In this article
Risk Management Concepts and the CISSP (Part 2)
- Control Frameworks
- Due Care vs. Due Diligence
- Security Governance Principals
- Security Personnel
- Threat Modeling
- Vendor, Consultant and Contractor Security
Risk, in the context of security, is the possibility of damage occurring and the consequences of that damage should it occur. Risk management is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level. There is no such thing as zero risk; we must prepare ourselves for potential threats and their outcomes.
When we look at information security, note that an organization needs to be aware of several types of risk and address them properly. The following items touch on the major categories:
Threats must be identified, classified by category, and evaluated to calculate their damage potential to the organization. Because information security is big business today, the focus is largely on applications, devices, viruses and hacking.
Carrying out risk management properly means that you have a holistic understanding of your organization, the threats it faces, the countermeasures that can be put into place to deal with those threats, proper implementation of risk countermeasures and continuous monitoring to ensure the acceptable risk level is being met on an ongoing basis.
Proper risk management requires a strong commitment from senior management, a documented process that supports the organization’s mission, an information risk management policy, and a team delegated to carry it out.
To implement risk management effectively, a proper policy should be documented. The policy should address the following items:
The policy is the initial step as it provides the foundation and direction for the organization’s security risk management processes and procedures, and should address all issues of information security.
In the process of risk management, we perform risk analysis and risk assessment. To put risk analysis concepts into practice, we must assemble a risk analysis team. The same applies to the assessment process: we must put in place the methods that will mitigate the identified risks.
Risk analysis plays an important role in the process of risk management. It helps integrate the security program objectives with the company’s business objectives and requirements and also helps the company to draft a proper budget for a security program and its constituent security components.
Each organization has different departments, and each department has its functionality, resources, tasks, and quirks. For the most effective risk analysis, an organization must build a risk analysis team that includes individuals from many or all departments to ensure that all of the threats are identified and addressed. This is the most effective way because if the risk analysis team comprises only individuals from the IT department, it may not understand how the company as a whole would be affected if the accounting department’s data files were wiped out by an accidental or intentional act.
To respond effectively, the risk analysis team should ask the following questions:
Viewing threats with these questions in mind helps the team focus on the tasks at hand and assists in making the decisions more accurate and relevant.
Risk is the probability of a threat agent exploiting a vulnerability to cause harm to an asset, together with the resulting business impact. User errors, whether intentional or accidental, are easier to identify by monitoring and auditing user activities. Audits and reviews must be conducted to discover whether employees are entering values incorrectly into programs, misusing technology, or modifying data in an inappropriate manner.
A threat is a possible danger that might exploit a vulnerability to breach security and therefore cause harm. A vulnerability, by contrast, is a weakness which allows an attacker to reduce a system’s information assurance. A vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.
Many types of threat agents can take advantage of several types of vulnerabilities, resulting in a variety of specific threats:
Risk Assessment Methodologies:
The industry has different standardized methodologies when it comes to carrying out risk assessments. Each of the individual methodologies has the same basic core components (identify vulnerabilities, associate threats, calculate risk values), but each has a specific focus.
NIST developed a risk methodology, which is published in its SP 800-30 document. This NIST methodology is titled “Risk Management Guide for Information Technology Systems” and is considered a U.S. federal government standard. It is specific to IT threats and how they relate to information security risks. It lays out the following steps:
Failure Modes and Effect Analysis (FMEA) is another method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process.
The goal is to identify where something is most likely going to break and either fix the flaws that could cause this issue or implement controls to reduce the impact of the break. The FMEA methodology uses failure modes (how something can break or fail) and effects analysis (impact of that break or failure).
FMEA is most useful as a survey method to identify major failure modes in a given system; the method is not as useful in discovering complex failure modes that may be involved in multiple systems or subsystems.
Following a specific order of steps yields the best results from an FMEA:
The following table shows an example of how an FMEA can be carried out and documented:
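As an added worked example (not from the original article, and not a prescribed CISSP or NIST tool), the script below builds a small FMEA worksheet in code: each failure mode is rated for severity, occurrence and detectability, the ratings are multiplied into a Risk Priority Number (RPN), and the worksheet is ranked so the flaws most worth fixing or controlling come first. The 1 to 10 scales and the RPN = severity × occurrence × detection scoring are the conventional FMEA scoring convention and are an assumption here, since the article does not specify a scheme; the components and ratings are constructed sample data.

```python
"""FMEA worksheet: rate each failure mode and rank by Risk Priority Number (RPN).

Added example, not from the article. The RPN scoring (severity x occurrence x
detection, each 1..10) is the conventional FMEA convention and is assumed here.
The failure modes and ratings below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class FailureMode:
    component: str      # system function or component under analysis
    failure_mode: str   # how it can break or fail
    effect: str         # impact of that break or failure
    severity: int       # 1 (negligible) .. 10 (catastrophic)
    occurrence: int     # 1 (remote) .. 10 (almost certain)
    detection: int      # 1 (certain to be detected) .. 10 (effectively undetectable)

    def __post_init__(self):
        # Reject ratings outside the assumed 1..10 scales so RPNs stay comparable.
        for name in ("severity", "occurrence", "detection"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be in 1..10, got {value}")


def rpn(fm: FailureMode) -> int:
    """Risk Priority Number: product of the three ratings, 1..1000."""
    return fm.severity * fm.occurrence * fm.detection


def rank_failure_modes(modes, threshold=100):
    """Return (failure_mode, rpn) pairs, highest risk first, at or above threshold."""
    scored = [(fm, rpn(fm)) for fm in modes]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return [pair for pair in scored if pair[1] >= threshold]


# Constructed sample worksheet for a small web application.
SAMPLE_WORKSHEET = [
    FailureMode("Authentication", "Password database disclosed", "Account takeover", 9, 3, 6),
    FailureMode("Backups", "Nightly backup job silently fails", "Data loss after an incident", 8, 4, 8),
    FailureMode("TLS termination", "Certificate expires", "Service outage", 5, 5, 2),
    FailureMode("Logging", "Log disk fills up", "Loss of audit trail", 4, 3, 4),
]


def fmea_report(modes=SAMPLE_WORKSHEET, threshold=100):
    """Format the ranked worksheet as a text table (S/O/D = severity/occurrence/detection)."""
    header = f"{'Component':16} {'Failure mode':34} {'S':>2} {'O':>2} {'D':>2} {'RPN':>4}"
    lines = [header]
    for fm, score in rank_failure_modes(modes, threshold):
        lines.append(
            f"{fm.component:16} {fm.failure_mode:34} "
            f"{fm.severity:>2} {fm.occurrence:>2} {fm.detection:>2} {score:>4}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(fmea_report())
```

In the sample data the silently failing backup job outranks the password database disclosure even though the disclosure is rated more severe, because a backup failure is both more likely and much harder to notice; that is the point of including detectability in the score rather than ranking on severity alone.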
Unfortunately, security policies, standards, and management guidelines are often written only because an auditor instructed the company to document these items; they are then placed on a file server and never shared, explained, or used. To be useful, they must be put into action. To be effective, employees need to know about all the potential risks they may encounter in their organization.
As a CISSP candidate, you should fully understand access control concepts, methodologies and their implementation within centralized and decentralized environments across an organization’s computing environment.
The Access Control domain covers the mechanisms by which a system grants or revokes the right to access data or perform an action on an information system.
To implement access control, threats must be classified. Which types of controls are implemented per classification depends upon the level of protection that management and the security team have determined is needed. Access controls enable management to:
In the context of risk management in CISSP, classification is the process in which we identify and characterize the critical information assets (i.e. sensitivity). Moreover, we explain the level of safeguarding (protection level) and how the information assets should be handled (sensitivity and confidentiality).
Process of Classification:
Types of Security Controls:
Categories of Security Controls:
However, performing risk analysis and assessment alone will not make your organization secure; there is no such thing as fully secure. You must therefore maintain preparedness by continuously monitoring and managing the risks. Systems are available that monitor network traffic to detect and prevent threats.
Intrusion prevention and detection:
An Intrusion Prevention System (IPS) is a network security/threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits. It is an inline preventive control device.
An Intrusion Detection System (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. It is a passive monitoring device that inspects and audits transmitted packets.
IDS Analysis Methods & Engine:
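The two classic IDS analysis methods are signature-based detection (match traffic against known bad patterns) and anomaly-based detection (learn a baseline of normal behaviour and flag statistical deviations). The script below is an added example, not from the article or any IDS product: it runs both engines over the same constructed request log so the difference is visible. The log format, the two signatures, the three-sigma threshold and the traffic are all constructed for the example.

```python
"""Signature-based vs anomaly-based IDS analysis over one constructed traffic log.

Added example, not from the article. Events are (second offset, source IP,
destination port, request line); the signatures, threshold and traffic are
constructed for illustration.
"""
import re
import statistics
from collections import Counter

# Constructed "known normal" training window: four hosts, ten requests each.
BASELINE_TRAFFIC = [
    (t, f"10.0.0.{1 + (t % 4)}", 443, "GET /index.html") for t in range(40)
]

# Constructed observation window: the same kind of normal traffic, plus one
# request that matches a signature and one host that sends far more than usual.
OBSERVED_TRAFFIC = (
    BASELINE_TRAFFIC[:20]
    + [(61, "10.0.0.9", 443, "GET /../../etc/passwd")]
    + [(62 + i, "10.0.0.7", 443, "GET /search?q=x") for i in range(60)]
)

# Signature engine: named patterns describing content that should never be seen.
SIGNATURES = [
    ("path-traversal", re.compile(r"(\.\./){2,}")),
    ("sensitive-file", re.compile(r"/etc/(passwd|shadow)\b")),
]


def signature_engine(events, signatures=SIGNATURES):
    """Return (time, source, signature name) for every event matching a known pattern."""
    alerts = []
    for t, src, _port, request in events:
        for name, pattern in signatures:
            if pattern.search(request):
                alerts.append((t, src, name))
    return alerts


def learn_baseline(events):
    """Anomaly engine training: mean and population stdev of requests per source."""
    counts = Counter(src for _, src, _, _ in events)
    values = list(counts.values())
    return statistics.mean(values), statistics.pstdev(values)


def anomaly_engine(events, baseline, sigma=3.0):
    """Return (source, count) for sources whose request count exceeds mean + sigma*stdev.

    The stdev is floored at 1.0 so a perfectly flat baseline still leaves some slack
    instead of flagging every host that sends one request more than the mean.
    """
    mean, stdev = baseline
    threshold = mean + sigma * max(stdev, 1.0)
    counts = Counter(src for _, src, _, _ in events)
    return [(src, n) for src, n in counts.items() if n > threshold]


if __name__ == "__main__":
    print("signature alerts:", signature_engine(OBSERVED_TRAFFIC))
    print("anomaly alerts:  ", anomaly_engine(OBSERVED_TRAFFIC, learn_baseline(BASELINE_TRAFFIC)))
```

Run against the sample data, the signature engine catches the single traversal request but says nothing about the host making sixty requests, while the anomaly engine flags that host and is blind to the one-off traversal. Neither engine alone sees both problems, which is why production IDS deployments combine the two methods.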
Audit Trail Monitoring:
The audit trail is a record of system activities that captures system, network, application and user activities. It alerts the security officer to suspicious activities, provides details on non-conformance or illegal activities, and supplies information for legal proceedings.
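Audit trail monitoring only pays off if someone actually reviews the records against policy, which is the point made earlier about auditing whether employees misuse technology or modify data inappropriately. The script below is an added example, not from the article: it parses a constructed key=value audit log and applies three review rules (repeated failed logins, data modifications outside business hours, and modifications by users not authorized for the object). The log format, the business-hours window, the failed-login limit and the authorization table are all constructed assumptions for the example.

```python
"""Audit trail review: parse constructed audit records and flag non-conformance.

Added example, not from the article. The record format, policy constants and
authorization table are constructed assumptions.
"""
import re
from collections import Counter
from datetime import datetime, time

# Constructed audit log: ISO timestamp followed by key=value pairs.
AUDIT_LOG = """\
2024-05-06T08:02:11 user=alice action=LOGIN result=OK src=10.1.1.5
2024-05-06T08:05:42 user=alice action=UPDATE object=payroll/run-2024-05 result=OK src=10.1.1.5
2024-05-06T09:10:03 user=bob action=LOGIN result=FAIL src=10.1.1.22
2024-05-06T09:10:09 user=bob action=LOGIN result=FAIL src=10.1.1.22
2024-05-06T09:10:15 user=bob action=LOGIN result=FAIL src=10.1.1.22
2024-05-06T09:10:21 user=bob action=LOGIN result=FAIL src=10.1.1.22
2024-05-06T09:10:27 user=bob action=LOGIN result=OK src=10.1.1.22
2024-05-06T13:15:00 user=dave action=DELETE object=ledger/2023-Q4 result=OK src=10.1.1.51
2024-05-06T23:41:58 user=carol action=UPDATE object=payroll/run-2024-05 result=OK src=10.1.1.40
"""

# Constructed review policy.
FAILED_LOGIN_LIMIT = 3                       # this many failures per user is a finding
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # modifications outside this window are findings
MODIFYING_ACTIONS = {"UPDATE", "DELETE"}
AUTHORIZED = {                               # object prefix -> users allowed to modify it
    "payroll/": {"alice"},
    "ledger/": {"alice", "dave"},
}

RECORD_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_record(line):
    """Turn one audit line into a dict; the timestamp becomes a datetime under 'ts'."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError(f"malformed audit record: {line!r}")
    rec = dict(pair.split("=", 1) for pair in m.group("kv").split())
    rec["ts"] = datetime.fromisoformat(m.group("ts"))
    return rec


def review_audit_trail(log_text):
    """Return (rule, user, detail) findings for every policy deviation in the log."""
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    findings = []

    # Rule 1: repeated authentication failures per user.
    failures = Counter(r["user"] for r in records
                       if r["action"] == "LOGIN" and r["result"] == "FAIL")
    for user, n in sorted(failures.items()):
        if n >= FAILED_LOGIN_LIMIT:
            findings.append(("repeated-login-failure", user, f"{n} failed logins"))

    # Rules 2 and 3: data modifications outside hours or by unauthorized users.
    for r in records:
        if r["action"] not in MODIFYING_ACTIONS:
            continue
        if not BUSINESS_HOURS[0] <= r["ts"].time() <= BUSINESS_HOURS[1]:
            findings.append(("off-hours-modification", r["user"], r["object"]))
        allowed = next((users for prefix, users in AUTHORIZED.items()
                        if r["object"].startswith(prefix)), set())
        if r["user"] not in allowed:
            findings.append(("unauthorized-modification", r["user"], r["object"]))
    return findings


if __name__ == "__main__":
    for finding in review_audit_trail(AUDIT_LOG):
        print(*finding)
```

Each rule is deliberately explicit about the policy it enforces, so a finding can be traced back to a documented requirement; that traceability is what makes the audit trail usable as evidence rather than just a list of events.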
By applying the methods and systems mentioned above, we can minimize risks and prepare our organization for any potential risk. Since we cannot eliminate the risk factor completely, we must adopt and implement risk management concepts to mitigate the risks.