Risk management concepts and the CISSP (Part 2) [Updated 2022]
Risk management is an important part of the CISSP certification exam. The risk in the context of security is the possibility of damage happening and the consequences should it occur. Risk management is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level. There is no such thing like zero percent risk exists. We must prepare ourselves for the potential threats and their outcomes.
When we look at information security, note that an organization needs to be aware of several types of risk and address them properly. The following items touch on the major categories:
- Physical damage Fire, water, vandalism, power loss, and natural disasters
- Human interaction Accidental or intentional action or inaction that can disrupt productivity
- Equipment malfunction Failure of systems and peripheral devices
- Inside and outside attacks Hacking, cracking and attacking
- Misuse of data Sharing trade secrets, fraud, espionage, and theft
- Loss of data Intentional or unintentional loss of information to unauthorized receivers
- Application error Computation errors, input errors, and buffer overflows
Threats must be identified, classified by category, and evaluated to calculate their damage potential to the organization. The focus is more about applications, devices, viruses and hacking as information security is big business today.
Carrying out risk management properly means that you have a holistic understanding of your organization, the threats it faces, the countermeasures that can be put into place to deal with those threats, proper implementation of risk countermeasures and continuous monitoring to ensure the acceptable risk level is being met on an ongoing basis.
Implementing risk management
Proper risk management requires a strong commitment from senior management, a documented process that supports the organization’s mission, an information risk management policy, and a delegated team for that.
To implement risk management effectively, a proper policy should be documented. The policy should address the following items:
- The objectives of the Risk management team.
- The level of risk the organization will accept and what is considered an acceptable level of risk.
- Formal processes of risk identification.
- The connection between the risk management policy and the organization’s strategic planning processes.
- Responsibilities that fall under risk management and the roles to fulfill them.
- The mapping of risk to internal controls.
- The approach toward changing staff behaviors and resource allocation in response to risk analysis.
- The mapping of risks to performance targets and budgets.
- Key indicators to monitor the effectiveness of controls.
The policy is the initial step as it provides the foundation and direction for the organization’s security risk management processes and procedures, and should address all issues of information security.
In the process of risk management, we perform risk analysis and risk assessment. To implement risk analysis concepts, we must prepare a potential risk analysis team. Same goes to assessment process; we must implement the potential methods to mitigate risk.
Risk analysis team
Risk analysis plays an important role in the process of risk management. It helps integrate the security program objectives with the company’s business objectives and requirements and also helps the company to draft a proper budget for a security program and its constituent security components.
Each organization has different departments, and each department has its functionality, resources, tasks, and quirks. For the most effective risk analysis, an organization must build a risk analysis team that includes individuals from many or all departments to ensure that all of the threats are identified and addressed. This is the most effective way because if the risk analysis team comprises only individuals from the IT department, it may not understand how the company as a whole would be affected if the accounting department’s data files were wiped out by an accidental or intentional act.
To respond effectively, the risk analysis team should ask the following questions:
- What event could occur (threat event)?
- What could be the potential impact (risk)?
- How often could it happen (frequency)?
- What level of confidence do we have in the answers to the first three questions (certainty)?
Viewing threats with these questions in mind helps the team focus on the tasks at hand and assists in making the decisions more accurate and relevant.
Identify threats and vulnerabilities
Risk is the probability of a threat agent exploiting vulnerability to cause harm to an asset and the resulting business impact. User errors, intentional or accidental, are easier to identify by monitoring and auditing user activities. Audits and reviews must be conducted to discover if employees are inputting values incorrectly into programs, misusing technology, or modifying data in an inappropriate manner.
A threat is a possible danger that might exploit a vulnerability to breach security and therefore cause possible harm. However, the vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.
Many types of threat agents can take advantage of several types of vulnerabilities, resulting in a variety of specific threats:
Risk assessment methodologies
The industry has different standardized methodologies when it comes to carrying out risk assessments. Each of the individual methodologies has the same basic core components (identify vulnerabilities, associate threats, calculate risk values), but each has a specific focus.
NIST developed a risk methodology, which is published in their SP 800-30 document. This NIST methodology is named a “Risk Management Guide for Information Technology Systems” and is considered a U.S. federal government standard. It is specific to IT threats and how they relate to information security risks. It lays out the following steps:
- System characterization
- Threat identification
- Vulnerability identification
- Control analysis
- Likelihood determination
- Impact analysis
- Risk determination
- Control recommendations
- Results documentation
Failure Modes and Effect Analysis (FMEA) is another method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process.
The goal is to identify where something is most likely going to break and either fix the flaws that could cause this issue or implement controls to reduce the impact of the break. The FMEA methodology uses failure modes (how something can break or fail) and effects analysis (impact of that break or failure).
FMEA is most useful as a survey method to identify major failure modes in a given system; the method is not as useful in discovering complex failure modes that may be involved in multiple systems or subsystems.
By following a specific order of steps, the best results can be maximized for an FMEA:
- Start with a block diagram of a system or control.
- Consider what happens if each block of the diagram fails.
- Draw up a table in which failures are paired with their effects and an evaluation of the effects.
- Correct the design of the system, and adjust the table until the system is not known to have unacceptable problems.
- Have several engineers review the Failure Modes and Effect Analysis.
The table shows the example of how an FMEA can be carried out and documented:
Unfortunately, security policies, standards, and management guidelines often are written because an auditor instructed a company to document these items, but then they are placed on a file server and are not shared, explained, or used. To be useful, they must be put into action. To be effective, employees need to know about all the potential risk that may encounter in their organization.
Being a CISSP candidate you should fully understand access control concepts, methodologies and their implementation within centralized and decentralized environments across an organization’s computing environment.
