Information Security Governance and Risk Management.docx


  • 7/28/2019 Information Security Governance and Risk Management.docx


    Information Security Governance and Risk Management

    Confidentiality - prevent unauthorized disclosure of sensitive information (e.g. national defense)

    Integrity - prevent unauthorized modification of systems and information (e.g. banking)

    Availability - prevent disruption of service and productivity (e.g. e-commerce)

    ISO/IEC 17799 (renumbered ISO/IEC 27002 in 2007) and ISO/IEC 27001 Annex A control domains (the two lists are identical)

    Security policy

    Organizing information Security

    Asset management

    Human Resources Security

    Physical and Environmental security

    Communications and operations management

    Access control

    Information systems acquisition, development and maintenance

    Information security incident management

    Business continuity management

    Compliance

    Plan-Do-Check-Act (PDCA) model: security is an ongoing process, never a finished state

    Plan

    Do (implement)

    Check (monitor and review)

    Act

    Due care and due diligence

    Due care - doing the right thing to protect assets (mnemonic: DC = "do correct"), e.g. keeping antivirus signatures updated

    Due diligence - investigating the actual threats and risks, e.g. determining that antivirus is needed and installing it

    Approaches to security management

    Top-down approach (the better approach)

    Security practices are directed and supported at the senior management level

    Advantage: management owns the budget, so security gets funded

    Bottom-up approach

    The IT department tries to implement security on its own, without management direction

    Planning horizon

    Operational goals - day-to-day goals that focus on productivity and task-oriented activities

    Tactical goals - mid-term goals that lay the foundation needed to accomplish the strategic goals

    Strategic goals - long-term goals, supported by the operational and tactical goals

    Risk management process

    Risk Identification

    Risk management

    Qualitative Risk analysis

    Quantitative risk analysis

    Asset - any resource that is of value

    Vulnerability - a weakness in an asset

    Threat - potential danger to an asset, carried out by a threat agent

    Loss - real or perceived devaluation of an asset

    Risk - the likelihood of a threat agent exploiting a vulnerability, and the resulting impact

    Exposure - an instance of being exposed to compromise

    Event/exploit - an instance of loss actually experienced

    Control/countermeasure - a safeguard put in place to mitigate potential losses

    Purpose of risk assessment

    Identify what a company actually has and what its potential loss is for each and every threat recognized

    Ensure that the security program is cost-effective, relevant, and appropriate for the real risks the company faces

    Four main goals of a risk assessment

    Identify assets and their values

    Identify risks

    Quantify the impact of potential threats

    Provide an economic balance between the impact of the risk and the cost of the countermeasure

    NIST SP 800-30: risk assessment activities

    Step 1 - System characterization

    Input: hardware, software, system interfaces, data and information, people, system mission

    Output: system boundary, system functions, system and data criticality, system and data sensitivity

    Step 2 - Threat identification

    Input: history of attacks on the system, data from intelligence agencies

    Output: threat statement

    Step 3 - Vulnerability identification

    Input: reports from prior risk assessments, audit comments, security requirements, security test results

    Output: list of potential vulnerabilities

    Step 4 - Control analysis

    Input: current and planned controls

    Output: list of current and planned controls

    Step 5 - Likelihood determination (output: likelihood rating)

    Step 6 - Impact analysis (output: impact rating)

    Step 7 - Risk determination (output: risks and their associated risk levels)

    Step 8 - Control recommendations (output: recommended controls)

    Step 9 - Results documentation (output: risk assessment report)

    Asset valuation

    Cost to acquire or develop the asset

    Cost to maintain and protect the asset

    Value of the asset to the owners

    Price others are willing to pay for the asset

    Liability if the asset is compromised

    Operational and productivity losses that will be suffered if the asset is unavailable

    Cost to replace the asset

    Data classification process

    The value of the data (its sensitivity and value to the organization) is identified during risk analysis

    Organize the data according to its sensitivity to loss or disclosure

    Decide on controls: data is segmented by sensitivity level, and each classification should have its own set of security controls

    Classification criteria

    Usefulness of data

    Value of data

    Age of data

    Level of damage that could be caused if the data were disclosed, modified, or corrupted

    Laws, regulations, or liability responsibility about protecting the data

    Effects the data has on national security

    Who should be accessing this data?

    Who should be maintaining this data?

    Who should be able to reproduce this data?

    What data would require labels and special marking?

    Data classification procedure

    Identify the data owner (part of management)

    Identify the data custodian (a technical person)

    Develop classification criteria based on CIA

    Define controls per classification

    Define and document exceptions

    Document how to transfer custody of the data

    Declassification procedures

    Security awareness program

    Commercial classifications (highest to lowest)

    Confidential

    Private

    Sensitive

    Public

    Military classifications (highest to lowest)

    Top secret

    Secret

    Confidential

    Sensitive but unclassified

    Unclassified

    Quantitative analysis

    Numeric and monetary values

    Management prefers quantitative results

    Qualitative analysis

    Subjective ratings assigned, based on experience and intuition

    Delphi method: group members assign their ratings anonymously, so company culture or peer pressure does not influence the result

    Annualized loss expectancy (ALE)

    Single loss expectancy (SLE) = asset value (AV) x exposure factor (EF)

    Example: building value x fraction of the building damaged in one incident

    ALE = SLE x annualized rate of occurrence (ARO)

    Qualitative risk analysis steps

    Develop risk scenarios

    Gather company subject matter experts

    Work through scenario to determine outcome

    Prioritize risks and threats to assets

    Build consensus for best countermeasure

    Types of risk

    Total risk vs. residual risk

    Total risk - the risk that exists before a countermeasure is put into place

    Residual risk - the risk remaining after a countermeasure is put in place

    Residual risk calculation:

    threats x vulnerabilities = total risk

    total risk x controls gap = residual risk

    (the operators are conceptual, meaning "in relation to", not literal arithmetic)


    Risk analysis team

    Representatives from each department should be on the team

    Identify company assets by interviewing individuals, reviewing documentation, and touring facilities

    Identified assets must have values assigned to them

    Many things go into estimating the value of an asset, not just paper value

    ***Ensure business managers maintain accountability for their decisions***

    Threat sources

    Easily identified: fires, hackers, intruders

    Not easily identified: software flaws (e.g. a buffer overflow), employee fraud

    Types of loss: potential loss, delayed loss

    Possible threats

    Availability

    Disaster

    Failure of components

    DoS attacks

    Integrity

    Changing accounting records or system logs

    Disabling the alert mechanism in an IDS

    Modifying config files

    Confidentiality

    Shoulder surfing

    Social engineering

    Interception of a message

    Mitigation options

    Reduce - avoidance, limitation, research and acknowledgement

    Transfer - e.g. insurance

    Accept - when the cost to protect is more than the asset value

    Reject - ignorance or neglect; not a legitimate option

    Cost-benefit analysis formula

    ALE (before countermeasure) - ALE (after countermeasure) - annual cost of countermeasure = value of the countermeasure to the company
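    A worked example of the quantitative formulas in these notes (SLE = AV x EF, ALE = SLE x ARO, and the cost-benefit formula above), added here as an illustration; it is not code from the original notes. It ranks several candidate countermeasures for one risk and flags the case the formula exposes: a control whose annual cost exceeds the loss it prevents has negative value and should be rejected in favour of a cheaper control or acceptance. The asset, the three countermeasures and all their figures are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    """One asset/threat pair from the quantitative risk analysis."""
    name: str
    asset_value: float       # AV: what the asset is worth (see "Asset valuation")
    exposure_factor: float   # EF: fraction of AV lost in one occurrence, 0.0 .. 1.0
    aro: float               # ARO: expected occurrences per year (0.1 = once a decade)


@dataclass(frozen=True)
class Countermeasure:
    """A candidate control with the analyst's estimate of the residual EF and ARO."""
    name: str
    annual_cost: float              # purchase amortised over its life plus yearly upkeep
    residual_exposure_factor: float
    residual_aro: float


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF.  Reject EF outside 0..1: more than 100 % of an asset cannot be lost."""
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO.  An ARO below 1 is normal: it spreads a rare loss over the years."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def ale_for(risk: Risk) -> float:
    """ALE of a risk with no additional countermeasure in place ("before")."""
    return annualized_loss_expectancy(
        single_loss_expectancy(risk.asset_value, risk.exposure_factor), risk.aro)


def countermeasure_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Value = ALE(before) - ALE(after) - annual cost of the countermeasure."""
    return ale_before - ale_after - annual_cost


def evaluate(risk: Risk, options: List[Countermeasure]) -> List[Tuple[str, float]]:
    """Rank candidate countermeasures for one risk, best value first.

    A negative value means the control costs more per year than the loss it
    prevents, so for that risk "accept" (or a cheaper control) is the rational choice.
    """
    before = ale_for(risk)
    ranked = []
    for cm in options:
        after = annualized_loss_expectancy(
            single_loss_expectancy(risk.asset_value, cm.residual_exposure_factor),
            cm.residual_aro)
        ranked.append((cm.name, countermeasure_value(before, after, cm.annual_cost)))
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed sample data (hypothetical figures, not from the notes).
DATA_CENTER_FIRE = Risk("fire in the data center", asset_value=1_000_000,
                        exposure_factor=0.25, aro=0.1)
FIRE_OPTIONS = [
    Countermeasure("gas suppression system", annual_cost=12_000,
                   residual_exposure_factor=0.05, residual_aro=0.1),
    Countermeasure("full hot-site replication", annual_cost=30_000,
                   residual_exposure_factor=0.0, residual_aro=0.1),
    Countermeasure("extra hand extinguishers", annual_cost=500,
                   residual_exposure_factor=0.20, residual_aro=0.1),
]

if __name__ == "__main__":
    print(f"SLE = {single_loss_expectancy(1_000_000, 0.25):,.0f}")
    print(f"ALE = {ale_for(DATA_CENTER_FIRE):,.0f}")
    for name, value in evaluate(DATA_CENTER_FIRE, FIRE_OPTIONS):
        print(f"{name:28s} value to the company: {value:>10,.0f}")
```

    With the constructed figures the uncontrolled ALE is 25,000 per year. The gas suppression system is worth 8,000 a year to the company and the cheap extinguishers 4,500, while full hot-site replication removes the loss entirely but costs 30,000, so its value is -5,000: the formula says it should not be bought for this risk alone, even though it is the "most secure" option.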

    Strategy

    Control implementation

    Control categories


    Policies

    Standards (binding) - compulsory rules that dictate how hardware and software are to be used and the expected behavior of employees

    Baselines (binding) - the minimum level of security required throughout the organization

    Procedures (binding) - detailed step-by-step actions to be taken to achieve a specific task

    Guidelines (non-binding) - recommended actions and operational guides for users and staff members where standards do not apply

    Roles and responsibilities

    Executive management - assigned overall responsibility for the security of information

    Information systems security professionals - responsible for the design, implementation, management, and review of the organization's security policies

    Data owners - responsible for determining the classification levels of the data and for maintaining the accuracy and integrity of the data

    Process owners or system owners - responsible for ensuring that appropriate security, consistent with the organization's security policy, is embedded in their information systems

    Technology providers or third-party providers - responsible for assisting with the implementation of information security

    Users - responsible for following the procedures set out in the organization's security policy

    IT system auditor - provides independent assurance to management on the appropriateness of the security objectives, and decides whether the security policies are appropriate and comply with the organization's security objectives

    Employee management policies

    Termination procedures

    First step: inform all other departments that the employee is no longer to be trusted

    Second step: disable or delete the employee's accounts