Governance standard and control frameworks focused on internal risk analysis

Risk is a crucial element in all our lives. In every action we plan to take in our personal and professional lives, we need to analyze the risks associated with it. From a cybersecurity perspective, industries such as energy, healthcare, banking, insurance and retail involve a lot of risks that impede the adoption of technology and need to be effectively managed. The associated risks which need to be addressed evolve quickly and must be handled in a short period of time.

Both simple and advanced devices are now part of our everyday lives, ranging from road signs to intelligent vending machines to advanced diagnosing medical services. Each of these types of devices needs to be secured since they all have their own requirements regarding Confidentiality, Integrity, and Availability of the data or resources they provide.

Risk management involves comprehensive understanding, analysis and mitigation of risk to help organizations achieve their information security objective. Risk is fundamentally inherent in every aspect of information security decisions and thus risk management concepts help aid each decision to be effective in nature.

Security and risk management is the first domain of eight domains covered on the CISSP certification exam. The exam was last updated in May 2021, and the updated exam subdomains include:

  • Understand, adhere to and promote professional ethics
  • Understand and apply security concepts
  • Evaluate and apply security governance principles
  • Determine compliance and other requirements
  • Understand legal and regulatory issues that pertain to information security in a holistic context
  • Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)
  • Develop, document, and implement security policy, standards, procedures and guidelines
  • Identify, analyze and prioritize Business Continuity (BC) requirements
  • Contribute to and enforce personnel security policies and procedures
  • Understand and apply risk management concepts
  • Understand and apply threat modeling concepts and methodologies
  • Apply Supply Chain Risk Management (SCRM) concepts
  • Establish and maintain a security awareness, education and training program

Below is additional information on security and risk management that will help you prepare for the CISSP certification exam. Additional information can be found in the CISSP exam outline.

Goals of a security model

The two primary objectives of information security within the organization from a risk management perspective include:

  • Have controls in place to support the mission of the organization.
  • All the decisions should be based on the risk tolerance of the organization.

Strategy leads to tactics, tactics lead to operations

For example, the strategic goals may refer to having all domains centrally administered and implementing VPNs and RADIUS servers to provide a highly secure environment that gives management and employees a good level of assurance.

A security model has different layers, but it also has different types of goals to accomplish in different time frames.

  • Operational goals: Daily goals, or operational goals, focus on productivity and task-oriented activities to ensure the company’s functionality in a smooth and predictable manner. Operational goals may include patching computers as needed, supporting users, updating anti-virus signatures, and maintaining the overall network on a daily basis.
  • Tactical goals: Corresponding mid-term goals, or tactical goals, could involve moving computers into domains, installing firewalls and segregating the network by creating a demilitarized zone. Other tactical goals could include integrating all workstations and resources into one domain so more central control can be achieved.
  • Strategic goals: A long-term goal, or strategic goal, may involve moving all the branches from dedicated communication lines to frame relay, implementing IPSec virtual private networks (VPNs) for all remote users instead of dial-up entry, and integrating wireless technology with the comprehensive security solutions and controls existing within the environment.

This approach to strategy is called the planning horizon. A company cannot usually implement all changes at once, and some changes are larger than others. Often, certain changes cannot happen until other changes have taken place. If an organization whose network is currently decentralized, working in workgroups without any domain trust, wants to implement its own certificate authority (CA) and public key infrastructure (PKI) enterprise-wide, this cannot happen in a week’s time.

The operational goals are to keep production running smoothly and make small steps towards readying the environment for a domain structure. The tactical goal would be to put all workstations and resources into a domain structure and centralize access control and authentication. The strategic goal is to have all workstations, servers, and devices within the enterprise use the public key infrastructure to deliver authentication, encryption, and additional secure communication channels.

Generally, security works best if its operational, tactical and strategic goals are defined and work to support each other. This can be more difficult than it appears.

Security fundamentals: CIA

Confidentiality, integrity and availability (the CIA triad) is a typical security framework intended to guide policies for information security within an organization.

1. Confidentiality: Prevent unauthorized disclosure

Confidentiality of information refers to protecting the information from disclosure to unauthorized parties.

Key areas for maintaining confidentiality:

  • Social engineering: Training and awareness, defining separation of duties at the tactical level, enforcing policies and conducting vulnerability assessments
  • Media reuse: Proper sanitization strategies
  • Eavesdropping: Use of encryption and keeping sensitive information off the network with adequate access controls

2. Integrity: Detect modification of information

The integrity of information denotes protecting sensitive information from being modified by unauthorized parties.

Key areas for maintaining integrity:

  • Implement encryption using integrity-based algorithms
  • Prevent intentional or malicious modification (message digest, MAC, digital signatures)

3. Availability: Provide timely and reliable access to resources

Availability of information signifies ensuring that all the required or intended parties are able to access the information when needed.

Key areas for maintaining availability:

  • Prevent single point of failure
  • Comprehensive fault tolerance (data, hard drives, servers, network links, etc.)

Best practices to support CIA

  • Separation of duties: Prevents any one person from becoming too powerful within an organization. This policy also provides singleness of focus. For instance, a network administrator who is concerned with providing users access to resources should never be the security administrator. This policy also helps prevent collusion as there are many individuals with discrete capabilities. Separation of duties is a preventative control.
  • Mandatory vacations: Prevents an operator from having exclusive use of a system. Periodically, that individual is forced to take a vacation and relegate control of the system to someone else. This policy is a detective control.
  • Job rotation: Similar in purpose to mandatory vacations, but with the added benefit of cross-training employees.
  • Least privilege: Allowing users to have only the required access to do their jobs.
  • Need to know: In addition to clearance, users must also have a “need to know” to access classified data.
  • Dual control: Requiring more than one user to perform a task.

Risk management and the CISSP

Risk management is the process of identifying, examining, measuring, mitigating or transferring risk. Its main goal is to reduce the probability or impact of an identified risk. The risk management lifecycle includes all risk-related actions such as assessment, analysis, mitigation and ongoing risk monitoring, which we will discuss in the latter part of this article.

The success of a security program can be traced to a thorough understanding of risk. Without proper consideration and evaluation of risks, the correct controls may not be implemented. Risk assessment ensures that we identify and evaluate our assets, then identify threats and their corresponding vulnerabilities.

Risk analysis allows us to prioritize these risks and ultimately assign a dollar value to each risk event. Once we have a dollar value for a particular risk, we can then make an informed decision as to which mitigation method best suits our needs. And finally, as with all elements of a security policy, ongoing evaluation is essential. New attacks and other threats are always emerging, and security professionals must stay informed and up to date.

Best practices to support risk management

  • Every decision starts with looking at risk.
  • Determine the value of your assets.
  • Evaluate and identify cost-effective solutions to reduce risk to an acceptable level (rarely can we eliminate risk).
  • Keep in mind that safeguards are proactive and countermeasures are reactive.

The following definitions are crucial for risk management:

  • Asset: Anything of value to the company
  • Vulnerability: A weakness, the absence of a safeguard
  • Threat: Things that could pose a risk to all or part of an asset
  • Threat agent: The entity which carries out the attack
  • Exploit: An instance of compromise
  • Risk: The probability of a threat materializing
  • Controls: Physical, administrative and technical protections (including both safeguards and countermeasures)

Multiple scenario-based use cases are evaluated in the CISSP exam, based on the following general sources of risk:

  • Weak, unpatched or non-existing anti-virus software
  • Disgruntled employees posing an internal threat
  • Poor physical security controls
  • Weak access controls
  • Lack of change management
  • Lack of formal processes for hardening systems
  • Poorly trained users and lack of awareness

Lifecycle of risk management

  1. Risk assessment: Categorize, classify and evaluate assets, as well as identify threats and vulnerabilities
  2. Risk analysis: Both qualitative and quantitative
  3. Risk mitigation/response: Includes reducing or avoiding risk, transferring risk, and accepting or rejecting risk

Each section within the lifecycle is crucial for CISSP and has been further defined below.

1. Risk assessment

A risk assessment looks at the risks corresponding to identified parameters for a specific period and must be re-evaluated periodically, because managing risk is an ongoing process. The following steps are officially part of a risk assessment as per NIST 800-30:

  • System characterization
  • Threat identification
  • Vulnerability identification
  • Control analysis
  • Likelihood determination
  • Impact analysis
  • Risk determination
  • Control recommendation
  • Results documentation

2. Risk analysis

Risk can be analyzed through a qualitative and quantitative lens.

Qualitative analysis is subjective in nature and uses words like “high,” “medium,” “low” to describe the likelihood and severity of the impact of a threat exposing a vulnerability.

Quantitative analysis is objective and numbers-driven. It requires more experience than qualitative analysis and involves calculations to determine a dollar value associated with each risk element. Business decisions are fundamentally driven by this type of analysis, and it is essential in order to conduct a cost/benefit analysis.

Key pointers to be remembered for risk analysis include:

  • AV: Asset value
  • EF: Exposure factor
  • ARO: Annual rate of occurrence
  • Single loss expectancy = AV * EF
  • Annual loss expectancy = SLE * ARO
  • Risk value = probability * impact (probability is how likely it is for the threat to materialize; impact is the extent of the damage)
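The formulas above are easier to remember once they are applied to a concrete risk and to the cost/benefit decision they exist to support. The following is an added worked example, not code from the original article: it computes SLE and ALE for a constructed data-center flooding risk, scores candidate safeguards with the standard test (ALE before the control, minus ALE after it, minus the control's annual cost), and rates the same risk qualitatively on a low/medium/high scale. All asset values, exposure factors, rates and safeguard costs are invented for illustration.

```python
"""Quantitative and qualitative risk analysis using SLE = AV * EF and
ALE = SLE * ARO, plus the cost/benefit test for a safeguard.

All figures below are constructed for illustration; they are not drawn
from any real organization or from the article itself.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    asset: str
    av: float   # asset value (AV) in dollars
    ef: float   # exposure factor (EF): fraction of the asset lost in one incident, 0..1
    aro: float  # annual rate of occurrence (ARO): expected incidents per year

    def sle(self) -> float:
        """Single loss expectancy: what one incident costs."""
        return self.av * self.ef

    def ale(self) -> float:
        """Annual loss expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float  # purchase cost amortized per year plus operating cost
    new_ef: float       # exposure factor once the control is in place
    new_aro: float      # annual rate of occurrence once the control is in place


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Cost/benefit figure for a safeguard:
    (ALE before) - (ALE after) - (annual cost of the safeguard).
    Positive means the control pays for itself; negative means accepting the
    risk, or choosing a cheaper control, is the better business decision."""
    residual = Risk(risk.asset, risk.av, sg.new_ef, sg.new_aro)
    return risk.ale() - residual.ale() - sg.annual_cost


def best_safeguard(risk: Risk, candidates: List[Safeguard]) -> Optional[Safeguard]:
    """Return the candidate with the highest positive value, or None if every
    candidate costs more than it saves (i.e. accept the risk)."""
    value, sg = max(((safeguard_value(risk, c), c) for c in candidates),
                    key=lambda pair: pair[0])
    return sg if value > 0 else None


# Qualitative analysis: words instead of dollars. The 3x3 scale is a common
# textbook layout chosen for this example, not one prescribed by the exam outline.
LEVELS = {"low": 1, "medium": 2, "high": 3}


def qualitative_rating(probability: str, impact: str) -> str:
    """Risk value = probability * impact, mapped back onto low/medium/high."""
    score = LEVELS[probability.lower()] * LEVELS[impact.lower()]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


if __name__ == "__main__":
    # Constructed scenario: a $1,000,000 data center that loses 10% of its
    # value in a flood expected once every ten years (ARO = 0.1).
    flood = Risk("data center", av=1_000_000, ef=0.10, aro=0.1)
    print(f"SLE = ${flood.sle():,.0f}, ALE = ${flood.ale():,.0f}")

    options = [
        # Hypothetical controls with invented costs and residual figures.
        Safeguard("flood barriers", annual_cost=3_000, new_ef=0.02, new_aro=0.1),
        Safeguard("relocate data center", annual_cost=50_000, new_ef=0.0, new_aro=0.0),
    ]
    for option in options:
        print(f"{option.name}: net annual value ${safeguard_value(flood, option):,.0f}")
    choice = best_safeguard(flood, options)
    print("decision:", choice.name if choice else "accept the risk")
    print("qualitative rating (low probability, high impact):",
          qualitative_rating("low", "high"))
```

Running the script shows why the formulas matter: relocating the data center eliminates the risk entirely but costs far more per year than the $10,000 ALE it removes, so the cheaper barriers (which leave a residual ALE of $2,000) are the control that actually reduces risk to an acceptable level at an acceptable cost.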

3. Mitigating risk

There are three acceptable responses to risk mitigation:

Organizations need to continue to monitor for risks. How an organization decides to mitigate business risks becomes the basis for security governance and policy.

Security governance and policy

The goal of security governance is to ensure that security strategies, goals, risks and objectives are assessed according to a top-down model. By doing so, we ensure that those ultimately responsible for the success or failures of a security program are directly involved.

To achieve security governance, security blueprints have to be created to allow organizations to implement practices and procedures to support their security goals and the overall mission of the organizations. Various industry consortiums have provided insight into the goals, objectives, and means of developing successful information security management systems (ISMS).

The following industry standards are some of those which provide multiple frameworks that could be reviewed when creating security baselines to achieve security governance.

  • BS 7799, ISO 17799, and 27000 Series
  • COBIT and COSO
  • OCTAVE
  • ITIL

Approach to security management

Poor security management causes the majority of a company’s security problems. Security needs to be directed and supported by top management (the top-down approach); without that support, any security effort is doomed. Unfortunately, most companies follow a bottom-up approach, where the IT department takes security seriously and attempts to develop a security program on its own. This approach usually does not give those individuals the necessary funds, support, resources or attention, so it is often doomed from the start.

An information security management program primarily consists of the following key areas to be aware of:

  • Roles and responsibilities
  • Policies/standards/procedures/guidelines
  • SLAs (service level agreements)/outsourcing
  • Data classification/security
  • Auditing

Senior management’s roles and responsibilities across the following areas are generally evaluated for CISSP and are crucial for the overall understanding of the security risk management for any organization.

What is a risk assessment (CISSP)?

A risk assessment is the process of identifying and prioritizing risks to the business. The assessment is crucial. Without an assessment, it is impossible to design good security policies and procedures that will defend your company's critical assets.

What are the steps of a risk assessment (CISSP)?

It consists of four steps:

  1. Define the actual threat.
  2. Identify possible consequences to the organization if the threat is realized.
  3. Determine the probable frequency of a threat.
  4. Assess the probability that a threat will materialize.

When we are doing quantitative risk analysis, what does the asset value (AV) tell us?

The asset value (AV) tells us what the asset is worth; from it we derive how much of the asset is compromised in one incident (EF), how much one incident will cost (SLE), how often the incident occurs (ARO) and how much that is per year (ALE).

When authenticating against our access control systems, you present your fingerprint. Which type of authentication are you using?

Biometrics. Biometric authentication involves using some part of your physical makeup to authenticate you. This could be a fingerprint, an iris scan, a retina scan, or some other physical characteristic.