

RISK MANAGEMENT


A. Understand and align security function to goals, mission and objectives of the organization
B. Understand and apply security governance
B.1 Organizational processes (e.g., acquisitions, divestitures, governance committees)
B.2 Security roles and responsibilities
B.3 Legislative and regulatory compliance
B.4 Privacy requirements compliance
B.5 Control frameworks
B.6 Due care
B.7 Due diligence

C. Understand and apply concepts of confidentiality, integrity and availability


D. Develop and implement security policy
D.1 Security policies
D.2 Standards/baselines
D.3 Procedures
D.4 Guidelines
D.5 Documentation

E. Manage the information life cycle (e.g., classification, categorization, and ownership)
F. Manage third-party governance (e.g., on-site assessment, document exchange and review, process/policy review)


G. Understand and apply risk management concepts
G.1 Identify threats and vulnerabilities
G.2 Risk assessment/analysis (qualitative, quantitative, hybrid)
G.3 Risk assignment/acceptance
G.4 Countermeasure selection
G.5 Tangible and intangible asset valuation

H. Manage personnel security
H.1 Employment candidate screening (e.g., reference checks, education verification)
H.2 Employment agreements and policies
H.3 Employee termination processes
H.4 Vendor, consultant and contractor controls

I. Develop and manage security education, training and awareness

J. Manage the Security Function
J.1 Budget
J.2 Metrics
J.3 Resources
J.4 Develop and implement information security strategies
J.5 Assess the completeness and effectiveness of the security program


Security Management Responsibilities
Okay, who is in charge and why?

Top-Down Approach
Bottom-Up Approach

What is information (Information)? (ISO9000)

Information assets

Information life cycle: create, delivery, use, change, storage, destroy

Confidentiality
Integrity
Availability

CIA vs. DAD: Disclosure, Alteration, Destruction

Functional requirements
Assurance requirements


Security Definitions

Threat agent -> gives rise to -> Threat -> exploits -> Vulnerability -> leads to -> Risk -> can damage -> Asset -> and causes an -> Exposure -> can be countermeasured by a -> Safeguard -> directly affects -> Threat agent

Terms: vulnerability, threat, risk, exposure, countermeasure (or safeguard)


Security Through Obscurity (example: HTTP served on port 8088 instead of the standard port)

Figure: Information protected by Confidentiality, Integrity and Availability (the CIA triad)


Strategic plan, tactical plan, operational plan


Security Program Components

CSO/CISO

Frameworks: COSO, ITIL, COBIT, ISO27001/ISO17799

COSO

COSO: Committee of Sponsoring Organizations of the Treadway Commission
1985: Treadway Commission
1992: COSO framework
2004: SEC

Five COSO components: Control environment, Risk assessment, Control activities, Information & Communication, Monitoring

COSO and SOX 404

ITIL

ITIL: Information Technology Infrastructure Library (IT service management best practices)

COBIT

COBIT: Control Objectives for Information and related Technology, published by ISACA (Information Systems Audit and Control Association) in 1996

COBIT organizes 34 IT processes into 4 domains: PO (Planning & Organization), AI (Acquisition & Implementation), DS (Delivery and Support), Monitoring

COBIT addresses IT governance; COSO addresses corporate governance, so COBIT is the IT-level counterpart of COSO

ISO 27001/17799

BS7799 history:
1992: BS7799 published by BSI
1998-1999: BS7799-1:1999 and BS7799-2:1999
BS7799-1
BS7799-2
2000: BS7799-1:1999 submitted to ISO and published as ISO/IEC 17799:2000
2005: ISO/IEC 17799:2000 revised; ISO/IEC 17799:2005 published 2005-06-15

ISO27001 history:
2001: BS7799-2:1999 revised (BS7799-2:2000)
2002: BS7799-2:2000 revised as BS7799-2:2002
2005-10-15: BS7799-2:2002 adopted by ISO as ISO/IEC 27001:2005


Security Governance

SLA

Information Security Management

Frameworks: ITIL, ISO27001, COSO, COBIT

RFC 2196 Site Security Handbook

Security policy (CC, BS7799)

Policy
Standard
Guideline
Baseline
Procedure

Acceptable Use Policy (AUP)

Risk

Risk Management

Terms:
Asset
Threat (Threat source, Threat agent)
Vulnerability
Risk
Likelihood (Probability, Frequency)
Impact (Consequence)
Safeguard (control, countermeasure)
Residual Risk

Relationships between the terms:
Threats exploit vulnerabilities and increase risks.
Vulnerabilities expose assets.
Assets have value; asset value increases risk.
Risks indicate security requirements.
Security requirements are met by safeguards.
Safeguards protect against threats and reduce risks.



