0% found this document useful (0 votes)

338 views202 pages

Ebook - CISSP - Domain - 01 - Security and Risk Management

Uploaded by

roy

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

338 views202 pages

Ebook - CISSP - Domain - 01 - Security and Risk Management

Uploaded by

roy

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 202

Certified Information Systems Security Professional

(CISSP) Certification Training Course

CISSP® is a registered trademark of (ISC)² ®

Domain 01: Security and Risk Management
Learning Objectives

By the end of this lesson, you will be able to:

Recognize the importance of information security management

Describe security policy implementation

Describe information risk management

Define personnel security and security function management

process

Define computer crime

Explain the BCP process

Introduction to Domain 1: Security and Risk Management
Importance of Information Security and Risk Management

Kevin Butler is a Security Administrator in the network firewalls

division at Nutri Worldwide Inc. He must prepare for the CISSP exam.
He starts his preparation by reading a historical case of a competitor.

The competitor company had failed to understand the importance of

information security. The company had planned their Business
Continuity Plan (BCP) without continuous involvement of IT.
IT security input was taken without the team playing an active role.
The BCP was weak in the area of IT security. When the headquarters
of the competitor company was hit by a tornado, there was a huge
information leak as data protection measures were not well planned
at the time of the natural disaster. The IT department tried their best
to prevent this. The company faced major losses, which led them to
file for bankruptcy within a few years.
Introduction to Information Security

Information security is the process of protecting information and information systems

from the following:

Unauthorized disclosure,
access, and use Disruption
Information
Security

Destruction Modification

Deletion
Introduction to Information Security

Factors that impact information security:

Business plans and general

Technology
business environment

• Platforms and tools used • Nature of business

• Network connectivity • Risk tolerance

• Level of IT complexity • Industry trends

• New or emerging security tools • Merger acquisitions and partnership

• Operational support for security • Outsourcing service or providers

Cybersecurity

What is Cybersecurity? Why is Cybersecurity important?

• Cybersecurity refers to anything • Due to technological advancement, the

intended to protect enterprises from rate of cybercrime is increasing
intentional attacks, breaches, incidents,
and consequences • As most of the business happens
online these days, there is an
• It can also be defined as the protection increasing demand to protect this data
of information assets by addressing
• Presence of crime syndicates
threats to information processed,
stored, and transported by • Cyber armies
internetworked information systems
• Financial fraud
Difference between Information Security and Cybersecurity

Information Security Cybersecurity

• Information security deals with • It can be defined as the protection of

information regardless of its format. information assets by addressing
threats to information processed,
stored, and transported by
• It encompasses paper documents,
internetworked information systems.
digital data, and intellectual property.

• Cybersecurity is a component of
information security.
Terrifying Cybercrime Statistics

Recent trends which make Cybersecurity more important:

• During the first six months of 2018, more than 25 million

records were compromised or exposed every day
• Over 24,000 malicious mobile apps are blocked daily
• Ransomware attacks on the healthcare industry will quadruple
• Cybercrime to cost $6 trillion by 2021
• 300 billion passwords worldwide by 2020
• More than 60% of fraud originates from mobile devices
• Personal data sells for as little as $0.20
• 90% of hackers use encryption
Approaches to Cybersecurity

Compliance based Ad hoc

Relies on regulations or This approach simply

standards to determine implements security with no
security implementation rationale or criteria

Risk based
This approach relies on identifying
the unique risk a particular
organization faces and designing
and implementing security
controls to address that risk
Understand, Adhere to, and Promote Professional Ethics
(ISC)2 Code of Professional Ethics

The (ISC)2 Code of Professional Ethics has two categories:

• The safety and welfare of society and the common good, duty to
our principles, and to each other, requires that we adhere, and be
Code of Ethics
seen to adhere, to the highest ethical standards of behavior.
Preamble
• Therefore, strict adherence to this Code is a condition of
certification.

• Protect society, the common good, necessary public trust and

confidence, and the infrastructure.
Code of Ethics • Act honorably, honestly, justly, responsibly, and legally.
Canons
• Provide diligent and competent service to principles.
• Advance and protect the profession.
Organizational Code of Ethics

A code of ethics provides a

An organization code of ethics
general understanding of the
Ethics are the principles and expresses the overarching
ethical or moral responsibilities
values used by an individual to principles or ideals that guide an
that the governing body,
govern his or her actions and organization’s decisions and
employees, and volunteers are
decisions. actions when conducting
expected to meet while working
operations and service delivery.
for the organization.

A code of ethics can help your organization to:

• Show customers that • Define the terms of ethical • Guide decision-making

it values integrity standard of behavior at work in difficult situations
Understand and Apply Security Concepts
Role and Importance of CIA in Information Security

Confidentiality, Integrity, and Availability (CIA) have served as the industry

standard for computer security since the time of the first mainframes.

Integrity

Availability

Confidentiality

CIA Triad: The three principles of security

Confidentiality

The principle of confidentiality asserts that information and functions can be accessed only by
authorized parties.

Example: Military secrets

Threats to Confidentiality:
• Hackers
• Masqueraders Integrity

• Unauthorized user activity

• Unprotected files downloaded
Availability
Availability
• Unprotected networks
• Unauthorized programs Confidentiality

• Social engineering attacks

Integrity

The principle of integrity asserts that information and functions can be added, altered, or removed
only by authorized people and means.

Example: Incorrect data entered by the user into a database

Threats to Integrity:
• Hackers
• Masqueraders Integrity
• Unauthorized user activity
• Unprotected files downloaded
Availability
Availability
• Unprotected networks
• Unauthorized programs Confidentiality

• Social engineering attacks

• Authorized subjects corrupting data and programs
accidentally or intentionally
Availability

The principle of availability asserts that systems, functions, and data must be available on-demand
according to the agreed-upon parameters based on levels of service.

Example: Network Load Balancing

Threats to Availability:
• Denial of service
• Distributed denial of service attacks Integrity

• Natural disasters like fire, floods, storms, or earthquakes

• Human actions like bombs or strikes
Availability
Availability
Confidentiality
Evaluate and Apply Security Governance Principles
Information Security Management

• Information Security Management describes the controls

that an organization needs to implement to ensure that it
is sensibly protecting the confidentiality, availability, and
integrity of assets from threats and vulnerabilities.
Information
Security • It also includes information risk management which is a
Management process that involves the assessment of the risks an
organization must deal with in order to manage and
protect the assets, as well as the dissemination of other
risks to all appropriate stakeholders.
Information Security Management

Information security management ensures

the implementation of the following:

• Information security policies

• Standards
• Procedures
• Guidelines
• Baselines
• Information classification
• Risk management
• Security organization
• Security education
Information Security Governance

Major Focus of Governance

Risk Resource Performance Strategic Delivery

Management Management Measures Alignment
Information Security Governance

Information Security Governance is intended to guarantee

Risks are reduced

Appropriate information verifying

that security activities are being
performed

Information security
investments are
appropriately directed

The executive management can

determine program effectiveness
Governance, Risk Management, and Compliance (GRC)

GRC stands for Governance, Risk Management,

and Compliance.

The GRC of every organization is different and

varies based on the type of organization.

G R
RISK
C
COMPLIANCE
GOVERNANCE It depends on an organization’s mission (business),
size, industry, culture, and legal regulations.
Introduction to GRC

Ultimate responsibility of GRC program is to

protect their assets and operations, including
their IT infrastructure and information.
Governance, Risk Management, and Compliance (GRC)

Governance

Governance is the responsibility of

the board of directors and senior
management of the organization.
Governance, Risk Management, and Compliance (GRC)

Ascertain whether risk A governance program

is being managed has several goals
appropriately

Verify that the

organization’s resources Ensure that objectives are
are being used responsibly achieved

Provide strategic direction

Governance, Risk Management, and Compliance (GRC)

• Risk Management is the process by which an organization

manages risk to acceptable levels.

