mss

JBP
-

\ .'

•v;
i } i it
'-' V
n
'•
i
V-,
!S

nformation Security
:

v;;

b
and
HttRisk Management i.

,u
I® (Sj
L lu
%
:.'*ÿ -.
IP SMB!
wmn
From the CISSP® CBK®, the definition of this domain—Information Security & Risk Management entails the identifica¬
tion of an organization’s information assets and the development, documentation, and implementation of policies, stan¬
dards, procedures and guidelines that ensure confidentiality, integrity and availability. Management tools such as data
classification, risk assessment, and risk analysis are used to identify the threats, classify assets, and to rate their vul¬
nerabilities so that effective security controls can be implemented.

Risk management is the identification, measurement, control, and minimization of loss associated with uncertain
events or risks. It includes overall security review, risk analysis; selection and evaluation of safeguards, cost benefit
analysis, management decision, safeguard implementation, and effectiveness review.

The candidate will be expected to understand the planning, organization, and roles of individuals in identifying and
securing an organization’s information assets; the development and use of policies stating management views and
position on particular topics and the use of guidelines, standards, and procedures to support the policies; security
awareness training to make aware of the importance of information security, its significance, and the specific secu¬
rity-related requirements relative to their position; the importance of confidentiality, proprietary and private informa¬
tion; employment agreements; employee hiring and termination practices; and risk management practices and tools to
identify, rate, and reduce the risk to specific resources.

i
 ; Domain Objectives—This slide provides good insight to
DOMAIN OBJECTIVES what the CISSP candidate should understand and be able to
do at the end of this domain.

; ® Security Planning and Organization

; 3 Roles of Individuals in a Security Program

: •Differences between Policies, Standards, Guidelines,
and Procedures as related to Security
i ® Security Awareness throughout the Organization
9 Risk Management Practices and Tools

INFORMATION SECURITY TRIAD • Availability—The concept of availability refers to the

providing of access to the information system and data
when required by the business. Availability is different
Availability for each organization and, often, for each department
in an organization. Some departments may require
continuous availability where an outage of seconds is
already a crisis, whereas other areas may be content
with a basic level of availability, for example during
normal business hours, where a system failure would
Aw-A be seen as an inconvenience and not cause a critical
impact on the operations. A complete information
security program must understand and address these
differences.
Integrity Confidentiality
* Integrity—There are two concepts we will address
3 through integrity, theproteetioiLofJatajmtfprocesses
from improper modFIciHoiTrahdlhe concept of ensur¬
9
AIC TRIAD—The overarching goals of information security ing the operations of the information system are reli¬
efforts are addressed through the AIC TRIAD. Nearly all infor¬ able and performing as expected. This means that the
mation security efforts are based on one or more of the ele¬ system will process transactions correctly and pre¬
ments of the TRIAD. The AIC TRIAD forms the foundation of serve the confidence of the organization in the quality
what we are trying to accomplish through our security poli¬ of the data and processing.
cies, standards, procedures, baselines, and guidelines. It’s
important to remember this includes all IT security efforts • Confidentiality—Is the concept of protecting informa¬
including outsourcing. tion from improper disclosure and protecting the
secrecy and privacy of sensitive data so that the intel¬
lectual property, and reputation of an organization is
not damaged and that data related to individuals is not
released in violation of regulations or the privacy policy
of the organization.

V/

i J

14 (ISC)1 — INFORMATION SECURITY AND RISK MANAGEMENT

 gr

This fairly basic, but authoritative document provides the

INTRODUCTION foundations for the security management program within the i:
organization. From the overarching security policy flows a 1,
rather long list of functional policies. These notes provide a Ip
® Information Security Management includes: list of what is normally considered as the minimum functional H
policies required in a good security management program.
— Governance Structure Naturally they are tailored to the organization and reflect the
organization’s priorities. Additional functional policies may
— Policies v V. S exist depending on the requirements of the organization.
It
1 — Standards 3
Information Security Management includes—
— Procedures
— Baselines ii 0

0
Governance Structure
Policies
— Guidelines
J. 8
Standards
8
Procedures
° Introduction—Information security management includes
many areas. It begins with a formal governance structure
0
Baselines
which provides authority and responsibility to different staff 9
Guidelines
members and sections. It also includes an overarching secu¬
rity policy that is endorsed/signed by senior management.

3
Principles and Requirements—Address the core objectives
DOMAIN AGENDA
of an information security program. Here are the main learn¬
ing points you should get from this section:
0 Principles and Requirements 8
Describe the two types of requirements for a good secu¬
rity solution.
3 Policy
0
Understand and explain the major concepts of IT Security
0 Organizational Roles and Responsibilities Governance.
® Risk Management and Analysis • Understand and be able to explain differences between key
international IT security standards.
Ethics
8
Understand the types of security blueprints and how they
support a strong security policy.

(ISC)1 — INFORMATION SECURITY AND RISK MANAGEMENT i5

 the considerations for functional controls. We will talk
IT SECURITY REQUIREMENTS aboutlheselrTgreater detail on later slides.
0
They should be layered and meet a specific security
* Defines the Complete Security Solutions
requirement.
security behavior A
of the control
0
They should not be depend on another control.
measure 3
They should fail safe, that is that, in the event of a
failure, they maintain the security of the systems.
» Selected based on
risk assessment
0
Assurance Requirements—Assurance mechanisms
confirm that security solutions are selected appropri¬
8 Provides confidence that security function is ately, performing as intended, and are having the
performing as expected desired effect. Many assurance mechanisms will be
reviewed throughout this course within their respec¬
9 Critical part of the security program tive domains i.e., IDS’s, Audit logs, BCP Tests, etc.
6 However, some are applicable especially to the area of
IT security, such as internal and external audits.
° Security Solutions—All security solutions should be Some criteria are used to evaluate the operation of security solutions:
designed with two focus areas; the functional requirements of
the solution, and the assurance requirements that the func¬ 3
Internal/External Audit Reports
tional solution is working correctly. No solution is complete
unless it addresses both of these two areas. For example: a 3
IIA’s Red Book, Yellow Book, etc. (the Institute of
complete “firewall solution" would be having the firewall han¬ Internal Auditors, www.theiia.org)
dling traffic and denying or permitting access correctly—the
functional requirement—and, the “logging and monitoring” ° Periodic Review by Management
aspect addressing the assurance requirements of the firewall 3
Security Reviews (Internal), Checklists, Supervision
solution by ensuring that the firewall is working properly and
providing the expected level of protection in relation to the
3
Third Party Reviews
risks that the firewall was intended to control. 8
Attack and Penetration Tests
8
Functional Requirements—Functional requirements 3
Policy Review
are the things most often thought about when consid¬
ering security controls. The risk assessment provides 8
Threat Risk Assessments

3
Each type of organization has differing security
ORGANIZATIONAL & BUSINESS requirements—Information security requirements differ
REQUIREMENTS greatly between government, military, and commercial ventures.
Each has a different set of priorities depending on their overall
8 Focus on the mission of the mission. Even in the commercial world, it’s very unlikely that
two businesses will have exactly the same security require¬
organization
ments. Businesses within the same type of industry may not
8 Each type of organization have similar requirements since their business flows and
information access requirements may be very different.
has differing security
Furthermore, their company culture may limit or dictate what
requirements is, or is not acceptable. All these and many other considera¬
0 Security must make tions weigh into the selection of security controls and assur¬
ance mechanisms.
sense and be cost
effective 0
Security must make sense and be cost effective—Security
solutions must be developed with due consideration of the
mission and environment of the business.-Hisk analysis,
determining the value of information systems anffassets, and
0
Focus on the mission of the organization—IT Security
cggt-benefit analysis will justify the adoption and implementa-
must focus on and address the requirements of the organiza¬ tiwfoTlecurity controls and risk mitigation efforts.
tion’s mission, goals, and objectives.

16 (ISC)a — INFORMATION SECURITY AND RISK MANAGEMENT

 1
IT SECURITY GOVERNANCE
3
Structure—IT governance occurs at many different levels of
the organization and is a layered approach. The Board of
Directors provide direction to the executives within the com¬
0 Integral Part of Overall Corporate Governance pany. The executives turn that direction into policies.
Managers take those policies and produce standards, base¬ S;
Three Major Parts
#
8
lines, and guidelines. Team leaders take tjjese standards,
— Leadership baselines, and guidelines and form procedures within their
organizations. The individual workers are critical to this lay¬
— Structure W ered structure as they are not only the ones that must imple¬
ment these procedures, but are also most likely to be the
— Processes if ones who first notice violations and unusual events within the
operations of our IT systems.
m i
m 8
Stakeholders and their values play a key role in the IT gov¬
ernance structure as well. Stakeholders include stockhold¬
8 ers, managers, employees, customers of the company,
suppliers, and possibly the government and public at large.
IT Security Governance—The bullets on this slide cover the The value these individuals place on the trust, confidence,
goals of IT security governance. IT security governance is part and security of the company’s IT infrastructure will be
of the overall governance of the company. In years gone by, reflected throughout the organization.
many executives considered IT security as being too difficult, 3
Processes—The security professional should have a good
technical, and well below their areas of responsibility. understanding of the security principles mentioned below.
Therefore, many passed these responsibilities to their already
overworked IT departments who were neither trained nor struc¬ 3
Processes should follow internationally accepted “Best
tured for these duties. Often, the end result was not favorable. Practices."
J
Integral Part of Overall Corporate Governance—IT security ° Job rotation
governance must be fully integrated into the overall risk-
based threat analysis of the company. It goes well beyond the ° Separation of duties
traditional threats to the IT assets and actually considers the 9
Least privilege
potential damage to the information on those IT assets and
the effects that such damage may have on the organization 9
Mandatory, vacations
. and its ability to accomplish its goals and objectives.
9
Brewer-Nash model
3
Governance ensures that the IT infrastructure of the
company: 8
Supervision (logs and monitoring)
0
Meets the A.I.C. requirements. 9
Security audits and reviews (including penetration
tests)
3
Supports the strategies and objectives of the company.
0
I/O controls
• Includes service level agreements when outsourced. 3
Antivirus management
Three Major Parts—
0
Leadership—IT security requires technical skills, but it also The International Organization for Standardization (ISO) and the
requires much more. It requires the ability to earn the trust International Electrotechnical Commission (IEC) 17799:2005
and confidence of the decision makers within the company. Code of Practice for Security Information Management pro¬
Security leaders must be fully integrated into the company vides a broad base of security controls that provides a point of
leadership, where their voices can be heard without filtering reference for completeness of the components within the blue¬
by competing interests. Lastly, the IT security leader must prints. The ISO/IEC 17799:2005 reference standard does not
understand the company—probably better than anyone else. however, provide all of the guidance that is' required for an
This is because the IT professional must understand the effective, holistic security architecture.
information/data, who produces it, where it is stored, who
needs it—when and how, and everything about how the International Security Standard ISO 27001, titled “Information
company operates. If that is true, then the IT security Security Management—Specification With Guidance for Use,”
professionafmust certainly understand everything already has been launched in replacement of BS7799-2. ISO 27001
mentioned as well as all the IT networks that provide these provides the foundation for third party audit, and is integrated
services, their strengths and weaknesses, as well as all the with several other ISO management standards such as ISO
threats to them. The successful IT security professional 9001 and ISO 14001.
must also understand the networks that connect to theirs On the next slide we will briefly talk about IS017799:2005 and

*
and the risks these connections bring. This quick look at the 27001:2005.
requirements for IT security professionals indicates that it
certainly takes a strong, confident, and technically proficient
professional to accomplish this job.

