Risk Management Concepts and the CISSP (Part 1)
The Certified Information Systems Security Professional (CISSP) is an information security certification developed by the International Information Systems Security Certification Consortium, also known as (ISC)². Risk management is one of the modules of CISSP training. It entails identifying an organization's information assets and developing, documenting, implementing, and updating the policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability.
Management tools such as risk assessment and risk analysis are used to identify threats, classify assets, and rate their vulnerabilities so that effective security measures and controls can be implemented. The risk management process identifies potential risks and the tools and practices available to address them, rates those risks, and reduces them for specific resources of an organization.
Beyond basic security fundamentals, the concepts of risk management are perhaps the most important and complex part of the information security and risk management domain. The candidate needs to understand all the core concepts of risk management, such as risk assessment methodologies, risk calculations, and safeguard selection criteria and objectives.
A risk comprises a threat and a vulnerability of an asset, defined as follows:
Threat: Any natural or man-made circumstance that could have an adverse impact on an organizational asset.
Vulnerability: The absence or weakness of a safeguard in an asset that makes a threat potentially more likely to occur, or likely to occur more frequently.
Asset: An asset is a resource, process, product, or system that has some value to an organization and must, therefore, be protected.
Threat, vulnerability, and asset are known as the risk management triple. This is the main concept covered in risk management from the CISSP exam perspective. Risk can never be completely eliminated: any system or environment, no matter how secure, can eventually be compromised.
Threat x Vulnerability = Risk
Some threats or events, such as natural disasters, are largely unpredictable. Therefore, the main goal of risk management is risk mitigation, which involves reducing risk to a level that is acceptable to an organization. Risk management comprises three main elements:
Risk identification is the initial step in risk management and involves identifying specific elements of the three components of risk: assets, threats, and vulnerabilities.
To determine the appropriate level of security, identifying an organization's assets and determining their value is a critical step. The value of an asset to an organization can be both quantitative (related to its cost) and qualitative (its relative importance).
Any inaccurate asset valuation may result in:
A properly conducted asset valuation process, on the other hand, has several benefits to an organization:
There are three main elements that are used to determine the value of assets:
In the process of risk management, we perform two different analyses that include:
Threat analysis is a process of examining the sources of cyber threats and evaluating them in relation to the information system’s vulnerabilities. The objective of the analysis is to identify the threats that endanger a particular information system in a specific environment.
It consists of four steps that include:
An organization should be well prepared for all types of threats. The number and types of threats can be overwhelming, but they can generally be categorized as
The next element in risk management is risk analysis. A risk analysis brings together all the elements of risk management (identification, analysis, and control) and is critical to an organization for developing an effective risk management strategy.
It consists of four steps that include:
The Annualized Loss Expectancy (ALE) provides a standard, quantifiable measure of the impact that a realized threat has on an organization’s assets. ALE is particularly useful for determining the cost-benefit ratio of a safeguard or control. ALE is determined by this formula:
Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO) = Annualized Loss Expectancy (ALE)
The process of conducting a risk analysis is very similar to identifying an acceptable risk level. Essentially, you do a risk analysis on the organization as a whole to determine the acceptable risk level.
A risk analysis has four main goals:
In the process of identifying assets and their value, we consider the value placed on assets (including information), what work was required to develop them, how much they cost to maintain, what damage would result if they were lost or destroyed, and what benefit another party would gain if it were to obtain them.
Understanding the value of an asset is the first step to understanding what security mechanisms should be put in place and what funds should go toward protecting it.
The following issues should be considered when assigning values to assets:
Once the assets have been identified and assigned values, all of the vulnerabilities and associated threats that could affect each asset's integrity, availability, or confidentiality requirements need to be identified.
Since a large number of vulnerabilities and threats can affect the different assets, it is important to properly categorize and prioritize them so that the most critical items can be taken care of first.
The team carrying out the risk assessment needs to figure out the business impact of the identified threats. To estimate potential losses posed by threats, answer the following questions:
What physical damage could the threat cause, and how much would that cost?
How much productivity loss could the threat cause, and how much would that cost?
These are general questions; the specific questions will depend on the types of threats the team uncovers. The team then needs to calculate the probability and frequency of the identified vulnerabilities being exploited.
The team then needs to identify countermeasures and solutions to reduce the potential damages from the identified threats. A security countermeasure must make good business sense, meaning that it is cost-effective and that its benefit outweighs its cost. This requires another type of analysis: a cost/benefit analysis.
A commonly used cost/benefit calculation can be given as:
Value of safeguard to the company =
(ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard)
For example, if the ALE of the threat of a hacker bringing down a Web server is $12,000 prior to implementing the suggested safeguard, $3,000 after implementing the safeguard, and the annual cost of maintenance and operation of the safeguard is $650, then the value of this safeguard to the company is $8,350 each year.
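The ALE formula and the safeguard cost/benefit calculation above, carried through in code. This is an added example, not part of the original article: the SLE and ARO figures, the candidate safeguards and their costs are constructed values chosen so that the first safeguard reproduces the article's $12,000 / $3,000 / $650 case, and the ranking function generalizes the single calculation to comparing several candidate safeguards.

```python
from dataclasses import dataclass


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, as given in the article."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Value of a safeguard = ALE before - ALE after - annual cost of the safeguard."""
    return ale_before - ale_after - annual_cost


@dataclass(frozen=True)
class Safeguard:
    name: str
    ale_after: float   # ALE remaining once this safeguard is in place
    annual_cost: float  # yearly cost to maintain and operate it


def rank_safeguards(ale_before: float, candidates: list[Safeguard]) -> list[tuple[str, float]]:
    """Score each candidate by its value to the company, best first.
    A negative score means the safeguard costs more than the loss it prevents,
    i.e. it does not make good business sense."""
    scored = [(s.name, safeguard_value(ale_before, s.ale_after, s.annual_cost))
              for s in candidates]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample: a web server outage with SLE $4,000 expected three times a year,
# giving the article's ALE of $12,000 before any safeguard.
WEB_SERVER_ALE_BEFORE = annualized_loss_expectancy(sle=4_000, aro=3)

# Constructed candidate safeguards (hypothetical names and figures).
SAMPLE_SAFEGUARDS = [
    Safeguard("patching + web application firewall", ale_after=3_000, annual_cost=650),
    Safeguard("hot standby server", ale_after=6_000, annual_cost=2_000),
    Safeguard("managed DDoS scrubbing service", ale_after=2_000, annual_cost=12_000),
]

if __name__ == "__main__":
    for name, value in rank_safeguards(WEB_SERVER_ALE_BEFORE, SAMPLE_SAFEGUARDS):
        verdict = "worth it" if value > 0 else "not cost-effective"
        print(f"{name:40s} ${value:>9,.0f}/year  {verdict}")
```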
The following items need to be considered and evaluated when deriving the full cost of a countermeasure:
It is important that the team knows how to calculate the actual cost of a countermeasure to properly weigh it against the benefit and savings the countermeasure is supposed to provide.
The following is a short list of what generally is expected from the results of a risk analysis:
Risk analysis can be divided into two major types:
A quantitative risk analysis attempts to assign an objective numeric value (cost) to the components (assets and threats) of the risk analysis. In quantitative risk analysis, all elements of the process, including asset value, impact, threat frequency, safeguard effectiveness, safeguard costs, uncertainty, and probability, are measured and assigned a numeric value. However, achieving a purely quantitative risk analysis is impossible.
A qualitative risk analysis is scenario-driven and doesn’t attempt to assign numeric values to the components (assets and threats) of the risk analysis. In qualitative risk analysis, we develop real scenarios that describe a threat and potential losses to organizational assets. Unlike a quantitative risk analysis, it’s possible to conduct a purely qualitative risk analysis.
As far as the CISSP is concerned, the candidate must know all the core elements of risk management, which also include control. A risk control is a safeguard or countermeasure that reduces the risk associated with a specific threat. The absence of a safeguard against a threat creates a vulnerability and increases the risk.
Risk control can be done through one of three general remedies:
Risk mitigation: implementing the necessary security controls, policies, and procedures to protect an asset. This is achieved by altering, reducing, or eliminating the threat and/or vulnerability associated with the risk.
Risk transfer: to avoid the outcomes of a risk, the potential loss associated with it is assigned to a third party, such as an insurance company.
Risk acceptance: accepting the loss associated with a potential risk.
Note that the measures used to mitigate a threat must not themselves introduce new vulnerabilities. Risk management is an ongoing process that organizations must carry out in order to prevent cyber attacks. The management techniques and processes discussed above are basic and fundamental, and they are also included in the CISSP exam by the International Information Systems Security Certification Consortium.