CISSP Domain1 - 2024

Uploaded by

Volkan Kuzucu

Security and Risk Management

CISSP Guide to Security Essentials


Domain 1

Objectives
• How security supports organizational mission,
goals and objectives
• Risk management
• Security governance and management
• Security standards, policies, procedures and
guidelines
• Professional ethics
• Security awareness, education, and training
program
• Disaster Recovery /Business Continuity Plans

1
Topics
• (ISC)² Professional Ethics
• Security Concepts
• Security Governance Principles
• Legal, regulatory & compliance issues related to security
• Investigation types
• Security policies, standards, procedures, and guidelines
• Enforce personnel security policies and procedures
• Risk management concepts
• Threat modeling concepts and methodologies
• Supply chain risk management (SCRM) concepts
• Security awareness, education, and training program

Professional Ethics

2
Professional Ethics
• (ISC)² code of ethics
– Protect society, the commonwealth, and
the infrastructure.
– Act honorably, honestly, justly,
responsibly, and legally.
– Provide diligent and competent service to
principals.
– Advance and protect the profession.

Security Concepts &


Terminologies

3
5 Pillars of Information Security

• Confidentiality,
• Integrity,
• Availability,
• Authenticity,
• Nonrepudiation

Key Information Security Concepts

CONFIDENTIALITY
The protection of information from
unauthorized disclosure

INTEGRITY
The accuracy and completeness of
information in accordance with
business values and expectations

AVAILABILITY
The ability to access information
and resources required by the
business process

4
Confidentiality
• Preventing the information content from
being viewed by unauthorized persons and
processes
• Confidentiality breach can occur in many
ways.
• Confidentiality must be ensured in the
environment where information is stored,
transmitted and processed.

Loss Consequences and Preservation Methods

CONFIDENTIALITY
The protection of information from
unauthorized disclosure

LOSS CONSEQUENCES INCLUDE:
• Disclosure of information protected by privacy laws
• Loss of public confidence
• Loss of competitive advantage
• Legal action against the enterprise
• Interference with national security
• Loss of compliance

PRESERVATION METHODS INCLUDE:
• Access controls
• File permissions
• Encryption

5
Confidentiality
• Confidentiality levels
– Sensitivity of information
– Grant access based on the confidentiality level
• An access control mechanism is needed
– ACL (Access Control List)
• Traceability and accountability are needed
– Who accessed which information, and when
• Determine which information is sensitive
and at what level its confidentiality will be
protected.

Ensure Confidentiality
• Encryption
• Logical access controls
– Passwords, biometrics, other authentication factors
– File-based access restrictions
– DBMS views, etc.
• Physical access controls
– Protecting secure areas
– Guards, CCTV, etc.
• Administrative controls
– Employee security awareness programs
– Security policies, procedures
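The two slides above combine three ideas that are easy to conflate: a sensitivity level on the data, need-to-know (an ACL or compartment on top of the level), and a record of who accessed what. The following is an added example, not code from the original slides, showing one way to implement that decision as a single check with an audit trail. The level names, compartments, users and documents are constructed sample data, and the class and function names are assumptions for this illustration.

```python
"""Label-based confidentiality check with need-to-know and an audit trail.

Added example, not from the original slides. Levels, compartments, users and
documents are constructed sample data; helper names are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Ordered classification levels: a higher number is more sensitive.
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str                          # highest level the subject may read
    compartments: frozenset = frozenset()   # need-to-know tags the subject holds


@dataclass(frozen=True)
class Document:
    doc_id: str
    level: str                              # sensitivity label on the data
    compartments: frozenset = frozenset()   # tags required to read it
    acl: frozenset = frozenset()            # explicit allow-list; empty = any cleared subject


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, subject, doc, decision, reason):
        # Accountability: every decision, allow or deny, is attributable to a subject.
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "subject": subject.name, "doc": doc.doc_id,
            "decision": decision, "reason": reason,
        })


def can_read(subject: Subject, doc: Document, audit: AuditLog) -> bool:
    """Grant read access only if every confidentiality condition holds."""
    if LEVELS[subject.clearance] < LEVELS[doc.level]:
        audit.record(subject, doc, "DENY", "clearance below document level")
        return False                        # "no read up"
    if not doc.compartments <= subject.compartments:
        audit.record(subject, doc, "DENY", "missing need-to-know compartment")
        return False                        # clearance alone is not enough
    if doc.acl and subject.name not in doc.acl:
        audit.record(subject, doc, "DENY", "not on ACL")
        return False
    audit.record(subject, doc, "ALLOW", "level, need-to-know and ACL satisfied")
    return True


def demo():
    """Run four constructed access requests and return the decisions plus the log."""
    audit = AuditLog()
    alice = Subject("alice", "SECRET", frozenset({"MERGER"}))
    bob = Subject("bob", "SECRET")          # cleared to SECRET, but no need-to-know
    carol = Subject("carol", "INTERNAL")
    merger_plan = Document("DOC-1", "SECRET", frozenset({"MERGER"}))
    payroll = Document("DOC-2", "CONFIDENTIAL", acl=frozenset({"alice"}))
    results = {
        "alice->merger": can_read(alice, merger_plan, audit),
        "bob->merger": can_read(bob, merger_plan, audit),
        "carol->merger": can_read(carol, merger_plan, audit),
        "bob->payroll": can_read(bob, payroll, audit),
    }
    return results, audit.entries


if __name__ == "__main__":
    decisions, log = demo()
    for k, v in decisions.items():
        print(k, "ALLOW" if v else "DENY")
    for entry in log:
        print(entry)
```

The point of the example is the second denial: bob holds a SECRET clearance and is still refused, because the document carries a compartment he does not hold. Clearance answers "may this person see data at this level", need-to-know answers "does this person require this particular item", and the audit log answers the traceability requirement on the slide.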

6
Confidentiality Measures
• Encryption (at rest, in transit, in use)
• TLS (SSLv3 and S-HTTP are obsolete and must not be used), IPsec, S/MIME, PEM, EFS, SSH, secure RPC, ...
• Network traffic padding (adding dummy data to real traffic so that message sizes and timing reveal less)
• Strong authentication
• Data classification
• Security labels for data, users and processes
• Security awareness
• Secure destruction of media
• A breach of confidentiality is often followed by a breach of
information integrity.
• In a pure confidentiality violation, however, the information is read
without authorization but generally not modified.

Integrity
• Preventing information from being changed by
unauthorized persons and processes, being
changed by authorized persons and processes
who do not have the right to change it, and
ensuring information consistency
• Threats to integrity
– Viruses
– Logic bombs
– Back doors
– Other malicious code
– Hardware and software deficiencies
– User mistakes
– Misconfigured servers and network components
– Weak access controls
– System and software vulnerabilities

7
Loss Consequences and Preservation Methods

INTEGRITY
The accuracy and completeness of information in
accordance with business values and expectations

LOSS CONSEQUENCES INCLUDE:
• Inaccuracy
• Erroneous decisions
• Fraud
• Failure of hardware
• Loss of compliance

PRESERVATION METHODS INCLUDE:
• Access controls
• Logging
• Digital signatures
• Hashes
• Backups
• Encryption

Integrity Measures
• Access control
• Intrusion detection/response
• Anti-virus & malicious code software
• Correctly configured network and server components
• Digital Certificates
• Encryption
• Security Awareness
• Backup and restore
• Patch and release management
• Formal change management
• Application security controls
• Checksums, check digits, hash totals, reconciliations, DB controls, ...

8
Availability
• Access to the information when needed
• Measures
– Correctly configured and fully patched network elements
• Closing unnecessary services and ports
• Changing default parameters
• Patch management
• Log management
– Clustered and fault-tolerant systems and applications
– Data backup, replication, mirroring
– Disaster recovery and business continuity plans
– Application controls
• Buffer overflow and covert channel controls, I/O controls
– Measures against TCP/IP protocol vulnerabilities
• Secure TCP/IP configuration
– Recovery strategies (warm site, reciprocal agreements, etc.)

Loss Consequences and Preservation Methods

AVAILABILITY
The ability to access information and
resources required by the business process

LOSS CONSEQUENCES INCLUDE:
• Loss of functionality and operational effectiveness
• Loss of productive time
• Fines from regulators or a lawsuit
• Interference with enterprise's objectives
• Loss of compliance

PRESERVATION METHODS INCLUDE:
• Redundancy of network, system, data
• Highly available system architectures
• Data replication
• Backups
• Access controls
• A well-designed disaster recovery plan or business continuity plan

9
Achieving CIA - Best Practices
• Separation of Duties
• Mandatory Vacations
• Job Rotation
• Least Privileges
• Need to know
• Dual Control

DAD (CIA Opposite)

• Disclosure
– Opposite of Confidentiality
• Alteration
– Opposite of Integrity
• Destruction
– Opposite of Availability

10
Authenticity
• The ability to ensure that the information
originates from, or is endorsed by, the source
to which it is attributed.
• Measures
– Digital signatures
– Logging
– Time stamping

Non-repudiation
• Non-repudiation is the assurance that a party
cannot later deny having performed an action,
such as sending or receiving a message.
• In cybersecurity, information received must be
verifiable as coming from the sending source
indicated, in a way the sender cannot disown.
• It is also important that neither sender nor
receiver can later deny that they sent or
received the information.
• Non-repudiation is implemented through digital
signatures (a private key held only by the signer)
and transaction logs.
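The integrity, authenticity and non-repudiation slides list hashes, digital signatures and logs as the tools, but not why each one stops where it does. The following is an added example, not code from the original slides, that walks the three properties with the Python standard library only: a SHA-256 digest for integrity, an HMAC for authenticity, and then a demonstration of why a shared-key HMAC cannot give non-repudiation. The order message and keys are constructed sample data and the function names are assumptions; a real signature would use an asymmetric algorithm, which the standard library does not provide, so that step is described in the comments rather than implemented.

```python
"""Integrity vs. authenticity vs. non-repudiation with hashlib/hmac (stdlib only).

Added example, not from the original slides. The message and keys are constructed
sample data; function names are assumptions.
"""
import hashlib
import hmac
import secrets


def digest(message: bytes) -> str:
    """Integrity check: any change to the bytes changes the SHA-256 digest."""
    return hashlib.sha256(message).hexdigest()


def tamper_detected(message: bytes, stored_digest: str) -> bool:
    """True if the message no longer matches the digest recorded earlier."""
    return digest(message) != stored_digest


def mac(key: bytes, message: bytes) -> bytes:
    """Authenticity: only holders of `key` can produce a matching tag."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking where the comparison failed through timing.
    return hmac.compare_digest(mac(key, message), tag)


def demo():
    """Exercise the three properties on a constructed payment order."""
    order = b"transfer 100 EUR to account 42"

    # 1. Integrity: a plain hash detects accidental or naive modification ...
    stored = digest(order)
    altered = order.replace(b"100", b"900")
    integrity_caught = tamper_detected(altered, stored)
    # ... but anyone can recompute the hash over the altered bytes, so a bare
    # hash proves nothing about who produced the message.
    hash_alone_is_forgeable = not tamper_detected(altered, digest(altered))

    # 2. Authenticity: an HMAC keyed with a secret shared by sender and
    # receiver stops an outsider (who lacks the key) from forging a message.
    key = secrets.token_bytes(32)
    tag = mac(key, order)
    outsider_tag = mac(secrets.token_bytes(32), altered)   # attacker guesses a key
    outsider_rejected = not verify_mac(key, altered, outsider_tag)
    genuine_accepted = verify_mac(key, order, tag)

    # 3. Non-repudiation gap: the receiver holds the same key, so it can mint a
    # valid tag for any message it likes. A third party (auditor, court) cannot
    # tell which of the two key holders authored it, so the sender can deny it.
    # Non-repudiation requires a digital signature made with a private key that
    # only the sender holds, verified with the matching public key.
    receiver_forgery = mac(key, altered)
    receiver_can_forge = verify_mac(key, altered, receiver_forgery)

    return {
        "integrity_caught": integrity_caught,
        "hash_alone_is_forgeable": hash_alone_is_forgeable,
        "outsider_rejected": outsider_rejected,
        "genuine_accepted": genuine_accepted,
        "receiver_can_forge": receiver_can_forge,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Read the last flag as the lesson of the slide: an HMAC gives integrity and authenticity between two parties who trust each other, while non-repudiation toward a third party needs a key that only one party controls, plus a log that records when the signed message was received.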

11
IAAAA
• Identification: a unique identifier claimed by a user or process
• Authentication: validation that the claimed identity is genuine
• Authorization: verification of the privileges and permissions of the
authenticated user
• Accountability: the ability to trace every action on the system to the
identity that performed it (relies on logging)
• Auditing: the tools, processes, and activities used to achieve and
maintain compliance

Layered Defense
Deploying controls in layers is good practice
• Defense in depth

Uses:
• To provide additional protection in the event of a
control failure
• Because a single control is known to be inadequate

Controls tailored to specific threats may be more cost
effective

12
Layered Security/Defence in Depth
The use of multiple controls in a series
• Level1: Network Layer Security
• Level2: Platform Layer Security
• Level3: Application Layer Security
• Level4: Data Layer Security
• Level5: Response Layer Security

Layered Defense

13
Single Points of Failure
• A single point of failure (SPOF)
– Failure of a single component results in the failure of
the entire system

Fail Open / Fail Closed / Fail Soft

• When a security mechanism fails, there
are usually two possible outcomes:
– Fail open – the mechanism permits all activity
– Fail closed – the mechanism blocks all activity
• Fail soft – failed or non-essential parts are shut down
while essential functionality is preserved (graceful degradation)
– Example: a server with a UPS and a shutdown script that
shuts down cleanly on power loss instead of crashing

14
Fail Open / Fail Closed (cont.)
• Principles
– Different types of failures will have
different results
– Both fail open and fail closed
are undesirable, but sometimes one or
the other is catastrophic
– Security devices generally fail closed
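The slide states the principle; the place it is most often violated in practice is an authorization check whose backing store (directory, policy engine, token introspection endpoint) becomes unreachable. The following is an added example, not code from the original slides, that shows the same check written fail-open, fail-closed and fail-soft against a constructed policy store that can be switched into an outage. `PolicyUnavailable`, `PolicyStore`, the action names and the users are assumptions made for this illustration.

```python
"""Fail open vs. fail closed vs. fail soft in an authorization check.

Added example, not from the original slides. The policy store, its outage and
the user and action names are constructed; all names are assumptions.
"""


class PolicyUnavailable(Exception):
    """Raised when the policy backend (directory, PDP, ...) cannot be reached."""


class PolicyStore:
    """Minimal stand-in for a remote policy decision point."""

    def __init__(self, grants, available=True):
        self.grants = grants            # {(user, action): True}
        self.available = available

    def lookup(self, user, action):
        if not self.available:
            raise PolicyUnavailable("policy backend down")
        return self.grants.get((user, action), False)


def authorize_fail_open(store, user, action):
    """Permits the action whenever a decision cannot be made.

    This is what a bare `except Exception: pass` around the check amounts to,
    and it turns an outage into an authorization bypass."""
    try:
        return store.lookup(user, action)
    except PolicyUnavailable:
        return True


def authorize_fail_closed(store, user, action):
    """Denies when a decision cannot be made: the default for a security control."""
    try:
        return store.lookup(user, action)
    except PolicyUnavailable:
        return False


def authorize_fail_soft(store, user, action, safe_actions=frozenset({"read_public"})):
    """Degrades gracefully: only a fixed, low-risk subset keeps working in an outage."""
    try:
        return store.lookup(user, action)
    except PolicyUnavailable:
        return action in safe_actions


def demo():
    """Compare the three behaviours with the backend healthy and then down."""
    grants = {("alice", "delete_records"): True, ("alice", "read_public"): True}
    healthy = PolicyStore(grants)
    down = PolicyStore(grants, available=False)
    return {
        "normal_admin": authorize_fail_closed(healthy, "alice", "delete_records"),
        "normal_intruder": authorize_fail_closed(healthy, "mallory", "delete_records"),
        "open_intruder": authorize_fail_open(down, "mallory", "delete_records"),
        "closed_intruder": authorize_fail_closed(down, "mallory", "delete_records"),
        "closed_admin": authorize_fail_closed(down, "alice", "delete_records"),
        "soft_public": authorize_fail_soft(down, "mallory", "read_public"),
        "soft_delete": authorize_fail_soft(down, "alice", "delete_records"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The "open_intruder" result is the catastrophic case the slide warns about: an unauthenticated caller is granted a destructive action purely because the backend timed out. Fail closed costs availability ("closed_admin" is refused during the outage); fail soft is the compromise when some read-only function must survive, and the allow-list of safe actions should be as short as the business can tolerate.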

COUNTERMEASURES

• Designed to reduce a single vulnerability or a threat
• Should be considered from a strategic perspective
• Can be passive or active

15
? Review Question

Which of the following statements about
confidentiality is true?

A. Confidentiality is the protection of information from
unauthorized access or disclosure.
B. Confidentiality is the protection of information from
unauthorized modification.
C. Confidentiality ensures the timely and reliable
access to and use of information and systems.
D. Confidentiality ensures sufficient and appropriate
information is available for targeted users

? Review Question

Which of the following is the best
description of authenticity?
A. The process of validating if a claimed or
professed identity is genuine.
B. The result of preserving authorized restrictions
on information access and disclosure.
C. Confidence in the validity of a transmission, a
message, or message originator.
D. The inability to deny responsibility for performing
a specific act.

16
? Review Question

With respect to the adequacy of protecting an online
platform's confidentiality, authentication, non-repudiation,
and integrity, which is the best control mechanism from the
following?
A. Virtual Private Network (VPN)
B. Transport Layer Security (TLS)
C. Public Key Infrastructure (PKI)
D. Secure Sockets Layer (SSL).

? Review Question

Which factor is the most important item
when it comes to ensuring security is
successful in an organization?

A. Senior management support
B. Effective controls and implementation
methods
C. Updated and relevant security policies
and procedures
D. Security awareness by all employees

17
Security Governance
Principles

Topics
• Alignment of the security function to business
strategy, goals, mission, and objectives
• Organizational processes (e.g., acquisitions,
divestitures, governance committees)
• Organizational roles and responsibilities
• Security control frameworks
• Due care/due diligence

18
Information Security Governance Overview

• Information security governance
– Is becoming increasingly critical
– Is the responsibility of the board of directors and
executive management
– Is part of enterprise governance
– Consists of
• Leadership
• Organizational structures
• Processes

Importance of Information Security
Governance
– Addressing the increasing potential for civil or legal
liability inuring to the organization and senior
management as a result of information inaccuracy or
the absence of due care in its protection or
inadequate regulatory compliance
– Providing assurance of policy compliance
– Increasing predictability and reducing uncertainty of
business operations by lowering risks to definable and
acceptable levels

19
Importance of Information Security
Governance
– Improving trust in customer relationships
– Protecting the organization’s reputation
– Providing accountability for safeguarding information
during critical business activities
– Reducing losses from security-related events
– Providing assurance that security incidents and
breaches are not catastrophic

Outcomes of Information Security Governance


• Strategic alignment
• Risk management
• Value delivery
• Resource management
• Performance measurement
• Integration

20
Organizational Mission,
Objectives, and Goals

Mission
• Statement of its ongoing purpose and
reason for existence.
• Usually published, so that employees,
customers, suppliers, and partners are
aware of the organization’s stated
purpose.

21
Mission (cont.)
• Should influence how we will approach
the need to protect the organization’s
assets.

Goals and Objectives


• Statements of activities or end-states
that the organization wishes to achieve.
• Support the organization’s mission and
describe how the organization will fulfill
its mission.
• Observable and measurable.
• Do not necessarily specify how they will
be completed, when, or by whom.

22
Goals and Strategy
• Business goals are set by the
board of directors
• Senior management builds the strategy
to achieve these goals
• Governance ensures business
strategy remains consistent with
business goals
• Information security governance
provides strategic guidance for
security
• Information security strategy should be
linked to the overall business strategy

(Figure: Goals → Objectives → Strategy)

Strategy Planning

• Strategic plan: long-term (3-5 year) plan to
achieve enterprise goals and objectives
• Tactical plan: 1-2 year plan to achieve
strategic goals
• Operational plan: plans for daily activities

(Figure: Strategic → Tactical → Operational)

23
Information Security Strategy Overview

• An information security strategy should:
– State objectives/purposes/goals
– Delineate principal policies and plans for achieving
objectives/purposes/goals
– Define the
• Range of business
• Desired state for the business
– Provide the basis for action plan(s)
• Action plan(s) must be based on available resources and
constraints
• Action plan(s) must contain provisions for monitoring and
metrics to determine the level of success

Question

Which of the following goals do you
expect to find in an organization's
strategic plan?

A. Short-term project plans for a new
planning system
B. Approved suppliers for products offered
by the company
C. Results of new software testing
D. An evaluation of information technology
needs

24
Question

Which of the following security
governance good practices
improves strategic alignment?

A. Supplier and partner risk is managed.
B. A knowledge base on customers,
products, markets and processes is in
place.
C. A structure is provided that facilitates the
creation and sharing of business
information.
D. Top management mediates between the
imperatives of business and technology.

BREAK

25
ROLES AND RESPONSIBILITIES

Board of Directors
• Need to be aware of information assets
• Provided with high-level results of risk assessments and BIAs
• Exercise due care in protecting key assets

Senior Management
• Ensure needed functions/resources are available
• Ensure resources are properly utilized
• Promote cooperation, arbitrate when needed and set priorities

ROLES AND RESPONSIBILITIES

Steering committee
• Comprised of senior representatives of groups impacted by
information security
• Ensures alignment of security program with business objectives
Common topics:
• Security strategy and integration efforts
• Specific actions and progress related to business unit support of
information security program functions
• Emerging risk, business unit security practices and compliance
issues

26
IS STEERING COMMITTEE

• Makes the decision on IS being centralized vs. decentralized, and assignment of
responsibility
• Makes recommendations for IS strategic plans
• Approves IS architecture
• Reviews and approves IS plans, budgets, priorities & milestones
• Monitors major IS project plans and delivery performance

ROLES AND RESPONSIBILITIES

Chief Risk Officer
• Generally responsible for all non-information risk and overall ERM

Chief Information Officer
• Responsible for IT planning, budgeting and performance management; IT strategy

Chief Information Security Officer
• Similar functions as the information security manager, with more strategic
elements

27
INTERNAL STAKEHOLDERS

• Boards
• Executive management
• Risk management
• Business managers
– Managers responsible for key business processes
– Managers responsible for revenue-producing activities
• IT managers
• Human resources
• Legal and privacy
• Assurance providers

Note: The business case should be updated to note requests, even if they are
not accepted.

EXTERNAL STAKEHOLDERS

• Service providers
• Critical vendors
• Regulators / regulatory bodies
• Outsourcing partners
• Consumers/members
• Business partners
• IT vendors

Information security may be affected by contracts.

28
QUESTION

The MOST important requirement for gaining
management commitment to the information
security program is to:

A. benchmark a number of successful
organizations.
B. demonstrate potential losses and other impacts
that can result from a lack of support.
C. inform management of the legal requirements of
due care.
D. demonstrate support for desired outcomes.

QUESTION

Which of the following situations would MOST
inhibit the effective implementation of security
governance?

A. The complexity of technology
B. Budgetary constraints
C. Conflicting business priorities
D. Lack of high-level sponsorship

29
? Question

Many privacy laws dictate which of the
following rules?

A. Individuals have a right to remove any
data they do not want others to know.
B. Agencies do not need to ensure that the
data is accurate.
C. Agencies need to allow all government
agencies access to the data
D. Agencies cannot use collected data for a
purpose different from what they were
collected for

? Question

Who is accountable for the overall
enterprise strategy for risk
governance?

A. Senior management
B. Business unit management
C. Chief risk officer
D. Board of directors

30
IS Standards, Policies and Procedures

POLICIES, STANDARDS AND CONTROLS

• Policies: governance tools ("constitution")
• Standards: management tools ("laws")
• Controls: part of the security architecture ("enforcement")

31
POLICIES, STANDARDS AND CONTROLS

POLICIES

Policies are the high-level statements of management intent,
expectations and direction.

Well-developed high-level policies in a mature organization can
remain static for extended periods.

Management should review all policies periodically.

IS auditors should understand that policies are a part of the audit
scope and test the policies for compliance.

IS controls should flow from the enterprise's policies and IS auditors
should use policies as a benchmark for evaluating compliance.

32
POLICIES

High-level documents

Must be clear and concise

Set the tone for the organization as a whole (top down)
• Corporate policies

Lower-level policies – defined by individual divisions and
departments

Apply to all stakeholders, including outsourced firms and third parties (through
contracts)

Must be reviewed periodically (review period to be stated in the policy)

IS auditor reviews policies for compliance

POLICIES

Directly traceable to strategy elements

Broad enough to not require regular revision, but should be periodically reviewed

Approved at the highest level

Pave the way for effective implementation

33
POLICIES

Attributes of good policies:


• Should capture the intent, expectations and direction of management
• Must be clear and easily understood
• Includes just enough context to be useful
• Rarely number more than two dozen in total

INFORMATION SECURITY POLICY

A security policy for information and related technology is a first step toward building the
security infrastructure for technology-driven organizations.

It communicates a coherent security standard to users, management and technical staff.

This policy should be used by IS auditors as a reference framework for performing audit
assignments.

The adequacy and appropriateness of the policy is also an area of review during an IS
audit.

34
POLICY COMPONENTS

The information security policy may comprise a set of policies, generally addressing the
following concerns:
• High-level information security policy — Includes statements on confidentiality, integrity and
availability
• Data classification policy — Provides classifications and levels of control at each classification
• End-user computing policy — Identifies the parameters and usage of desktop, mobile and other
tools
• Access control policy — Describes methods for defining and granting access to users of various
IT resources
• Acceptable use policy (AUP) — Controls the use of information system resources through
defining how IT resources may be used by employees

SETTING STANDARDS

Provide measurement for compliance

Govern procedure and guideline creation

Set security baselines

Reflect acceptable risk and control objectives

Act as criteria for evaluating acceptable risk

Are unambiguous, consistent and precise

Are disseminated to those governed by them and those impacted

35
STANDARDS

A standard is a mandatory requirement, code of
practice or specification approved by a recognized
external standards organization.

Professional standards refer to standards issued by
professional organizations, such as ISACA, and
related guidelines and techniques that assist the
professional in implementing and complying with
other standards.

STANDARDS

• Support policies

• Standards are part of the IS audit scope and
should be tested for compliance.

• IS hardening and service levels should be in
alignment with applicable standards, and
auditors should use the standards as a
benchmark for evaluating compliance.

• As with policies, the IS auditor must also consider
whether and to what extent standards pertain to
third parties and outsourcers, whether these
parties comply with the standards and whether
the standards of these parties conflict with
those of the organization.

36
PROCEDURES

The documented, defined steps in procedures aid in
achieving policy objectives.

Procedures documenting business and aligned IT processes
and their embedded controls are formulated by process
owners.

To be effective, procedures must:
• Be frequently reviewed and updated
• Be communicated to those affected by them

PROCEDURES

Procedures are detailed documents that:


• Document and define steps for achieving policy objectives
• Must be derived from the parent policy
• Must implement the spirit (intent) of the policy statement
• Must be written in a clear and concise manner
• More frequent reviews than policies
• Changing environments
• Operational and Administrative
• They must have intended users

37
PROCEDURES

Procedures direct precisely how something is to be done

Responsibility of operations staff
• Use unambiguous language
• Include all necessary steps

Ensure an organization can continue operations even if regular staff are unavailable

GUIDELINES

Guidelines for executing procedures are also the responsibility of operations.

Guidelines should contain information that will be helpful in executing the
procedures, including clarification of:
• Policies and standards
• Dependencies
• Suggestions and examples
• Narrative clarifying the procedures
• Background information that may be useful
• Tools that can be used

38
GUIDELINES

Contain information that will be helpful in executing procedures

Enable use of individual judgement

Can be helpful when an outcome needs to be achieved, but the how does not matter

QUESTION

The enactment of policies and procedures for
preventing hacker intrusions is an example of an
activity that belongs to:

A. risk management.
B. compliance.
C. IT management.
D. governance.

39
QUESTION

Which of the following represents the MOST correct
sequence of information security documentation to be
developed for an enterprise that wants to ensure that
information security is aligned with business
objectives?

A. High level policies, standards, baselines,
procedures
B. High level policies, standards, procedures,
baselines
C. Standards, high level policies, baselines,
procedures
D. Standards, baselines, high level policies,
procedures

QUESTION

Which of the following is a PRIMARY objective of
an acceptable use policy?

A. Creating awareness about the secure use
of proprietary resources
B. Ensuring compliance with information
security policies
C. Defining sanctions for noncompliance
D. Controlling how proprietary information
systems are used

40
QUESTION

Which person or group should have final approval of
an organization's information technology (IT)
security policies?

A. Business unit managers
B. Chief information security officer
C. Senior management
D. Chief information officer

QUESTION

Which of the following is the PRIMARY reason to
change policies during program development?

A. The policies must comply with new regulatory
and legal mandates.
B. Appropriate security baselines are no longer set
in the policies.
C. The policies no longer reflect management intent
and direction.
D. Employees consistently ignore the policies.

41
INFORMATION SECURITY CONTROL
FRAMEWORKS

INFORMATION SECURITY FRAMEWORKS, STANDARDS

• International Organization for Standardization (ISO)
• National Institute of Standards and Technology (NIST)
• Control Objectives for Information and Related Technology (COBIT)
• Sherwood Applied Business Security Architecture (SABSA)
• Payment Card Industry (PCI)
• Federal Risk and Authorization Management Program (FedRAMP)

42
STRATEGY AND FRAMEWORK

A framework is a scaffold of interlinked items
• Strategy is the starting point of the framework

Ensures that information security is focused on the
right goals

FRAMEWORKS AND ARCHITECTURE

Frameworks are closely associated with enterprise
architecture
• Goals = conceptual architecture
• Framework = logical architecture

Physical architecture implements the logical
architecture through policies, standards and controls

43
RELATIONSHIP OF GOVERNANCE ELEMENTS

THIRD-PARTY RESOURCES

Variety of resources available to use as a basis


• COBIT, CMMI, ISO, etc.

Frameworks define relationships

May derive benefit from certified compliance with third-party standards (e.g., ISO)

44
SABSA SECURITY ARCHITECTURE MATRIX

Source: Copyright SABSA Institute, www.sabsa.org. Reproduced with permission.

THE STRUCTURE OF THE TOGAF DOCUMENT

Source: The Open Group; TOGAF, Version 9.1., United Kingdom 2011

45
BUILDING CONSISTENCY

Integration ensures consistency

When adding information security to an existing
governance structure, it is not necessary to use a
different framework

If no general framework is used, find a framework
that is comprehensive and can be used across the
organization

Due Care/Due Diligence

Due Care: The habitual actions, policies and
procedures a reasonable organization employs to
maintain security and avoid risk; the ongoing
efforts an organization makes to maintain and
improve its cybersecurity measures (doing).
Due Diligence: The investigation that precedes and
informs those actions; the comprehensive process
an organization undertakes to understand and
manage cyber risk, for example the risks associated
with third-party partners, vendors and acquisitions
(knowing).

46
Legal, regulatory, and
compliance issues that pertain
to information security

Licensing and Intellectual Property
Requirements

Trade secret
– Protects: business information
– Disclosure required: no
– Term of protection: potentially indefinite
– Protects against: misappropriation

Patent
– Protects: functional innovations, novel ideas, inventions
– Disclosure required: yes
– Term of protection: set period
– Protects against: making, using or selling an invention

Copyright
– Protects: expression of an idea embodied in a fixed medium (books, movies, songs, etc.)
– Disclosure required: yes
– Term of protection: set period of time
– Protects against: copying or substantially similar work

Trademark
– Protects: color, sound, symbol, etc. used to distinguish one product/company from another
– Disclosure required: yes
– Term of protection: potentially indefinite
– Protects against: creating confusion

47
Import/Export Controls
• Import and export controls are country-based rules and
laws implemented to manage which products,
technologies, and information can move in and out of
those countries, usually meant to protect national security,
individual privacy, economic well-being, and so on.
• The Wassenaar Arrangement
– A multilateral export-control regime covering conventional arms and
dual-use goods and technologies, including cryptography. Participating
states can exchange and use cryptographic systems of any strength
among themselves while controlling exports so that these items are not
acquired by terrorists or other prohibited end users.
• International Traffic in Arms Regulations (ITAR)
– US regulation built to ensure control over any export of items
such as missiles, rockets, bombs, or anything else on the
United States Munitions List (USML).
• Export Administration Regulations (EAR)
– Covers commercial items such as computers, lasers, marine equipment,
and more. It also covers items designed for commercial use that
nonetheless have military (dual-use) applications.

Transborder Data Flow

• Transborder data flow laws restrict the transfer of data across country
borders. When sharing data across borders, applicable laws must be
considered.
• These laws primarily relate to personal data. The idea is to protect a
country/state/province/region's citizens' personal data. If an
organization is collecting citizens' data, then they are accountable for
the protection of that data.
• Given these laws, organizations must consider the potential
implications of the flow of data across physical borders. This can be
very challenging for organizations to keep track of with the proliferation
of service providers and global cloud services.

48
Privacy Information

Personal data can be referred to as:

• PI: Personal Information
• PII: Personally Identifiable Information
• SPI: Sensitive Personal Information
• PHI: Personal Health Information

Common Privacy Laws and
Regulations
Some of the common privacy laws and regulations are:

• HIPAA: protects individuals' medical records
• GDPR: governs the processing of personal data of individuals in the EU
• CCPA: grants consumers data privacy rights
• US state breach notification laws: require notifying individuals of security breaches
• GLBA: requires financial institutions to disclose their information-sharing practices

©2023 ISACA. All rights reserved.

49
PRIVACY TERMS

Data owners
• Need to have clearly defined accountabilities, including:
– Defining classification
– Approving access
– Retention and destruction
• Different types of owners:
– Data owners
– Process owners
– System owners
• Companies that collect personal data about customers are accountable for the protection of the data

Data custodians
• Need to have clearly defined responsibilities.
• Protect data based on the input from the owners.
• Custodians also need tools, training, resources, etc.; these are typically provided by the owners.

Data processors
• Need to have clearly defined responsibilities.
• Process personal data on behalf of the controller/owner.
• Protect critical assets based on value to ensure organizational assets are available when required by stakeholders.

Data subjects
• Individuals to whom personal data relates.

PRIVACY PRINCIPLES

• Consent
• Collection limitation principle
• Data quality principle
• Purpose specification principle
• Use limitation principle
• Security safeguards principle
• Openness principle
• Individual participation principle
• Accountability principle

50
PRIVACY IMPACT ASSESSMENT

• A Privacy Impact Assessment (PIA) is a process undertaken on behalf of
an organization to determine whether personal data is being protected
appropriately and to minimize risks to personal data where appropriate.
Under the GDPR the equivalent is the Data Protection Impact Assessment (DPIA).
These are the PIA/DPIA steps:
– Identify the need for a DPIA
– Describe the data processing
– Assess necessity and proportionality
– Consult interested parties
– Identify and assess risks
– Identify measures to mitigate the risks
– Sign off and record outcomes
– Monitor and review

QUESTION

A company wishes to implement safeguards to help prevent loss,
disclosure, exposure, use or destruction of covered data. Which privacy
principle does this fall under?

A. Use Limitation Principle
B. Security Safeguards Principle
C. Collection Limitation Principle
D. Accountability Principle

51
BREAK

Business Continuity

52
BCP PROCESS

The BCP process can be divided into the life cycle phases listed here; the last phase feeds back into the first, so the cycle repeats.

Business Continuity Planning Life Cycle
• Project Planning (BC Policy, Project Scope)
• Risk Assessment and Analysis
• Business Impact Analysis
• BC Strategy Development
• Strategy Execution (Risk Countermeasures Implementation)
• BC Plan Development
• BC Awareness Training
• BC Plan Testing
• BC Plan Monitoring, Maintenance and Updating

BUSINESS CONTINUITY POLICY

A business continuity policy should be proactive, delivering the message that all possible controls to both detect and prevent disruptions should be used.

The policy is a document approved by top management; it serves several purposes:
• It carries a message to internal stakeholders that the organization is committed to business continuity.
• As a statement to the organization, it empowers those who are responsible for business continuity.
• It communicates to external stakeholders that obligations, such as service delivery and compliance, are being taken seriously.
BUSINESS IMPACT ANALYSIS

BIA is a process used to determine the impact of losing the support of any resource.

It is an important adjunct to the risk analysis, often uncovering vital but less visible
components that support critical processes.

Three primary questions must be considered during a BIA process:
• What are the different business processes?
• What are the critical information resources related to an organization’s critical business processes?
• In the event of an impact on critical business processes, under what time frame will significant or unacceptable losses be sustained?

The IS auditor should be able to evaluate the BIA, requiring a knowledge of BIA development methods.
BUSINESS IMPACT ANALYSIS

• BIA Inputs:
– BCP Policy
– Risk Assessment (BCP based)
– Business Process Owners List
– Business Objectives and Goals
• BIA Outputs:
– List of critical business processes and important tasks
– Recovery Time Objective (RTO)
– Recovery Point Objective (RPO)
– Maximum Tolerable Outage (MTO)

CLASSIFICATION OF OPERATIONS AND CRITICALITY ANALYSIS

• Critical
• Vital
• Sensitive
• Nonsensitive
RPO AND RTO DEFINED

Recovery point objective (RPO)
• Determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data.
• The RPO effectively quantifies the permissible amount of data loss in case of interruption.

Recovery time objective (RTO)
• The amount of time allowed for the recovery of a business function or resource after a disaster occurs.

RPO AND RTO RESPONSES

Both RPO and RTO are based on time parameters. The nearer the time requirements are to the center of the scale (the shorter the RPO or RTO), the more costly the recovery strategy. Note the strategies employed at each time mark:

Recovery Point Objective
• 4-24 hrs: Tape backups; Log shipping
• 1-4 hrs: Disk-based backups; Snapshots; Delayed replication; Log shipping
• 0-1 hr: Mirroring; Real-time replication

Recovery Time Objective
• 0-1 hr: Active-active clustering
• 1-4 hrs: Active-passive clustering; Hot standby
• 4-24 hrs: Cold standby
RECOVERY ALTERNATIVES

• Hot sites
• Warm sites
• Cold sites
• Mirrored sites
• Mobile sites
• Reciprocal arrangements with other organizations

BCP PLAN COMPONENTS

• Continuity of operations plan
• Disaster recovery plan
• Business resumption plan
• IT contingency plan
• Crisis communications plan
• Incident response plan
• Transportation plan
• Occupant emergency plan
• Evacuation plan
• Emergency relocation plan
PLAN TESTING

The critical components of a BCP should be tested under simulated conditions to accomplish objectives such as these:
• Verify the accuracy of the BCP.
• Evaluate the performance of involved personnel.
• Evaluate coordination among response team members and external parties.
• Measure the ability and capacity of any backup site to perform as expected.

Assessing the results and value of the BCP tests is an important responsibility for the IS
auditor.

QUESTION

In which of the following phases of business continuity planning (BCP) would business unit involvement be MOST useful?

A. Business plan execution
B. Business impact analysis
C. Recovery strategy development
D. Business plan maintenance
Personnel Security

Personnel / Staffing Security
• Hiring practices and procedures
• Periodic performance evaluation
• Disciplinary action policy and procedures
• Termination procedures

Hiring Practices and Procedures
• Effective assessment of qualifications
• Background verification (prior employment, education, criminal history, financial history)
• Non-disclosure agreement (NDA)
• Non-compete agreement
• Intellectual property agreement
• Employment agreement
• Employee Handbook
• Formal job descriptions
Termination
• Immediate termination of all logical and
physical access
• Change passwords known to the
employee
• Recovery of all company assets
• Notification of the termination to affected
staff, customers, other third parties
• And possibly: code reviews, review of
recent activities prior to the termination

Work Practices
• Separation of duties
– Designing sensitive processes so that two
or more persons are required to
complete them
• Job rotation
– Good for cross-training, and also reduces
the likelihood that employees will collude
for personal gain
• Mandatory vacations
– Detect / prevent irregularities that violate policy
and practices

Risk Management

Risk Management Overview
• Realize opportunities for gain
• Reduce potential for loss
• Minimize vulnerabilities

Enterprise Risk Management

Risk Terminology
• Risk: A derived value that refers to the likelihood (frequency) and magnitude (impact) of loss that exists from a combination of assets, threats, and control conditions.
• Threat: Actions or actors that may act in a manner that can result in loss or harm.
• Vulnerability: A weakness in design, implementation, operation or internal control.
Risk Terminology
• Risk Level: Threat Probability x Risk
Impact
• Inherent Risk= Risk without controls
applied
• Residual Risk= Risk after controls applied
• Risk Profile= Current overall risk

Risk Identification
Process used to determine and examine the type and nature of viable threats to enterprise vulnerabilities.
• Enterprises operate in a constantly changing environment
• Potential threats and resulting risk also evolve
• Only identified risk can be assessed and treated appropriately
• Effective risk management cannot exist without effective risk identification
Identify:
• All information assets, including third-party assets (service providers, outsourcers, contractors)
• Viable threats (potential and realized)

Risk Identification Methods and Techniques
Methods and Tools
• Threat modeling
• Checklists
• Flowcharts
• Brainstorming
• Systems analysis
• Scenario analysis
• Systems engineering techniques
Techniques
• Judgements based on experience
• Workshops
• Structured approaches
• What-if and scenario analysis
• Mapping threats to identified and suspected vulnerabilities

Vulnerabilities and Threats
Vulnerabilities derive from:
• Technical weaknesses
• Business processes
• Employees
• Lack of awareness
• Outsourced services
Threats are circumstances or events with potential to cause harm:
• Internal or external
• Originating anywhere
• Legal, environmental or technical
• Intentional or unintentional
Identifying Vulnerabilities
Derive from:
• Technical Weaknesses
• Business Processes
• Unmonitored Procedures
• Lack of Staff Awareness
• Outsourced Services
Approaches include:
• Audits
• Security Reviews
• Vulnerability Scans
• Penetration Tests

Threat Model Methods

Methods can be combined to create a robust view of potential threats; any single method may not be comprehensive, may be abstract or people-centric, or may focus on risk or privacy concerns.

STRIDE (Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, Elevation of privilege)
• Helps identify relevant mitigating techniques
• Most mature
• Easy to use but time consuming

PASTA (Process for Attack Simulation and Threat Analysis)
• Helps identify relevant mitigating techniques
• Directly contributes to risk management
• Encourages collaboration among stakeholders
• Contains built-in prioritization of threat mitigation
• Laborious, but has rich documentation

LINDDUN (Linkability, Identifiability, Nonrepudiation, Detectability, Disclosure of information, Unawareness, Noncompliance)
• Helps identify relevant mitigating techniques
• Contains built-in prioritization of threat mitigation
• Can be labor intensive and time consuming

Attack Trees
• Helps identify relevant mitigating techniques
• Has consistent results when repeated
• Easy to use if a thorough understanding of the system is already in place
Risk Assessment Process

Risk assessment comprises:
• Risk Identification
• Risk Analysis
• Risk Evaluation

Risk Assessment and Analysis Methodologies

• COBIT
• OCTAVE®
• NIST 800-39
• HB 158-2010
• ISO 27005:2022
• ISO/IEC 31000
• ITIL®
• CRAMM
• FAIR
• HARM
• VAR
Using Risk Analysis Methods

• Vary in detail, purpose and required protection level.
• Type performed should be consistent with criteria developed:
– Gap Analysis
– Qualitative Analysis
– Semi-Quantitative (Hybrid) Analysis
– Quantitative Analysis
– Annual Loss Expectancy
– Value at Risk

Other Analysis Methods
• Bayesian Analysis
• Bow Tie Analysis
• Delphi Method
• Event Tree Analysis
• Fault Tree Analysis
• Markov Analysis
• Monte-Carlo Analysis
Qualitative Risk Assessment
• For a given scope of assets, identify:
– Vulnerabilities
– Threats
– Threat probability (Low / medium / high)
– Impact (Low / medium / high)
– Countermeasures

Example of Qualitative Risk Assessment

Threat             Impact   Initial Probability   Countermeasure                    Residual Probability
Flood damage       H        L                     Water alarms                      L
Theft              H        L                     Key cards, surveillance, guards   L
Logical intrusion  H        M                     Intrusion prevention system       L
Quantitative Risk Assessment
• Extension of a qualitative risk assessment. Metrics for each risk are:
– Asset value: replacement cost and/or income derived through the use of an asset
– Exposure Factor (EF): portion of asset's value lost through a threat (also called impact)
– Single Loss Expectancy (SLE) = Asset ($) x EF (%)
– Annualized Rate of Occurrence (ARO): probability of loss in a year, %
– Annual Loss Expectancy (ALE) = SLE x ARO
Example of Quantitative Risk Assessment
• Theft of a laptop computer, with the data encrypted
• Asset value: $4,000
• Exposure factor: 100%
• SLE = $4,000 x 100% = $4,000
• ARO = 10% chance of theft in a year
• ALE = 10% x $4,000 = $400

Example of Quantitative Risk Assessment
• Dropping a laptop computer and breaking the screen
• Asset value: $4,000
• Exposure factor: 50%
• SLE = $4,000 x 50% = $2,000
• ARO = 25% chance of the drop occurring in a year
• ALE = 25% x $2,000 = $500
Quantifying Countermeasures
• Goal: reduction of ALE
(or the qualitative losses)
• Impact of countermeasures:
– Cost of countermeasure
– Changes in Exposure Factor (EF)
– Changes in Single Loss Expectancy (SLE)
– Benefit of countermeasure
• Always cost/benefit analysis when
selecting countermeasures
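Added example (not part of the course slides): the SLE/ALE arithmetic from the two laptop examples above and the countermeasure cost/benefit comparison from this slide, in Python. The rugged case, its $40 annual cost and the reduced exposure factor are constructed values for illustration, not figures from the deck.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One quantified risk scenario: asset value (AV), exposure factor (EF), ARO."""
    name: str
    asset_value: float      # replacement cost and/or income derived from the asset, in $
    exposure_factor: float  # fraction of the asset's value lost per occurrence (0.0-1.0)
    aro: float              # annualized rate of occurrence (probability of loss per year)

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


def countermeasure_net_benefit(before: Risk, after: Risk, annual_cost: float) -> float:
    """Cost/benefit of a control: ALE reduction minus the control's yearly cost.

    Positive means the control pays for itself; negative means the organization
    would spend more on the control than it expects to lose without it.
    """
    return before.ale() - after.ale() - annual_cost


# The two scenarios from the slides: a $4,000 laptop, stolen (EF 100%, ARO 10%)
# or dropped with a broken screen (EF 50%, ARO 25%).
LAPTOP_THEFT = Risk("Theft of encrypted laptop", 4_000, 1.0, 0.10)      # ALE $400
LAPTOP_DROP = Risk("Dropped laptop, broken screen", 4_000, 0.50, 0.25)  # ALE $500

# Constructed countermeasure (not from the deck): a rugged case costing $40/year,
# assumed to cut the exposure factor of a drop from 50% to 10%.
RUGGED_CASE_COST = 40.0
LAPTOP_DROP_WITH_CASE = Risk("Dropped laptop, rugged case", 4_000, 0.10, 0.25)  # ALE $100


if __name__ == "__main__":
    for r in (LAPTOP_THEFT, LAPTOP_DROP):
        print(f"{r.name}: SLE=${r.sle():,.0f} ALE=${r.ale():,.0f}")
    net = countermeasure_net_benefit(LAPTOP_DROP, LAPTOP_DROP_WITH_CASE, RUGGED_CASE_COST)
    print(f"Rugged case net annual benefit: ${net:,.0f}")  # $500 - $100 - $40 = $360
```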

Determining Risk Capacity and Risk Appetite
• Risk Capacity: Objective amount of loss an enterprise can tolerate without its continued existence being called into question.
• Risk Appetite: Amount of risk an enterprise is willing to accept in pursuit of its mission.
• Risk Acceptance: Should not exceed the risk appetite of the enterprise, and must not exceed the risk capacity. Deviations from the risk appetite are not desirable but may be tolerated while they remain sufficiently below the risk capacity.
Risk Treatment/Response
• One or more outcomes from a
risk assessment
– Risk Acceptance
• “yeah, we can live with that”
– Risk Avoidance/termination
• Discontinue the risk-related activity -- the most extreme form of
risk treatment
– Risk Reduction (also called Risk Mitigation)
• Using countermeasures such as firewalls, IDS systems, etc., to
reduce risks
– Risk Transfer/Share
• Buy insurance

Residual Risk
• After risk treatment, some risk remains
• Risk can never be eliminated entirely
• The remaining risk is called Residual
Risk

Security Management Concepts

ISO 27001
• Standard for Information Security
Management System
• Plan-Do-Check-Act cycle
– Plan = define requirements, assess risks, decide
which controls are applicable
– Do = implement and operate the ISMS
– Check = monitor and review the ISMS
– Act = maintain and continuously improve the ISMS
• Documents and records are required

Security Controls
• Detective (records events)
• Deterrent (scares evil-doers away)
• Preventive (stops attacks)
• Corrective (after an attack, prevents another
attack)
• Recovery (after an attack, restores operations)
• Compensating (substitutes for some other
control that is inadequate)

Service Level Agreements
• SLAs define a formal level of service
• SLAs for security activities
– Security incident response
– Security alert / advisory delivery
– Security investigation
– Policy and procedure review

Secure Outsourcing
• Outsourcing risks
– Control of confidential information
– Loss of control of business activities
– Accountability – the organization that outsources
activities is still accountable for their activities and
outcomes

Data Classification and Protection
• Components of a classification and
protection program
– Sensitivity levels
• “confidential”, “restricted”, “secret”, etc.
– Criticality levels (importance)
– Marking procedures
• How to indicate sensitivity on various forms of information
– Access procedures
– Handling procedures
• E-mailing, faxing, mailing, printing, transmitting, destruction

Certification and Accreditation
• Two-step process for the formal evaluation and approval for use of a system
– Certification is the process of evaluating a system against a set of formal standards, policies, or specifications.
– Accreditation is the formal approval for the use of a certified system, for a defined period of time (and possibly other conditions).
Internal Audit
• Evaluation of security controls and
policies to measure their effectiveness
– Performed by internal staff
– Objectivity is of vital importance
– Formal methodology
– Required by some regulations, laws and external
standards

Security Education, Training, and Awareness
• Training on security policy, guidelines,
standards
• Upon hire and periodically thereafter
• Various types of messaging
– E-mail, intranet, posters, flyers, trinkets,
training classes
• Testing – to measure employee
knowledge of policy and practices
