Risk is a crucial element in all our lives. In every action we plan to take in our personal and professional lives, we need to analyze the risks associated with it. From a cybersecurity perspective, industries such as energy, healthcare, banking, insurance and retail involve a lot of risks that impede the adoption of technology and need to be effectively managed. The associated risks which need to be addressed evolve quickly and must be handled in a short period of time.
Both simple and advanced devices are now part of our everyday lives, ranging from road signs to intelligent vending machines to advanced medical diagnostic services. Each of these types of devices needs to be secured, since each has its own requirements regarding the confidentiality, integrity and availability of the data or resources it provides. Risk management involves comprehensive understanding, analysis and mitigation of risk to help organizations achieve their information security objectives. Risk is inherent in every information security decision, so risk management concepts help make each of those decisions effective. Security and risk management is the first of the eight domains covered on the CISSP certification exam. The exam was last updated in May 2021, and the updated exam subdomains include:
Below is additional information on security and risk management that will help you prepare for the CISSP certification exam. Additional information can be found in the CISSP exam outline.

Goals of a security model

The two primary objectives of information security within the organization from a risk management perspective include:
Strategy leads to tactics, tactics lead to operations

Then, the strategic goals may refer to having all domains centrally administered and implementing VPNs and RADIUS servers to provide a highly secure environment that provides a good amount of assurance to the management and employees. A security model has different layers, but it also has different types of goals to accomplish in different time frames.
This technique and approach to strategy is called the planning horizon. A company cannot usually implement all changes at once, and some changes are larger than others. Often, certain changes cannot happen until other changes have taken place. If an organization whose network is currently decentralized, and works in workgroups without any domain trust, wants to implement its own certificate authority (CA) and public key infrastructure (PKI) enterprise-wide, this cannot happen in a week's time. The operational goals are to keep production running smoothly and make small steps towards readying the environment for a domain structure. The tactical goal would be to put all workstations and resources into a domain structure and centralize access control and authentication. The strategic goal is to have all workstations, servers and devices within the enterprise use the public key infrastructure to deliver authentication, encryption and additional secure communication channels. Generally, security works best if its operational, tactical and strategic goals are defined and work to support each other. This can be more difficult than it appears.

Security fundamentals: CIA

Confidentiality, integrity and availability (the CIA triad) is a typical security framework intended to guide policies for information security within an organization.

1. Confidentiality: Prevent unauthorized disclosure

Confidentiality of information refers to protecting the information from disclosure to unauthorized parties. Key areas for maintaining confidentiality:
2. Integrity: Detect modification of information

The integrity of information denotes protecting sensitive information from being modified by unauthorized parties. Key areas for maintaining integrity:
3. Availability: Provide timely and reliable access to resources

Availability of information signifies ensuring that all the required or intended parties are able to access the information when needed. Key areas for maintaining availability:
Best practices to support CIA
Risk management and the CISSP

Risk management is the process of identifying, examining, measuring, mitigating or transferring risk. Its main goal is to reduce the probability or impact of an identified risk. The risk management lifecycle includes all risk-related actions such as assessment, analysis, mitigation and ongoing risk monitoring, which we will discuss in the latter part of this article. The success of a security program can be traced to a thorough understanding of risk. Without proper consideration and evaluation of risks, the correct controls may not be implemented. Risk assessment ensures that we identify and evaluate our assets, then identify threats and their corresponding vulnerabilities. Risk analysis allows us to prioritize these risks and ultimately assign a dollar value to each risk event. Once we have a dollar value for a particular risk, we can then make an informed decision as to which mitigation method best suits our needs. And finally, as with all elements of a security policy, ongoing evaluation is essential. New attacks and other threats are always emerging, and security professionals must stay informed and up to date.

Best practices to support risk management
The following definitions are crucial for risk management:
Multiple scenario-based use cases are evaluated in the CISSP exam, based on the following general sources of risk:
Lifecycle of risk management
Each section within the lifecycle is crucial for CISSP and has been further defined below.

1. Risk assessment

Looks at risks corresponding to identified parameters for a specific period and must be reevaluated periodically. Managing risks is an ongoing process. The following steps are officially part of a risk assessment as per NIST 800-30:
2. Risk analysis

Risk can be analyzed through a qualitative and a quantitative lens. Qualitative analysis is subjective in nature and uses words like "high," "medium" and "low" to describe the likelihood and severity of the impact of a threat exposing a vulnerability. Quantitative analysis is objective and numbers-driven. It requires more experience than qualitative analysis and involves calculations to determine a dollar value associated with each risk element. Business decisions are fundamentally driven by this type of analysis, and it is essential in order to conduct a cost/benefit analysis. Key pointers to be remembered for risk analysis include:
3. Mitigating risk

There are three acceptable responses to risk mitigation:

Organizations need to continue to monitor for risks. How an organization decides to mitigate business risks becomes the basis for security governance and policy.

Security governance and policy

The goal of security governance is to ensure that security strategies, goals, risks and objectives are assessed according to a top-down model. By doing so, we ensure that those ultimately responsible for the success or failure of a security program are directly involved. To achieve security governance, security blueprints have to be created to allow organizations to implement practices and procedures that support their security goals and the overall mission of the organization. Various industry consortia have provided insight into the goals, objectives and means of developing successful information security management systems (ISMS). The following industry standards provide frameworks that can be reviewed when creating security baselines to achieve security governance.
Approach to security management

Poor security management causes the majority of a company's security problems. Security needs to be directed and supported by top management (the top-down approach); without that backing, any security effort is doomed. Unfortunately, most companies follow a bottom-up approach, where the IT department takes security seriously and attempts to develop a security program on its own. This approach usually does not provide those individuals with the necessary funds, support, resources or attention, so it is often doomed from the start. An information security management program primarily consists of the following key areas to be aware of:
Senior management's roles and responsibilities across the following areas are generally evaluated for CISSP and are crucial for the overall understanding of security risk management for any organization.

What is a risk assessment (CISSP)?

A risk assessment is the process of identifying and prioritizing risks to the business. The assessment is crucial. Without an assessment, it is impossible to design good security policies and procedures that will defend your company's critical assets.
What are the steps of a risk assessment (CISSP)?

It consists of four steps:

1. Define the actual threat.
2. Identify possible consequences to the organization if the threat is realized.
3. Determine the probable frequency of a threat.
4. Assess the probability that a threat will materialize.

When we are doing quantitative risk analysis, what does the asset value (AV) tell us?

We find the asset's value: how much of it is compromised, how much one incident will cost, how often the incident occurs and how much that is per year.
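The quantitative analysis described in the risk analysis section above, and the asset value (AV) question just answered, both rest on the same chain of calculations. The following Python script is an added worked example written for this page; it is not code from the original article or from (ISC)². It assumes the standard CISSP formulas, which the page refers to but does not spell out: single loss expectancy SLE = AV × EF (exposure factor, the fraction of the asset lost in one incident), annualized loss expectancy ALE = SLE × ARO (annualized rate of occurrence), and the cost/benefit test for a control, (ALE before) − (ALE after) − (annual cost of the control). The qualitative part maps the article's "high / medium / low" words to an ordinal score so scenarios can be ranked; every dollar figure, rate and scenario name is a constructed sample value, not data from any real assessment.

```python
"""Worked quantitative (SLE/ALE) and qualitative (high/medium/low) risk analysis.

Added example for a CISSP risk-management article. All asset values, exposure
factors, occurrence rates and control costs are constructed sample figures.
"""
from dataclasses import dataclass
from typing import List

# Assumption: a 3-point ordinal scale for the article's qualitative words.
# Many organizations use 5 levels; the ranking logic is the same.
QUAL_SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float      # AV: business/replacement value of the asset, in dollars
    exposure_factor: float  # EF: fraction of AV lost in a single incident (0.0 - 1.0)
    annual_rate: float      # ARO: expected number of incidents per year
    likelihood: str         # qualitative likelihood: low / medium / high
    impact: str             # qualitative impact: low / medium / high

    def __post_init__(self) -> None:
        # Guard the inputs: an EF outside [0, 1] or a negative ARO is a data-entry
        # error, and silently accepting it would corrupt every figure downstream.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure factor must be between 0 and 1")
        if self.annual_rate < 0 or self.asset_value < 0:
            raise ValueError(f"{self.name}: AV and ARO must be non-negative")
        if self.likelihood not in QUAL_SCALE or self.impact not in QUAL_SCALE:
            raise ValueError(f"{self.name}: likelihood/impact must be low, medium or high")

    def sle(self) -> float:
        """Single loss expectancy: dollar cost of one occurrence (SLE = AV * EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected yearly loss (ALE = SLE * ARO)."""
        return self.sle() * self.annual_rate

    def qualitative_score(self) -> int:
        """Likelihood x impact on the ordinal scale; higher ranks first."""
        return QUAL_SCALE[self.likelihood] * QUAL_SCALE[self.impact]


def residual_ale(scenario: RiskScenario, new_annual_rate: float) -> float:
    """ALE after a control that lowers how often the incident occurs (new ARO).

    Controls that instead reduce the damage per incident would lower EF; the
    arithmetic is the same with the other factor changed.
    """
    return scenario.sle() * new_annual_rate


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Cost/benefit of a countermeasure.

    (ALE before) - (ALE after) - (annual cost of control). A positive result means
    the control saves more than it costs; a negative one means accepting or
    transferring the risk may be the better business decision.
    """
    return ale_before - ale_after - annual_control_cost


def rank_qualitative(scenarios: List[RiskScenario]) -> List[RiskScenario]:
    """Order scenarios by qualitative score, highest risk first."""
    return sorted(scenarios, key=lambda s: s.qualitative_score(), reverse=True)


# Constructed sample scenarios (not real assessment data).
DB_SERVER = RiskScenario("Customer database server", 200_000.0, 0.25, 0.5, "medium", "high")
LAPTOPS = RiskScenario("Sales laptop fleet", 50_000.0, 0.10, 4.0, "high", "low")
SCENARIOS = [LAPTOPS, DB_SERVER]

# Constructed control: a backup/DR improvement costing $8,000 per year that is
# expected to cut the database incident rate from 0.5 to 0.1 per year.
DB_CONTROL_COST = 8_000.0
DB_CONTROL_NEW_ARO = 0.1


def db_control_decision() -> float:
    """Net annual value of the sample database control."""
    return control_value(DB_SERVER.ale(), residual_ale(DB_SERVER, DB_CONTROL_NEW_ARO), DB_CONTROL_COST)


if __name__ == "__main__":
    for s in rank_qualitative(SCENARIOS):
        print(f"{s.name}: score={s.qualitative_score()} SLE=${s.sle():,.0f} ALE=${s.ale():,.0f}")
    print(f"Database control net value per year: ${db_control_decision():,.0f}")
```

Running the script ranks the database server first on the qualitative scale (medium likelihood, high impact) and shows why the quantitative figures matter for the decision itself: the database scenario's ALE of $25,000 drops to $5,000 with the control, so the $8,000 control nets $12,000 a year and is worth implementing, whereas the laptop scenario's $20,000 ALE would need to be compared against the cost of whatever control is proposed before anything is approved.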
When authenticating against our access control systems, you present your fingerprint. Which type of authentication are you using?

Biometrics. Biometric authentication involves using some part of your physical makeup to authenticate you. This could be a fingerprint, an iris scan, a retina scan or some other physical characteristic.