
5/6/2016 © 2016 Firebrand. CISM Certified Information Security Manager. Firebrand Custom Designed Courseware.


5/6/2016© 2016 Firebrand

CISM™ Certified Information Security Manager

Firebrand Custom Designed Courseware


Chapter 2: Information Risk Management and Compliance


Exam Relevance

Ensure that the CISM candidate… manages information risk to an acceptable level to meet the business and compliance requirements of the organization.

• The content area in this chapter will represent approximately 33% of the CISM examination (approximately 66 questions).

ISACA CISM Review Manual Page 78


Chapter 2 Task Statements

Establish an information asset classification and ownership process

Ensure risk, threat and vulnerability assessments are conducted periodically

Evaluate security controls

Identify gaps between current and desired state

ISACA CISM Review Manual Page 78


Chapter 2 Task Statements cont.

Integrate risk, threat and vulnerability identification and management into the organization

Monitor existing risk to ensure changes are identified and managed appropriately

Report information risk management levels to management.

ISACA CISM Review Manual Page 78


Risk Management

ISACA CISM Review Manual Page 93


Definition of Risk

Risk is a function of the likelihood of a threat-source exercising a vulnerability and the resulting impact of that adverse event on the mission of the organization.

• Asset

• Threat

• Vulnerability

• Likelihood (probability)

• Impact (consequence)

NIST/CNSSI Definition


Why is Risk Important?

• Provides rationale and justification for virtually all information security activities

Risk management is a fundamental function of Information Security

Prioritization of Risk allows the development of a security roadmap

ISACA CISM Review Manual Page 93


Risk Management Definition

What is risk management?

• The systematic application of management policies, procedures and practices to the tasks of identifying, analyzing, evaluating, treating and monitoring risk related to information and information systems


Risk Management Objective

The objective of risk management is to identify, quantify and manage information security risk.

Reduce risk to an acceptable level through the application of risk-based, cost-effective controls.

ISACA CISM Review Manual Page 94


Risk Management Overview

Risk is the probability of occurrence of an event or transaction causing financial loss or damage to

• Organization

• Staff

• Assets

• Reputation

Quantitative and qualitative measures

ISACA CISM Review Manual Page 94


Risk Management Overview

Risk management is the process of ensuring that the impact of threats exploiting vulnerabilities is within acceptable limits at an acceptable cost

At a high level, this is accomplished by

• Balancing risk against mitigation costs

• Implementing appropriate countermeasures and controls

ISACA CISM Review Manual Page 94


Risk Management Process

• Risk Identification (Assessment and Analysis)

• Risk Treatment (Control Selection)

• Evaluation and Assessment

ISACA CISM Review Manual Page 98


Defining the Risk Environment

The most critical prerequisite to a successful risk management program is understanding the organization, including:

• Key business drivers

• The organization’s SWOT (strengths, weaknesses, opportunities and threats)

• Internal and external stakeholders

• Organizational structure and culture

• Assets (resources, information, customers, equipment)

• Goals and objectives, and the strategies already in place to achieve them

ISACA CISM Review Manual Page 95


Threats to Information and Information Systems

Threats to information and information systems are related to:

• Availability

• Confidentiality

• Integrity

• Non-repudiation

ISACA CISM Review Manual Page 98


Communicating Risk

Involve all stakeholders

Consistent communication in a defined format

Create awareness and accountability

ISACA CISM Review Manual Page 95


Effective Risk Management

Integrated with the business mission

Supported by Senior Management

Integration with other business areas

ISACA CISM Review Manual Page 96


Developing a Risk Management Program

Establish context and purpose

Define scope

Define authority, structure and reporting

Ensure asset identification, classification and ownership

Determine objectives

Determine risk methodology to be used

ISACA CISM Review Manual Page 96


Alignment of Risk Assessment and BIA

Risk Assessment measures Impact and Likelihood

Business Impact Analysis measures Impact over Time

Related disciplines – but not the same

BIA must be done periodically to determine how risk and impact levels increase over time

• Set priorities for critical business functions

ISACA CISM Review Manual Page 104


Threat Analysis

Intentional versus Unintentional attacks

• Natural

• Man-made

• Utility / Equipment

Threats affected by

• The skill and motivation of the attacker

• The existence of attack tools

ISACA CISM Review Manual Page 112


Aggregate Risk

Aggregate risk must be considered

• Aggregate risk is where several smaller risk factors combine to create a larger risk (the perfect storm scenario)

Added value in examination but not in Student Manual


Cascading Risk

Cascading risks are the effect of one incident leading to a chain of adverse events (domino effect)

Added value in examination but not in Student Manual


Identification of Vulnerabilities

Weaknesses in security controls

• Patches not applied

• Non-hardened systems

• Inappropriate access levels

• Unencrypted sensitive data

• Software bugs or coding issues (buffer overflow)

• Physical security

ISACA CISM Review Manual Page 113


The Effect of Risk

An exploit of a vulnerability by a threat may lead to an exposure.

An exposure is measured by the impact it has on the organization or the ability of the organization to meet its mission.

ISACA CISM Review Manual Page 117


Impact

Examples of direct and indirect financial losses:

• Direct loss of money (cash or credit)

• Criminal or civil liability

• Loss of reputation/goodwill/image

• Reduction of share value

• Conflict of interests to staff or customers or shareholders

ISACA CISM Review Manual Page 117


Impact cont.

Examples of direct and indirect financial losses:

• Breach of confidence/privacy

• Loss of business opportunity/competition

• Loss of market share

• Reduction in operational efficiency/performance

• Interruption of business activity

• Noncompliance with laws and regulations resulting in penalties

ISACA CISM Review Manual Page 117


Risk Assessment Methodology

Quantitative

• Determine the impact of a single event

• Single Loss Expectancy

• SLE = Asset Value x Exposure Factor

• Calculate frequency of events

• Annualized rate of occurrence (ARO)

• ARO = Incidents per year

ISACA CISM Review Manual Page 119


Annualized Loss Expectancy (ALE)

ALE is the calculated cost of risk per year from a single event

• ALE = SLE x ARO

Used to justify expense of implementing controls to reduce risk levels

Cost of controls should not be greater than benefit realized by implementing the control

ISACA CISM Review Manual Page 119
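The SLE, ARO and ALE formulas from these two slides carried through in Python for one constructed scenario, as an added worked example that is not part of the Firebrand courseware or the ISACA manual. The asset value, the exposure factors, the five-year incident history and the effect of the backup control are all assumptions; the point is how the annual benefit of a control falls out of the ALE before and after it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One loss scenario expressed in the slide's quantitative terms."""
    name: str
    asset_value: float         # AV: monetary value of the asset at risk
    exposure_factor: float     # EF: fraction of AV lost in a single event (0.0 to 1.0)
    incidents_per_year: float  # ARO: expected number of events per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = Asset Value x Exposure Factor."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        if self.incidents_per_year < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.incidents_per_year


def aro_from_history(incident_count: int, years_observed: float) -> float:
    """Derive ARO from an incident log: incidents per year."""
    if years_observed <= 0:
        raise ValueError("years_observed must be positive")
    return incident_count / years_observed


def risk_reduction(before: RiskScenario, after: RiskScenario) -> float:
    """Annual benefit of a control: ALE without it minus ALE with it."""
    return before.ale() - after.ale()


# Constructed scenario (assumed, not from the slides): a customer database
# valued at 2,000,000 where a ransomware event is assumed to destroy 25% of
# its value, and the (assumed) incident log shows 3 such events in 5 years.
BEFORE = RiskScenario(
    name="customer DB ransomware, no offline backups",
    asset_value=2_000_000,
    exposure_factor=0.25,
    incidents_per_year=aro_from_history(incident_count=3, years_observed=5),
)
# Assumed effect of an offline backup control: the attack still happens as
# often (ARO unchanged) but the exposure factor drops to 5%.
AFTER = RiskScenario(
    name="customer DB ransomware, offline backups in place",
    asset_value=2_000_000,
    exposure_factor=0.05,
    incidents_per_year=BEFORE.incidents_per_year,
)

if __name__ == "__main__":
    for s in (BEFORE, AFTER):
        print(f"{s.name}: SLE={s.sle():,.0f} ARO={s.incidents_per_year:.2f} ALE={s.ale():,.0f}")
    print(f"annual benefit of the control: {risk_reduction(BEFORE, AFTER):,.0f}")
```

With these inputs the SLE is 500,000 and the ARO 0.6, giving an ALE of 300,000 before the control and 60,000 after it, so the control is worth 240,000 per year; that figure is the "benefit" side of the cost-benefit rule on the slide.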


Semiquantitative Analysis

Combination of qualitative analysis with financial impact levels

Brings together the benefits of both qualitative and quantitative analysis

Often used in workshops with representatives of the business

ISACA CISM Review Manual Page 118


Qualitative Risk Assessment

Determine risk levels through scenario-based analysis

Rank risk levels according to frequency and impact (Low (1), Moderate (2), High (3))

Likelihood \ Impact   Low (1)   Moderate (2)   High (3)
High (3)                 3           6             9
Moderate (2)             2           4             6
Low (1)                  1           2             3

ISACA CISM Review Manual Page 121


Data Gathering Techniques

Surveys / Questionnaires

Observation

Workshops

Delphi techniques

ISACA CISM Review Manual Page 120


Risk Acceptance

The level of risk that senior management is willing to accept – retention of the risk

Must include the calculation of the total risk level being accepted to ensure management has accurate data to work from.

ISACA CISM Review Manual Page 121


Results of Risk Assessment

Documentation of risk levels

• Risk register

Determination of threat and vulnerability levels

Forecast of impact and frequency of events

Recommendations for risk mitigation

• Controls, safeguards, countermeasures

ISACA CISM Review Manual Page 120


Risk Treatment


Risk Treatment

Risk Treatment takes the recommendations from the risk assessment process and selects the best choice for managing risk at an acceptable level

• Residual Risk

• Risk Acceptance

• Cost / Benefit

• Priorities

• Balance between security and business

ISACA CISM Review Manual Page 120


Risk Treatment

Risk Treatment Options

• Reduction / mitigation – implement changes

• Enhance managerial, technical, physical and operational controls

• Acceptance

• Transference

• Avoidance / Terminate the activity

ISACA CISM Review Manual Page 121


Residual Risk

The risk that remains after the application of controls or countermeasures to reduce the risk.

The objective is to reduce residual risk to a level that is equal to, or below, the level of acceptable risk

• Risk that exceeds acceptable risk levels should be further mitigated

ISACA CISM Review Manual Page 121
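The qualitative 3x3 matrix from the earlier slide, the risk acceptance rule (sign-off on the total risk being accepted) and the residual-risk rule on this slide, combined in one added Python example that is mine and not the courseware's. The register rows, the effect each control has on likelihood or impact, and the acceptable score of 4 on the 1 to 9 scale are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class Level(IntEnum):
    """Rating scale from the slide: Low (1), Moderate (2), High (3)."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


def risk_score(likelihood: Level, impact: Level) -> int:
    """One cell of the matrix: likelihood x impact, so scores run from 1 to 9."""
    return int(likelihood) * int(impact)


def matrix() -> List[List[int]]:
    """The slide's grid: rows High..Low likelihood, columns Low..High impact."""
    return [[risk_score(lik, imp) for imp in (Level.LOW, Level.MODERATE, Level.HIGH)]
            for lik in (Level.HIGH, Level.MODERATE, Level.LOW)]


@dataclass
class RiskEntry:
    """A risk register row: inherent rating, controls applied, and the rating left
    after those controls (a residual rating of None means the control did not change it)."""
    risk_id: str
    description: str
    likelihood: Level
    impact: Level
    controls: Tuple[str, ...] = ()
    residual_likelihood: Optional[Level] = None
    residual_impact: Optional[Level] = None

    def inherent_score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    def residual_score(self) -> int:
        """Score after controls; with no controls it equals the inherent score."""
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return risk_score(lik, imp)


def needs_further_treatment(register: List[RiskEntry], acceptable_score: int) -> List[RiskEntry]:
    """Rows whose residual score still exceeds what management accepts, highest first."""
    above = [r for r in register if r.residual_score() > acceptable_score]
    return sorted(above, key=lambda r: r.residual_score(), reverse=True)


def total_retained_risk(register: List[RiskEntry], acceptable_score: int) -> int:
    """Sum of the residual scores being retained, so that sign-off covers the total
    risk being accepted and not only the individual rows."""
    return sum(r.residual_score() for r in register if r.residual_score() <= acceptable_score)


# Constructed register (assumed, not from the slides).
REGISTER = [
    RiskEntry("R1", "Unpatched internet-facing server", Level.HIGH, Level.HIGH,
              controls=("monthly patch cycle",), residual_likelihood=Level.MODERATE),
    RiskEntry("R2", "Lost unencrypted laptop", Level.MODERATE, Level.HIGH,
              controls=("full-disk encryption",), residual_impact=Level.LOW),
    RiskEntry("R3", "Shared administrator password", Level.HIGH, Level.MODERATE),
    RiskEntry("R4", "Paper records in an unlocked cabinet", Level.LOW, Level.LOW),
]
ACCEPTABLE_SCORE = 4  # assumed management threshold on the 1..9 scale

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.risk_id}: inherent {r.inherent_score()} residual {r.residual_score()}")
    print("further mitigation:", [r.risk_id for r in needs_further_treatment(REGISTER, ACCEPTABLE_SCORE)])
    print("total risk retained:", total_retained_risk(REGISTER, ACCEPTABLE_SCORE))
```

R1 drops from 9 to 6 after patching and R3 stays at 6 with no control, so both sit above the acceptable score and are the rows that must be mitigated further; R2 and R4 (residual 2 and 1) are retained, and it is their total of 3 that management signs off on.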


Risk Mitigation and Controls

Controls (safeguards / countermeasures) are implemented in order to reduce a specified risk

• Existing controls and countermeasures can be evaluated

• New controls and countermeasures can be designed

ISACA CISM Review Manual Page 121


Control Recommendations

Factors to be considered when recommending new or enhanced controls are:

• Cost-benefit analysis

• Anticipated effectiveness

• Compatibility with other controls, systems, and processes

• Legislation and regulation

• Organizational policy, standards, and culture

• Impact of control on business processes

• Control reliability

ISACA CISM Review Manual Page 122


Cost-Benefit Analysis of Controls

Cost-benefit analysis must consider the cost of the control throughout the full life cycle of the control or countermeasure, including:

• Acquisition / purchase costs

• Deployment and implementation costs

• Recurring maintenance costs

• Testing and assessment costs

ISACA CISM Review Manual Page 122


Cost-Benefit Analysis of Controls cont.

Cost-benefit analysis includes costs of:

• Compliance monitoring and enforcement

• Inconvenience to users

• Reduced throughput of controlled processes

• Training in new procedures or technologies as applicable

• End of life decommissioning

ISACA CISM Review Manual Page 123
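An added example, not from the slides or the ISACA manual, that puts the two cost slides together with the earlier rule that the cost of a control should not be greater than the benefit realized: each lifecycle cost line is classed as one-off or recurring, the total is annualized over the control's lifetime, and that annual cost is compared with the ALE reduction the control delivers. The ALE inputs, the cost lines, the lifetimes and the two candidate controls are all assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict


@dataclass
class ControlLifecycleCost:
    """Cost of a control over its whole life, split into one-off and recurring lines,
    following the slides' list: acquisition, deployment, maintenance, testing,
    compliance monitoring, user inconvenience / throughput, training, decommissioning."""
    name: str
    lifetime_years: int
    one_off: Dict[str, float] = field(default_factory=dict)   # paid once in the lifetime
    annual: Dict[str, float] = field(default_factory=dict)    # paid every year of the lifetime

    def total_cost_of_ownership(self) -> float:
        if self.lifetime_years <= 0:
            raise ValueError("lifetime must be at least one year")
        return sum(self.one_off.values()) + self.lifetime_years * sum(self.annual.values())

    def annualized_cost(self) -> float:
        """Spread the one-off lines over the lifetime so cost is comparable with ALE."""
        return self.total_cost_of_ownership() / self.lifetime_years


def annual_loss_expectancy(asset_value: float, exposure_factor: float, incidents_per_year: float) -> float:
    """ALE = SLE x ARO with SLE = Asset Value x Exposure Factor (the slides' formulas)."""
    return asset_value * exposure_factor * incidents_per_year


def evaluate_control(control: ControlLifecycleCost, ale_before: float, ale_after: float) -> Dict[str, object]:
    """Apply the rule that control cost should not exceed the benefit it realizes."""
    benefit = ale_before - ale_after  # annual loss avoided by the control
    cost = control.annualized_cost()
    return {
        "annual_benefit": benefit,
        "annualized_cost": cost,
        "net_benefit": benefit - cost,
        "justified": cost <= benefit,
    }


# Constructed scenario (assumed): ALE falls from 300,000 to 60,000 per year once
# offline backups limit the damage of a ransomware event.
ALE_BEFORE = annual_loss_expectancy(2_000_000, 0.25, 0.6)
ALE_AFTER = annual_loss_expectancy(2_000_000, 0.05, 0.6)

BACKUP_APPLIANCE = ControlLifecycleCost(
    name="offline backup appliance",
    lifetime_years=5,
    one_off={"acquisition": 60_000, "deployment": 15_000, "decommissioning": 5_000},
    annual={"maintenance": 10_000, "testing": 4_000, "compliance monitoring": 3_000,
            "training": 2_000, "reduced throughput": 1_000},
)
# A much more expensive option for the same risk, to show the rule rejecting a control.
MANAGED_RECOVERY_SERVICE = ControlLifecycleCost(
    name="outsourced 24x7 recovery service",
    lifetime_years=3,
    one_off={"onboarding": 50_000},
    annual={"subscription": 300_000},
)

if __name__ == "__main__":
    for control in (BACKUP_APPLIANCE, MANAGED_RECOVERY_SERVICE):
        result = evaluate_control(control, ALE_BEFORE, ALE_AFTER)
        print(f"{control.name}: annualized cost {result['annualized_cost']:,.0f}, "
              f"benefit {result['annual_benefit']:,.0f}, justified={result['justified']}")
```

The appliance costs 180,000 over five years, or 36,000 a year, against a benefit of 240,000 a year, so it is justified with a net benefit of 204,000; the managed service annualizes to about 316,667 a year for the same benefit and fails the rule. Note that the annual lines (maintenance, testing, monitoring, training, throughput loss) are what drive the appliance's cost, which is why the slides insist on the full life cycle rather than the purchase price.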


Risk Mitigation Schematic

From the Common Criteria:

• Owners value assets and wish to minimize the risk to those assets

• Owners impose countermeasures to reduce risk

• Threat agents give rise to threats

• Threats increase the risk to assets

• Threat agents wish to abuse and/or may damage assets


Control Types

Controls may be:

• Managerial

• Technical

• Physical

ISACA CISM Review Manual Page 122


Control Types and Categories cont.

Controls may be:

• Directive

• Deterrent

• Preventative

• Detective

• Recovery

• Corrective

• Compensating

Added value in the examination but not in Student Manual


Security Control Baselines

Creating baselines of control can assist in developing a consistent security infrastructure

Principles for developing baselines include

• Assessing the level of security that is appropriate for the organization

• Mandating a configuration for all systems and components attached to the organization’s network

ISACA CISM Review Manual Page 123


Information Asset Classification

ISACA CISM Review Manual Page 125


Information Asset Classification

Need to know what information to protect

Need to know who is responsible to protect it

• Ownership

• Roles and responsibilities

ISACA CISM Review Manual Page 126


Roles and Responsibilities

Information protection requires clear assignment of responsibilities

• Information owner

• Information System owner

• Board of Directors / Chief Executive Officer

• Users

• Information Custodians

• Third Party Suppliers

ISACA CISM Review Manual Page 125


Roles and Responsibilities

Information security risk management is an integral part of security governance

• It is the responsibility of the board of directors, or the equivalent, to ensure that these efforts are visible

Management must be involved in and sign off on acceptable risk levels and risk management objectives

ISACA CISM Review Manual Page 121


Information Classification Considerations

Business Impact and reliance of business on information and information systems

• Understand business objectives

• Availability of data / systems

• Sensitivity of data / systems

ISACA CISM Review Manual Page 126


Regulations and Legislation

Information asset protection may be required by legislation

• Privacy

• Consumer data

• Employee data

• Financial accuracy

• SOX-type laws

ISACA CISM Review Manual Page 125


Asset Valuation

Information Asset valuation may be based on:

• Financial considerations

• Liability for lost data

• Cost to create or restore data

• Impact on business mission

• Reputation

• Customer or supplier confidence

ISACA CISM Review Manual Page 125


Valuation Process

Determine ownership

Determine number of classification levels

Develop labeling scheme

Identify all information types and locations

De-classify when data no longer needs protection

ISACA CISM Review Manual Page 126


Information Protection

Ensure that data is protected consistently across all systems

Protect data in all forms – paper, electronic, optical, fax

Protect data at all times:

• Storage

• Transmission

• Processing

• Destruction

ISACA CISM Review Manual Page 126


Information Asset Protection

Policies

• Communicated

• Enforced

• Clean desk / Clear screen

• Need to know – Least privilege

Procedures

• Labeling

• Destruction

ISACA CISM Review Manual Page 126


Recovery Time Objectives (RTO)

Business needs determine recovery time objectives

The RTO indicates the time by which critical services should be restored

Includes identification of dependencies between systems and processes

Calculated as part of Business Impact Analysis (BIA)

ISACA CISM Review Manual Page 129


Recovery Point Objectives (RPO)

Based on acceptable data loss in case of a crisis or major failure

Drives the frequency of backups as well as the type of backup used to enable recovery of systems within acceptable timeframes.

ISACA CISM Review Manual Page 130
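An added Python example, not from the courseware, for the RTO and RPO slides: it orders recovery by the dependencies between systems, projects the hour at which each service is back, and flags every service whose projected recovery breaches its RTO or whose backup interval breaches its RPO. The services, their objectives, restore times, backup schedules and dependencies are constructed. It shows the point the RTO slide makes about dependencies: a service whose own rebuild is quick can still miss its RTO because of what it waits on.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Service:
    """One business service with its BIA-derived objectives and current recovery facts."""
    name: str
    rto_hours: float              # must be restored within this time
    rpo_hours: float              # tolerable data loss, i.e. maximum age of the last backup
    restore_hours: float          # time to rebuild this service once its dependencies are up
    backup_interval_hours: float  # how often backups are currently taken
    depends_on: List[str] = field(default_factory=list)


def recovery_order(services: Dict[str, Service]) -> List[str]:
    """Dependencies first (a topological sort); a circular dependency is an error."""
    order: List[str] = []
    state: Dict[str, str] = {}

    def visit(name: str) -> None:
        if state.get(name) == "done":
            return
        if state.get(name) == "active":
            raise ValueError(f"circular dependency involving {name!r}")
        if name not in services:
            raise KeyError(f"unknown dependency {name!r}")
        state[name] = "active"
        for dep in services[name].depends_on:
            visit(dep)
        state[name] = "done"
        order.append(name)

    for name in services:
        visit(name)
    return order


def has_circular_dependency(services: Dict[str, Service]) -> bool:
    """True when the dependency map cannot be ordered (a plan that can never be executed)."""
    try:
        recovery_order(services)
    except ValueError:
        return True
    return False


def projected_recovery_times(services: Dict[str, Service]) -> Dict[str, float]:
    """Earliest hour at which each service is back, assuming independent restores run in
    parallel and a service starts only once every dependency is up."""
    finish: Dict[str, float] = {}
    for name in recovery_order(services):
        svc = services[name]
        start = max((finish[d] for d in svc.depends_on), default=0.0)
        finish[name] = start + svc.restore_hours
    return finish


def objective_gaps(services: Dict[str, Service]) -> Dict[str, List[str]]:
    """Services breaching RTO (projected recovery too late) or RPO (backups too infrequent)."""
    finish = projected_recovery_times(services)
    gaps: Dict[str, List[str]] = {}
    for name, svc in services.items():
        problems = []
        if finish[name] > svc.rto_hours:
            problems.append(f"RTO breach: projected recovery at {finish[name]:.1f}h exceeds {svc.rto_hours:.1f}h")
        if svc.backup_interval_hours > svc.rpo_hours:
            problems.append(f"RPO breach: backups every {svc.backup_interval_hours:.1f}h exceed {svc.rpo_hours:.1f}h")
        if problems:
            gaps[name] = problems
    return gaps


# Constructed environment (assumed): a web shop that needs an auth service and an
# orders database, both of which need the network restored first.
SERVICES: Dict[str, Service] = {
    "network":   Service("network", rto_hours=4, rpo_hours=24, restore_hours=2, backup_interval_hours=24),
    "auth":      Service("auth", rto_hours=6, rpo_hours=12, restore_hours=3, backup_interval_hours=24,
                         depends_on=["network"]),
    "orders-db": Service("orders-db", rto_hours=8, rpo_hours=1, restore_hours=4, backup_interval_hours=1,
                         depends_on=["network"]),
    "web-shop":  Service("web-shop", rto_hours=6, rpo_hours=24, restore_hours=1, backup_interval_hours=24,
                         depends_on=["auth", "orders-db"]),
}

if __name__ == "__main__":
    print("restore order:", recovery_order(SERVICES))
    for name, problems in objective_gaps(SERVICES).items():
        print(name, "->", "; ".join(problems))
```

The web shop itself restores in one hour, but it cannot start until the orders database is back at hour 6, so it returns at hour 7 against an RTO of 6; the auth service meets its RTO but its daily backups cannot satisfy a 12-hour RPO, which is the "RPO drives backup frequency" point on the slide.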


Service Delivery Objectives (SDO)

Defined as the minimal level of service that must be restored to meet business requirements until normal levels of business can be restored.

ISACA CISM Review Manual Page 130


Third Party Providers

External support functions

Adequate controls and monitoring in place

Ensure that controls are addressed in contracts

Obtain assurance that control requirements are being met

• SLAs, SOC2 report, ISO27001

Remember that liability for a breach remains with the outsourcing organization

ISACA CISM Review Manual Page 131


Risk Related to Physical Controls

Unsecure physical environment

Poor environmental controls

Shared premises

External parties on site

ISACA CISM Review Manual Page 132


Risk Related to Change Control

Uncontrolled / Unauthorized changes

Changes implemented incorrectly

• Backup

• Rollback

Changes that bypass / overwrite controls

Interruption to service

ISACA CISM Review Manual Page 132


Controlling Risk in Change Control

Oversight / Steering Committee

Formal Change control process

• Documentation of changes

• Approvals

• Testing

Review of all proposed / implemented changes for impact on security controls

ISACA CISM Review Manual Page 132


Risk Management During SDLC

Integrate risk management throughout the SDLC

• Review risk levels as system is designed, developed, tested and implemented

• Test the implemented security controls

• Ensure the ability to log and monitor events is built into all systems

Review all new systems for correct operation of controls and associated risk levels

ISACA CISM Review Manual Page 133


Risk in Project Management

Risk of “Scope Creep”

Risk of project overrun

• Budget

• Time

• Failure to deliver expected results

• Vendor compliance with requirements

ISACA CISM Review Manual Page 134


Ongoing Risk Management Monitoring and Analysis

Do risk assessment annually

• More frequently in event of:

• Organizational changes

• Regulation

• Incidents

Monitor controls frequently and report to management

• Standardized reporting (format)

• Trend analysis

ISACA CISM Review Manual Page 135


Audit and Risk Management

Audit validates that risk is being managed correctly

• Compared with culture of organization

• Policy

• Regulation

• Best practices

ISACA CISM Review Manual Page 135


Audit and Risk Management cont.

Validate that risk is within acceptable levels

• Risk appetite

Threat and vulnerability analysis was done correctly

Controls are working correctly

• Mitigating risk effectively

• Validate compliance with controls

Reporting and recommendations

ISACA CISM Review Manual Page 135


Ongoing Risk Assessment

Monitor controls to ensure that they are working effectively

• Implemented as designed

• Operating properly

• Producing the desired outcome (mitigating the risk they were installed to address)

ISACA CISM Review Manual Page 135


Measuring Control Effectiveness

Determine metrics to measure control effectiveness

• Do regular monitoring and reporting

Aggregate data from several control points

• Security information and event management (SIEM)

Measure control effectiveness in comparison to business goals and objectives

ISACA CISM Review Manual Page 135
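An added example, not the courseware's, for the monitoring and measurement slides: raw events from several control points are aggregated, an effectiveness metric is computed per control, compared with a business target, and trended against the previous period in a standardized report. The event line format, the control names, the outcomes and the 90% target are all assumptions constructed for the example; a real SIEM export would need its own parser.

```python
from __future__ import annotations

from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed control-point events (assumed format, not a real SIEM export):
# "<month> <control-point> <outcome>" where outcome is one of
#   handled - the control prevented or detected the event as designed
#   missed  - the event was only found later, e.g. during incident review
SAMPLE_EVENTS = """
2016-03 firewall handled
2016-03 firewall handled
2016-03 firewall missed
2016-03 endpoint-av handled
2016-03 endpoint-av missed
2016-03 endpoint-av missed
2016-04 firewall handled
2016-04 firewall handled
2016-04 firewall handled
2016-04 firewall handled
2016-04 endpoint-av handled
2016-04 endpoint-av handled
2016-04 endpoint-av missed
2016-04 mfa handled
""".strip().splitlines()

EMPTY = {"handled": 0, "missed": 0}


def parse_events(lines: List[str]) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Aggregate events from every control point into (month, control) -> outcome counts."""
    counts: Dict[Tuple[str, str], Dict[str, int]] = defaultdict(lambda: dict(EMPTY))
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[2] not in EMPTY:
            raise ValueError(f"malformed event line: {line!r}")
        month, control, outcome = parts
        counts[(month, control)][outcome] += 1
    return dict(counts)


def effectiveness(counts: Dict[str, int]) -> float:
    """Share of events the control handled, 0..1; a control with no events scores 0."""
    total = counts["handled"] + counts["missed"]
    return counts["handled"] / total if total else 0.0


def trend_report(lines: List[str], target: float) -> Dict[str, Dict[str, object]]:
    """Per control: effectiveness in the latest month, change since the previous month,
    and whether the target is met. Same shape every period so results can be compared."""
    agg = parse_events(lines)
    months = sorted({m for m, _ in agg})
    latest = months[-1]
    previous = months[-2] if len(months) > 1 else None
    report: Dict[str, Dict[str, object]] = {}
    for control in sorted({c for _, c in agg}):
        now = effectiveness(agg.get((latest, control), EMPTY))
        before = effectiveness(agg[(previous, control)]) if (previous, control) in agg else None
        report[control] = {
            "effectiveness": round(now, 3),
            "trend": None if before is None else round(now - before, 3),
            "meets_target": now >= target,
        }
    return report


TARGET = 0.9  # assumed business objective: at least 90% of events handled

if __name__ == "__main__":
    for control, row in trend_report(SAMPLE_EVENTS, TARGET).items():
        print(f"{control:12} effectiveness={row['effectiveness']} trend={row['trend']} "
              f"meets_target={row['meets_target']}")
```

On this sample the firewall reaches 100% in April (up a third from March), endpoint anti-virus improves to 67% but still misses the target, and MFA has no prior period so it reports no trend; the report format stays the same each month, which is what makes the trend comparison on the slide possible.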


New Employee Initiation

Require signing of

• Non-disclosure agreements (NDA)

• Non-compete agreements

• Ethics statement

Review security policy

• Awareness training

ISACA CISM Review Manual Page 136


Risk During Employment

Access Creep – adding more and more access

• Violation of least privilege / need to know

Enforce compliance with controls

Regular awareness sessions

ISACA CISM Review Manual Page 136
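An added example, not from the slides, of one way an access review can detect access creep: each user's current entitlements are compared with a least-privilege baseline for their current role, and anything beyond the baseline is listed for revocation. The roles, baselines, entitlement names and users are constructed; the same comparison gives the full revocation list needed at termination.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed role baselines (assumed, not from the slides): what a holder of each
# role needs to do the job and nothing more (need to know / least privilege).
ROLE_BASELINES: Dict[str, FrozenSet[str]] = {
    "helpdesk": frozenset({"ticketing-read", "ticketing-write", "password-reset"}),
    "sysadmin": frozenset({"ticketing-read", "server-admin", "backup-operator"}),
    "finance-analyst": frozenset({"erp-read", "erp-report"}),
}


@dataclass(frozen=True)
class UserAccess:
    """What the identity store currently says about one person."""
    user: str
    current_role: str
    entitlements: FrozenSet[str]


def access_creep(user: UserAccess) -> FrozenSet[str]:
    """Entitlements held beyond the current role's baseline: the creep to revoke."""
    if user.current_role not in ROLE_BASELINES:
        raise KeyError(f"no baseline defined for role {user.current_role!r}")
    return user.entitlements - ROLE_BASELINES[user.current_role]


def missing_entitlements(user: UserAccess) -> FrozenSet[str]:
    """Baseline entitlements the user lacks (a provisioning gap, not a creep finding)."""
    return ROLE_BASELINES[user.current_role] - user.entitlements


def review_report(users: List[UserAccess]) -> Dict[str, List[str]]:
    """Users with creep, mapped to the sorted entitlements to revoke."""
    report: Dict[str, List[str]] = {}
    for u in users:
        extra = access_creep(u)
        if extra:
            report[u.user] = sorted(extra)
    return report


def offboarding_revocations(user: UserAccess) -> List[str]:
    """At termination every entitlement goes, baseline included."""
    return sorted(user.entitlements)


# Constructed review input (assumed): alice moved from helpdesk to sysadmin but her
# helpdesk rights were never removed; carol kept an admin right granted for a one-off task.
USERS = [
    UserAccess("alice", "sysadmin", frozenset({"ticketing-read", "ticketing-write", "password-reset",
                                                "server-admin", "backup-operator"})),
    UserAccess("bob", "helpdesk", frozenset({"ticketing-read", "ticketing-write", "password-reset"})),
    UserAccess("carol", "finance-analyst", frozenset({"erp-read", "erp-report", "erp-admin"})),
]

if __name__ == "__main__":
    for user, revoke in review_report(USERS).items():
        print(f"{user}: revoke {', '.join(revoke)}")
```

Run against the sample, alice is flagged for the two helpdesk rights that outlived her role change and carol for the admin right; bob matches his baseline exactly and does not appear. Reviewing against a role baseline rather than against "what was granted last time" is what stops creep from being re-approved review after review.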


Risk at Termination of Employment

Need to remove all access

Recover all organizational assets

• ID cards

• Laptops

• Remote access tokens

• Blackberry / cellphone

• Documents

Review NDAs

ISACA CISM Review Manual Page 136


Risk During Employment Process

Hiring Procedures

• Correct skills and experience

• Background checks

  • Criminal

  • Financial

  • References from former employers / associates

ISACA CISM Review Manual Page 136


Risks During Procurement

Need to purchase the ‘right’ equipment at the right price

• Improper buying practices

• Influence

• Kickbacks

• Piracy / imitations

• Inappropriate relations / selection of vendors


Risk During Procurement cont.

Equipment not delivered according to specifications /contract terms

Equipment not configured / installed properly

Vendor not providing contracted maintenance according to maintenance agreements

Maintain correct patch levels


Reporting to Management

Regular reporting

• Standard format

• Scheduled basis

Consistent metrics to allow comparison of results over time

Reporting on an exceptional basis

• Following an event

ISACA CISM Review Manual Page 136


Training and Awareness

The most effective control to mitigate risk is training of all personnel

• Awareness

• Training

• Education

Educate on policies, standards, practices

Creates accountability

ISACA CISM Review Manual Page 136


Training and Awareness

End users should receive training on

• The importance of adhering to information security policies, standards, and procedures

• Clean desk policy

• Responding to incidents and emergencies

• Privacy and confidentiality requirements

• The security implications of logical access in an IT environment

ISACA CISM Review Manual Page 136


Training for End Users

Practical training topics

• Clean desk policy

• Responding to incidents and emergencies

• Privacy and confidentiality requirements

• Handling sensitive data and intellectual property

• The security requirements for access to IT systems

ISACA CISM Review Manual Page 136


Documentation

Typical risk management documentation includes:

• A risk register

• An inventory of information assets

• Threat and vulnerability analysis

• Control effectiveness report

• Initial risk rating

• Risk report - consequences and likelihood of compromise

• A risk mitigation and action plan

ISACA CISM Review Manual Page 137