Risk Management • It requires the development and implementation of internal

controls to manage and mitigate risk throughout the
organization, including financial and investment risk,
physical risk, and cyber risk.

• Compliance is the act of adhering to, and the ability to

demonstrate adherence to, mandated requirements defined
Compliance by laws and regulations.
• It also includes voluntary requirements resulting from
contractual obligations and internal policies.
Business Scenario

Kevin is studying the importance of Information Security Governance and Management.

• Governance is associated with providing an oversight, enacting policies,

establishing accountability, and planning resources and strategies.
• Management on the other hand involves implementing strategies, enforcing
policies, handling responsibilities, and planning resources and the project.

Doing the right thing is Management; doing things right is Governance.

Question: Is this statement true?

Business Scenario

Kevin is studying the importance of Information Security Governance and Management.

• Governance is associated with providing an oversight, enacting policies,

Doing the right thing is Management; doing things right is Governance.

Question: Is this statement true?

Answer: It is not true. The correct statement would be: Doing the right thing is Governance. Doing
things right is Management.
IT Security and Organizational Goals, Mission, and Objectives

Goal, mission, and objective:

Define what the Help in creating Indicate how it will

organization long term and proceed to achieve
desires to achieve short-term strategies them
Goals, Mission, and Objectives

The definition of goals, mission, and objectives is as follows:

Objectives Mission Goals

The map used to Provides the overall A statement of the

reach the goals of context for what the organization’s purpose
the organization organization wants to and reason for
accomplish existence
Aligning Security with Goals, Mission, and Objectives

Information security can be aligned with organizational goals, mission, and objectives in two ways.

Reducing Risk Senior Management Support

• Protect the organization’s assets and • It aids security professionals to be

processes through appropriate involved in and influence the
activities and controls. organization’s core activities.

• It also helps to identify priority tasks

• Be aware of IT assets and goals,
and divert resources to achieving
mission, and objectives of the
security goals.
organization.
Business Scenario

Kevin has understood the importance of the mission, goals, and objectives of
his organization and the importance of aligning its security to these.
He read the following statement on the company website.

“Nutri Worldwide Inc. will pursue and foster opportunities for growth and
enrichment for its employees and stakeholders with the customer being the
focal point.”

Question: Is this a mission, goal, or objective statement?

Business Scenario

“Nutri Worldwide Inc. will pursue and foster opportunities for growth and
enrichment for its employees and stakeholders with the customer being the
focal point.”

Question: Is this a mission, goal, or objective statement?

Answer: It is a mission statement.
Control Framework

• Control framework is a data structure that

comprises a set of an organization's internal
controls, that is, the practices and strategies built to
enhance business processes and minimize risk.

• It is a set of controls that protects data within the IT

infrastructure of a business or another entity.

• The control framework acts as a comprehensive

security protocol that protects against fraud or theft
from a spectrum of outside parties, including
hackers and other kinds of cyber-criminals.

• Example:
o COBIT (Control Objectives for Information and
Related Technologies)
o ISO 17799/27001
Control Objectives for Information and Related Technologies (COBIT)

• Issued by ISACA® (Information Systems Audit and Control

Association), which is a nonprofit organization for IT governance
COBIT
• Main function of COBIT is to help a company map their IT
process to ISACA® best practices and standards

• Meeting stakeholder needs

• Covering the enterprise end-to-end
COBIT Principles • Applying a single integrated framework
• Enabling a holistic approach
• Separating governance from management
ISO 27001:2013

ISO/IEC 27001 ISO 27001 Domains

• An internationally recognized and • Security policies

structured methodology dedicated to • Organization of information security
information security • Human resources security
• A management process to evaluate, • Asset management
implement, and maintain an information • Access control
security management system (ISMS)
• Cryptography
• A comprehensive set of controls • Physical and environmental security
comprised of the best practices in
• Operations security
information security
• Communications security
• System acquisition, development, and
maintenance
ISO 27001:2013

ISO/IEC 27001 ISO 27001 Domains

• Can be applicable to all industry sectors • Supplier relationships

• Emphasizes prevention • Information security incident

management
• ISO 27001 has 114 controls mapped to
14 security domains • Information security aspects of business
continuity management

• Compliance
Due Care

It’s a legal term. It pertains to the legal duty of the organization. Lack of due care is
considered negligence.

Due care shows that a company has:

Taken responsibility Taken necessary steps Taken reasonable care

for the activities that to protect the company, in protecting the
take place within the its resources, and its organization
corporation employees from
possible threats
Due Care: Examples

Training employees in Mandating statements from the Deploying firewalls in

security awareness employees stating that they have the organization
read and understood appropriate
computer behavior
Due Diligence

Due diligence might not be legally liable. It:

• Is the act of understanding and investigating

the risks the company faces
• Means practicing the activities that maintain
the due care efforts
• Pertains to the best practices that a company
should follow
Due Diligence: Examples

In the case of firewalls, security

Ensuring that the security controls controls should be regularly
are regularly monitored and monitored and rules should be
frequently updated updated depending on the
requirement
Determine Compliance and Other Requirements
Service-Level Agreement

Service-level agreement (SLA) is a formally defined level of service provided by an organization.

Service Requirements
SLAs may be defined for:

• Security incident response

• Security alert delivery
SLA
• Security investigation
• Policy and procedure review

Service Delivery

Client Provider
Managing Third-Party Governance

Outsourcing is the subcontracting of a business process to a third-party company.

• Loss of control of confidential information

• Accountability
Risks Associated • Compliance
with Outsourcing

• On-site assessment
• Document exchange and review
Secure • Policy and process review
Outsourcing
Offshoring: Privacy Requirements and Compliance

• Offshoring is outsourcing to another country.

• Offshoring can increase privacy and regulatory issues.

Example: Data offshored to India by a U.S medical

transcription organization is less secure.

• Health Insurance Portability and Accountability Act

(HIPAA) certification is a major regulation covering
healthcare data in the United States.
• A good contract ensures that regulations and laws
governing privacy are followed both in and beyond a
country’s jurisdiction.

Example: The Indian company to which the U.S. Medical

Transcription organization’s data is offshored can agree
to follow HIPAA rules via a contract.
Understand Legal and Regulatory Issues that Pertain to Information
Security in a Holistic Context
Computer Crimes

Cybercrime: Definition

Cybercrimes are defined as offences that

are committed against individuals or groups
of individuals with a criminal motive to
intentionally harm the reputation of the
victim or cause physical or mental harm to
the victim directly or indirectly, using
modern telecommunication networks, such
as the Internet, through chat rooms, emails,
notice boards, groups, and mobile phones
through SMS or MMS.
Introduction to Computer Crimes

• Any crime that involves a computer and a network.

• Computer-related crimes have increased due to
the:
o Connectivity of the Internet
o Low costs of computational resources
• Examples: Cracking, copyright infringement, child
pornography, and child grooming
Introduction to Intellectual Property (IP) Law

• Intellectual property laws are designed to protect both the tangible and intangible items
and properties.
• The main goal is to protect properties from those who want to copy or use it without due
compensation to the inventor or creator.

IP Law Categories

Industrial Property Copyright

Novels, poems, plays, films,

Inventions or patents,
musical works, drawings,
trademarks, industrial
paintings, photographs,
designs, and geographical
and sculptures and
indications of source
architectural designs
Types of Intellectual Property (IP) Law

Patent Trademark

• A patent grants the owner a legally • Trademark laws protect the goodwill a
enforceable right to exclude others from merchant or vendor invests in the
practicing the invention. products.
• A patent is applicable for 20 years. • A trademark grants exclusive rights to the
• A patent protects new, useful, and owner of the trademark.
nonobvious inventions. • A trademark consists of any word, name,
• After the expiry of a patent, the invention symbol, color, sound, product shape,
is open to the public domain. device, or a combination of these.

