
22
Guidelines
• Recommendations for security product implementations, procurement and planning, etc.
Figure: sources of guidelines, e.g. TCSEC, ISO 27001, SOX, HIPAA, ITIL
23
Levels of Security Planning
• Three levels of Security Planning
• Strategic Planning
• Tactical Level Planning
• Operational Planning
• These plans must be integrated
• Seamless transition between levels
24
Domain Agenda
• Principles and Requirements
• Policy
• Organizational Roles and Responsibilities
• Risk Management and Analysis
• Ethics
25
Organizational Roles and Responsibilities
• Everyone has a role and responsibility
• Specific security functions must be assigned
26
Specific Roles and Responsibilities
• Executive Management
• Information Systems Security Professionals
• Owners
• Custodians
27
Organizational Roles and Responsibilities
• Information Systems Auditor
• Users
• IS/IT Function
28
Personnel Security: Hiring of New Staff
• Background Checks/Security Clearances
• Follow-up on References and Educational Records
• Sign Employment Agreements
29
Personnel Security
• Low Level Checks
• Consult the Human Resources (H.R.) department
• Termination Procedures
30
Third Party Considerations
• Vendors/Suppliers
• Contractors
• Temporary Employees
• Customers
31
Personnel Good Practices
• Job Descriptions and Defined Roles and Responsibilities
• Least Privilege / Need to Know
• Separation of Duties
• Job Rotation
• Mandatory Vacations
32
Security Awareness, Training, and Education
• Awareness Training
• Job Training
• Professional Education
33
Good Training Practices
• Address the audience
• Management
• Data Owner and Custodian
• Operations Personnel
• User
• Support Personnel
34
Domain Agenda
• Principles and Requirements
• Policy
• Organizational Roles and Responsibilities
• Risk Management and Analysis
• Ethics
35
Definition of Risk from NIST SP 800-30
• Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization
36
Risk Management Concept Flow
37
Risk Management Definitions
• Asset
• Threat
• Threat Agent
• Exposure
38
Risk Management Terms
• Vulnerability
• Attack
• Countermeasures and Safeguards
• Risk
• Residual Risk
39
Risk Management
• The purpose of Risk Management is to identify potential problems
• Before they occur
• So that risk-handling activities may be planned and invoked as needed
• Across the life of the product or project
40
The Risk Equation
Figure: Risk Management = Risk Assessment + Risk Mitigation + Evaluation & Assurance
Risk Assessment: Identification of risks; Evaluation of risks; Risk Impact; Recommendation of risk-reducing measures
Risk Mitigation: Risk Avoidance; Risk Mitigation; Risk Acceptance; Risk Transference
Evaluation & Assurance: Ongoing risk assessment; Periodic evaluation; Regulatory compliance
41
Risk Factors
Figure: Threats, Assets, Vulnerabilities
42
Risk Factors
Figure: Threats, Assets, Countermeasures
43
Risk Management
• Risk Management identifies and reduces Total Risks (Threats, Vulnerabilities, & Asset Value)
• Mitigating controls: Safeguards & Countermeasures reduce risk
• Residual Risk should be set to an acceptable level
44
Purpose of Risk Analysis
• Identifies and justifies risk mitigation efforts
• Describes current security posture
• Conducted based on risk to the organization’s objectives/mission
45
Benefits of Risk Analysis
• Focuses policy and resources
• Identifies areas with specific risk requirements
• Part of good IT Governance
• Supports
• Business continuity process
• Insurance and liability decisions
• Legitimizes security awareness programs
46
Emerging Threats Factor
• Risk Assessment must also address emerging threats
• Can come from many different areas
• May be discovered by periodic risk assessments
47
Sources to Identify Threats
• Users
• System Administrators
• Security Officers
• Auditors
• Operations
• Facility Records
• Community and Government Records
• Vendor/Security Provider Alerts
48
Risk Analysis Key Factors
• Obtain senior management support
• Establish the risk assessment team
• Risk Team Members
49
Use of Automated Tools for Risk Management
• Objective is to minimize manual effort
• Can be time consuming to setup
• Perform calculations quickly
50
Preliminary Security Evaluation
• Identify vulnerabilities
• Review existing security measures
• Document findings
• Obtain management review and approval
51
Risk Analysis Types
• Two types of Risk Analysis
• Quantitative Risk Analysis
• Qualitative Risk Analysis
• Both provide unique capabilities
• Both are often required to get a full picture
52
Quantitative Risk Analysis
• Assign independently objective numeric monetary values
• Fully quantitative if all elements of the risk analysis are quantified
• Difficult to achieve
• Requires substantial time and personnel resources
RISK = MONEY
53
Quantitative Analysis Steps
• Three primary steps
1. Estimate potential losses
2. Conduct a threat analysis
3. Determine annual loss expectancy
54
Determining Asset Value
• Cost to acquire, develop, and maintain
• Value to owners, custodians, or users
• Liability for protection
• Recognize cost and value in the real world
55
Quantitative Risk Analysis - Step One
Estimate potential losses
SLE – Single Loss Expectancy
• SLE = Asset Value ($) × Exposure Factor (%)
• Exposure Factor is the percentage of the asset’s value lost when a threat is successful
• Types of loss to consider
56
Quantitative Risk Analysis - Step Two
Conduct threat analysis
ARO - Annual Rate of Occurrence
• Number of exposures or incidents that could be expected per year
• Likelihood of an unwanted event happening
57
Quantitative Risk Analysis - Step Three
Determine Annual Loss Expectancy (ALE)
• Combine potential loss and rate/year
• Magnitude of risk = Annual Loss Expectancy
• Purpose of ALE
• Justify security countermeasures
ALE = SLE × ARO
58
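As an added worked example (not from the slide deck), the three quantitative steps above are carried through in Python: SLE from asset value and exposure factor, ALE from SLE and ARO, and then the cost/benefit comparison that the deck says ALE exists to support. The asset, the countermeasure and their figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class RiskScenario:
    asset_value: float       # $ cost to acquire, develop and maintain, plus liability
    exposure_factor: float   # fraction of asset value lost when the threat succeeds (0.0-1.0)
    aro: float               # Annual Rate of Occurrence: incidents expected per year

    def sle(self) -> float:
        """Step one: Single Loss Expectancy = Asset Value x Exposure Factor."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Step three: Annual Loss Expectancy = SLE x ARO (step two supplies the ARO)."""
        return self.sle() * self.aro


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Net annual value of a countermeasure: ALE removed minus what the control costs to run.

    A positive result justifies the control; a negative one means it costs more than the
    risk it removes, which is the cost/benefit balance the deck asks for.
    """
    return before.ale() - after.ale() - annual_cost


# Constructed example: a $250,000 customer database, 40% of its value lost per incident,
# expected roughly once every two years (ARO 0.5) before any new control is applied.
before = RiskScenario(asset_value=250_000, exposure_factor=0.40, aro=0.5)

# Constructed example: a countermeasure that cuts the ARO to once in ten years and,
# by limiting what a single incident can reach, halves the exposure factor.
after = RiskScenario(asset_value=250_000, exposure_factor=0.20, aro=0.1)

if __name__ == "__main__":
    print(f"SLE before control: ${before.sle():,.0f}")
    print(f"ALE before control: ${before.ale():,.0f}")
    print(f"ALE after control:  ${after.ale():,.0f}")
    # Residual risk is the ALE that remains after the control (see the slides on Residual Risk).
    print(f"Net annual value of a $20,000/yr safeguard: ${safeguard_value(before, after, 20_000):,.0f}")
```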
Qualitative Risk Analysis - Second Type
• Scenario Oriented
• Does not attempt to assign absolute numeric values to risk components
• Purely qualitative risk analysis is possible
59
Qualitative Risk Analysis Critical Factors
• Rank seriousness of threats and sensitivity of assets
• Perform a carefully reasoned risk assessment
60
Risk Levels (AS/NZS 4360 Standard)
Likelihood \ Consequence   1 Insignificant   2 Minor   3 Moderate   4 Major   5 Catastrophic
A (almost certain)         H                 H         E            E         E
B (likely)                 M                 H         H            E         E
C (possible)               L                 M         H            E         E
D (unlikely)               L                 L         M            H         E
E (rare)                   L                 L         M            H         H
E = Extreme Risk: Immediate action required to mitigate the risk or decide to not proceed
H = High Risk: Action should be taken to compensate for the risk
M = Moderate Risk: Action should be taken to monitor the risk
L = Low Risk: Routine acceptance of the risk
61
Other Risk Analysis Methods
• Failure Modes and Effects Analysis
• Examine potential failures of each part or module
• Examine effects of failure at three levels
• Fault Tree Analysis
• Sometimes called ‘spanning tree analysis’
• Create a “tree” of all possible threats to, or faults of the system
62
Risk Mitigation Options
• Risk Acceptance
• Risk Reduction
• Risk Transference
• Risk Avoidance
63
The Right Amount of Security
• Cost/Benefit Analysis - balance between the cost to protect and asset value
Figure: Security is a Balancing Act! (Cost vs. Value)
64
Countermeasure Selection Principles
• Based on a cost/benefit analysis
• Cost must be justified by the potential loss
• Accountability
• Absence of Design Secrecy
• Audit Capability
65
Countermeasure Selection Principles
• Vendor Trustworthiness
• Independence of Control and Subject
• Universal Application
• Compartmentalization and Defense in Depth
• Isolation, Economy, and Least Common Mechanism
66
Countermeasure Selection Principles
• Acceptance and Tolerance by Personnel
• Minimum Human Intervention
• Sustainability
67
Countermeasure Selection Principles
• Reaction and Recovery
• Override and Fail-safe Defaults
• Residuals and Reset
68
Domain Agenda
• Principles and Requirements
• Policy
• Organizational Roles and Responsibilities
• Risk Management and Analysis
• Ethics
69
Ethical Responsibilities
• CISSPs “set the example”
• CISSPs encourage adoption of ethical guidelines and standards
• CISSPs inform users through security awareness training
70
Basis and Origin of Ethics
• Religion
• Law
• National Interest
• Individual Rights
• Common good/interest
• Enlightened self interest
• Professional ethics/practices
• Standards of good practice
• Tradition/culture
71
Formal Ethical Theories
• Teleology
• Ethics in terms of goals, purposes, or ends
• Deontology
• Ethical behavior is a duty
72
Common Ethical Fallacies
• Computers are a game
• Law-abiding Citizen
• Shatterproof
• Candy-from-a-baby
• Hackers
• Free Information
73
Codes of Ethics
• Relevant Professional Codes of Ethics include:
• (ISC)2 and other professional codes of ethics
• Internet Activities Board (IAB)
• Auditors
• Professional codes may have legal importance
74
(ISC)2 Code of Ethics Preamble
• “Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior”
• “Therefore, strict adherence to this code is a condition of certification”
75
(ISC)2 Code of Ethics Canons
• “Protect society, the commonwealth, and the infrastructure”
• “Act honorably, honestly, justly, responsibly, and legally”
• “Provide diligent and competent service to principals”
• “Advance and protect the profession”
76
RFC 1087
• Ethics and the Internet
• Access and use of the Internet is a PRIVILEGE and should be treated as such by all users
77
Internet Activities Board (IAB)
• Any activity is unethical & unacceptable that purposely:
• Seeks to gain unauthorized access to Internet resources
• Disrupts the intended use of the Internet
• Wastes resources (people, capacity, computer) through such actions
78
Internet Activities Board (IAB)
• Destroys the integrity of computer-based information
• Compromises the privacy of users
• Involves negligence in the conduct of Internet-wide experiments
79
Ethical Environments
• Ethics are difficult to define
• Begin with senior management
80
Domain Summary
• This domain sets the foundation for a respected and solid Information Security Management Program:
• Policies, Procedures, Baselines, Guidelines
• Roles and Responsibilities
• Risk Management
• Ethics
“Security Transcends Technology”