(ISC)1 — INFORMATION SECURITY AND RISK MANAGEMENT 1 1

 0
ISO 17799—Is based upon the British Standard 7799-1,
ISO I77QQ & ISO 27001
which was published in May 1999. The first version of ISO
17799 was published and adopted in December 2000. The
•ISO 17799 most current version is ISO 17799:2005.
— Code of Practice—Guidance and Support 3
ISO 27001:2005—Is the first in the new 27000 series of ISO
standards and replaces the older BS 7799-2.
— Management Focus
•ISO 27001:2005
— Management System Standard (Certifiable
and Measurable Requirements)
— Assurance Focus

SECURITY BLUEPRINTS • Technical architecture

* Normally cover several security domains
Used to identify and design security requirements 0
A comprehensive way to look at security
•Infrastructure Security Blueprints Used to identify and design security requirements—Each
component should directly reflect a policy decision. The
plans should be mutually supportive. All areas should be
considered even if they do not apply to that specific topic.
„ '. I An effective security architecture will always be able to “con¬
[i nect the dots” between the business decisions of the organi¬
zation, how these are reflected in the principles, policies and
standards of the organization, how these have been turned
into requirements, and how the requirements map to the
IO blueprints.

Security Blueprints—Provide a structure for organizing require¬ • eCommerce Solutions

ments and solutions. They are used to ensure that security is • Data Warehouses
considered from a holistic view. A holistic security architecture
can only be created by a professional security architect (such as • Supply Chain Management systems
an Information Systems Security Architecture Professional
(ISSAP®)) after carefully considering a wide range of threats, • Production systems, etc.
vulnerabilities, and organizational requirements. • The Security Blueprints provide a method of organizing
9
Security blueprints are discussed in both ISO 17799:2005 the requirements and the resulting components of a secu¬
and ISO 27001:2005. However, many vendors are now using rity architecture. This approach can be used to address
the term “security blueprint” to reference a wide range of the security requirements of a specific topic or across the
documents relating to their products. enterprise. Certainly not all topics will apply equally or
even at all in the different areas of the company. However,
• Normally used by architects when designing an overall lay¬ blueprints give us a way to think about them and to make
ered security solution. an informed decision as opposed to having an item over¬
looked by mistake.
• Tailored security best practices that combine to form a com¬
prehensive security structure. 0
Infrastructure Security Blueprints—Reflect:

* Policy * Security requirements of a specific company/infrastructure

• Program • Specific business priorities and decisions

18 (IS C)’ — INFORMATION SECURITY AND RISK MANAGEMENT

 0 Regulatory requirements a policy around e-mail usage; subscribe to news
services that warn of new threats; reevaluate the
8
All aspects of security across the entire infrastructure network architecture; host best practices seminars
for users; oh, and use virus blocking software, and,
8
The security policy approved by senior management
probably, firewalls.”
# A definition of Holistic Security Architecture, from the CIO
website, The ABCs of Security, by Scott Berinato and Sarah
Scalet, would be:
“Holistic security means making security part of
everything and not making it its own thing. It "
means security isn’t a~ddedTolhe“enterprise; it’s
woven into the fabric of the application. Here’s an
example. The nonholistic thinker sees a virus threat
and immediately starts spending money on virus¬
blocking software. The holistic security guru will set

» Policy—Here are the objectives for our next section:

DOMAIN AGENDA
8 Describe the purpose of organizational policy.

® Principles and Requirements

8 List the supporting elements of policy implementation.

0 Policy
8
Understand the purpose and differences of guidelines,
policies, procedures, baselines and standards.
® Organizational Roles and Responsibilities
* Describe the environment within which the security
• Risk Management and Analysis policy exists.

•Ethics

II

(ISC)1 — INFORMATION SECURITY AND RISK MANAGEMENT 19

 Policy Overview—The environment within which every com¬
POLICY OVERVIEW pany operates is a complex web of laws, regulations, require¬
ments, competitors, and partners. These are changing
frequently and interact with each other; often in unpredictable
THE “ENVIRONMENT” ways. In addition to these outside forces, senior management
Organizational
Regulations Goals must consider those within the organization such as morale,
. , Overarching labor relations, productivity, cost, cash flow, and many oth¬
Organizational ers. Within this environment, management must develop and
/
Policy publish the overall security statement and directives. From
Laws the security team perspective, these directives should be
addressed through security policies and their- supporting ele¬
Security ments such as standards, baselines and guidelines, to ensure
Organizational Statement) a proper implementation of a security program.
Shareholders’
Objectives
Interests
12

POLICY OVERVIEW —
Policy Overview Standards, baselines, procedures, and
guidelines will be discussed in the next few slides.
(CONT. . .)

..
Dverarching Organizational Policy
(Management’s Security Statement)
I

Functional Implementing Policies

(Management’s Security Directives)
0

Standards Guidelines
Baselines Procedures
13

20 (ISC)a — INFORMATION SECURITY AND RISK MANAGEMENT

 understood. If its too generic, it may be meaningless and
MANAGEMENT’S SECURITY irrelevant. The length and content of this critical document is I
POLICY as unique as the company itself, and must be created with
that in mind. One size does not fit all—or even two.
* Provides Management’s Goals and Objectives in It is good to introduce an appendix outlining the “terms of
#
8

Writing reference.” This is an authoritative document and as such

will be referenced frequently if written properly. Therefore,
O Documents compliance anything we can do that reduces confusion without adding
complexity is an advantage.
•Creates security culture
Security Poticyj • Policies are of no value if not read, available, and current.
“Security is essential to this I Policies must be posted in a location that is available to
company and its future ” every employee for review. They must be current, and
J.T. Lock, CEO reflect new laws and regulations. All employees must be
kept aware of the policies through an annual review. A
14 record of this review with each employee should be
maintained.
° Provides Management’s Goals and Objectives in
Writing—The organizational policy mandates the security
0
Documents compliance—Policy documents how the company
needs within the company. One policy does not fit every com¬ is complying with laws, regulations, and standards of due care.
pany’s requirements. Although two firms may be similar, as
we discussed earlier—they are unique and then also are their
0
—
Creates security culture Policy establishes the internal
environment for the security program. Explains what assets
security requirements. The overarching security policy should and principles the organization considers valuable.
be kept “high-level” and short. If it is too complex, it will be
difficult to get staffed and approved and it may not be read or
\

MANAGEMENT’S SECURITY • Establishes the security activity/function—It should also

establish a security group within the company and grant it
POLICY (CONT. . .) appropriate levels of responsibility. One must be careful not
$ to get too specific to address every detail. One problem with
•Anticipates and protects from surprises being too detailed is that if a situation arises later and it is
not clearly stated in the policy, then many will assume that it
3
Establishes the security activity/function is not covered by the intent of the policy and do what they
will. Therefore, it is normally a good proactive measure to
•Holds individuals personally responsible/accountable include a “catch all clause” that explains how issues not
specifically addressed in the policy will be adjudicated.
* Addresses potential future conflicts
8
Holds individuals personally responsible/accountable
A good security policy makes each employee accountable for
—
j their actions, from top management to the new hire. It's
important for senior management to set a good example and
follow their own policies. After all, if they are unwilling to
follow the policy then maybe no one else is either.
J
Anticipates and protects from surprises—Anticipates Addresses potential future conflicts—A well thought-out
0 s

situations and protects the company and employees from security policy anticipates situations and provides guidance
'surprises’ caused by lack of awareness of management to protect the organization. It should establish provisions for
expectations or ethical guidelines. resolving conflicts between competing interests or people
wondering what is, or is not, permitted.

(ISC)3 — INFORMATION SECURITY AND RISK MANAGEMENT 21

 employment. The security policy is a key document that must
MANAGEMENT’S SECURITY be read/re-read as part of the awareness training.
POLICY (CONT. . .)
0
Mandates an incident response plan—Generically covers
incident response and mandates the authority for, and devel¬
®
Ensures employees and Security opment of, a detailed incident response plan. The security
Violation
contractors are aware of policy should also contain overall information/instructions on
Reprimand
organizational policy TO: I.M. Wrong
how incidents will be handled.
and changes FOR: Falling to 9
Establishes processes for exception handling, rewards,
follow established
Mandates an incident
policies discipline—A policy provides the authority for the security
and human resources areas to enforce good practice and dis¬
response plan ciplinary action if necessary. Naturally, this should be a last
•Establishes processes for exception resort because good employees are expensive to hire and
hard to find in most cases. However, the policy should pro¬
handling, rewards, discipline
vide the H.R. department and management that final option.
16 A policy of this nature is a reference point for other persons
and agencies to know the intent of management—this can be
9
Ensures employees and contractors are aware of organi¬ important in a legal setting which could certainly occur for a
zational policy and changes—Establishes a process that variety of reasons.
ensures all employees and contractors are aware of organiza¬
tional policy and changes as they occur. The security awareness
program must begin the day an individual is hired and contin¬
ually provide refresher training throughout the period of

Policy Infrastructure—The high level policies of the organiza¬

POLICY INFRASTRUCTURE tion are then interpreted into a number of functional policies
that assist in the implement of the intent of the overall policy.
®
Functional Policies Functional Policies Depending on the culture and the risks faced by the organiza-
Functional Policies
: tion, there may be numerous functional policies.
•Implement and interpret Management's
Security Policy
the high level security
9
Functional Policies—Flow from the overarching policy of
policies of the the organizations and create the foundation for the proce¬
"Security is dures, standards, and baselines to accomplish the security
organization essential to this
objectives. Functional policies gain their credibility from sen¬
company andits
future" ior management’s signature on the overarching policy that
J.T. Lock established the goal or objective.
CEO
9
Examples of functional policies could include:
8
Data Classification
17 • Certification and Accreditation
Access Control
• Outsourcing
• Remote Access
* internet and Acceptable Use
• Privacy

33 (ISC)3 — INFORMATION SECURITY AND RISK MANAGEMENT

 Policy Implementation—Standards, procedures, baselines, and
POLICY IMPLEMENTATION guidelines turn the objectives and goals established by manage¬
ment in the overarching and functional policies into “actionable”
© From policies come the supporting elements and enforceable actions for the employees. We will talk about
each of these in more detail on the next few slides, but it is
important to note that in daily interactions within organizations,
."Standards These enforce the these are what cause the most challenges for the IT security
security policy staff. Few will directly challenge the policy that senior manage¬
.."Procedures | ment has created. However, many will challenge how policy is
principles on every
."Baselines | business process interpreted in the standards, procedures, baselines, and guide¬
. " Guidelines and system lines implemented. Therefore, it is wise to be careful in selec¬
tions and interpretations to ensure the full support of the policy
(and thereby senior management). Several times an aggressive
individual has over-stepped their authority with an aggressive
(but well-intentioned) standard and caused the entire security
It program to be re-evaluated.