• Three requirements that need to be • Trademarks are registered with a

satisfied are: government registrar.

o The invention should be new and an • One trademark must not be similar to
original idea another trademark.
o The invention must be useful • The trademark should not be descriptive
o The invention must not be obvious of the goods or service that you will offer.
Types of Intellectual Property (IP) Law

• A copyright covers the expression of ideas • Trade secret law protects certain types of
• It usually protects artistic properties, such information or resources from
as writing, recordings, databases, and unauthorized use or disclosure.
computer programs. • A trade secret is something that is
• The duration of protection is longer. proprietary to a company and important for
its survival and profitability.
• Works of one or more authors are protected
until 70 years after the death of the last • Examples include the formula used for a
surviving author. soft drink such as Coke or Pepsi, a new form
of mathematics, the source code of a
• Anonymous works are provided protection program, or a method of making the perfect
for 95 years from the first publishing date or jellybean.
120 years from the date of creation,
whichever is shorter. • You can protect a trade secret by having
your own control structures depending on
the type of trade secret and by making your
employees sign an NDA.
Digital Millennium Copyright Act (DMCA)

Digital Millennium DMCA Takedown Notice

• The Digital Millennium Copyright Act (DMCA) • It is a notification given to a company,

is a controversial United States digital rights usually a web host or a search engine,
management (DRM) law. The intent behind that they are either hosting or linking to
DMCA was to create an updated version of copyright-infringing material. It
the copyright laws to deal with the special provides them a notice to remove the
challenges of regulating digital material. copyrighted works.
• Nonprofit organizations are exempted from
this act.
Types of Intellectual Property (IP) Laws

• Software licenses are a contract between the provider of a software and the consumer.
• The four categories of software licensing are:
o Contractual license agreement: It is a written contract between the software vendor
and the customer.
o Shrink-wrap license: A shrink-wrap license is an end-user agreement (EULA) that is
enclosed with a software in a plastic-wrapped packaging. Once the end-user opens
Licenses the packaging, the EULA is in effect.
o Clickwrap license: This type of agreement is often used in connection with software
licenses. Most clickwrap agreements require the end-user to manifest his or her
assent by clicking an OK or agree button on a dialog box or a pop-up window.
o Cloud services license agreement: It is similar to a clickwrap agreement and is
mainly concentrated on the services provided by cloud vendors.
Business Scenario

Kevin Butler was studying about intellectual property laws as a part of his
preparation for the CISSP exam. While studying the topic, he remembered a
recent case in which his organization had successfully won a lawsuit against a
competitor organization.

The case in question was regarding the use of Nutri Worldwide Inc.’s
product name for a similar product by the competitor organization.
The court gave its verdict in favor of Nutri Worldwide Inc., and the opposite
party had to pay a heavy fine.

Question: Under which type of IP law was the lawsuit filed?

Business Scenario

Question: Under which type of IP law was the lawsuit filed?

Answer: The dispute was over the violation of Nutri Worldwide Inc.’s trademark.
Import or Export Controls and Transborder Data Flow

Following are the basic concepts of import or export controls and transborder data flow:

Import or Export Controls Transborder Data Flow

• They ensure that software complies • It involves transfer of data from one
with the local laws. country to another.

• A few software applications are illegal • An information security professional

to import or export, for example an should understand the jurisdiction
encryption software. over the data when it moves from
one country to the other.
• The United Nations Security Council
(UNSC) can impose sanctions on any
country as voted on by member
nations of the council. Due to the
sanctions, the technology transfer to
these countries is strictly prohibited.
OECD Privacy Principles

Personal data should be obtained by

Collection lawful and fair means and, where
limitation appropriate, with the knowledge or
consent of the individual.

Personal data should be relevant,

The Organization for Economic
Data quality necessary, accurate, complete, and up-to-
Cooperation and Development
date.
(OECD) is a group of 34
member countries that discuss
The purpose for which the data is used
and develop economic and Purpose
should, in principle, be specified at the time
social policies. specification
of the collection.

Personal data should in principle not be

Use used for purposes other than those
limitation specified at the time of the collection,
except in certain cases.
OECD Privacy Principles

Security Personal data should be protected by

Safeguards reasonable security safeguards.

Data collection and processing should be

Openness
transparent to the individuals.
The OECD published a set of
revised guidelines governing
the protection of privacy and
Individuals should have the right to access
transborder flows of Individual
Participation personal data and have the data erased,
personal data.
rectified, completed, or amended.

A data controller should be accountable

Accountability for complying with the implemented
measures.
General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (EU GDPR) is a regulation that

requires businesses to protect the personal data and privacy of EU citizens
for transactions that occur within the EU.

Companies that collect data on citizens in the European Union (EU)

countries will need to comply with strict new rules for protecting customer
data from the May 25, 2018.

Noncompliant organizations may face administrative fines up to €20 million

or up to 4% of the entity’s global turnover of the preceding financial year,
whichever is higher.
General Data Protection Regulation (GDPR)

Organizations must report data breaches within 72 hours.

Companies must also allow users to export their data and delete it.

Under the existing right to be forgotten provisions, people who don’t want
certain data about them online can request companies to remove it.
GDPR: Roles and Responsibilities

• A data subject is an identifiable natural person who can be

identified, directly or indirectly, in particular by reference to an
identifier such as a name, an identification number, location data,
an online identifier, or to one or more factors specific to the
physical, physiological, genetic, mental, economic, cultural, or
social identity of that natural person.
• A data controller is the legal entity who either alone or jointly
determines the purpose for and manner in which personal data is,
or will be, processed.
• A data processor processes data on behalf of the data controller
but does not control the data and cannot change the purpose or
use of the particular set of data.
• A supervisory authority (SA), established in each EU member
state, has been tasked to enforce the GDPR and monitor the
application of GDPR rules to protect individual rights with respect
to the processing and transfer of personal data within the EU.
Data Protection Principles

The EU General Data Protection Regulation (EU GDPR) outlines six data protection principles that
organizations need to follow for collecting, processing, and storing individuals’ personal data.

1. Lawfulness, fairness, 2. Purpose limitation 3. Data minimization

and transparency

6. Integrity and
4. Accuracy 5. Storage limitations
confidentiality

The data controller is responsible for complying with the principles and must be able
to demonstrate the organization’s compliance practices.
Data Protection Principles

Lawfulness, fairness,
Purpose limitation Data minimization
and transparency

Personal data shall be processed Personal data shall be collected for Personal data shall be adequate,
lawfully, fairly, and in a specified, explicit, and legitimate relevant, and limited to what is
transparent manner in relation to purposes and not further processed necessary in relation to the
the data subject. in a manner that is incompatible purposes for which they are
with those purposes. processed.
Data Protection Principles

Integrity and
Accuracy Storage limitations
confidentiality

Personal data shall be accurate Personal data shall be kept in a Personal data shall be processed
and, where necessary, kept up to form which permits identification of in a manner that ensures
date; every reasonable step must data subjects for no longer than is appropriate security of the
be taken to ensure that personal necessary for the purposes for personal data, including
data that are inaccurate, having which the personal data are protection against unauthorized
regard to the purposes for which processed. or unlawful processing and
they are processed, are erased or against accidental loss,
rectified without delay. destruction or damage, using
appropriate technical or
organizational measures.
Business Scenario

A regulatory authority is required by an enactment to carry out certain functions,

including the handling of complaints from members of the public who have
environmental concerns.

