CYBR 3300 - Chapter 7
Microsoft's Four Phases or the RM Process
1. ASsess risk 2. Conducting decision support 3. Implementing controls 4. Measuring program effectiveness
RMF steps include
1. CATEGORIZE Categorize the info systems and the info processed/stored/transmitted 2. SELECT Select an initial set of baseline security controls (tailor and supplement) 3. IMPLEMENT Implement the sec controls and describe how they are employed 4. ASSESS Assess the sec controls using appropriate assessment procedures to ensure correct implementation/operation/outcomes 5. AUTHORIZE Authorize information system operation based on a determination of the risk to org operations and assets, indivs, other org,s, Nation 6. MONITOR Monitor sec controls in the infosystem on an ongoing basis
FDIC four steps to create a successful SLA
1.Determining objectives 2.Defining requirements 3.Setting measurements 4.Establishing accountability
The controls recommended by NIST in this family of SPs are organized into
18 families of controls These families are used to structure the protection of information and as part of the NSIST security control assessment methodology The controls are classified according to the three-category system used by NIST
Trusted
A component is part of TCB's security system Not that it is necessarily trustworthy
Trusted Computer System Evaluation Criteria (TCSEC)
A deprecated (no longer used) DoD system certification and accreditation standard that defined the criteria for assessing the access controls in a computer system. Also known as the rainbow series.
Delphi Technique
A group rates or ranks a set of information The individual responses are compiled and then returned to the group for another iteration Continues until the entire group is satisfied with the result Can be applied to the development of scales asset valuation, asset or threat ranking, or any scenario
NIST SP 800-39: "Management Information Security Risk: Organization, Missions, and Information System View"
A process than organizations can use to frame risk decisions, assess risk, respond to risk when identified, and then monitor risk or ongoing effectiveness and continuous improvement to the RM process Intent is to offer a complete and org-wide approach that integrates RM into all oeprations and decisions
Internal benchmarking
AKA baselining Involves comparing measured past performance against actual performance for the assessed category
European Network and Information Security Agency (ENISA)
Agency of the EU Ranks 12 tools using 22 attributes Utilty to compare risk management methods or tools
cost-benefit analysis (CBA)
Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization.
operational feasibility
An examination of how well a particular solution fits within the organization's culture and the extent to which users are expected to accept the solution. AKA behavioral feasibility
political feasibility
An examination of how well a particular solution fits within the organization's political environment
organizational feasbility
An examination of how well a particular solution fits within the organization's strategic planning objectives and goals
technical feasibility
An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel
Due care and due diligence
An organization's actions when it adopts a certain minimum level of security What any prudent organization would do in a similar circumstance
Defense strategy
Applying controls and safeguards that eliminate or reduce the remaining uncontrolled risk
User engagement and support can be achieved by means of three simple actions
Communicate - share timetables, schedules, dates, tmes, locations, training - parties must know purpose of changes Educate - Educated and trained in how ot work under new constraints Involve - ask users what they want and what they will tolerate - include reps from various constituencies These three can reduce resistance to change and build resilience for change
Political Feasibility
Considers what can and cannot occur based on the consensus and relationships among the communities of interest. InfoSec limits must fit withing the realm of the possible
Monitoring
Continuous or discrete activities to ensure internal control systems are functioning as expected Internal control deficiencies should be reported upstream
Risk can be avoided by two ways
Countering threats facing an asset Minimizing the exposure of a particular asset
Objectives to remain competitive
Design and create a secure envmt in which processes and procedures can function and evolve effectively This envmt must maintain confidentiality and privacy and assure the integrity and availability of organizational data
Technical Feasibility
Determine whether the organization already has or can acquire the tech necessary to implement and support them Examines whether the org has the tech expertise to manage the new tech
The Risk Treatment Strategy Selection Process
Diagram: 1. Determine whether info system has vulns that can be exploited. 2. If yes, determine what an attacker will gain. 3. Estimate the expected loss the organization will incur 4. If the org can absorb the loss OR the attacker's gain is less than cost of executing attack, org may accept the risk 5. If not, then it must select another strategy. 6. After selection and implementation, controls should be monitored and measured ongoing At a minimum, each information threat/vulnerability/asset (TVA) triplet that was developed in the risk assessment created previously should have a documented treatment strategy that clearly identifies any residual risk that remains after the proposed strategy has been executed - must articulate which strategy will be used - must jusitfy selection Organizations should document the outcome of the selection process for each TVA
Recommended Alternative Risk Treatment Practices