Standards—Refer to hardware or software solutions that are

STANDARDS selected to address a security risk being standardized through¬

«
out the enterprise. For instance, a specific anti-virus product or
0 Adoption of common password generation token that has been chosen for use
hardware and software throughout the organization. This often reduces cost of owner¬
mechanisms and ship by allowing for large blank purchase agreements with ven¬
dors and allows for standardized training further reducing
products costs. Standards can also be guidelines created by govern¬
<
ment, industrial or other organizations that have been formally
adopted as a standard.

Desktop
8
Standards are essential so that a common basis can be
Firewall
established and implemented. Having a common basis for the
Anti-Virus overall organization is better than having each individual
department operating under their own separate (and in some
cases non-compliant) environment. This helps reduce the
19 seams that can develop between sections, departments, and
subordinate organizations. However, it’s also useful to note
that if a vulnerability to the selected target is exploited by a
j
A threat agent, the entire organization is at risk. This needs to
be considered by the security designers when designing the
network and build in places to control this risk.

:
§

(ISC)’ — INFORMATION SECURITY AND RISK MANAGEMENT 23

 Procedures—Are the way to ensure that the intent of policy is
PROCEDURES enforced through a mandated series of steps that must be fol¬
lowed to accomplish a task.
8 Required Step-by-step Actions
5
Required Step-by-step Actions—Procedures are statements
of step-by-step actions to be performed to accomplish a
Snq security requirement, process, or objective. They are one of
the most powerful tools available in security arsenals and
srlal must be used wisely. For instance, password changing,
notion
incident response, and BCP procedures.
.V
Corporate • Reduce mistakes in a crisis.
Procedures
8
Ensure important steps are not missed.
8
Provides for places within the process to do assurance
50 checks.
Procedures, like policies are considered to be mandatory
requirements.

Baselines—Are the benchmarks used to ensure that a mini¬

BASELINES mum level of security configuration is provided across multiple
implementations of the systems and many different products.
* Establish cgnsi§ten1ÿ • Establish consistent implementation of security
implementation of
ISfsl mechanisms—Baselines are descriptions of how to imple¬
security mechanisms ment security mechanisms to ensure that implementations
0 Platform unique result in a consistent level of security throughout the organi¬
zation. Different systems (platforms) have different methods
of handling security issues. Baselines are created to inform
VPN Setup T Passwor
user groups about how to set-up the security for each plat¬
IDS d Rules
Configuration form so that the desired level of security is achieved
consistently.
a Platform unique—Baselines are the great “leveier” of secu¬
rity levels between different security products, including from
51 different vendors. This is becoming more important as more
and more “hybrid” products are entering the security market,
combining services into “multi-functional” devices, and defy¬
ing many of our current definitions such as the roles of a
switch and router.

24 (ISC)3 — INFORMATION SECURITY AND RISK MANAGEMENT

 I
::
Guidelines—Guidelines-ace-Fe&ommBfldatiaaF;!!!
GUIDELINES ::
8
Guidelines will remain as recommended actions unless
mandated by company policy and adopted as a standard.
® Recommendations A They are white papers, best practices, or formats for a secu¬
for security product
rity program that may be used by an organization. However,
.i implementations, care must be used to ensure that careless use of words in
procurement and Guidelines policies don’t move a guideline from a best practice into the
w
——
planning, etc. realm of a company standard unless that is the intent. For
example, an overarching statement in a security policy signed
IS017799
by the CEO stating that “this company will follow the recom¬
Common Criteria

—
*ÿ
mendations of the ISO 17799 guideline” just made ISO 17799
ITIL mandatory within that organization.
8
Guidelines are often used to help provide structure to a secu¬
rity program, to outline recommendations for procurement
25 and deployment of acceptable products and systems. |

0
Three levels of Security Planning—Security planning is
LEVELS OF SECURITY
conducted at the three levels.
PLANNING 0
Strategic Planning—Focuses on the high-level, long-
range requirements of the organization and are part of
3 Three levels of Security the company’s long-term plan. Examples of this are
Planning r our overarching security policy.
— Strategic Planning A
m 5
Tactical Level Planning—Are more mid-term and
V'.. focus on events that will affect the entire organization.
— Tactical Level Planning :
i
Many of our functional plans fit into this category.
%
— Operational Planning •77.:/- 0
Operational Planning—Focuses on “fighting fires” at
3 These plans must be integrated the keyboard level. This is planning for the near-term
that directly affects the ability of the organization to
19 Seamless transition between levels accomplish its Objectives.
23 J
These plans must be integrated—Plans and actions from all
three levels must work together. That occurs with detailed
planning.
8 Seamless transition between levels—Actions must seam¬
lessly transition between the different levels.

(ISC)’ — INFORMATION SECURITY AND RISK MANAGEMENT 25

 0
Organizational Roles and Responsibilities—The main
DOMAIN AGENDA learning points of this section include:

Principles and Requirements 9

Understand and be able to explain the various roles
and responsibilities of all people in an organization as
•Policy related to security. ,AV

Organizational Roles and Responsibilities 9 Explain the importance of personnel security to a good
IT security program.
O
Risk Management and Analysis
9
Be able to explain key considerations of a good per¬
•Ethics sonnel security program.

24

ORGANIZATIONAL ROLES ° if Everyone has a role and responsibility—Security is not

;! a function of a single person nor of one group or team.
AND RESPONSIBILITIES Everyone must be aware of their responsibility and role in
creating a secure environment. A security program contains !
® Everyone has a role
and responsibility
- •

— many important elements as seen earlier. Each must be

addressed through the security program and not overlooked
or forgotten. They must be clearly communicated and must
Q Specific security be clearly understood by all.
functions must be : '
J
9
Specific security functions must be assigned—Specific
assigned security functions must be assigned to designated security
\ ?
professionals as their primary duty such as:

• Email security
9
Violation report review
35 9
Awareness training

26 (ISC)1 — INFORMATION SECURITY AND RISK MANAGEMENT

 I
0
Information Systems Security Professionals—Information
SPECIFIC ROLES security professionals are responsible for the design, imple¬
AND RESPONSIBILITIES mentation, management, and review of the organization’s
security policies, standards, baselines, procedures, and
a Executive Management guidelines.

3 Information Systems Security Professionals

0
Owners—Individual data and system owners play a key role -V,
in the security program. They are the best qualified people to
* Owners perform tasks essential to our security efforts; such asinfor-
mation classification, set user access conditions, and decide
9
Custodians on business continuity priorities.They authoffze appropriate
security programs consistent with the organization’s security
policy, determine appropriate sensitivity or classification lev¬
|
m mmu
[ 1126 els based on established classification criteria, and determine
access privileges based on need to know and other criteria.
• Custodians—Responsible for ensuring the security of the
information entrusted to them by the information owners.
3
Executive Management —Publish and endorse security pol¬ Custodians have care of information that does not belong to
icy establishing goals, objectives, and overall responsibility them directly—such as email servers and data backups. A cus¬
-1 for asset protection. Senior management sets the tone for the todian must be aware of the risks to information and espe¬
information security program and bears ultimate responsibility cially the threat of social engineering.
for any security breaches and acceptance of risk mitigation
strategies.

8
Information Systems Auditor—The information systems
ORGANIZATIONAL ROLES auditor plays a key role in the assurance of our networks and
AND RESPONSIBILITIES our security programs. They provide independent assurance
that the right controls and being used in the right manner, for
•Information Systems Auditor the right purpose, and if they are having the desired outcome.

° Users * Users—Responsible to use resources appropriately and in •

L compliance with procedures, and to preserve the availability,

9
IS/IT Function integrity, and confidentiality of assets.
1 ' • IS/IT Function—Responsible for implementing and adhering
to security policies as well as building the systems and
networks that incorporate security best practices.

J (ISC)a — INFORMATION SECURITY AND RISK MANAGEMENT 37

 3
Background Checks/Security Clearances—Normally there
PERSONNEL SECURITY; HIRING are legal concerns when it comes to background checks. It
OF NEW STAFF is important to respect the rights of individuals and the laws
\ of the country where people are hired—but it is a good prac¬
Background Checks/Security tice to check as much as possible into the background of a
° potential employee to prevent hiring the wrong person into a
Clearances
trusted role.
9 Follow-up on References and a Follow-up on References and Educational Records—
Educational Records Naturally, laws supersede any company policy and individual’s
rights must be protected. However, it is important that efforts
•Sign Employment Agreements be made to verify the information provided by prospective

3$ 0
employees including following-up with references, verifying
educational records, etc.
Sign Employment Agreements—Non-disclosure agree¬
ments; business ethics, including telephone and Internet
i'y- acceptable usage policies, etc., should be a part of the hiring
process and must begin with security awareness training on
the first day of employment. This should include having
them read appropriate policies and procedures and sign
NDAs and acceptable use policies. Care must be taken to
ensure that this doesn’t become so difficult or time consum¬
ing that management finds ways to get around the policy.

0
Cover points such as keys, ID card, passwords,
PERSONNEL SECURITY
equipment loaned out to employee (laptops, cell
phones, pagers).
•Low Level Checks
° Termination Procedures—Termination and disciplinary
•Consult the Human Resources actions are always difficult for everyone involved. Managers
(H.R.) department often feel sympathy for the individuals and sometimes make

i
decisions that place our information and assets at unneces- i1
•Termination Procedures sary risk. Therefore, all termination and disciplinary actions .v
must be pre-coordinated within a confidential circle that
includes the H.R. and IT security personnel. When a termina-
tion is occurring, the individual’s access to the network,
information, and assets must be stopped. This is best done
by the IT security personnel while the individual is being
informed of the action. However, one must be careful to
29 follow local laws in these matters.
• The only way to ensure that all company property is
0
Low Level Checks—If someone comes in at a low-level job returned is to keep an accurate inventory of all equipment
then subsequently moves to a higher level position, there should given to a user—remote access tokens, keys, ID cards,
be further checks done. The appropriateness of background cell-phones, pagers, credit cards, laptops, software, etc.
checks may have to follow legal statutes, i.e., Privacy laws, etc. This makes it easy to account for these assets and recover
them upon termination.
0
Consult the Human Resources (H.R.) department—To
'•
\ protect management and the company, all personnel actions ° An Individual’s access to the network should be sus¬
should be processed through the H.R. department using pended during all periods of suspension from duties and
\r established procedures. A single manager should not be considered when serious disciplinary actions are pending.
7: allowed to control the process to avoid possible security Individuals faced with these situations often feel trapped
* concerns. Procedures should: and lash-out at the company using their access to the net¬
work as the only weapon with which to fight back.
0
Include approved company standard checklists for hir¬ Suspension/disciplinary procedures can often create secu¬
ing interviews. rity concerns similar to termination—procedures should
address these risks/concerns.