Given the large number of complaints it receives, a regulatory authority

provider decides to outsource its complaints handling department to a much
larger regulatory authority provider with a better logistical capacity and most
of its staff will second the larger authority.
The two authorities put an agreement in place stating that all data protection
compliance responsibilities have been passed over to the larger authority.

Question: Is the larger authority provider a data controller or a data processor?

Business Scenario

A regulatory authority is required by an enactment to carry out certain functions,

including the handling of complaints from members of the public who have
environmental concerns.

Given the large number of complaints it receives, a regulatory authority

Question: Is the larger authority provider a data controller or a data processor?

Answer: The larger authority provider is a data processor acting on the instruction of the regulatory
authority.
Understand Requirements for Investigation Types
Investigation

“An investigation is a fact-finding process of logically, methodically, and lawfully gathering and
documenting information for the specific purpose of objectively developing a reasonable conclusion
based on the facts learned through the process.”

~ ANSI/ASIS INV.1-2015 Investigation Standards

The purpose of an investigation is to:

Identify and collect evidence Determine what happened

Determine who is responsible

Investigation Types: Criminal Investigation

Criminal Punishment usually

Criminal cases
investigations involve It is usually involves jail time,
involve an action
determining whether conducted by law monetary fines, or
that is harmful to
a criminal law has enforcement sometimes capital
society.
been violated. organizations. punishment.
Investigation Types: Civil Investigation

Civil investigation
deals with offense Punishment usually
committed against involves recovering
individuals or money to compensate
companies that result the victim for
in damages or loss. damages.
Investigation Types: Administrative Investigation

Administrative investigation is explained as:

These are conducted by Administrative

local management in investigation may be
response to complaints or initiated in response to
concerns that generally complaints, mishaps,
are personnel related and misconduct, or violation
non-criminal in nature. of organization’s policy.

If evidence reveal any malicious or

criminal activities, it could trigger
criminal or civil investigations.
Investigation Types: Regulatory Investigation

Initial inquiries range

from an informal
Regulatory
phone call seeking
investigations
Regulation is a law limited information
involve determining
established by the to a full-blown
whether a
government body. regulatory
regulatory law has
investigation with
been violated.
subpoenas seeking
answers.
Investigation Types: Industry Standards

Penalties may lead to

fines or other sanctions.

Investigations into violations of

industry standards (such as PCI Investigations may be
DSS) are based on contractual performed by independent
obligations between participating third party.
organizations.
Business Scenario

Kevin Butler was studying the major legal systems, which are followed throughout
the world. He then thought of going through the archives of legal cases involving
Nutri Worldwide Inc.

He came across a recent case where Nutri Worldwide Inc. lost a legal battle
against one of its partner organizations. The dispute was regarding breach of
some clause of the partner agreement. The partner filed a lawsuit against
Nutri Worldwide Inc. for violation of its rights and claimed a compensation of
$2 million.

Question: Under which type of law had the partner filed the lawsuit?
Business Scenario

Kevin Butler was studying the major legal systems, which are followed throughout
the world. He then thought of going through the archives of legal cases involving
Nutri Worldwide Inc.

Question: Under which type of law had the partner filed the lawsuit?
Answer: The partner had filed the lawsuit under the Civil Law.
Develop, Document, and Implement Security Policy, Standards,
Procedures, and Guidelines
Security Policies

Security policy is a broad statement produced by the senior management that dictates the role of
security within the organization.

The characteristics of security policies are:

It must be generic, non-technical, and It must integrate security into all

easily understood. business processes and functions.

It must be reviewed and modified

It must support the vision and mission
periodically or as the company
of the organization.
environment changes.
Types of Security Policies

There are mainly three types of security policies:

Organizational It focuses on issues relevant to every aspect of

security policy the organization.

Issue-specific It focuses on a specific service, department, or

policy function that is distinct from the organization.

System-specific It focuses on individual systems.

policy
Security Policy Implementation

Policy documents often come with the endorsement or signature of the executive
powers within an organization.

Standard policy Purpose statement, policy objectives, resources provision, staff

components allocation, and guidelines and standards

Policy elements Purpose, scope, responsibilities, and compliance

Assigning a principal function to be responsible for control, compliance

Policy creation
with policy as a condition of employment, and avoiding exceeding two
guidelines
pages and use generic terms
Security Policy Implementation

Policy documents often come with the endorsement or signature of the executive
powers within an organization.

Management Protecting resource assets within the company’s control, implementing

responsibilities security in accordance with the company policy, and initiating corrective
for policy actions for security violations

Policy Avoiding errors that can lead to legal challenges and ensuring compliance
enforcement with policy
Policy Chart

A strategic goal can be viewed as the ultimate endpoint, while tactical goals are the steps
necessary to achieve it.

Laws, regulations, and requirements

General organizational policy

Functional implementation policies

Standards Guidelines Procedures Baselines

Standards, Guidelines, Procedures, and Baselines

Standards Guidelines

• Refers to the mandatory activities, • Refers to the recommended

rules, actions, or regulations operational guides or actions
provided to the users, operations
• Defines compulsory requirements staff, IT staff, and others

• Provides a course of action for • Are flexible and can be customized

uniform deployment of technology for each unique system

• Are tactical documents • Serves as operating guides

• Example: ISO 27001 • Are not mandatory statements

• Example: Security password

guideline
Standards, Guidelines, Procedures, and Baselines

Procedures Baseline

• Refers to the step-by-step tasks to be • Defines minimum level of security

performed to achieve a certain that every system must meet
objective
• Are system-specific
• Forms the final elements of the
formalized security policy structure • Establishes common secure states

• Are system and software specific • Refers to a stage or state that is

used as a comparison for future
• Example: Incident response procedure changes (reference point)

• Example: All Windows 7 systems

must have SP1 installed
Identify, Analyze, and Prioritize Business Continuity (BC) Requirements
Need for Business Continuity Planning

Business operations are interrupted by unexpected events. Companies must develop Business
Continuity and disaster recovery plans to face these issues.

The focus areas of business continuity planning are:

Protect lives of Minimize the Restore normal Prevent financial

employees disruptions business losses
Basic Concepts: Disruptive Events

Any incident, act, or occurrence that suspends normal operations can be termed as a disruptive
event or disaster.
• Disruptive events can be intentional or unintentional.
• BCP aims at minimizing the effects of a disruptive event on a company.

Few types of
disruptive
events are: Human
Natural

Environmental
Basic Concepts: Business Continuity Planning

The goal of a BCP is to ensure business continuity before, during, and after a disaster strikes.
Importance of Business Continuity Planning

The organization’s ability to respond to any

disaster and recover from disruptions depends on
Business Continuity Planning (BCP) or Disaster
Recovery Planning (DRP) as it:

• Is the last line of defense for any organization

against any threat

• Ensures all planning has been considered

• Helps reduce the risks faced by the

organization

Example: Usage of cloud computing resources to

safeguard data
Business Continuity Planning Phases

The high-level phases as per NIST 800-34 for achieving comprehensive BCP or DRP are:

Project initiation Preventive controls Planning design BCP or DRP

and scoping identification and development maintenance

Business impact Recovery Implementation,

analysis strategy testing, and training
BCP or DRP Phase 1: Project Initiation and Scoping

According to NIST 800-34, project initiation and scoping is the first step to achieve a
comprehensive BCP or DRP.