Each tiem a contrl is added to the matrix, it undoubtedly changes the ALe for the info asset vuln for which it has been designed, and it may also change the ALE for the other info vulns
ISO 27005:2011 Information Technology--Security Techniques--Information Security Risk Management
Five-stage management methodology 1. Risk Assessment - encompasses risk analysis and risk evaluation - risk analysis = risk identification + risk estimation 2. Risk treatment - ways to deal with unacceptable residual risk 3. Risk acceptance 4. Risk communication 4. Risk monitoring and review
Gold standard
For those ambitious organizations in which the best business practices are not sufficient They aspire to set the standard for their industry
Risk Treatment Strategies
General mgt empowers the InfoSec and IT communities to trat risks from threats creating a competitive disadvantage Once the project team for InfoSec development has identified the information assets with unacceptable levels of risk the team must choose one of five basic strategies to treat the risks for those assets •Defense •Transference •Mitigation •Acceptance Termination
single loss expectancy (SLE)
In a cost benefit analysis, the calculated value associated with the most likely loss from an attack. The SLE is the product of the asset's value and the exposure factor
annualized rate of occurrence (ARO)
In a cost benefit analysis, the expected frequency of an attack, expressed on a per year basis
annualized loss expectancy (ALE)
In a cost benefit analysis, the product of the annualized rate of occurrence and single loss expectancy
New Zealand's IsecT Ltd.
Independent governance, risk management, and compliance consultanty Maintains the ISO 27001 Security Web site Describes a large number of RM methods
Alternative Risk Management Methodologies
International and national standards and methodologies from industry-leading orgs
Committee of Sponsoring Organizations (COSO) of the Treadway Commission
Major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence Has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their contorl systems
SP 800-12, Rev. 1: An Introduction to Information Security
Newly revised after over 20 years, this document serves as a starting point for those with little to no background in InfoSec.
Mitre
Nonprofit org Designed to support research and development groups with federal funding four-step approach 1. Risk ID 2. Risk impact assessment 3. Risk prioritization analysis 4. Risk mitigation planning, implementation, and progress monitoring
Asset Valuation Techniques
Once you determine the loss from a single attack and the likely frequency of successful attacks, you can calculate the overall loss potential per risk expressed as an annualized loss expectancy (ALE) using the previous values for the ARO and SLE ALE = SLE x ARO Armed with this, Infoec design team can deliver a budgeted value for panning purposes
SP 800-184: Guide for Cybersecurity Event Recovery
One of the newest SPs This guide provides a significant update and extension to NIST SP 800-61 This SP extends the roles and responsibilities of those involved in IR to include a tactical-to-strategic approach on the latter IR stages Recovery and program improvement, involving management in the performance measure and continuous improvement administration of the It program, as well as technicians responsible for the recovery of technology and info assets from cyber-related incidents.
The OCTAVE Methods
Operationall Critical Threat, ASset, and Vulnerability Evaluation (OCTAVE) InfoSec risk evaluation methodology that alolows orgs to balance the protection of critical information asset agains the costs of providing protective and detection controls Can enable an org to measure itself against known or accepted good securitypractices and then establish an org-wide protection startegy and InfoSec •The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method defines the essential components of a comprehensive, systematic, context-driven, self-directed information security risk evaluation risk •By following the OCTAVE Method, an organization can make information-protection decisions based on risks to the confidentiality, integrity, and availability of critical information technology assets •The operational or business units and the IT department work together to address the information security needs of the organization
Table 8-4
Page 423 NIST SP 800-14 Principles for Securing IT systems
Principles, policies and frameworks
Primary enabler are the vehicle to translate the desired behavior into practical guidance for day-to-day management
FAIR
RM FW by Jack A Jones Understand, analyze, measure info risk Outcomes: mosre cost-effective info RM, greater credibility for InfoSec, foundation to develop scientific approach to info RM
Mitigation strategy
Reducing the impact to info assets should an attacker successfully exploit a vulnerability
Operational feasibility
Refers to user acceptance and support, management acceptance and support, and the system's compatibility with the requirements of the org's stakeholders User buy-in on projects is important One of the most common ways of obtaining user acceptance = user engagement
Termination strategy
Removing or discontinuing the info asset from the organization's operating environment
Microsoft Risk Management Approach
Security Risk Management Guide provieds the company's approcha to the RM process Comprehensive, easily scalable, and repeatable RM is not a standalone subjecta and should be part of a general governance program Purpose of RM process: Prioritze and manage sec risk •The Microsoft Security Risk Management Guide was discontinued late last year. A copy of the document is in D2L. •The Microsoft Security Risk Management Guide was discontinued late last year. A copy of the document is in D2L.
