
IST 335, #64300 - Consolidation 1: Risk Management & Information Security Concepts


Columns: Item Short Title | Key Point (What?) | Basis for Selection (Why?)

Overall Comments: Good job for the first attempt. All were in on time, and I believe you have done a pretty fair job of touching on major points. I did add a couple of items at the tail end.
Administrative note: I have set the table properties to NOT allow rows to break over a page. This makes the document more readable, but does cost you paper if printing. Feel free to change if you like.
Item: CIA Triad
Key Point (What?): The CIA Triad has three parts. Availability (access to data/computing systems is reliable and timely), confidentiality (no intentional or unintentional disclosure of information) and integrity (no unauthorized modifications to systems/data. Data is internally and externally consistent).
Basis for Selection (Why?): The CIA Triad is well known because it is a security concept that covers more than one front. It makes sure there is no disclosure of information. It makes sure that only authorized modifications can be made, as well as that the system is reliable and running at all times. It is important to defend against threats on these fronts because hackers are always after the systems that this covers, but are unable to get inside and see or change anything.

Item: CIA Triad
Key Point (What?): Confidentiality, availability and integrity are key points in security controls.
Basis for Selection (Why?): To keep a good defense against threats, there must be no intentional or unintentional disclosure of information; no unauthorized changes to the systems, which must remain consistent; and we need to make sure the access to the data and systems is reliable and timely.

Comment: My slide is misleading (and now fixed). It's missing the word unauthorized in the confidentiality discussion. Information would not be very useful if it could not be disclosed to anyone! That is akin to an old joke regarding highly classified information: Burn Before Reading. So what we really mean is no disclosure to an unauthorized party.

Comment: Really not much to add other than to agree with your choice. These really are foundational concepts for information security. Without all three, an organization would have to be considered NOT secured. Even with them, we know that the notion of security is fleeting, with threats ever changing. So, the technical and other controls in place to protect the organization and ensure those three goals must be dynamic as well.

Item: Defense in Depth
Key Point (What?): The term defense in depth is used to describe a layered defense that utilizes two or more methods of defense in protecting an asset. This strategy is characterized by heterogeneity and entire protection, which attempt to avoid leaving any asset vulnerable to a single form of attack, and an effective defense that, if broken, will not cause failure in subsequent layers of defense.
Basis for Selection (Why?): It is important to understand the specific elements of effective security controls, and why they are relevant to protecting an asset. Defense in depth is a universally important characteristic of a competent defense strategy, and the components of defense in depth are relevant in all aspects of information security.

Comment: Another important concept and one to which we'll refer regularly throughout the semester. The layers of defenses should be redundant and heterogeneous (big word for varied!). Each should protect against a specific threat or threats. Think broadly: technical, process, administrative, etc. The goal is to provide redundant protections to avoid the chance that a single vulnerability, a single malfunction, or a fail open (see added comments at the end of the consolidation) can render the entire system vulnerable.

Item: Executive Support
Key Point (What?): Top-management should lead by example, using action to create a security conscious environment.
Basis for Selection (Why?): Policies and programs cannot be taken seriously until top-management leads by example. Displaying prioritization of procedure allows others to understand the importance of policies for the organization's security.

Comment: This is one element, an important one, of executive support. Priorities, policies, and resourcing are critically important as well.

Item: Heterogeneity
Key Point (What?): Creating the best possible security situation requires both heterogeneity and completeness of each defense layer.
Basis for Selection (Why?): Layering different defense measures that support each other in different ways allows the company to be protected from singular vulnerabilities and malfunctions that could compromise the entire system.

Comment: See defense in depth comment earlier.

Item: Human threat
Key Point (What?): A large portion of security breaches are due to accidental, not necessarily malicious, violations of protocol (e.g. using 12345 as a password).
Basis for Selection (Why?): Understanding and anticipating the human element is vital to effective security. Without this, every system is vulnerable, no matter the craft.

Comment: Although, some human issues can be addressed technically. The example you provide can be thwarted with a password strength requirement, but your overall point is great. People can be a huge weakness or a first line of defense. Appropriate policies, good implementing processes, communication, and strong leadership make all the difference.

Item: Outsourcing
Key Point (What?): Outsourcing is turning over responsibility of some or all of an organization's information systems applications and operations to an outside firm.
Basis for Selection (Why?): Outsourcing is becoming more and more common. It affects everyone in the working industry. It also opens the doors to increased risks, because more people have access to confidential information. Accountability is also more important to firms that use outsourcing.

Item: Outsourcing
Key Point (What?): Having an outside firm take over a part of your business. For example, having a separate firm do your payroll system.
Basis for Selection (Why?): Outsourcing is becoming more relevant with a growing need for companies to outsource due to limited resources. Outsourcing is a concern for security because a company has to analyze the security measures the other firms are taking to protect their data. Not only that, companies have to take into account where these firms are based in terms of the country. If they are based in a country where they are prone to many hacks, then proper security measures have to be taken.

Comment: From a security perspective, it's important to recognize the added challenges this outsourcing can present. Varying cultures, organizational and (with offshoring) national practices, etc. can pose problems. The topic of managing such relationships is too broad to discuss here, but service level agreements (SLAs), the contractual vehicles that will often be used to specify service expectations, address security issues: practices, incident response/reporting, audits and accessibility, and the like.

Item: Personnel Security
Key Point (What?): Personnel Security is focused on reducing the risk of danger or threat posed by people within an organization.
Basis for Selection (Why?): The personnel within an organization are given access to systems that contain sensitive information. Organizations rely on these systems for key business processes. Hiring practices, training and termination procedures help in ensuring that organizations mitigate personnel risks.

Item: Personnel/Staffing
Key Point (What?): How you go about hiring, work practices, and termination are important factors of risk management.
Basis for Selection (Why?): When hiring someone, it is important to take certain procedures. You need to do a qualification assessment, background verifications, and other things to make sure you have the right person that won't commit any unethical actions or be a liability to the company. Once hired, it is important to place some internal controls, such as separation of duties, job rotation, and mandatory vacations. When terminating an employee, it may be important to just cut your losses and release them immediately, revoking any passwords or access rights, rather than giving them their 2 weeks, which could give them the opportunity to possibly sabotage the company.

Comment: We'll touch on this again when we discuss management of authorization in the access security block, but it's important to tie any HR move to appropriate corresponding changes in authorizations. Probably the worst case mismanagement is failure to change privileges (delete them) in the case of termination.
More broadly, though, screening to hire the right kind of employee, care in selecting managers for leadership skills (not longevity, talented at doing, etc.), mentoring/training staff, and other management responsibilities are important as well.

Item: Privacy
Key Point (What?): Privacy is the freedom from unauthorized intrusions and is within the scope of the confidentiality concept.
Basis for Selection (Why?): When charged with the security of PII, confidentiality is key. For example, leakage of PII could adversely affect the corresponding individual. To prevent such consequences, privacy is often protected by law as well as incentivized by the market.

Comment: You bet! Privacy is protected by a number of statutes and regulations at federal, state, and local levels and internationally as well. Beyond that, though, an organization that collects personally identifiable information (PII) arguably has an ethical responsibility to protect it, and, as compromises at major retailers (Target, Home Depot, TJ Maxx, etc.) have shown, market forces also demand appropriate protections. Those who don't do so can suffer in the marketplace.

Item: Qualitative Risk Assessment
Key Point (What?): Occurs with a pre-defined scope of assets or activities. Assets can consist of software applications, information systems, business equipment, or buildings. Activities may consist of activities carried out by an individual, group, or department.
Basis for Selection (Why?): A qualitative risk assessment will typically identify a number of characteristics about an asset or activity, including the following:
Vulnerabilities - These are weaknesses in design, configuration, documentation, procedure, or implementation.
Threats - These are potential activities that would exploit specific vulnerabilities.
Threat probability - An expression of the likelihood that a specific threat will be carried out.
Countermeasures - The actual or proposed measures that reduce the risks associated with vulnerabilities or threats.

Item: Qualitative Risk Management
Key Point (What?): Identifying the scope of assets and activities that may be at risk or that may generate risks themselves.
Basis for Selection (Why?): Knowing which assets and activities are either at risk or generate risk themselves allows them to be examined for vulnerabilities, threats that could be exploited, and the impact of these occurrences. Once this is known, preemptive countermeasures can be used to protect the company.

Comment: Many times a qualitative approach is completely sufficient. Knowledgeable individuals will subjectively assess risks, controls, and such, although a number of methods and approaches exist to provide structure and a degree of objectivity to their judgments.
Numbers, per se, do not make an approach quantitative. If assigned subjectively, the approach is still qualitative. For example, two elements of a qualitative assessment are probability and impact. A given risk might be assigned a probability of .7, for example, but, if assigned subjectively, the method is still qualitative. Similarly, planners might rate the impact of a given risk as 6 on a 1-10 scale, but, if assigned subjectively, the approach is still qualitative. Organizations may sometimes create a rubric or guidelines to help add a degree of objectivity to such subjective judgments.

Item: Quantitative Risk Assessment
Key Point (What?): A quantitative risk assessment is an objective method of measuring the risk that faces an asset. The method measures the current risk an owner is exposed to by prorating the complete current value of his asset to the percentage chance that the particular asset faces loss.
Basis for Selection (Why?): This assessment is more valuable than a qualitative risk assessment because it provides a quantifiable answer. That is to say, that there is a mathematically correct solution when analyzing risk mitigation options. This is particularly valuable because the alternative option (qualitative risk assessment) is less structured and more subjective.

Comment: I'd avoid the thought of a superior-inferior relationship and rather think of quantitative assessment as an extension of qualitative. One might qualitatively identify and assess a possible risk, but then add the greater rigor of quantitative calculations if appropriate.
A number of quantitative approaches to risk assessment exist* besides the calculations in this chapter:
Asset Value x Exposure Factor (EF) = Single Loss Expectancy (SLE)
SLE x Annualized Rate of Occurrence (ARO) = Annual Loss Expectancy (ALE)
These do offer some insights for managers, though, and resulting management actions can influence the ALE positively by addressing individual factors. Lower cost assets and/or a reduced exposure factor (perhaps as a result of mitigating controls) can reduce SLE, thereby decreasing ALE. Efforts to reduce ARO, again, alone or in conjunction with SLE reduction, can also reduce ALE. For example, the organization may revise processes to make damage to equipment less likely.
(* Students from IST 410 last semester may recall, I hope, discussions of expected monetary value, Monte Carlo simulations, and sensitivity analysis of risk factors.)
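A worked calculation of the SLE and ALE formulas in the comment above, comparing the two management levers it describes (a mitigating control that lowers EF, a process change that lowers ARO, and both together) by annual net benefit. This is an added example, not part of the consolidation; the server value, exposure factors, occurrence rates and control costs are constructed sample figures.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor (EF); EF is the fraction of value lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x Annualized Rate of Occurrence (ARO); ARO is expected events per year."""
    if aro < 0.0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return round(sle * aro, 2)


@dataclass(frozen=True)
class Control:
    """A candidate countermeasure; None leaves the corresponding factor unchanged."""
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None  # mitigating control lowers EF
    new_aro: Optional[float] = None              # process change lowers ARO


@dataclass(frozen=True)
class ControlResult:
    name: str
    ale_after: float
    annual_savings: float   # ALE before minus ALE after
    net_benefit: float      # annual savings minus the control's annual cost


def evaluate_controls(asset_value: float, exposure_factor: float, aro: float,
                      controls: List[Control]) -> Tuple[float, List[ControlResult]]:
    """Return the current ALE and each control's effect, best net benefit first."""
    ale_before = annual_loss_expectancy(single_loss_expectancy(asset_value, exposure_factor), aro)
    results = []
    for control in controls:
        ef = exposure_factor if control.new_exposure_factor is None else control.new_exposure_factor
        rate = aro if control.new_aro is None else control.new_aro
        ale_after = annual_loss_expectancy(single_loss_expectancy(asset_value, ef), rate)
        savings = round(ale_before - ale_after, 2)
        results.append(ControlResult(control.name, ale_after, savings,
                                     round(savings - control.annual_cost, 2)))
    # A control whose cost exceeds its savings has a negative net benefit and sorts last.
    results.sort(key=lambda r: r.net_benefit, reverse=True)
    return ale_before, results


# Constructed scenario (not from the consolidation): a $50,000 server, a fire is
# assumed to destroy 60% of its value, and is expected once in ten years (ARO 0.1).
SERVER_VALUE = 50_000.0
FIRE_EF = 0.6
FIRE_ARO = 0.1
CONTROLS = [
    Control("fire suppression", annual_cost=500.0, new_exposure_factor=0.2),
    Control("revised handling process", annual_cost=200.0, new_aro=0.05),
    Control("fire suppression + revised process", annual_cost=700.0,
            new_exposure_factor=0.2, new_aro=0.05),
]

if __name__ == "__main__":
    before, ranked = evaluate_controls(SERVER_VALUE, FIRE_EF, FIRE_ARO, CONTROLS)
    print(f"current ALE: ${before:,.2f}")
    for r in ranked:
        print(f"{r.name}: ALE ${r.ale_after:,.2f}, saves ${r.annual_savings:,.2f}, "
              f"net ${r.net_benefit:,.2f}/yr")
```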

Item: Residual Risk
Key Point (What?): Any risk that is left over after treatment.
Basis for Selection (Why?): Residual risk is critical because a company has to take into account any risk that remains even after treatment. Sometimes these risks are not evident until after treatment is completed. So the company has to be aware of the fact that they will not be 100% protected even after treatment, as they might think so in the beginning. Sometimes these risks can be identified in the beginning and the treatment can be modified to reduce residual risk.

Item: Residual Risk and Secondary Risk
Key Point (What?): Residual risk is any risk that remains after any treatment, and secondary risk is risk that's created in direct relation to preventing/controlling another risk.
Basis for Selection (Why?): There is a difference in the two types of risk in that with secondary risk a new risk will arise from trying to prevent an initial risk, and residual risk is risk left over from trying to control the risk. It is important to consider both of these because when trying to control or remove a risk, actions or back up plans should be set in order to deal with the residual and secondary risk.

Comment: Well said. A point of emphasis, not a criticism of your input: BE CAREFUL TO AVOID READING THE WRONG NOTION OR MEANING INTO SECONDARY RISK. This sort of risk is secondary only in terms of timing. It does not exist until implementation of a control for a primary risk, one identified in the initial risk assessment. It is NOT meant to imply the risk is secondary in IMPORTANCE. This is an erroneous notion that I see from time to time.

Item: Risk Management
Key Point (What?): Understanding the risk associated with a certain activity. Two types:
1. risk assessment, or what might affect me?
2. risk management, or what will I do about it?
Basis for Selection (Why?): Risk management is important to ensure a company is taking proper precautions when engaging in activities to ensure their assets and intellectual property remain secure.

Item: Risk Management
Key Point (What?): There is no person or organization that can fully eliminate risk, but can only manage it.
Basis for Selection (Why?): Threats are forever evolving, so risk management and controls must continue to grow as well. It's necessary to identify the assets and activities that may be at risk or generate risks. We need to find the vulnerabilities, threats, impacts of these breaches, and the probability that they can occur.

Comment: Inputs are a bit brief, but the concept that you manage risk because you can't eliminate it is an important one. Different organizations view risk differently, so various definitions of what is acceptable will exist. In essence, though, risk management involves the following steps:
1. Identify the risks posed to the organization's assets (human, capital, reputational, etc.; think broadly) OR generated by the nature of the organization's operations.
2. Assess the likelihood of occurrence and impact of each.
3. Identify possible controls (of various types) for each.
4. Determine which controls will reduce the risk/impact to an acceptable level.
5. Implement such controls well and keep them current.
6. Consider any secondary risks created by those controls, and control for those if possible.
7. Develop contingency plans (discussed later this semester) for any risks that remain.

Item: Risk Treatments / Responses
Key Point (What?): There are four responses to risk, those being acceptance (live with risk), avoidance (prevent risk), reduction (lessen results of risk), and transfer (move risk to another, e.g. insurance).
Basis for Selection (Why?): The response to risk will vary, depending on how much of a loss would be expected if accepting the risk. It's important to note that while one response may work for a certain company, it may not be the best option for another.

Comment: You might see some other, synonymous terms:
1. Risk avoidance or prevention
2. Risk reduction/mitigation
3. Risk acceptance
4. Risk transfer
As an aside and not really mentioned in class (in this course), you'll find that many treatments of risk broaden the thought of something bad possibly occurring to something occurring, good or bad. The good would be a positive risk or opportunity. An organization that anticipates opportunities might be better positioned to take advantage of them. With regard to positive risk or opportunities, an organization can:
1. Exploit the opportunity
2. Enhance the opportunity
3. Share the opportunity
4. Simply accept the opportunity, that is, do nothing. Just let it happen.

Item: Role of the Security Function
Key Point (What?): It's important to have security built into the things we do because it's easier to prevent a problem than it is to pick up the pieces after a problem/security breach has occurred.
Basis for Selection (Why?): The first step in building security around the organization is to locate where the problems might occur - such as the organization's investments and the things they do that may pose risk for the employees/corporation and people outside the corporation. Once identified, the next step is to have appropriate controls. Additionally, there needs to be a leadership style where the employees are told what is expected from them and also WHY they're supposed to do that certain thing in that specific manner. Doing so makes it possible so that the staff is less likely to break the rules and protocol.

Comment: We'd prefer that the security elements in an organization be well versed in the vision, mission, and strategic objectives of the organization, hopefully allowing them to influence policy development in ways that enhance security and/or position them to be better able to understand where the risks to the organization might lie, how they might affect the organization, and so forth.
Security measures are much more likely to be effective if designed into the policies and practices of the organization. Those added as an afterthought or, regretfully, in reaction to an adverse event are likely to be more challenging and, possibly, expensive to implement and sometimes less effective.
With regard to the bolded statement above (the leadership style in which employees are told what is expected and why), I agree that this style is important, very much so. I believe, though, that it cannot be tied to the security function. It is more appropriately the purview of every level of management and, hopefully, in a peer-to-peer supportive culture.

Item: Security Controls
Key Point (What?): Security controls are safeguards that provide a certain degree of protection from potential threats to personal or business property. The controls that are put in place attempt to minimize threat or damage.
Basis for Selection (Why?): While there are many different forms of security controls that can be placed upon a system in order to mitigate risk, it is important to understand that these controls cannot completely eliminate risk. The main goals of the controls are to detect, deter, prevent, or correct against potential threats. It is important to note that this sense of security is built on the foundation of confidentiality, integrity, availability.

Item: Security Controls
Key Point (What?): Different mechanisms to ensure your tangible and intangible assets are being protected or corrected.
Basis for Selection (Why?): From a business perspective, these controls are very important to have in place. Different controls help prevent fraud, detect wrongdoings, and can have corrective features. If these types of internal controls are not in place, the business will not be operating for very long.

Comment: We'll discuss controls of various types in the course: preventive, mitigating, corrective, administrative, compensating, etc. A given control can fall into more than one category.

Item: Single Point Failure
Key Point (What?): When a single flaw in the system causes a complete crash in the system.
Basis for Selection (Why?): Single point failure is something to look out for and to identify before the system is implemented. Once these flaws are identified, the company can set up preventative measures to avoid a complete system failure. Another critical point about single point failure is that people can cause the whole system to fail. It's crucial for the company to have a check and balance system as a preventative measure.

Item: Single Point of Failure
Key Point (What?): Single point of failure is a characteristic of a system where a single component can cause an entire system to fail.
Basis for Selection (Why?): Single point of failure is often overlooked and can be taken for granted; however, it is something that can inhibit the integrity of an entire system. It's important for organizations to have multiple layers of protection and preemptive procedures in order to assure that a single point of failure does not happen.

Comment: Clearly a major issue when assessing risk, as this ups the likely impact level of a failure.
While the text focuses on SYSTEMS, I think it useful when considering risk to extend the concept to staff. An organization places itself at risk by allowing one-deep staffing, especially in key positions. This can be more prevalent in small to mid-sized businesses (SMBs).

<Added>
Item: Failure Modes
Key Point (What?):
Fail safe: Blocks/denies all.
Fail open: Allows/permits all.
Fail soft: Middle ground. Shutting down some activities to allow priority support for other, more critical activities/systems.
Basis for Selection (Why?): A risk assessment will want to consider the failure modes of an organization's systems to accurately determine risk levels.
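The three failure modes above, shown as an added example (not part of the consolidation) on an access check whose policy backend becomes unreachable: fail safe denies everything, fail open lets every request through (the case the defense in depth comment warns can render the entire system vulnerable), and fail soft keeps only a named set of critical activities running. The principals, actions and the critical-action list are constructed sample values; decisions taken while degraded are recorded so the period can be reviewed afterwards.

```python
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple

PolicyFn = Callable[[str, str], bool]  # (principal, action) -> allowed?


class FailureMode(Enum):
    FAIL_SAFE = "fail_safe"  # backend down: block/deny all
    FAIL_OPEN = "fail_open"  # backend down: allow/permit all
    FAIL_SOFT = "fail_soft"  # backend down: only priority activities continue


class PolicyUnavailable(Exception):
    """Raised when the policy decision point cannot be reached."""


class AccessGate:
    """Enforces a policy and applies a configured failure mode when the policy cannot answer."""

    def __init__(self, policy: PolicyFn, mode: FailureMode, critical_actions: Set[str]):
        self.policy = policy
        self.mode = mode
        self.critical_actions = critical_actions
        # Every decision made while degraded, for the risk assessment and incident review.
        self.degraded_log: List[Tuple[str, str, str]] = []

    def decide(self, principal: str, action: str) -> bool:
        try:
            return self.policy(principal, action)
        except PolicyUnavailable:
            if self.mode is FailureMode.FAIL_SAFE:
                allowed = False
            elif self.mode is FailureMode.FAIL_OPEN:
                allowed = True  # every request succeeds, including ones policy would deny
            else:
                allowed = action in self.critical_actions  # fail soft: priority work only
            self.degraded_log.append((principal, action, "allow" if allowed else "deny"))
            return allowed


# Constructed sample permissions, requests and critical-action list (hypothetical values).
PERMISSIONS: Dict[str, Set[str]] = {
    "alice": {"read_dashboard"},
    "ops": {"read_dashboard", "emergency_shutdown"},
}
REQUESTS = [("alice", "read_dashboard"), ("mallory", "export_customer_db"),
            ("ops", "emergency_shutdown")]
CRITICAL_ACTIONS = {"emergency_shutdown"}


def healthy_policy(principal: str, action: str) -> bool:
    """Normal operation: allow only what the permission table grants."""
    return action in PERMISSIONS.get(principal, set())


def broken_policy(principal: str, action: str) -> bool:
    """Simulates the policy service being unreachable."""
    raise PolicyUnavailable("policy service timed out")


def decisions(policy: PolicyFn, mode: FailureMode) -> Dict[Tuple[str, str], bool]:
    """Run the sample requests through a gate and return each request's decision."""
    gate = AccessGate(policy, mode, CRITICAL_ACTIONS)
    return {req: gate.decide(*req) for req in REQUESTS}


if __name__ == "__main__":
    print("healthy:", decisions(healthy_policy, FailureMode.FAIL_SAFE))
    for mode in FailureMode:
        print(mode.value, decisions(broken_policy, mode))
```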

<Added>
Item: Terms: Policies, guidelines, etc.
Comment: I think the exact meaning of terms can vary from organization to organization, but some things are constant. Senior leadership sets policies that are consistent with the organization's vision, mission, and strategic objectives. Those are also the basis of technical requirements for supporting systems. Policies state, as you emphasize, what needs to be done, with guidelines, procedures, and such providing the guidance on how to accomplish what's specified in policy. Similarly, organizations develop technical standards to efficiently and effectively meet requirements.
Perhaps especially in the info security area, policy seems at times reactive. Something bad happens, and then we establish a corrective policy. We tend to address the last problem. Better, of course, is to attempt to proactively anticipate and address issues.
I recall when flying fighter aircraft that one of the commanders I most respected used to opine that good tactics too often repeated are no longer good tactics. For us, in that role, predictability was at times good but could be at times fatal. Good policies, to remain good, must be kept fresh and current. We said that security is not an event but rather an ongoing process that must consider the dynamic nature of threats. The importance of policy will remain a point of emphasis throughout the course, but just having a policy is not sufficient. Policies need to be kept current. As for laziness, quality leadership is the key to preventing that sort of culture or attitude from developing.