Recent trends which make Cybersecurity more important:

• Creating project scope and defining parameters

• Obtaining management’s support
• Identifying potential outages to critical systems for risk analysis to be
performed
• Appointing project planner and selecting staff for plan development and
execution
• Assigning the BCP or DRP project manager or coordinator as the key point of
contact (POC)
• Ensuring the completions of BCP or DRP by Project Manager and testing it
routinely
• Identifying the representatives of BCP committee from senior management,
legal, CFO, systems and applications, business units, systems support,
communications, data center, communications, and information security
BCP or DRP Phase 2: Business Impact Analysis (BIA)

According to NIST 800-34, business impact analysis is the second phase to achieve a
comprehensive BCP or DRP.

The Business Impact Analysis (BIA):

• Is the formal method of determining the impact of disruption to the

organization’s IT systems on the business and organization’s processes
and functions
• Enables the BCP or DR project manager to plan the requirements and
priorities for IT contingencies by identifying and prioritizing critical IT
systems and components
BIA: Goals

The three major goals of BIA are:

• Identification and prioritization of every critical business unit process

Criticality • Evaluation of the impact of a disruptive event
Prioritization • Time-critical business processes require higher priority rating for
recovery than non–critical business processes

• Estimating Maximum Tolerable Downtime (MTD) using the BIA

Downtime • The downtime required for the business to remain viable
Estimation • Non-recovery, if the interruption of critical process extends the maximum
tolerable downtime

• Estimating resource requirements

Resource
• Most resources allocated to time sensitive processes as compared to less
Requirements
critical processes
BIA: Steps

The steps of a BIA are outlined here:

Identify the
Select individuals to Calculate risk for
resources on which
interview for data each business
the critical business
gathering function
functions depend

Gather, analyze, and

Calculate the
Create and use data interpret the
longevity of these
gathering qualitative and
functions without
techniques quantitative impact
the resources
information

Identify the Identify

Document and
company’s critical vulnerabilities and
report to the
business functions threats to these
management
functions
BIA Steps: Business Unit Level

For each major business unit within the organization, the following steps will be performed:

Identify business components

or activities that, if disrupted Determine required
or unavailable, could Maximum Tolerable
jeopardize the company’s Downtime (MTD)
operations
Maximum Tolerable Downtime (MTD)

Maximum Tolerable Downtime (MTD) is:

The maximum period for which the organization’s key

processes and functions are unavailable, after which the
organization would suffer significant losses

Measured in minutes, hours,

Revised several times during
days, or longer, depending on
the course of a project
the nature of the business
Maximum Tolerable Downtime (MTD)

The alternate terms for MTD include Maximum Allowable Downtime (MAD), Maximum Acceptable
Outage (MAO), and Maximum Tolerable Outage (MTO).

Business Continuity and Disaster Recovery Timeline

RPO, RTO and MTD

Recovery Point Objective Recovery Time Objective

(RPO) (RTO)

App and Normal

Disaster Infrastructure Test Critical Business is
Data Backup Data Loss Data Business
Strikes Recovery Apps Hurt
Recovery Resumes

Maximum Tolerable Downtime (MTD)

Failure and Recovery Metrics

A number of metrics are used to quantify the frequency of system failures.

Recovery Point Objective

• Level of data, work loss, or system inaccessibility resulting from a disruptive event
• Usually expressed in units of time

Recovery Time Objective

• The maximum time allowed to recover business or IT systems

• Expressed in units of time such as minutes, hours, or days

Work Recovery Time

• The time required to configure a recovered system

• Consists of the system’s recovery time and the work recovery time
Failure and Recovery Metrics

A number of metrics are used to quantify the frequency of system failures.

Mean Time between Failures

• The predicted elapsed time between inherent failures of a system during operation
• Calculated as the arithmetic mean time between failures of a system

Mean Time to Repair

• The duration to recover a specific failed system
• The total corrective maintenance time divided by the total number of corrective
maintenance actions during a given period

Minimum Operating Requirements

• The minimum environmental and connectivity requirements for a computer equipment
to operate
• Documentation is important for each IT critical asset
Stages of Failure and Recovery

The various stages of failure and recovery are shown in the figure.

Normal Normal
Operations Disruptive Recovery Time Frame Operations
Event

RPO RTO WRT

MTD

1 2 3 4
BCP or DRP Phase 3: Identify Preventive Controls

According to NIST 800-34, Identify Preventive Controls is the third phase to achieve a comprehensive
BCP or DRP. Preventive controls avert the potential impact of disruptive events.
The types of preventive controls include:

Process or device that mitigates effect of a threat but cannot

Existing controls
prevent occurrence

Fire suppression or sprinkler systems, access control systems,

Physical controls
security guards

Procedural controls Hiring and termination policies and clean desk policy

Data storage protection and protection given to assets based

Logical controls
on their location
Contribute to and Enforce Personnel Security Policies and Procedures
Best Work Practices

Following are the best practices:

Separation of duties

Job rotation

Mandatory vacations

Split knowledge

Dual control
Importance of Managing Personnel Security

The people inside the organization need access to data and resources to complete their assigned
work and, therefore, have the potential to abuse these access privileges. It is important to:

• Protect sensitive information by securely managing

the lifecycle of employment

• Hire qualified and trustworthy individuals to reduce

the risk to information assets

• Screen out individuals whose past actions indicate

undesirable behavior to avoid potential risks to the
organization
Managing Personnel Security: Hiring Practices

Following are the hiring practices:

• Perform background checks: Education, prior

employment, financial history, and criminal history
• Get the confidentiality agreements signed:
Non-Disclosure Agreement and Intellectual Property
Agreement
• Get Conflict of Interest Agreements for the positions
handling competitive information
• Get the Non-Compete Agreements for the positions
in charge of unique corporate processes
Managing Personnel Security: Employee Termination

Following are the employee termination policies:

• Voluntary: Return of all access keys and badges, exit

interview, removal of system access
• Involuntary: Escort from premises, restriction of
access immediately upon notification, change of
system passwords in user’s area
Vendor, Contractors, and Consultant Controls

Controls for vendors, contractors, and consultants mostly act as preventive controls.

• Vendors and temporary employees should be

given limited access to the information.
• Contractors should always be escorted within the
organization.
• Consultants must be escorted whenever they visit
your facility.
Compliance: Need for Compliance

Compliance means conforming to a rule, such as a specification, policy, standard, or law.

Need for Compliance

• Protect critical information

• Enforce controls through formal written policy
• Understand the requirements for protecting organizational information
• Identify requirements for protecting organizational information
• Avoid inadequate implementation and enforcement; this can lead to fines, penalties, and
imprisonment
• Avoid failures that lead to loss of customer confidence, competitive advantage, contracts, and jobs
• Protect shareholder interests
• Use good controls that make good business sense
Compliance Policy Requirements

Compliance policy facilitates compliance with

applicable laws, regulations, policies, and standards.

Compliance training must be provided to all employees to

ensure they are aware of their compliance responsibilities.
Then training should be tailored to specific employees in
high-risk areas.

Audits are performed to ensure compliance to contracts,

regulations, and laws and assist in detecting abnormal
activities.
Acceptable Usage Policy

• Outlines which activities are acceptable and

unacceptable in the workplace and establishes What should an Acceptable Use Policy
employee expectations on how to use the contain?
company resources.
• Introducing malicious programs
• Inappropriate use exposes the organization to • Disclosing confidential information
risks including virus attacks, compromise of
network systems and services, and legal issues. • Sharing passwords
• Unauthorized security scanning
• Employees should be aware of the consequence of • Sending unsolicited email
non-compliance with their company's AUP.
• Circumventing security
• Employees should know that violation of this policy • Making unauthorized representations
may be subject to disciplinary action, up to and
including termination of employment.
Privacy Policy Requirements

A privacy policy is a statement that discloses how a particular organization collects,

stores, and utilizes the personal information provided by its users.