28 (ISC)3 — INFORMATION SECURITY AND RISK MANAGEMENT

 Third Party Considerations—All of these groups create differ¬
THIRD PARTY CONSIDERATIONS ent, but equally challenging situations for our security efforts.
Establish procedures that address these groups on an individ¬
® Vendors/Suppliers ual basis to ensure that EVERYONE with access to systems, 1
information, assets, network, etc. complies with the same (or
®
Contractors more) stringent security as do fulltime employees.
0 Temporary Employees 9
Vendors/Suppliers—Often need access to systems, but have
little control over their practices unless it is in the contract.
0 Customers
MmI The granting of temporary IDs or access should be coordi¬
nated to ensure that the access is appropriate and removed at
4 the completion of the project.

* Contractors—May work at the facility and be “just another

employee.” However, much like vendors, the organization
have little control over their company’s practices.
30 0
Temporary Employees—By their nature they pose increased
risks. They have no vested interest in, or loyalty to, the
organization.
0
Customers—Are demanding more and more online services.
This increases security challenges.

Personnel Good Practices—Must be applied appropriately in

PERSONNEL GOOD PRACTICES our information security program based on the culture and
risks in the organization.
9 Job Descriptions and Defined Roles and
0
Job Descriptions and Defined Roles and
Responsibilities
Responsibilities—Clearly defined job descriptions and
•Least Privilege/Need to Know defined roles and responsibilities helps ensure that everyone
knows what an individual should be doing and aids in detect¬
0 Separation of Duties ing unusual behavior.

j ° Job Rotation 3
Least Privilege/Need to Know—The principle of least privi¬
lege and the requirement for need to know should always be
0 Mandatory Vacations executed to minimize access to information and assets.
|
0
Separation of Duties—Forces collusion in order to manipu¬
late the system for unauthorized purposes.
3i ° Job Rotation—(When possible) Breaks up collusion and pro¬
i vides opportunities to review authorizations and actions taken
by the individual. If our other security measures have failed,
4w. \IA .Vu&v'X $ r>' this gives us an opportunity to find the breach in security
before it gets worse or goes on excessively long. Job rotation
also provides trained backups.
0
Mandatory Vacations—Much like job rotation, mandatory
vacations provide the opportunity to detect fraud. Also, when
people are on vacation, their access to the site should sus¬
pended. This prevents working from home (possibly covering
their tracks) and provides the much needed vacation they
have earned.

(ISC)a — INFORMATION SECURITY AND RISK MANAGEMENT 39

 situations. One could easily use real events within
SECURITY AWARENESS organizations on almost any day without violating
TRAINING. AND EDUCATION privacy or exposing material weaknesses.

• Topics include items such as:

•Awareness Training
• Policies, standards, procedures, baselines, and
9 Job Training £ guidelines
» Professional Education
.
• Errors, accidents, and omissions
1
* Physical and environmental hazards -
9
Continuity Planning
9
Malicious code/logic

32 0
Media handling responsibilities
9
Incident reporting
Security Awareness, Training and Education—These are three
different concepts applying to the development of staff. 9
Social engineering
Awareness programs start from the first day of employment
and address the requirements of policy, social engineering, and • These topics lend themselves to a variety of •

security requirements. Training and education are often expen¬ approaches.

sive programs required to ensure staff has adequate skills to • Job Training—Provides skills needed to perform the security
maintain a security posture, maintain equipment, manage proj¬ functions in their jobs. Training time and money is always
ects, and other key business operations. Such programs are
limited and IT professionals almost always want more train¬
often delivered just in time as required to use training budgets ing to stay professionally current in this ever-changing field.
effectively.
Therefore, training must focus on skills needed in the work¬
place for their current job unless management is specifically
9
—
Awareness Training Provides employees with a reminder
trying to train them for another position. Be careful to ensure
of their security responsibilities.
that training programs are not directed at staff that merely
9
Variety of methods are available uses this as an avenue to a better paying job elsewhere.
9
Videos 9
Training should:
9
Newsletters 9
Focus on security-related job skills.
9
Posters 9
Specifically address security requirements of the
organization.
9
Briefings
9
Increase the ability to hold employees accountable
9
Key-chains, trinkets, etc. for their actions.
9
The objective is to ~~
motivate personnel to comply with 9
Provide specialized or technical training as needed
requirements. for specific personnel, such as configuring firewalls
9
The campaign must be creative, and the depth and or conducting audits.
type of topics should target the audiences appropri¬
ately, and frequently change.
9
—
Professional Education Provides decision-making, and
security management skills that are important for the success
9
Reward practices such as protecting the physical area of an organization’s security program. Whereas training is
and equipment, protecting passwords, and reporting often focused on specific skills, education focuses on the
security violations. decision making capability and processes to obtain expertise
in decision making. Therefore, education is normally provided
9
Awareness Training efforts can quickly become stale, to management personal and those moving into the manage¬
mundane, and routine. At some point, it loses its ment ranks to improve their ability to excel at these levels.
effectiveness and the returns for the cost and effort are A variety of education methods should be used and provided
marginal. To avoid this problem, vary the topics as to different individuals within the organization to bring the
well as the approach. Try to select a topic that is in the maximum talent to bear on a given problem when it arises.
news to maximize the learning opportunity. Try to Additionally, training depth must be considered, It doesn’t
“spark conversations" around the office of events that make sense to send a management trainee to advanced enter¬
are happening NOW. Current events and real world prise decision making. The same thought process must be
examples are much more interesting than hypothetical used when selecting training for IT Security professionals.

30 (ISC)2 — INFORMATION SECURITY AND RISK MANAGEMENT

 0
Address the audience—Each group has different interests
GOOD TRAINING PRACTICES
and the material you present will be filtered through their
personal bias.
•Address the audience 0
Management— Overall costs savings (a Risk Analysis L
— Management will yield this type of information), the need to protect
information, and the need for efficient and effective
— Data Owner and Custodian security. / -- 'r~:
— Operations Personnel 0
Data Owner and Custodian—Easy to follow
— User instructions. r. : •

Operations Personnel—Non-intrusive security.

— Support Personnel 0

• User—Productivity, easy compliance, understanding

requirements.
33 0
Support Personnel—Their role, cost-effective
compliance.

•'>
i Jj
>
c
\

Risk Management and Analysis—A sound approach to IT

DOMAIN AGENDA security is based on sound risk analysis and good risk man¬
j
agement. A CISSP must have mastery of the concepts and
a Principles and Requirements methods addressed here.
9 Policy 9
Here are the objectives in this section:
® Organizational Roles and Responsibilities • Define the key risk management terms.
° Risk Management and Analysis • Describe the importance of a risk analysis.
® Ethics • List examples of potential threats.
• Describe some types of risk analysis.
9
Describe safeguard selection principles.

34

(ISC)a — INFORMATION SECURITY AND RISK MANAGEMENT 3i

 0
A situation and method that may accidentally trigger a
DEFINITION OF RISK FROM vulnerability.
NIST SP 800-qo 9
Common threat sources are natural, human or environ¬
mental. NOTE: The ‘threat source’ is also called the 'threat
0 Risk is a function of the likelihood
agent.’
of a given threat-source's
exercising a particular potential
0
Threat—The potential for a threat-source to exercise (acci¬
dentally trigger or intentionally exploit) a specific vulnerability.
vulnerability, and the resulting
impact of that adverse event on the 9
Vulnerability—A flaw or weakness in system security proce¬
organization dures, design, implementation or internal controls that could be
exercised (accidentally triggered or intentionally exploited) and
SP800-30 could result in a security breach or a violation of a system’s
security policy.
o e! 5
Likelihood—The probability that a potential vulnerability may
be exercised within the construct of an associated threat
Definitions from SP800-30 environment.
9
A threat-source is either:
9
Countermeasure—A control to reduce risk—may be jecfint_
cal, operational or.manaqement controls or a combination of
9
Intent and method targeted at the intentional exploitation these types.
of a vulnerability.
3

•n

0
Risk Management Concept Flow—This overview shows
RISK MANAGEMENT
the relationships among the key components. Threats,
CONCEPT FLOW Vulnerabilities, and Asset values are used to identify the over¬
all risk to an organization’s assets. The understanding of this
slide is important and demonstrates several concepts related
wish to minimize
to Risk and Countermeasures. One key point is the recogni¬
i impose
tion that safeguards may also contain new vulnerabilities that
Lj Safeguards
that may the information security professional must be aware of.
possess
[hatmay i
reduced byj
may be aware of

that
>mm. leading to
| give rise to
that Rtefc
.

u
wish to 1

1f-drth- \s
11 36
1
tj\y

X- \
\

32 (ISC)1 — INFORMATION SECURITY AND RISK MANAGEMENT

 RISK MANAGEMENT ° Asset—Something that is valued by the organization to
accomplish its goals and objectives.
DEFINITIONS
* Threat—Any potential danger to information or an informa¬
® Asset
tion system. II
# ® Threat
0
Examples of threats include, but are not limited to:

a Threat Agent * Unauthorized access

a Exposure * Hardware failure
* Utility failure
• Loss of key personnel
9
Human errors
21 0
Neighboring hazards
Risk Management Definitions—To understand risk analysis, * Tampering
the organization must work from a common set of terms.
Understanding and using terminology correctly is important 9
Disgruntled employees
especially when presenting risk analysis efforts to senior man¬
agement. This and the next slide provides the key terms used • Threat Agent—Anything that has the potential of causing a
in this section. Learn them well, how they are used, and when threat.
each term is appropriate. 0
Exposure—An opportunity for a threat to cause loss.
A $ -t f- C
'
h JK S/»
0 y r u.
RISK MANAGEMENT TERMS * Attack—An intentional action trying to cause harm. An attack
is an effort by a threat agent to launch a threat by exploiting a
vulnerability in an information system. That explains the
# ® Vulnerability
I _ importance of understanding the correct terminology. As
security professionals, CISSPs are the experts and are
•Attack expected to use precise, correct terminology. Otherwise it
may affect their reputations and listeners start to wonder if
* Countermeasures and the security professional really knows what he/she is talking
Safeguards
about.

