CISSP domain 1: Security and risk management — What you need to know for the exam
Risk is a crucial element in all our lives. In every action we plan to take in our personal and professional lives, we need to analyze the risks associated with it. From a cybersecurity perspective, industries such as energy, healthcare, banking, insurance and retail involve a lot of risks that impede the adoption of technology and need to be effectively managed. The associated risks which need to be addressed evolve quickly and must be handled in a short period of time.
Both simple and advanced devices are now part of our everyday lives, ranging from road signs to intelligent vending machines to advanced diagnosing medical services. Each of these types of devices needs to be secured since they all have their own requirements regarding Confidentiality, Integrity, and Availability of the data or resources they provide.
Risk management involves comprehensive understanding, analysis and mitigation of risk to help organizations achieve their information security objective. Risk is fundamentally inherent in every aspect of information security decisions and thus risk management concepts help aid each decision to be effective in nature.
CISSP domain 1: Security and risk management
- Understand, adhere to and promote professional ethics
- Understand and apply security concepts
- Evaluate and apply security governance principles
- Determine compliance and other requirements
- Understand legal and regulatory issues that pertain to information security in a holistic context
- Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)
- Develop, document, and implement security policy, standards, procedures and guidelines
- Identify, analyze and prioritize Business Continuity (BC) requirements
- Contribute to and enforce personnel security policies and procedures
- Understand and apply risk management concepts
- Understand and apply threat modeling concepts and methodologies
- Apply Supply Chain Risk Management (SCRM) concepts
- Establish and maintain a security awareness, education and training program
Goals of a security model
The two primary objectives of information security within the organization from a risk management perspective include:
- Have controls in place to support the mission of the organization.
- All the decisions should be based on the risk tolerance of the organization.
Strategy leads to tactics, tactics lead to operations
Then, the strategic goals may refer to having all domains centrally administered and implementing VPNs and RADIUS servers to provide a highly secure environment that provides a good amount of assurance to the management and employees.
A security model has different layers, but it also has different types of goals to accomplish in different time frames.
- Operational goals: Daily goals, or operational goals, focus on productivity and task-oriented activities to ensure the company’s functionality in a smooth and predictable manner. Operational goals may include patching computers as needed, supporting users, updating anti-virus signatures, and maintaining the overall network on a daily basis.
- Tactical goals: Corresponding mid-term goals, or tactical goals, could involve moving computers into domains, installing firewalls and segregating the network by creating a demilitarized zone. Other tactical goals could include integrating all workstations and resources into one domain so more central control can be achieved.
- Strategic goals: A long-term goal, or strategic goal, may involve moving all the branches from dedicated communication lines to frame relay, implementing IPSec virtual private networks (VPNs) for all remote users instead of dial-up entry, and integrating wireless technology with the comprehensive security solutions and controls existing within the environment.
This technique and approach to strategy is called the planning horizon. A company cannot usually implement all changes at once, and some changes are larger than others. Several times there arises a situation wherein certain changes cannot happen until some other changes take place. If an organization whose network is currently decentralized, and works in workgroups without any domain trust, wants to implement its own certificate authority (CA) and public key infrastructure (PKI) enterprise-wide, this cannot happen in a week’s time.
The operational goals are to keep production running smoothly and make small steps towards readying the environment for a domain structure. The tactical goal would be to put all workstations and resources into a domain structure and centralize access control and authentication. The strategic goal is to have all workstations, servers, and devices within the enterprise use the public key infrastructure to deliver authentication, encryption, and additional secure communication channels.
Generally, security works best if its operational, tactical and strategic goals are defined and work to support each other. This can be more difficult than it appears.
Security fundamentals: CIA
Confidentiality, integrity and availability (the CIA triad) is a typical security framework intended to guide policies for information security within an organization.
1. Confidentiality: Prevent unauthorized disclosure
Confidentiality of information refers to protecting the information from disclosure to unauthorized parties.
Key areas for maintaining confidentiality:
- Social engineering: Training and awareness, defining separation of duties at the tactical level, enforcing policies and conducting vulnerability assessments
- Media reuse: Proper sanitization strategies
- Eavesdropping: Use of encryption and keeping sensitive information off the network with adequate access controls
2. Integrity: Detect modification of information
The integrity of information denotes protecting sensitive information from being modified by unauthorized parties.
Key areas for maintaining confidentiality:
- Implement encryption using integrity-based algorithms
- Prevent intentional or malicious modification (message digest, MAC, digital signatures)
3. Availability: Provide timely and reliable access to resources
Availability of information signifies ensuring that all the required or intended parties are able to access the information when needed.
Key areas for maintaining availability:
- Prevent single point of failure
- Comprehensive fault tolerance (data, hard drives, servers, network links, etc.)
Best practices to support CIA
- Separation of duties: Prevents any one person from becoming too powerful within an organization. This policy also provides singleness of focus. For instance, a network administrator who is concerned with providing users access to resources should never be the security administrator. This policy also helps prevent collusion as there are many individuals with discrete capabilities. Separation of duties is a preventative control.
- Mandatory vacations: Prevents an operator from having exclusive use of a system. Periodically, that individual is forced to take a vacation and relegate control of the system to someone else. This policy is a detective control.
- Job rotation: Similar in purpose to mandatory vacations, but with the added benefit of cross-training employees.
- Least privilege: Allowing users to have only the required access to do their jobs.
- Need to know: In addition to clearance, users must also have a “need to know” to access classified data.
- Dual control: Requiring more than one user to perform a task.
Risk management and the CISSP
Risk management is the process of identifying, examining, measuring, mitigating or transferring risk. Its main goal is to reduce the probability or impact of an identified risk. The risk management lifecycle includes all risk-related actions such as assessment, analysis, mitigation and ongoing risk monitoring, which we will discuss in the latter part of this article.