Federal Deposit Insurance Corporation's (FDIC) typical SLA
Service category Acceptable range of service quality Definition of what is being measured Formula for calculating measurement Relevant credits/penalties for achieving/failing performance targets Frequency and interval of measurement
Transference strategy
Shifting risks to other areas or to outside entities
FAIR Stages and Steps
Stage 1 - Identify scenario components: 1. Identify the asset at risk 2. Identify the threat community under consideration Stage 2 - Evaluate Loss Event Frequency (LEF): 3. Estimate the probable Threat Event Frequency (TEF) 4. Estimate the Threat Capability (TCap) 5. Estimate Control strength (CS) 6. Derive Vulnerability (Vuln) 7. Derive Loss Event Frequency (LEF) Stage 3 - Evaluate Probable Loss Magnitude (PLM) 8. Estimate worst-case loss 9. Estimate probable loss Stage 4—Derive and articulate Risk 10. Derive and articulate Risk
SP 800-53A, Rev. 4: Assessing Sec and Privacy Controls in Federal Info Systems and Orgs: Building Effective Assessment Plans
The companion guide to SP 800-53 Functional successor to SP 800-26 Provides a SDLC approach to sec assessment of info systems Takes the controls of SP 800-53
cost avoidance
The financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident.
Three variations
The original OCTAVE method, which forms the basis for the OCTAVE body of knowledge and which was designed for large orgs OCTAVE-S, for small orgs (~100) OCTAVE_Allegro, a streamlined approach for InfoSec assessment and assurance
asset valuation
The process of assigning financial value or worth to each information asset.
External benchmarking
The process of seeking out and studying the practices used in other organizations that produce results you desire in your organization
defense risk treatment strategy
The risk treatment strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards in an effort to change the likelihood of a successful attack on an information asset Also known as the avoidance strategy
mitigation risk treatment strategy
The risk treatment strategy that attempts to reduce the impact of the loss caused by an incident, disaster, or attack through effective contingency planning and preparation
transference risk treatment strategy
The risk treatment strategy that attempts to shift risk to other assets, other processes, or other organizations
termination risk treatment strategy
The risk treatment strategy that eliminates all risk associated with an information asset by removing it from service
acceptance risk treatment strategy
The risk treatment strategy that indicates the organization is willing to accept the current level of residual risk. As a result, the organization makes a conscious decision to do nothing else to protect an information asset from risk and to accept the outcome from any resulting exploitation
SP 800-61, Rev. 2: Computer Security Incident Handling Guide
This SP provides a methodology and specific measures for responding to computer incidents. Also provides guidance on the development of policy and plans for designing and implementing an IR program
SP 800-39: Managing Info Sec Risk: Organization, Mission, and Info System View
This SP provides additional discussion on the higher-level functions associaed with risk management
SP 800-53, Rev. 4: Security and Privacy Controls in Federal Info Systems and Orgs
This SP provides detailed information on the SP family of sec controls Also discusses the use of controls as part of planned baselines of varying rigor
SP 800-55, Rev. 1: Performance Measurement Guide for InfoSec
This SP provides guidance on the development and implementation of a performance measurement program, including the selection of key performance measured related to info sec
SP 800-100: InfoSec Handbook: A Guide for Managers
This SP serves as the managerial tutorial equivalent of SP 800-12, providing overviews of the roles and responsibilities of a security manager in the development, administration, and improvement of a secu program
SP 800-37, Rev. 1: Guide for Applying the Risk Management Framework to Federal Info Systems: A Security Life Cycle Approach
This document continues the NIST RMF program and provides additional guidance on the use of the NIST RMF
SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems (1996)
This document describes recommended practices and provides information on commonly accepted InfoSec principles that can direct the security team in the development of a security blueprint Also describes the philosophical principles that the security team should integrate into the entire InfoSec process
Information and communication
This encompasses the delivery of reports--regulatory, financial, and otherwise. Should also include those made to third parties and other stakeholders
SP 800-34, Rev. 1: Contingency Planning Guide for Federal Information Systems (2010)
This guide defines the seven-stage methodology for responding to an event requiring disaster recovery operations. The guide also provides an overview of business continuity strategies and methods This document, when combined with NIST SP 800-61, forms the basis for all incident response, disaster recovery, and business continuity lectures
SP 800-30, Rev. 1: Guide for Conducting Risk Assessments (2012)
This guide provides a foundation for the development of an effective risk management program, and it contains both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations better manage IT-related mission risks. The document is organized into three chapters that explain the overall risk management as well as preparing for, conducting, and communicating a risk assessment
SP 800-18 Rev. 1: Guide for Developing Security Plans for Federal Information Systems (2006)
This guide provides detailed methods for assessing, designing, and implementing controls and plans for applications of various sizes. It serves as a guide for the security planning activities described later and for the overall InfoSec planning process In addition, this document provides templates for major application security plans Must be customized to fit the particular needs of a(n) organization.