1
•Risk 9
Countermeasures and Safeguards—Are those measures
0 Residual Risk and actions that are taken to try and protect systems. They
could be one of several types of controls which we will talk
about later.
9
Risk—Is a “likelihood” or probability that some unwanted
event could occur. Possibility that a particular threat will
adversely impact an information system by exploiting a par¬
• Vulnerability—Is any weakness that could be exploited. ticular vulnerability.
Vulnerabilities exist in every IT system, product and applica¬
tion. A security program will address vulnerabilities by imple¬ Several times throughout this course we will say
menting safeguards or countermeasures to prevent the that we cannot reduce risk to zero. The next term
exploitation of a vulnerability, however the security person answers that issue.
must always be aware of the risk of new vulnerabilities and the 8
Residual Risk—Is the amount of risk remaining after coun¬
inability to completely remove all vulnerabilities from a system.
termeasures and safeguards are applied.

j /J L J it, A
C1 \

(ISC)’ — INFORMATION SECURITY AND RISK MANAGEMENT 33

 0
Purpose of Risk Management—Is a pjrgastjye activity
RISK MANAGEMENT designed to prevent possible breaches or incidents through
the ide.ntification_oLpo ssible threats, the,selection of appro¬
•The purpose of Risk Management is to identify priate risk control cMhtirmeasures 04 safeguards, and the
potential problems continuous monitoring of the risk environment.

— Before they occur c,

— So that risk-handling activities may be planned JL 4 v £ '

and invoked as needed

M
— Across the life of the product or project

JO
r :s*
L
s ;
39 „ £
- x.

The Risk Equation—Risk Management is comprised of Risk

THE RISK EQUATION Assessment, Risk Mitigation and Evaluation and Assurance.
jj- tr> Risk
Note that Risk Management is a continuous, ongo¬
ing effort and includes the periodic re-evaluation of
Management risk and risk assessment in all three phases of the
Risk Assessment .
Evaluation &
\ Identification of r Assessment Risk Management effort:-
risks Ongoing risk
Evaluation of risks assessment Ref: NIST SP800-30
\ Risk Impact Risk Mitigation Periodic
Recommendation Risk Avoidance evaluation
of risk-reducing Risk Mitigation Regulatory
measures Risk Acceptance compliance
Risk Transference
Evaluation of risks
0-

\v b /- Aÿ lh
.c 7
40
/ r •

A r.~i -
0*
u
,a‘
•(-: \.C-L
; RISK FACTORS A/'-1 *)
.1,
>5
u V
W5
!
Threats
"
17-
1

Assets &
t t
ijb 0 l>
§
(-
_
L

Vulnerabilities
s

I 41

34 (ISC)a — INFORMATION SECURITY AND RISK MANAGEMENT

 RISK FACTORS (CONT, . .)
• i

Threats l!
Assets

m
°Q mi
X wmm
%
%
43

Risk Management—The definition of risk management is the

RISK MANAGEMENT effort applied to manage exposure before a threat could take
advantage of a vulnerability. Notice that the calculation of total
0 Risk Management identifies and reduces risk is comprised of the factors of threats, vulnerabilities, and
i Total Risks (Threats, Vulnerabilities, & current value of the asset.
Asset Value) Risk should be reduced to a residual level of risk
0 Mitigating controls: Safeguards & acceptable to the seniorjnanager responsible for
the system. If risk management is properly accom¬
Countermeasures reduce risk plished, residual risks will not create an unaccept¬
3
Residual Risk should be set to able risk to the organization.
an acceptable level

43

I
analysis should remain focused on the objectives set, on “what
PURPOSE OF RISK ANALYSIS does this mean to the company” and “what is the value of this
to the company?”
•Identifies and justifies risk
mitigation efforts mm Identifies and justifies risk mitigation efforts—
• Identifies the threats to business processes and infor¬
9
Describes current security mation systems.
posture
° Justifies the implementation of specific countermea¬
•Conducted based on risk to sures to mitigate risk.
the organization’s objectives/mission 0
Describes current security posture—Risk analysis helps us
explain the current security posture to management in terms
they understand.
Conducted based on risk to the organization’s objectives/
J
44 ‘ mission—Risk analysis is much more than just a risk to the
IT Systems. It is primarily concerned with the inability of the
7 Purpose of Risk Analysis—A good risk analysis should pro¬ organization to accomplish its business mission.
vide data to explain the company's risk environment to
management in terms they understand. The process of risk
A k' Tj J- kx}>
J (ISC)3 — INFORMATION SECURITY AND RISK MANAGEMENT 35
 BENEFITS OF RISK ANALYSIS • Identifies areas with specific requirements—Some areas
under the influence of specific regulations include financial
sections, those involved with stock, privacy, and often health¬
® Focuses policy and resources care (in some countries this is covered by the privacy laws).
You will need to determine if any of these apply before begin¬
® Identifies areas with specific risk requirements ning your risk analysis. As we discussed earlier, this should be
•Part of good IT Governance part of identifying the environment that your company oper¬
ates in and a routine part of your IT Governance program.
® Supports
With limited personnel, budgets and tools, risk
— Business continuity process analysis ensures that the resources of the organization
are targeted at the areas of greatest risk and in the
— Insurance and liability decisions ; meantime making sure that there are no gaps in the
security process.
— Legitimizes security awareness programs
• Part of good IT Governance—Risk analysis is a key part of
45 good IT Governance.

Focuses policy and resources—Risk Analysis ensures that Sometimes, security professionals can get compla¬
the resources and policy of an organization are directed cent if they have not had an incident for a period of
appropriately. Risk analysis is not a cookie-cutter approach— time. This “sunny day period” can be dangerous as
professionals start to relax. Many have said that a
it requires an in-depth look at the organization as a whole and
at each functional area. Risk is different from one area to fresh risk analysis project sharpens their skills and
another and risk analysis and management must reflect those generates new-found excitement for their work.
differences. Functional experts from each area should be part
of the process to help assess value and impacts to the com¬
• Supports—A risk analysis effort also supports many other
associated activities, such as the business continuity plan¬
pany. After all, they should know their area better than any¬
ning project and business impact analysis; it provides infor¬
one else.
mation for corporate insurance premium calculation and
lends legitimacy to security awareness programs.

0
Risk Assessment must also address emerging
EMERGING THREATS FACTOR threats—

•Risk Assessment must 9

New technology
also address emerging • Change in culture of the organization or environment
threats
A • Unauthorized use of technology (i.e., wireless technolo¬
•Can come from many x j gies, rogue modems, PDAs, unlicensed software, iPods)
different areas 9
Changes in regulations and laws
* May be discovered by 9
Changes in business practices (i.e., outsourcings,
periodic risk assessments globalization)
'C
i
-W
• Can come from many different areas—As seen above, from
Vi both internal and external sources.
j
®
May be discovered by periodic risk assessments—Properly
Emerging Threats Factor—Are always looming on the horizon. done, a new risk assessment will continue to pick up these
The slide lists a few of these that you should be aware of and new threats as they appear.
pay attention to in your organizations. The threat from PDA’s
includes theft of corporate data, poor controls over wireless
transmission and interception of wireless traffic, and risk of
having multiple copies or versions of data if not updated
correctly.

36 (ISC)3 — INFORMATION SECURITY AND RISK MANAGEMENT

 Sources to Identify Threats—This slide lists some of the
SOURCES TO IDENTIFY sources that can provide information about threats.
THREATS
• Users—Users may be the first ones to notice that something §
is not right on their systems. They must know who to contact |
® Users
to report possible problems.
•System Administrators 3
Systems Administrators—Systems administrators and help
3 Security Officers desk personnel must be trained to identify and report possi¬
ble attacks on the network and systems, and not destroy
® Auditors evidence as part of their troubleshooting.
Operations • Security Officers—Should oversee the security program and
perform tests of the information systems infrastructure and
* Facility Records incident response programs to determine the source and
frequency of threats.
•Community and Government Records
0 Vendor/Security Provider Alerts
®
Auditors—While performing audits, the auditors will often
47 notice gaps in security or lack of compliance with procedures
that can be considered weaknesses or possible threats.
I

ti !~'if E Ic-' 9
Operations—Operations personnel will often become aware
of incidents through job errors, systems failures, and unex¬
i plained changes in systems performance that may indicate an
ongoing threat.
)
0
Facility Records—Will often contain valuable information
about the trends and performance of the system that can be
used to observe repeated errors or unresolved problems.
\
9
Community and Government Records—May alert to possible
weather or other environmental (human) conditions that
could affect the secure operation of the organization.
!
0
Vendor/Security Provider Alerts—Professional organizations
and mailing lists should be monitored to become aware of
new threats or vulnerabilities.
Other types of threats that could be considered:

• Natural disasters—Flood, tornado, earthquake, forest fire,

lightning

• Environment—Overcrowding or poor morale

• Facility—Physical security or location of building
• Access Controls—Logical and physical access control
• Data processing controls—Prevention of improper
modification

(ISC)1 — INFORMATION SECURITY AND RISK MANAGEMENT 37

 RISK ANALYSIS KEY
8
State the official authority and responsibility of the
team.
FACTORS
• Have management review findings and recommenda¬
« Obtain senior tions.
management support rm Risk Team Members—It’s important to have representation
from each of the key areas to ensure nothing is overlooked
0 Establish the risk and to avoid the “not invented here” syndrome that can occur
assessment team if a department or business unit feels excluded. However, it is
also important to keep the number of team members to a
— Risk Team Members t: manageable number. This is a balance that the team leaders
will have to work their way through based on the organiza¬
tion, culture, and many other factors.
The Risk Analysis team would usually include peo¬
48 ple from each of the following areas:
» Information System Security
® Obtain senior management support—The next few slides
will examine the steps to Risk Analysis beginning with obtain¬ 8
IT & Operations management
ing and preserving continued management support—this is
the most critical step for effective risk analysis and the sub¬ 8 System and network administrators
sequent risk management program. It’s important to note that
just because you had their support in the beginning, it is not
8
Internal audit
guaranteed to continue. This is a relationship that must be 8 Physical security
nourished.
8 Business process and information owners
9 Establish the risk assessment team—
8 Representatives from each business unit
8
Define and approve the purpose and scope of the Risk
Assessment Team. 8
Advisors from each of the functional areas (Human
Resources, Legal, Emergency Measures Coordinator,
8
Select team members. Safety Officers)
I

USE OF AUTOMATED TOOLS 8 Objective is to minimize manual effort—The automated

tools available for conducting risk assessments are very
FOR RISK MANAGEMENT useful once set-up.Jjallows the risk managers to quickly .
reran their analysis .with.different parameters to answer the
® Objective is to minimize manual effort “what-ifs.”

