Information Security & Risk Management

  1. Steps of a Risk Analysis
    • 1 - Assign value to Assets
    • 2 - Estimate Potential Loss per Threat - (SLE) single loss expectancy
    • 3 - Perform a threat analysis - (ARO) Annualized rate of occurrence
    • 4 - Derive the overall - (ALE) Annualized loss expectancy
    • 5 - Reduce, Transfer, Avoid, or Accept Risk
  2. SLE
    Single Loss Expectancy

    asset value x exposure factor (EF) = SLE
  3. EF
    Exposure Factor - the percentage of loss a realized threat could have on a certain asset
  4. ALE
    SLE x annualized rate of occurrence (ARO) = ALE
  5. ARO
    Annualized Rate of Occurrence (ARO) - Value that represents the estimated frequency of a specific threat taking place within a one year timeframe.
  6. Qualitative Cons
    • The assessment and results are subjective
    • eliminates opportunity to create a dollar value for cost/benefit discussions
    • Difficult to track risk management objection with subjective measures
    • standards are not available.
  7. Quantitative Cons
    • Calculations are complex
    • process is laborious without automated tools
    • more preliminary work needed to gather detailed information about environment
    • standards are not available
  8. ISO 17799:2005
    • Newest version of BS7799 Part 1
    • Provides a list of controls that can be used within the framework outlined in ISO 27001:2005
  9. ISO 27001:2005
    • Newest version of BS7700 Part 11
    • Provides the steps for setting up and maintaining security program.
  10. OECD
    international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy
  11. IRM
    Information Risk Management - is the PROCESS of identifying, assessing, and reducing risk to an acceptable level and implementing the right mechanisms to maintain that level of risk.
  12. FMEA
    Failure Mode and Effects Analysis is a method ofr determining functions, identifying functional failures, and assessing the causes of failure and the failure effects through a structured process.
  13. Delphi Technique
    group decision method where each group member can communicate anonumously
  14. vulnerability, threat, risk
    • vulnerability - is the absence of a safeguard (a weakness that can be exploited)
    • threat - possibility that someone or something would exploit a vulnerability to cause harm to an asset.
    • risk - the probability of threat agent exploiting a vulnerability and the loss potential from that action
  15. Study Sheet
    • Information Security and Risk Management Study Sheet
    • Confidentiality – the security objective to protect from improper disclosure of sensitive information.
    • Availability – the requirement of business to have access to systems and data.
    • Integrity – the reliability of systems to properly function in order to prohibit improper modification of data.
    • Known as the CIA or AIC Triad, Confidentiality, Availability,
    • and Integrity have to work in concert to keep data not only protected
    • and accurate, but accessible to authorized users.

    • Policy – management stating the role security plays in an organization.
    • Procedure – a mandated series of steps to accomplish a task, such as software installation.
    • Standard – usually the implementation of a common hardware or software solution to a security risk, such as a Firewall.
    • Baseline – a consistent minimum benchmark for security configurations across a multitude of implementations, such as password rules.
    • Guideline – a recommendation until adopted as standards, but are considered best practices, such as the Common Criteria.
    • The Organization’s Security Policy is an abstract statement from
    • management which is implemented through the IT staff. For example, the
    • following of a procedure, to install a standard, in accordance with a
    • guideline, and is setup referencing the baseline, is an instance of
    • adhering to policy.

    • Safeguards – uniform and proactive controls applied before an incident, which incorporates the idea of least privilege.
    • Vulnerability – a flaw in a procedure, implementation, or control that if exercised will result in a security breach.
    • Threat – a potential accidental or intentional danger to an information system.
    • Exposure – an opportunity for a threat to cause damage.
    • Risk – probability of a threat agent exploiting a vulnerability resulting in losses.
    • Risk Transference – the passing on of risk to a third party, such as insurance.
    • Countermeasure – reactive controls applied after an incident.
    • Safeguards are installed to protect against threats, but if a
    • vulnerability exists in a safeguard an exposure to a threat surfaces
    • resulting in a risk which either has to be countered or transferred.

    • Strategic Planning – a long term plan focusing on high level requirements, such as the overarching security plan.
    • Operational Planning – a mid term plan focusing on an organization’s functional plans.
    • Tactical Planning – a short term “fire fighting” strategy usually at the keyboard level.
    • The Planning Horizon is the compilation of strategic, operational, and tactical planning.

    • Job Rotation – movement of employees to expose collusion and policy violations.
    • Mandatory Vacations – forced leave to detect elements of fraud.
    • Separation of Duties – split knowledge and dual control of job tasks, which helps prevent errors and fraud.
    • Need to Know – only those persons absolutely requiring information should have access to such information.
    • Least Privilege – allowing processes and users only enough permission to accomplish their job.
    • Roles and Responsibilities – used to ensure everyone knows what an individual will be doing.
    • Due Care – responsible acts reducing the probability of being held liable or negligent.

    • Data Owners – responsible for data classification, user access, related business continuity plans and disaster recovery.
    • Data Custodian – is the security enforcer for the data owner, such as an email server admin.
    • Auditor – independent assurance that the security controls are being implemented correctly and are operational.
    • Application Owners – addresses user permissions and security controls on data specific to a particular application.

    • Information Risk Management – implementing the right mechanisms to mitigate and sustain an acceptable level of risk.
    • ISO 17799 & 27001 – guidelines, controls, and best practices for comprehensive security programs.
    • Asset Identification – are tangible, such as the facility, and intangible, such as data.
    • Assurance – a level of confidence that a particular security level is being upheld.
    • CobiT – four goals to ensure IT maps seamlessly with business needs; Plan and Organize, Acquire and Implement, Deliver and
    • Support, Monitor and Evaluate.

    • Governance – a set of management directives to ensure strategic direction, objective accomplishments, risk management,
    • and appropriate use of enterprise resources.
    • Organization for Economic Co-operation and Development (OECD) – an international group assisting governments with economic, social, and governance challenges worldwide.

    • Project Sizing – a pre risk analysis documentation of the scope of the project.
    • Failure Modes and Effect Analysis (FMEA) – an assessment of manufacturing defects.
    • Fault Tree Analysis (FTA) – analytical approach to detect failures and system safety within a complex environment.
    • Quantitative Risk Analysis – a monetary determination of risk.
    • Qualitative Risk Analysis – a scaled intrinsic value assigned to a level of risk, such as 1-5 or high med and low.
    • Delphi Technique – an anonymously communicated group decision.
    • Single Loss Expectancy (SLE) – amount that could be
    • lost if a threat is executed upon, such as the value of data, cost to
    • replace data, and potential opportunities missed.
    • Risk Analysis is performed to balance the economic impact of risk and the cost of the safeguards.

    • Risk Analysis Formulas
    • Total Risk = Threats X Vulnerability X Asset Value
    • Residual Risk = (Threats X Vulnerability X Asset Value) X Controls Gap
    • Annual Loss Expectancy (ALE) = Single Loss Expectancy X frequency per year
Card Set
Information Security & Risk Management
CISSP Information Security and Risk Management