Control activities
This includes those policies and procedures that support management directives These occur throughout the organization and include approvals, authorizations, verifications, reconciliations, reviews of operating performance, etc.
Control environment
This is the foundation of all internal control components. Include integrity, ethical values, management's operative style, etc
•Best business practices
Those thought to be among the best in the industry, balancing the need to access the information with adequate protection
The RMF operates primarily at
Tier 3 Can also have interactions at Tiers 1 and 2
covert channels
Unauthorized or unintended methods of communications hidden inside a computer system. One of the biggest challenges in TCB
Trusted Computing Base (TCB)
Under TCSEC, the combination of all hardware, firmware, and software responsible for enforcing the security policy.
Acceptance strategy
Understanding the consequences of choosing to leave an info asset's vulnerability facing the current level of risk, but only after a formal evaluation and intentional acknowledgment of this decision
ISO 31000
Used in the formalization of the RM method presented elsewhere Developed using the AU/NZ standard AS/NZS 4360:2004 as a foundation More generic than the standard for information security risk management Provides a structured method for evaluating threats to economic performance in an org Targeted toward any type of risk management, including enterprise risk management, financial risk management, and environmental risk management
Government recommendations and best practices
Useful for organizations that operate in industries regulated by governmental agencies. Requirements that also server as excellent sources for infor about what some orgs may be doing to control InfoSec risks
NIST SP 800-37, Rev. 1: Guide for Applying the Risk Management Framework to Federal Info Systems
Uses the FW in SP 800-39 Risk Management Framework Promoted concept of timely risk management and robust continuous monitoring and encourages use of automation Three-tiered approach 1. Organization - Governance 2. Mission/business process - Information and info flows 3. Info system - environment of operation six-step process
Most commonly used quantitative approaches used to value assets
Value retained from the cost of creating the asset Value retained from past maintenance of the information asset Value implied by the cost of replacing the information Value from providing the information Value acquired from the cost of protecting the information Value to owners Value of intellectual property Value to adversaries Loss of productivity while the information assets are unavailable Loss of revenue while information assets are unavailable Total cost of ownership - sum of elements in previous categories
reference monitor
Within TCB, a conceptual piece of the system that manages access controls—in other words, it mediates all access to objects by subjects. •Systems administrators must be able to audit or periodically review it to ensure it is functioning effectively, without unauthorized modification
Information Security Governance Framework
a managerial model which provides guidance in the development and implementation of an organizational information security governance structure Specifies that each independent organizational unit should develop, document, and implement an InfoSec program consistent with guideance of accepted sec practices Recommends that each org establish clear, effective, and periodic reporting regarding the InfoSec program from each unit
Usually, the probability of a threat occurring is depicted as
a table that indicates how frequently an attack from each threat type is likely to occur within a given time frame - commonly referred to as the annualized rate of occurrence (ARO) - and simply indicates how often you expect a specific type of attack to occur
The Three Lines of Defense
addresses how specific duties related to risk and control could be assigned and coordinated within an organization Clarifies the difference and relationship between the organizations' assurance and other monitoring activities
Treating risk begins with
an understanding of what risk treatment strategies are and how to formulate them
Principles and enablers
are dependent on the employers' skills and abilities within their organization
Organizational structures
are the key decision-making entities in an enterprise
Culture, ethics and behavior of individuals and of the enterprise
are very often underestimated as a success factor in governance and management activities
Risk assessment
assists in the identification and examination of valid risks to the defined objectives of the organizations Also includes assessment of risks to information systems
Termination
based on the organization's intentional choice not to protect an asset however, the organization does not wish the information asset to remain at risk and so removes it from the environment that represents risk •Sometimes, the cost of protecting an asset may outweigh its value, or it may be too difficult or expensive to protect an asset, compared to the value or advantage that asset offers the company Termination must be a conscious business decision
Risk response should provide a
consistent and org-wide process based on developing alternative responses, evaluating them, selecting courses of action, implementing them
Processes
describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall goals
Formal models
do not usually find their way directly into usable implementations Form the basic approach that an implementation uses Lends credibility, improve reliability, and leads to improved results of an implementation
•A traditional model of calculating quantitative cost-benefit analyses involves
estimating the likelihood of an attack based on an annualized rate of occurrence and the impact of an attack based on loss expectancy Once an organization calculates worth of assets, it can calculate potential loss from the successful exlploitation = estimate of potential loss per risk Questions to ask - What damage could occue? Financial impact? - Cost to recover from attack plus financial impact of damage? - SLE per risk?
