RISK MANAGEMENT
A. Understand and align the security function to the goals, mission and objectives of the organization
B. Understand and apply security governance
  B.1 Organizational processes (e.g., acquisitions, divestitures, governance committees)
  B.2 Security roles and responsibilities
  B.3 Legislative and regulatory compliance
  B.4 Privacy requirements compliance
  B.5 Control frameworks
  B.6 Due care
  B.7 Due diligence
D. Develop and implement security policy
G. Understand and apply risk management concepts
  G.1 Identify threats and vulnerabilities
  G.2 Risk assessment/analysis (qualitative, quantitative, hybrid)
  G.3 Risk assignment/acceptance
  G.4 Countermeasure selection
  G.5 Tangible and intangible asset valuation
  J.1 Budget
  J.2 Metrics
  J.3 Resources
Security Management Responsibilities
Okay, who is in charge and why?
Own
Top-Down Approach
Bottom-Up Approach
(Information)?
ISO9000
Information asset lifecycle: create, delivery, use, change, storage, destroy
CIA: Confidentiality, Integrity, Availability
DAD: Disclosure, Alteration, Destruction
Functional requirements
Assurance requirements
Security Definitions
Relationship diagram: a Threat agent gives rise to a Threat; the Threat exploits a Vulnerability; the Vulnerability leads to a Risk; the Risk can damage an Asset and causes an Exposure; a Safeguard addresses the Exposure and directly affects the Threat agent.
Terms: vulnerability, threat, risk, exposure, countermeasure (or safeguard)
Security Through Obscurity
Example: serving HTTP on port 8088 rather than the standard port.
Security triad around Information: Confidentiality, Integrity, Availability
Planning horizons: strategic plan; tactical plan (1); operational plan
Security Program Components
CSO/CISO
CIA
Frameworks: COSO, ITIL, COBIT, ISO27001/ISO17799
COSO
1985: Treadway Commission. COSO = Committee of Sponsoring Organizations of the Treadway Commission.
1992: COSO
2004: SEC 2
ITIL
5
IT
COBIT
CobiT: Control Objectives for Information and related Technology
CobiT: IT
34 IT processes in 4 domains: PO Planning & Organization; AI Acquisition & Implementation; DS Delivery and Support; Monitoring
Cobit: IT
Cobit vs. COSO: IT
ISO 27001/17799
BS7799
1992
BS7799 BSI
BS7799-1
BS7799-2
2000 4 BS7799-1
1999 ISO 10
ISO/IEC17799 2000
ISO17799
2005 ISO/IEC17799
2000 6 15
ISO/IEC17799 2005
2001 BS7799-2
1999 BS7799-2 2000
ISO27001
ISO 17799
Security Governance
SLA (service level agreement)
Information Security Management
ITIL, ISO27001, COSO, COBIT
IT
Security policy
CC, BS7799
Policy hierarchy: Policy; Standard; Guideline; Baseline; Procedure
Acceptable Use Policy (AUP)
Web
2 3
Risk
Risk Management
Terms: Asset; Threat; Threat source / Threat agent; Vulnerability; Risk; Residual Risk
Relationship diagram:
threats exploit vulnerabilities
vulnerabilities increase risks
asset values increase risks
risks expose assets
assets have asset value
risks indicate security requirements
security requirements are met by safeguards
safeguards reduce risks
safeguards protect against threats
RISK
Information Risk Management (IRM)
Risk Assessment
NIST SP 800
Failure Modes and Effect Analysis (FMEA)
IPS
IPS
IPS
Quantitative analysis: step 2 gives the SLE, step 4 gives the ARO, and the two combine into the ALE.
AV x EF = SLE
SLE x ARO = ALE
Worked example: asset value 15, EF 25%, one loss every 10 years:
SLE = 15 x 25% = 3.75
ALE = 3.75 x 1/10 = 0.375
Second example: asset value 500,000, EF 45%, one loss every 5 years (ARO 0.20): ALE = 45,000
Asset   AV         EF    SLE        ARO   ALE
-       $500,000   0.45  $225,000   0.20  $45,000
Web     $25,000    0.25  $6,250     0.50  $3,125
Web     $150,000   0.33  $50,000    2.00  $100,000
-       $250,000   0.75  $187,500   0.66  $123,750
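The table above is the whole quantitative method in one place, so here is an added example (not code from the original slides) that computes SLE and ALE for each row, ranks the rows by ALE, and applies the standard ALE-based safeguard cost/benefit formula (ALE before the control, minus ALE after it, minus the control's annual cost). The row values are the page's; the first and fourth asset names are not on the page and are placeholders, the hypothetical control on the first asset is constructed, and the cost/benefit formula is an assumption about what the page's later "ALE - ALE - =" fragment abbreviates. Note that the page rounds the $150,000 row to $50,000 / $100,000; the code returns the unrounded 49,500 / 99,000.

```python
"""Quantitative risk analysis: SLE and ALE over an asset register.

Added example, not from the original slides.  Row figures come from the
page's table; the asset names of rows 1 and 4 are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AssetRisk:
    name: str
    asset_value: float       # AV: value of the asset in dollars
    exposure_factor: float   # EF: fraction of AV lost in a single incident (0.0-1.0)
    aro: float               # ARO: expected incidents per year (1/10 = once a decade)

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"EF must be between 0 and 1, got {self.exposure_factor}")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: AV x EF, the loss from one incident."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE x ARO, the expected loss per year."""
        return self.sle * self.aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Annual value of a safeguard (assumed standard formula):
    (ALE before safeguard) - (ALE after safeguard) - (annual cost of safeguard).
    A negative result means the control costs more than the loss it prevents."""
    return round(ale_before - ale_after - annual_cost, 2)


def rank_by_ale(register: list[AssetRisk]) -> list[tuple[str, float, float]]:
    """Return (name, SLE, ALE) tuples, highest ALE first, for prioritization."""
    return sorted(((a.name, a.sle, a.ale) for a in register),
                  key=lambda row: row[2], reverse=True)


# Constructed register using the figures from the page's table.
REGISTER = [
    AssetRisk("asset 1 (name not on page)", 500_000, 0.45, 0.20),
    AssetRisk("Web asset A", 25_000, 0.25, 0.50),
    AssetRisk("Web asset B", 150_000, 0.33, 2.00),
    AssetRisk("asset 4 (name not on page)", 250_000, 0.75, 0.66),
]

# The page's small worked example: AV 15, EF 25%, one loss every 10 years.
SMALL_EXAMPLE = AssetRisk("worked example", 15, 0.25, 1 / 10)

if __name__ == "__main__":
    for name, sle, ale in rank_by_ale(REGISTER):
        print(f"{name:28} SLE=${sle:>12,.2f}  ALE=${ale:>12,.2f}")
    print(f"worked example: SLE={SMALL_EXAMPLE.sle}  ALE={SMALL_EXAMPLE.ale}")
    # Hypothetical control on asset 1 that cuts its ARO from 0.20 to 0.04 for $10,000 a year.
    with_control = AssetRisk("asset 1 with control", 500_000, 0.45, 0.04)
    print("safeguard value per year:", safeguard_value(REGISTER[0].ale, with_control.ale, 10_000))
```

Ranking by ALE rather than by asset value is the point of the exercise: the $250,000 asset with a high EF and a 0.66 ARO carries almost three times the annual expected loss of the $500,000 asset, so it is where the first control budget should go.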
12
Qualitative methods: Delphi, Checklist, Questionnaire, Interview, Survey
Delphi
Threat Agent
Risk matrix: score = risk impact (1-5) x probability (1-5). Rows are impact 5 down to 1, columns are probability 1 to 5 (L = Low, M = Moderate, S = Significant, H = High).
impact 5:  5L  10M  15S  20H  25H
impact 4:  4L   8M  12S  16S  20H
impact 3:  3L   6M   9M  12S  15S
impact 2:  2L   4L   6M   8M  10M
impact 1:  1L   2L   3L   4L   5L
Rating bands: 25, 20 = High; 12, 15, 16 = Significant; 6, 8, 9, 10 = Moderate; 1, 2, 3, 4, 5 = Low
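As an added example (not code from the original slides), the matrix above as a small scoring function: it validates the 1-5 scales, maps a score to the page's rating bands, regenerates the grid so it can be checked against the slide, and rates a constructed list of threat scenarios. The scenario names and their impact/probability scores are made up for illustration and are not on the page.

```python
"""Qualitative risk matrix: impact (1-5) x probability (1-5).

Added example, not from the original slides.  Rating bands are the page's:
20-25 High, 12-16 Significant, 6-10 Moderate, 1-5 Low.
"""
SCALE = range(1, 6)  # 1 = lowest, 5 = highest, for both impact and probability

# (lowest score in band, full name, letter used in the grid)
BANDS = (
    (20, "High", "H"),
    (12, "Significant", "S"),
    (6, "Moderate", "M"),
    (1, "Low", "L"),
)


def risk_score(impact: int, probability: int) -> int:
    """Score a scenario; both inputs must be on the 1-5 scale."""
    if impact not in SCALE or probability not in SCALE:
        raise ValueError(f"impact and probability must be 1-5, got {impact}, {probability}")
    return impact * probability


def _band(score: int) -> tuple[int, str, str]:
    for band in BANDS:
        if score >= band[0]:
            return band
    raise ValueError(f"score out of range: {score}")


def risk_rating(score: int) -> str:
    """Full rating name for a score, e.g. 16 -> 'Significant'."""
    return _band(score)[1]


def rating_letter(score: int) -> str:
    """Single-letter rating used in the grid, e.g. 16 -> 'S'."""
    return _band(score)[2]


def render_matrix() -> list[str]:
    """Grid rows from impact 5 down to 1, columns probability 1..5,
    in the same form as the slide: '5L 10M 15S 20H 25H'."""
    rows = []
    for impact in reversed(SCALE):
        cells = [f"{impact * p}{rating_letter(impact * p)}" for p in SCALE]
        rows.append(" ".join(cells))
    return rows


def rate_register(entries: list[tuple[str, int, int]]) -> list[tuple[str, int, str]]:
    """Rate (name, impact, probability) entries; highest score first."""
    rated = [(name, risk_score(i, p), risk_rating(risk_score(i, p))) for name, i, p in entries]
    return sorted(rated, key=lambda row: row[1], reverse=True)


# Constructed scenarios for illustration (not from the page).
SCENARIOS = [
    ("ransomware on the file server", 5, 4),
    ("lost unencrypted laptop", 3, 3),
    ("DNS outage at the upstream provider", 2, 2),
]

if __name__ == "__main__":
    for row in render_matrix():
        print(row)
    for name, score, rating in rate_register(SCENARIOS):
        print(f"{score:>2} {rating:<12} {name}")
```

Treating the bands as a lookup table keyed by the lowest score in each band keeps the thresholds in one place, so if the organization later decides that 15 should count as High, only the table changes and the grid and register rating move together.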
Reduce Risk
Accept Risk
Residual Risk
Rr R0
R
Rr Rt
VS.
X
X
VS
ALE - ALE -
=
VS.
1
=
=
2
=
- =
1
2
3
4
5
1
2
3
4
5 /
6
1
2
3
4
CSO/ISSO
Classification
Government: Top Secret, Secret, Confidential, Sensitive But Unclassified, Unclassified
Commercial: Confidential, Private, Sensitive, Public
Roles: Owner, Custodian, User
CEO
CFO
CIO
CPO
CSO
Senior management
security committee
IT
Security Administrator
Systems Administrator
Background Check
Reference Check
Confidentiality Agreement
NDA (Nondisclosure Agreement)
(Termination)
Checklist
ID
Internet
operator
security
practitioner
Social Engineering
Kevin Mitnick
Security awareness
Intranet
banner
Training
IT
Education
What does a risk analysis show management?
A. The amount of money that could be lost if security measures are not implemented
B. How much a countermeasure will cost
C. The cost benefit of implementing a countermeasure
D. The amount of money that can be saved if security is implemented
Why should the team performing a risk analysis be formed with representatives from all departments?
A. To ensure everyone is involved.
B. To ensure that all the risk used in the analysis is as representative as possible.
C. The risk analysis should be performed by an outside group and not by biased insiders.
D. To hold those accountable for causing the risk.
A signed user acknowledgment of the corporate security policy:
A. Ensures that users have read the policy
B. Ensures that users understand the policy, as well as the consequences for not following the policy
C. Can be waived if the organization is satisfied that users have an adequate understanding of the policy
D. Helps to protect the organization if a user's behavior violates the policy
Which choice below MOST accurately describes the organization's responsibilities during an unfriendly termination?
A. System access should be removed as quickly as possible after termination.
B. The employee should be given time to remove whatever files he needs from the network.
C. Cryptographic keys can remain the employee's property.
D. Physical removal from the offices would never be necessary.
Which function would be most compatible with the security function?
A. Data entry
B. Database administration
C. Change management
D. Network management