Information Security & Risk Management
CISSP Information Security and Risk Management
Steps of a Risk Analysis
1 - Assign value to Assets
2 - Estimate Potential Loss per Threat - (SLE) single loss expectancy
3 - Perform a threat analysis - (ARO) Annualized rate of occurrence
4 - Derive the overall loss potential per threat per year - (ALE) annualized loss expectancy
5 - Reduce, Transfer, Avoid, or Accept Risk
Single Loss Expectancy
asset value x exposure factor (EF) = SLE
Exposure Factor - the percentage of loss a realized threat could have on a certain asset
SLE x annualized rate of occurrence (ARO) = ALE
Annualized Rate of Occurrence (ARO) - Value that represents the estimated frequency of a specific threat taking place within a one year timeframe.
Disadvantages of Qualitative Risk Analysis
The assessment and results are subjective
Eliminates the opportunity to create a dollar value for cost/benefit discussions
Difficult to track risk management objectives with subjective measures
Standards are not available
Disadvantages of Quantitative Risk Analysis
Calculations are complex
Process is laborious without automated tools
More preliminary work is needed to gather detailed information about the environment
Standards are not available
ISO 17799 (since renumbered ISO 27002) - newest version of BS7799 Part 1
Provides a list of controls that can be used within the framework outlined in ISO 27001:2005
ISO 27001 - newest version of BS7799 Part 2
Provides the steps for setting up and maintaining a security program (an information security management system).
Organization for Economic Co-operation and Development (OECD) - international organization that helps different governments come together to tackle the economic, social, and governance challenges of a globalized economy
Information Risk Management - is the PROCESS of identifying, assessing, and reducing risk to an acceptable level and implementing the right mechanisms to maintain that level of risk.
Failure Mode and Effects Analysis - a method for determining functions, identifying functional failures, and assessing the causes of failure and the failure effects through a structured process.
Delphi Technique - group decision method where each group member can communicate anonymously
vulnerability, threat, risk
vulnerability - is the absence of a safeguard (a weakness that can be exploited)
threat - possibility that someone or something would exploit a vulnerability to cause harm to an asset.
risk - the probability of a threat agent exploiting a vulnerability and the loss potential from that action
Information Security and Risk Management Study Sheet
Confidentiality – the security objective to protect sensitive information from improper disclosure.
Availability – the requirement of the business to have timely and reliable access to systems and data.
Integrity – the reliability of systems to function properly so that data is not improperly modified.
Known as the CIA or AIC Triad, Confidentiality, Availability, and Integrity have to work in concert to keep data not only protected and accurate, but accessible to authorized users.
Policy – management stating the role security plays in an organization.
Procedure – a mandated series of steps to accomplish a task, such as software installation.
Standard – a mandatory rule specifying how a common hardware or software solution to a security risk is to be implemented, such as a Firewall.
Baseline – a consistent minimum benchmark for security configurations across a multitude of implementations, such as password rules.
Guideline – a recommended practice, not mandatory until adopted as a standard, but considered best practice, such as the Common Criteria.
The Organization's Security Policy is an abstract statement from management which is implemented through the IT staff. For example, following a procedure to install a standard, in accordance with a guideline, and set up by reference to the baseline, is an instance of adhering to policy.
Safeguards – uniform and proactive controls applied before an incident, incorporating the idea of least privilege.
Vulnerability – a flaw in a procedure, implementation, or control that if exercised will result in a security breach.
Threat – a potential accidental or intentional danger to an information system.
Exposure – an opportunity for a threat to cause damage.
Risk – probability of a threat agent exploiting a vulnerability resulting in losses.
Risk Transference – the passing on of risk to a third party, such as insurance.
Countermeasure – reactive controls applied after an incident.
Safeguards are installed to protect against threats, but if a vulnerability exists in a safeguard an exposure to a threat surfaces, resulting in a risk which either has to be countered or transferred.
Strategic Planning – a long term plan focusing on high level requirements, such as the overarching security plan.
Tactical Planning – a mid term plan focusing on an organization's functional plans.
Operational Planning – a short term "fire fighting" strategy usually at the keyboard level.
The Planning Horizon is the compilation of strategic, tactical, and operational planning.
Job Rotation – movement of employees to expose collusion and policy violations.
Mandatory Vacations – forced leave to detect elements of fraud.
Separation of Duties – split knowledge and dual control of job tasks, which helps prevent errors and fraud.
Need to Know – only those persons absolutely requiring information should have access to such information.
Least Privilege – allowing processes and users only enough permission to accomplish their job.
Roles and Responsibilities – used to ensure everyone knows what an individual will be doing.
Due Care – responsible acts reducing the probability of being held liable or negligent.
Data Owner – responsible for data classification, user access, and related business continuity and disaster recovery plans.
Data Custodian – the security enforcer for the data owner, such as an email server admin.
Auditor – provides independent assurance that the security controls are being implemented correctly and are operational.
Application Owner – addresses user permissions and security controls on data specific to a particular application.
Information Risk Management – implementing the right mechanisms to mitigate and sustain an acceptable level of risk.
ISO 17799 & 27001 – guidelines, controls, and best practices for comprehensive security programs.
Asset Identification – assets are tangible, such as the facility, or intangible, such as data.
– a level of confidence that a particular security level is being upheld.
COBIT – four domains to ensure IT maps seamlessly with business needs: Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate.
Information Security Governance – a set of management directives to ensure strategic direction, achievement of objectives, appropriate management of risk, and appropriate use of enterprise resources.
Organization for Economic Co-operation and Development (OECD) – an international group assisting governments with economic, social, and governance challenges worldwide.
Project Sizing – a pre risk analysis documentation of the scope of the project.
Failure Modes and Effect Analysis (FMEA) – a structured method, originating in manufacturing, for identifying the ways a component or process can fail and assessing the effect of each failure.
Fault Tree Analysis (FTA) – analytical approach to detect failures and system safety within a complex environment.
Quantitative Risk Analysis – a monetary determination of risk.
Qualitative Risk Analysis – a scaled, relative value assigned to a level of risk, such as 1-5 or high, medium, and low.
Delphi Technique – an anonymously communicated group decision.
Single Loss Expectancy (SLE) – the amount that could be lost if a threat is executed upon, such as the value of data, the cost to replace data, and potential opportunities missed.
Risk Analysis is performed to balance the economic impact of risk and the cost of the safeguards.
Risk Analysis Formulas
Total Risk = Threats x Vulnerability x Asset Value
Residual Risk = (Threats x Vulnerability x Asset Value) x Controls Gap
Annual Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO, frequency per year)