Any organization collecting any personal information from their customers, clients,
or end users, are legally required to publish a privacy policy on their site.

The exact content of a privacy policy will depend on the nature of the business,
location of the business, location of the users, and the applicable laws.

At minimum, an organization’s privacy policy should disclose what personal or sensitive

information they collect, how they collected it, how they intend to use that information,
and whether they will disclose some or all the information to any third parties.
Understand and Apply Risk Management Concepts
Security Definitions

A few security terms that a CISSP candidate must know:

Asset: An asset is any information, software, 1
hardware, or equipment that is utilized for,
and critical to, business objective, service
delivery, and financial success. 2 Vulnerability: Vulnerability is any hardware,
software, or procedural weakness that may
give an attacker the open door for
Threat: Threat is any potential danger to 3 unauthorized access to resources.
systems or information.

4 Threat Agent: Threat agent is any entity that

takes advantage of a vulnerability.

Risk: Risk is the likelihood of a threat agent 5

taking advantage of a weakness or
vulnerability and the resulting business
impact. 6 Exposure: Exposure is an instance of being
exposed to losses from a threat agent.

Countermeasure or Safeguard: 7
Countermeasure or safeguard is put into
place to mitigate the potential risk.
Information Risk Management

Information Risk Management is the process of identifying and assessing risk, reducing it to an
acceptable level, and implementing the right mechanisms to maintain it at that level.

Recognition
Threat of the Annualized
Impact Uncertainty Cost

Threat Threat Risk Cost or

Event Frequency Mitigation Benefit
Analysis
Risk Management: Steps

There are four steps in the risk management life cycle:

Risk Response Risk and Control Monitoring

and Mitigation and Reporting

Risk
Management
Life Cycle
IT Risk IT Risk Identification
Assessment
Business Scenario

While studying the Information Risk Management process, Kevin made notes
on the security definitions based on examples from his day-to-day work:

• Asset: Servers and systems of the company

• Vulnerability: Weak rule in firewall
• Threat: Hacking network or servers
• Threat Agent: Hacker
• Risk: Loss of critical organization data
• Exposure: 25% loss of data (which is unencrypted)

Question: What will the risk management process achieve?

Business Scenario

While studying the Information Risk Management process, Kevin made notes
on the security definitions based on examples from his day-to-day work:

• Asset: Servers and systems of the company

Question: What will the risk management process achieve?

Answer: It helps to maintain the identified risks at an acceptable level.
Introduction to Risk Analysis

Risk analysis is the analysis of the probability and consequences of each known risk.

• Risk analysis prioritizes risks and calculates the

cost of safeguards.

• It provides a cost/benefit comparison between

cost of safeguards and cost of loss.

• It identifies and prioritizes the risk factors with

great impact.

• It also integrates the security program objectives

with the organization’s business objectives and
requirements.
Goals of Risk Analysis

To identify organizational
assets and their value

To balance the cost of

To identify vulnerabilities
countermeasure and the
and threats
impact of threats

Goals of Risk Analysis

To measure probability and

the impact of latent threats
Risk Analysis Team

An organization needs to form a risk analysis team to analyze risks effectively. These are the stakeholders
in a risk analysis team:

Information Risk
Security Manager
Officer

Executive System or
Sponsor Network
Risk Analysis Administrator
Team

System System
Technical Business
Owner Owner
Risk Analysis Team

The steps to perform risk analysis:

Risk analysis and assessment

Countermeasure
Asset and information value
selection and
assignment
implementation
Information and Asset Valuation

The following issues should be considered when assigning values to an asset:

• Cost to acquire or develop the asset

• Cost to maintain and protect the asset
• Value of the asset to owners and users
• Value of the asset to adversaries
• Value of intellectual property that went into developing the
information
• Price others are willing to pay for the asset
• Cost to replace the asset if lost or damaged
Information and Asset Valuation

The following issues should be considered when assigning values to an asset:

• Operational and production activities that are affected if the

asset is unavailable
• Liability issues if the asset is compromised
• Usefulness and role of the asset in the organization
Types of Risk Analysis

There are two major types of approaches to risk analysis and their features are as follows:

• Uses risk calculations that attempt to predict the level of

monetary losses and the percentage of chance for each
Quantitative type of threat
Analysis
• Objective in nature

• Situation and scenario based

Qualitative • Subjective in nature

Analysis
• Does not assign numbers and monetary values to
components and losses
Key Terms in Quantitative Risk Analysis

Asset • Total value of assets

• Percentage of loss the organization

Exposure would suffer if a risk materializes
Factor
• Also referred to as the loss potential

• Cost associated with a single-realized risk

Single Loss against a specific asset
Expectancy
• SLE = AV * EF
(SLE)
• It is calculated in dollars
Key Terms in Quantitative Risk Analysis

• Frequency with which a specific threat will occur within

Annualized a single year
Rate of
Occurrence • Ranges from 0 (threat will not occur) to large numbers
(ARO)
• Also known as probability determination

Annualized • Possible yearly cost of all instances of a specific threat

Loss realized against a specific asset
Expectancy
(ALE) • ALE = SLE * ARO

Annual Cost • The cost associated in procuring, developing, and

of Safeguard maintaining control against a potential threat
(ACS) • The ACS should not exceed the ALE
Quantitative Risk Analysis Steps

Step 1: Assign asset

value

Step 6: Perform
Step 2: Calculate
cost or benefit
exposure factor
analysis of
countermeasure

Steps in
Quantitative
Risk Analysis

Step 5: Derive Step 3: Calculate single

annualized loss loss expectancy
expectancy

Step 4: Assess
annualized rate of
occurrence
Quantitative Risk Analysis: Problem

Problem: Fire destroys a server with encrypted data.

Consider the following conditions:
• Asset value = $6,000
• EF = 50%
• ARO = 10% chances of fire in one year
?
Solution:
• Single Loss Expectancy (SLE) = $6,000 x 50% = $3,000
• Annual Loss Expectancy (ALE) = 10% x $3,000 = $300
Qualitative Risk Analysis

Qualitative analysis techniques include judgment, best practices, intuition, and experience. Examples of
qualitative techniques to gather data are:

Delphi Brainstorming Storyboarding

Focus Groups Surveys Questionnaires

Checklists One-on-one meetings Interviews

Qualitative Risk Analysis

The following table deals with some of the threats, the level of threat, and countermeasures:

Threat
Threat Impact Countermeasure
Probability

Fire Low High Fire Extinguishers

Theft Medium High Key cards, guards

Logical Intrusion prevention

Medium High
Intrusion system
Qualitative Risk Analysis

• The type of approach to risk analysis will be decided based on the risk analysis team,
management, risk analysis tools, and culture of the company.
• The chart below sorts different attributes into qualitative and quantitative risk analysis.

Attributes Quantitative Qualitative

Requires complex calculations √ X

Requires high degree of guess work X √

Provides credible cost/benefit analysis √ X

Provides opinions of the individuals who know the process well X √

Shows clear-cut losses that can be accrued within one year √ X

Hybrid Analysis

Hybrid analysis uses both quantitative and qualitative analysis.

The following are some points about why hybrid analysis is required:

• It is almost impossible to carry out only

quantitative assessment.

• Qualitative analysis does not provide

sufficient data to make financial decisions.

• Quantitative evaluation is used for

financial values of tangible assets.