Organizational Feasibility
examines how well the proposed InfoSec alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization The proposed control approach must contribute to the organization's strategic objectives Org shouldn't get tech that changes its fundamental ability to explore certain avenues and opportunities
The risk frame
identifies boundaries for risk responsibilities and delineates key assumptions about the threats and vulnerabilities found in the org's operating environment
Security architecture models
illustrate information security implementations, and can help organizations to quickly make improvements through adaptation •Some models are implemented into computer hardware and software, some are implemented as policies and practices, and some are implemented in both •Some models focus on the confidentiality of information, while other focus on the integrity of the information as it is being processed
Services, infrastructure and applications
include the infrastructure, technology and applications that provide the enterprise with information technology processing and services
Internal control
is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories •Effectiveness and efficiency of operations •Reliability of financial reporting •Compliance with applicable laws and regulations
Trusted Computer System Evaluation Criteria (TCSEC)
is an older DoD standard that defines the criteria for assessing the access controls in a computer system part of a larger series of standards collectively referred to as the Rainbow Series, due to the color-coding used to uniquely identify each document also known as the "Orange Book" and is considered the cornerstone of the series was replaced by the "Common Criteria" in 2005 defines a trusted computing base (TCB) as the combination of all hardware, firmware, and software responsible for enforcing the security policy Is only as effective as its internal controls mechanisms and administration of systems made up of the hardware and software that has been implemented to provide security for a particular information system
Information
is required for keeping the organization running and well governed, but at the operational level, ______ is very often the key product of the enterprise itself
Once the organization has decided on a risk treatment strategy,
it must then re-estimate the effect of the proposed strategy on the residual risk that would be present after the proposed treatment was implemented
After the risk management (RM) process team has identified, analyzed, and evaluated the level of risk currently inherent in its information assets (risk assessment),
it then must treat the risk that is deemed unacceptable when it exceeds its risk appetite
competitive disadvantage
organizations strive not to fall behind technologically
Control Objectives for Information and Related Technology (COBIT)
provides advice about the implementation of sound controls an control objectives for InfoSec Can be used not only as planning tool for InfoSec but also as a control model designed to be an IT governance and management structure Includes a framework to support InfoSec requirements and assessment needs
COBIT 5
provides five principles focused on the governance and management of IT in an organization
Framing risk establishes the organization's context for
risk-based decision making, with the intent of establishing documented processes for a RM stratefy
avoidance strategy
see defense risk treatment strategy
behavioral feasibility
see operational feasibility.