The success of a security program can be traced to a thorough understanding of risk. Without proper consideration and evaluation of risks, the correct controls may not be implemented. Risk assessment ensures that we identify and evaluate our assets, then identify threats and their corresponding vulnerabilities.
Risk analysis allows us to prioritize these risks and ultimately assign a dollar value to each risk event. Once we have a dollar value for a particular risk, we can then make an informed decision as to which mitigation method best suits our needs. And finally, as with all elements of a security policy, ongoing evaluation is essential. New attacks and other threats are always emerging, and security professionals must stay informed and up to date.
Best practices to support risk management
- Every decision starts with looking at risk.
- Determine the value of your assets.
- Evaluate and identify cost-effective solutions to reduce risk to an acceptable level (rarely can we eliminate risk).
- Keep in mind that safeguards are proactive and countermeasures are reactive.
The following definitions are crucial for risk management:
- Asset: Anything of value to the company
- Vulnerability: A weakness, the absence of a safeguard
- Threat: Things that could pose a risk to all or part of an asset
- Threat agent: The entity which carries out the attack
- Exploit: An instance of compromise
- Risk: The probability of a threat materializing
- Controls: Physical, administrative and technical protections (including both safeguards and countermeasures)
Multiple scenario-based use cases are evaluated in the CISSP exam, based on the following general sources of risk:
- Weak, unpatched or non-existing anti-virus software
- Disgruntled employees posing an internal threat
- Poor physical security controls
- Weak access controls
- Lack of change management
- Lack of formal processes for hardening systems
- Poorly trained users and lack of awareness
Lifecycle of risk management
- Risk assessment: Categorize, classify and evaluate assets, as well as identify threats and vulnerabilities
- Risk analysis: Both qualitative and quantitative
- Risk mitigation/response: Includes reducing or avoiding risk, transferring risk, and accepting or rejecting risk
Each section within the lifecycle is crucial for CISSP and has been further defined below.
1. Risk assessment
Looks at risks corresponding to identified parameters for a specific period and must be reevaluated periodically. Managing risks is an ongoing process. The following steps are officially part of a risk assessment as per NIST 800-30:
- System characterization
- Threat identification
- Vulnerability identification
- Control analysis
- Likelihood determination
- Impact analysis
- Risk determination
- Control recommendation
- Results documentation
2. Risk analysis
Risk can be analyzed through a qualitative and quantitative lens.
Qualitative analysis is subjective in nature and uses words like “high,” “medium,” “low” to describe the likelihood and severity of the impact of a threat exposing a vulnerability.
Quantitative analysis is objective and numbers-driven. It requires more experience than qualitative analysis and involves calculations to determine a dollar value associated with each risk element. Business decisions are fundamentally driven by this type of analysis. It is essential in order to conduct a cost/benefit analysis
Key pointers to be remembered for risk analysis include:
- AV: Asset value
- EF: Exposure factor
- ARO: Annual rate of occurrence
- Single loss expectancy = AV * EF
- Annual loss expectancy = SLE * ARO
- Risk value = probability * impact (Probability is how likely it is for the threat to materialize and impact the extent of the damage)
3. Mitigating risk
There are three acceptable responses to risk mitigation:
Organizations need to continue to monitor for risks. How an organization decides to mitigate business risks becomes the basis for security governance and policy.
Security governance and policy
The goal of security governance is to ensure that security strategies, goals, risks and objectives are assessed according to a top-down model. By doing so, we ensure that those ultimately responsible for the success or failures of a security program are directly involved.
To achieve security governance, security blueprints have to be created to allow organizations to implement practices and procedures to support their security goals and the overall mission of the organizations. Various industry consortiums have provided insight into the goals, objectives, and means of developing successful information security management systems (ISMS).
The following industry standards are some of those which provide multiple frameworks that could be reviewed when creating security baselines to achieve security governance.
- BS 7799, ISO 17799, and 27000 Series
- COBIT and COSO
Approach to security management
Poor security management causes the majority of a company’s security problems. Security needs to be directed and supported by top management, referred to as the top-down approach because, without that, any security efforts will be doomed. Unfortunately, most companies follow a bottom-up approach, where the IT department takes security seriously and attempts to develop a security program. This approach usually will not provide those individuals with the necessary funds, support, resources, or attention. Thus, it is often doomed from the start.
Information Management Security Program primarily consists of the following key areas to be aware of:
- Roles and responsibilities
- SLA’s service level agreements/outsourcing
- Data classification/security
Senior management’s roles and responsibilities across the following areas are generally evaluated for CISSP and are crucial for the overall understanding of the security risk management for any organization.
- Development and support of policies: Senior management is responsible for the company-wide policies within an organization. These policies should be high-level statements from management that detail the company’s philosophy and commitment to security. Additionally, it is the management’s responsibility to ensure the enforcement of these policies and to lead by example.
- Allocations of resources: Senior management is also responsible for providing the necessary resources to enable policies to be carried out. A true understanding of issues regarding liability is necessary in order to justify the resources.
- Decisions based on risk: It is senior management’s task to be the ultimate decision-makers for the organization. Once provided with the facts from a risk analysis, it is up to management to make decisions on forms of risk mitigation.
- Security policy: The organization’s security policy is a high-level document that contains generalized terms of the management’s directive pertaining to security’s role within the organization. It establishes how a security program will be set up, dictates the program’s goals, assigns responsibility, shows the background, and explains the strategic and tactical values of security. It explains how enforcement will be carried out and addresses laws and regulations that it fulfills. It will provide scope and direction for all future activities within the organization. After the security policy is defined, the next step is creating the standards, guidelines, procedures, baselines, etc. The security policy should always support the strategic goals of the organization.
For more information on the CISSP certification, view our CISSP certification hub.