Published by Damian Cross. Modified over 9 years ago.
Slide 1: Information Security Governance and Risk Management
Slide 2: Domain Objectives
- Security Planning and Organization
- Roles of Individuals in a Security Program
- Differences between Policies, Standards, Guidelines, and Procedures as related to Security
- Security Awareness throughout the Organization
- Risk Management Practices and Tools
Slide 3: Information Security TRIAD
(Diagram: Information Security at the centre of the three properties)
- Confidentiality
- Integrity
- Availability
Slide 4: Introduction
Information Security Management includes:
- Governance Structure
- Policies
- Standards
- Procedures
- Baselines
- Guidelines
Slide 5: Domain Agenda
- Principles and Requirements
- Policy
- Organizational Roles and Responsibilities
- Risk Management and Analysis
- Ethics
Slide 6: IT Security Requirements
- Assurance Requirements: provide confidence that the security function is performing as expected; a critical part of the security program
- Functional Requirements: define the security behavior of the control measure; selected based on risk assessment
- Together, assurance and functional requirements yield Complete Security Solutions
Slide 7: Organizational & Business Requirements
- Focus on the mission of the organization
- Each type of organization has differing security requirements
- Security must make sense and be cost effective
Slide 8: IT Security Governance
- Integral part of overall Corporate Governance
- Three major parts: Leadership, Structure, Processes
Slide 9: ISO 17799 & ISO 27001
- ISO 17799: Code of Practice (Guidance and Support); management focus
- ISO 27001:2005: Management System Standard (Certifiable and Measurable Requirements); assurance focus
Slide 10: Security Blueprints
- Used to identify and design security requirements
- Infrastructure Security Blueprints
Slide 11: Domain Agenda
- Principles and Requirements
- Policy
- Organizational Roles and Responsibilities
- Risk Management and Analysis
- Ethics
Slide 12: Policy Overview
(Diagram: the "environment" surrounding the Overarching Organizational Policy, i.e. Management's Security Statement)
- Laws
- Regulations
- Organizational Objectives
- Organizational Goals
- Shareholders' Interests
Slide 13: Policy Overview
(Diagram: the policy hierarchy, top to bottom)
- Overarching Organizational Policy (Management's Security Statement)
- Functional Implementing Policies (Management's Security Directives)
- Standards, Baselines, Guidelines, Procedures
Slide 14: Management's Security Policy
- Provides management's goals and objectives in writing
- Documents compliance
- Creates a security culture
(Illustration: a signed statement, "Security is essential to this company and its future", J.T. Lock, CEO)
Slide 15: Management's Security Policy
- Anticipates and protects from surprises
- Establishes the security activity/function
- Holds individuals personally responsible/accountable
- Addresses potential future conflicts
Slide 16: Management's Security Policy
- Ensures employees and contractors are aware of organizational policy and changes
- Mandates an incident response plan
- Establishes processes for exception handling, rewards, discipline
(Illustration: a Security Violation Reprimand, TO: I.M. Wrong, FOR: Failing to follow established policies)
Slide 17: Policy Infrastructure
- Functional Policies implement and interpret the high-level security policies of the organization
(Diagram: Management's Security Policy, "Security is essential to this company and its future", J.T. Lock, CEO, branching into several Functional Policies)
Slide 18: Policy Implementation
- From policies come the supporting elements: Standards, Procedures, Baselines, Guidelines
- These enforce the security policy principles on every business process and system
Slide 19: Standards
- Adoption of common hardware and software mechanisms and products
(Illustration: Corporate Standard Products, e.g. Desktop, Anti-Virus, Firewall)
Slide 20: Procedures
- Required step-by-step actions
(Illustration: Corporate Procedures for Intrusion, Tampering, Material Destruction)
Slide 21: Baselines
- Establish consistent implementation of security mechanisms
- Platform unique
(Illustration: Corporate Configuration Baseline covering VPN Setup, IDS Configuration, Password Rules)
Slide 22: Guidelines
- Recommendations for security product implementations, procurement and planning, etc.
(Illustration: sources of guidelines such as TCSEC, ISO 27001, SOX, HIPAA, ITIL)
Slide 23: Levels of Security Planning
Three levels of security planning:
- Strategic Planning
- Tactical Level Planning
- Operational Planning
These plans must be integrated, with a seamless transition between levels.
Slide 24: Domain Agenda
- Principles and Requirements
- Policy
- Organizational Roles and Responsibilities
- Risk Management and Analysis
- Ethics
Slide 25: Organizational Roles and Responsibilities
- Everyone has a role and responsibility
- Specific security functions must be assigned
Slide 26: Specific Roles and Responsibilities
- Executive Management
- Information Systems Security Professionals
- Owners
- Custodians
Slide 27: Organizational Roles and Responsibilities
- Information Systems Auditor
- Users
- IS/IT Function
Slide 28: Personnel Security: Hiring of New Staff
- Background Checks/Security Clearances
- Follow-up on References and Educational Records
- Sign Employment Agreements
Slide 29: Personnel Security
- Low Level Checks
- Consult the Human Resources (H.R.) department
- Termination Procedures
Slide 30: Third Party Considerations
- Vendors/Suppliers
- Contractors
- Temporary Employees
- Customers
Slide 31: Personnel Good Practices
- Job Descriptions and Defined Roles and Responsibilities
- Least Privilege / Need to Know
- Separation of Duties
- Job Rotation
- Mandatory Vacations
Slide 32: Security Awareness, Training, and Education
- Awareness Training
- Job Training
- Professional Education
Slide 33: Good Training Practices
Address the audience:
- Management
- Data Owner and Custodian
- Operations Personnel
- User Support Personnel
Slide 34: Domain Agenda
- Principles and Requirements
- Policy
- Organizational Roles and Responsibilities
- Risk Management and Analysis
- Ethics
Slide 35: Definition of Risk from NIST SP 800-30
"Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization." (SP 800-30)
Slide 36: Risk Management Concept Flow
(Diagram only)
Slide 37: Risk Management Definitions
- Asset
- Threat
- Threat Agent
- Exposure
Slide 38: Risk Management Terms
- Vulnerability
- Attack
- Countermeasures and Safeguards
- Risk
- Residual Risk
Slide 39: Risk Management
The purpose of Risk Management is to identify potential problems:
- Before they occur
- So that risk-handling activities may be planned and invoked as needed
- Across the life of the product or project
Slide 40: Risk Assessment
(Diagram: the Risk Equation surrounded by the risk management cycle)
- Identification of risks
- Evaluation of risks: ongoing risk assessment, periodic evaluation, regulatory compliance
- Risk Impact
- Recommendation of risk-reducing measures
- Risk Mitigation
- Evaluation & Assurance
- Risk Management options: Risk Avoidance, Risk Mitigation, Risk Acceptance, Risk Transference
Slide 41: Risk Factors
- Threats
- Assets
- Vulnerabilities
Slide 42: Risk Factors
- Threats
- Assets
- Countermeasures
Slide 43: Risk Management
- Risk Management identifies and reduces Total Risks (Threats, Vulnerabilities, & Asset Value)
- Mitigating controls (Safeguards & Countermeasures) reduce risk
- Residual Risk should be set to an acceptable level
Slide 44: Purpose of Risk Analysis
- Identifies and justifies risk mitigation efforts
- Describes current security posture
- Conducted based on risk to the organization's objectives/mission
Slide 45: Benefits of Risk Analysis
- Focuses policy and resources
- Identifies areas with specific risk requirements
- Part of good IT Governance
- Supports the business continuity process
- Insurance and liability decisions
- Legitimizes security awareness programs
Slide 46: Emerging Threats Factor
- Risk Assessment must also address emerging threats
- Can come from many different areas
- May be discovered by periodic risk assessments
Slide 47: Sources to Identify Threats
- Users
- System Administrators
- Security Officers
- Auditors
- Operations
- Facility Records
- Community and Government Records
- Vendor/Security Provider Alerts
Slide 48: Risk Analysis Key Factors
- Obtain senior management support
- Establish the risk assessment team
(Illustration: Risk Team Members)
Slide 49: Use of Automated Tools for Risk Management
- Objective is to minimize manual effort
- Can be time consuming to set up
- Perform calculations quickly
Slide 50: Preliminary Security Evaluation
- Identify vulnerabilities
- Review existing security measures
- Document findings
- Obtain management review and approval
Slide 51: Risk Analysis Types
Two types of Risk Analysis:
- Quantitative Risk Analysis
- Qualitative Risk Analysis
Both provide unique capabilities, and both are often required to get a full picture.
Slide 52: Quantitative Risk Analysis
- Assigns independently objective numeric monetary values
- Fully quantitative if all elements of the risk analysis are quantified
- Difficult to achieve
- Requires substantial time and personnel resources
(Illustration: RISK = MONEY)
Slide 53: Quantitative Analysis Steps
Three primary steps:
1. Estimate potential losses
2. Conduct a threat analysis
3. Determine annual loss expectancy
Slide 54: Determining Asset Value
- Cost to acquire, develop, and maintain
- Value to owners, custodians, or users
- Liability for protection
- Recognize cost and value in the real world
Slide 55: Quantitative Risk Analysis - Step One
Estimate potential losses:
- SLE: Single Loss Expectancy
- SLE = Asset Value ($) x Exposure Factor (%)
- Exposure Factor is the percentage of asset loss when the threat is successful
- Types of loss to consider
Slide 56: Quantitative Risk Analysis - Step Two
Conduct threat analysis:
- ARO: Annual Rate of Occurrence
- Number of exposures or incidents that could be expected per year
- Likelihood of an unwanted event happening
Slide 57: Quantitative Risk Analysis - Step Three
Determine Annual Loss Expectancy (ALE):
- Combine potential loss and rate per year: ALE = SLE x ARO
- Magnitude of risk = Annual Loss Expectancy
- Purpose of ALE: justify security countermeasures
Slide 58: Qualitative Risk Analysis - Second Type
- Scenario oriented
- Does not attempt to assign absolute numeric values to risk components
- Purely qualitative risk analysis is possible
Slide 59: Qualitative Risk Analysis Critical Factors
- Rank seriousness of threats and sensitivity of assets
- Perform a carefully reasoned risk assessment
Slide 60: Risk Levels (AS/NZ 4360 Standard)

Likelihood \ Consequence   1 Insignificant   2 Minor   3 Moderate   4 Major   5 Catastrophic
A (almost certain)         H                 H         E            E         E
B (likely)                 M                 H         H            E         E
C (possible)               L                 M         H            E         E
D (unlikely)               L                 L         M            H         E
E (rare)                   L                 L         M            H         H

Legend:
- E Extreme Risk: immediate action required to mitigate the risk or decide to not proceed
- H High Risk: action should be taken to compensate for the risk
- M Moderate Risk: action should be taken to monitor the risk
- L Low Risk: routine acceptance of the risk
Slide 61: Other Risk Analysis Methods
- Failure Modes and Effects Analysis: examine potential failures of each part or module; examine effects of failure at three levels
- Fault Tree Analysis: sometimes called "spanning tree analysis"; create a "tree" of all possible threats to, or faults of, the system
Slide 62: Risk Mitigation Options
- Risk Acceptance
- Risk Reduction
- Risk Transference
- Risk Avoidance
Slide 63: Cost/Benefit Analysis
- Balance between the cost to protect and asset value
- The right amount of security: "Security is a Balancing Act!"
(Illustration: a scale weighing Cost against Value)
Slide 64: Countermeasure Selection Principles
- Based on a cost/benefit analysis
- Cost must be justified by the potential loss
- Accountability
- Absence of Design Secrecy
- Audit Capability
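The three quantitative steps of slides 55 to 57 (SLE, ARO, ALE) carried through in code and then applied to the cost/benefit rule of slides 63 and 64. This is an added example, not material from the original deck: the asset values, exposure factors, rates and safeguard cost are constructed, and the rule that a countermeasure is justified when its annual cost does not exceed the ALE it removes is an assumed way of applying "cost must be justified by the potential loss".

```python
# Added example, not from the original slides. Carries the deck's three
# quantitative steps (SLE, ARO, ALE) through in code and applies its
# countermeasure rule that cost must be justified by the potential loss.
# All dollar figures, exposure factors and rates below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # cost to acquire/develop/maintain + value to owners ($)
    exposure_factor: float  # fraction of asset value lost per successful event (0..1)
    aro: float              # Annual Rate of Occurrence (expected incidents per year)


def sle(t: Threat) -> float:
    """Step 1: Single Loss Expectancy = Asset Value x Exposure Factor."""
    if not 0.0 <= t.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return t.asset_value * t.exposure_factor


def ale(t: Threat) -> float:
    """Steps 2-3: Annual Loss Expectancy = SLE x ARO."""
    if t.aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(t) * t.aro


def safeguard_value(before: Threat, after: Threat, annual_cost: float) -> float:
    """Cost/benefit of a countermeasure: ALE reduction minus its annual cost.
    Positive means the spend is justified by the loss it avoids (assumed rule)."""
    return ale(before) - ale(after) - annual_cost


# Constructed sample: a $200,000 file server; a malware outage destroys
# 40% of its value and is expected once every two years (ARO 0.5).
SERVER_OUTAGE = Threat("file server malware outage", 200_000, 0.40, 0.5)
# Same threat after an assumed offline-backup safeguard: EF falls to 10%.
SERVER_OUTAGE_WITH_BACKUPS = Threat("file server malware outage", 200_000, 0.10, 0.5)
BACKUP_ANNUAL_COST = 15_000  # constructed


def report() -> dict:
    """Full worked analysis for the sample threat, before and after the safeguard."""
    return {
        "sle": sle(SERVER_OUTAGE),                     # 80,000
        "ale_before": ale(SERVER_OUTAGE),              # 40,000
        "ale_after": ale(SERVER_OUTAGE_WITH_BACKUPS),  # 10,000
        "safeguard_value": safeguard_value(
            SERVER_OUTAGE, SERVER_OUTAGE_WITH_BACKUPS, BACKUP_ANNUAL_COST),  # 15,000
    }
```

Calling report() returns the four figures; a negative safeguard_value means the countermeasure costs more per year than the loss it prevents and fails the deck's cost-justification test.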
Slide 65: Countermeasure Selection Principles
- Vendor Trustworthiness
- Independence of Control and Subject
- Universal Application
- Compartmentalization and Defense in Depth
- Isolation, Economy, and Least Common Mechanism
Slide 66: Countermeasure Selection Principles
- Acceptance and Tolerance by Personnel
- Minimum Human Intervention
- Sustainability
Slide 67: Countermeasure Selection Principles
- Reaction and Recovery
- Override and Fail-safe Defaults
- Residuals and Reset
Slide 68: Domain Agenda
- Principles and Requirements
- Policy
- Organizational Roles and Responsibilities
- Risk Management and Analysis
- Ethics
Slide 69: Ethical Responsibilities
- CISSPs "set the example"
- CISSPs encourage adoption of ethical guidelines and standards
- CISSPs inform users through security awareness training
Slide 70: Basis and Origin of Ethics
- Religion
- Law
- National Interest
- Individual Rights
- Common good/interest
- Enlightened self interest
- Professional ethics/practices
- Standards of good practice
- Tradition/culture
Slide 71: Formal Ethical Theories
- Teleology: ethics in terms of goals, purposes, or ends
- Deontology: ethical behavior is a duty
Slide 72: Common Ethical Fallacies
- Computers are a game
- Law-abiding Citizen
- Shatterproof
- Candy-from-a-baby
- Hackers
- Free Information
Slide 73: Codes of Ethics
Relevant professional codes of ethics include:
- (ISC)² and other professional codes of ethics
- Internet Activities Board (IAB)
- Auditors
Professional codes may have legal importance.
Slide 74: (ISC)² Code of Ethics Preamble
- "Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior"
- "Therefore, strict adherence to this code is a condition of certification"
Slide 75: (ISC)² Code of Ethics Canons
- "Protect society, the commonwealth, and the infrastructure"
- "Act honorably, honestly, justly, responsibly, and legally"
- "Provide diligent and competent service to principals"
- "Advance and protect the profession"
Slide 76: RFC 1087 Ethics and the Internet
- Access and use of the Internet is a PRIVILEGE and should be treated as such by all users
Slide 77: Internet Activities Board (IAB)
Any activity is unethical and unacceptable that purposely:
- Seeks to gain unauthorized access to Internet resources
- Disrupts the intended use of the Internet
- Wastes resources (people, capacity, computer) through such actions
Slide 78: Internet Activities Board (IAB)
- Destroys the integrity of computer-based information
- Compromises the privacy of users
- Involves negligence in the conduct of Internet-wide experiments
Slide 79: Ethical Environments
- Ethics are difficult to define
- Begin with senior management
Slide 80: Domain Summary
This domain sets the foundation for a respected and solid Information Security Management Program:
- Policies, Procedures, Baselines, Guidelines
- Roles and Responsibilities
- Risk Management
- Ethics
Slide 81: "Security Transcends Technology"