COBIT was created by
the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992
•A single loss expectancy, or SLE,
the calculated value associated with the most likely loss from a single occurrence of a specific attack •SLE = asset value (AV) x exposure factor (EF) •Where EF = the percentage loss that would occur from a given vulnerability being exploited Estimating the probability of a threat is more difficult than estimating value
Benchmarking
the comparison of org effectiveness, efficiency, and productivity against an established measure External and internal The gap: the comparison between two performance staes may reveal shortfalls in the org's performance Gap analysis: allows the org to create a plan for moving the org closer to ideal level or perormance Org typically uses either metrics-based of process-based measures
The COSO Internal Control-Integrated Framework outlines
the components, principles, and factors necessary for an organization to effectively manage its risks through the implementation of an internal control
Asset Valuation
the estimation of real or perceived costs - costs can be selected from various things (381) - some costs are simple to determine, others impossible Some assets acquire value that is beyond their intrinsic value - this acquired value is the more appropriate value in most coases
Assessing risk within the context of the organizational risk frame requires
the identification of threats, vulnerabilities, consequences of exploitation leading to losses, and the likelihood of such loss
The key to an effective transference risk control strategy is
the implementation of an effective service level agreement (SLA) •In some circumstances, an SLA is the only guarantee that an external organization will implement the level of security the client organization wants
Risk monitoring over time required
the org to verify that planned risk response measures are implemented and that effectiveness of risk measures are achieved
security policy
the rules of configuration for a system, rather than a managerial guidance document
Risk assessment relies on a variety of
tools, techniques, and underlying factors - assumptions about risk - contraints within org and its environment - roles and resps of org members - how and where risk info is collected and processed - particular approach to risk assessment in the org - frequence of periodic reassessment of risk
•The Factor Analysis of Information Risk (FAIR) framework includes:
•A taxonomy for information risk •Standard nomenclature for information risk terms •A framework for establishing data collection criteria •Measurement scales for risk factors •A computational engine for calculating risk •A modeling construct for analyzing complex risk scenarios
Three common methods of risk defense
•Application of policy •Application of SETA programs •Implementation of technology
Feasibility and Cost-Benefit Analysis
•Before deciding on the strategy for a specific TVA triplet, an organization should explore all readily accessible information about the economic and noneconomic consequences of an exploitation of the vulnerability, when the threat causes a loss to the asset •"What are the actual and perceived advantages of implementing a control as opposed to the actual and perceived disadvantages?" The primary way to identify the advantages of a specific strategy is to determine the value of the info assets it's designed to protect •Cost avoidance is the money saved by using the defense strategy via the implementation of a control, thus eliminating the financial ramifications of an incident •The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility as calculated in a cost-benefit analysis
Benefit
•Benefit is the value to the organization of using controls to prevent losses associated with a specific vulnerability •usually determined by valuing the information asset or assets exposed by the vulnerability and then determining how much of that value is at risk and how much risk there is for the asset expressed as the annualized loss expectancy (ALE)
Information Security Governance Framework Core Members
•Board of directors/trustees Strategic oversight regarding InfoSec •Senior executives Provide oversight of a comprehensive InfoSec program •Executive team members who report to a senior executive oversee org sec policies and practices •Senior managers Provide InfoSec for info and info systems that support the operations and assets •All employees and users Maintain sec of info and info systems
Five Components of the COSO Framework
•Control environment •Risk assessment •Control activities •Information and communication •Monitoring
Acceptance is recognized as a valid strategy only when the organization has:
•Determined the level of risk posed to the information asset •Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability •Estimated the potential impact (damage or loss) that could result from a successful attack •Evaluated potential controls using each appropriate type of feasibility •Performed a thorough risk assessment, including a financial analysis such as a CBA •Determined that the costs to treat the risk to a particular function, service, collection of data, or information asset do not justify the cost of implementing and maintaining the controls
Alternatives to Feasibility Analysis
•Due care and due diligence •Benchmarking •Best business practices •Gold standard •Government recommendations and best practices
Cost
•Just as it is difficult to determine the value of information, it is difficult to determine the cost of safeguarding it Some of the items that affect the cost of a control or safeguard include: •Cost of development or acquisition •Training fees •Cost of implementation •Service costs •Cost of maintenance •Potential cost from the loss of the asset
Qualitative and Hybrid Asset Valuation Measures
•Many of the approaches to asset valuation described previously attempt to use actual values or estimates to create a quantitative assessment; in some cases, an organization might be unable to determine these values •Fortunately, risk assessment steps can be executed using estimates based on a qualitative assessment •A more granular approach, the semi-qualitative or hybrid assessment, tries to reduce some of the ambiguity of qualitative measures without resorting to the unsubstantiated estimations used for quantitative measures Hybrid uses scales rather than specific estimates
