CRISC
Risk Response and Reporting
The Scope of Enterprise Architecture
o Risk practitioners need to understand
the scope of network and information
architecture
o An enterprise view of the architecture
lets you see the link between IT
and the company’s strategic objectives
o Organizations commonly use EA
frameworks to structure and document
the architecture
The “Four Ares”
o Are we doing the right things?
o Are we doing them the right
way?
o Are we getting them done well?
o Are we seeing expected benefits?
Enterprise Architecture Categories
o Documentation
o Notation
o Process
o Organization
Architecture Frameworks
o TOGAF
o Zachman Framework
o DODAF
o FEAF
o SABSA
Hardware And Software In Operations Management
o Risk practitioners do not need to be
technical experts in the design,
implementation and support of IT
systems and applications
o Practitioners should have a general
understanding of networking,
applications, and IT systems
o There are certain areas that require
more attention than others
Hardware Concerns
o Obsolescence
o Misconfiguration
o Lack of secure configurations
o Physical loss or theft
o Physical access
o Network “sniffing”
o Component or system failure
o Supply chain management
Software Concerns
o Logic flaws or semantic errors
o Lack of patching
o Disclosure of sensitive
information
o Lack of version control
o Unnecessary services and
protocols running
o Lack of security software
updates
Areas Of Software Risk
o Applications
o Databases
o Operating Systems
o Software Utilities
Networking Fundamentals
o The ability of computers to communicate
with one another is fundamental to
Information Systems (IS)
o Most modern networks are digital, which
is more resilient than analog
o Networks are special in the world of IT
risk management
o Because they move data back and
forth, they are prime targets for threat
actors
Protocols and TCP/IP
o Networks use signals to transmit
data in small pieces that are put
back together at the receiving end
o The most important protocol suite to
understand is TCP/IP
o TCP/IP predates the OSI model
o The premise is the same as OSI: data
moves down the layers (each adding its
own header) to transmit and back up the
layers, header by header, as it is
received
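Worked example (added here, not part of the CRISC notes): one Ethernet/IPv4/TCP frame is built by wrapping a payload on the way down the stack, then parsed by stripping one header per layer on the way up, with the IPv4 header checksum verified on the way. The frame, MAC/IP addresses and ports are constructed for the demo; the script is stdlib-only Python and runs offline.

```python
import struct

# Added example (not part of the CRISC notes): one frame "walked back up the
# stack". Every value below is constructed inline so the script runs offline;
# the MAC/IP addresses and ports are made up.

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header (0 means 'valid')."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload: bytes) -> bytes:
    """Transmit side: wrap the payload going *down* the stack, one header per layer."""
    # Layer 4: TCP header, 20 bytes, flags PSH|ACK. TCP checksum left 0 for brevity.
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    # Layer 3: IPv4 header; checksum is computed over the header with the field zeroed.
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([203, 0, 113, 10]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    # Layer 2: Ethernet II header (dst, src, EtherType 0x0800 = IPv4).
    eth = struct.pack("!6s6sH", bytes.fromhex("66778899aabb"),
                      bytes.fromhex("001122334455"), 0x0800)
    return eth + ip + tcp + payload


def decapsulate(frame: bytes) -> dict:
    """Receive side: strip one header per layer going *up* the stack."""
    layers = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["ethernet"] = {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:
        raise ValueError("not IPv4; would hand off to another layer-3 parser")
    packet = frame[14:]
    ver_ihl, _, total_len, _, _, ttl, proto, _, src_ip, dst_ip = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("malformed or corrupted IPv4 header")
    layers["ipv4"] = {"src": ".".join(map(str, src_ip)), "dst": ".".join(map(str, dst_ip)),
                      "ttl": ttl, "protocol": proto}
    if proto != 6:
        raise ValueError("not TCP")
    segment = packet[ihl:total_len]
    sport, dport, seq, ack, offset, flags, window, _, _ = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (offset >> 4) * 4
    layers["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "flags": flags, "window": window}
    # Whatever is left is the application-layer payload. If the application did
    # not encrypt it, anyone who captured this frame reads it as easily as we do.
    layers["payload"] = segment[data_offset:]
    return layers


# Constructed sample: a cleartext HTTP request (port 80, no TLS).
SAMPLE_FRAME = build_frame(b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n")

if __name__ == "__main__":
    for name, fields in decapsulate(SAMPLE_FRAME).items():
        print(f"{name:9s} {fields}")
```

The payload comes out in the clear: that is the "network sniffing" hardware concern from the earlier slide in concrete form, and the reason transport- or application-layer encryption matters for anything that crosses a network segment an attacker can observe.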
Cabling and Infrastructure
o While wireless is hugely popular,
physical cabling is still very
useful
o Devices in the networking
infrastructure:
o Switches
o Wireless Access Point
o Routers
o Firewalls
Software Based Networking
o Domain Name System (DNS)
o Dynamic Host Configuration
Protocol (DHCP)
o Virtual Local Area Networks
(VLANs)
o Quality of Service (QoS)
Other Networking Terms
o Software Defined Networking
(SDN)
o Demilitarized Zones (DMZs)
o Virtual Private Networks (VPNs)
Project Management
o Project management is all about
communication, managing
stakeholders, and risk
o Large amounts of risk are involved in
scheduling, cost and quality
o Many IT projects fail due to unclear or
changing requirements, or problems with
technology
Risk Responses For Project Management
o Project management
methodologies from waterfall to
Agile are well established
o Common risk responses:
o Change control boards
o Project task prioritization
o Risk management process
o Large projects can be aggregated
into Programs to help with
resource management
Disaster Recovery And Business Continuity
o Risk management considers the full
spectrum of risk from minor to
catastrophic impacts
o The business continuity process creates
a Business Continuity Plan (BCP) to
help with mitigating the risk
o BCPs aim to keep operations at a
sufficient level of functionality when
disaster strikes
Business Continuity Plans
o BCPs come out of the Business
Impact Analysis
o The BIA establishes the recovery
point objectives (RPOs) and
recovery time objectives (RTOs)
o Environments with low RTOs require
highly available systems
o Environments with low RPOs require
data architectures with frequent
replication or backups
Disaster Recovery
o Disaster recovery refers to the
recovery of business and IT
services following a disaster
o Should be completed within a defined
schedule and budget
o Flows from the RTOs established by the
BIA and built into the BCP
o There should be a primary and an
alternate (person, site or process) for
every activity
Risk In The Data Life Cycle
o Data typically follows a six-phase
lifecycle
o There are many caveats to the lifecycle
o For example, creation can be original
collection or synthesis from other data
Data Management Lifecycle (cyclical)
o Creation
o Storage
o Use
o Sharing
o Archiving
o Destruction
Data Management
o Data is one of a business’s most
valuable assets
o To protect data you must first
identify it in terms of use and then
classify it in terms of value
o Data validation can be done with an
allowlist (whitelist) or a denylist
(blacklist); an allowlist is the stronger
control because it accepts only known-good
input
o Most important is control over the
permissions and authorization
levels
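Worked example (added here, not part of the CRISC notes): the same username field validated with a denylist and with an allowlist, run over a set of constructed probe inputs. The patterns, the username format and the probes are assumptions for the demo; stdlib-only Python.

```python
import re
import unicodedata

# Added example (not from the CRISC notes). A username field validated two ways:
# a denylist that rejects "known bad" substrings, and an allowlist that accepts
# only an explicitly defined shape. The probe inputs below are constructed.

# Denylist: whatever the last incident taught us to block. Always incomplete.
DENY_PATTERNS = ("'", '"', ";", "--", "<script", "../")

def validate_denylist(value: str) -> bool:
    """Accept unless a known-bad substring is present."""
    return not any(bad in value for bad in DENY_PATTERNS)

# Allowlist: the only thing a username is permitted to look like (assumed format).
USERNAME = re.compile(r"[a-z][a-z0-9_.-]{2,31}")

def validate_allowlist(value: str) -> bool:
    """Canonicalize first, then accept only if the whole string matches the allowed shape."""
    canonical = unicodedata.normalize("NFKC", value)
    return USERNAME.fullmatch(canonical) is not None

# Constructed probes: one benign value and several that a denylist tends to miss.
PROBES = {
    "alice": "normal user",
    "bob'; DROP TABLE users--": "classic SQL injection attempt",
    "<SCRIPT>alert(1)</SCRIPT>": "denylist is case-sensitive, the attacker is not",
    "carol%27": "URL-encoded quote slips past a literal-character denylist",
    "dave\u2019": "Unicode look-alike apostrophe",
    "..%2f..%2fetc/passwd": "encoded path traversal",
}

def compare(probes=PROBES) -> list:
    """Run every probe through both validators; returns (input, denylist_ok, allowlist_ok)."""
    return [(p, validate_denylist(p), validate_allowlist(p)) for p in probes]

if __name__ == "__main__":
    for value, deny_ok, allow_ok in compare():
        print(f"{value!r:32} denylist={'pass' if deny_ok else 'REJECT':6} "
              f"allowlist={'pass' if allow_ok else 'REJECT'}")
```

Four of the five hostile probes pass the denylist and none pass the allowlist. The allowlist normalizes (NFKC) before matching so that the check sees the same string the backend will see; a fullwidth "ａ" becomes "a" rather than an unrecognized character.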
Risk In The System Development Lifecycle
o Systems exist in all organizations
o There is a lifecycle associated with
systems and their development
o SDLC can stand for Software
Development Lifecycle as well
o A SDLC is a methodology intended to
support effective project management
System Development Lifecycle (cyclical)
o Initiation
o Development or Acquisition
o Implementation
o Operation
o Disposal
Key Security Tasks
o Document the risk
o Security categorization
o What are the CIA requirements?
o Privacy impact assessment
o Vendor/Supplier risk assessment
o Waterfall or Agile methodology
Emerging Technologies And Risk
o Technology is constantly changing
and growing everywhere
o Pressure to implement new
technologies to “keep up” with the
competition is huge
o This can cause an organization to lose
track of its primary goals and
objectives
Emerging Technologies
o Omnipresent connectivity
o Bring Your Own Device (BYOD)
o Internet of Things (IoT)
o Deepfakes and AI
o Blockchain
Information Security Concepts
o The goal of risk management is to
make sure technology used in
organizations is:
o Adequately protected
o Reliable
o Secure
Information Security Concepts
o Risk based concerns include:
o Creating policies
o System identification for backups
o Assigning Risk ownership
o Reviewing regulatory needs
o Training your staff and admins
Information Security Concepts
o Practitioners should understand that
every system needs a system owner
o Most owners delegate down to
operations
o Transference of responsibility DOES
NOT mean transference of accountability
o There can be different cultures within
an organization due to size and
complexity of groups/teams
Likelihood
o Likelihood (probability) is a
measure of how frequently events
occur
o Likelihood is affected by:
o Motivation
o Proximity
o Skill
o Volatility
o Visibility
The CIA Triangle (Iron Triangle)
o Practitioners need to understand the
CIA triad as all security risk derives
from these three principles
o Sometimes called the Iron Triangle
o There is a fourth principle in addition
to confidentiality, integrity and
availability: Nonrepudiation
o All are needed to perform successful
risk management
Confidentiality
o Confidentiality is all about the
secrecy and privacy of data
o Risk practitioners should be on the
lookout for policies or actions that
violate:
o Need to know
o Least privilege
Integrity
o All about protecting data from
improper modification, exclusion or
destruction
o Relies upon levels of error checking
and verification
o Principle of least privilege is critical
when identifying risk
Availability
o All about providing timely and
reliable access to information
o Systems and data need to be
highly available (HA)
o High availability can be expensive
and needs to be assessed with a
cost-benefit analysis (CBA)
o To identify potential risk, compare
current levels of availability to
desired levels (gaps=risk)
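Worked example (added here, not part of the CRISC notes) for this slide and the Business Continuity Plans slide above: a gap analysis that compares each system's BIA targets (RTO, RPO, availability) with its current measured capability and lists every shortfall as a risk. The two system profiles are constructed; in practice the targets come from the BIA and the "current" figures from DR tests and monitoring.

```python
from dataclasses import dataclass

# Added example, not part of the CRISC notes. The systems below are constructed;
# in practice the RTO/RPO targets come from the BIA and the "current" figures
# from monitoring and DR test results.

HOURS_PER_YEAR = 365 * 24

@dataclass
class SystemProfile:
    name: str
    rto_hours: float                 # BIA target: max tolerable time to restore service
    rpo_hours: float                 # BIA target: max tolerable window of lost data
    target_availability: float       # BIA target, e.g. 0.999 for "three nines"
    failover_hours: float            # current: restore time measured in the last DR test
    backup_interval_hours: float     # current: how often data is replicated or backed up
    downtime_last_year_hours: float  # current: unplanned downtime observed

def allowed_downtime_hours(availability: float) -> float:
    """Annual downtime budget implied by an availability target (99.9% -> 8.76 h)."""
    return (1.0 - availability) * HOURS_PER_YEAR

def assess(system: SystemProfile) -> list:
    """Compare current capability against BIA targets; each gap is a risk to record."""
    gaps = []
    if system.failover_hours > system.rto_hours:
        gaps.append(f"RTO gap: restore takes {system.failover_hours} h, "
                    f"target is {system.rto_hours} h")
    # Worst-case data loss is everything since the last copy, i.e. one full interval.
    if system.backup_interval_hours > system.rpo_hours:
        gaps.append(f"RPO gap: up to {system.backup_interval_hours} h of data lost, "
                    f"target is {system.rpo_hours} h")
    budget = allowed_downtime_hours(system.target_availability)
    if system.downtime_last_year_hours > budget:
        gaps.append(f"Availability gap: {system.downtime_last_year_hours} h down "
                    f"vs budget {budget:.2f} h")
    return gaps

# Constructed sample profiles.
SAMPLE_SYSTEMS = [
    SystemProfile("order-db", rto_hours=1, rpo_hours=0.25, target_availability=0.999,
                  failover_hours=4, backup_interval_hours=24, downtime_last_year_hours=12),
    SystemProfile("intranet-wiki", rto_hours=72, rpo_hours=24, target_availability=0.99,
                  failover_hours=8, backup_interval_hours=24, downtime_last_year_hours=20),
]

def gap_report(systems=SAMPLE_SYSTEMS) -> dict:
    """Map each system name to its list of gaps (empty list = no gap)."""
    return {s.name: assess(s) for s in systems}

if __name__ == "__main__":
    for name, gaps in gap_report().items():
        print(name, "->", gaps or ["no gap"])
```

The order database misses all three targets (a nightly backup cannot satisfy a 15-minute RPO, a 4-hour failover cannot satisfy a 1-hour RTO, and 12 hours of downtime exceeds the 8.76-hour budget of 99.9%); the wiki meets all of them. Each gap is the input to the CBA: the cost of closing it versus the impact the BIA assigned to the outage.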
Other Aspects of CIA Triangle
o System Authorization
o Segregation of Duties (SoD)
o Cross-training and Job Rotation
Access Control
o Managing access to systems and data
is one of the most difficult risk areas
for a practitioner
o In order to help with this, there is the
concept of IAAA.
o Identification
o Authentication
o Authorization
o Accountability (Accounting)
Authentication
o The process of validating an
identity
o Something you know
o Something you have
o Something you are
o Changing passwords on a regular
basis is a risk response for this
part of IAAA
Authorization
o Authentication must occur first
o Systems then provide appropriate
authorized access
o Proper use of the “least privilege”
principle is vital here
o Isolation is important. Authorization
is typically granted for a limited
period and only from certain devices
or locations
Accountability
o Accountability is achieved
through auditing
o Needs reliable system logging or
recording of activity
o Audit logs should NOT be
changeable by operations staff
(even admins)
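Worked example (added here, not part of the CRISC notes): a tamper-evident audit log in which every entry carries an HMAC over the previous entry's MAC plus its own content, so an administrator who can edit the log file but does not hold the key cannot alter, reorder or drop entries without the auditor noticing. The key, the three events and the hypothetical log format are constructed for the demo; stdlib-only Python.

```python
import hashlib
import hmac
import json

# Added example, not part of the CRISC notes. A tamper-evident audit log: each
# entry carries an HMAC over (previous entry's MAC + this entry). The key is
# held by the log service only; it is constructed here for the demo. The
# sample events are made up.

DEMO_LOG_KEY = bytes.fromhex("3b7f" * 16)   # constructed; never available to admins
GENESIS = "0" * 64

def _entry_mac(key: bytes, prev: str, event: dict) -> str:
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()

def append_event(chain: list, event: dict, key: bytes) -> dict:
    """Log service side: link the new entry to the current head of the chain."""
    prev = chain[-1]["mac"] if chain else GENESIS
    entry = {"seq": len(chain), "prev": prev, "event": event,
             "mac": _entry_mac(key, prev, event)}
    chain.append(entry)
    return entry

def verify_chain(chain: list, key: bytes, expected_head: str = None) -> tuple:
    """Auditor side. Returns (ok, index of first bad entry, or len(chain) if ok)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i
        if not hmac.compare_digest(_entry_mac(key, prev, entry["event"]), entry["mac"]):
            return False, i
        prev = entry["mac"]
    # A chain that was only truncated is internally consistent; catching that
    # needs the head MAC recorded somewhere operations staff cannot touch.
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, len(chain)

def build_sample_log() -> list:
    """Three constructed events: a login, a privilege grant, a data export."""
    chain = []
    for event in [
        {"ts": "2024-05-01T08:00:00Z", "actor": "jsmith", "action": "login", "result": "success"},
        {"ts": "2024-05-01T08:05:10Z", "actor": "jsmith", "action": "grant-role",
         "target": "dba", "result": "success"},
        {"ts": "2024-05-01T08:07:42Z", "actor": "jsmith", "action": "export",
         "target": "customers.csv", "result": "success"},
    ]:
        append_event(chain, event, DEMO_LOG_KEY)
    return chain

def edited_copy(chain: list, index: int, field: str, value) -> list:
    """What an admin with write access to the log file might do: rewrite one field."""
    copy = json.loads(json.dumps(chain))
    copy[index]["event"][field] = value
    return copy

if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["mac"]   # published out-of-band, e.g. to a separate log-integrity service
    print("intact:   ", verify_chain(log, DEMO_LOG_KEY, head))
    print("edited:   ", verify_chain(edited_copy(log, 1, "actor", "svc-backup"), DEMO_LOG_KEY, head))
    print("truncated:", verify_chain(log[:-1], DEMO_LOG_KEY, head))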
What is Encryption?
o Mathematical means of altering data
from readable forms to unreadable
forms (ciphertext)
o Data encryption uses two forms:
o Symmetric
o Asymmetric
o Used primarily for confidentiality
Symmetric Key Cryptography
o Most common system in place is
Advanced Encryption Standard
(AES)
o Shorter keys are easier to crack
o Shares the same secret key
o Disadvantages:
oOne party delivers keys (SPOF)
oNo way to tell who orginated message
Asymmetric Key Cryptography
o Diffie and Hellman created a different
method called the Diffie-Hellman
model
o Two related keys are created: Private
and Public
o Public keys are freely distributed.
Private keys are only held by the
creators and receivers
o Disadvantages:
o Computer resource intensive
o Much slower than Symmetric
Digital Signatures
o Combines a hash function with
the ability of PKI to prove the
author’s identity
o Creates excellent nonrepudiation
o Digital signatures do NOT encrypt
the message…just the digest
o PKI uses Certificates to verify the
identity of the owner of a public
key
Core Concepts to Remember
o Symmetric keys are excellent for
confidentiality but difficult to manage
o Aysmmetric algorithms are much slower
but much more secure
o Using both is the secret
o Hashing algorithms can help make sure of
message integrity
o Certificates provide assurance that a public
key belongs to the right owner
Information Security Awareness and Training
o Familiarity with technology can help
reduce operation training costs but
increase security risk
o Threat actors know that human users
are the weakest link
o Social media has made people more
willing to share information openly
o Inadequate SoD and Least Privilege
has also caused risk
Best Practices For Security Awareness Training
o Practitioners need to review the
scope of information being trained
o Topics to cover:
o Social engineering
o How to alert internal security
o Policies and regulatory
requirements specific to certain job
roles
o Resilient people help create resilient
organizations
Data Privacy Fundamentals
o Practitioners should understand that
privacy is similar to confidentiality
o Difference between privacy and
confidentiality: Rights regarding the
handling and retention of a subject’s
PII (Personal Identifiable Information)
o These rights are still valid even if the
data is not in the subject’s control
Data Privacy Concepts
o Informed Consent
o Privacy Impact Assessment (PIA)
o Minimization
o Destruction
o Risk is involved in monitoring the
legal and regulatory requirements