• Qualitative assessment can be used for

priority values of intangible assets.
Countermeasure Selection: Problem

A commonly used cost/benefit calculation for a given safeguard:

Value of the safeguard to the company = (ALE before implementing safeguard) – (ALE after
implementing safeguard) – (Annual cost of safeguard)

Problem:
• ALE of the threat of a fire bringing down a web server prior to implementing the suggested
safeguard = $10,000
• ALE after implementing the safeguard= $2,000
• Annual cost of maintenance and operation of the safeguard = $500

Solution:
• Value of the safeguard to the company = $10,000 -$2,000 -$500
= $7,500
Countermeasure Selection: Other Factors

Other factors that influence the selection of countermeasure or safeguard:

Total Cost of
TCO is the total cost of a mitigating safeguard
Ownership (TCO)

Return on
Investment (ROI) ROI is the amount of money saved by implementing a safeguard

Uncertainty refers to the degree to which you lack confidence in an estimate.

Uncertainty This is expressed as a percentage, from 0 to 100 percent. If you have a 25
percent confidence level in something, then it could be said that you have a
75 percent uncertainty level.
Handling Risk

Risk treatment can be done in the following four ways:

Transfer the risk

Accept the loss 4 2 Terminate the risk activity

3
Take measures
Handling Risk

Conceptual formulas to calculate total risk and residual risk:

Visitor’s Perspective Online Strategy

Total Risk Total Risk = Threats x Vulnerabilities x Asset Value

Residual Risk Residual Risk = Total Risk x Control Gap

Residual Risk = Total Risk – Countermeasures
Residual Risk Mitigation

Here is a flowchart that explains the steps in the risk mitigation process:

Risk < Acceptable level ? Yes

Mitigate Risk No Mitigation Cost > Asset Yes Accept Risk

Value
Controls or Countermeasures

Physical control

Controls based on Technical control

• Security controls are the measures taken to implementation
safeguard an information system from attacks
Administrative control
against the confidentiality, integrity, and
availability of the information system. Deterrent control
Categories of
• Security controls are selected and applied based Controls
Preventive control
on a risk assessment of the information system.
Detective control
• The risk assessment process identifies system Controls based on
threats and vulnerabilities, and then security functionality
Corrective control
controls are selected to reduce or mitigate
the risk. Recovery control

Compensating control
Controls Based on Implementation

There are three types of controls based on implementation:

Administrative controls Technical controls Physical controls

Physical controls
• They are commonly • Technical controls, also • They are items put into
referred to as soft called logical controls, place to protect facility,
controls because they are software or personnel, and
are more management hardware components. resources.
oriented.
• Examples: Firewalls, • Examples of physical
• Examples of IDS, encryption, controls are security
administrative controls identification, and guards, locks, and
are security authentication fencing
documentation, risk mechanisms
management, personnel
security, and training
Controls Based on Functionality

The six controls based on functionality are:

Deterrent Intends
• Usesto discourage
risk a potential
calculations attacker
that attempt to predict the level of

Preventive Intends to avoid an incident from occurring

• Uses risk calculations that attempt to predict the level of

Corrective
Corrective Fixes components or systems after an incident has occurred

Recovery Intends to bring the environment back to regular operations

Recovery • Uses risk calculations that attempt to predict the level of

Detective Helps identify an incident’s activities and potentially an intruder

Detective
• Uses risk calculations that attempt to predict the level of

Compensating
Compensating
•Provides an calculations
Uses risk alternative measure of control
that attempt to predict the level of
Security Control Assessment (SCA)

Security control assessment (SCA) is a

comprehensive evaluation or Its goal is to determine the extent to
assessment of the management, which the controls are meeting the
operational, and technical security security requirements of the system.
controls of an information system.
Security Control Assessment (SCA)

• Evidence of the effectiveness of implemented controls

SCA results • An indication of the quality of the risk management processes employed
provide: within the organization
• Information about the strengths and weaknesses of information systems
that are supporting organizational missions and business functions
Assurance for Security Control Effectiveness

To ensure security control effectiveness, one should compile evidence that the controls are:

Implemented correctly

Operating as intended

Meeting the security

requirements of the information
system
Security Control Assessment (SCA)

The types of system tests conducted Security control assessments are

include audits, security reviews, conducted before the system is put
vulnerability scanning, and into production and annually
penetration testing. thereafter.
Security Control Assessment Team

• The SCA team is an individual, group, or organization

responsible for conducting a comprehensive security
control assessment of an information system.

• They may also provide a risk assessment of the severity

of weaknesses or deficiencies discovered in the
information system and recommend corrective actions
to address the identified vulnerabilities in the system.

• Common controls utilized for high and moderate impact

systems must be performed by an independent
assessment team.

• They prepare the final security assessment report

containing the results and findings of the assessment.
Risk Monitoring and Measurement

The risk environment is dynamic because the organization’s internal and

external environments are constantly changing.

Organizations should continuously monitor the IT risks and controls to relevant

stakeholders in order to ensure the continued efficiency and effectiveness of the
IT risk management strategy and its alignment to business objectives.
Risk Measurement

KRIs and KPIs can be used to measure, monitor, and report risk. The two are
explained below in detail.

• A key risk indicator (KRI) is a measure used in risk management to

indicate how risky an activity is.
Key risk indicator
• By comparing an appropriate set of key risk indicators with defined
(KRI)
thresholds, organizations receive an early warning when a risk
approaches an unacceptable level.

• A key performance indicator (KPI) is used to measure how well a

Key
process is performing in terms of its stated goal.
performance
indicators (KPIs) • KPIs are used to set benchmarks for risk management goals and
to monitor whether those goals are being met.
Risk Reporting

A risk report includes information on current risk

management capabilities and actual status and trends
about risk.

Results of the risk monitoring process need to be

documented and reported to the senior management
on a regular basis.

A significant security incident or significant changes in

risk should trigger a report to the senior management
and a reassessment of the risk controls.
Continuous Improvement

Organizations can use a risk

A mature risk management
maturity model to improve their
program is better at preventing,
risk management processes by
detecting, and responding to
identifying their current and
security incidents.
desired capabilities.

Maturity and growth comes

from practice and learning from
past experiences.
Continuous Improvement

Risk Management Impact on Optimizing

Business Value
Quantitatively
Managed

Defined
Initial Managed

Stages of Risk Management Maturity

Continuous Risk
Focus Risk Management is Basic Risk Management
Standardized Risk Quantitative Risk
Management Process
informal and Adhoc Management Process Management Process

Medium Quality/
Result Lowest Quality / Highest
Low Quality/ High Risk Medium Risk High Quality / Low Risk Highest Quality / Lowest Risk
Risk
Risk Frameworks

Risk management framework is used to identify, measure, manage, monitor, and

report the significant risks to the achievement of business objectives.

There are three risk frameworks, namely:

ENISA Risk
NIST Risk Management Management/
ISO 31000
Framework Risk Assessment
(RM/RA) Framework
Understand and Apply Threat Modeling Concepts
and Methodologies
Threat Modeling

Threat Modeling

• It is a security process where potential

threats in a system are identified,
quantified, and addressed.