•Can be time consuming to setup 8 Can be time consumingjoÿsetup—However, they can be

very time consuming~fo configure and to populate the data¬
•Perform calculations quickly base with the required information. The learmTiÿcurve to use
the product may also be a detriment, however, once set-up,
i the workload may be greatly reduced.
0
Perform calculations quickly—
i 8 Estimate future expected losses.
8 Determine the benefit of security measures.

fib
% , S* A
!i
\

A bo \ h js>
A

38 (ISC)1 — INFORMATION SECURITY AND RISK MANAGEMENT

 0
Identify vulnerabilities—The main purpose of this initial
PRELIMINARY SECURITY security scan is to get a quick assessment of the posture of
EVALUATION the organization and quickly identify glaring concerns that
must be addressed immediately. This sets the foundations for
0 Identify vulnerabilities the rest of the process and helps avoid the problems that can
occur if a crisis happens in the middle of the risk assessment
3 Review existing process.
security measures
• Review existing security measures—Include all existing
8 Document findings controls—be careful not to be too biased when examining
existing controls—be objective and factual—list both
•Obtain management strengths and vulnerabilities—potential risks.
review and approval s
—
Document findings—Leave nothing to memory provide
lists of reasons for assumptions and conclusions.
50 0
Obtain management review and approval—It's important to
ensure management agrees with your initial findings or a lot
of effort and money will be wasted.

RISK ANALYSIS TYPES • Two Types of Risk Analysis—There are benefits and draw¬
backs to each type of risk analysis. Most organizations will
use a combination of the two in order to get a more complete
0
Two types of Risk Analysis picture of their risk.
— Quantitative Risk Analysis
— Qualitative Risk Analysis
® Both provide unique capabilities
t 0/
0
Both are often required to get
a full picture

5i

(ISC)3 — INFORMATION SECURITY AND RISK MANAGEMENT 39

 0
Assign independently objective numeric monetary values—
QUANTITATIVE RISK ANALYSIS
To the elements of the risk assessment and to the assess¬
ment of potential losses.
© Assign independently objective
numeric monetary values
0
Fully quantitative if ail elements of the risk analysis are
quantified—When all elements (asset value, impact, threat
® Fully quantitative if all elements of frequency, safeguard effectiveness, safeguard costs, uncer¬
the risk analysis are quantified tainty and probability) are quantified, the process is consid¬
ered to be fully quantitative. The easy way to remember this
•Difficult to achieve method is that EVERYTHING gets a dollar value—or at least
that is the objective.
° Requires substantial time and 0
Difficult to achieve—It is very difficult (most say impossible)
personnel resources
to do a purely quantitative risk analysis. This is because
many items, such as company reputation, are hard to place a
RISK = MONEY monetary value on in the process. These items lend them¬
52 selves better to qualitative analysis.
3
Requires substantial time and personnel resources—
Quantitative risk analysis is very labour and time intensive.
However, it does have its place in the risk management field
and plays a valuable role.

0
Quantitative Analysis Steps—Three steps of a quantitative
QUANTITATIVE ANALYSIS
risk analysis process. These slides are very important to fully
STEPS understand and study as they form a very important part of
information security risk management.
•Three primary steps
1. Estimate potential losses
2. Conduct a threat analysis r
0-

3. Determine annual loss

expectancy

53

40 (ISC)’ — INFORMATION SECURITY AND RISK MANAGEMENT

 DETERMINING ASSET VALUE ° Value to owners, custodians, or users—The value to the
owners is related to the impact on productivity, lost time,

•Cost to acquire, develop, and maintain

® Value to owners, custodians, or users
e
customer satisfaction, and confidence.
Liability for protection—Mishandling of data may leave an
organization liable for financial or criminal penalties.
_
v
3 Liability for protection a Recognize cost and value in the real world—
0 Recognize cost and value in the real world 3
Price others are willing to pay (mailing lists, etc.)—The
value of information for adversaries may be far greater
J than the perceived value of the data to the original organi¬
P' zation. An organization may also realize additional revenue
through the sale of customer data.
/rÿtCÿ 0
Value of intellectual property (trade secrets, patents,
54 copyrights, etc.)—A company that fails to protect its
intellectual property, research, trademarks, and patents
Determining Asset Value—The value of information and infor¬ may jeopardize their future financial opportunities.
mation systems is often dependent on several factors: 0
Convertibility/negotiability—The theft of electronic funds
0
Cost to acquire, develop, and maintain—The cost of recov¬ transfer, or credit card information, and other negotiable
ering or rebuilding lost data or processing power. items such as checks, gift vouchers, and share certificates
may result in significant financial loss.

Quantitative Risk Analysis—Step One—This slide describes

QUANTITATIVE RISK the SLE calculation. You should study and learn this formula so
ANALYSIS-STEP ONE you can calculate SLE if needed. The calculation of SLE is
i simply the amount oXjMxagfi4exposure-la&tQr-)"that~an.asset
suffers due to a single event.
1 Estimate potential losses
SLE - Single Loss Expectancy ° Types of loss to consider—
3 SLE = Asset Value ($) x Exposure • Physical destruction/theft of assets
Factor (%)
* Loss of data
° Exposure Factor is percentage of • Theft of information
asset loss when threat is successful
0
Indirect theft of assets
3 Types of loss to consider
• Delayed processing
55

(ISC)3 — INFORMATION SECURITY AND RISK MANAGEMENT 41

 Quantitative Risk Analysis— Step Two—Pay close attention to
QUANTITATIVE RISK the difference between ARO and SLE. These are two different
ANALYSIS-STEP TWO things and one must be careful not to get them confused. ARO
is simply the number of times per year (incidents/year). SLE is
2 Conduct threat analysis the amount for a SINGLE loss. Let’s see how these work
together in our risk analysis.
•ARO—Annual Rate of Occurrence The ARO can be difficult to predict—it is often
— Number of exposures or incidents based on historical data but changes to the environ¬
that could be expected per year ment will often affect future predictions.

— Likelihood of an unwanted event

happening

56
7''
—
QUANTITATIVE RISK —
Quantitative Risk Analysis Step Three—This formula is very
important as it uses the ARO and SLE information to provide
ANALYSIS-STEP THREE us the ALE. Understanding ALE, cost/benefit analysis and quan¬
titative risk analysis is important to ensure that the security
3 Determine Annual Loss Expectancy (ALE) professional can obtain the support from senior management
; and users for security solutions and risk mitigation efforts.
•Combine potential loss and rate/year • The ALE provides an estimated amount of damage (in mone¬
I 9 Magnitude of risk = Annual Loss Expectancy tary terms) the organization can be expected to lose per year
due to a risk. It indicates, therefore, how much the organiza¬
//•Purpose of ALE tion is justified in spending on countermeasures to reduce
the likelihood or impact of an incident. A direct correlation
— Justify security countermeasures should be shown between the amount spent on security and
the amount of benefit realized through the reduction in risk.
ALE = SLE * ARO
au-A, ne'e 57
L-

QUALITATIVE RISK 9
Scenario Oriented—Qualitative risk analysis is scenario
oriented. Instead of applying monetary values, as done with
ANALYSIS-SECOND TYPE quantitative risk analysis, it evaluates the impact or effect of
threats on the business process or the goals of the organization.
i 9 Scenario Oriented
j — Does not attempt to [ I * Does not attempt to assign absolute numeric values
to risk components—Each threat is described in a
assign absolute threat scenario and the expected impact from that threat
I '
numeric values to is graded on a scale that indicates the severity of that
threat. Each risk is ranked per department according to
risk components
the effect of that risk on their business functions. The
| 9 Purely qualitative risk cumulative, weighted ranking of the risk across all
analysis is possible departments then indicates the severity of the total risk.
;

0
Purely qualitative risk analysis is possible—It is possible
I. to conduct a PURE qualitative risk analysis because the
impact on the assets is evaluated by a weighted ranking
instead of absolute dollar values.
Qualitative Risk Analysis—Second Type—The second method
of risk assessment is a “qualitative risk analysis.”

42 (IS G)a — INFORMATION SECURITY AND RISK MANAGEMENT

 QUALITATIVE RISK ANALYSIS
0
Rank seriousness of threats and sensitivity of assets—
When conducting a qualitative risk analysis, the assessments il
CRITICAL FACTORS are ranked by criteria, such as high, medium, and low instead jf|
of numeric values. In addition, the likelihood of an event
® Rank seriousness occurring is ranked using criteria such as high, probable,
unlikely, etc. As will be seen from the ANZ 4360 standard,
of threats and
sensitivity of assets * this can be combined into a matrix that guides the risk miti¬
gation effort.
® Perform a carefully 5 Perform a carefully reasoned risk assessment—This is a
reasoned risk
assessment
A carefully reasoned process and requires a good deal of judge¬
ment. The input is often derived from many sources such as
s technical people as well as representatives of the business
functions. The advantage of this process is that it results in
greater understanding of the process by the system owners
59 and business units as well as improved communications
between the parties working on the risk analysis efforts.
9
When determining the impact of a risk through the scenario,
U the existing controls that are in place also need to be consid¬
y' - c-
tv; ered and measured for their effectiveness to address or miti¬
v A- gate the threat.
y - ;
i J*
0
L
V 0 V Vsr S'
'
v-
v-\
/ £i/ C e° tV
O''
(A
->

Risk Levels (ANZ 4360 Standard)—This is the matrix used in

RISK LEVELS (ANZ 6o the Australian/New Zealand Standard 4360 to determine risk
STANDARD) management priorities through placing risks assessments on a
table (matrix) and using this to highlight areas of most critical
£ Consequence: importance as compared to less critical risks.
j
Inntmfinn, MoinaX, Major
‘ Catastrophic

Likelihood:
Each risk is weighed both from the aspect of .impact
(consequence) with a rating of 1-5; and likelihood
B(Kktlj) with a rating from almost certain to rare. It is
C(po*Ms) U placed on the table according to its calculated risk
level..Those risks that fall into the extreme risk cat¬
B(nuo) egory are the first risks that should be addressed in
HHHGnaui Ritlc Immediate aeden retried t o m>h|ate die nik or decide Is not proceed the risk mitigation effort.

_
Hitil Ride Action thouldbe taken to compensate Tortile risk

M j Moderate Risk Actioniltouldbe taken to monitorl

Low Risk: Routine acceptance of the risk
6o

IA- 9ÿ 4- £
t, x iJ- )
J
<A £7
r y f
.
|; V 0° I®

Aÿ
/jj -
)/\s. o
C

(ISC)3 — INFORMATION SECURITY AND RISK MANAGEMENT 43

 Examine effects of failure at three levels.
OTHER RISK ANALYSIS
METHODS • Immediate level (part or module) DA
;./V.
• Intermediate level (process or package) r
•Failure Modes and Effects Analysis • Systeabwide '
— Examine potential failures of each part or module Ko ['jf>4
Fault Tree Analysis—
— Examine effects of failure at three levels
• Sometimes called ‘spanning tree analysis.'
3 Fault Tree Analysis
• Create a “tree” of all possible threats to or faults of the
— Sometimes called ‘spanning tree analysis’ system.