Selecting the Best Risk Management Model
•Most organizations already have a set of RM practices in place •If not, a recommended approach is to begin by studying the models presented here and by identifying what each offers to the envisioned process •Other organizations may hire a consulting firm to provide or even develop a proprietary model - not the least expensive - guarantees a functional model + advice + training •When faced with the daunting task of building a risk management program from scratch, it may be best to talk with other security professionals, perhaps through professional security organization meetings like ISSA, to find out how others in the field have approached this problem - what models they prefer and why What works well for one org may not work well for others
Other Methods of Establishing Feasibility
•Organizational feasibility •Operational feasibility •Technical feasibility •Political feasibility
COBIT 5 Principles
•Principle 1: Meeting Stakeholder Needs •Principle 2: Covering the Enterprise End-to- End •Principle 3: Applying a Single, Integrated Framework •Principle 4: Enabling a Holistic Approach •Principle 5: Separating Governance From Management
Managing Risk
•Risk appetite is the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility The reasoned approach to risk is one that balances the expense against the possible losses, if exploited The key is for the organization to find balances in its decision-making processes and in its feasibility analyses •When vulnerabilities have been controlled to the degree possible, there is often remaining risk that has not been completely removed, shifted, or planned for - in other words, residual risk •Residual risk persists even after safeguards are implemented to reduce the levels of risk associated with threats, vulnerabilities, and information assets •The goal of InfoSec is not to bring residual risk to zero; rather it is to bring it in line with an organization's risk appetite
Acceptance
•The acceptance risk treatment strategy is the decision to do nothing beyond the current level of protection to protect an information asset from risk, and to accept the outcome from any resulting exploitation •While the selection of this treatment strategy may not be a conscious business decision in some organizations, the unconscious acceptance of risk is not a productive approach to risk treatment •This strategy assumes that it can be a prudent business decision to examine the alternatives and conclude that the cost of protecting an asset does not justify the security expenditure. An organization that decides on acceptance as a strategy for every identified risk of loss may be unable to conduct proactive security activities and may have an apathetic approac to security The risks far outweigh the benefits of this approach
Defense
•The defense risk treatment strategy attempts to prevent the exploitation of the vulnerability the preferred approach accomplished by means of countering threats, removing vulnerabilities in assets, limiting access to assets, and adding protective safeguards sometimes referred to as "avoidance". Organization is attempting to improve the security of an asset by reducing the likelihood of a successful attack
Mitigation
•The mitigation risk treatment strategy is the treatment approach that focuses on planning and preparation to reduce the impact or potential consequences of an incident or disaster four types of plans: •Disaster recovery (DR) plan •Incident response (IR) plan •Business continuity (BC) plan •Crisis Management (CM) plan {TABLE 7-1, pg. 372} •Mitigation derives its value from its ability to detect and respond to an attack as quickly as possible.
Transference
•The transference risk treatment strategy attempts to shift risk to another entity accomplished by - rethinking how services are offered, revising deployment models, - outsourcing to other organizations, purchasing insurance, or - implementing service contracts with providers Organization should consider this whenever they begin to expand their operations •When an organization does not have adequate security management and administration experience, it should consider hiring individuals or firms that provide expertise in those areas (outsourcing)
Rules of thumb for selecting a strategy
•When a vulnerability exists in an important asset—Implement security controls to reduce the likelihood of a vulnerability being exploited •When a vulnerability can be exploited—Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack •When the attacker's potential gain is greater than the costs of attack—Apply protections to increase the attacker's cost or reduce the attacker's gain by using technical or managerial controls •When the potential loss is substantial—Apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss
Information Technology Infrastructure Library (ITIL)
•a collection of methods and practices useful for managing the development and operation of information technology infrastructures has been produced as a series of books, each of which covers an IT management topic •Since it includes a detailed description of a many significant IT-related practices it can be tailored to many IT organizations
CBA
•determines whether the benefit from a control alternative is worth the associated cost of implementing and maintaining the control may be performed before implementing a control, or they can be performed after controls have been in place for a while Observation adds precision The easiest way to calculate CBA: CBA = ALE(precontrol) - ALE(postcontrol) - ACS Where: •ALE (precontrol) = ALE of the risk before the implementation of the control •ALE (postcontrol) = ALE examined after the control has been in place for a period of time •ACS = annualized cost of the safeguard
•NIST documents have two notable advantages:
•they are publicly available at no charge •they have been available for some time; thus they have been broadly reviewed (and updated) by government and industry professionals