• It can be performed as a proactive measure

during the planning and design phase of the
SDLC and is continued throughout the
lifecycle

• A reactive approach to threat modeling

takes place after a product has been
created and deployed.
Threat Modeling

Goals of threat modeling

Reducing the number

of security-related Reducing the severity
coding and design of remaining defects
defects
Threat Modeling

Approaches to threat modeling:

Proactive Approach Reactive Approach

• Also known as the defensive approach • Also known as the adversarial approach

• Takes place during early stages of • Takes place after a product has been
systems development created and deployed

• Based on predicting threats and • This is the core concept behind ethical
design-specific countermeasures hacking, PT, source code review, and fuzz
during the coding and crafting process testing
Threat Modeling Steps

• Focused on assets
Identifying threats • Focused on attackers
• Focused on software

Categorization of
• STRIDE model
threats

Determining and • Data flow diagrams

diagramming • Privilege boundaries
potential attacks • Elements

• Trust boundaries
• Data flow path
Performing reduction
• Input points
analysis
• Privilege operation
• Security stance and approach

Prioritization and • DREAD model

response
Step 1: Identification of Threats

• Frames the threats based on the mindset of the perceived attacker

Focused on
attackers • Determines and addresses the attacker’s characteristics, skill sets,
motivations, and intentions

• Identifies the elements of the system that have risk associated

with them
Focused on
assets • Classifies assets according to their intrinsic value to a potential
attacker

Focused on • Establishes a system structure first and then identifies relevant

system or attack vectors on the macro- and micro-levels of interaction
software between subsystems
Step 2: Categorization of Threats (STRIDE Approach)

Spoofing An attack with the goal of gaining access to a target system through the
use of a falsified identity

Tampering This is used to falsify communications or alter static information

Repudiation The ability of a user or an attacker to deny having performed an action

or activity

Information The revelation or distribution of private, confidential, or controlled

disclosure information to external or unauthorized entities

Denial of service An attack that attempts to prevent an authorized use of a resource

(DoS)

Elevation of An attack where a limited user account is transformed into an account

privilege with greater privileges, powers, and access
Step 3: Determining and Diagramming Potential Attacks

Determining and Diagramming Potential Attacks

• Post identifying threats, the next step is to

determine the potential attack concepts that
could materialize

• Often accomplished by data flow diagrams,

privilege boundaries, and elements involved

• Once a diagram has been crafted, identify all the

technologies involved

• Identify attacks that could be targeted at each

element of the diagram

• Attacks should include all forms: logical,

physical, and social
Step 3: Determining and Diagramming Potential Attacks

User / Web Server

Boundary

Authenticate
Login Request User()

Web Login
Users Servlet Process
Authenticate
User Result

Authenticate Authenticate User

Login Response
User SQL SQL Query
Pages Query Result
Web Server /
Database Boundary
Data
Web College
Pages Database
Library
Files
Database

Data
Step 4: Performing Reduction Analysis

Reduction analysis involves decomposing the application, system, or environment.

Input points
Locations where an
external input is received

Data flow paths Privilege operations

Movement of data Activities that require
between locations greater privileges

Trust boundaries Security stance and approach

Locations where the Declaration of the security
level of trust changes policy, security foundation, and
security assumptions
Step 5: Prioritization and Response

Prioritization and Response

• Rates the threats in order to prioritize and address the most significant threats first

• Risk posed by a particular threat is equal to the probability of the threat occurring
against the potential damage
Risk = Probability * Potential Damage

• If a threat is rated as high, it poses a significant risk and needs to be addressed as

soon as possible

• Medium threats need to be addressed but with less urgency

• Low-level threats can be ignored depending upon the effort and cost required to
address these
Step 5: Prioritization and Response

DREAD rating system:

Damage
How severe is the damage likely to be if the threat is realized?
potential

Reproducibility How complicated is it for attackers to reproduce the exploit?

Exploitability How hard is it to perform the attack?

Affected users How many users are likely to be affected by the attack?

Discoverability How hard is it for an attacker to discover the weakness?

DREAD Rating

Threat description D R E A D Total Rating

Attacker obtains authentication

3 3 2 2 2 12 High
credentials by monitoring the network

Injection of SQL commands 3 3 3 3 2 14 High

Threat Template

Threat description Injection of SQL commands

Threat target Data access component

Risk rating

Attacker appends SQL commands to username, which is used to form SQL

Attack techniques
query

Use a regular expression to validate the username and use a stored procedure
Countermeasures
that uses parameters to access the database
Threat Template

Threat description Attacker obtains authentication credentials by monitoring the network

Threat target User authentication process in a web application

Risk rating High

Attack techniques Attacker uses network monitoring software

Countermeasures Use SSL to provide an encrypted channel

Threat Template

Threat description Injection of SQL commands

Threat target Data access component

Risk rating

Attacker appends SQL commands to user name, which is used to form SQL
Attack techniques
query

Use a regular expression to validate the user name, and use a stored
Countermeasures
procedure that uses parameters to access the database
Threat Modeling Outcomes

Outcome of a threat modeling activity is a threat module document that identifies:

Countermeasures

Assets, actors, and

use cases

Weakness that could

be exploited

Relevant threats
Apply Supply Chain Risk Management (SCRM) Concepts
Supply-Chain Risk Management

Supply chain is the network of all the individuals, organizations, resources, activities, and technology
involved in the creation and sale of a product, from the delivery of source materials from the supplier
to the manufacturer through to its eventual delivery to the end user.

Supply-chain risk management (SCRM) is a process to help identify, monitor, detect, and mitigate
threats to supply chain continuity and profitability.

A supply chain compromise is an occurrence within the supply chain whereby an adversary
jeopardizes the confidentiality, integrity, or availability of a system or the information the system
processes, stores, or transmits.

It can occur anywhere within the system development life cycle of the product or service.
Risks Associated with Hardware, Software, and Services

Here are a few risks associated with hardware, software, and services:

Counterfeit hardware or hardware Poor information security practices

with embedded malware by lower-tier suppliers

Software security vulnerabilities Compromised software or

in supply chain management or hardware purchased from
supplier systems suppliers
Mitigating Risks Associated with Hardware, Software, and Services

These supply-chain risks can be mitigated during acquisition lifecycle by:

Ensure supplier has good security development and

Supplier capability
management practices

Perform an assessment of the risk of the product for critical

Product security
security compromise and mitigation requirements

Control access to the product in transit at each step in the

Product logistics
supply chain

Operational product Implement appropriate configuration and monitoring controls

control during the operational use of the product or service
Third-Party Management

• A third party is a company that is not under direct business control of the organization
that engages it. A third-party relationship is any business arrangement between a
company and another entity, by contract or otherwise.

• Outsourcing is the subcontracting of a business process to a third-party company.

• Organizations are increasingly outsourcing systems, business processes, and

data processing to service providers in an effort to focus on core competencies,
reduce costs, and more quickly deploy new application functionality.

• Third-party risk management is a comprehensive plan for identifying and

mitigating potential business uncertainties and legal liabilities regarding the
hiring of third-party services.
Third-Party Risks

Information Security or Data

Business Continuity
Privacy

Third party has insufficient experience and

Third party cannot continuously maintain
controls to protect the company's and
its services due to business disruption
customer's information from unauthorized
(e.g., ineffective redundancy procedures).
access, disclosure, modification, or
destruction.

Financial Viability

Third party is not financially secure to

continue to provide you services at
acceptable levels.
Third-Party Risks

Contract Compliance Legal or Regulatory

Third party products, services, or Third party does not possess the necessary licenses
systems are not consistent with your to operate. It lacks the expertise to enable the
policies and procedures, applicable company to remain compliant with domestic and
laws, regulations, and ethical standards. international laws and regulations.
Third-Party Risk Management

The diagram given below will help us to understand the third-party risk management.

Planning

Due
Termination
Diligence

Ongoing Contract
Monitoring Negotiation

Oversight and Accountability

Third-Party Risk Management

The plan should oversee the full lifecycle of a third-party relationship including:

• Company's strategy for why it is using the third party and the inherent risks the
relationship presents
• Proper due diligence in selecting the third party
• Written contracts that outline the rights and responsibilities of all parties
• Ongoing monitoring of the third party’s activities and performance
• Contingency plans for terminating the relationship in an effective manner
• Clear roles and responsibilities for overseeing and managing the relationship and
risk management process
• Documentation and reporting that facilitate oversight, accountability, monitoring,
and risk management
• Independent reviews that allow organization's management to determine that
processes align with its strategy and effectively manage risks
Third-Party Risk Management Lifecycle