— Create a “tree” of all possible threats to, • ‘Branches’ are general categories such as network
or faults of the system threats, physical threats, component failures, etc.
61 • Prune ‘branches’ that do not apply.
Other Risk Analysis Methods—Failure modes and effects • Concentrate on remaining threats. v
analysis are often used in determining risk analysis of failures
in hardware. However, it is also applicable for other methods of * Fault tree analysis is straight forward and can be used by
risk analysis. itself or with other processes to avoid 'group think’ and
blind spots. The process normally starts with an effort to
• Failure Modes and Effects Analysis— “brainstorm” every possible threat. The threats that do not
apply are eliminated (or pruned) and analysis is conducted
0
Examine potential failures of each part or module. on the remaining branches. /
9
Isa cost decision often based on the cost required
RISK MITIGATION OPTIONS to reduce the risk when compared to the potential
! loss and the likelihood.
•Risk Acceptance • Is a pain decision often based on the tolerance of man¬
•Risk Reduction : agement to adverse events—For example how many
i;
; times would a businesses allow someone to deface
9 Risk Transference their web server if it is not core to the business
3 Risk Avoidance . n :
®
processes before it implements a more costly solution.
Is a visibility decision often based on the value of
the company’s reputation.

° It is important that the acceptance of risk should

never be a surprise resulting from accepting risk
without knowing what the risks really are or the
6ÿ damage that an incident could cause.

Risk Mitigation Options—Organizations should be able to

9
Risk acceptance is often the best choice when the
identify the risks that are exposed to, and should act conse¬ cost to mitigate the threat is very high or the
quently in order to moderate these risks. Several options can impact is very low.
be considered: 8 Risk Reduction—Involves selecting countermeasures that
0
Risk Acceptance—Accepting the risk and absorbing the cost will reduce our exposure or loss if the event occurs. We will
when and if it occurs. discuss some considerations for risk reduction and safeguard
selection in a couple of slides. Some countermeasures
• Risk acceptance is sometimes referred to as being include new technical, operational or management controls,
“self-insured,” but it is important to be careful not to changing the physical environment, better detection of inci¬
confuse this phrase with the act of “risk transference” dents, and better incident handling.
which is the act of taking out an insurance policy from
an authorized insurance agent for protection from loss. • Risk Transference—Transfer risk to another party, for exam¬
ple to purchase insurance.
When risk is accepted, then responsibility to absorb
the loss for any incident is also accepted. 3
Risk Avoidance—Is pretty simple, just don’t do the activity
that brings the risk. Decide not to continue with the activity s
• Security is the balance of protection measures against or not to support the situation that causes the risk. For exam¬
the acceptance of risk.
ple, to not venture into a line of business or operate in a
• Risk Acceptance: region of the world that poses an unacceptable level of risk.

44 (ISC)2 — INFORMATION SECURITY AND RISK MANAGEMENT

 Balance between the cost to protect and asset value —This
THE RIGHT AMOUNT
is the balance between the cost to protect an asset against
OF SECURITY the level of acceptable risk based on the value of the asset.
8
To answer this question, we must understand the:
® Cost/Benefit
Analysis—balance * Adversary, means, motives, and opportunity (we need
between the cost to to know our enemies—what is their motivation and
protect and asset value skill level)
9
Asset value (more than just cost)
• Threats
Security is a Balancing Act! 0
Vulnerabilities (we need to know our own weaknesses)

* Resulting Risk
63 * Countermeasures
The Right Amount of Security—Is based on several factors. 9
Risk tolerance (what is the risk appetite of our
Remember that all these items go into the thought process organization)
related to selecting the proper countermeasures to address
risk. It is not recommended to spend more to protect an asset
than it is worth. Additionally, budgets are frequently insuffi¬
cient. Therefore, hard decisions should be made on how to
protect the most valuable assets in the manner discussed in
the last slide.

COUNTERMEASURE * Construction and placement

SELECTION PRINCIPLES 9
Environment modification
9
Nontrivial operating cost
® Based on a cost/benefit
analysis
9
Maintenance, Testing

® Cost must be justified by

8
Potential side effects (vulnerabilities that are inherent
to the safeguard added)
the potential loss
0
Cost must be justified by the potential loss—Where cost
•Accountability must never exceed the benefit derived from the countermeasure.
® Absence of Design Secrecy • Accountability—
® Audit Capability 9
At least one person for each safeguard.
64. 8
Associate directly with performance reviews.
Countermeasure Selection Principles—The total cost of a 0
Absence of Design Secrecy—
control measure should be considered during analysis. The
total cost is much more than just the initial purchase price. 9
Changeability of safeguards, interoperability with other
This gives some additional considerations when determining safeguards, confidence in the design (common criteria
the cost of a countermeasure. Remember, it is not recom¬ evaluation).
mended to spend more to protect an asset than it is worth.
Additionally, countermeasures should be implemented accord¬
8
Audit Capability—
ing to the value .expected to derive from having it in place. 9
Must be testable.
These principles are at the heart of “Risk-based; Cost Effective"
control analysis. 9
Include auditors in design and implementation.
9
Based on a cost/benefit analysis—
9
Total cost of safeguard:
9 Selection /
0
Acquisition (materials and mechanisms)
(ISC)” — INFORMATION SECURITY AND RISK MANAGEMENT 45
 COUNTERMEASURE • Universal Application—
SELECTION PRINCIPLES • Impose safeguards uniformly.
(CONT. . .) 8
Minimize exceptions.
• Compartmentalization and Defense in Depth—
•Vendor Trustworthiness I
; 9 Safeguard’s role
•Independence of Control and Subject
•Universal Application
:i * Relative to environment and other safeguards.
9
Compartmentalization localizes vulnerability.
•Compartmentalization and Defense in Depth
•Isolation, Economy, and least Common
1•
I <4j
Depth establishes serial hurdles.

Mechanism • Consider the improved security through layers of security.

65 When employed properly, this “defence in depth” principle
allows us to detect that something is happening and take
positive action prior to a threat affecting our assets.
9
Vendor Trustworthiness—
• When selecting our countermeasures it’s important that
* Review past performance. our safeguards are not layered in a manner such that if one
safeguard fails it defeats additional safeguards.
[° Independence of Control and Subject—Means that the
countermeasure is subject to segregation of duties so that • Naturally, it’s best if our safeguards are as simple as prac¬
the person maintaining the countermeasure is in a separate tically possible to reduce the possibility of configuration
I population group than the persons or activity being controlled errors.
' by the countermeasure.
* Isolation, Economy, and least Common Mechanism—
• Safeguards control/constrain subjects.
• Isolate from other safeguards.
• Controllers administer the safeguards.
• Minimize dependence on common mechanisms (common
• Controllers and subjects are from different populations. power supply, common network connections, etc.).
• Simple design is more cost effective and reliable.
0
/ Acceptanceand Tolerance by Personnel—Countermeasures
COUNTERMEASURE that are not acceptable to personnel (and-management) are
j.
SELECTION PRINCIPLES soon bypassed or defeated. An example of this is the imple¬
(CONT. . .) mentation of biometrics that are seen as a health risk or
unnecessarily intrusive.

•Acceptance and Tolerance by Personnel 9

Care must be taken to avoid implementing controls that
pose an unreasonable constraints.
i 13 Minimum Human Intervention
• Less intrusive controls are more acceptable.
® Sustainability
9
Minimum Human Intervention—
L]>
9
Reduces the possibility of errors and “exceptions” by
reducing the reliance on administrative staff to maintain
the control.
9
Sustainability—An effective control must be implemented
along with cost-effective maintenance and upgrade proce¬
dures and the assignment of responsibility for the control to
an individual or job role.

46 (ISC)1 — INFORMATION SECURITY AND RISK MANAGEMENT

 COUNTERMEASURE
®
The countermeasure must do the following when activated:

SELECTION PRINCIPLES 3
Avoids asset destruction and stops further damage. I
(CONT. . .) 9
Prevents disclosure of sensitive information through a
covert channel.
a
# 0
Reaction and Recovery 3
Maintains confidence in system security.
Q
Override and Fail-safe Defaults 3
Captures information related to the attack and attacker.
•Residuals and Reset 1
3
—
Override and Fail-safe Defaults In the event of a sus-
pectedjncident, the countermeasure should defaultto'"no
0 access’’ or presWelh¥ÿvstermmTÿcurrstate71n order to
preventTdeniaTofservice, there should be a way to disable
Li.* or override the control.
r 3

67 0
Residuals and Reset—During the recovery fromjm incident.
the countermeasure must be protected-fromiurtherÿ attacks
Reaction and Recovery—Is the ability of the countermeasure whilefbeing'reset it-must retunftb a secure condition and
to detect and react to an incident and capture the relevant
information related to the incident.
protect logs from destruction.- - —

I
DOMAIN AGENDA
3
Ethics—One of the most important areas for management
and CISSPs is that of sound ethical behavior. You will be
required to sign the (ISC)2 Code of Ethics before you can take
•Principles and Requirements the exam and become a CISSP. It’s essential that you under¬
stand it and can apply it to real-world situations. This section
•Policy will discuss ethics.
® Organizational Roles and Responsibilities
• Here are the objectives of this section:
® Risk Management and Analysis • Understand the ethical responsibilities of user groups
3
Ethics within the organization.
0
Understand the (ISC)2 codes of ethics for CISSPs and
how to abide by them.
0
Understand the ethical guidelines for proper usage of
68 the Internet.

3
CISSPs “set the example”—CISSPs not only know where
ETHICAL RESPONSIBILITIES
the ethical boundaries are, but also must set the example for
others to follow. This often means making hard decisions and
1
©
CISSPs “set the example” demonstrating strong ethical principals in their daily activi¬
ties. (ISC)2 has provided good ethical guidelines to provide
3 CISSPs encourage direction, and the security professional should adopt them
adoption of ethical and encourage others to do the same. Awareness training is
guidelines and standards a great place to conduct initial ethics training and refresher
j training for users.
0
CISSPs inform users
through security
0
CISSPs encourage adoption of ethical guidelines and
awareness training standards—Through the creation of statements of ethics,
especially in relation to ethical use of internet access, email,
and other computer systems.
-1 3
CISSPs inform users through security awareness
J training—About ethical responsibilities.

j (180“ — INFORMATION SECURITY AND RISK MANAGEMENT 47

 BASIS AND ORIGIN OF ETHICS * Basis and Origin of Ethics—This slide highlights the basis
and origins of ethics and ethical behavior. From looking at
;
r0 ' 0 '• ’ '
r - these, it seems easy to understand why there are so many
® Religion ® Enlightened self interest different beliefs about what is “good ethical behavior.”
® Law •Professional • The problem is that ethics are open to a lot of interpre¬ f
ethics/practices tation and outside influence. In many cases a person’s
® National Interest ethics is influenced by their situation and needs.
®
Individual Rights •Standards of good 0
This means that not everyone see ethics in the same
practice
® Common way which requires organizations to provide ethical
•Tradition/culture boundaries and interpretation for their employees.

m
good/interest

FORMAL ETHICAL THEORIES Formal Ethical Theories—There are formal ethical theories
beyond mere tradition or law. Most of these theories fall into
one of two categories.
® Teleology
3
Teleology—Teleological theories and approaches are based
— Ethics in terms of goals, on outcomes. They try to provide the greatest good for the
purposes, or ends gÿp* greatest number of individuals.

