Today let’s take a look at the CISSP Domain that deals with Information Security Governance and Risk Management. When we speak about IS Governance we’re talking about how management views security, how the security organization is structured, who the Information Security Officer (ISO) reports to and some basic guiding principles for security. First and foremost, information security is not just about IT. The fundamental principles of security revolve around the CIA triad. No, that’s not the Central Intelligence Agency, but rather confidentiality, integrity, and availability. Availability means the data is available when needed (think about a Denial of Service attack that stops access to your data); Integrity means the data is accurate and has not been modified (think about your checking account balance; you wouldn’t want someone changing that); and finally, Confidentiality (think PII, personally identifiable information) means your data stays private: only the people who should know or have access to your private information know and have access.
There has been a lot of talk lately about DAD (Disclosure-Alteration-Destruction) vs. CIA (Confidentiality-Integrity-Availability), so for your information:
When we talk about Confidentiality, we mean the data hasn’t been Disclosed.
When we talk about Integrity, we mean the data hasn’t been Altered.
And when we talk about Availability, we mean the data is there and hasn’t been Destroyed.
In information risk management there are several concepts that you need to review and understand. First let’s look at Q vs. Q, or quantitative vs. qualitative risk assessment. If you can determine a specific amount or quantity then it is a quantitative analysis, e.g. the system will be down for 24 hours; it is an objective risk assessment. On the other hand, if you can’t quantify the variables and the decisions are subjective, then the risk assessment is qualitative. There are a number of risk management frameworks, including:
- Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
- Factor Analysis of Information Risk (FAIR)
- National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF)
- Threat Agent Risk Assessment (TARA), a recent creation
And you should follow the links above and become familiar with these.
In risk analysis, there are a number of concepts that you will need to understand. First, what is the value of your information and assets? (Asset Valuation or AV) Second, what are the threats against those assets? Third, what are the vulnerabilities associated with those assets? Finally, what is the impact or probability that the threat/vulnerability will have on the organization?
So now here are some formulas that you need to know:
1) Single Loss Expectancy (SLE) is the cost of a single loss and can be calculated by multiplying Asset Value (AV) by Exposure Factor (EF), which is the portion of the asset’s value lost in one incident, i.e. the impact the loss of this asset will have on the organization. SLE = AV * EF
2) Annual Rate of Occurrence (ARO) is how many times per year you expect to lose the asset.
3) Annualized Loss Expectancy (ALE) is an expression of your annual anticipated loss due to risk and can be calculated by multiplying SLE by ARO. ALE = SLE * ARO.
4) And finally, Risk = Asset Value * Threat * Vulnerability * Impact
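As an added worked example (not from the original post), here are the SLE and ALE formulas above in Python with constructed figures. It goes one step beyond the post by netting a safeguard’s annual cost against the reduction in ALE it buys, the usual way a quantitative assessment decides whether a control is worth paying for.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One threat/vulnerability pair against one asset (all figures constructed)."""
    name: str
    asset_value: float      # AV: value of the asset in dollars
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0 .. 1.0
    aro: float              # ARO: expected occurrences per year (0.25 = once every four years)

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Net annual value of a safeguard: (ALE before) - (ALE after) - annual cost of the control.

    A positive result means the control saves more per year than it costs.
    """
    return before.ale() - after.ale() - annual_cost


# Constructed scenario: a customer-facing web server valued at $50,000.
# A DoS outage is estimated to cost 25% of that value per incident, twice a year.
dos_unmitigated = RiskScenario("DoS against web server", asset_value=50_000,
                               exposure_factor=0.25, aro=2.0)
# Same scenario after adding upstream DDoS scrubbing: EF unchanged, ARO drops to once in four years.
dos_mitigated = RiskScenario("DoS against web server (scrubbing in place)", asset_value=50_000,
                             exposure_factor=0.25, aro=0.25)

if __name__ == "__main__":
    print(f"SLE = ${dos_unmitigated.sle():,.0f}")   # 12,500
    print(f"ALE = ${dos_unmitigated.ale():,.0f}")   # 25,000
    net = safeguard_value(dos_unmitigated, dos_mitigated, annual_cost=8_000)
    print(f"Net value of scrubbing at $8,000/yr = ${net:,.0f}")  # 13,875
```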
Policies, Standards, Procedures and Guidelines
Policies, standards and procedures are required, i.e. you must do these. Guidelines are suggestions; they are optional.
You should be familiar with the different roles and responsibilities in information security, including: System Owner, Data Owner, Data Custodian, Security Administrator and System Administrator.
And while we’re talking about roles and responsibilities, don’t forget that all of these roles require security awareness training. All must have the basics and then each role will have specific training for their individual position.