Information Risk Management (IRM)

Risk Assessment

Risk Analysis, Risk Evaluation



Risk analysis methodologies:
NIST SP 800 series
FRAP (Facilitated Risk Analysis Process)
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
FMEA (Failure Modes and Effect Analysis)







Quantitative risk analysis:
SLE (Single Loss Expectancy)
ARO (Annualized Rate of Occurrence)
ALE (Annualized Loss Expectancy)

AV x EF = SLE
SLE x ARO = ALE


Example: an IPS with asset value 15, EF 25%, expected once in 10 years (ARO = 1/10)
SLE = 15 x 25% = 3.75
ALE = 3.75 x 1/10 = 0.375

Example: asset value 500,000, EF 45%, expected once every 5 years (ARO = 0.20)
SLE = 500,000 x 0.45 = 225,000
ALE = 225,000 x 0.20 = 45,000

Asset | Threat | Asset Value | EF   | SLE      | ARO  | ALE
----- | ------ | ----------- | ---- | -------- | ---- | --------
-     | -      | $500,000    | 0.45 | $225,000 | 0.20 | $45,000
Web   | -      | $25,000     | 0.25 | $6,250   | 0.50 | $3,125
Web   | -      | $150,000    | 0.33 | $50,000  | 2.00 | $100,000
-     | -      | $250,000    | 0.75 | $187,500 | 0.66 | $123,750

Qualitative risk analysis techniques: Delphi, Checklist, Questionnaire, Interview, Survey

Delphi technique


Threat Agent

Qualitative risk matrix: risk impact (1-5) x probability (1-5); each cell is the product and its rating

Probability \ Impact |  1  |  2   |  3   |  4   |  5
5                    | 5 L | 10 M | 15 S | 20 H | 25 H
4                    | 4 L | 8 M  | 12 S | 16 S | 20 H
3                    | 3 L | 6 M  | 9 M  | 12 S | 15 S
2                    | 2 L | 4 L  | 6 M  | 8 M  | 10 M
1                    | 1 L | 2 L  | 3 L  | 4 L  | 5 L

Rating: 25, 20 = High (H); 12, 15, 16 = Significant (S); 6, 8, 9, 10 = Moderate (M); 1, 2, 3, 4, 5 = Low (L)

Risk response options:
Reduce Risk
Avoid Risk (Rejecting Risk)
Transfer Risk (Risk Assignment)
Accept Risk



Residual Risk

Rr R0
R
Rr Rt

Cost vs. benefit of a safeguard:
(ALE before safeguard) - (ALE after safeguard) - (annual cost of safeguard) = value of the safeguard to the company


CSO/ISSO

Classification

Government/military levels: Top Secret, Secret, Confidential, Sensitive But Unclassified, Unclassified
Commercial levels: Confidential, Private, Sensitive, Public
Roles: Owner, Custodian, User



Roles and responsibilities:
Executive management: CEO, CFO, CIO, CPO, CSO
Senior management
Security committee
IT / Security Administrator
Information systems security professionals
InfoSec Officer / CSO; CIO
Information systems auditor
Systems Administrator

Background Check
Reference Check
Confidentiality Agreement / NDA (Nondisclosure Agreement)

Termination

Termination checklist: user ID, Internet access

operator, security practitioner


Social Engineering

Kevin Mitnick, The Art of Deception: Controlling the Human Element of Security


Security awareness: Intranet, banner
Training (IT)
Education


What does a risk analysis show management?
A The amount of money that could be lost if security measures are not implemented
B How much a countermeasure will cost
C The cost benefit of implementing a countermeasure
D The amount of money that can be saved if security is implemented


A
B
C
D


Why should the team performing a risk analysis be formed with representatives from all departments?
A To ensure everyone is involved.
B To ensure that all the risk used in the analysis is as representative as possible.
C The risk analysis should be performed by an outside group and not by biased insiders.
D To hold those accountable for causing the risk.


A
B
C
D


A signed user acknowledgment of the corporate security policy:
A Ensures that users have read the policy
B Ensures that users understand the policy, as well as the consequences for not following the policy
C Can be waived if the organization is satisfied that users have an adequate understanding of the policy
D Helps to protect the organization if a user's behavior violates the policy


a
B
C
D


Which choice below MOST accurately describes the organization's responsibilities during an unfriendly termination?
A System access should be removed as quickly as possible after termination.
B The employee should be given time to remove whatever files he needs from the network.
C Cryptographic keys can remain the employee's property.
D Physical removal from the offices would never be necessary.


A
B
C
D


Which function would be most compatible with the security function?
A Data entry
B Database administration
C Change management
D Network management


A
B
C
D