•Deontology • Utilitarianism, the most good for the most people.

— Ethical behavior is a iduty 3
Deontology—Deontological theories subscribe to the belief
that each person has pre-existing requirements to do good.
(L-' S4 ‘
It is their duty to do so.

y
• Many religions are deontological in their teachings.
71

COMMON ETHICAL FALLACIES 3

Law-abiding Citizen—In some legal systems you may
have the right to write viruses as a form of free speech/
expression.
•Computers are a game
Law-abiding Citizen * Hactivism—People feel that they have the right to
* attack a firm or deface a website due to the policies of
that organization.
•Shatterproof
Candy-from-a-baby
3
Shatterproof—Action could only hurt a few files, little
* damage won’t bother anyone.
® Hackers
• Candy-from-a-baby—If it was easy to break in to a com¬
9 Free Information puter it must be acceptable since the host organization
would have secured the system properly if they did not
want people to break in.

72 • Hackers—Learning motives makes nonprofit hacking OK.

If I gain experience and more knowledge about comput¬
Common Ethical Fallacies—Here are some of the common ers, I’m not guilty of a crime.
ethical fallacies seen almost daily: 9
Free Information—“Information wants to be free,” infor¬
0
Computers are a game—No one really gets hurt when mation should be free; therefore, it must be OK to look
VL
attacking a computer—it is just a game, a challenge for the through somebody’s system to obtain information.
attacker.

48 (ISC)3 — INFORMATION SECURITY AND RISK MANAGEMENT

 a Relevant Professional Codes of Ethics—There are several
CODES OF ETHICS IS
codes of ethics that apply to this discussion. However, we
will focus on the (ISC)2 code of ethics over the next few ||
£
® Relevant Professional Codes slides. We will also note the published statements from the
of Ethics include: Internet Activities Board (IAB) has explaining what they m
t — (ISC)2 and other professional
consider ethical and appropriate behavior.

codes of ethics
Internet Activities Board (IAB)
77-Ji
Auditors - s

— Professional codes may have

legal importance

)
73

(ISC)2 CODE OF ETHICS

3
(ISC)2 Code of Ethics Preamble—You will be asked to sign
a statement agreeing to follow this code before you will be
PREAMBLE allowed to take the exam. Therefore, it’s wise to understand it
as you will likely be asked to apply it in situations as you go
® “Safety of the commonwealth, duty to our through your daily activities.
_ principals, and to each other requires that
we adhere, and be seen to adhere, to the
highest ethical standards of behavior”
)

•“Therefore, strict adherence to this code is

a condition of certification”

1 r d t/—
r &*•****¥
74
' C c- P A — *1

... £ * <$ . .

j 3
(ISC)2 Code of Ethics Canons—These canons are expressed
(ISC)2 CODE OF ETHICS
in the priority that they should be followed. Sometimes it
CANONS becomes impossible to apply all of the canons as they may
J conflict in a particular situation. Therefore, we must remem¬
° “Protect society, the commonwealth, and the ber that these are in the order that we should apply them to
j infrastructure" work through difficult ethical challenges.
© “Act honorably, honestly, justly, responsibly, and
legally”
0 “Provide diligent and competent service to
principals”
0 “Advance and protect the profession”
75
J

9
,J

(ISC)’ — INFORMATION SECURITY AND RISK MANAGEMENT 49

 0
Ethics and the Internet—
RFC 1087
3
Access and use of the Internet is a PRIVILEGE and
® Ethics and the Internet should be treated as such by all users—The Internet
Activities Board (IAB) provides recommendations con¬
— Access and use of
the Internet is a
PRIVILEGE and
should be treated as
1 cerning the proper use of the resources of the Internet.
It highlights that access to the Internet is a PRIVILEGE
not a right.

such by all users I

;
—L &
'ÿ
C

76
3
Internet Activities Board (IAB)—Has provided this list of
INTERNET ACTIVITIES unethical and unacceptable practices. These are self-explanatory
BOARD (IAB) and worth your understanding.

® Any activity is unethical & unacceptable

that purposely:
— Seeks to gain unauthorized access to Internet
resources
— Disrupts the intended use of the Internet
— Wastes resources (people, capacity, computer)
through such actions

11

INTERNET ACTIVITIES
BOARD (IAB)

Destroys the integrity of computer-based

:
information
Compromises the privacy of users
® Involves negligence in the conduct of
Internet-wide experiments

78

50 (ISC)’ — INFORMATION SECURITY AND RISK MANAGEMENT

 Ethical Environments—This slide provides a good starting point
m
i
ETHICAL ENVIRONMENTS to form a discussion about ethics and the challenges faced in
; incorporating ethics into our organization’s policies, programs, $j$j
® Ethics are difficult to and procedures. It’s an interesting point to note that your PER¬
define SONAL ethics may be different than your PROFESSIONAL ethjcs.
i§ 0 Begin with senior
| That’s OK if your personal ethics sets a higher standard than your
professional ethical baseline. HOWEVER, your professional ethical
management baseline must never be compromised.
0
Ethics are difficult to define—The primary concept of ethi¬
i cal behavior is, “do no harm.” The ethics of an organization
must be clearly defined and communicated to all employees.
: Every person has a different set of ethical beliefs and those
ethical beliefs may be subject to influence depending on the
! environment. The organization must describe “their” ethical
position so that an employee can make the appropriate
79 decision in a situation.
)
Begin with senior management—By creating an overall cul¬
!
ture of ethical behavior. The Ethical standards of the organi¬
zation need to be communicated:
• Corporate ethics includes ethical use of computer
assets.
)
• Ethics covered as part of regular awareness training
and condition of employment.
• Ethics included in functional policies (Privacy, Email,
Acceptable Use, etc.)
• Active monitoring of network activities combined with
l
good investigations and enforcement.

1 • Handbooks, guides.
• Training.
• Reviews

DOMAIN SUMMARY

a This domain sets the foundation for a respected and

solid Information Security Management Program:
— Policies, Procedures, Baselines, Guidelines c £ i
. — Roles and Responsibilities f-;
— Risk Management /

J — Ethics «T

lWe M

t
(ISC)3 — INFORMATION SECURITY AND RISK MANAGEMENT 5i

,
 im
W§.I V
n n
i:
mm
jjnfhf
i.

;
L

A k mm .

- --
-".ji'V
•-ÿ

.
Emi m
I' T-
--- ,
-
I
m
-,rj««w”

SSIBi |
m 3
mm ,

!
Si*
Ife
•
.

*
..

:.-V?
:: U
in ::
mz .
!

ll
r M—
fetSl
-•ÿ

i
mm
i m mm

52 (ISC)a — INFORMATION SECURITY AND RISK MANAGEMENT

F'W'

Review Questions

|1. Which of the following is not a functional policy example 7. Which one of the following is not a primary step in
1
covered in this domain? Quantitative risk analysis?
jr. Data Classification
’

-
0 b - it

I b. Access Control b. Conduct a threat analysis.

c. Privacy c. Determine annual loss expectancy.
f7
i k Alternate courses of action d. Estimate potential losses.
I2. Best practices include: 8. Guidelines are:
a. ISO 27001 /10 Recommendations

j 'b. “Taking candy from a baby.” b. The same as standards

c. Hiding risks. c. Mandatory
d. Understanding that ethics are situational. d. The same as the least privilege principle
I
3. Which of the following is correct? 9. It is possible to:
a. ALE = ARO a. Totally eliminate risk.
,M. ARO = ALE x ALO (15) Do a totally Qualitative risk assessment.
W SLE X ARO = ALE 0 c. Do a totally Quantitative risk assessment.
, d. SRO = ALE x ALE d. Have ARO equal a negative number when doing a
qualitative risk assessment.
4. Who normally operates IT systems?
, a. Auditors 10. When establishing the value of information
| b) Custodians the LEAST important factor is:
c. CISSPs a. Trade Secrets
d. Management b. Operational Impact
I
c. Value of information to others
5. From a security perspective, mandatory vacations: C cD Quantity of information
, jf. Make it easier to detect fraud.
b. Keep employees fresh. 11. Which of the following is the FIRST (ISC)2 canon?
i a. Advance and protect the profession.
c. Make it easier to find out who can be replaced.
/'"’b. Protect society, the commonwealth, and the
I d. Comply with least privilege principle. infrastructure.
6. Security awareness: c. Provide competent service to principals.
a. Is the same a professional education. V- ( d./Act honorably, honestly, justly, responsibly, and legally.
b. Is the same as background checks and verifying
12. Risk management principles include all the following EXCEPT:
education.
c. Makes it easy to find out who is a security risk. a. Avoidance
j Cb? Ignorance
j d, Begins the first day of employment.
c. Acceptance
d. Mitigation
j®

(ISC)3 — INFORMATION SECURITY AND RISK MANAGEMENT 57

13. Assurance mechanisms provides us with: 17. Information classification is the responsibility of:
Confidence in the appropriateness of controls a. Executive management
'
b. The SLE during risk assessment %. Information owner
c. A measure of the likelihood of security breaches
d. The degree of compliance with policy
c. Data custodians
d. IT system owner
14. When selecting countermeasures:
a. We should almost always select the most expensive 18. Which of the following is not one of the three main parts of n
Governance?
countermeasure because they provide better security.
b. Cost must be equal than the benefit obtained. a. Structure
c. Cost of the countermeasure should be less than the b. Leadership
value of the asset. c. Incidents ;
d. Technical countermeasures are better than operational
ones. tAFrocesses
19. Which of the following is not correct?
15. The basis for personal ethics could be all the following a. Risk Acceptance: Accepting the risk and absorbing the cosi
except: when and if it occurs.
a. Mandated actions b. Risk Transference: Pass risk to another party. Example:
b. Law/justice/sense of fairness Insurance.
cJRisk Avoidance: Decide to continue with the activity despite
v' c. Religious beliefs '
the identified risk.
d. Almost anything could be the basis for personal ethics
d. Risk Reduction: Provide countermeasures to reduce the ris
16. The right amount of security is: and strengthen the security posture.
a. The more secure the better
20. Qualitative risk assessments are scenario-based and are
b. Based on the analysis of the users ranked by:
c. Determined by the level of acceptable risk a. Percentages
d. As long as threats exist, we can not have the right amount ti. Calculation of ARO
of security c: High/Med/Low
d. Dollar values

t-

58 (ISC)3 — INFORMATION SECURITY AND RISK MANAGEMENT