Domain 1: Security and Risk Management : Risk Management Concepts


Breach

A breach is an attack that has been successful in reaching its goal. Often, a breach of an organization's data constitutes a security incident that the organization is legally required to report to affected individuals, regulatory agencies, and sometimes credit reporting agencies and media. It is vital that an organization quickly and effectively respond when an incident does escalate into a data breach. When a data breach has occurred, security professionals should, at minimum, quantify the damage and determine the response.

Asset and Asset Valuation

An asset is any resource, product, process, system, or other thing that has value to an organization and must be protected. Physical or tangible assets, including equipment or computers, are assets that can be touched. Intangible assets, including information or intellectual property, are assets that hold value to the organization but often cannot be touched in the physical sense. All organizational assets should be documented.

Attack

An attack is any event that violates an organization's security or privacy policies. Another word for an attack is an incident. It is important that all attacks are documented and fully analyzed so that the organization can take measures to prevent the attack from happening again. The measures that are taken can also prevent the attack from becoming a breach in the future.

Implementation

Before implementing any controls that have been chosen as part of the risk analysis process, security professionals must consider the frameworks used for reference, tools deployed, and metrics for managing the controls. These three facets ensure the success of the security architecture. The goal of any risk countermeasure implementation is to improve the organization's security without negatively impacting performance. Documentation and communication across all areas will ensure that each individual business unit's risk management implementation is as complete as possible.

COSO's Enterprise Risk Management (ERM) Integrated Framework

COSO broadly defines ERM as "the culture, capabilities and practices integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving and realizing value." The ERM framework is presented in the form of a three-dimensional matrix. The matrix includes four categories of objectives across the top: strategic, operations, reporting, and compliance. There are eight components of enterprise risk management. Finally, the organization, its divisions, and business units are depicted as the third dimension of the matrix for applying the framework.

Corrective

Corrective controls, also known as correcting controls, are in place to reduce the effect of an attack or other undesirable event. Using corrective controls fixes or restores the entity that is attacked. Examples of corrective controls include installing fire extinguishers, isolating or terminating a connection, implementing new firewall rules, and using server images to restore to a previous state.

Risk Assessment/Analysis

Once the risk analysis team is formed, it is time to actually start the risk analysis or assessment process. This process includes two different types of risk analysis: quantitative risk analysis and qualitative risk analysis.

Preventive

Preventive controls, also known as preventing controls, prevent an attack from occurring. Examples of preventive controls include locks, badges, biometric systems, encryption, intrusion prevention systems (IPSs), antivirus software, personnel security, security guards, passwords, and security awareness training.

NIST Cybersecurity Framework: Create Cybersecurity Program

The following steps illustrate how an organization could use the framework to create a new cybersecurity program or improve an existing program. These steps should be repeated as necessary to continuously improve cybersecurity.
1: Prioritize and scope
2: Orient
3: Create a current profile
4: Conduct a risk assessment
5: Create a target profile
6: Determine, analyze, and prioritize gaps
7: Implement the action plan

Exploit

An exploit is when a threat agent successfully takes advantage of a vulnerability.

Exposure

An exposure occurs when an organizational asset is exposed to losses. If the folder with the inappropriate or absent ACL is compromised by a threat agent, the organization is exposed to the possibility of data exposure and loss.

Compensative

Compensative controls, also known as compensating controls, are in place to substitute for a primary access control and mainly act as a mitigation to risks. Using compensative controls, you can reduce the risk to a more manageable level. Examples of compensative controls include requiring two authorized signatures to release sensitive or confidential information and requiring two keys owned by different personnel to open a safety deposit box.

Detective

Detective controls, also known as detecting controls, are in place to detect an attack while it is occurring to alert appropriate personnel. Examples of detective controls include motion detectors, intrusion detection systems (IDSs), logs, guards, investigations, and job rotation.

Deterrent

Deterrent controls, also known as deterring controls, deter or discourage an attacker. Via deterrent controls, attacks can be discovered early in the process. Deterrent controls often trigger preventive and corrective controls. Examples of deterrent controls include user identification and authentication, fences, lighting, and organizational security policies, such as an NDA.

Countermeasure

A control (sometimes called a countermeasure or safeguard) is a tactic, mechanism, or strategy that accomplishes one or more of the following:
- Reduces or eliminates a vulnerability
- Reduces or eliminates the likelihood that a threat agent will be able to exploit a vulnerability
- Reduces or eliminates the impact of an exploit
For our example, a good countermeasure would be to implement the appropriate ACL and to encrypt the data. The ACL protects the integrity of the data, and the encryption protects the confidentiality of the data.

FIPS 199 High Impact

A potential impact is high if the loss of any tenet of CIA could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. This occurs if an organization is not able to perform one or more of its primary functions. This category involves major damage, financial loss, or severe harm.

FIPS 199 Low Impact

A potential impact is low if the loss of any tenet of CIA could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. This occurs if the organization is able to perform its primary function but not as effectively as normal. This category involves only minor damage, financial loss, or harm.

FIPS 199 Moderate Impact

A potential impact is moderate if the loss of any tenet of CIA could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. This occurs if the effectiveness with which the organization is able to perform its primary function is significantly reduced. This category involves significant damage, financial loss, or harm.

Quantitative Risk Analysis

A quantitative risk analysis assigns monetary and numeric values to all facets of the risk analysis process, including asset value, threat frequency, vulnerability severity, impact, safeguard costs, and so on. Equations are used to determine total and residual risks. The most common equations are for single loss expectancy (SLE) and annual loss expectancy (ALE). Keep in mind that even though quantitative risk analysis uses numeric value, a purely quantitative analysis cannot be achieved because some level of subjectivity is always part of the data. In our example, how does the organization know that damage from the power failure will be 25% of the asset? This type of estimate should be based on historical data, industry experience, and expert opinion. An advantage of quantitative over qualitative risk analysis is that quantitative uses less guesswork than qualitative. Disadvantages of quantitative risk analysis include the difficulty of the equations, the time and effort needed to complete the analysis, and the level of data that must be gathered for the analysis.

Risk Assessment

A risk assessment is a tool used in risk management to identify vulnerabilities and threats, assess the impact of those vulnerabilities and threats, and determine which controls to implement. Risk assessment or analysis has four main goals:
- Identify assets and asset value.
- Identify vulnerabilities and threats.
- Calculate threat probability and business impact.
- Balance threat impact with countermeasure cost.
Prior to starting the risk assessment, management and the risk assessment team must determine which assets and threats to consider. This process determines the size of the project. The risk assessment team must then provide a report to management on the value of the assets considered. Management can then review and finalize the asset list, adding and removing assets as it sees fit, and then determine the budget of the risk assessment project. If a risk assessment is not supported and directed by senior management, it will not be successful. Management must define the risk assessment's purpose and scope and allocate the personnel, time, and monetary resources for the project.

Risk

A risk is the probability that a threat agent will exploit a vulnerability and the impact if the threat is carried out. Risk is expressed in terms of the likelihood and impact of a threat event. The risk in the vulnerability example would be fairly high if the data residing in the folder is confidential. However, if the folder only contains public data, then the risk would be low. Identifying the potential impact of a risk often requires security professionals to enlist the help of subject matter experts.

Threat Agent

A threat is carried out by a threat agent. Continuing with the example, the attacker who takes advantage of the inappropriate or absent ACL is the threat agent. Keep in mind, though, that threat agents can discover and/or exploit vulnerabilities. Not all threat agents will actually exploit an identified vulnerability.

Threat

A threat is the next logical progression in risk management. A threat occurs when a vulnerability is identified or exploited and is a potential danger. A threat would occur when an attacker identified the folder on the computer that has an inappropriate or absent ACL.

Vulnerability

A vulnerability is a weakness. Vulnerabilities can occur in software, hardware, or personnel. An example of a vulnerability is unrestricted access to a folder on a computer. Most organizations implement a vulnerability assessment to identify vulnerabilities.

System Life Cycle Processes and Codes

AQ - Acquisition
AR - Architecture Definition
BA - Business or Mission Analysis
CM - Configuration Management
DE - Design Definition
DM - Decision Management
DS - Disposal
HR - Human Resource Management
IF - Infrastructure Management
IM - Information Management
IN - Integration
IP - Implementation
KM - Knowledge Management
LM - Life Cycle Model Management
MA - Maintenance
MS - Measurement
OP - Operation
PA - Project Assessment and Control
PL - Project Planning
PM - Portfolio Management
QA - Quality Assurance
QM - Quality Management
RM - Risk Management
SA - System Analysis
SN - Stakeholder Needs and Requirements Definition
SP - Supply
SR - System Requirements Definition
TR - Transition
VA - Validation
VE - Verification
Each process listed has a unique purpose within the life cycle. Each process has tasks associated with it.

FIPS 199 Security Category (SC)

According to FIPS 199, the security category (SC) of an identified entity expresses the three tenets with their values for an organizational entity. The values are then used to determine which security controls should be implemented. If a particular asset is made up of multiple entities, then you must calculate the SC for that asset based on the entities that make it up. FIPS 199 provides a nomenclature for expressing these values, as shown here:
SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}
Let's look at an example of this nomenclature in a real-world example:
SC public site = {(confidentiality, low), (integrity, moderate), (availability, high)}
SC partner site = {(confidentiality, moderate), (integrity, high), (availability, moderate)}
SC internal site = {(confidentiality, high), (integrity, medium), (availability, moderate)}
Now let's assume that all of the sites reside on the same web server. To determine the nomenclature for the web server, you need to use the highest values of each of the categories:
SC web server = {(confidentiality, high), (integrity, high), (availability, high)}
Some organizations may decide to place the public site on a web server and isolate the partner site and internal site on another web server. In this case, the public web server would not need all of the same security controls and would be cheaper to implement than the partner/internal web server.

ISO/IEC 27005:2011

According to ISO/IEC 27005:2011, the risk management process consists of the following steps:
1: Context Establishment: Defines the risk management's boundary.
2: Risk Analysis (Risk Identification & Estimation phases): Evaluates the risk level.
3: Risk Assessment (Risk Analysis & Evaluation phases): Analyzes the identified risks and takes into account the objectives of the organization.
4: Risk Treatment (Risk Treatment & Risk Acceptance phases): Determines how to handle the identified risks.
5: Risk Communication: Shares information about risk between the decision makers and other stakeholders.
6: Risk Monitoring and Review: Detects any new risks and maintains the risk management plan.

SP 800-30 Rev. 1

According to NIST SP 800-30 Rev. 1, common information-gathering techniques used in risk analysis include automated risk assessment tools, questionnaires, interviews, and policy document reviews. Keep in mind that multiple sources should be used to determine the risks to a single asset. NIST SP 800-30 identifies the following steps in the risk assessment process:
1: Prepare for the assessment
2: Conduct assessment
a - Identify threat sources and events
b - Identify vulnerabilities and predisposing conditions
c - Determine likelihood of occurrence
d - Determine magnitude of impact
e - Determine risk as a combination of likelihood and impact
3: Communicate results
4: Maintain assessment

Administrative (Management) Controls

Administrative or management controls are implemented to administer the organization's assets and personnel and include security policies, procedures, standards, baselines, and guidelines that are established by management. These controls are commonly referred to as soft controls. Specific examples are personnel controls, data classification, data labeling, security awareness training, and supervision. Security awareness training is a very important administrative control. Its purpose is to improve the organization's attitude about safeguarding data. The benefits of security awareness training include a reduction in the number and severity of errors and omissions, a better understanding of information value, and better administrator recognition of unauthorized intrusion attempts. A cost-effective way to ensure that employees take security awareness seriously is to create an award or recognition program.

Directive

Directive controls, also known as directing controls, specify acceptable practice within an organization. They are in place to formalize an organization's security directive mainly to its employees. The most popular directive control is an acceptable use policy (AUP) that lists proper (and often examples of improper) procedures and behaviors that personnel must follow. Any organizational security policies or procedures usually fall into this access control category. You should keep in mind that directive controls are only efficient if there is a stated consequence for not following the organization's directions.

A Risk Management Standard by the Federation of European Risk Management Associations (FERMA)

FERMA's A Risk Management Standard provides guidelines for managing risk in an organization.

FIPS 199

FIPS 199 defines standards for security categorization of federal information systems. The FIPS 199 nomenclature may be referred to as the aggregate CIA score. This U.S. government standard establishes security categories of information systems used by the federal government. FIPS 199 requires federal agencies to assess their information systems in the categories of confidentiality, integrity, and availability and rate each system as low, moderate, or high impact in each category. An information system's overall security category is the highest rating from any category.

NIST Framework for Improving Critical Infrastructure Cybersecurity: Implementation Tiers

Framework implementation tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the framework. The following four tiers are used:
Tier 1: Partial means that risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner.
Tier 2: Risk Informed means that risk management practices are approved by management but may not be established as organization-wide policy.
Tier 3: Repeatable means that the organization's risk management practices are formally approved and expressed as policy.
Tier 4: Adaptive means that the organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities through a process of continuous improvement.
Finally, a framework profile is the alignment of the functions, categories, and subcategories with the business requirements, risk tolerance, and resources of the organization. A profile enables organizations to establish a roadmap for reducing cybersecurity risk that is well aligned with organizational and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities.

Inherent Risk vs Residual Risk

Inherent risk is the risk that an organization could encounter if it decides not to implement any safeguards. As you already know, no environment is ever fully secure, so you must always deal with residual risk. Residual risk is the risk that is left over after safeguards have been implemented. Residual risk is represented using the following equation:
Residual risk = Inherent risk - Countermeasures
This equation is considered to be more conceptual than for actual calculation.

SP 800-60 Vol. 1 Rev. 1 Example

Let's look at an example: An information system used for acquisitions contains both sensitive, pre-solicitation phase contract information, and routine administrative information. The management within the contracting organization determines that:
- For the sensitive contract information, the potential impact from a loss of confidentiality is moderate, the potential impact from a loss of integrity is moderate, and the potential impact from a loss of availability is low.
- For the routine administrative information (non-privacy-related information), the potential impact from a loss of confidentiality is low, the potential impact from a loss of integrity is low, and the potential impact from a loss of availability is low.
The resulting security categories, or SCs, of these information types are expressed as
SC contract information = {(confidentiality, moderate), (integrity, moderate), (availability, low)}
SC administrative information = {(confidentiality, low), (integrity, low), (availability, low)}
The resulting security category of the information system is expressed as
SC acquisition system = {(confidentiality, moderate), (integrity, moderate), (availability, low)}
This represents the high-water mark or maximum potential impact values for each security objective from the information types resident on the acquisition system. In some cases, the impact level for a system security category will be higher than any security objective impact level for any information type processed by the system. The primary factors that most commonly raise the impact levels of the system security category above that of its constituent information types are aggregation and critical system functionality. Other factors that can affect the impact level include public information integrity, catastrophic loss of system availability, large interconnecting systems, critical infrastructures and key resources, privacy information, and trade secrets.

Logical (Technical) Controls

Logical or technical controls are software or hardware components used to restrict access. Specific examples of logical controls include firewalls, IDSs, IPSs, encryption, authentication systems, protocols, auditing and monitoring, biometrics, smart cards, and passwords. Although auditing and monitoring are logical controls and are often listed together, they are actually two different controls. Auditing is a one-time or periodic event to evaluate security. Monitoring is an ongoing activity that examines either the system or users.

SP 800-160

NIST SP 800-160 defines the systems security engineering framework. It defines, bounds, and focuses the systems security engineering activities, both technical and nontechnical, toward the achievement of stakeholder security objectives and presents a coherent, well-formed, evidence-based case that those objectives have been achieved. The framework defines three contexts within which the systems security engineering activities are conducted. These are the problem context, the solution context, and the trustworthiness context. The problem context defines the basis for a secure system given the stakeholder's mission, capability, performance needs, and concerns; the constraints imposed by stakeholder concerns related to cost, schedule, risk, and loss tolerance; and other constraints associated with life cycle concepts for the system. The solution context transforms the stakeholder security requirements into system design requirements; addresses all security architecture, design, and related aspects necessary to realize a system that satisfies those requirements; and produces sufficient evidence to demonstrate that those requirements have been satisfied. The trustworthiness context is a decision-making context that provides an evidence-based demonstration, through reasoning, that the system-of-interest is deemed trustworthy based upon a set of claims derived from security objectives.

SP 800-37 Rev. 1

NIST SP 800-37 Rev. 1 defines the tasks that should be carried out in each step of the risk management framework as follows:
Step 1. Categorize information system.
- Task 1-1: Categorize the information system and document the results of the security categorization in the security plan.
- Task 1-2: Describe the information system (including system boundary) and document the description in the security plan.
- Task 1-3: Register the information system with appropriate organizational program/management offices.
Step 2. Select security controls.
- Task 2-1: Identify the security controls that are provided by the organization as common controls for organizational information systems and document the controls in a security plan (or equivalent document).
- Task 2-2: Select the security controls for the information system and document the controls in the security plan.
- Task 2-3: Develop a strategy for the continuous monitoring of security control effectiveness and any proposed or actual changes to the information system and its environment of operation.
- Task 2-4: Review and approve the security plan.
Step 3. Implement security controls.
- Task 3-1: Implement the security controls specified in the security plan.
- Task 3-2: Document the security control implementation, as appropriate, in the security plan, providing a functional description of the control implementation (including planned inputs, expected behavior, and expected outputs).
Step 4. Assess security controls.
- Task 4-1: Develop, review, and approve a plan to assess the security controls.
- Task 4-2: Assess the security controls in accordance with the assessment procedures defined in the security assessment plan.
- Task 4-3: Prepare the security assessment report documenting the issues, findings, and recommendations from the security control assessment.
- Task 4-4: Conduct initial remediation actions on security controls based on the findings and recommendations of the security assessment report and reassess remediated control(s), as appropriate.
Step 5. Authorize information system.
- Task 5-1: Prepare the plan of action and milestones based on the findings and recommendations of the security assessment report excluding any remediation actions taken.
- Task 5-2: Assemble the security authorization package and submit the package to the authorizing official for adjudication.
- Task 5-3: Determine the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation.
- Task 5-4: Determine if the risk to organizational operations, organizational assets, individuals, other organizations, or the nation is acceptable.
Step 6. Monitor security controls.
- Task 6-1: Determine the security impact of proposed or actual changes to the information system and its environment of operation.
- Task 6-2: Assess the technical, management, and operational security controls employed within and inherited by the information system in accordance with the organization-defined monitoring strategy.
- Task 6-3: Conduct remediation actions based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the plan of action and milestones.
- Task 6-4: Update the security plan, security assessment report, and plan of action and milestones based on the results of the continuous monitoring process.
- Task 6-5: Report the security status of the information system (including the effectiveness of security controls employed within and inherited by the system) to the authorizing official and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy.
- Task 6-6: Review the reported security status of the information system (including the effectiveness of security controls employed within and inherited by the system) on an ongoing basis in accordance with the monitoring strategy to determine whether the risk to organizational operations, organizational assets, individuals, other organizations, or the nation remains acceptable.
- Task 6-7: Implement an information system disposal strategy, when needed, which executes required actions when a system is removed from service.

SP 800-53 Rev. 4

NIST SP 800-53 Rev. 4 is a security controls development framework developed by the NIST body of the U.S. Department of Commerce. SP 800-53 Rev. 4 divides the controls into three classes: technical, operational, and management. Each class contains control families or categories. The process in this NIST publication includes the following steps:
1: Select security control baselines.
2: Tailor baseline security controls.
3: Document the control selection process.
4: Apply the control selection process to new development and legacy systems.

Risk Appetite

Risk appetite is the level of risk an organization is prepared to accept. The risk appetite for an organization can only be defined based on the organization's needs, and risk appetites will vary from organization to organization.

Risk Frameworks

Risk frameworks can serve as guidelines to any organization that is involved in the risk analysis and management process.

Physical Controls

Physical controls are implemented to protect an organization's facilities and personnel. Personnel concerns should take priority over all other concerns. Specific examples of physical controls include perimeter security, badges, swipe cards, guards, dogs, mantraps, biometrics, and cabling. When controlling physical entry into a building, security professionals should ensure that the appropriate policies are in place for visitor control, including visitor logs, visitor escort, and limitation of visitors' access to sensitive areas.

Qualitative Risk Analysis

Qualitative risk analysis does not assign monetary and numeric values to all facets of the risk analysis process. Qualitative risk analysis techniques include intuition, experience, and best practice techniques, such as brainstorming, focus groups, surveys, questionnaires, meetings, and interviews. Although all of these techniques can be used, most organizations will determine the best technique(s) based on the threats to be assessed. Experience and education on the threats are needed. Each member of the group who has been chosen to participate in the qualitative risk analysis uses their experience to rank the likelihood of each threat and the damage that might result. After each group member ranks the threat possibility, loss potential, and safeguard advantage, the data is combined in a report to present to management. All levels of staff should be represented as part of the qualitative risk analysis, but it is vital that some participants in this process have some expertise in risk analysis. An advantage of qualitative over quantitative risk analysis is that qualitative analysis prioritizes the risks and identifies areas for immediate improvement in addressing the threats. Disadvantages of qualitative risk analysis are that all results are subjective and that no dollar value is provided for cost-benefit analysis or for budget help. Most risk analysis includes some hybrid use of both quantitative and qualitative risk analyses. Most organizations favor using quantitative risk analysis for tangible assets and qualitative risk analysis for intangible assets.

Recovery

Recovery controls, also known as recovering controls, recover a system or device after an attack has occurred. The primary goal of recovery controls is restoring resources. Examples of recovery controls include disaster recovery plans, data backups, and offsite facilities.

Handling Risk and Risk Response

Risk reduction is the process of altering elements of the organization in response to risk analysis. After an organization understands its total and residual risk, it must determine how to handle the risk. The following four basic methods are used to handle risk:
- Risk avoidance - Terminating the activity that causes a risk or choosing an alternative that is not as risky
- Risk transfer - Passing the risk on to a third party, including insurance companies
- Risk mitigation - Defining the acceptable risk level the organization can tolerate and reducing the risk to that level
- Risk acceptance - Understanding and accepting the level of risk as well as the cost of damages that can occur

Information and Asset (Tangible/Intangible) Value and Costs

Tangible assets include computers, facilities, supplies, and personnel. Intangible assets include intellectual property, data, and organizational reputation. The value of an asset should be considered in respect to the asset owner's view. The following six considerations can be used to determine the asset's value:
- Value to owner
- Work required to develop or obtain the asset
- Costs to maintain the asset
- Damage that would result if the asset were lost
- Cost that competitors would pay for the asset
- Penalties that would result if the asset were lost
After determining the value of the assets, you should determine the vulnerabilities and threats to each asset.

SP 800-60 Vol. 1 Rev. 1

Security categorization is the key first step in the NIST risk management framework. FIPS 199 works with NIST SP 800-60 to identify information types, establish security impact levels for loss, and assign security categorization for the information types and for the information systems, as detailed in the following process:
1: Identify information types.
   a - Identify mission-based information types based on 26 mission areas, including defense and national security, homeland security, disaster management, natural resources, energy, transportation, education, health, and law enforcement.
   b - Identify management and support information based on 13 lines of business, including regulatory development, planning and budgeting, risk management and mitigation, and revenue collection.
2: Select provisional impact levels using FIPS 199.
3: Review provisional impact levels, and finalize impact levels.
4: Assign system security category.
The end result of NIST SP 800-60 Vol. 1 Rev. 1 is security categorization documentation for every information system. These categories can then be used to complete the business impact analysis (BIA), design the enterprise architecture, design the disaster recovery plan (DRP), and select the appropriate security controls.

Controls Assessment, Monitoring, and Measurement

Security control assessments (SCAs) should be used to verify that the security goals of an organization or a business unit are being met. Vulnerability assessments and penetration tests are considered part of this process. If a security control is implemented that does not meet a security goal, this security control is ineffective. Once the assessment has been conducted, security professionals should use the assessment results to determine which security controls have weaknesses or deficiencies. Security professionals should then work to eliminate the weaknesses or deficiencies. Security controls should be monitored to ensure that they are always performing in the way expected. As part of this monitoring, security professionals should review all logs. In addition, performance reports should be run and compared with the performance baselines for all security devices and controls. This allows security professionals to anticipate some issues and resolve them before they become critical. The performance measurements that are taken should be retained over time. New baselines need to be captured if significant events or changes occur. For example, if you add 200 new users who will need authentication, you need to capture new authentication baselines to ensure that authentication can still occur in a timely manner. In addition, if you change an authentication setting, such as implementing an account lockout policy, you should monitor the effect that the setting has on performance and security.

Risk Management Policy

Senior management must commit to the risk management process. The risk management policy is a formal statement of senior management's commitment to risk management. The policy also provides risk management direction. A risk management policy must include the overall risk management plan and list the risk management team and must specifically list the risk management team's objectives, responsibilities and roles, acceptable level of risk, risk identification process, risk and safeguards mapping, safeguard effectiveness, monitoring process and targets, and future risk analysis plans and tasks.

Annual loss expectancy (ALE)

The ALE is the expected monetary loss from a given threat over one year. To determine the ALE, you must know the SLE and the annualized rate of occurrence (ARO). The ARO is the estimate of how often a given threat is expected to occur in a year; it can be below 1 (for example, 0.1 for an event expected once in ten years) or above 1 (several occurrences per year). The calculation for obtaining the ALE is as follows:
ALE = SLE × ARO
Using the web server farm example from the SLE entry (SLE = $5,000), if the risk assessment has determined that the ARO for a power failure of the web server farm is 50% (0.5), the ALE for this event equals $5,000 × 0.5 = $2,500. Security professionals should keep in mind that the ARO varies by geographical location. For example, a DNS server located in a small town may have a higher risk of power outage than one in a large city. Using the ALE, the organization can decide whether to implement controls. If the annual cost of the control to protect the web server farm is more than the ALE, the organization could reasonably choose to accept the risk and not implement the control. If the annual cost of the control is less than the ALE, the organization should consider implementing the control.

Open Source Security Testing Methodology Manual (OSSTMM)

The Institute for Security and Open Methodologies (ISECOM) published OSSTMM, which was written by Pete Herzog. This manual covers the different kinds of security tests of physical, human (processes), and communication systems, although it does not cover any specific tools that can be used to perform these tests. It defines five risk categorizations: vulnerability, weakness, concern, exposure, and anomaly. Once a risk is detected and verified, it is assigned a risk assessment value.

NIST Framework for Improving Critical Infrastructure Cybersecurity

The NIST Framework for Improving Critical Infrastructure Cybersecurity provides a cybersecurity risk framework. The framework is based on five framework core functions:
1: Identify (ID): Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
2: Protect (PR): Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
3: Detect (DE): Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
4: Respond (RS): Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
5: Recover (RC): Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Within each of these functions, security professionals should define cybersecurity outcomes closely tied to organizational needs and particular activities. Each category is then divided into subcategories that further define specific outcomes of technical and/or management activities.

Single loss expectancy (SLE)

The SLE is the monetary impact of a single threat occurrence. To determine the SLE, you must know the asset value (AV) and the exposure factor (EF). The EF is the percentage of the asset's value or functionality that will be lost when a threat event occurs. The calculation for obtaining the SLE is as follows:
SLE = AV × EF
For example, an organization has a web server farm with an AV of $20,000. If the risk assessment has determined that a power failure is a threat to the web server farm and the exposure factor for a power failure is 25%, the SLE for this event equals $20,000 × 0.25 = $5,000.

Countermeasure (Safeguard) Selection

The criteria for choosing a safeguard are the cost-effectiveness of the safeguard or control, compliance requirements, or contractual obligations. Planning, design, implementation, and maintenance costs must all be included in the total cost of a safeguard. To perform a cost-benefit analysis, use the following equation:
(ALE before safeguard) - (ALE after safeguard) - (Annual cost of safeguard) = Safeguard value
To complete this equation, you have to know the revised ALE after the safeguard is implemented. Implementing a safeguard can lower the ARO but will not reduce it to zero. In the example mentioned earlier, the ALE for the event is $2,500. Assume that implementing the safeguard reduces the ARO to 10%, so the ALE after the safeguard is $5,000 × 0.1 = $500. You could then calculate the safeguard value for a control that costs $1,000 per year as follows:
$2,500 - $500 - $1,000 = $1,000
Knowing the corrected ARO after the safeguard is implemented is necessary for determining the safeguard value. A positive safeguard value means the control pays for itself; a negative value means the organization spends more on the control than it saves. Note also that a legal liability (failure of due care) can exist if a safeguard costs less than the estimated loss from the threat and the organization chooses not to implement it. The cost of a safeguard must include the actual cost to implement plus any training costs, testing costs, labor costs, and so on.
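The SLE, ALE, and safeguard-value calculations from the entries above, carried through in code. This is an added example and not part of the original study set: the functions, the `Safeguard` class, and the split of costs into one-time and recurring parts (so that planning, implementation, and training costs are amortized over the control's lifetime, as the text says they must be counted) are assumptions made here. The first candidate reproduces the page's numbers ($20,000 web server farm, EF 25%, ARO 50%, a $1,000/year control lowering the ARO to 10%); the other two candidates are constructed for comparison.

```python
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction (0..1) of the asset's value lost in one occurrence."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO may be below 1 (once in several years) or above 1 (several times a year)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control (assumed structure; the page only gives an annual cost)."""
    name: str
    aro_after: float            # residual ARO once the safeguard is in place
    one_time_cost: float = 0.0  # planning, design, implementation, training, testing
    annual_cost: float = 0.0    # licences, maintenance, labour
    lifetime_years: int = 1     # years over which the one-time cost is spread

    def annualized_cost(self) -> float:
        return self.one_time_cost / self.lifetime_years + self.annual_cost


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """(ALE before safeguard) - (ALE after safeguard) - (annual cost of safeguard)."""
    return ale_before - ale_after - annual_cost


def evaluate_safeguards(asset_value, exposure_factor, aro_before, candidates):
    """Score every candidate against the same asset and return them best-first."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale_before = annual_loss_expectancy(sle, aro_before)
    rows = []
    for sg in candidates:
        if sg.aro_after > aro_before:
            raise ValueError(f"{sg.name}: a safeguard must not raise the ARO")
        ale_after = annual_loss_expectancy(sle, sg.aro_after)
        cost = sg.annualized_cost()
        value = safeguard_value(ale_before, ale_after, cost)
        rows.append({
            "safeguard": sg.name,
            "sle": sle,
            "ale_before": ale_before,
            "ale_after": ale_after,
            "annual_cost": cost,
            "value": value,
            # Decision rule from the ALE entry: a control that costs more per year
            # than the ALE it addresses is a candidate for risk acceptance instead.
            "recommend": cost < ale_before and value > 0,
        })
    rows.sort(key=lambda r: r["value"], reverse=True)
    return rows


# The page's worked numbers: web server farm AV $20,000, EF 25%, ARO 50%.
WEB_FARM = dict(asset_value=20_000, exposure_factor=0.25, aro_before=0.5)

# The first candidate is the page's $1,000/year control (ARO 50% -> 10%);
# the other two are constructed for this example.
CANDIDATES = [
    Safeguard("UPS maintenance contract", aro_after=0.10, annual_cost=1_000),
    Safeguard("Second power feed", aro_after=0.05,
              one_time_cost=6_000, annual_cost=200, lifetime_years=3),
    Safeguard("Relocate to tier IV colocation", aro_after=0.02,
              one_time_cost=30_000, annual_cost=4_000, lifetime_years=5),
]

if __name__ == "__main__":
    for row in evaluate_safeguards(**WEB_FARM, candidates=CANDIDATES):
        print(f"{row['safeguard']:<32} ALE {row['ale_before']:>8,.0f} -> {row['ale_after']:>6,.0f}"
              f"  cost/yr {row['annual_cost']:>8,.0f}  value {row['value']:>8,.0f}"
              f"  {'implement' if row['recommend'] else 'accept risk'}")
```

Running the script prints the page's control with a value of $1,000, the second feed with a small positive value, and the colocation move with a negative value that would normally lead to accepting the residual risk rather than paying for the control.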

SP 800-39

The purpose of NIST SP 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the nation resulting from the operation and use of federal information systems. NIST SP 800-39 defines three tiers in an organization:
- Tier 1 is the organization view, which addresses risk from an organizational perspective by establishing and implementing governance structures that are consistent with the strategic goals and objectives of organizations and the requirements defined by federal laws, directives, policies, regulations, standards, and missions/business functions.
- Tier 2 is the mission/business process view, which designs, develops, and implements mission/business processes that support the missions/business functions defined at Tier 1.
- Tier 3 is the information systems view, which includes operational systems, systems under development, systems undergoing modification, and systems in some phase of the system development life cycle.
The risk management process involves the following steps:
1: Frame risk
2: Assess risk
3: Respond to risk
4: Monitor risk

Risk Analysis Team

The risk analysis team must consist of a representative from as many departments and as many employment levels as possible. Having a diverse risk analysis team ensures that risks from all areas of the organization can be determined. If the risk analysis team cannot contain members from all departments, the members must interview each department to understand all the threats encountered by that department. During the risk analysis process, the risk analysis team should determine the threat events that could occur, the potential impact of the threats, the frequency of the threats, and the level of confidence in the information gathered.

Risk Management Team

The team's goal is to protect the organization and its assets from risk in the most cost-effective way. Because in most cases the risk management team members are not dedicated solely to risk management, senior management must specifically put a resource allocation measure in place to ensure the success of the risk management process. Management must also ensure that the members of the risk management team, particularly the team leader, are given the necessary training and tools for risk management. In larger organizations, the team leader should be able to dedicate the majority of their time to the risk management process.

Asset and Asset Valuation - Continued

There are three basic elements used to determine an asset's value:
- The initial and ongoing cost for purchasing, licensing, developing, and maintaining the physical or information asset
- The asset's value to the enterprise's operations
- The asset's value established on the external marketplace and the estimated value of the intellectual property
Many organizations will also factor in additional elements, including the following:
- Value of the asset to adversaries
- Cost to replace the asset if lost
- Operational and productivity costs incurred if the asset is unavailable
- Liability issues if the asset is compromised
No matter which elements are used to determine asset valuation, it is important that this information is documented. When new assets are acquired, they should be documented and assessed and added to the risk management plan. In addition, organizations should reassess assets and their value to the organization at least annually.

Security Concept Cycle

Threat agent (discovers) > Threat (exploits) > Vulnerability (develops) > Risk (damages) > Asset (causes) > Exposure (needs) > Safeguard (affects) > Threat agent

NIST

To comply with the federal standard, organizations first determine the security category of their information system in accordance with Federal Information Processing Standard (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, derive the information system impact level from the security category in accordance with FIPS Publication 200, and then apply the appropriately tailored set of baseline security controls in NIST Special Publication 800-53 Rev. 4. The NIST risk management framework includes the following steps:
1: Categorize information systems.
2: Select security controls.
3: Implement security controls.
4: Assess security controls.
5: Authorize information systems.
6: Monitor security controls.
These steps draw on different NIST publications, including FIPS 199, SP 800-60, FIPS 200, SP 800-53 Rev. 4, SP 800-160, SP 800-53A Rev. 4, SP 800-37, and SP 800-137.

Identify Threats and Vulnerabilities

When determining vulnerabilities and threats to an asset, considering the threat agents first is often easiest. Threat agents can be grouped into the following six categories:
- Human - Includes both malicious and non-malicious insiders and outsiders, terrorists, spies, and terminated personnel
- Natural - Includes floods, fires, tornadoes, hurricanes, earthquakes, or other natural disasters or weather events
- Technical - Includes hardware and software failure, malicious code, and new technologies
- Physical - Includes CCTV issues, perimeter measures failure, and biometric failure
- Environmental - Includes power and other utility failure, traffic issues, biological warfare, and hazardous material issues (such as spillage)
- Operational - Includes any process or procedure that can affect CIA
When the vulnerabilities and threats have been identified, the loss potential for each must be determined. This loss potential is determined by combining the likelihood of the event with the impact that such an event would cause. An event with a high likelihood and a high impact is given more importance than an event with a low likelihood and a low impact. Different types of risk analysis, including quantitative and qualitative risk analysis, should be used so that the most is made of the data obtained.
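The likelihood-and-impact ranking described here, and the aggregation of individual participants' rankings into a management report described in the qualitative risk analysis entry earlier, as one added example that is not part of the original study set. The three-level scales, the 3x3 risk matrix, the use of the higher median so that split opinions round toward the more cautious rating, and the participant responses are all assumptions constructed for this example.

```python
from collections import defaultdict
from statistics import median_high

# Ordinal scales (assumed here; organizations define their own).
LEVELS = {"low": 1, "medium": 2, "high": 3}


def risk_level(likelihood: int, impact: int) -> str:
    """3x3 risk matrix: the product of the two ordinal scores mapped to a level.
    high x high = 9, high x medium = 6 -> high; medium x medium = 4,
    low x high = 3 -> medium; everything else -> low."""
    score = likelihood * impact
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def aggregate_rankings(responses):
    """Combine per-participant rankings into one prioritized list.

    responses: iterable of (participant, threat, likelihood_label, impact_label).
    median_high is used so a single outlier does not dominate and ties
    resolve to the more cautious (higher) rating.
    """
    likelihoods = defaultdict(list)
    impacts = defaultdict(list)
    for _participant, threat, lik, imp in responses:
        likelihoods[threat].append(LEVELS[lik])
        impacts[threat].append(LEVELS[imp])

    report = []
    for threat in likelihoods:
        lik = median_high(likelihoods[threat])
        imp = median_high(impacts[threat])
        report.append({
            "threat": threat,
            "likelihood": lik,
            "impact": imp,
            "score": lik * imp,
            "level": risk_level(lik, imp),
            "responses": len(likelihoods[threat]),
        })
    # Highest score first; ties broken by impact so the costlier event leads.
    report.sort(key=lambda r: (r["score"], r["impact"]), reverse=True)
    return report


# Constructed survey results from three participants (not from the page).
RESPONSES = [
    ("alice", "ransomware", "high", "high"),
    ("bob",   "ransomware", "high", "medium"),
    ("carol", "ransomware", "medium", "high"),
    ("alice", "power outage", "medium", "low"),
    ("bob",   "power outage", "medium", "medium"),
    ("carol", "power outage", "low", "low"),
    ("alice", "insider data theft", "low", "high"),
    ("bob",   "insider data theft", "medium", "high"),
    ("carol", "insider data theft", "low", "high"),
]

if __name__ == "__main__":
    for row in aggregate_rankings(RESPONSES):
        print(f"{row['level']:<7} {row['threat']:<20} "
              f"L={row['likelihood']} I={row['impact']} (n={row['responses']})")
```

The output is the prioritized list management sees: ransomware (high), insider data theft (medium, driven by its impact despite low likelihood), and power outage (low). Because the inputs are ordinal, the scores are only a ranking; they cannot be fed into the cost-benefit formula the way an ALE can.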

Control Types

Whereas the access control categories classify access controls based on where they fit in time, access control types divide access controls by their method of implementation. The three types of access controls are:
- Administrative (management) controls
- Logical (technical) controls
- Physical controls
In any organization where defense in depth is a priority, access control requires the use of all three types of access controls. Even if you implement the strictest physical and administrative controls, you cannot fully protect the environment without logical controls.

Control Categories

You implement access controls as a countermeasure to identified vulnerabilities. Access control mechanisms that you can use are divided into seven main categories:
- Compensative
- Corrective
- Detective
- Deterrent
- Directive
- Preventive
- Recovery
Any access control that you implement will fit into one or more access control categories. Note: Access controls are also defined by the type of protection they provide.

Reporting and Continuous Improvement

Quality improvement commonly uses a four-step quality model known as Deming's Plan-Do-Check-Act cycle. These are the steps in this cycle:
- Plan - Identify an area for improvement and make a formal plan to implement it.
- Do - Implement the plan on a small scale.
- Check - Analyze the results of the implementation to determine whether it made a difference.
- Act - If the implementation made a positive change, implement it on a wider scale. Continuously analyze the results.
Other similar guidelines include Six Sigma, Lean, and Total Quality Management. No matter which of these an organization uses, the result should be a continuous cycle of improvement organization-wide.