The identity and access management domain covers mechanisms by which a system grants or revokes the right to access data or perform an action on an information system.
- File permissions, such as “create,” “read,” “edit,” or “delete” on a file server
- Program permissions, such as the right to execute a program on an application server
- Data rights, such as the right to retrieve or update information in a database
To implement access control, threats must be classified. Which types of controls are implemented per classification depends upon the level of protection that management and the security team have determined is needed. Access controls enable management to:
- Specify which user can access the resources contained within the information system
- Specify what resources they can access
- Specify what operations they can perform
- Provide individual accountability
Security consideration in system life cycle (SLC):
Initiation Phase (IEEE 1220: Concept Stage)
- Survey & understand the policies, standards, and guidelines
- Identify information assets (tangible & intangible)
- Define information security categorization & protection level
- Define rules of behavior
Acquisition / Development Phase (IEEE 1220: Development Stage)
- Conduct business impact analysis (a.k.a. risk assessment)
- Define security requirements and select security controls
- Perform cost/benefit analysis (CBA)
- Security planning (based on risks & CBA)
- Practice Information Systems Security Engineering (ISSE) Process to develop security controls
- Develop security test & evaluation plan for verification & validation of security controls
Implementation Phase (IEEE 1220: Production Stage)
- Implement security controls in accordance with baseline system design and update system security plan
- Perform Security Certification & Accreditation of the target system
Operations / Maintenance Phase (IEEE 1220: Support Stage)
- Configuration management & performs change control
- Continuous monitoring – perform a periodic security assessment
Disposition Phase (IEEE 1220: Disposal Stage)
- Preserve information: archive and store electronic information
- Sanitize media: Ensure the electronic data stored on the disposed of media are deleted, erased and over-written
- Dispose of hardware. Ensure all electronic data resident in hardware are deleted, erased, and over-written (i.e. EPROM, BIOS, etc.)
In the context of risk management in CISSP, classification is the process in which we identify and characterize the critical information assets (i.e. sensitivity). Moreover, we explain the level of safeguarding (protection level) and how the information assets should be handled (sensitivity and confidentiality).
Process of classification
- Determine data classification project objectives
- Establish organizational support
- Develop data classification policy
- Develop data classification standard
- Develop data classification process flow and procedure
- Develop tools to support processes
- Identify application owners
- Identify data owners and date owner delegates
- Distribute standard templates
- Classify information and applications
- Develop auditing procedures
- Load information into a central repository
- Train users
- Periodically review and update data classifications
- Top Secret shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority can identify or describe.
- Secret shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority can identify or describe.
- Confidential shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security that the original classification authority can identify or describe.
Types of security controls
- Directive Controls: Policy and standard that advise employees of the expected behavior for protecting an organization’s information asset from unauthorized access
- Preventive Controls: Physical, administrative, and technical measures intended to prevent unauthorized access to organization’s information asset
- Detective Controls: Practices, processes, and tools that identify and possibly react to unauthorized access to information asset
- Corrective Controls: Physical, administrative, and technical countermeasures designed to react to security incident(s) to reduce or eliminate the opportunity for the unwanted event to recur
- Recovery Controls: The act to restore access controls to protect organization’s information asset
Categories of security controls
- Management (Administrative) Controls: Policies, Standards, Processes, Procedures, & Guidelines
- Administrative Entities: Executive-Level, Mid.-Level Management
- Operational (and Physical) Controls: Operational Security (Execution of Policies, Standards & Process, Education & Awareness)
- Service Providers: IA, Program Security, Personnel Security, Document Controls (or CM), HR, Finance, etc
- Physical Security (Facility or Infrastructure Protection)
- Locks, Doors, Walls, Fence, Curtain, etc.
- Service Providers: FSO, Guards, Dogs
- Technical (Logical) Controls: Access Controls, Identification & Authorization, Confidentiality, Integrity, Availability, Non-Repudiation.
- Service Providers: Enterprise Architect, Security Engineer, CERT, NOSC, Helpdesk.
Monitor & management
However, performing risk analysis and assessment will not make your organization secure. There is no such thing as fully secured. So, you must go for maintaining the preparedness by monitoring and managing the risks. There are systems available from which we can monitor network traffic to detect and prevent any threat or risk.
Intrusion prevention and detection
- Intrusion Prevention System (IPS): An Intrusion Prevention System (IPS) is a network security/threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits. It is an Inline preventive control device.
- Intrusion Detection Systems (IDS): An Intrusion Detection System (IDS) is a device or software application that monitors a network or system for malicious activity or policy violations. It is a Passive monitoring device that passively monitors and audits transmitted packets.
IDS analysis methods & engine
- Pattern Matching Method
- Scans incoming packets for specific byte sequences (signatures) stored in a database of known attacks
- Identifies known attacks
- Require periodic updates to signatures
- Stateful Matching Method
- Scan traffic stream rather than individual packets
- Identifies known attacks
- Detects signatures across multiple packets
- Require periodic updates to signatures
- Statistical / Traffic Anomaly-based
- Develop baseline of “normal” traffic activities and throughput
- Can identify unknown attacks and DoS
- Must have a clear understanding of “normal” traffic for IDS tuning
- Protocol Anomaly-based
- Looks for deviations from RFC (Request for Comment) standards
- Can identify unknown attacks
Audit trail monitoring
The audit trail is a record of system activities that capture system, network, application & user activities. It alerts security officers of suspicious activities, provides details on non-conformance or illegal activities and information for legal proceedings.
By applying and implementing the methods and systems mentioned above, we can minimize the risks, and make our organization prepared for any potential risk. However, we cannot eliminate the risk factor completely, we must adopt and implement the risk management concepts to mitigate the risks.