Chapter 4


• Risk management is the process of identifying risk, as represented by vulnerabilities, to an organization’s information assets and infrastructure, and taking steps to reduce this risk to an acceptable level.
• Risk management involves three major undertakings:
• risk identification
• risk assessment
• risk control
• Risk identification is the examination and documentation of the security posture of an organization’s information technology and the risks it faces.
• Risk assessment is the determination of the extent to which the organization’s information assets are exposed or at risk.
• Risk control is the application of controls to reduce the risks to an organization’s data and information systems.

An Overview of Risk Management
Know yourself:
• Identify, examine, and understand the information and systems currently in place. This is self-evident.
• To protect assets, which are defined here as information and the systems that use, store, and transmit information, you must know what they are, how they add value to the organization, and to which vulnerabilities they are susceptible.
• Once you know what you have, you can identify what you are already doing to protect it.
• Just because a control is in place does not necessarily mean that the asset is protected.
• Frequently, organizations implement control mechanisms but then neglect the necessary periodic review, revision, and maintenance.
• The policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure that they remain effective.

Principles of Information Security, 4th Edition

Know the enemy:
• Identify, examine, and understand the threats facing the organization.
• You must determine which threat aspects most directly affect the security of the organization and its information assets, and then use this information to create a list of threats, each one ranked according to the importance of the information assets that it threatens.

• All of the communities of interest must work together to address all levels of risk, which range from disasters that can devastate the whole organization to the smallest employee mistakes.
• The communities of interest are also responsible for the following:
• Evaluating the risk controls
• Determining which control options are cost effective for the organization
• Acquiring or installing the needed controls
• Ensuring that the controls remain effective

Risk Identification
• Assets are targets of various threats and threat agents.
• Risk management is the process of identifying and controlling the risks facing an organization.
• Risk identification begins with identifying the organization’s assets and assessing their value.
• A risk management strategy requires that information security professionals know their organization’s information assets—that is, identify, classify, and prioritize them.
• Once the organizational assets have been identified, a threat assessment process identifies and quantifies the risks facing each asset.

Components of Risk Identification

Plan and Organize the Process
• The first step in the risk identification process is to follow your project management principles.
• You begin by organizing a team, typically consisting of representatives of all affected groups.
• With risk identification, since risk can exist everywhere in the organization, representatives will come from every department, from users to managers to IT and InfoSec groups.
• The process must then be planned out, with periodic deliverables, reviews, and presentations to management.
• Once the project is ready to begin, meetings can be conducted.

Asset Identification and Inventory
• This iterative process begins with the enumeration of assets, including all of the elements of an organization’s system, such as people, procedures, and data.
• Classify and categorize the assets, adding details as you dig deeper into the analysis.
• The objective of this process is to establish the relative priority of the assets to the success of the organization.

Table 4-1 Categorizing Components

People, Procedures, and Data Asset Identification
• Identifying human resources, documentation, and data assets is more difficult than identifying hardware and software assets.
• People with knowledge, experience, and judgment should be assigned the task.
• As the people, procedures, and data assets are identified, they should be recorded using a reliable data-handling process.
• Whatever record-keeping mechanism you use, be sure it has the flexibility to allow the specification of attributes particular to the type of asset.
• When deciding which information assets to track, consider the following asset attributes:
• Asset attributes for people: position name/number/ID; supervisor; security clearance level; special skills
• Asset attributes for procedures: description; intended purpose; what elements it is tied to; storage location for reference; storage location for update
• Asset attributes for data: classification; owner/creator/manager; data structure size; data structure used; online/offline; location; backup procedures employed

Hardware, Software, and Network Asset Identification
• What information attributes to track depends on:
• Needs of the organization/risk management efforts
• Management needs of the information security/information technology communities
• Asset attributes to be considered are:
• Name
• IP address
• MAC address
• Element type
• Serial number
• Manufacturer name
• Model/part number
• Software version
• Physical or logical location
• Controlling entity

Automated Asset Inventory Tools
• Automated tools can sometimes identify the system elements that make up hardware, software, and network components.
• For example, many organizations use automated asset inventory systems.
• The inventory listing is usually available in a database or can be exported to a database for custom information on security assets.
• Once stored, the inventory listing

Data Classification and Management
• Information owners are responsible for classifying their information assets.
• Information classifications must be reviewed periodically.
• Most organizations do not need the detailed level of classification used by military or federal agencies.
• Instead, organizations may use other data classification schemes (e.g., confidential, internal, public data).
• Categories must be comprehensive and mutually exclusive.

In fact, many of the developments in data communications and information security are the result of military-sponsored research and development. For most information, the military uses a five-level classification scheme: Unclassified, Sensitive But Unclassified (i.e., For Official Use Only), Confidential, Secret, and Top Secret.

Security Clearances
• Corresponding to the data classification scheme is the personnel security clearance structure.
• In organizations that require security clearances, each user of data must be assigned a single authorization level that indicates the level of classification he or she is authorized to view.
• This is usually accomplished by assigning each employee to a named role, such as data entry clerk, development programmer, information security analyst, or even CIO.
• Most organizations have a set of roles and their associated security clearances.

Management of Classified Data
• Management of classified data includes its storage, distribution, portability, and destruction.
• All information that is not unclassified or public must be clearly marked.
• The military also uses color-coordinated cover sheets to protect classified information from the casual observer.
• In addition, each classified document should contain the appropriate designation at the top and bottom of each page.
• When classified data is stored, it must be available only to authorized individuals.
• This usually requires locking file cabinets, safes, or other protective devices for hard copies and systems.

• One control policy that can be difficult to enforce is the clean desk policy.
• A clean desk policy requires that employees secure all information in appropriate storage containers at the end of each day.
• When copies of classified information are no longer valuable or excess copies exist, proper care should be taken to destroy them, usually after double signature verification, by means of shredding, burning, or transferring to a service offering authorized document destruction.
• It is important to enforce policies to ensure that no classified information is disposed of in trash or recycling areas.
• There are individuals who search trash and recycling bins—a practice known as dumpster diving—to retrieve information that could embarrass a company or compromise information security.

Classifying and Prioritizing Information Assets
• Some organizations further subdivide the components of IS.
• For example, the category “Internet components” can be subdivided into servers, networking devices (routers, hubs, switches), protection devices (firewalls, proxies), and cabling.
• Each of the other categories can be similarly subdivided as needed by the organization.
• You should also include a dimension to represent the sensitivity and security priority of the data and the devices that store, transmit, and process the data—that is, a data classification scheme.
• Examples of data classification categories are confidential, internal, and public.

• Any system component classification method must be specific enough to enable determination of priority levels, because the next step in risk assessment is to rank the components.
• It is also important that the categories be comprehensive and mutually exclusive.
• Comprehensive means that all information assets must fit in the list somewhere, and mutually exclusive means that an information asset should fit in only one category.
• For example, suppose an organization has a public key infrastructure certificate authority, which is a software application that provides cryptographic key management services.
• Using a purely technical standard, an analysis team could categorize the certificate authority in the asset list of Table 4-1 as software, and within the software category as either an application or a security component.
• A certificate authority should actually be categorized as a software security component, since it is part of the security infrastructure and must be protected carefully.

Information Asset Valuation
• To assign value to information assets for risk assessment purposes, you can pose a number of questions and collect your answers on a worksheet.
• Before beginning the inventory process, the organization should determine which criteria can best establish the value of the information assets.
• Among the criteria to be considered are:
• Which information asset is the most critical to the success of the organization? When determining the relative importance of each asset, refer to the organization’s mission statement.

Information Asset Valuation (continued)
• Questions help develop criteria for asset valuation.
• Which information asset:
• is most critical to the organization’s success?
• generates the most revenue/profitability?
• would be most expensive to replace or protect?
• would be the most embarrassing or cause the greatest liability if revealed?

Information Asset Prioritization
• Create a weighting for each category based on the answers to the questions.
• Calculate the relative importance of each asset using weighted factor analysis.
• List the assets in order of importance using a weighted factor analysis worksheet.

Table 4-2 Example Weighted Factor Analysis

Threat Identification
• Realistic threats need investigation; unimportant threats are set aside.
• Threat assessment:
• Which threats present a danger to assets?
• Which threats represent the most danger to information?
• How much would it cost to recover from an attack?
• Which threat requires the greatest expenditure to prevent?

Table 4-3 Threats to Information Security

Vulnerability Identification
• Specific avenues threat agents can exploit to attack an information asset are called vulnerabilities.
• Examine how each threat could be perpetrated and list the organization’s assets and vulnerabilities.
• The process works best when people with diverse backgrounds within the organization work iteratively in a series of brainstorming sessions.
• At the end of the risk identification process, a list of assets and their vulnerabilities is achieved.

Risk Assessment
• Risk assessment evaluates the relative risk for each vulnerability.
• Assigns a risk rating or score to each information asset.
• The goal at this point: create a method for evaluating the relative risk of each listed vulnerability.

Likelihood
• The probability that a specific vulnerability will be the object of a successful attack.
• Assign a numeric value: a number between 0.1 (low) and 1.0 (high), or a number between 1 and 100.
• Zero is not used, since vulnerabilities with zero likelihood are removed from the asset/vulnerability list.
• Use the selected rating model consistently.
• Use external references for values that have been reviewed/adjusted for your circumstances.

Risk Determination
• For the purpose of relative risk assessment, risk equals:
• Likelihood of vulnerability occurrence TIMES value (or impact)
• MINUS percentage of risk already controlled
• PLUS an element of uncertainty

Identify Possible Controls
• For each threat and its associated vulnerabilities that have residual risk, create a preliminary list of control ideas.
• Residual risk is the risk that remains to an information asset even after the existing control has been applied.
• There are three general categories of controls:
• Policies
• Programs
• Technologies

• Policies are documents that specify an organization’s approach to security.
• There are four types of security policies:
• general security policies
• program security policies
• issue-specific policies
• systems-specific policies
• The general security policy is an executive-level document that outlines the organization’s approach and attitude toward information security and relates the strategic value of information security within the organization.
• This document, typically created by the CIO in conjunction with the CEO and CISO, sets the tone for all subsequent security activities.

• The program security policy is a planning document that outlines the process of implementing security in the organization.
• This policy is the blueprint for the analysis, design, and implementation of security.
• Issue-specific policies address the specific implementations or applications of which users should be aware.
• These policies are typically developed to provide detailed instructions and restrictions associated with security issues.
• Examples include policies for Internet use, e-mail, and access to the building.
• Systems-specific policies address the particular use of certain systems.
• This could include firewall configuration policies, systems access policies, and other technical configuration areas.
• Programs are activities performed within the organization to improve security. These include security education, training, and awareness programs.

Documenting the Results of Risk Assessment
• Ranked vulnerability risk worksheet
• The worksheet details asset, asset impact, vulnerability, vulnerability likelihood, and risk-rating factor.
• The ranked vulnerability risk worksheet is the initial working document for the next step in the risk management process: assessing and controlling risk.

• The goal so far has been to identify the information assets that have specific vulnerabilities and list them, ranked according to those most needing protection.
• In preparing this list, you collected and preserved a wealth of factual information about the assets, the threats they face, and the vulnerabilities they expose.
• You should also have collected some information about the controls that are already in place.

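The risk determination formula from the Risk Determination slide and the ranked vulnerability risk worksheet that records its results, as an added example (not the textbook's own worksheet or code). It assumes that the "percentage already controlled" and the "element of uncertainty" are taken as fractions of the likelihood × value product, enforces the 0.1 to 1.0 likelihood range from the Likelihood slide, and sorts the rows so the asset-vulnerability pairs most needing protection come first. The worksheet rows are constructed sample data.

```python
# Risk rating and ranked vulnerability risk worksheet.
# Added example, not from the textbook. The worksheet rows are constructed sample data.
from dataclasses import dataclass


@dataclass
class WorksheetRow:
    asset: str
    asset_impact: float      # asset value/impact carried over from the weighted factor analysis
    vulnerability: str
    likelihood: float        # 0.1 (low) .. 1.0 (high); zero-likelihood entries never reach the worksheet
    controlled: float        # fraction of the risk already controlled, 0.0 .. 1.0
    uncertainty: float       # fraction added for uncertainty in the estimates, 0.0 .. 1.0


def risk_rating(impact, likelihood, controlled, uncertainty):
    """risk = likelihood x value - percentage already controlled + element of uncertainty.

    Assumption made in this example: the controlled and uncertainty percentages
    are taken of the likelihood x value product. Result is rounded to 2 places.
    """
    if not 0.1 <= likelihood <= 1.0:
        raise ValueError(f"likelihood must be between 0.1 and 1.0, got {likelihood}")
    if not 0.0 <= controlled <= 1.0 or not 0.0 <= uncertainty <= 1.0:
        raise ValueError("controlled and uncertainty must be fractions between 0.0 and 1.0")
    base = impact * likelihood
    return round(base - base * controlled + base * uncertainty, 2)


def rank_worksheet(rows):
    """Return (row, rating) pairs sorted so the pairs most needing protection come first."""
    rated = [
        (row, risk_rating(row.asset_impact, row.likelihood, row.controlled, row.uncertainty))
        for row in rows
    ]
    rated.sort(key=lambda pair: pair[1], reverse=True)
    return rated


# Constructed sample rows; asset impact values are the kind a prior weighted
# factor analysis would produce, and the vulnerability descriptions are generic.
SAMPLE_ROWS = [
    WorksheetRow("Customer order database", 90, "missing vendor patches on the database host", 0.5, 0.25, 0.10),
    WorksheetRow("Public marketing web site", 40, "no lockout or rate limit on the login form", 0.8, 0.0, 0.10),
    WorksheetRow("Internal wiki", 29, "shared administrator account", 0.3, 0.5, 0.2),
]

if __name__ == "__main__":
    print(f"{'rating':>7}  asset: vulnerability")
    for row, rating in rank_worksheet(SAMPLE_ROWS):
        print(f"{rating:7.2f}  {row.asset}: {row.vulnerability}")
```

Note how the second row outranks what its raw asset value would suggest: a lower-value asset with a high likelihood and no existing control can carry more relative risk than a high-value asset that is already partly controlled, which is why the worksheet ranks asset-vulnerability pairs rather than assets.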
Table 4-9 Ranked Vulnerability Risk Worksheet

Table 4-10 Risk Identification and Assessment Deliverables

Deliverable                                  Purpose
Information asset classification worksheet   Assembles information about information assets and their impact
Weighted criteria analysis worksheet         Assigns ranked value or impact weight to each information asset
Ranked vulnerability risk worksheet          Assigns ranked value of risk rating for each uncontrolled asset-vulnerability pair

Risk Control
• Once the ranked vulnerability risk worksheet is complete, you must choose one of five strategies to control each risk:
• Apply safeguards (defend)
• Transfer the risk (transfer)
• Reduce impact (mitigate)
• Understand consequences and accept risk (acceptance)
• Avoid activities that are too risky (terminate)

Defend
• Attempts to prevent exploitation of the vulnerability.
• Preferred approach; accomplished through countering threats, removing asset vulnerabilities, limiting asset access, and adding protective safeguards.
• Three common methods of risk avoidance:
• Application of policy
• Training and education
• Applying technology

Transfer
• Control approach that attempts to shift risk to other assets, processes, or organizations.
• If lacking, the organization should hire individuals/firms that provide security management and administration expertise.
• The organization may then transfer the risk associated with management of complex systems to another organization experienced in dealing with those risks.
• This can be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers.

• This principle should be considered whenever an organization begins to expand its operations, including information and systems management and even information security.
• If an organization does not already have quality security management and administration experience, it should hire individuals or firms that provide such expertise.
• For example, many organizations want Web services, including Web presences, domain name registration, and domain and Web hosting.
• Rather than implementing their own servers and hiring their own Webmasters, Web systems administrators, and specialized security experts, savvy organizations hire an ISP or a consulting organization to provide these products and services for them.
• This allows the organization to transfer the risks associated with the management of these complex systems to another organization that has experience in dealing with those risks.
• A side benefit of specific contract arrangements is that the provider is responsible for disaster recovery, and through service level agreements is responsible for guaranteeing server and Web site availability.

Mitigate
• Attempts to reduce the impact of vulnerability exploitation through planning and preparation.
• The mitigate control strategy attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation.
• Each of these plans depends on the ability to detect and respond to an attack as quickly as possible and relies on the quality of the other plans.
• Mitigation begins with the early detection that an attack is in progress and a quick, efficient, and effective response.
• The approach includes three types of plans:
• Incident response plan (IRP)
• Disaster recovery plan (DRP)
• Business continuity plan (BCP)

Incident Response Plan
• The actions an organization can and perhaps should take while an incident is in progress should be specified in a document called the incident response (IR) plan.
• The IR plan provides answers to questions victims might pose in the midst of an incident, such as “What do I do now?”
• For example, a systems administrator may notice that someone is copying information from the server without authorization, signaling violation of policy by a potential hacker or an unauthorized employee.
• What should the administrator do first? Whom should he or she contact? What should he or she document? The IR plan supplies the answers.
• In the event of a serious virus or worm outbreak, the IR plan can be used to assess the likelihood of imminent damage and to inform key decision makers in the various communities of interest (IT, information security, organization management, and users).
• The IR plan also enables the organization to take coordinated action that is either predefined and specific, or ad hoc and

Disaster Recovery Plan
• The most common of the mitigation procedures is the disaster recovery (DR) plan.
• Although media backup strategies are an integral part of the DR plan, the overall program includes the entire spectrum of activities used to recover from an incident.
• The DR plan can include strategies to limit losses before and during the disaster.
• DR plans usually include all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the floodwaters recede.
• The DR plan and the IR plan overlap to a degree.
• In many respects, the DR plan is the subsection of the IR plan that covers disastrous events.

Business Continuity Plan
• The business continuity (BC) plan is the most strategic and long term of the three plans.
• It encompasses the continuation of business activities if a catastrophic event occurs, such as the loss of an entire database, building, or operations center.
• The BC plan includes planning the steps necessary to ensure the continuation of the organization when the scope or scale of a disaster exceeds the ability of the DR plan to restore operations.
• This can include preparation steps for activation of secondary data centers, hot sites, or business recovery
• These systems enable the organization to continue operations with minimal disruption of service.

Accept
• Doing nothing to protect a vulnerability and accepting the outcome of its exploitation.
• Valid only when the particular function, service, information, or asset does not justify the cost of protection.
• Risk appetite describes the degree to which the organization is willing to accept risk as a trade-off to the expense of applying controls.


 The only industry-recognized valid use of this strategy occurs
when the organization has done the following:

 Determined the level of risk Assessed the probability of attack

 Estimated the potential damage that could occur from attacks

 Performed a thorough cost benefit analysis

 Evaluated controls using each appropriate type of feasibility

 Decided that the particular function, service, information, or


asset did not justify the cost of protection

 This strategy is based on the conclusion that the cost of


protecting an asset does not justify the security expenditure.

Principles of Information Security, 4th Edition


Terminate
• Directs the organization to avoid those business activities that introduce uncontrollable risks.
• May seek an alternate mechanism to meet customer needs.

Selecting a Risk Control Strategy
• The level of threat and the value of the asset play a major role in the selection of a strategy.
• Rules of thumb on strategy selection can be applied:
• When a vulnerability exists
• When a vulnerability can be exploited
• When the attacker’s cost is less than the potential gain
• When the potential loss is substantial

Figure 4-8 Risk Handling Decision Points

Feasibility Studies
• Before deciding on a strategy, all information about the economic/noneconomic consequences of the vulnerability of the information asset must be explored.
• A number of ways exist to determine the advantage of a specific control.

Cost Benefit Analysis (CBA)
• The most common approach for deciding on information security controls is the economic feasibility of implementation.
• CBA is begun by evaluating the worth of the assets to be protected and the loss in value if those assets are compromised.
• The formal process to document this is called cost benefit analysis or economic feasibility study.

Cost Benefit Analysis (CBA) (continued)
• Once the value of assets is estimated, the potential loss from exploitation of a vulnerability is studied.
• The process result is an estimate of potential loss per risk.
• Expected loss per risk is stated in the following equation:
Annualized loss expectancy (ALE) equals Single loss expectancy (SLE) TIMES Annualized rate of occurrence (ARO)
• SLE is equal to asset value times exposure factor (EF).

The Cost Benefit Analysis (CBA) Formula
• CBA determines if the alternative being evaluated is worth the cost incurred to control the vulnerability.
• CBA is most easily calculated using ALE from earlier assessments, before implementation of the proposed control:
CBA = ALE(prior) – ALE(post) – ACS
• ALE(prior) is the annualized loss expectancy of the risk before implementation of the control.
• ALE(post) is the estimated ALE based on the control being in place for a period of time.
• ACS is the annualized cost of the safeguard.

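The SLE, ALE and CBA formulas from the two slides above, carried through as an added worked example (not the textbook's code). The asset value, exposure factors, rates of occurrence and safeguard costs are constructed; the two candidate controls differ only in annualized cost, so that one comes out worth its cost and the other does not.

```python
# Cost benefit analysis: SLE, ALE and the CBA formula.
# Added example, not the textbook's code; all dollar figures are constructed.


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x exposure factor (fraction of the asset's value lost in one incident)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError(f"exposure factor must be a fraction between 0.0 and 1.0, got {exposure_factor}")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO (expected number of occurrences per year)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def cost_benefit(ale_prior, ale_post, acs):
    """CBA = ALE(prior) - ALE(post) - ACS; a positive result means the control is worth its cost."""
    return ale_prior - ale_post - acs


def evaluate_control(asset_value, ef_prior, aro_prior, ef_post, aro_post, acs):
    """Work the CBA for one proposed control and return the figures a worksheet would record."""
    ale_prior = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_prior), aro_prior)
    ale_post = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_post), aro_post)
    cba = cost_benefit(ale_prior, ale_post, acs)
    return {"ale_prior": ale_prior, "ale_post": ale_post, "acs": acs, "cba": cba, "worthwhile": cba > 0}


# Constructed scenario: an asset valued at 100,000 that loses 40% of its value per
# incident, with an incident expected every two years (ARO 0.5).
ASSET_VALUE = 100_000
EF_PRIOR, ARO_PRIOR = 0.4, 0.5

# Two candidate controls, each expected to cut the exposure factor to 10% and
# halve the rate of occurrence, differing only in annualized cost of the safeguard.
CHEAP_CONTROL = dict(ef_post=0.1, aro_post=0.25, acs=5_000)
EXPENSIVE_CONTROL = dict(ef_post=0.1, aro_post=0.25, acs=20_000)

if __name__ == "__main__":
    for label, control in (("cheap control", CHEAP_CONTROL), ("expensive control", EXPENSIVE_CONTROL)):
        result = evaluate_control(ASSET_VALUE, EF_PRIOR, ARO_PRIOR, **control)
        print(f"{label}: ALE(prior)={result['ale_prior']:.0f} ALE(post)={result['ale_post']:.0f} "
              f"ACS={result['acs']} CBA={result['cba']:.0f} worthwhile={result['worthwhile']}")
```

Both controls reduce the same loss exposure (ALE drops from 20,000 to 2,500), but the CBA is positive only for the one whose annualized cost stays below the 17,500 reduction in expected loss; the more expensive safeguard would cost more per year than the loss it prevents, which is the case the Accept strategy describes.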
Evaluation, Assessment, and Maintenance of Risk Controls
• Selection and implementation of a control strategy is not the end of the process.
• The strategy and accompanying controls must be monitored/reevaluated on an ongoing basis to determine effectiveness and to calculate more accurately the estimated residual risk.
• The process continues as long as the organization continues to function.

Figure 4-9 Risk Control Cycle

Quantitative versus Qualitative Risk Control Practices
• Performing the previous steps using actual values or estimates is known as quantitative assessment.
• It is possible to complete the steps using an evaluation process based on characteristics using nonnumerical measures; this is called qualitative assessment.
• Utilizing scales rather than specific estimates relieves the organization from the difficulty of determining exact values.

Benchmarking and Best Practices
• An alternative approach to risk management.
• Benchmarking is the process of seeking out and studying practices in other organizations that one’s own organization desires to duplicate.
• One of two measures is typically used to compare practices:
• Metrics-based measures
• Process-based measures

Benchmarking and Best Practices (continued)
• Standard of due care: when adopting levels of security for a legal defense, the organization shows it has done what any prudent organization would do in similar circumstances.
• Due diligence: demonstration that the organization is diligent in ensuring that implemented standards continue to provide the required level of protection.
• Failure to support the standard of due care or due diligence can leave the organization open to legal liability.

Benchmarking and Best Practices (continued)
• Best business practices: security efforts that provide a superior level of information protection.
• When considering best practices for adoption in an organization, consider:
• Does the organization resemble the identified target with the best practice?
• Are the resources at hand similar?
• Is the organization in a similar threat environment?

Problems with the Application of Benchmarking and Best Practices
• Organizations don’t talk to each other (biggest problem).
• No two organizations are identical.
• Best practices are a moving target.
• Knowing what was going on in the information security industry in recent years through benchmarking doesn’t necessarily prepare for what’s next.

Baselining
• Analysis of measures against established standards.
• In information security, baselining is the comparison of security activities and events against an organization’s future performance.
• It is useful during baselining to have a guide to the overall process.