CASP Domain 2: Risk Management and Incident Response

March 16, 2018 by Fakhar Imam

Risk Management and Incident Response falls under the second domain of the CompTIA Advanced Security Practitioner (CASP, edition CAS-002) exam and contributes 20% to the exam objectives. Before taking the CASP exam, you will need to understand the following concepts about risk management and incident response.

What Business and Industry Related Risks Do I Need to Know for CASP?

As a CASP certification holder, you must be able to analyze risk implications with regard to business decisions as well as numerous other business activities that we will describe below:

Risk management of new products, new technologies, and user behaviors
New products, technologies, and user behaviors are constantly evolving. You cannot stop them from developing, but you can mitigate the risks associated with them. Risk mitigation requires you to adopt change management and incident management, review user rights and permissions, perform routine audits, enforce policies and procedures, and enforce technology controls.

New or changing business models/strategies
In the age of globalization, businesses have expanded from one country to another and even from one continent to another, and these industries are intricately interlinked with one another. From an IT perspective, such partnerships may encounter numerous security risks. To avert such risks, CASP professionals must be aware of the various business models, including partnerships, outsourcing, Cloud, and merger and demerger/divestiture.

Security concerns of integrating diverse industries
Integrating diverse industries may invite several security complications, including the proper interpretation of rules, policies, regulations, and geography. For example, geography may trigger further issues when two enterprises situated in different countries merge. Under such circumstances, the countries may have different legal or regulatory requirements that contradict each other but will nevertheless have to be reconciled.

Ensuring third-party providers have requisite levels of information security
Third-party outsourcing can be a liability, one that enterprises must consider as part of their risk assessment process. Outsourcing is the process whereby one company has a particular job function performed by another company instead of having in-house workers or a department handle that function. The security considerations when outsourcing include downstream liability, due diligence, and due care.

Internal and external influences
In industrialized countries such as the United States and the UK, organizations have developed their own policies to define their operational activities and govern their personnel. The internal factors include high-level policies and audit findings, which can have a large impact on business continuity operations.

Impact of de-perimeterization
De-perimeterization is a network security approach that protects a company’s data on multiple levels by utilizing encryption schemes and authentication mechanisms rather than relying on a single network boundary. De-perimeterization applies when enterprises utilize telecommuting, Cloud technologies, Bring-Your-Own-Device (BYOD), and outsourcing.

What Risk Mitigation Planning, Strategies, and Controls Do I Need to Know for CASP?

This section briefly explains the risk mitigation planning, strategies, and controls that you will need to know for the CASP exam.

Classify information types into levels of CIA based on organization/industry
The fundamentals of enterprise IT security are Confidentiality, Integrity, and Availability (CIA), also referred to as the CIA triad. Confidentiality is the act of preventing the unauthorized disclosure of information. It can be accomplished through encryption, steganography, ACLs, and data classification. Integrity ensures that data is not corrupted or altered by malicious actors. It can be achieved through hashing, checksum procedures, and digital signatures. Lastly, availability ensures that data and resources are available to authorized persons when needed. Other essential concepts include the Information Classification Lifecycle; Commercial Business Classification, which involves four classification levels (confidential, private, sensitive, and public); and Military and Government Classification, which incorporates five classification levels (top secret, secret, confidential, sensitive but unclassified, and unclassified).

Incorporate stakeholder input into CIA decisions
When determining CIA levels, security professionals should also collaborate with stakeholders to obtain their input and thereby better protect the corporation’s digital assets. For example, if a department head is called in to aid in making a CIA decision, the other stakeholders in the same department should also be consulted.

Implement Technical Controls Based on CIA Requirements and Policies of the Organization
Soon after technical controls are implemented, a “gap analysis” should be performed to check whether any security gap remains. In addition, the CASP certified professional should know the access control categories, including compensative, corrective, detective, deterrent, directive, preventive, and recovery. There are also three types of access controls: administrative controls, physical controls, and logical controls.

Determine the aggregate score of CIA
The aggregate CIA score can be determined with the formula SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}, which pairs each of the three CIA properties with its assessed impact.

Extreme scenario planning/worst case scenario
When planning security, enterprises must conduct extreme scenario/worst case scenario planning in order to make sure that leaders at the corporate level anticipate any disastrous event before it occurs and execute the appropriate plan accordingly.

Determine minimum required security controls based on aggregate score
Security professionals must implement minimum required security controls for all corporate digital assets based on the aggregate score.

Conduct System-Specific Risk Analysis
Conducting system-specific risk analysis requires security professionals to identify assets and their values, identify threats and vulnerabilities, determine threat probability and its potential impact on the business, and balance the threat impact against the cost required for countermeasure strategies.

Make risk determinations
Making a risk determination requires security experts to perform a risk analysis. Risk analysis can be either qualitative or quantitative. Furthermore, the “magnitude of impact” imposed by the risk can be calculated through Annualized Loss Expectancy (ALE) and Single Loss Expectancy (SLE) calculation factors. Another important concept you should know is “likelihood of threat.” It measures the chances of a threat occurrence, and it can be determined by examining the source, motivation, Annualized Rate of Occurrence (ARO), and trend analysis. Risk determination is also performed through Return on Investment (ROI), which refers to the money lost or gained after a company makes an investment. Another technique for risk determination is Total Cost of Ownership (TCO).

Recommend which strategy should be applied based on risk appetite
Once the risk is identified, there are four possible responses that can be applied based on the organization’s risk appetite. The four responses are: avoid, transfer, mitigate, or accept.
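The following Python risk register is an added worked example, not part of the original article or of any CompTIA material. It ties together the system-specific risk analysis described above (asset value, threat probability, countermeasure cost), the SC aggregate formula for CIA, the SLE/ALE/ARO factors used for magnitude of impact and likelihood, and the four responses (avoid, transfer, mitigate, accept). It assumes the standard quantitative formulas SLE = asset value × exposure factor and ALE = SLE × ARO, assumes that the SC formula is reduced to one level by the FIPS 199 high-water mark rule (the article gives the formula but not the reduction rule), and uses a simple decision rule for choosing a response that is this example’s own assumption, not an exam-defined algorithm. All asset values, exposure factors, ARO figures and costs are constructed sample numbers.

```python
"""Added illustration of quantitative risk determination (not from the article).

Assumptions (labelled here and in comments below):
- SLE = asset value x exposure factor; ALE = SLE x ARO (standard formulas)
- the CIA aggregate uses the FIPS 199 high-water mark (highest impact wins)
- the accept/mitigate/transfer/avoid decision rule is this example's own
- every number in the sample scenarios is constructed, not real data
"""
from dataclasses import dataclass
from typing import Optional

# Impact levels as used in FIPS 199 security categorization.
IMPACT_RANK = {"low": 1, "moderate": 2, "high": 3}


def aggregate_cia_score(confidentiality: str, integrity: str, availability: str) -> str:
    """Reduce SC = {(C, impact), (I, impact), (A, impact)} to a single level.

    Assumption: high-water mark rule. The result is what selects the minimum
    required control baseline for the system.
    """
    levels = (confidentiality, integrity, availability)
    for level in levels:
        if level not in IMPACT_RANK:
            raise ValueError(f"unknown impact level: {level!r}")
    return max(levels, key=IMPACT_RANK.__getitem__)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: monetary loss from one occurrence (exposure factor = fraction lost)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: expected loss per year, with ARO = expected occurrences per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def countermeasure_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual benefit of a control: loss avoided minus the control's yearly cost.

    A negative value means the control costs more than the risk it removes."""
    return (ale_before - ale_after) - annual_cost


@dataclass
class RiskScenario:
    name: str
    asset_value: float
    exposure_factor: float
    aro: float                            # ARO with no additional control
    control_annual_cost: float            # yearly cost of the candidate control
    control_residual_aro: float           # ARO expected once the control is in place
    transfer_annual_cost: Optional[float] # e.g. an insurance premium; None if not transferable


def recommend_response(scenario: RiskScenario, risk_appetite: float) -> dict:
    """Choose one of the four responses based on the organisation's risk appetite.

    Decision rule (an assumption of this example):
      accept   - ALE is already within the yearly risk appetite
      mitigate - a control pays for itself (positive countermeasure value)
      transfer - no control is worth it, but transferring costs less than the ALE
      avoid    - none of the above: stop the activity carrying the risk
    """
    sle = single_loss_expectancy(scenario.asset_value, scenario.exposure_factor)
    ale = annualized_loss_expectancy(sle, scenario.aro)
    residual_ale = annualized_loss_expectancy(sle, scenario.control_residual_aro)
    cm_value = countermeasure_value(ale, residual_ale, scenario.control_annual_cost)

    if ale <= risk_appetite:
        response = "accept"
    elif cm_value > 0:
        response = "mitigate"
    elif scenario.transfer_annual_cost is not None and scenario.transfer_annual_cost < ale:
        response = "transfer"
    else:
        response = "avoid"
    return {"scenario": scenario.name, "sle": sle, "ale": ale,
            "residual_ale": residual_ale, "countermeasure_value": cm_value,
            "response": response}


# Constructed sample register (hypothetical assets and figures).
SAMPLE_SCENARIOS = [
    RiskScenario("customer database ransomware", 500_000, 0.4, 0.5, 25_000, 0.1, None),
    RiskScenario("office laptop theft", 2_000, 1.0, 2.0, 3_000, 0.5, None),
    RiskScenario("warehouse flood", 1_000_000, 0.3, 0.05, 20_000, 0.01, 9_000),
    RiskScenario("unsupported legacy application", 300_000, 0.5, 1.0, 200_000, 0.05, None),
]
RISK_APPETITE_PER_YEAR = 10_000  # constructed: the most the organisation will absorb per risk per year


def run_register(scenarios=SAMPLE_SCENARIOS, risk_appetite=RISK_APPETITE_PER_YEAR) -> list:
    """Evaluate every scenario and return the recommendations."""
    return [recommend_response(s, risk_appetite) for s in scenarios]


if __name__ == "__main__":
    print("system SC (high-water mark):", aggregate_cia_score("low", "high", "moderate"))
    for row in run_register():
        print(f"{row['scenario']:<34} SLE={row['sle']:>10,.0f} ALE={row['ale']:>10,.0f} "
              f"CM value={row['countermeasure_value']:>10,.0f} -> {row['response']}")
```

The countermeasure value is what operationalizes “balance the threat impact against the cost of countermeasures”: a control with a negative value is not rejected outright, it simply loses to transfer or avoidance in this rule set. Changing `RISK_APPETITE_PER_YEAR` moves the accept boundary without touching any of the formulas.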

Risk management processes
CASP candidates should learn the four risk management processes: exemption, deterrence, inherent, and residual.

In addition to the above-mentioned risk mitigation planning, strategies, and controls, there are more that involve enterprise security architecture frameworks, continuous improvement/monitoring, business continuity planning, and IT governance.

What Do I Need to Know About Security, Privacy Policies, and Procedures Based on Organizational Requirements?

Below, we will talk about the concepts that you need to know about security, privacy policies, and procedures based on organizational requirements.

Policy development and updates in light of new business, technology, risks and environment change
Technological changes occur when new technologies are introduced in the IT industry. Risk changes also occur because threat actors continually develop new strategies for launching cyber-attacks against enterprises. Finally, environmental changes may occur due to natural disasters and changes in temperature, humidity, and so on. All these changes require policy development as well as continual updates so that the policy addresses all current scenarios. Security policy can be developed using the ISO/IEC 27000 series of standards. Moreover, process or procedure development and updates in light of policy, environment, and business changes are also essential.

Support legal compliance and advocacy by partnering with HR, legal, management and other entities
Legal compliance ensures that a company complies with the laws, rules, and regulations related to its business. Legal advocacy, on the other hand, is a process conducted by or on behalf of a corporation to influence public policy and resource allocation decisions within social, economic, and political systems. Organizations must involve their Human Resource (HR) department, legal department, management, and other legal entities to achieve full legal compliance and legal advocacy.

Use common business documents to support security
There are numerous indispensable documents and legal agreements available for organizations to enhance their IT security. These documents include the Business Impact Analysis (BIA), Risk Assessment (RA)/Statement of Applicability (SOA), Interconnection Security Agreement (ISA), Interoperability Agreement (IA), Service Level Agreement (SLA), Memorandum of Understanding (MOU), Operating Level Agreement (OLA), Business Partnership Agreement (BPA), and Non-Disclosure Agreement (NDA).

Use general privacy principles for sensitive information (PII)
PII, or Personally Identifiable Information, is any information that can help trace or distinguish an individual’s identity, such as name, identification number, telephone number, date of birth, and address. Protecting the PII of each employee should be one of an organization’s top priorities, because leakage of such information may create unnecessary legal complications.

Support the development of policies
This includes crucial work-related tasks such as separation of duties, mandatory vacation, job rotation, incident response, least privilege, employment and termination procedures, forensic tasks, training and awareness for users, auditing requirements and frequency, and continuous monitoring.

What Incident Response and Recovery Procedures Do I Need to Know for CASP?

There are numerous incident response and recovery procedures, but CASP candidates should focus on the following essentials to pass the exam:

E-discovery: This is the process of recovering all the data residing on electronic media for forensic purposes. Once the data is recovered, it should be processed through security procedures, including electronic inventory and asset control, data recovery and storage, data retention policies, data handling, data ownership, and data holds.

Data breach: This is an incident that occurs when sensitive or confidential data is compromised or released to unauthorized personnel. Once an incident occurs, the incident response team is called in to respond immediately. The team must have training in detection and collection, mitigation, recovery/reconstitution, response, and disclosure.

Design systems to facilitate incident response: The organization should ensure that its systems are designed so that they facilitate incident response in the event of a disaster. When a security breach or incident takes place, the malicious parties may be internal or external groups or individuals. The internal and external violations can be company privacy policy violations, insider threats, criminal acts, and non-malicious threats or misconfigurations.

Incident and emergency response: Incident and emergency response requires preparing the Chain of Custody, performing forensic analysis of the compromised system, creating a Continuity of Operation Plan (COOP), and considering the Order of Volatility when collecting data from the compromised system.

Where Should I Focus My Time Studying?

Although passing the CASP exam is a herculean task, engaging in the right course of professional study and studying the appropriate material will lead you to accomplish your cherished goal of CASP certification. Students should focus their time on CompTIA’s official material, which carries the CompTIA Authorized Quality Curriculum (CAQC) seal. Here is a CASP Resources article that includes everything you need to know to get started.

InfoSec’s CASP Boot Camp—Your First Bet

Do you want to take the CompTIA CASP exam? Fortunately, InfoSec Institute offers a uniquely designed CASP Boot Camp for candidates preparing for the CASP examination. The goal of this course is to provide IT experts with the most comprehensive accelerated environment for the CASP exam. You can enroll in this course to acquire a professional CASP certification.

InfoSec also offers thousands of articles on a variety of security topics.


Fakhar Imam is a professional writer with a Master of Science in Information Technology (MIT). To date, he has produced articles on a variety of topics, including computer forensics, CISSP, and various other IT-related subjects.
