CISSP - Domain 1 - Security Risk Management

This document discusses security risk management and outlines some key concepts. It introduces goals of security like confidentiality, integrity, availability and non-repudiation. It also summarizes types of controls like administrative, technical and physical controls and the importance of a computer incident response team. Finally, it mentions security strategies, frameworks and a top-down management approach to security.

Uploaded by Jerry Shen
Copyright: All Rights Reserved

Domain 1

Security Risk Management


Subramaniam Sankaran
CISSP, CEH, CCSK, ISO27001 LA, ITIL
CSSLP, Prince 2

CISSP – Domain1 - SRM - Subramaniam


1
Sankaran
Note
• This presentation has been prepared by
Subramaniam Sankaran, for his CISSP program
delivery.
• Please do share this material as required.
• You can reach him on
[email protected]

Goals
• Confidentiality
• Integrity
• Availability
• Non repudiation

Confidentiality
• Supports the principle of least privilege.
• ‘Identity theft’ is the act of assuming another person’s
identity through knowledge of confidential
information obtained from various sources.
• Data classification ensures confidentiality.
• Identification, authentication, authorization
and encryption ensure confidentiality.

Integrity
• Integrity is the principle that information
should be protected from intentional,
unauthorized, or accidental changes.

Availability
• Availability is the principle that ensures that
information is available and accessible to users
when needed.
• Attacks on availability
– Denial of Service
– Lack of service due to disaster

Governance

Definition
• “the responsibility of the board of directors
and executive management. It is an integral
part of enterprise governance and consists of
the leadership and organizational structures
and processes that ensure that the
organization’s IT sustains and extends the
organization’s strategies and objectives.”

Control categories
• Administrative
• Physical
• Technical

Administrative Controls
• Best defense against social engineering.
• Standards, policies, procedures and guidelines.
• Employee screening before onboarding.
• Change control procedures.
• Risk analysis.
• Security training – the most important.

Technical controls
• Devices, processes, protocols and other
measures that protect C.I.A.
• They govern authentication, authorization,
auditing and non-repudiation technically.
• Examples are antivirus, firewalls, IDPS devices
etc.

Physical Control
• Ensures no individual has unauthorized access
into protected chambers, departments, ODCs
or offices.
• Electrified fencing, high walls, deterrent
hedges etc.
• Access control mechanisms using proximity
cards, security personnel etc.

Computer Incident Response Team
CIRT
• CIRTs are groups of individuals with the
necessary skills, including management,
technical staff, infrastructure, and
communications staff, for evaluating the
incident, evaluating the damage caused by an
incident, and providing the correct response
to repair the system and collect evidence for
potential prosecution or sanctions.

Information Security Strategies
• Strategic
– Strategic plans are aligned with the strategic business and
information technology goals.
– These plans have a longer-term horizon (three to five years or
more) to guide the long term view of the security activities.
• Tactical
– Tactical plans provide the broad initiatives to support and achieve
the goals specified in the strategic plan.
• Operational
– Specific plans with milestones, dates, and accountabilities provide
the communication and direction to ensure that the individual
projects are completed.
Oversight Committee
• Representation from multiple OUs
• Representatives from Middle Management

Security Council Vision Statement
• A clear security vision statement should exist
that is in alignment with, and supports, the
organizational vision.
• Derived from CIA
• Non Technical
• High Level
• Reviewed Annually

Mission Statement
• Mission statements are objectives that
support the overall vision.
• These become the road map to achieving the
vision and help the council clearly view the
purpose for its involvement.
• Reviewed Annually

Security Program Oversight
• Decide on project Initiatives
• Prioritise Information Security Efforts
• Review and Recommend Security Policies
• Review and Audit Information Security
Program
• Champion Organizational Security efforts
• Recommend Areas requiring investment.

User Roles
• End user
• Executive Management
• Information Systems Security Professional
• Data/Information/Business Owner
• Data/Information Custodian/Steward
• Information Security Auditor
• Business Continuity Planner
• IT Professionals
• Security Administrators
• Network Administrator
• Physical Security
• Administrative Assistants
• Service Desk Administrator

Control Frameworks
• Standardized
• Consistent
• Measurable
• Modular
• Comprehensive

Top Down approach
• The initiative must come from senior
management.
• The program must be tracked and measured.
• It must cover everyone in the organization, from
new joiner to the topmost person at management
level.
• The seriousness must come from the top.

Security Definition
• Vulnerability
– Weakness in software, hardware and/or procedure that may
give an attacker unauthorized access to a computer or
network and to the resources in the environment.
• Threat and Threat Agent
– A threat is a potential danger to an information system, and a
threat agent is the attacker, which could be an individual, a natural
calamity or a program.
• Risk
– Likelihood of being targeted for a given attack.

Security Definitions
• Exposure
– Instance of being exposed to loss from a threat
agent.
• Countermeasure
– Compensating control in place to mitigate current
risk.

Other Principles
• Non Repudiation
• Principles of least privileges
• Need to know

Other controls
• Mandatory Vacation
• Job Separation or Segregation of duties.
• Job Rotation
• Dual Control
• Split Knowledge
• Defence in depth

Governance
• Interlocking
• Due Diligence (Due care)
• Auditing
• Compliance

Aspects of Security Governance
• Security Governance
• Third Party Governance
• Document Review

Governance
COBIT
• Meeting the stakeholder needs
• Covering the enterprise end to end
• Applying single integrated framework
• Enabling holistic approach
• Separating governance from management

Computer Crimes
• Computer Targeted
• Computer Assisted
• Computer is Incidental

Evidence Types
• Real Evidence
• Direct Evidence
• Circumstantial Evidence
• Hearsay Evidence

Laws
• Civil
• Common
• Criminal
• Tort

IPR
• Patent
• Trademark
• Copyright
• Trade secret
• Licensing
– Freeware
– Shareware
– Commercial
– Academics
Never underestimate your opponent!
Security through Obscurity!

Enterprise Security Architecture

Notes
• Subset of enterprise architecture.
• Must align itself to the benefit of the organization.
• A comprehensive architecture covering
every aspect of security in the organization.
• Must have
– Operational Goals – daily operations
– Tactical Goals – mid term
– Strategic Goals – long term

Roles and Responsibilities
• CEO
• CTO
• COO
• CISO (Chief Information Security Officer)

CISO
• Develop and provide the security awareness
program.
• Reporting to higher management and managing
documentation (policies, procedures, baselines
and standards).
• Audit readiness.
• Must report to the highest level in the org chart, i.e.
the CEO.
Why do we need to secure?
• Information Protection
• Regulations

Security Controls
• Directive – administrative
• Deterrent – discourage, e.g. walls
• Preventive – avoidance, e.g. user IDs
• Corrective – aftermath, e.g. auditing
• Recovery – bring back to original state
• Detective – investigative
• Compensating – alternative

Security is always a supporting service!?!

Information Risk Management

Risk Assessment Process Flow

Risk Management
• Process of identifying the risk.
• Mitigating the risk to an acceptable level.
• Maintaining that level with the right mechanisms.

Layers of Risk
• People
• Software/Application/data
• Physical/Hardware

IRM Policy
• Must be in line with the organizational risk policy.
• Must be supported by top management, with
well documented policies, and dedicated IRM
team.

Information Risk assessment
• It is the first and fundamental tool to
identify risks, threats and the impact due to them.
• The output of the risk assessment is analyzed
(risk analysis) and leads to risk prioritization
and mitigation plans.
• Risk analysis determines which risks to address
first, in a manner that is relevant, quick and cost
effective.

Approach
• First step is to define the scope of the devices, threats and
vulnerabilities.
• Senior management to approve this list before assessment.
• Must be in line with business strategy and objectives.
• Risk analysis team must be a mix of departments.
• Value the information and assets.
– To buy
– To maintain
– To replace
– Loss due to unavailability
– Value of asset to owner, user and adversaries.
– Organizational impact in absence of asset.

Possible vulnerabilities
• Intricacies of software development.
• Improper authentication.
• Unmonitored and uncontrolled network
traffic.
• Software without proper updates.
• Etc.

Identification of vulnerabilities
• Brain storming sessions
• Interviews
• Experience
• External consultant
• Industry specific
• etc

Loss factors to be considered
• Loss potential is the immediate loss due to the
non-availability of an asset.
• Delayed loss is the impact that is carried
over because the asset was taken offline.

Risk Analysis
• Identify assets and their value to organization.
• Identify vulnerabilities and threats.
• Measure the impact and probability
• Arrive at value of counter measure to mitigate
the risk.

Risk Assessment Methodologies
• NIST SP 800-30 – Risk Management Guide for
Information Technology Systems.
– Deals with IT.
– Does not consider non-IT threats.
• FRAP – Facilitated Risk Analysis Process.
– Team formation with IT and non-IT folks.
– Brainstorming.
– Limited-budget methodology.
– Works on parts of the whole process at a time.
– Dependent on the experience of FRAP team members.
Contd. (organization wide)
• OCTAVE – Operationally Critical Threat, Asset,
and Vulnerability Evaluation.
– SEI
– Individuals make the decision on how to secure.
– Individuals undergo rounds of training
to make those decisions.
– Wider scope compared to FRAP.
• ISO/IEC 27005 – Covers security related
documentation as well.
Failure mode effect analysis
(FMEA)
• Steps
– Identify functions.
– Identify functional failures.
– Assess the cause of the functional failure.
– Trace the effect of the failure through the structured process.
• Identify single points of failure that disrupt the network
as a whole.
• Initially developed by reliability engineers in the early 1950s
and widely used for IT risk analysis.
• Sometimes called FMECA to include criticality.
FMEA types
• System FMEA: Used to analyze complete
systems and/or sub-systems during the
concept or design stage.
• Design FMEA: Used to analyze a product
design before it is released to manufacturing.
• Process FMEA: Used to analyze a
manufacturing and/or assembly process.

Steps for creating FMEA
1. List the key process steps in the first column.
2. List the potential failure mode for each process step.
3. List the effects of this failure mode.
4. Rate how severe this effect is with 1 being not severe at all and 10 being
extremely severe.
5. Identify the causes of the failure mode/effect
6. Identify the controls in place to detect the issue and rank
7. Multiply the severity, occurrence, and detection numbers and store this
value
8. Sort by value and identify most critical issues.
9. Assign specific actions with responsible persons
10. Once actions have been completed, re-score the occurrence and detection.
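The ten steps above amount to a small worksheet calculation. The Python below is an added example, not part of the original deck: it validates the 1..10 scores, computes the Risk Priority Number of step 7 (severity × occurrence × detection), sorts the rows by it (step 8) and re-scores a row once its action is complete (step 10). The process steps, failure modes, owners and scores in SAMPLE_ROWS are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import List


@dataclass(frozen=True)
class FmeaRow:
    """One worksheet line: steps 1-6 and 9 of the procedure."""
    process_step: str
    failure_mode: str
    effect: str
    severity: int      # 1 = not severe at all .. 10 = extremely severe
    cause: str
    occurrence: int    # 1 = very unlikely .. 10 = almost certain
    control: str
    detection: int     # 1 = control will surely catch it .. 10 = no way to detect
    owner: str = ""    # responsible person for the assigned action (step 9)
    action: str = ""

    def rpn(self) -> int:
        """Step 7: Risk Priority Number = severity * occurrence * detection."""
        for name, score in (("severity", self.severity),
                            ("occurrence", self.occurrence),
                            ("detection", self.detection)):
            if not 1 <= score <= 10:
                raise ValueError(f"{name} must be 1..10, got {score}")
        return self.severity * self.occurrence * self.detection


def rank_by_rpn(rows: List[FmeaRow]) -> List[FmeaRow]:
    """Step 8: sort so the most critical issues come first."""
    return sorted(rows, key=lambda r: r.rpn(), reverse=True)


def rescore(row: FmeaRow, occurrence: int, detection: int) -> FmeaRow:
    """Step 10: after the action is done, re-score occurrence and detection.
    Severity describes the effect itself, which the action does not change."""
    return replace(row, occurrence=occurrence, detection=detection)


# Constructed sample worksheet (hypothetical process steps and scores).
SAMPLE_ROWS = [
    FmeaRow("Nightly backup job", "Backup silently fails", "Data lost beyond RPO",
            severity=9, cause="Backup service credential expires", occurrence=4,
            control="None: job exit code is not monitored", detection=8,
            owner="Storage team", action="Alert on non-zero exit code"),
    FmeaRow("User onboarding", "Account placed in wrong group", "Excess privilege",
            severity=6, cause="Manual ticket handling", occurrence=5,
            control="Quarterly access review", detection=6),
    FmeaRow("Patch deployment", "Patch breaks a service", "Unplanned outage",
            severity=7, cause="No staging test", occurrence=3,
            control="Service monitoring alerts within minutes", detection=2),
]


def worksheet(rows: List[FmeaRow] = SAMPLE_ROWS) -> List[tuple]:
    """(process_step, failure_mode, RPN) tuples, most critical first."""
    return [(r.process_step, r.failure_mode, r.rpn()) for r in rank_by_rpn(rows)]


if __name__ == "__main__":
    for step, mode, rpn in worksheet():
        print(f"{rpn:4d}  {step}: {mode}")
    fixed = rescore(SAMPLE_ROWS[0], occurrence=2, detection=3)
    print("backup row after the monitoring action:", fixed.rpn())
```

The backup row scores highest (288) not because the failure is frequent but because nothing detects it; after the monitoring action its detection score drops and the RPN falls to 54, which is the re-scoring step 10 describes.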

Identifying root cause
Fault Tree Analysis
• A top-level failure event is assumed and its possible
causes are derived.
• Each cause is then discussed and the steps to
mitigate the risk with controls in place are
arrived at.
• Each input can be analyzed with many
possible values, as in the case of validations.
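As an added example (not from the deck), the fault tree below is evaluated in Python under the usual assumption of independent basic events: an AND gate multiplies its inputs' probabilities, an OR gate occurs when any input occurs. The tree, its event names and the per-year probabilities are constructed. The ranking function does the "steps to mitigate" discussion numerically by zeroing each cause in turn and reporting the remaining top-event probability, so the cause whose removal helps most appears first.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Union


@dataclass(frozen=True)
class BasicEvent:
    """A leaf cause with its estimated probability over the analysis period."""
    name: str
    probability: float


@dataclass(frozen=True)
class Gate:
    """Intermediate or top event: occurs if ALL inputs (AND) or ANY input (OR) occur."""
    name: str
    kind: str        # "AND" or "OR"
    inputs: tuple    # BasicEvent or Gate instances


Node = Union[BasicEvent, Gate]


def probability(node: Node, override: Optional[Dict[str, float]] = None) -> float:
    """Probability of `node`, assuming independent basic events.
    `override` maps a leaf name to a replacement probability for what-if analysis."""
    override = override or {}
    if isinstance(node, BasicEvent):
        p = override.get(node.name, node.probability)
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{node.name}: probability {p} outside 0..1")
        return p
    ps = [probability(child, override) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.kind == "OR":
        none_occur = 1.0           # P(no input occurs) = product of (1 - p)
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def leaves(node: Node) -> List[BasicEvent]:
    if isinstance(node, BasicEvent):
        return [node]
    out: List[BasicEvent] = []
    for child in node.inputs:
        out.extend(leaves(child))
    return out


def mitigation_ranking(top: Gate) -> List[tuple]:
    """For each cause, the top-event probability if a control eliminated that cause.
    Lowest remaining probability first: that cause is the one worth mitigating first."""
    ranking = [(leaf.name, probability(top, {leaf.name: 0.0})) for leaf in leaves(top)]
    return sorted(ranking, key=lambda item: item[1])


# Constructed example tree (hypothetical causes and per-year probabilities).
TOP = Gate("Customer records exposed", "OR", (
    Gate("Database compromised", "AND", (
        BasicEvent("database host unpatched", 0.10),
        BasicEvent("default admin credential left in place", 0.30),
    )),
    BasicEvent("backup media lost in transit", 0.01),
))

if __name__ == "__main__":
    print(f"P(top event) = {probability(TOP):.4f}")
    for name, remaining in mitigation_ranking(TOP):
        print(f"  remove '{name}': P = {remaining:.4f}")
```

Because the database branch is an AND gate, removing either of its two causes collapses the whole branch, which is why both rank ahead of the lost-media cause even though each has a higher individual probability.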

Approaches to Risk Analysis
• Qualitative – interviews, opinion polls,
scenario-based discussions, RAG report.
• Quantitative – numerical figures, i.e. value of
loss.

Quantitative Analysis
• Single Loss Expectancy
– Expected monetary loss every time the risk occurs.
– SLE = Asset Value (AV) * Exposure Factor (EF)
– EF is the portion of the asset value likely to be destroyed by a
risk, expressed as a percentage.
• Annual Loss Expectancy
– Monetary loss that can be expected for an asset due to the
risk over a one-year period.
– ALE = SLE * Annualized Rate of Occurrence (ARO)
– Used in cost-benefit analysis.
Output of Quantitative analysis
• Asset values
• Possible and significant threats
• Probability of occurrence
• Loss potential annualized
• Recommended controls

Qualitative Analysis
• Risk analysis through storyboarding,
brainstorming, interviews, surveys etc.
• Relative values are used rather than absolute ones.
• This is a subjective approach and hence error
prone.

Which one to choose?
• In practice a combination of qualitative
and quantitative techniques is used.

Selection of controls
• It is dependent on the value of the safeguard to the
company.
• Value of SG = ALE without SG – ALE with SG –
Annual cost of SG.
• The cost of the SG is not only the product cost, but also
maintenance, training to use it, the cost of
support staff to maintain it, etc.

Risk Types
• Total Risk = Risk without SG
Threat * Vulnerability * AssetValue = Total Risk
• Residual Risk = Risk with SG (because of gaps
in control)
Total Risk * Control Gaps = Residual Risk
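The formulas of the Quantitative Analysis, Selection of controls and Risk Types slides chain together: SLE and ALE price a risk, the safeguard value compares that price with and without a control, and total versus residual risk describes what the control leaves behind. The Python below is an added example, not the deck's own material; it implements the three slides' formulas with range checks on the percentages and runs them over a constructed scenario (a hypothetical file server, exposure factor, ARO and two candidate safeguards whose figures are made up for the example).

```python
from dataclasses import dataclass
from typing import List, Optional


def _check_fraction(name: str, value: float) -> None:
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be between 0 and 1, got {value}")


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: SLE = AV * EF, with EF as a fraction (0.4 = 40%)."""
    _check_fraction("exposure factor", exposure_factor)
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annual Loss Expectancy: ALE = SLE * ARO.
    ARO above 1 means several occurrences a year; 0.1 means roughly once in ten years."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(asset_value, exposure_factor) * aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float                # product + maintenance + training + support staff
    aro_after: float                  # ARO once the safeguard is in place
    ef_after: Optional[float] = None  # EF once in place; None = unchanged


def safeguard_value(asset_value: float, ef: float, aro: float, sg: Safeguard) -> float:
    """Value of SG = ALE without SG - ALE with SG - annual cost of SG."""
    ef_after = ef if sg.ef_after is None else sg.ef_after
    return ale(asset_value, ef, aro) - ale(asset_value, ef_after, sg.aro_after) - sg.annual_cost


def choose_safeguard(asset_value: float, ef: float, aro: float,
                     candidates: List[Safeguard]) -> Optional[Safeguard]:
    """The candidate with the highest positive value, or None when no candidate pays
    for itself (then accepting or transferring the risk is the remaining option)."""
    value, best = max(((safeguard_value(asset_value, ef, aro, sg), sg) for sg in candidates),
                      key=lambda item: item[0])
    return best if value > 0 else None


def total_risk(threat: float, vulnerability: float, asset_value: float) -> float:
    """Total Risk = Threat * Vulnerability * Asset Value (risk without a safeguard),
    with threat and vulnerability expressed as 0..1 likelihoods."""
    _check_fraction("threat", threat)
    _check_fraction("vulnerability", vulnerability)
    return threat * vulnerability * asset_value


def residual_risk(total: float, control_gap: float) -> float:
    """Residual Risk = Total Risk * Control Gaps, the gap being the fraction of the
    risk that the safeguard does not cover."""
    _check_fraction("control gap", control_gap)
    return total * control_gap


# Constructed scenario: a file server valued at 500,000, hit by a destructive incident.
ASSET_VALUE = 500_000.0
EF = 0.40    # 40% of the asset's value destroyed per incident
ARO = 0.10   # roughly once every ten years
CANDIDATES = [
    Safeguard("offline backups", annual_cost=5_000, aro_after=0.10, ef_after=0.05),
    Safeguard("premium endpoint suite", annual_cost=30_000, aro_after=0.02),
]

if __name__ == "__main__":
    print(f"SLE = {sle(ASSET_VALUE, EF):,.0f}   ALE = {ale(ASSET_VALUE, EF, ARO):,.0f}")
    for sg in CANDIDATES:
        print(f"value of {sg.name}: {safeguard_value(ASSET_VALUE, EF, ARO, sg):,.0f}")
    chosen = choose_safeguard(ASSET_VALUE, EF, ARO, CANDIDATES)
    print("selected:", chosen.name if chosen else "none pays for itself")
    print("residual risk:", residual_risk(total_risk(0.3, 0.5, ASSET_VALUE), 0.2))
```

Note that the endpoint suite reduces the ALE more than the backups do, yet its value is negative because its annual cost exceeds the loss it prevents; the formula on the slide is exactly what exposes that.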

Risk Handling
• Transfer
• Mitigate
• Avoid
• Accept

Threat Modelling
• Determine Scope and Objective
• Determine Threats
• Determine Vulnerabilities
• Outline Potential Attacks
• Perform Risk Reduction Analysis
• Create Mitigation Plans

STRIDE
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privilege

Privacy
• OECD
– Consent of the subject before data collection.
– Personal data should be relevant to the purpose for which it is used.
– The purpose of data collection must be specified no later
than the time of collection of the data.
– Personal data must not be disclosed or used for another
purpose without the consent of the subject or by law.
– Data thus collected must be secured.
– Security policies and practices (P&P) must be disclosed to the subject.

Definitions
• Incident – A security event that compromises
the integrity, confidentiality, or availability of
an information asset.
• Breach – An incident that results in the
disclosure or potential exposure of data.
• Data Disclosure – A breach for which it was
confirmed that data was actually disclosed
(not just exposed) to an unauthorized party.

DR
&
BCP

DR and BCP
• Disaster Recovery planning
• Business Continuity planning

Steps
• Project Scope and Planning
• BIA
• Continuity Planning
• Approval and Implementation

Business Continuity Management
• Compilation of processes that identifies and evaluates potential risks to
an organization and develops resilience by ensuring critical objectives are
met and resources are available for this purpose.
• Business Continuity Management can best be described as dealing with a
sequence of events that can be put into place when something goes
wrong.
• The procedures that are put into place are set against each risk and should
be planned beforehand and if necessary practiced to see if they work.
• The BCP should be reviewed annually to ensure that the organization is
prepared for any new risks that have materialized, possibly due to Political,
Economic, Sociological, Technological, Legal and Environmental (PESTLE)
events.
• Addresses Availability, Reliability and Recoverability.

Business Continuity planning
• Benefits
– Provide an immediate and appropriate response to
emergency situations
– Protect lives and ensure safety
– Reduce business impact
– Resume critical business functions
– Work with outside vendors and partners during the recovery
period
– Reduce confusion during a crisis
– Ensure survivability of the business
– Get “up and running” quickly after a disaster
Steps to roll out BCP
• Develop business continuity planning policy
statement.
• Conduct BIA
• Identify preventive controls
• Develop recovery strategy
• Develop contingency plan
• Test the plan and conduct training and exercise.
• Maintain the plan
Prerequisite
• Understand the organization, the business and the
risk.
• Use methods like the Zachman enterprise
framework to arrive at the critical
functions, and then at how to rebuild them
or supplement them in case of failure.
• The BCP program must always be kept live through regular
reviews and change management policies.
• Must be endorsed by top management.
BCP Project
• Initiation
– A BCP coordinator needs to be identified, with the authority to
define roles and responsibilities (R&R) for committee members.
– The BCP committee must be formed with members from technical,
functional, business, legal and senior management.
– Decide on budget.
– Kick off by senior management.
– Creating awareness among employees.
– Establishing skills training for BCP support.
– Data collection.
– Milestone indication.
BCP Project
• Scope
– Understand focus and direction.
– Facilities to be considered.
– Brain storming session
– Scope could be fragmented to have a clarified and
realistic picture.
– In larger organizations, having BCP for
organizational unit is more helpful.

BCP Project
• Policy
– Framework and governance for BCP efforts.
– It must refer to any existing old policy or best
industry practice

BCP Project
• Roll out of policy
– Document components of the policy
– Analyze the impact of policy to organizational policies, legislation,
regulatory and standards.
– Refer to good practices.
– Perform GAP analysis and way forward
– Draft policy and submit for review to different departments.
– Revise the policy to include feedback.
– Submit to top management for approval
– Publish the approved policy document.
– The policy document must be version controlled.
– Review at regular intervals and modify the policy in line with business
requirements.
BCP Project
• Project management team
– A team must be formed to execute the BCP
– Team might not be dedicated and hence it must be
well understood at the outset.
– SWOT Analysis must be made before the start.
– WBS must be put in place to identify resources, their
responsibilities, start and end dates for tasks,
sequence of tasks, milestones and complete project
completion.

Business Impact Analysis
• Functional Analysis
• Data collection through interviews and
documentary sources
• Documents business functions, activities and
transaction
• Develop hierarchy of business functions.
• Arrive at criticality level for every function.

BIA - Risk Assessment
• Must consider organizational tolerance to
continuity risk.
• Must identify
– vulnerabilities of organizational time sensitive resources
and activities.
– Threats and hazards
– Measure the potential loss due to disruption of any of
these time sensitive resources and activities.
– Single point of failures
– Continuity risks
BIA Risk Assessment evaluation
• Identifying and documenting single point of
failure (as we already saw)
• Prioritize the risk already identified based on
their impact.
• Develop strategy, action and plan for
addressing the risk.
• Document accepted and avoided risks.

Recovery Phase
• RTO – Recovery Time Objective. This is within the MTD.
• The recovery time objective (RTO) is the duration of time and a service level
within which a business process must be restored after a disaster (or
disruption) in order to avoid unacceptable consequences associated with a
break in business continuity.
• It can include the time for trying to fix the problem without a recovery, the
recovery itself, testing, and the communication to the users.
• WRT (Work Recovery Time) – the remainder of the overall MTD. RTO gets the system
back to running and WRT is required to restore data, test and make it live.
• RPO (Recovery Point Objective) – the maximum tolerable period in which
data might be lost from an IT service due to a major incident. If it is 3 hours,
there must be funds coming in to put measures in place that ensure the RPO is 3
hours.
• RTO is the amount of time it takes to recover from a disaster event, and the
RPO is the amount of data, measured in time, that you can lose from that same
event.
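Checking that a process's figures are mutually consistent (RTO within MTD, RTO plus WRT still within MTD, and a backup interval no longer than the RPO) is the review a BCP coordinator performs on BIA output before funding measures. The Python below is an added example, not from the deck; the three processes, their objectives and backup intervals are constructed for the example, and the backup_interval field is an assumption standing in for whatever data-capture mechanism a site actually uses.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, List


@dataclass(frozen=True)
class RecoveryObjectives:
    """BIA figures for one business process (all values are durations)."""
    process: str
    mtd: timedelta              # maximum tolerable downtime
    rto: timedelta              # time to get the system running again
    wrt: timedelta              # work recovery time: restore data, test, go live
    rpo: timedelta              # maximum tolerable data loss, measured in time
    backup_interval: timedelta  # how often data is actually captured today (assumed)


def check_objectives(o: RecoveryObjectives) -> List[str]:
    """Inconsistencies between the objectives and what the plan can deliver.
    An empty list means the figures are mutually consistent."""
    for name, value in (("MTD", o.mtd), ("RTO", o.rto), ("WRT", o.wrt),
                        ("RPO", o.rpo), ("backup interval", o.backup_interval)):
        if value < timedelta(0):
            raise ValueError(f"{name} cannot be negative")
    findings = []
    if o.rto > o.mtd:
        findings.append(f"RTO ({o.rto}) exceeds MTD ({o.mtd})")
    elif o.rto + o.wrt > o.mtd:
        # RTO alone fits, but system recovery plus data restoration overruns the MTD
        findings.append(f"RTO + WRT ({o.rto + o.wrt}) exceeds MTD ({o.mtd})")
    if o.backup_interval > o.rpo:
        # worst case: the incident strikes just before the next backup runs
        findings.append(f"backup interval ({o.backup_interval}) exceeds RPO ({o.rpo}): "
                        f"up to {o.backup_interval} of data could be lost")
    return findings


def audit(processes: List[RecoveryObjectives]) -> Dict[str, List[str]]:
    """Findings per process; consistent processes appear with an empty list."""
    return {p.process: check_objectives(p) for p in processes}


# Constructed sample BIA output (hypothetical processes and figures).
SAMPLE = [
    RecoveryObjectives("Payroll", mtd=timedelta(hours=24), rto=timedelta(hours=8),
                       wrt=timedelta(hours=12), rpo=timedelta(hours=3),
                       backup_interval=timedelta(hours=24)),
    RecoveryObjectives("Customer portal", mtd=timedelta(hours=4), rto=timedelta(hours=3),
                       wrt=timedelta(hours=2), rpo=timedelta(hours=1),
                       backup_interval=timedelta(minutes=15)),
    RecoveryObjectives("Warehouse scheduling", mtd=timedelta(hours=48), rto=timedelta(hours=12),
                       wrt=timedelta(hours=24), rpo=timedelta(hours=12),
                       backup_interval=timedelta(hours=6)),
]

if __name__ == "__main__":
    for process, findings in audit(SAMPLE).items():
        print(process, "->", findings or "consistent")
```

The portal's RTO of 3 hours looks fine against a 4-hour MTD until the 2 hours of work recovery time are added, which is the point of the WRT definition above; the payroll finding is the RPO case, where a daily backup cannot honour a 3-hour objective however fast the restore is.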
Recovery Types

Business Process Recovery
• Understand the business.
• Breakdown business process into tasks
• Evaluate each task for business continuity.
• Understand, required roles and resources,
understand input and output mechanism,
workflow, time for completion of tasks, and
interfaces.

Facility recovery
• The disruption to facility can be
– Non disaster
– Disaster
– Catastrophe
• Alternatives for recovery
– Dedicated site to operate itself
– Lease a commercial facility
– Agreement with another facility

Facilities recovery
• Offsite facility types
– Hot site: replica of the primary.
– Warm site: hot site minus the data.
– Cold site: no systems, no data, no power, no users,
only the room.
– Tertiary site: backup to a backup.
– Reciprocal arrangements.
– Redundant site.
– Rolling hot site (truck).
Supply and Technology recovery
• Networks: the network plan must be reviewed regularly.
• Computers: hardware and software backups, using images for
installation, lead time for delivery of equipment after a disaster
(SLA), software escrow, and proper documentation.
• Human resources, the most valuable entity in the scenario: plan for
mishaps, retirements etc.
• Data: backup, storage area and cabinets, electronic vaulting,
remote journaling, disk mirroring, tape vaulting, synchronous and
asynchronous replication.
• HVAC
• Transportation
• Supplies (paper, water, forms, cabling etc.)

High Availability
• Redundancy must be in place to switch to
other site in case of disaster.
• Fault tolerance - database (roll back & commit
), TCP (ack) and RAID (parity)
• Failover – Based on heart beat

Insurance
• Business interruption insurance.
• Cyber insurance
• Must plan if the insurance must be bought for
a particular threat or what the coverage is
after discussion with management.

Recovery and restoration
• Multiple teams are responsible for recovery and
restoration.
• The restoration team is for BCP and the salvage team is for DR.
• Damage assessment must be performed immediately
after the disaster.
• Damage assessment is followed by the decision on
activation of the disaster recovery plan.
• The organization enters a recovery phase.
• Once the salvage team gets the original site ready and fit to
be made operational again, the reconstitution phase begins.
Implementing strategies
• The plan must be available at more than one
location, i.e. at the primary and the secondary site.
• The call tree must be printed on personal badges
and kept in wallets.

Testing and revising
• No implementation or rollout is complete,
perfect or near perfect without testing. The same applies to
security.
• Disaster recovery drills must be performed at least
once a year to ensure things are what we think they
are.
• Lessons learnt from these drills must be incorporated
into the DR plan to revise the existing plan.
• The exercise can be split into sections if complete testing
is not possible due to a dependent outage.
Types of testing
• Checklist test
• Structured Walk through
• Simulation test
• Parallel test (Onsite and Offsite)
• Full interruption test

Emergency Response
• People must be trained to act during emergencies.
• They must know the safe assembly area and the fire exits to use
during an emergency.
• A designated person from the group must guide people to
safety.
• Police, fire department, emergency rescue etc. must be
notified by designated personnel.
• Designated personnel must handle the press before rumors
spread.
• The company premises must be physically secured after a disaster, as
they are commonly targeted for vandalism.
Maintaining the plan
• Plan must be integrated with change
management process.
• Any infrastructure changes must ensure the
plan is updated accordingly
• Reorganization , business operations changes
must reflect in the plan.

Security Documentation

Security Policy
• Document that describes the organizational commitment
towards security and how the assets are protected.
• In line with business and legal requirements.
• Is a Configuration Item (CI).
• Must be easily understandable.
• Could be an organizational (master) policy, an issue-specific policy
(child) or a system-specific policy (child).
• Can be regulatory, advisory or informative.
• Organizational security policies are also called the
Enterprise Information Security Policy (EISP).
Example-password policy
• All system-level passwords (e.g., root, enable, NT admin, application
administration accounts, etc.) must be changed on at least a quarterly
basis.
• All production system-level passwords must be part of the InfoSec
administered global password management database.
• All user-level passwords (e.g., email, web, desktop computer, etc.) must be
changed at least every six months. The recommended change interval is
every four months.
• User accounts that have system-level privileges granted through group
memberships or programs such as "sudo" must have a unique password
from all other accounts held by that user.
• Passwords must not be inserted into email messages or other forms of
electronic communication.
• Where SNMP is used, the community strings must be defined as something
other than the standard defaults of "public," "private" and "system" and
must be different from the passwords used to log in interactively. A keyed
hash must be used where available (e.g., SNMPv2).
• All user-level and system-level passwords must conform to the guidelines.
Standards
• It is a thorough statement to mandate what
employees need to do to adhere to security
policy.
• Could be procedural specific or system specific.
• This is a next level to policy. If Policy says must
be protected, standard states what it must be
protected with.
• Examples, ISO27001, PCI DSS etc.

Example-Password protection standard
• Don’t reveal a password over the phone to ANYONE
• Don’t reveal a password in an email message
• Don’t reveal a password to the boss
• Don’t talk about a password in front of others
• Don’t hint at the format of a password (e.g., "my family
name")
• Don’t reveal a password on questionnaires or security
forms
• Don’t share a password with family members
• Don’t reveal a password to co-workers while on vacation
Baseline
• Minimum protection and standard security
measure for IT System.
• Reference to the state of system at some
point of time.

Guidelines
• Address the parts of security that the
standards cannot cover.
• A guideline is a recommended action.

Example - Passwords
• Password must be a minimum of 8 characters in
length
• Must contain a digit
• Must contain a special character
• Cannot be one of the last 16 passwords
• Cannot have two identical characters next to each
other
• Cannot begin with a digit
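The six guidelines above translate directly into a validation routine. The Python below is an added example, not the deck's: it reports every guideline a candidate password violates, and it keeps the last-16 history as salted PBKDF2 hashes so the history check never requires storing old passwords in clear. The PasswordHistory class, the iteration count and the sample passwords are constructed for the example; a production system would use its existing credential store and hashing policy.

```python
import hashlib
import os
import string
from collections import deque
from typing import Deque, List, Optional

HISTORY_DEPTH = 16           # "cannot be one of the last 16 passwords"
MIN_LENGTH = 8
SPECIALS = set(string.punctuation)


class PasswordHistory:
    """Last 16 passwords of one user, kept only as salted PBKDF2-HMAC-SHA256 hashes.
    One salt per user lets a candidate be hashed once and compared to all entries."""

    def __init__(self, iterations: int = 50_000) -> None:
        self.salt = os.urandom(16)
        self.iterations = iterations
        self.hashes: Deque[bytes] = deque(maxlen=HISTORY_DEPTH)  # oldest drops off

    def _digest(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   self.salt, self.iterations)

    def contains(self, password: str) -> bool:
        return self._digest(password) in self.hashes

    def remember(self, password: str) -> None:
        """Call after a password change is accepted."""
        self.hashes.append(self._digest(password))


def check_password(password: str, history: Optional[PasswordHistory] = None) -> List[str]:
    """Return the guideline violations for a candidate password (empty list = accepted).
    All rules are evaluated so the user sees every problem at once."""
    violations: List[str] = []
    if len(password) < MIN_LENGTH:
        violations.append("shorter than 8 characters")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(c in SPECIALS for c in password):
        violations.append("no special character")
    if history is not None and history.contains(password):
        violations.append("one of the last 16 passwords")
    # adjacent pairs: zip the string with itself shifted by one
    if any(a == b for a, b in zip(password, password[1:])):
        violations.append("two identical characters next to each other")
    if password[:1].isdigit():
        violations.append("begins with a digit")
    return violations


if __name__ == "__main__":
    history = PasswordHistory()
    for candidate in ("Summer2024!", "x7!Kq9#Lp", "1Abc!def", "Ab1!"):
        print(f"{candidate!r}: {check_password(candidate, history) or 'accepted'}")
    history.remember("x7!Kq9#Lp")
    print("reuse:", check_password("x7!Kq9#Lp", history))
```

"Summer2024!" fails only on the doubled "mm", which is the guideline users most often trip over; the history check catches an exact reuse once the password has been remembered, and the deque's maxlen is what enforces "last 16" without any bookkeeping.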
Procedures
• Lowest level in the chain.
• Step-by-step instructions to achieve the goal
of securing the assets.

Information Classification
• This is required to ensure we secure the right
information correctly and appropriately.
• It is specific to the industry and company.
• Ensures cost effectiveness.

Information Classification Types
• Public – disclosure does not affect the company.
• Sensitive – needs to be protected.
• Private – unauthorized disclosure will adversely impact
a person or the company.
• Confidential – unauthorized disclosure would
seriously impact the company.

Positional responsibility
• CEO and CFO – the former leads the organization and the latter
manages the financial program. Both are responsible for
any deviation from compliance and appropriations.
• CIO – responsible for the security program.
• CPO – protection of information to comply with legal,
privacy and regulatory norms.
• CSO – responsible for risk identification and mitigation,
possibly from a business point of view.
• CISO – CSO + technical. Reports to the CEO.

Measurable
• Finally everything needs to be measured and
quantified.
• This helps in improvement plans and to
evaluate current controls.

How to measure security effectiveness
• Lower call volumes to the helpdesk on a security
problem.
• Audit results.
• Fewer incidents in a particular
category.
• Lower total number of hours lost in fire
fighting an aftermath.
• User feedback.
VA&PT
• External Testing
• Internal Testing
• Blind Testing
• Double Blind testing
• Targeted Testing
• Zero Knowledge
• Partial Knowledge
• Full Knowledge
Other tests
• Application Security
• Denial of Service
• War dialling
• Wireless Network testing
• Social Engineering
• PBX and IP Telephony testing

Penetration Testing Methodologies
• Reconnaissance
• Enumeration
• Vulnerability Analysis
• Execution
• Document findings

Some attacks
• Social Engineering
• Pre-texting Attack
• Phishing Attack
• Baiting Attack
• Tailgating Attack

End
