5/6/2016© 2016 Firebrand
CISM™
Certified Information Security Manager
Firebrand Custom Designed Courseware
Ensure that the CISM candidate…
Manages information risk to an acceptable level to meet the business and compliance requirements of the organization
• The content area in this chapter will represent approximately 33% of the CISM examination (approximately 66 questions).
Exam Relevance
ISACA CISM Review Manual Page 78
Chapter 2 Task Statements
Establish an information asset classification and ownership process
Ensure risk, threat and vulnerability assessments are conducted periodically
Evaluate security controls
Identify gaps between current and desired state
ISACA CISM Review Manual Page 78
Chapter 2 Task Statements cont.
Integrate risk, threat and vulnerability identification and management into the organization
Monitor existing risk to ensure changes are identified and managed appropriately
Report information risk management levels to management.
ISACA CISM Review Manual Page 78
Definition of Risk
Risk is a function of the likelihood of a threat-source exercising a vulnerability and the resulting impact of that adverse event on the mission of the organization.
• Asset
• Threat
• Vulnerability
• Likelihood (probability)
• Impact (consequence)
NIST/CNSSI Definition
Why is Risk Important?
• Provides rationale and justification for virtually all information security activities
Risk management is a fundamental function of Information Security
Prioritization of Risk allows the development of a security roadmap
ISACA CISM Review Manual Page 93
Risk Management Definition
What is risk management?
• The systematic application of management policies, procedures and practices to the tasks of:
Identifying
Analyzing
Evaluating
Treating
Monitoring
risk related to information and information systems
Risk Management Objective
The objective of risk management is to identify, quantify and manage information security risk.
Reduce risk to an acceptable level through the application of risk-based, cost-effective controls.
ISACA CISM Review Manual Page 94
Risk Management Overview
Risk is the probability of occurrence of an event or transaction causing financial loss or damage to
• Organization
• Staff
• Assets
• Reputation
Quantitative and Qualitative Measures
ISACA CISM Review Manual Page 94
Risk Management Overview
Risk management is the process of ensuring that the impact of threats exploiting vulnerabilities is within acceptable limits at an acceptable cost
At a high level, this is accomplished by
• Balancing risk against mitigation costs
• Implementing appropriate countermeasures and controls
ISACA CISM Review Manual Page 94
Risk Management Process
Phases shown in the diagram:
Risk Identification (Assessment and Analysis)
Risk Treatment (Control Selection)
Evaluation and Assessment
ISACA CISM Review Manual Page 98
Defining the Risk Environment
The most critical prerequisite to a successful risk management program is understanding the organization including:
• Key business drivers
• The organization’s SWOT (strengths, weaknesses, opportunities and threats)
• Internal and external stakeholders
• Organizational structure and culture
• Assets (resources, information, customers, equipment)
• Goals and objectives, and the strategies already in place to achieve them
ISACA CISM Review Manual Page 95
Threats to Information and Information Systems
Threats to information and information systems are related to:
• Availability
• Confidentiality
• Integrity
• Non-repudiation
ISACA CISM Review Manual Page 98
Communicating Risk
Involve all stakeholders
Consistent communication in a defined format
Create awareness and accountability
ISACA CISM Review Manual Page 95
Effective Risk Management
Integrated with the business mission
Supported by Senior Management
Integration with other business areas
ISACA CISM Review Manual Page 96
Developing a Risk Management Program
Establish context and purpose
Define scope
Define authority, structure and reporting
Ensure asset identification, classification and ownership
Determine objectives
Determine risk methodology to be used
ISACA CISM Review Manual Page 96
Alignment of Risk Assessment and BIA
Risk Assessment measures Impact and Likelihood
Business Impact Analysis measures Impact over Time
Related disciplines – but not the same
BIA must be done periodically to determine how risk and impact levels increase over time
• Set priorities for critical business functions
ISACA CISM Review Manual Page 104
Threat Analysis
Intentional versus Unintentional attacks
• Natural
• Man-made
• Utility / Equipment
Threats affected by
• The skill and motivation of the attacker
• The existence of attack tools
ISACA CISM Review Manual Page 112
Aggregate Risk
Aggregate risk must be considered
• Aggregate risk is where several smaller risk factors combine to create a larger risk (the perfect storm scenario)
Added value in examination but not in Student Manual
Cascading Risk
Cascading risks are the effect of one incident leading to a chain of adverse events (domino effect)
Added value in examination but not in Student Manual
Identification of Vulnerabilities
• Patches not applied
• Non-hardened systems
• Inappropriate access levels
• Unencrypted sensitive data
• Software bugs or coding issues (buffer overflow)
• Physical security
Weaknesses in security controls
ISACA CISM Review Manual Page 113
The Effect of Risk
An exploit of a vulnerability by a threat may lead to an exposure.
An exposure is measured by the impact it has on the organization or the ability of the organization to meet its mission.
ISACA CISM Review Manual Page 117
Impact
Examples of direct and indirect financial losses:
• Direct loss of money (cash or credit)
• Criminal or civil liability
• Loss of reputation/goodwill/image
• Reduction of share value
• Conflict of interests to staff or customers or shareholders
ISACA CISM Review Manual Page 117
Impact cont.
Examples of direct and indirect financial losses:
• Breach of confidence/privacy
• Loss of business opportunity/competition
• Loss of market share
• Reduction in operational efficiency/performance
• Interruption of business activity
• Noncompliance with laws and regulations resulting in penalties
ISACA CISM Review Manual Page 117
Risk Assessment Methodology
Quantitative
• Determine the impact of a single event
• Single Loss Expectancy
• SLE = Asset Value x Exposure Factor
• Calculate frequency of events
• Annualized rate of occurrence (ARO)
• ARO = Incidents per year
ISACA CISM Review Manual Page 119
Annualized Loss Expectancy (ALE)
ALE is the calculated cost of risk per year from a single event
• ALE = SLE x ARO
Used to justify expense of implementing controls to reduce risk levels
Cost of controls should not be greater than benefit realized by implementing the control
ISACA CISM Review Manual Page 119
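The quantitative formulas on the two slides above (SLE = AV x EF, ALE = SLE x ARO, and the rule that a control's cost must not exceed the benefit it delivers), worked through in code. This is an added example, not code from the Firebrand courseware or the ISACA manual: the asset value, exposure factors, frequencies, control costs and five-year service life are constructed sample figures, and spreading one-off control costs over the service life is an assumption made here so that control cost and ALE can be compared per year.

```python
"""Quantitative risk assessment: SLE, ARO, ALE and control cost-benefit.

Added example (not from the Firebrand/ISACA courseware). All asset values,
exposure factors, frequencies and control costs are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss event affecting one asset."""
    name: str
    asset_value: float      # AV: value of the asset (currency units)
    exposure_factor: float  # EF: fraction of AV lost per event, 0.0 .. 1.0
    aro: float              # ARO: expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A safeguard with its full life-cycle cost, expressed per year.

    Assumption: one-off costs (acquisition, deployment, decommissioning) are
    spread evenly over the control's service life; recurring costs are added
    per year.
    """
    name: str
    acquisition: float
    deployment: float
    decommissioning: float
    annual_maintenance: float
    annual_testing: float
    service_life_years: int
    new_aro: float              # expected incidents per year with the control in place
    new_exposure_factor: float  # fraction of AV still lost per event with the control

    def annual_cost(self) -> float:
        one_off = self.acquisition + self.deployment + self.decommissioning
        return (one_off / self.service_life_years
                + self.annual_maintenance + self.annual_testing)


def residual_ale(scenario: Scenario, control: Control) -> float:
    """ALE that remains once the control has changed frequency and/or impact."""
    treated = Scenario(scenario.name, scenario.asset_value,
                       control.new_exposure_factor, control.new_aro)
    return treated.ale()


def annual_benefit(scenario: Scenario, control: Control) -> float:
    """Loss avoided per year minus what the control costs per year."""
    return scenario.ale() - residual_ale(scenario, control) - control.annual_cost()


def is_justified(scenario: Scenario, control: Control) -> bool:
    """Cost of the control should not be greater than the benefit it realizes."""
    return annual_benefit(scenario, control) >= 0


# Constructed sample: a customer database valued at 500,000; a breach is assumed
# to destroy 40% of that value and to occur twice a year without further controls.
DB_BREACH = Scenario("customer database breach", asset_value=500_000.0,
                     exposure_factor=0.40, aro=2.0)

# Constructed sample control: encryption at rest with key management, assumed to
# leave the frequency unchanged but to cut the exposure factor to 5%.
ENCRYPTION = Control("encryption at rest", acquisition=30_000.0, deployment=20_000.0,
                     decommissioning=5_000.0, annual_maintenance=15_000.0,
                     annual_testing=4_000.0, service_life_years=5,
                     new_aro=2.0, new_exposure_factor=0.05)

# Constructed sample control whose life-cycle cost exceeds the loss it prevents.
GOLD_PLATED = Control("gold-plated DLP suite", acquisition=2_000_000.0,
                      deployment=100_000.0, decommissioning=0.0,
                      annual_maintenance=150_000.0, annual_testing=10_000.0,
                      service_life_years=5, new_aro=0.5, new_exposure_factor=0.05)

if __name__ == "__main__":
    print(f"SLE = {DB_BREACH.sle():,.0f}   ALE = {DB_BREACH.ale():,.0f}")
    for control in (ENCRYPTION, GOLD_PLATED):
        print(f"{control.name}: annual cost {control.annual_cost():,.0f}, "
              f"residual ALE {residual_ale(DB_BREACH, control):,.0f}, "
              f"justified={is_justified(DB_BREACH, control)}")
```

With the sample figures the inherent ALE is 400,000 per year; encryption costs 30,000 per year and leaves 50,000 of ALE, so it is justified, while the second control costs 580,000 per year to remove a risk worth 400,000 and is not.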
Semiquantitative Analysis
Combination of qualitative analysis with financial impact levels
Brings together the benefits of both qualitative and quantitative analysis
Often used in workshops with representatives of the business
ISACA CISM Review Manual Page 118
Qualitative Risk Assessment
Determine risk levels through scenario-based analysis
Rank risk levels according to frequency and impact (Low (1), Moderate (2), High (3))
Likelihood rating x impact rating:

Likelihood \ Impact    Low   Moderate   High
High                    3       6        9
Moderate                2       4        6
Low                     1       2        3
ISACA CISM Review Manual Page 121
Data Gathering Techniques
Surveys / Questionnaires
Observation
Workshops
Delphi techniques
ISACA CISM Review Manual Page 120
Risk Acceptance
The level of risk that senior management is willing to accept – retention of the risk
Must include the calculation of the total risk level being accepted to ensure management has accurate data to work from.
ISACA CISM Review Manual Page 121
Results of Risk Assessment
Documentation of risk levels
• Risk register
Determination of threat and vulnerability levels
Forecast of impact and frequency of events
Recommendations for risk mitigation
• Controls, safeguards, countermeasures
ISACA CISM Review Manual Page 120
Risk Treatment
Risk Treatment takes the recommendations from the risk assessment process and selects the best choice for managing risk at an acceptable level
• Residual Risk
• Risk Acceptance
• Cost / Benefit
• Priorities
• Balance between security and business
ISACA CISM Review Manual Page 120
Risk Treatment
Risk Treatment Options
• Reduction / mitigation – implement changes
• Enhance managerial, technical, physical and operational controls
• Acceptance
• Transference
• Avoidance / Terminate the activity
ISACA CISM Review Manual Page 121
Residual Risk
The risk that remains after the application of controls or countermeasures to reduce the risk.
The objective is to reduce residual risk to a level that is equal to, or below, the level of acceptable risk
• Risk that exceeds acceptable risk levels should be further mitigated
ISACA CISM Review Manual Page 121
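One block tying together the qualitative slides above: the 3x3 likelihood x impact matrix, the risk acceptance level set by management, the treatment options (accept, mitigate, transfer, avoid) and the rule that residual risk above the acceptable level must be mitigated further. This is an added example, not code from the courseware or the ISACA manual. The scenarios, their ratings, the owners, the acceptance threshold (score 2) and the banding of scores into Low/Moderate/High are all constructed here; the manual's matrix only supplies the 1..9 scores.

```python
"""Qualitative risk scoring, treatment and residual-risk check.

Added example, not Firebrand or ISACA code. Scenario names, ratings, the
acceptance threshold and the score bands are constructed sample values.
"""
from dataclasses import dataclass, replace
from typing import List, Optional

# Ratings from the matrix slide: Low (1), Moderate (2), High (3)
RATING = {"Low": 1, "Moderate": 2, "High": 3}


def risk_score(likelihood: str, impact: str) -> int:
    """Cell of the 3x3 matrix: likelihood rating x impact rating (1..9)."""
    return RATING[likelihood] * RATING[impact]


def risk_level(score: int) -> str:
    """Band a 1..9 score (constructed banding, not from the manual)."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Moderate"
    return "Low"


@dataclass(frozen=True)
class RiskEntry:
    """One row of the risk register."""
    scenario: str
    likelihood: str
    impact: str
    treatment: str = "accept"   # accept | mitigate | transfer | avoid
    owner: str = "unassigned"

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)


def treat(entry: RiskEntry, option: str, likelihood: Optional[str] = None,
          impact: Optional[str] = None) -> RiskEntry:
    """Apply a treatment option and return the entry describing residual risk.

    mitigate: controls lower likelihood and/or impact to the ratings given
    transfer: e.g. insurance; assumed here to change the consequence only
    avoid:    terminate the activity; both ratings assumed to drop to Low
    accept:   residual risk equals inherent risk
    """
    if option == "accept":
        return replace(entry, treatment="accept")
    if option == "avoid":
        return replace(entry, treatment="avoid", likelihood="Low", impact="Low")
    if option == "mitigate":
        return replace(entry, treatment="mitigate",
                       likelihood=likelihood or entry.likelihood,
                       impact=impact or entry.impact)
    if option == "transfer":
        return replace(entry, treatment="transfer", impact=impact or entry.impact)
    raise ValueError(f"unknown treatment option: {option}")


def needs_further_mitigation(residual: RiskEntry, acceptable_score: int) -> bool:
    """Residual risk above the level management accepts must be treated again."""
    return residual.score > acceptable_score


def prioritised_register(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Register ordered highest score first (ties broken by scenario name)."""
    return sorted(entries, key=lambda e: (-e.score, e.scenario))


def outstanding(residual: List[RiskEntry], acceptable_score: int) -> List[str]:
    """Scenarios still above the acceptable level, highest score first."""
    return [e.scenario for e in prioritised_register(residual)
            if needs_further_mitigation(e, acceptable_score)]


ACCEPTABLE_SCORE = 2   # constructed: management accepts Low-banded risk only

# Constructed inherent risks (before treatment)
INHERENT = [
    RiskEntry("ransomware on file servers", "High", "High", owner="IT ops"),
    RiskEntry("lost unencrypted laptop", "Moderate", "High", owner="end user computing"),
    RiskEntry("office flooding", "Low", "Moderate", owner="facilities"),
    RiskEntry("legacy app with no vendor support", "High", "Moderate", owner="app owner"),
]

# Residual risks after the chosen treatment option for each scenario
RESIDUAL = [
    treat(INHERENT[0], "mitigate", likelihood="Low"),   # backups + patching: 1 x 3 = 3
    treat(INHERENT[1], "mitigate", impact="Low"),       # full-disk encryption: 2 x 1 = 2
    treat(INHERENT[2], "transfer", impact="Low"),       # insurance: 1 x 1 = 1
    treat(INHERENT[3], "avoid"),                        # system decommissioned: 1
]

if __name__ == "__main__":
    for e in prioritised_register(RESIDUAL):
        print(f"{e.score} {risk_level(e.score):8} {e.treatment:8} {e.scenario} ({e.owner})")
    print("still above acceptable level:", outstanding(RESIDUAL, ACCEPTABLE_SCORE))
```

Running it shows the ransomware scenario still scoring 3 after mitigation, above the constructed acceptance level of 2, so it is the one entry the register flags for further treatment.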
Risk Mitigation and Controls
Controls (safeguards / countermeasures) are implemented in order to reduce a specified risk
• Existing controls and countermeasures can be evaluated
• New controls and countermeasures can be designed
ISACA CISM Review Manual Page 121
Control Recommendations
Factors to be considered when recommending new or enhanced controls are:
• Cost-benefit analysis
• Anticipated effectiveness
• Compatibility with other controls, systems, and processes
• Legislation and regulation
• Organizational policy, standards, and culture
• Impact of control on business processes
• Control reliability
ISACA CISM Review Manual Page 122
Cost Benefit Analysis of Controls
Cost-benefit analysis must consider the cost of the control throughout the full life cycle of the control or countermeasure including:
• Acquisition / purchase costs
• Deployment and implementation costs
• Recurring maintenance costs
• Testing and assessment costs
ISACA CISM Review Manual Page 122
Cost Benefit Analysis of Controls cont.
Cost benefit analysis includes costs of:
• Compliance monitoring and enforcement
• Inconvenience to users
• Reduced throughput of controlled processes
• Training in new procedures or technologies as applicable
• End of life decommissioning
ISACA CISM Review Manual Page 123
Risk Mitigation Schematic
Relationships shown in the diagram:
Owners value assets and wish to minimize risk to assets
Owners impose countermeasures to reduce risk
Threat agents give rise to threats that increase risk to assets
Threat agents wish to abuse and/or may damage assets
From the Common Criteria
Control Types
Controls may be:
• Managerial
• Technical
• Physical
ISACA CISM Review Manual Page 122
Control Types and Categories cont.
Controls may be:
• Directive
• Deterrent
• Preventative
• Detective
• Recovery
• Corrective
• Compensating
Added value in the examination but not in Student Manual
Security Control Baselines
Creating baselines of control can assist in developing a consistent security infrastructure
Principles for developing baselines include
• Assessing the level of security that is appropriate for the organization
• Mandating a configuration for all systems and components attached to the organization’s network
ISACA CISM Review Manual Page 123
Information Asset Classification
Need to know what information to protect
Need to know who is responsible to protect it
• Ownership
• Roles and responsibilities
ISACA CISM Review Manual Page 126
Roles and Responsibilities
Information protection requires clear assignment of responsibilities
• Information owner
• Information System owner
• Board of Directors / Chief Executive Officer
• Users
• Information Custodians
• Third Party Suppliers
ISACA CISM Review Manual Page 125
Roles and Responsibilities
Information security risk management is an integral part of security governance
• Is the responsibility of the board of directors or the equivalent to ensure that these efforts are visible
Management must be involved in and sign off on acceptable risk levels and risk management objectives
ISACA CISM Review Manual Page 121
Information Classification Considerations
Business Impact and reliance of business on information and information systems
• Understand business objectives
• Availability of data / systems
• Sensitivity of data / systems
ISACA CISM Review Manual Page 126
Regulations and Legislation
Information asset protection may be required by legislation
• Privacy
• Consumer data
• Employee data
• Financial accuracy
• SOX-type laws
ISACA CISM Review Manual Page 125
Asset Valuation
Information Asset valuation may be based on:
• Financial considerations
• Liability for lost data
• Cost to create or restore data
• Impact on business mission
• Reputation
• Customer or supplier confidence
ISACA CISM Review Manual Page 125
Valuation Process
Determine ownership
Determine number of classification levels
Develop labeling scheme
Identify all information types and locations
De-classify when data no longer needs protection
ISACA CISM Review Manual Page 126
Information Protection
Ensure that data is protected consistently across all systems
Protect data in all forms – paper, electronic, optical, fax
Protect data at all times:
• Storage
• Transmission
• Processing
• Destruction
ISACA CISM Review Manual Page 126
Information Asset Protection
Policies
• Communicated
• Enforced
• Clean desk / Clear screen
• Need to know – Least privilege
Procedures
• Labeling
• Destruction
ISACA CISM Review Manual Page 126
Recovery Time Objectives (RTO)
Business needs determine recovery time objectives
The RTO indicates the time by which critical services should be restored
Includes identification of dependencies between systems and processes
Calculated as part of Business Impact Analysis (BIA)
ISACA CISM Review Manual Page 129
Recovery Point Objectives (RPO)
Based on acceptable data loss in case of a crisis or major failure
Drives the frequency of backups as well as the type of backup used to enable recovery of systems within acceptable timeframes.
ISACA CISM Review Manual Page 130
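The RTO and RPO slides above make two checkable claims: a service's recovery time must account for the systems it depends on, and the backup interval must not allow more data loss than the RPO permits. The following added example (not code from the courseware or the ISACA manual) checks a small recovery plan against both. The systems, their dependency chain, restore times, backup intervals and RTO/RPO targets are constructed sample values; treating the worst-case data loss as equal to the interval between backups is the simplifying assumption used here.

```python
"""Checking a recovery plan against RTO and RPO targets.

Added example, not Firebrand or ISACA code. The systems, dependencies, restore
times, backup intervals and RTO/RPO targets are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class System:
    name: str
    restore_hours: float                      # time to rebuild once dependencies are up
    depends_on: Tuple[str, ...] = ()          # systems that must be restored first
    rto_hours: Optional[float] = None         # business-defined target, None if not set
    rpo_hours: Optional[float] = None         # acceptable data loss as a time window
    backup_interval_hours: Optional[float] = None


def effective_recovery_time(systems: Dict[str, System], name: str,
                            _chain: Tuple[str, ...] = ()) -> float:
    """Earliest time a system can be back: its own restore time, which can only
    start once the slowest of its dependencies has been restored."""
    if name in _chain:
        raise ValueError("dependency cycle: " + " -> ".join(_chain + (name,)))
    s = systems[name]
    slowest_dep = max((effective_recovery_time(systems, d, _chain + (name,))
                       for d in s.depends_on), default=0.0)
    return slowest_dep + s.restore_hours


def rto_gaps(systems: Dict[str, System]) -> Dict[str, Tuple[float, float]]:
    """Systems whose effective recovery time misses their RTO: {name: (effective, rto)}."""
    gaps = {}
    for name, s in systems.items():
        if s.rto_hours is None:
            continue
        effective = effective_recovery_time(systems, name)
        if effective > s.rto_hours:
            gaps[name] = (effective, s.rto_hours)
    return gaps


def rpo_gaps(systems: Dict[str, System]) -> Dict[str, Tuple[float, float]]:
    """Systems backed up less often than the RPO allows: {name: (interval, rpo)}.

    Worst case, everything since the last backup is lost, so the backup
    interval must not exceed the RPO.
    """
    return {name: (s.backup_interval_hours, s.rpo_hours)
            for name, s in systems.items()
            if s.rpo_hours is not None and s.backup_interval_hours is not None
            and s.backup_interval_hours > s.rpo_hours}


# Constructed sample environment: the order portal cannot come back until both
# the directory and the database are up, and each of those needs the network.
SYSTEMS = {s.name: s for s in [
    System("network", restore_hours=2.0),
    System("directory", restore_hours=3.0, depends_on=("network",)),
    System("database", restore_hours=6.0, depends_on=("network",),
           rpo_hours=1.0, backup_interval_hours=24.0),
    System("order_portal", restore_hours=2.0, depends_on=("directory", "database"),
           rto_hours=8.0, rpo_hours=1.0, backup_interval_hours=0.25),
]}

if __name__ == "__main__":
    for name in SYSTEMS:
        print(f"{name}: back after {effective_recovery_time(SYSTEMS, name):.2f} h")
    print("RTO gaps:", rto_gaps(SYSTEMS))   # order_portal: 10 h effective vs 8 h target
    print("RPO gaps:", rpo_gaps(SYSTEMS))   # database: backed up every 24 h vs 1 h RPO
```

The portal's own restore takes two hours, but it cannot start until the database (eight hours including the network) is back, so the effective recovery time is ten hours against an eight-hour RTO; the database's daily backup is likewise far outside its one-hour RPO. Both gaps are the kind of finding a BIA is meant to surface before an incident does.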
Service Delivery Objectives (SDO)
Defined as the minimal level of service that must be restored to meet business requirements until normal levels of business can be restored.
ISACA CISM Review Manual Page 130
Third Party Providers
External support functions
Adequate controls and monitoring in place
Ensure that controls are addressed in contracts
Obtain assurance that control requirements are being met
• SLAs, SOC 2 report, ISO 27001
Remember that liability for a breach remains with the outsourcing organization
ISACA CISM Review Manual Page 131
Risk Related to Physical Controls
Unsecure physical environment
Poor environmental controls
Shared premises
External parties on site
ISACA CISM Review Manual Page 132
Risk Related to Change Control
Uncontrolled / Unauthorized changes
Changes implemented incorrectly
• Backup
• Rollback
Changes that bypass / overwrite controls
Interruption to service
ISACA CISM Review Manual Page 132
Controlling Risk in Change Control
Oversight / Steering Committee
Formal Change control process
• Documentation of changes
• Approvals
• Testing
Review of all proposed / implemented changes for impact on security controls
ISACA CISM Review Manual Page 132
Risk Management During SDLC
Integrate risk management throughout the SDLC
• Review risk levels as system is designed, developed, tested and implemented
• Test the implemented security controls
• Ensure the ability to log and monitor events is built into all systems
Review all new systems for correct operation of controls and associated risk levels
ISACA CISM Review Manual Page 133
Risk in Project Management
Risk of “Scope Creep”
Risk of project overrun
• Budget
• Time
• Failure to deliver expected results
• Vendor compliance with requirements
ISACA CISM Review Manual Page 134
Ongoing Risk Management Monitoring and Analysis
Do risk assessment annually
• More frequently in event of:
• Organizational changes
• Regulation
• Incidents
Monitor controls frequently and report to management
• Standardized reporting (format)
• Trend analysis
ISACA CISM Review Manual Page 135
Audit and Risk Management
Audit validates that risk is being managed correctly
• Compared with culture of organization
• Policy
• Regulation
• Best practices
ISACA CISM Review Manual Page 135
Audit and Risk Management cont.
Validate that risk is within acceptable levels
• Risk appetite
Threat and vulnerability analysis was done correctly
Controls are working correctly
• Mitigating risk effectively
• Validate compliance with controls
Reporting and recommendations
ISACA CISM Review Manual Page 135
Ongoing Risk Assessment
Monitor controls to ensure that they are working effectively
• Implemented as designed
• Operating properly
• Producing the desired outcome (mitigating the risk they were installed to address)
ISACA CISM Review Manual Page 135
Measuring Control Effectiveness
Determine metrics to measure control effectiveness
• Do regular monitoring and reporting
Aggregate data from several control points
• Security Information and Event Management (SIEM)
Measure control effectiveness in comparison to business goals and objectives
ISACA CISM Review Manual Page 135
New Employee Initiation
Require signing of
• Non-disclosure agreements (NDA)
• Non-compete agreements
• Ethics statement
Review security policy
• Awareness training
ISACA CISM Review Manual Page 136
Risk During Employment
Access Creep – adding more and more access
• Violation of least privilege / need to know
Enforce compliance with controls
Regular awareness sessions
ISACA CISM Review Manual Page 136
Risk at Termination of Employment
Need to remove all access
Recover all organizational assets
• ID cards
• Laptops
• Remote access tokens
• BlackBerry / cellphone
• Documents
Review NDAs
ISACA CISM Review Manual Page 136
Risk During Employment Process
Hiring Procedures
• Correct skills and experience
• Background checks
• Criminal
• Financial
• References from former employers / associates
ISACA CISM Review Manual Page 136
Risks During Procurement
• Improper buying practices
• Influence
• Kickbacks
• Piracy / imitations
• Inappropriate relations / selection of vendors
Need to purchase the ‘right’ equipment at the right price
Risk During Procurement cont.
Equipment not delivered according to specifications /contract terms
Equipment not configured / installed properly
Vendor not providing contracted maintenance according to maintenance agreements
Maintain correct patch levels
Reporting to Management
Regular reporting
• Standard format
• Scheduled basis
Consistent metrics to allow comparison of results over time
Reporting on an exceptional basis
• Following an event
ISACA CISM Review Manual Page 136
Training and Awareness
The most effective control to mitigate risk is training of all personnel
• Awareness
• Training
• Education
Educate on policies, standards, practices
Creates accountability
ISACA CISM Review Manual Page 136
Training and Awareness
End users should receive training on
• The importance of adhering to information security policies, standards, and procedures
• Clean desk policy
• Responding to incidents and emergencies
• Privacy and confidentiality requirements
• The security implications of logical access in an IT environment
ISACA CISM Review Manual Page 136
Training for End Users
Practical training topics
• Clean desk policy
• Responding to incidents and emergencies
• Privacy and confidentiality requirements
• Handling sensitive data and intellectual property
• The security requirements for access to IT systems
ISACA CISM Review Manual Page 136
Documentation
Typical risk management documentation includes:
• A risk register
• An inventory of information assets
• Threat and vulnerability analysis
• Control effectiveness report
• Initial risk rating
• Risk report - consequences and likelihood of compromise
• A risk mitigation and action plan
ISACA CISM Review Manual Page 137