Computer Security - Discussion
Chapter 2 Personnel Security and Risk Management Concepts
THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:
Domain 1: Security and Risk Management
1.8 Contribute to and enforce personnel security policies and procedures
1.8.1 Candidate screening and hiring
1.8.2 Employment agreements and policies
1.8.3 Onboarding and termination processes
1.8.4 Vendor, consultant, and contractor agreements and controls
1.8.5 Compliance policy requirements
1.8.6 Privacy policy requirements
1.9 Understand and apply risk management concepts
1.9.1 Identify threats and vulnerabilities
1.9.2 Risk assessment/analysis
1.9.3 Risk response
1.9.4 Countermeasure selection and implementation
1.9.5 Applicable types of controls (e.g., preventive, detective, corrective)
1.9.6 Security Control Assessment (SCA)
1.9.7 Monitoring and measurement
1.9.8 Asset valuation
1.9.9 Reporting
1.9.10 Continuous improvement
1.9.11 Risk frameworks
1.12 Establish and maintain a security awareness, education, and training program
1.12.1 Methods and techniques to present awareness and training
1.12.2 Periodic content reviews
1.12.3 Program effectiveness evaluation
Domain 6: Security Assessment and Testing
6.3.5 Training and awareness
The Security and Risk Management domain of the Common Body of Knowledge (CBK) for the CISSP certification exam deals with many of the foundational elements of security solutions. These include elements essential to the design, implementation, and administration of security mechanisms.
Additional elements of this domain are discussed in various chapters: Chapter 1, “Security Governance Through Principles and Policies”; Chapter 3, “Business Continuity Planning”; and Chapter 4, “Laws, Regulations, and Compliance.” Please be sure to review all of these chapters to have a complete perspective on the topics of this domain.
Because of the complexity and importance of hardware and software controls, security management for employees is often overlooked in overall security planning. This chapter explores the human side of security, from establishing secure hiring practices and job descriptions to developing an employee infrastructure. Additionally, we look at how employee training, management, and termination practices are considered an integral part of creating a secure environment. Finally, we examine how to assess and manage security risks.
Personnel Security Policies and Procedures
Humans are the weakest element in any security solution. No matter what physical or logical controls are deployed, humans can discover ways to avoid them, circumvent or subvert them, or disable them. Thus, it is important to take into account the humanity of your users when designing and deploying security solutions for your environment. To understand and apply security governance, you must address the weakest link in your security chain—namely, people.
Issues, problems, and compromises related to humans occur at all stages of a security solution's development. This is because humans are involved throughout the development, deployment, and ongoing administration of any solution. Therefore, you must evaluate the effect users, designers, programmers, developers, managers, and implementers have on the process.
Hiring new staff typically involves several distinct steps: creating a job description or position description, setting a classification for the job, screening employment candidates, and hiring and training the one best suited for the job. Without a job description, there is no consensus on what type of individual should be hired. Thus, crafting job descriptions is the first step in defining security needs related to personnel and being able to seek out new hires. Some organizations recognize a difference between a role description and a job description. Roles typically align to a rank or level of privilege, while job descriptions map to specifically assigned responsibilities and tasks.
Personnel should be added to an organization because there is a need for their specific skills and experience. Any job description for any position within an organization should address relevant security issues. You must consider items such as whether the position requires the handling of sensitive material or access to classified information. In effect, the job description defines the roles to which an employee needs to be assigned to perform their work tasks. The job description should define the type and extent of access the position requires on the secured network. Once these issues have been resolved, assigning a security classification to the job description is fairly standard.
The Importance of Job Descriptions
Job descriptions are important to the design and support of a security solution. However, many organizations either have overlooked this or have allowed job descriptions to become stale and out of sync with reality. Try to track down your job description. Do you even have one? If so, when was it last updated? Does it accurately reflect your job? Does it describe the type of security access you need to perform the prescribed job responsibilities? Some organizations must craft job descriptions to be in compliance with Service Organization Control (SOC) 2, while others following ISO 27001 require annual reviews of job descriptions.
Important elements in constructing job descriptions that are in line with organizational processes include separation of duties, job responsibilities, and job rotation.
Separation of Duties
Separation of duties is the security concept in which critical, significant, and sensitive work tasks are divided among several individual administrators or high-level operators (Figure 2.1). This prevents any one person from having the ability to undermine or subvert vital security mechanisms. Think of separation of duties as the application of the principle of least privilege to administrators. Separation of duties is also a protection against collusion. Collusion is the occurrence of negative activity undertaken by two or more people, often for the purposes of fraud, theft, or espionage. By limiting the powers of individuals, separation of duties requires employees to work with others to commit larger violations. The act of finding others to assist in a violation, and then the actions taken to perform that violation, are more likely to leave behind evidence and be detectable, which directly reduces the occurrence of collusion (via deterrence, the chance that they might get caught). Thus, collusion is difficult and increases the risk to the initiator prior to the commission of the act.
FIGURE 2.1 An example of separation of duties related to five admin tasks and seven administrators
Job Responsibilities
Job responsibilities are the specific work tasks an employee is required to perform on a regular basis. Depending on their responsibilities, employees require access to various objects, resources, and services. On a secured network, users must be granted access privileges for those elements related to their work tasks. To maintain the greatest security, access should be assigned according to the principle of least privilege. The principle of least privilege states that in a secured environment, users should be granted the minimum amount of access necessary for them to complete their required work tasks or job responsibilities. True application of this principle requires low-level granular control over all resources and functions.
Job Rotation
Job rotation, or rotating employees among multiple job positions, is simply a means by which an organization improves its overall security (Figure 2.2). Job rotation serves two functions. First, it provides a type of knowledge redundancy. When multiple employees are all capable of performing the work tasks required by several job positions, the organization is less likely to experience serious downtime or loss in productivity if an illness or other incident keeps one or more employees out of work for an extended period of time.
FIGURE 2.2 An example of job rotation among management positions
Second, moving personnel around reduces the risk of fraud, data modification, theft, sabotage, and misuse of information. The longer a person works in a specific position, the more likely they are to be assigned additional work tasks and thus expand their privileges and access. As a person becomes increasingly familiar with their work tasks, they may abuse their privileges for personal gain or malice. If misuse or abuse is committed by one employee, it will be easier to detect by another employee who knows the job position and work responsibilities. Therefore, job rotation also provides a form of peer auditing and protects against collusion.
Job rotation requires that security privileges and accesses be reviewed to maintain the principle of least privilege. One concern with job rotation, cross-training, and long-tenure employees is their continued collection of privileges and accesses, many of which they no longer need. The assignment of privileges, permissions, rights, access, and so on, should be periodically reviewed to check for privilege creep or misalignment with job responsibilities. Privilege creep occurs when workers accumulate privileges over time as their job responsibilities change. The end result is that a worker has more privileges than the principle of least privilege would dictate based on that individual’s current job responsibilities.
Cross-training
Cross-training is often discussed as an alternative to job rotation. In both cases, workers learn the responsibilities and tasks of multiple job positions. However, in cross-training the workers are just prepared to perform the other job positions; they are not rotated through them on a regular basis. Cross-training enables existing personnel to fill the work gap when the proper employee is unavailable, as a type of emergency response procedure.
When several people work together to perpetrate a crime, it’s called collusion. Employing the principles of separation of duties, restricted job responsibilities, and job rotation reduces the likelihood that a co-worker will be willing to collaborate on an illegal or abusive scheme because of the higher risk of detection. Collusion and other privilege abuses can be reduced through strict monitoring of special privileges, such as those of an administrator, backup operator, user manager, and others.
Job descriptions are not used exclusively for the hiring process; they should be maintained throughout the life of the organization. Only through detailed job descriptions can a comparison be made between what a person should be responsible for and what they actually are responsible for. It is a managerial task to ensure that job descriptions overlap as little as possible and that one worker’s responsibilities do not drift or encroach on those of another. Likewise, managers should audit privilege assignments to ensure that workers do not obtain access that is not strictly required for them to accomplish their work tasks.
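The privilege review the preceding paragraphs call for (comparing what a worker holds against what the job description allows, and checking that no one person holds a conflicting pair of duties) can be run mechanically over an IAM entitlement export. The following is an added example, not from the book; the roles, entitlements, users, and conflict pairs are all constructed for illustration.

```python
"""Privilege-creep and separation-of-duties review over an IAM entitlement export.

Constructed sample data: a job-description baseline (which entitlements each
role needs), a list of duty pairs no single person may hold, and an export of
what each worker actually holds. All names and entitlements are hypothetical.
"""

# Hypothetical job-description baseline: role -> entitlements the role needs.
ROLE_BASELINE = {
    "accounts_payable": {"create_vendor", "enter_invoice", "view_ledger"},
    "finance_manager": {"approve_payment", "view_ledger", "run_reports"},
    "backup_operator": {"run_backup", "restore_files"},
    "helpdesk": {"reset_password", "view_ticket"},
}

# Hypothetical separation-of-duties rules: one person must never hold both.
SOD_CONFLICTS = [
    ("create_vendor", "approve_payment"),   # could create a payee and pay it
    ("enter_invoice", "approve_payment"),   # could enter an invoice and pay it
    ("reset_password", "approve_payment"),  # could take over an approver account
]

# Constructed IAM export. bob rotated from helpdesk into finance and kept a
# helpdesk right; carol was promoted and never lost her old accounts-payable rights.
IAM_EXPORT = [
    {"user": "alice", "role": "accounts_payable",
     "entitlements": {"create_vendor", "enter_invoice", "view_ledger"}},
    {"user": "bob", "role": "finance_manager",
     "entitlements": {"approve_payment", "view_ledger", "run_reports", "reset_password"}},
    {"user": "carol", "role": "finance_manager",
     "entitlements": {"approve_payment", "view_ledger", "create_vendor", "enter_invoice"}},
    {"user": "dave", "role": "backup_operator",
     "entitlements": {"run_backup", "restore_files"}},
]


def privilege_creep(export, baseline):
    """Return {user: sorted excess entitlements} for workers holding more than their role allows."""
    creep = {}
    for rec in export:
        allowed = baseline.get(rec["role"], set())
        excess = rec["entitlements"] - allowed
        if excess:
            creep[rec["user"]] = sorted(excess)
    return creep


def sod_violations(export, conflicts):
    """Return [(user, (a, b))] for every conflicting duty pair held by one person."""
    found = []
    for rec in export:
        held = rec["entitlements"]
        for a, b in conflicts:
            if a in held and b in held:
                found.append((rec["user"], (a, b)))
    return found


def baseline_conflicts(baseline, conflicts):
    """Roles whose own definition grants both halves of a conflict (a job-description flaw)."""
    return sorted({role for role, ents in baseline.items()
                   for a, b in conflicts if a in ents and b in ents})


def unknown_roles(export, baseline):
    """Workers assigned a role that has no job-description baseline at all."""
    return sorted({rec["role"] for rec in export if rec["role"] not in baseline})


def audit(export=IAM_EXPORT, baseline=ROLE_BASELINE, conflicts=SOD_CONFLICTS):
    """Run all four checks and return the findings as one report dict."""
    return {
        "privilege_creep": privilege_creep(export, baseline),
        "sod_violations": sod_violations(export, conflicts),
        "baseline_conflicts": baseline_conflicts(baseline, conflicts),
        "unknown_roles": unknown_roles(export, baseline),
    }


if __name__ == "__main__":
    for section, findings in audit().items():
        print(f"{section}: {findings}")
```

Note that bob's single leftover helpdesk right is both privilege creep and a separation-of-duties violation, which is exactly why a rotation or promotion should trigger a review rather than an additive grant.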
Candidate Screening and Hiring
Employment candidate screening for a specific position is based on the sensitivity and classification defined by the job description. The sensitivity and classification of a specific position is dependent on the level of harm that could be caused by accidental or intentional violations of security by a person in the position. Thus, the thoroughness of the screening process should reflect the security of the position to be filled.
Employment candidate screening, background checks, reference checks, education verification, and security clearance validation are essential elements in proving that a candidate is adequate, qualified, and trustworthy for a secured position. Background checks include obtaining a candidate’s work and educational history; checking references; verifying education; interviewing colleagues, neighbors, and friends; checking police and government records for arrests or illegal activities; verifying identity through fingerprints, driver’s license, and birth certificate; and holding a personal interview. This process could also include a polygraph test, drug testing, and personality testing/evaluation.
Performing online background checks and reviewing the social networking accounts of applicants have become standard practice for many organizations. If a potential employee has posted inappropriate materials to their photo sharing site, social networking biographies, or public instant messaging services, then they are not as attractive a candidate as those who did not. Our actions in the public eye become permanent when they are recorded in text, photo, or video and then posted online. A general picture of a person’s attitude, intelligence, loyalty, common sense, diligence, honesty, respect, consistency, and adherence to social norms and/or corporate culture can be gleaned quickly by viewing a person’s online identity.
Employment Agreements and Policies
When a new employee is hired, they should sign an employment agreement. Such a document outlines the rules and restrictions of the organization, the security policy, the acceptable use and activities policies, details of the job description, violations and consequences, and the length of time the position is to be filled by the employee. These items might be separate documents. In such a case, the employment agreement is used to verify that the employment candidate has read and understood the associated documentation for their prospective job position.
In addition to employment agreements, there may be other security-related documentation that must be addressed. One common document is a nondisclosure agreement (NDA). An NDA is used to protect the confidential information within an organization from being disclosed by a former employee. When a person signs an NDA, they agree not to disclose any information that is defined as confidential to anyone outside the organization. Violations of an NDA are often met with strict penalties.
NCA: The NDA’s Evil Sibling
The NDA has a common companion contract known as the noncompete agreement (NCA). The noncompete agreement attempts to prevent an employee with special knowledge of secrets from one organization from working in a competing organization, in order to prevent that second organization from benefiting from the worker’s special knowledge of secrets. NCAs are also used to prevent workers from jumping from one company to another competing company just because of salary increases or other incentives. Often NCAs have a time limit, such as six months, one year, or even three years. The goal is to allow the original company to maintain its competitive edge by keeping its human resources working for its benefit rather than against it.
Many companies require new hires to sign NCAs. However, fully enforcing an NCA in court is often a difficult battle. The court recognizes the need for a worker to be able to work using the skills and knowledge they have in order to provide for themselves and their families. If the NCA would prevent a person from earning a reasonable income, the courts often invalidate the NCA or prevent its consequences from being realized.
Even if an NCA is not always enforceable in court, however, that does not mean it doesn’t have benefits to the original company, such as the following:
The threat of a lawsuit because of NCA violations is often sufficient incentive to prevent a worker from violating the terms of secrecy when they seek employment with a new company.
If a worker does violate the terms of the NCA, then even without specifically defined consequences being levied by court restrictions, the time and effort, not to mention the cost, of battling the issue in court is a deterrent.
Did you sign an NCA when you were hired? If so, do you know the terms and the potential consequences if you break that NCA?
Throughout the employment lifetime of personnel, managers should regularly audit the job descriptions, work tasks, privileges, and responsibilities for every staff member. It is common for work tasks and privileges to drift over time. This can cause some tasks to be overlooked and others to be performed multiple times. Drifting or privilege creep can also result in security violations. Regularly reviewing the boundaries of each job description in relation to what is actually occurring aids in keeping security violations to a minimum.
A key part of this review process is enforcing mandatory vacations. In many secured environments, mandatory vacations of one to two weeks are used to audit and verify the work tasks and privileges of employees. The vacation removes the employee from the work environment and places a different worker in their position, which makes it easier to detect abuse, fraud, or negligence on the part of the original employee.
Onboarding and Termination Processes
Onboarding is the process of adding new employees to the identity and access management (IAM) system of an organization. The onboarding process is also used when an employee’s role or position changes or when that person is awarded additional levels of privilege or access.
Offboarding is the reverse of this process. It is the removal of an employee’s identity from the IAM system once that person has left the organization. This can include disabling and/or deleting the user account, revoking certificates, canceling access codes, and terminating other specifically granted privileges. This may also include informing security guards and other physical access management personnel to disallow entry into the building to the person in the future.
The procedures for onboarding and offboarding should be clearly documented in order to ensure consistency of application as well as compliance with regulations or contractual obligations.
Onboarding can also refer to organizational socialization. This is the process by which new employees are trained in order to be properly prepared for performing their job responsibilities. It can include training, job skill acquisition, and behavioral adaptation in an effort to integrate employees efficiently into existing organizational processes and procedures. Well-designed onboarding can result in higher levels of job satisfaction, higher levels of productivity, faster integration with existing workers, a rise in organizational loyalty, stress reduction, and a decreased occurrence of resignation. Another benefit of well-designed onboarding, in the context of separation of duties and job responsibilities, is that it applies the principle of least privilege as previously discussed.
When an employee must be terminated or offboarded, numerous issues must be addressed. A strong relationship between the security department and human resources (HR) is essential to maintain control and minimize risks during termination. An employee termination process or procedure policy is essential to maintaining a secure environment when a disgruntled employee must be removed from the organization. The reactions of terminated employees can range from calm, understanding acceptance to violent, destructive rage. A sensible procedure for handling terminations must be designed and implemented to reduce incidents.
The termination of an employee should be handled in a private and respectful manner. However, this does not mean that precautions should not be taken. Terminations should take place with at least one witness, preferably a higher-level manager and/or a security guard. Once the employee has been informed of their release, they should be escorted off the premises and not allowed to return to their work area without an escort for any reason. Before the employee is released, all organization-specific identification, access, or security badges as well as cards, keys, and access tokens should be collected (Figure 2.3). Generally, the best time to terminate an employee is at the end of their shift midweek. An early to midweek termination provides the ex-employee with time to file for unemployment and/or start looking for new employment before the weekend. Also, end-of-shift terminations allow the worker to leave with other employees in a more natural departure, thus reducing stress.
FIGURE 2.3 Ex-employees must return all company property
When possible, an exit interview should be performed. However, this typically depends on the mental state of the employee upon release and numerous other factors. If an exit interview is unfeasible immediately upon termination, it should be conducted as soon as possible. The primary purpose of the exit interview is to review the liabilities and restrictions placed on the former employee based on the employment agreement, nondisclosure agreement, and any other security-related documentation.
The following list includes some other issues that should be handled as soon as possible:
Make sure the employee returns any organizational equipment or supplies from their vehicle or home.
Remove or disable the employee’s network user account.
Notify human resources to issue a final paycheck, pay any unused vacation time, and terminate benefit coverage.
Arrange for a member of the security department to accompany the released employee while they gather their personal belongings from the work area.
Inform all security personnel and anyone else who watches or monitors any entrance point to ensure that the ex-employee does not attempt to reenter the building without an escort.
In most cases, you should disable or remove an employee’s system access at the same time as or just before they are notified of being terminated. This is especially true if that employee is capable of accessing confidential data or has the expertise or access to alter or damage data or services. Failing to restrict released employees’ activities can leave your organization open to a wide range of vulnerabilities, including theft and destruction of both physical property and logical data.
Firing: Not Just a Pink Slip Anymore
Firing an employee has become a complex process. Gone are the days of firing merely by placing a pink slip in an employee’s mail slot. In most IT-centric organizations, termination can create a situation in which the employee could cause harm, putting the organization at risk. That’s why you need a well-designed exit interview process.
However, just having the process isn’t enough. It has to be followed correctly every time. Unfortunately, this doesn’t always happen. You might have heard of some fiasco caused by a botched termination procedure. Common examples include performing any of the following before the employee is officially informed of their termination (thus giving the employee prior warning of their termination):
The information technology (IT) department requesting the return of a notebook computer
Disabling a network account
Blocking a person’s personal identification number (PIN) or smart card for building entrance
Revoking a parking pass
Distributing a company reorganization chart
Positioning a new employee in the cubicle
Allowing layoff information to be leaked to the media
It should go without saying that in order for the exit interview and safe termination processes to function properly, they must be implemented in the correct order and at the correct time (that is, at the start of the exit interview), as in the following example:
Inform the person that they are relieved of their job.
Request the return of all access badges, keys, and company equipment.
Disable the person’s electronic access to all aspects of the organization.
Remind the person about the NDA obligations.
Escort the person off the premises.
Vendor, Consultant, and Contractor Agreements and Controls
Vendor, consultant, and contractor controls are used to define the levels of performance, expectation, compensation, and consequences for entities, persons, or organizations that are external to the primary organization. Often these controls are defined in a document or policy known as a service-level agreement (SLA).
Using SLAs is an increasingly popular way to ensure that organizations providing services to internal and/or external customers maintain an appropriate level of service agreed on by both the service provider and the vendor. It’s a wise move to put SLAs in place for any data circuits, applications, information processing systems, databases, or other critical components that are vital to your organization’s continued viability. SLAs are important when using any type of third-party service provider, which would include cloud services. The following issues are commonly addressed in SLAs:
System uptime (as a percentage of overall operating time)
Maximum consecutive downtime (in seconds/minutes/and so on)
Peak load
Average load
Responsibility for diagnostics
Failover time (if redundancy is in place)
SLAs also commonly include financial and other contractual remedies that kick in if the agreement is not maintained. For example, if a critical circuit is down for more than 15 minutes, the service provider might agree to waive all charges on that circuit for one week.
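The two SLA metrics named above (uptime as a percentage of the period and maximum consecutive downtime) and the 15-minute credit clause can be checked from monitoring records, but only if back-to-back or overlapping outage tickets are first merged into one event; otherwise a 17-minute outage logged as two tickets never trips the clause. The following is an added example, not from the book; the SLA terms, circuit, and outage records are constructed.

```python
"""Evaluate a circuit SLA (uptime % and longest consecutive outage) from outage records.

Constructed sample data: hypothetical SLA terms and a monitoring export of
(start, end) outage intervals for one critical circuit over March 2024.
"""
from datetime import datetime, timedelta

# Hypothetical SLA terms for the circuit, matching the book's 15-minute example.
SLA = {
    "min_uptime_pct": 99.9,                             # uptime over the review period
    "max_consecutive_downtime": timedelta(minutes=15),  # longer than this triggers a credit
}

# Review period: the whole of March 2024 (31 days), half-open [start, end).
PERIOD = (datetime(2024, 3, 1), datetime(2024, 4, 1))

# Constructed outage records as a monitoring tool might export them. Note that the
# first two tickets are adjacent (one 17-minute outage) and the last two overlap.
OUTAGES = [
    (datetime(2024, 3, 3, 2, 0), datetime(2024, 3, 3, 2, 8)),
    (datetime(2024, 3, 3, 2, 8), datetime(2024, 3, 3, 2, 17)),
    (datetime(2024, 3, 20, 14, 30), datetime(2024, 3, 20, 14, 35)),
    (datetime(2024, 3, 20, 14, 33), datetime(2024, 3, 20, 14, 40)),
]


def clip_to_period(outages, period):
    """Clamp intervals to the review period and drop those entirely outside it."""
    start, end = period
    clipped = []
    for s, e in outages:
        s, e = max(s, start), min(e, end)
        if s < e:
            clipped.append((s, e))
    return clipped


def merge_outages(outages):
    """Merge overlapping or adjacent intervals so consecutive downtime is measured correctly."""
    merged = []
    for s, e in sorted(outages):
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def evaluate_sla(outages=OUTAGES, period=PERIOD, sla=SLA):
    """Return the SLA metrics and whether each clause was met for the period."""
    merged = merge_outages(clip_to_period(outages, period))
    durations = [e - s for s, e in merged]
    total_down = sum(durations, timedelta())
    longest = max(durations, default=timedelta())
    span = period[1] - period[0]
    uptime_pct = 100.0 * (span - total_down).total_seconds() / span.total_seconds()
    return {
        "outage_count": len(merged),
        "total_downtime": total_down,
        "longest_outage": longest,
        "uptime_pct": round(uptime_pct, 4),
        "uptime_met": uptime_pct >= sla["min_uptime_pct"],
        "credit_due": longest > sla["max_consecutive_downtime"],
    }


if __name__ == "__main__":
    for key, value in evaluate_sla().items():
        print(f"{key}: {value}")
```

With the constructed data the uptime clause is met (about 99.94%) while the credit clause still triggers, which is why both metrics belong in the agreement.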
SLAs and vendor, consultant, and contractor controls are an important part of risk reduction and risk avoidance. By clearly defining the expectations and penalties for external parties, everyone involved knows what is expected of them and what the consequences are in the event of a failure to meet those expectations. Although it may be very cost effective to use outside providers for a variety of business functions or services, it does increase potential risk by expanding the potential attack surface and range of vulnerabilities. SLAs should include a focus on protecting and improving security in addition to ensuring quality and timely services at a reasonable price. Some SLAs are set and cannot be adjusted, while with others you may have significant influence over their content. You should ensure that an SLA supports the tenets of your security policy and infrastructure rather than being in conflict with it, which could introduce weak points, vulnerabilities, or exceptions.
Compliance Policy Requirements
Compliance is the act of conforming to or adhering to rules, policies, regulations, standards, or requirements. Compliance is an important concern to security governance. On a personnel level, compliance is related to whether individual employees follow company policy and perform their job tasks in accordance with defined procedures. Many organizations rely on employee compliance in order to maintain high levels of quality, consistency, efficiency, and cost savings. If employees do not maintain compliance, it could cost the organization in terms of profit, market share, recognition, and reputation. Employees need to be trained in regard to what they need to do (i.e., stay in line with company standards as defined in the security policy and remain in compliance with any contractual obligations such as the Payment Card Industry Data Security Standard (PCI DSS) to maintain the ability to perform credit card processing); only then can they be held accountable for violations or lack of compliance.
Privacy Policy Requirements
Privacy can be a difficult concept to define. The term is used frequently in numerous contexts without much quantification or qualification. Here are some partial definitions of privacy:
Active prevention of unauthorized access to information that is personally identifiable (that is, data points that can be linked directly to a person or organization)
Freedom from unauthorized access to information deemed personal or confidential
Freedom from being observed, monitored, or examined without consent or knowledge
A concept that comes up frequently in discussions of privacy is personally identifiable information (PII). PII is any data item that can be easily and/or obviously traced back to the person of origin or concern. A phone number, email address, mailing address, social security number, and name are all PII. A MAC address, Internet Protocol (IP) address, OS type, favorite vacation spot, name of high school mascot, and so forth are not typically considered to be PII. However, that is not a universally true statement. In Germany and other member countries of the European Union (EU), IP addresses and MAC addresses are considered PII in some situations (see https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases).
When addressing privacy in the realm of IT, there is usually a balancing act between individual rights and the rights or activities of an organization. Some claim that individuals have the right to control whether information can be collected about them and what can be done with it. Others claim that any activity performed in public view—such as most activities performed over the internet or activities performed on company equipment—can be monitored without knowledge of or permission from the individuals being watched and that the information gathered from such monitoring can be used for whatever purposes an organization deems appropriate or desirable.
Protecting individuals from unwanted observation, direct marketing, and disclosure of private, personal, or confidential details is usually considered a worthy effort. However, some organizations profess that demographic studies, information gleaning, and focused marketing improve business models, reduce advertising waste, and save money for all parties.
There are many legislative and regulatory compliance issues in regard to privacy. Many US regulations—such as the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act of 2002 (SOX), the Family Educational Rights and Privacy Act (FERPA), and the Gramm-Leach-Bliley Act—as well as the EU’s Directive 95/46/EC (aka the Data Protection Directive), the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), and the contractual requirement Payment Card Industry Data Security Standard (PCI DSS)—include privacy requirements. It is important to understand all government regulations that your organization is required to adhere to and ensure compliance, especially in the areas of privacy protection.
Whatever your personal or organizational stance is on the issue of online privacy, it must be addressed in an organizational security policy. Privacy is an issue not just for external visitors to your online offerings but also for your customers, employees, suppliers, and contractors. If you gather any type of information about any person or company, you must address privacy.
In most cases, especially when privacy is being violated or restricted, the individuals and companies must be informed; otherwise, you may face legal ramifications. Privacy issues must also be addressed when allowing or restricting personal use of email, retaining email, recording phone conversations, gathering information about surfing or spending habits, and so on.
Security Governance
Security governance is the collection of practices related to supporting, defining, and directing the security efforts of an organization. Security governance is closely related to and often intertwined with corporate and IT governance. The goals of these three governance agendas often interrelate or are the same. For example, a common goal of organizational governance is to ensure that the organization will continue to exist and will grow or expand over time. Thus, the goal of all three forms of governance is to maintain business processes while striving toward growth and resiliency.
Third-party governance is the system of oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements. The actual method of governance may vary, but it generally involves an outside investigator or auditor. These auditors might be designated by a governing body or might be consultants hired by the target organization.
Another aspect of third-party governance is the application of security oversight on third parties that your organization relies on. Many organizations choose to outsource various aspects of their business operations. Outsourced operations can include security guards, maintenance, technical support, and accounting services. These parties need to stay in compliance with the primary organization’s security stance. Otherwise, they present additional risks and vulnerabilities to the primary organization.
Third-party governance focuses on verifying compliance with stated security objectives, requirements, regulations, and contractual obligations. On-site assessments can provide firsthand exposure to the security mechanisms employed at a location. Those performing on-site assessment or audits need to follow auditing protocols (such as Control Objectives for Information and Related Technology [COBIT]) and have a specific checklist of requirements to investigate.
In the auditing and assessment process, both the target and the governing body should participate in full and open document exchange and review. An organization needs to know the full details of all requirements it must comply with. The organization should submit security policy and self-assessment reports back to the governing body. This open document exchange ensures that all parties involved are in agreement about all the issues of concern. It reduces the chances of unknown requirements or unrealistic expectations. Document exchange does not end with the transmission of paperwork or electronic files. Instead, it leads into the process of documentation review.
Documentation review is the process of reading the exchanged materials and verifying them against standards and expectations. The documentation review is typically performed before any on-site inspection takes place. If the exchanged documentation is sufficient and meets expectations (or at least requirements), then an on-site review will be able to focus on compliance with the stated documentation. However, if the documentation is incomplete, inaccurate, or otherwise insufficient, the on-site review is postponed until the documentation can be updated and corrected. This step is important because if the documentation is not in compliance, chances are the location will not be in compliance either.
In many situations, especially related to government or military agencies or contractors, failing to provide sufficient documentation to meet requirements of third-party governance can result in a loss of or a voiding of authorization to operate (ATO). Complete and sufficient documentation can often maintain existing ATO or provide a temporary ATO (TATO). However, once an ATO is lost or revoked, a complete documentation review and on-site review showing full compliance is usually necessary to reestablish the ATO.
A portion of the documentation review is the logical and practical investigation of the business processes and organizational policies. This review ensures that the stated and implemented business tasks, systems, and methodologies are practical, efficient, and cost effective and most of all (at least in relation to security governance) that they support the goal of security through the reduction of vulnerabilities and the avoidance, reduction, or mitigation of risk. Risk management, risk assessment, and addressing risk are all methods and techniques involved in performing process/policy review.
Understand and Apply Risk Management Concepts
Security is aimed at preventing loss or disclosure of data while sustaining authorized access. The possibility that something could happen to damage, destroy, or disclose data or other resources is known as risk. Understanding risk management concepts is not only important for the CISSP exam, it’s also essential to the establishment of a sufficient security stance, proper security governance, and legal proof of due care and due diligence.
Managing risk is therefore an element of sustaining a secure environment. Risk management is a detailed process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk. The overall process of risk management is used to develop and implement information security strategies. The goal of these strategies is to reduce risk and to support the mission of the organization.
The primary goal of risk management is to reduce risk to an acceptable level. What that level actually is depends on the organization, the value of its assets, the size of its budget, and many other factors. One organization might consider something to be an acceptable risk, while another organization might consider the very same thing to be an unreasonably high level of risk. It is impossible to design and deploy a totally risk-free environment; however, significant risk reduction is possible, often with little effort.
Risks to an IT infrastructure are not all computer based. In fact, many risks come from noncomputer sources. It is important to consider all possible risks when performing risk evaluation for an organization. Failing to properly evaluate and respond to all forms of risk will leave a company vulnerable. Keep in mind that IT security, commonly referred to as logical or technical security, can provide protection only against logical or technical attacks. To protect IT against physical attacks, physical protections must be erected.
The process by which the goals of risk management are achieved is known as risk analysis. It includes examining an environment for risks, evaluating each threat event as to its likelihood of occurring and the cost of the damage it would cause if it did occur, assessing the cost of various countermeasures for each risk, and creating a cost/benefit report for safeguards to present to upper management. In addition to these risk-focused activities, risk management requires evaluation, assessment, and the assignment of value for all assets within the organization. Without proper asset valuations, it is not possible to prioritize and compare risks with possible losses.
Risk Terminology
Risk management employs a vast terminology that must be clearly understood, especially for the CISSP exam. This section defines and discusses all the important risk-related terminology:
Asset An asset is anything within an environment that should be protected. It is anything used in a business process or task. It can be a computer file, a network service, a system resource, a process, a program, a product, an IT infrastructure, a database, a hardware device, furniture, product recipes/formulas, intellectual property, personnel, software, facilities, and so on. If an organization places any value on an item under its control and deems that item important enough to protect, it is labeled an asset for the purposes of risk management and analysis. The loss or disclosure of an asset could result in an overall security compromise, loss of productivity, reduction in profits, additional expenditures, discontinuation of the organization, and numerous intangible consequences.
Asset Valuation Asset valuation is a dollar value assigned to an asset based on actual cost and nonmonetary expenses. These can include costs to develop, maintain, administer, advertise, support, repair, and replace an asset; they can also include more elusive values, such as public confidence, industry support, productivity enhancement, knowledge equity, and ownership benefits. Asset valuation is discussed in detail later in this chapter.
Threats Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset is a threat. Threats are any action or inaction that could cause damage, destruction, alteration, loss, or disclosure of assets or that could block access to or prevent maintenance of assets. Threats can be large or small and result in large or small consequences. They can be intentional or accidental. They can originate from people, organizations, hardware, networks, structures, or nature. Threat agents intentionally exploit vulnerabilities. Threat agents are usually people, but they could also be programs, hardware, or systems. Threat events are accidental and intentional exploitations of vulnerabilities. They can also be natural or man-made. Threat events include fire, earthquake, flood, system failure, human error (due to a lack of training or ignorance), and power outage.
Vulnerability The weakness in an asset or the absence or the weakness of a safeguard or countermeasure is a vulnerability. In other words, a vulnerability is a flaw, loophole, oversight, error, limitation, frailty, or susceptibility in the IT infrastructure or any other aspect of an organization. If a vulnerability is exploited, loss or damage to assets can occur.
Exposure Exposure is being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited by a threat agent or event. Exposure doesn’t mean that a realized threat (an event that results in loss) is actually occurring (the exposure to a realized threat is called experienced exposure). It just means that if there is a vulnerability and a threat that can exploit it, there is the possibility that a threat event, or potential exposure, can occur. Another way of thinking about exposure is to answer the question “What is the worst that could happen?” You are not stating that harm has occurred or that it will actually occur, only that there is the potential for harm and how extensive or serious that harm might be. The quantitative risk analysis value of exposure factor (EF) is derived from this concept.
Risk Risk is the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset. It is an assessment of probability, possibility, or chance. The more likely it is that a threat event will occur, the greater the risk. Every instance of exposure is a risk. When written as a formula, risk can be defined as follows:
risk = threat * vulnerability
Thus, reducing either the threat agent or the vulnerability directly results in a reduction in risk.
When a risk is realized, a threat agent, a threat actor, or a threat event has taken advantage of a vulnerability and caused harm to or disclosure of one or more assets. The whole purpose of security is to prevent risks from becoming realized by removing vulnerabilities and blocking threat agents and threat events from jeopardizing assets. As a risk management tool, security is the implementation of safeguards.
Safeguards A safeguard, security control, or countermeasure is anything that removes or reduces a vulnerability or protects against one or more specific threats. A safeguard can be installing a software patch, making a configuration change, hiring security guards, altering the infrastructure, modifying processes, improving the security policy, training personnel more effectively, electrifying a perimeter fence, installing lights, and so on. It is any action or product that reduces risk through the elimination or lessening of a threat or a vulnerability anywhere within an organization. Safeguards are the only means by which risk is mitigated or removed. It is important to remember that a safeguard, security control, or countermeasure need not involve the purchase of a new product; reconfiguring existing elements and even removing elements from the infrastructure are also valid safeguards.
Attack An attack is the exploitation of a vulnerability by a threat agent. In other words, an attack is any intentional attempt to exploit a vulnerability of an organization’s security infrastructure to cause damage, loss, or disclosure of assets. An attack can also be viewed as any violation or failure to adhere to an organization’s security policy.
Breach A breach is the occurrence of a security mechanism being bypassed or thwarted by a threat agent. When a breach is combined with an attack, a penetration, or intrusion, can result. A penetration is the condition in which a threat agent has gained access to an organization’s infrastructure through the circumvention of security controls and is able to directly imperil assets.
The elements asset, threat, vulnerability, exposure, risk, and safeguard are related, as shown in Figure 2.4. Threats exploit vulnerabilities, which results in exposure. Exposure is risk, and risk is mitigated by safeguards. Safeguards protect assets that are endangered by threats.
FIGURE 2.4 The elements of risk
Identify Threats and Vulnerabilities
An essential part of risk management is identifying and examining threats. This involves creating an exhaustive list of all possible threats for the organization’s identified assets. The list should include threat agents as well as threat events. It is important to keep in mind that threats can come from anywhere. Threats to IT are not limited to IT sources. When compiling a list of threats, be sure to consider the following:
Viruses
Cascade errors (a series of escalating errors) and dependency faults (caused by relying on events or items that don’t exist)
Criminal activities by authorized users (espionage, IP theft, embezzlement, etc.)
Movement (vibrations, jarring, etc.)
Intentional attacks
Reorganization
Authorized user illness or epidemics
Malicious hackers
Disgruntled employees
User errors
Natural disasters (earthquakes, floods, fire, volcanoes, hurricanes, tornadoes, tsunamis, and so on)
Physical damage (crushing, projectiles, cable severing, and so on)
Misuse of data, resources, or services
Changes or compromises to data classification or security policies
Government, political, or military intrusions or restrictions
Processing errors, buffer overflows
Personnel privilege abuse
Temperature extremes
Energy anomalies (static, EM pulses, radio frequencies [RFs], power loss, power surges, and so on)
Loss of data
Information warfare
Bankruptcy or alteration/interruption of business activity
Coding/programming errors
Intruders (physical and logical)
Environmental factors (presence of gases, liquids, organisms, and so on)
Equipment failure
Physical theft
Social engineering
In most cases, a team rather than a single individual should perform risk assessment and analysis. Also, the team members should be from various departments within the organization. It is not usually a requirement that all team members be security professionals or even network/system administrators. The diversity of the team based on the demographics of the organization will help to exhaustively identify and address all possible threats and risks.
The Consultant Cavalry
Risk assessment is a highly involved, detailed, complex, and lengthy process. Often risk analysis cannot be properly handled by existing employees because of the size, scope, or liability of the risk; thus, many organizations bring in risk management consultants to perform this work. This provides a high level of expertise, does not bog down employees, and can be a more reliable measurement of real-world risk. But even risk management consultants do not perform risk assessment and analysis on paper only; they typically employ complex and expensive risk assessment software. This software streamlines the overall task, provides more reliable results, and produces standardized reports that are acceptable to insurance companies, boards of directors, and so on.
Risk Assessment/Analysis
Risk management/analysis is primarily an exercise for upper management. It is their responsibility to initiate and support risk analysis and assessment by defining the scope and purpose of the endeavor. The actual processes of performing risk analysis are often delegated to security professionals or an evaluation team. However, all risk assessments, results, decisions, and outcomes must be understood and approved by upper management as an element in providing prudent due care.
All IT systems have risk. There is no way to eliminate 100 percent of all risks. Instead, upper management must decide which risks are acceptable and which are not. Determining which risks are acceptable requires detailed and complex asset and risk assessments.
Once you develop a list of threats, you must individually evaluate each threat and its related risk. There are two risk assessment methodologies: quantitative and qualitative. Quantitative risk analysis assigns real dollar figures to the loss of an asset. Qualitative risk analysis assigns subjective and intangible values to the loss of an asset. Both methods are necessary for a complete risk analysis. Most environments employ a hybrid of both risk assessment methodologies in order to gain a balanced view of their security concerns.
Quantitative Risk Analysis
The quantitative method results in concrete probability percentages. That means the end result is a report that has dollar figures for levels of risk, potential loss, cost of countermeasures, and value of safeguards. This report is usually fairly easy to understand, especially for anyone with knowledge of spreadsheets and budget reports. Think of quantitative analysis as the act of assigning a quantity to risk—in other words, placing a dollar figure on each asset and threat. However, a purely quantitative analysis is not sufficient; not all elements and aspects of the analysis can be quantified because some are qualitative, subjective, or intangible.
The process of quantitative risk analysis starts with asset valuation and threat identification. Next, you estimate the potential and frequency of each risk. This information is then used to calculate various cost functions that are used to evaluate safeguards.
The six major steps or phases in quantitative risk analysis are as follows (Figure 2.5):
1. Inventory assets, and assign a value (asset value, or AV). (Asset value is detailed further in a later section of this chapter named “Asset Valuation.”)
2. Research each asset, and produce a list of all possible threats of each individual asset. For each listed threat, calculate the exposure factor (EF) and single loss expectancy (SLE).
3. Perform a threat analysis to calculate the likelihood of each threat being realized within a single year—that is, the annualized rate of occurrence (ARO).
4. Derive the overall loss potential per threat by calculating the annualized loss expectancy (ALE).
5. Research countermeasures for each threat, and then calculate the changes to ARO and ALE based on an applied countermeasure.
6. Perform a cost/benefit analysis of each countermeasure for each threat for each asset. Select the most appropriate response to each threat.
FIGURE 2.5 The six major elements of quantitative risk analysis
The cost functions associated with quantitative risk analysis include the exposure factor, single loss expectancy, annualized rate of occurrence, and annualized loss expectancy:
Exposure Factor The exposure factor (EF) represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk. The EF can also be called the loss potential. In most cases, a realized risk does not result in the total loss of an asset. The EF simply indicates the expected overall asset value loss because of a single realized risk. The EF is usually small for assets that are easily replaceable, such as hardware. It can be very large for assets that are irreplaceable or proprietary, such as product designs or a database of customers. The EF is expressed as a percentage.
Single Loss Expectancy The EF is needed to calculate the SLE. The single loss expectancy (SLE) is the cost associated with a single realized risk against a specific asset. It indicates the exact amount of loss an organization would experience if an asset were harmed by a specific threat occurring.
The SLE is calculated using the following formula:
SLE = asset value (AV) * exposure factor (EF)
or more simply:
SLE = AV * EF
The SLE is expressed in a dollar value. For example, if an asset is valued at $200,000 and it has an EF of 45 percent for a specific threat, then the SLE of the threat for that asset is $90,000.
Annualized Rate of Occurrence The annualized rate of occurrence (ARO) is the expected frequency with which a specific threat or risk will occur (that is, become realized) within a single year. The ARO can range from a value of 0.0 (zero), indicating that the threat or risk will never be realized, to a very large number, indicating that the threat or risk occurs often. Calculating the ARO can be complicated. It can be derived from historical records, statistical analysis, or guesswork. ARO calculation is also known as probability determination. The ARO for some threats or risks is calculated by multiplying the likelihood of a single occurrence by the number of users who could initiate the threat. For example, the ARO of an earthquake in Tulsa may be .00001, whereas the ARO of an earthquake in San Francisco may be .03 (for a 6.7+ magnitude), or you can compare the ARO of an earthquake in Tulsa of .00001 to the ARO of an email virus in an office in Tulsa of 10,000,000.
Annualized Loss Expectancy The annualized loss expectancy (ALE) is the possible yearly cost of all instances of a specific realized threat against a specific asset.
The ALE is calculated using the following formula:
ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO)
Or more simply:
ALE = SLE * ARO
For example, if the SLE of an asset is $90,000 and the ARO for a specific threat (such as total power loss) is .5, then the ALE is $45,000. On the other hand, if the ARO for a specific threat (such as compromised user account) is 15, then the ALE would be $1,350,000.
The task of calculating EF, SLE, ARO, and ALE for every asset and every threat/risk is a daunting one. Fortunately, quantitative risk assessment software tools can simplify and automate much of this process. These tools produce an asset inventory with valuations and then, using predefined AROs along with some customizing options (that is, industry, geography, IT components, and so on), produce risk analysis reports. The following calculations are often involved:
Calculating Annualized Loss Expectancy with a Safeguard In addition to determining the annual cost of the safeguard, you must calculate the ALE for the asset if the safeguard is implemented. This requires a new EF and ARO specific to the safeguard. In most cases, the EF to an asset remains the same even with an applied safeguard. (Recall that the EF is the amount of loss incurred if the risk becomes realized.) In other words, if the safeguard fails, how much damage does the asset receive? Think about it this way: If you have on body armor but the body armor fails to prevent a bullet from piercing your heart, you are still experiencing the same damage that would have occurred without the body armor. Thus, if the safeguard fails, the loss on the asset is usually the same as when there is no safeguard. However, some safeguards do reduce the resultant damage even when they fail to fully stop an attack. For example, though a fire might still occur and the facility may be damaged by the fire and the water from the sprinklers, the total damage is likely to be less than having the entire building burn down.
Even if the EF remains the same, a safeguard changes the ARO. In fact, the whole point of a safeguard is to reduce the ARO. In other words, a safeguard should reduce the number of times an attack is successful in causing damage to an asset. The best of all possible safeguards would reduce the ARO to zero. Although there are some perfect safeguards, most are not. Thus, many safeguards have an applied ARO that is smaller (you hope much smaller) than the non-safeguarded ARO, but it is not often zero. With the new ARO (and possible new EF), a new ALE with the application of a safeguard is computed.
With the pre-safeguard ALE and the post-safeguard ALE calculated, there is yet one more value needed to perform a cost/benefit analysis. This additional value is the annual cost of the safeguard.
Calculating Safeguard Costs For each specific risk, you must evaluate one or more safeguards, or countermeasures, on a cost/benefit basis. To perform this evaluation, you must first compile a list of safeguards for each threat. Then you assign each safeguard a deployment value. In fact, you must measure the deployment value or the cost of the safeguard against the value of the protected asset. The value of the protected asset therefore determines the maximum expenditures for protection mechanisms. Security should be cost effective, and thus it is not prudent to spend more (in terms of cash or resources) protecting an asset than its value to the organization. If the cost of the countermeasure is greater than the value of the asset (that is, the cost of the risk), then you should accept the risk.
Numerous factors are involved in calculating the value of a countermeasure:
Cost of purchase, development, and licensing
Cost of implementation and customization
Cost of annual operation, maintenance, administration, and so on
Cost of annual repairs and upgrades
Productivity improvement or loss
Changes to environment
Cost of testing and evaluation
Once you know the potential cost of a safeguard, it is then possible to evaluate the benefit of that safeguard if applied to an infrastructure. As mentioned earlier, the annual costs of safeguards should not exceed the expected annual cost of asset loss.
Calculating Safeguard Cost/Benefit One of the final computations in this process is the cost/benefit calculation or cost/benefit analysis to determine whether a safeguard actually improves security without costing too much. To make the determination of whether the safeguard is financially equitable, use the following formula:
ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard (ACS) = value of the safeguard to the company
If the result is negative, the safeguard is not a financially responsible choice. If the result is positive, then that value is the annual savings your organization may reap by deploying the safeguard because the rate of occurrence is not a guarantee of occurrence.
The annual savings or loss from a safeguard should not be the only consideration when evaluating safeguards. You should also consider the issues of legal responsibility and prudent due care. In some cases, it makes more sense to lose money in the deployment of a safeguard than to risk legal liability in the event of an asset disclosure or loss.
In review, to perform the cost/benefit analysis of a safeguard, you must calculate the following three elements:
The pre-countermeasure ALE for an asset-and-threat pairing
The post-countermeasure ALE for an asset-and-threat pairing
The ACS (annual cost of the safeguard)
With those elements, you can finally obtain a value for the cost/benefit formula for this specific safeguard against a specific risk against a specific asset:
(pre-countermeasure ALE – post-countermeasure ALE) – ACS
Or, even more simply:
(ALE1 – ALE2) – ACS
The coun ter mea sure with the great est re sult ing value from this cost/ben e fit for mula makes the most eco nomic sense to de ploy against the spe cific as set-and-threat pair ing.
Table 2.1 illustrates the various formulas associated with quantitative risk analysis.
TABLE 2.1 Quantitative risk analysis formulas
Concept                                  Formula
Exposure factor (EF)                     %
Single loss expectancy (SLE)             SLE = AV * EF
Annualized rate of occurrence (ARO)      # / year
Annualized loss expectancy (ALE)         ALE = SLE * ARO or ALE = AV * EF * ARO
Annual cost of the safeguard (ACS)       $ / year
Value or benefit of a safeguard          (ALE1 – ALE2) – ACS
Yikes, So Much Math!
Yes, quantitative risk analysis involves a lot of math. Math questions on the exam are likely to involve basic multiplication. Most likely, you will be asked definition, application, and concept synthesis questions on the CISSP exam. This means you need to know the definition of the equations/formulas and values, what they mean, why they are important, and how they are used to benefit an organization. The concepts you must know are AV, EF, SLE, ARO, ALE, and the cost/benefit formula.
It is important to realize that with all the calculations used in the quantitative risk assessment process, the end values are used for prioritization and selection. The values themselves do not truly reflect real-world loss or costs due to security breaches. This should be obvious because of the level of guesswork, statistical analysis, and probability predictions required in the process.
Once you have calculated a cost/benefit for each safeguard for each risk that affects each asset, you must then sort these values. In most cases, the cost/benefit with the highest value is the best safeguard to implement for that specific risk against a specific asset. But as with all things in the real world, this is only one part of the decision-making process. Although very important and often the primary guiding factor, it is not the sole element of data. Other items include actual cost, security budget, compatibility with existing systems, skill/knowledge base of IT staff, and availability of product as well as political issues, partnerships, market trends, fads, marketing, contracts, and favoritism. As part of senior management or even the IT staff, it is your responsibility to either obtain or use all available data and information to make the best security decision for your organization.
Most organizations have a limited and all-too-finite budget to work with. Thus, obtaining the best security for the cost is an essential part of security management. To effectively manage the security function, you must assess the budget, the benefit and performance metrics, and the necessary resources of each security control. Only after a thorough evaluation can you determine which controls are essential and beneficial not only to security, but also to your bottom line.
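The Table 2.1 formulas and the "sort the cost/benefit values" step, worked through for one asset-and-threat pairing with several candidate safeguards. This is an added example written for this page, not code from the book or from (ISC)²; the file server, the three safeguards, and every dollar figure and rate are constructed sample values, and the names Safeguard, rank_safeguards, and financially_acceptable are this example's own. It also shows the negative-result case the text describes, where a strong safeguard still fails the cost/benefit test.

```python
"""Quantitative risk analysis worked example (added here; not from the book).

Implements the Table 2.1 formulas and the ranking step for one
asset-and-threat pairing:
    SLE = AV * EF
    ALE = SLE * ARO
    safeguard value = (ALE1 - ALE2) - ACS
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure and the risk picture it leaves behind."""
    name: str
    ef_after: float   # exposure factor (0.0-1.0) with this safeguard in place
    aro_after: float  # annualized rate of occurrence with this safeguard in place
    acs: float        # annual cost of the safeguard, $/year (all cost factors)


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV * EF. EF is the fraction of the asset value lost per incident."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("EF must be between 0 and 1 (it is a percentage)")
    return av * ef


def annualized_loss_expectancy(av: float, ef: float, aro: float) -> float:
    """ALE = SLE * ARO = AV * EF * ARO."""
    if aro < 0:
        raise ValueError("ARO is a count per year and cannot be negative")
    return single_loss_expectancy(av, ef) * aro


def safeguard_value(ale_before: float, ale_after: float, acs: float) -> float:
    """(ALE1 - ALE2) - ACS. Negative means the safeguard costs more than it saves."""
    return (ale_before - ale_after) - acs


def rank_safeguards(av, ef_before, aro_before, candidates):
    """Score each candidate against the pre-countermeasure ALE, best first.

    Returns (name, value) tuples. The first entry makes the most economic
    sense; a negative value marks a safeguard that is not a financially
    responsible choice on cost/benefit grounds alone.
    """
    ale1 = annualized_loss_expectancy(av, ef_before, aro_before)
    scored = []
    for c in candidates:
        ale2 = annualized_loss_expectancy(av, c.ef_after, c.aro_after)
        scored.append((c.name, safeguard_value(ale1, ale2, c.acs)))
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return scored


def financially_acceptable(scored):
    """Keep only the safeguards whose cost/benefit value is positive."""
    return [(name, value) for name, value in scored if value > 0]


# Constructed sample input (not from the book): a file server worth $200,000
# threatened by a storage failure that destroys 40% of its value and is
# expected once every two years.
ASSET_VALUE = 200_000.0
EF_BEFORE = 0.40
ARO_BEFORE = 0.5

CANDIDATES = [
    # Offsite backups: cuts the loss per incident, not its frequency.
    Safeguard("Offsite backups", ef_after=0.10, aro_after=0.5, acs=5_000.0),
    # Operator training: incidents become rarer; loss per incident unchanged.
    Safeguard("Operator training", ef_after=0.40, aro_after=0.25, acs=3_000.0),
    # Redundant array: strongest reduction, but it costs more than it saves.
    Safeguard("Redundant storage array", ef_after=0.05, aro_after=0.5, acs=38_000.0),
]


if __name__ == "__main__":
    ale1 = annualized_loss_expectancy(ASSET_VALUE, EF_BEFORE, ARO_BEFORE)
    print(f"SLE before: ${single_loss_expectancy(ASSET_VALUE, EF_BEFORE):,.0f}")
    print(f"ALE before: ${ale1:,.0f}")
    for name, value in rank_safeguards(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, CANDIDATES):
        verdict = "candidate" if value > 0 else "not cost-effective"
        print(f"{name:25s} {value:>10,.0f}  {verdict}")
```

With the constructed figures, ALE1 is $40,000; offsite backups score $25,000, operator training $17,000, and the redundant array comes out at minus $3,000 even though it leaves the least residual loss, which is exactly why the text says to compare the formula's result rather than the raw risk reduction. As the text also notes, a positive value is an input to the decision, not the whole decision.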
Qualitative Risk Analysis
Qualitative risk analysis is more scenario based than it is calculator based. Rather than assigning exact dollar figures to possible losses, you rank threats on a scale to evaluate their risks, costs, and effects. Since a purely quantitative risk assessment is not possible, balancing the results of a quantitative analysis is essential. The method of combining quantitative and qualitative analysis into a final assessment of organizational risk is known as hybrid assessment or hybrid analysis. The process of performing qualitative risk analysis involves judgment, intuition, and experience. You can use many techniques to perform qualitative risk analysis:
Brainstorming
Delphi technique
Storyboarding
Focus groups
Surveys
Questionnaires
Checklists
One-on-one meetings
Interviews
Determining which mechanism to employ is based on the culture of the organization and the types of risks and assets involved. It is common for several methods to be employed simultaneously and their results compared and contrasted in the final risk analysis report to upper management.
Scenarios
The basic process for all these mechanisms involves the creation of scenarios. A scenario is a written description of a single major threat. The description focuses on how a threat would be instigated and what effects its occurrence could have on the organization, the IT infrastructure, and specific assets. Generally, the scenarios are limited to one page of text to keep them manageable. For each scenario, one or more safeguards are described that would completely or partially protect against the major threat discussed in the scenario. The analysis participants then assign to the scenario a threat level, a loss potential, and the advantages of each safeguard. These assignments can be grossly simple—such as High, Medium, and Low or a basic number scale of 1 to 10—or they can be detailed essay responses. The responses from all participants are then compiled into a single report that is presented to upper management. For examples of reference ratings and levels, please see Table 3-6 and Table 3-7 in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30:
http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
The usefulness and validity of a qualitative risk analysis improves as the number and diversity of the participants in the evaluation increases. Whenever possible, include one or more people from each level of the organizational hierarchy, from upper management to end user. It is also important to include a cross section from each major department, division, office, or branch.
Delphi Technique
The Delphi technique is probably the only mechanism on the previous list that is not immediately recognizable and understood. The Delphi technique is simply an anonymous feedback-and-response process used to enable a group to reach an anonymous consensus. Its primary purpose is to elicit honest and uninfluenced responses from all participants. The participants are usually gathered into a single meeting room. To each request for feedback, each participant writes down their response on paper anonymously. The results are compiled and presented to the group for evaluation. The process is repeated until a consensus is reached.
Both the quantitative and qualitative risk analysis mechanisms offer useful results. However, each technique involves a unique method of evaluating the same set of assets and risks. Prudent due care requires that both methods be employed. Table 2.2 describes the benefits and disadvantages of these two systems.
TABLE 2.2 Comparison of quantitative and qualitative risk analysis
Characteristic                              Qualitative   Quantitative
Employs complex functions                   No            Yes
Uses cost/benefit analysis                  No            Yes
Results in specific values                  No            Yes
Requires guesswork                          Yes           No
Supports automation                         No            Yes
Involves a high volume of information       No            Yes
Is objective                                No            Yes
Uses opinions                               Yes           No
Requires significant time and effort        No            Yes
Offers useful and meaningful results        Yes           Yes
Risk Responses
The results of risk analysis are many:
Complete and detailed valuation of all assets
An exhaustive list of all threats and risks, rate of occurrence, and extent of loss if realized
A list of threat-specific safeguards and countermeasures that identifies their effectiveness and ALE
A cost/benefit analysis of each safeguard
This information is essential for management to make educated, intelligent decisions about safeguard implementation and security policy alterations.
Once the risk analysis is complete, management must address each specific risk. There are several possible responses to risk:
Reduce or mitigate
Assign or transfer
Accept
Deter
Avoid
Reject or ignore
You need to know the following information about the possible risk responses:
Risk Mitigation
Reducing risk, or risk mitigation, is the implementation of safeguards and countermeasures to eliminate vulnerabilities or block threats. Picking the most cost-effective or beneficial countermeasure is part of risk management, but it is not an element of risk assessment. In fact, countermeasure selection is a post-risk-assessment or post-risk-analysis activity. Another potential variation of risk mitigation is risk avoidance. The risk is avoided by eliminating the risk cause. A simple example is removing the File Transfer Protocol (FTP) from a server to avoid FTP attacks, and a larger example is to move to an inland location to avoid the risks from hurricanes.
Risk Assignment
Assigning risk or transferring risk is the placement of the cost of loss a risk represents onto another entity or organization. Purchasing insurance and outsourcing are common forms of assigning or transferring risk.
Risk Acceptance
Accepting risk, risk tolerance, or acceptance of risk is the result after a cost/benefit analysis shows countermeasure costs would outweigh the possible cost of loss due to a risk. It also means that management has agreed to accept the consequences and the loss if the risk is realized. In most cases, accepting risk requires a clearly written statement that indicates why a safeguard was not implemented, who is responsible for the decision, and who will be responsible for the loss if the risk is realized, usually in the form of a sign-off letter. An organization's decision to accept risk is based on its risk tolerance, also known as risk appetite, which is the ability of an organization to absorb the losses associated with realized risks.
Risk Deterrence
Risk deterrence is the process of implementing deterrents to would-be violators of security and policy. Some examples include implementation of auditing, security cameras, security guards, instructional signage, warning banners, motion detectors, strong authentication, and making it known that the organization is willing to cooperate with authorities and prosecute those who participate in cybercrime.
Risk Avoidance
Risk avoidance is the process of selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option. For example, choosing to fly to a destination instead of driving to it is a form of risk avoidance. Another example is to locate a business in Arizona instead of Florida to avoid hurricanes.
Risk Rejection
A final but unacceptable possible response to risk is to reject risk or ignore risk. Denying that a risk exists and hoping that it will never be realized are not valid or prudent due-care responses to risk.
Once countermeasures are implemented, the risk that remains is known as residual risk. Residual risk comprises threats to specific assets against which upper management chooses not to implement a safeguard. In other words, residual risk is the risk that management has chosen to accept rather than mitigate. In most cases, the presence of residual risk indicates that the cost/benefit analysis showed that the available safeguards were not cost-effective deterrents.
Total risk is the amount of risk an organization would face if no safeguards were implemented. A formula for total risk is as follows:
threats * vulnerabilities * asset value = total risk
(Note that the * here does not imply multiplication, but a combination function; this is not a true mathematical formula.) The difference between total risk and residual risk is known as the controls gap. The controls gap is the amount of risk that is reduced by implementing safeguards. A formula for residual risk is as follows:
total risk – controls gap = residual risk
As with risk management in general, handling risk is not a one-time process. Instead, security must be continually maintained and reaffirmed. In fact, repeating the risk assessment and analysis process is a mechanism to assess the completeness and effectiveness of the security program over time. Additionally, it helps locate deficiencies and areas where change has occurred. Because security changes over time, reassessing on a periodic basis is essential to maintaining reasonable security.
Countermeasure Selection and Implementation
Selecting a countermeasure or control (short for security control) within the realm of risk management relies heavily on the cost/benefit analysis results. However, you should consider several other factors when assessing the value or pertinence of a security control:
The cost of the countermeasure should be less than the value of the asset.
The cost of the countermeasure should be less than the benefit of the countermeasure.
The result of the applied countermeasure should make the cost of an attack greater for the perpetrator than the derived benefit from an attack.
The countermeasure should provide a solution to a real and identified problem. (Don't install countermeasures just because they are available, are advertised, or sound cool.)
The benefit of the countermeasure should not be dependent on its secrecy. This means that "security through obscurity" is not a viable countermeasure and that any viable countermeasure can withstand public disclosure and scrutiny.
The benefit of the countermeasure should be testable and verifiable.
The countermeasure should provide consistent and uniform protection across all users, systems, protocols, and so on.
The countermeasure should have few or no dependencies to reduce cascade failures.
The countermeasure should require minimal human intervention after initial deployment and configuration.
The countermeasure should be tamperproof.
The countermeasure should have overrides accessible to privileged operators only.
The countermeasure should provide fail-safe and/or fail-secure options.
Keep in mind that security should be designed to support and enable business tasks and functions. Thus, countermeasures and safeguards need to be evaluated in the context of a business task.
Security controls, countermeasures, and safeguards can be implemented administratively, logically/technically, or physically. These three categories of security mechanisms should be implemented in a defense-in-depth manner in order to provide maximum benefit (Figure 2.6).
FIGURE 2.6 The categories of security controls in a defense-in-depth implementation
Technical
Technical or logical controls involve the hardware or software mechanisms used to manage access and to provide protection for resources and systems. As the name implies, it uses technology. Examples of logical or technical controls include authentication methods (such as usernames, passwords, smart cards, and biometrics), encryption, constrained interfaces, access control lists, protocols, firewalls, routers, intrusion detection systems (IDSs), and clipping levels.
Administrative
Administrative controls are the policies and procedures defined by an organization's security policy and other regulations or requirements. They are sometimes referred to as management controls. These controls focus on personnel and business practices. Examples of administrative controls include policies, procedures, hiring practices, background checks, data classifications and labeling, security awareness and training efforts, vacation history, reports and reviews, work supervision, personnel controls, and testing.
Physical
Physical controls are items you can physically touch. They include physical mechanisms deployed to prevent, monitor, or detect direct contact with systems or areas within a facility. Examples of physical controls include guards, fences, motion detectors, locked doors, sealed windows, lights, cable protection, laptop locks, badges, swipe cards, guard dogs, video cameras, mantraps, and alarms.
Applicable Types of Controls
The term security control refers to a broad range of controls that perform such tasks as ensuring that only authorized users can log on and preventing unauthorized users from gaining access to resources. Controls mitigate a wide variety of information security risks.
Whenever possible, you want to prevent any type of security problem or incident. Of course, this isn't always possible, and unwanted events occur. When they do, you want to detect the events as soon as possible. And once you detect an event, you want to correct it.
As you read the control descriptions, notice that some are listed as examples of more than one access-control type. For example, a fence (or perimeter-defining device) placed around a building can be a preventive control (physically barring someone from gaining access to a building compound) and/or a deterrent control (discouraging someone from trying to gain access).
Deterrent
A deterrent control is deployed to discourage violation of security policies. Deterrent and preventive controls are similar, but deterrent controls often depend on individuals deciding not to take an unwanted action. In contrast, a preventive control actually blocks the action. Some examples include policies, security-awareness training, locks, fences, security badges, guards, mantraps, and security cameras.
Preventive
A preventive control is deployed to thwart or stop unwanted or unauthorized activity from occurring. Examples of preventive controls include fences, locks, biometrics, mantraps, lighting, alarm systems, separation of duties, job rotation, data classification, penetration testing, access-control methods, encryption, auditing, presence of security cameras or closed-circuit television (CCTV), smart cards, callback procedures, security policies, security-awareness training, antivirus software, firewalls, and intrusion prevention systems (IPSs).
Detective
A detective control is deployed to discover or detect unwanted or unauthorized activity. Detective controls operate after the fact and can discover the activity only after it has occurred. Examples of detective controls include security guards, motion detectors, recording and reviewing of events captured by security cameras or CCTV, job rotation, mandatory vacations, audit trails, honeypots or honeynets, intrusion detection systems (IDSs), violation reports, supervision and reviews of users, and incident investigations.
Compensating
A compensation control is deployed to provide various options to other existing controls to aid in enforcement and support of security policies. They can be any controls used in addition to, or in place of, another control. For example, an organizational policy may dictate that all PII must be encrypted. A review discovers that a preventive control is encrypting all PII data in databases, but PII transferred over the network is sent in cleartext. A compensation control can be added to protect the data in transit.
Corrective
A corrective control modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred. It attempts to correct any problems that occurred as a result of a security incident. Corrective controls can be simple, such as terminating malicious activity or rebooting a system. They also include antivirus solutions that can remove or quarantine a virus, backup and restore plans to ensure that lost data can be restored, and active IDSs that can modify the environment to stop an attack in progress. The control is deployed to repair or restore resources, functions, and capabilities after a violation of security policies.
Recovery
Recovery controls are an extension of corrective controls but have more advanced or complex abilities. Examples of recovery controls include backups and restores, fault-tolerant drive systems, system imaging, server clustering, antivirus software, and database or virtual machine shadowing. In relation to business continuity and disaster recovery, recovery controls can include hot sites, warm sites, cold sites, alternate processing facilities, service bureaus, reciprocal agreements, cloud providers, rolling mobile operating centers, and multisite solutions.
Directive
A directive control is deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies. Examples of directive controls include security policy requirements or criteria, posted notifications, escape route exit signs, monitoring, supervision, and procedures.
Security Control Assessment
A security control assessment (SCA) is the formal evaluation of a security infrastructure's individual mechanisms against a baseline or reliability expectation. The SCA can be performed in addition to or independently of a full security evaluation, such as a penetration test or vulnerability assessment.
The goals of an SCA are to ensure the effectiveness of the security mechanisms, evaluate the quality and thoroughness of the risk management processes of the organization, and produce a report of the relative strengths and weaknesses of the deployed security infrastructure.
Generally, an SCA is a process implemented by federal agencies based on the NIST Special Publication 800-53A titled "Guide for Assessing the Security Controls in Federal Information Systems" (https://csrc.nist.gov/publications/detail/sp/800-53a/rev-4/final). However, while defined as a government process, the concept of evaluating the reliability and effectiveness of security controls should be adopted by every organization that is committed to sustaining a successful security endeavor.
Monitoring and Measurement
Security controls should provide benefits that can be monitored and measured. If a security control's benefits cannot be quantified, evaluated, or compared, then it does not actually provide any security. A security control may provide native or internal monitoring, or external monitoring might be required. You should take this into consideration when making initial countermeasure selections.
Measuring the effectiveness of a countermeasure is not always an absolute value. Many countermeasures offer degrees of improvement rather than specific hard numbers as to the number of breaches prevented or attack attempts thwarted. Often, to obtain countermeasure success or failure measurements, monitoring and recording of events both prior to and after safeguard installation is necessary. Benefits can only be accurately measured if the starting point (that is, the normal point or initial risk level) is known. Part of the cost/benefit equation takes countermeasure monitoring and measurement into account. Just because a security control provides some level of increased security does not necessarily mean that the benefit gained is cost effective. A significant improvement in security should be identified to clearly justify the expense of new countermeasure deployment.
Asset Valuation and Reporting
An important step in risk analysis is to appraise the value of an organization's assets. If an asset has no value, then there is no need to provide protection for it. A primary goal of risk analysis is to ensure that only cost-effective safeguards are deployed. It makes no sense to spend $100,000 protecting an asset that is worth only $1,000. The value of an asset directly affects and guides the level of safeguards and security deployed to protect it. As a rule, the annual costs of safeguards should not exceed the expected annual cost of asset loss.
When the cost of an asset is evaluated, there are many aspects to consider. The goal of asset valuation is to assign to an asset a specific dollar value that encompasses tangible costs as well as intangible ones. Determining an exact value is often difficult if not impossible, but nevertheless, a specific value must be established. (Note that the discussion of qualitative versus quantitative risk analysis in the next section may clarify this issue.) Improperly assigning value to assets can result in failing to properly protect an asset or implementing financially infeasible safeguards. The following list includes some of the tangible and intangible issues that contribute to the valuation of assets:
Purchase cost
Development cost
Administrative or management cost
Maintenance or upkeep cost
Cost in acquiring asset
Cost to protect or sustain asset
Value to owners and users
Value to competitors
Intellectual property or equity value
Market valuation (sustainable price)
Replacement cost
Productivity enhancement or degradation
Operational costs of asset presence and loss
Liability of asset loss
Usefulness
Assigning or determining the value of assets to an organization can fulfill numerous requirements. It serves as the foundation for performing a cost/benefit analysis of asset protection through safeguard deployment. It serves as a means for selecting or evaluating safeguards and countermeasures. It provides values for insurance purposes and establishes an overall net worth or net value for the organization. It helps senior management understand exactly what is at risk within the organization. Understanding the value of assets also helps to prevent negligence of due care and encourages compliance with legal requirements, industry regulations, and internal security policies.
Risk reporting is a key task to perform at the conclusion of a risk analysis. Risk reporting involves the production of a risk report and a presentation of that report to the interested/relevant parties. For many organizations, risk reporting is an internal concern only, whereas other organizations may have regulations that mandate third-party or public reporting of their risk findings.
A risk report should be accurate, timely, comprehensive of the entire organization, clear and precise to support decision making, and updated on a regular basis.
Continuous Improvement
Risk analysis is performed to provide upper management with the details necessary to decide which risks should be mitigated, which should be transferred, which should be deterred, which should be avoided, and which should be accepted. The result is a cost/benefit comparison between the expected cost of asset loss and the cost of deploying safeguards against threats and vulnerabilities. Risk analysis identifies risks, quantifies the impact of threats, and aids in budgeting for security. It helps integrate the needs and objectives of the security policy with the organization's business goals and intentions. The risk analysis/risk assessment is a "point in time" metric. Threats and vulnerabilities constantly change, and the risk assessment needs to be redone periodically in order to support continuous improvement.
Security is always changing. Thus any implemented security solution requires updates and changes over time. If a continuous improvement path is not provided by a selected countermeasure, then it should be replaced with one that offers scalable improvements to security.
Risk Frameworks
A risk framework is a guideline or recipe for how risk is to be assessed, resolved, and monitored. The primary example of a risk framework referenced by the CISSP exam is that defined by NIST in Special Publication 800-37 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf). We encourage you to review this publication in its entirety, but here are a few excerpts of relevance to CISSP:
This publication provides guidelines for applying the Risk Management Framework (RMF) to federal information systems. The six-step RMF includes security categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. The RMF promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes, provides senior leaders the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions, and integrates information security into the enterprise architecture and systems development life cycle (SDLC). Applying the RMF within enterprises links risk management processes at the information system level to risk management processes at the organization level through a risk executive (function) and establishes lines of responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems (i.e., common controls). The RMF has the following characteristics:
Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes;
Encourages the use of automation to provide senior leaders the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions;
Integrates information security into the enterprise architecture and SDLC;
Provides emphasis on the selection, implementation, assessment, and monitoring of security controls, and the authorization of information systems;
Links risk management processes at the information system level to risk management processes at the organization level through a risk executive (function); and
Establishes responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems (i.e., common controls)
The RMF steps include (see Figure 2.7):
Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.
Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.
Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.
[From NIST SP 800-37]
FIGURE 2.7 The six steps of the risk management framework
There is significantly more detail about RMF in the NIST publication; please review that document for a complete perspective on risk frameworks.
The NIST RMF is the primary focus of the CISSP exam, but you might want to review other risk management frameworks for use in the real world. Please consider Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), Factor Analysis of Information Risk (FAIR), and Threat Agent Risk Assessment (TARA). For further research, you’ll find a useful article here: www.csoonline.com/article/2125140/metrics-budgets/it-risk-assessment-frameworks–real-world-experience.html. Understand that there are a number of well-recognized frameworks and that selecting one that fits your organization’s requirements and style is important.
Establish and Maintain a Security Awareness, Education, and Training Program
The successful implementation of a security solution requires changes in user behavior. These changes primarily consist of alterations in normal work activities to comply with the standards, guidelines, and procedures mandated by the security policy. Behavior modification involves some level of learning on the part of the user. To develop and manage security education, training, and awareness, all relevant items of knowledge transference must be clearly identified and programs of presentation, exposure, synergy, and implementation crafted.
A prerequisite to security training is awareness. The goal of creating awareness is to bring security to the forefront and make it a recognized entity for users. Awareness establishes a common baseline or foundation of security understanding across the entire organization and focuses on key or basic topics and issues related to security that all employees must understand and comprehend. Awareness is not exclusively created through a classroom type of exercise but also through the work environment. Many tools can be used to create awareness, such as posters, notices, newsletter articles, screen savers, T-shirts, rally speeches by managers, announcements, presentations, mouse pads, office supplies, and memos as well as the traditional instructor-led training courses.
Awareness establishes a minimum standard common denominator or foundation of security understanding. All personnel should be fully aware of their security responsibilities and liabilities. They should be trained to know what to do and what not to do.
The issues that users need to be aware of include avoiding waste, fraud, and unauthorized activities. All members of an organization, from senior management to temporary interns, need the same level of awareness. The awareness program in an organization should be tied in with its security policy, incident-handling plan, business continuity, and disaster recovery procedures. For an awareness-building program to be effective, it must be fresh, creative, and updated often. The awareness program should also be tied to an understanding of how the corporate culture will affect and impact security for individuals as well as the organization as a whole. If employees do not see enforcement of security policies and standards, especially at the awareness level, then they may not feel obligated to abide by them.
Training is teaching employees to perform their work tasks and to comply with the security policy. Training is typically hosted by an organization and is targeted to groups of employees with similar job functions. All new employees require some level of training so they will be able to comply with all standards, guidelines, and procedures mandated by the security policy. New users need to know how to use the IT infrastructure, where data is stored, and how and why resources are classified. Many organizations choose to train new employees before they are granted access to the network, whereas others will grant new users limited access until their training in their specific job position is complete. Training is an ongoing activity that must be sustained throughout the lifetime of the organization for every employee. It is considered an administrative security control.
Methods and techniques to present awareness and training should be revised and improved over time to maximize benefits. This will require that training metrics be collected and evaluated. This may include post-learning testing as well as monitoring for job consistency improvements and reductions in downtime, security incidents, or mistakes. This can be seen as a program effectiveness evaluation.
Awareness and training are often provided in-house. That means these teaching tools are created and deployed by and within the organization itself. However, the next level of knowledge distribution is usually obtained from an external third-party source.
Education is a more detailed endeavor in which students/users learn much more than they actually need to know to perform their work tasks. Education is most often associated with users pursuing certification or seeking job promotion. It is typically a requirement for personnel seeking security professional positions. A security professional requires extensive knowledge of security and the local environment for the entire organization and not just their specific work tasks.
An assessment of the appropriate levels of awareness, training, and education required within the organization should be revised on a regular basis using periodic content reviews. Training efforts need to be updated and tuned as the organization evolves over time. Additionally, new, bold, and subtle means of awareness should be implemented as well to keep the content fresh and relevant. Without periodic reviews for content relevancy, materials will become stale and workers will likely resort to making up their own guidelines and procedures. It is the responsibility of the security governance team to establish security rules as well as provide training and education to further the implementation of those rules.
Manage the Security Function
To manage the security function, an organization must implement proper and sufficient security governance. The act of performing a risk assessment to drive the security policy is the clearest and most direct example of management of the security function.
Security must be cost effective. Organizations do not have infinite budgets and thus must allocate their funds appropriately. Additionally, an organizational budget includes a percentage of monies dedicated to security just as most other business tasks and processes require capital, not to mention payments to employees, insurance, retirement, and so on. Security should be sufficient to withstand typical or standard threats to the organization but not when such security is more expensive than the assets being protected. As discussed in “Understand and Apply Risk Management Concepts” earlier in this chapter, a countermeasure that is more costly than the value of the asset itself is not usually an effective solution.
Security must be measurable. Measurable security means that the various aspects of the security mechanisms function, provide a clear benefit, and have one or more metrics that can be recorded and analyzed. Similar to performance metrics, security metrics are measurements of performance, function, operation, action, and so on as related to the operation of a security feature. When a countermeasure or safeguard is implemented, security metrics should show a reduction in unwanted occurrences or an increase in the detection of attempts. Otherwise, the security mechanism is not providing the expected benefit. The act of measuring and evaluating security metrics is the practice of assessing the completeness and effectiveness of the security program. This should also include measuring it against common security guidelines and tracking the success of its controls. Tracking and assessing security metrics are part of effective security governance. However, it is worth noting that choosing incorrect security metrics can cause significant problems, such as choosing to monitor or measure something the security staff has little control over or that is based on external drivers.
Resources will be consumed both by the security mechanisms themselves and by the security governance processes. Obviously, security mechanisms should consume as few resources as possible and impact the productivity or throughput of a system at as low a level as feasible. However, every hardware and software countermeasure as well as every policy and procedure users must follow will consume resources. Being aware of and evaluating resource consumption before and after countermeasure selection, deployment, and tuning is an important part of security governance and managing the security function.
Managing the security function includes the development and implementation of information security strategies. Most of the content of the CISSP exam, and hence this book, addresses the various aspects of development and implementation of information security strategies.
Summary
When planning a security solution, it’s important to consider the fact that humans are often the weakest element in organizational security. Regardless of the physical or logical controls deployed, humans can discover ways to avoid them, circumvent or subvert them, or disable them. Thus, it is important to take users into account when designing and deploying security solutions for your environment. The aspects of secure hiring practices, roles, policies, standards, guidelines, procedures, risk management, awareness training, and management planning all contribute to protecting assets. The use of these security structures provides some protection from the threat humans present against your security solutions.
Secure hiring practices require detailed job descriptions. Job descriptions are used as a guide for selecting candidates and properly evaluating them for a position. Maintaining security through job descriptions includes the use of separation of duties, job responsibilities, and job rotation.
A termination policy is needed to protect an organization and its existing employees. The termination procedure should include witnesses, return of company property, disabling network access, an exit interview, and an escort from the property.
Third-party governance is a system of oversight that is sometimes mandated by law, regulation, industry standards, or licensing requirements. The method of governance can vary, but it generally involves an outside investigator or auditor. Auditors might be designated by a governing body, or they might be consultants hired by the target organization.
The process of identifying, evaluating, and preventing or reducing risks is known as risk management. The primary goal of risk management is to reduce risk to an acceptable level. Determining this level depends on the organization, the value of its assets, and the size of its budget. Although it is impossible to design and deploy a completely risk-free environment, it is possible to significantly reduce risk with little effort. Risk analysis is the process by which risk management is achieved and includes analyzing an environment for risks, evaluating each risk as to its likelihood of occurring and the cost of the resulting damage, assessing the cost of various countermeasures for each risk, and creating a cost/benefit report for safeguards to present to upper management.
For a security solution to be successfully implemented, user behavior must change. Such changes primarily consist of alterations in normal work activities to comply with the standards, guidelines, and procedures mandated by the security policy. Behavior modification involves some level of learning on the part of the user. There are three commonly recognized learning levels: awareness, training, and education.
Exam Essentials
Understand the security implications of hiring new employees. To properly plan for security, you must have standards in place for job descriptions, job classification, work tasks, job responsibilities, preventing collusion, candidate screening, background checks, security clearances, employment agreements, and nondisclosure agreements. By deploying such mechanisms, you ensure that new hires are aware of the required security standards, thus protecting your organization’s assets.
Be able to explain separation of duties. Separation of duties is the security concept of dividing critical, significant, sensitive work tasks among several individuals. By separating duties in this manner, you ensure that no one person can compromise system security.
Understand the principle of least privilege. The principle of least privilege states that in a secured environment, users should be granted the minimum amount of access necessary for them to complete their required work tasks or job responsibilities. By limiting user access only to those items that they need to complete their work tasks, you limit the vulnerability of sensitive information.
Know why job rotation and mandatory vacations are necessary. Job rotation serves two functions. It provides a type of knowledge redundancy, and moving personnel around reduces the risk of fraud, data modification, theft, sabotage, and misuse of information. Mandatory vacations of one to two weeks are used to audit and verify the work tasks and privileges of employees. This often results in easy detection of abuse, fraud, or negligence.
Understand vendor, consultant, and contractor controls. Vendor, consultant, and contractor controls are used to define the levels of performance, expectation, compensation, and consequences for entities, persons, or organizations that are external to the primary organization. Often these controls are defined in a document or policy known as a service-level agreement (SLA).
Be able to explain proper termination policies. A termination policy defines the procedure for terminating employees. It should include items such as always having a witness, disabling the employee’s network access, and performing an exit interview. A termination policy should also include escorting the terminated employee off the premises and requiring the return of security tokens and badges and company property.
Know how privacy fits into the realm of IT security. Know the multiple meanings/definitions of privacy, why it is important to protect, and the issues surrounding it, especially in a work environment.
Be able to discuss third-party governance of security. Third-party governance is the system of oversight that may be mandated by law, regulation, industry standards, or licensing requirements.
Be able to define overall risk management. The process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk is known as risk management. By performing risk management, you lay the foundation for reducing risk overall.
Understand risk analysis and the key elements involved. Risk analysis is the process by which upper management is provided with details to make decisions about which risks are to be mitigated, which should be transferred, and which should be accepted. To fully evaluate risks and subsequently take the proper precautions, you must analyze the following: assets, asset valuation, threats, vulnerability, exposure, risk, realized risk, safeguards, countermeasures, attacks, and breaches.
Know how to evaluate threats. Threats can originate from numerous sources, including IT, humans, and nature. Threat assessment should be performed as a team effort to provide the widest range of perspectives. By fully evaluating risks from all angles, you reduce your system’s vulnerability.
Understand quantitative risk analysis. Quantitative risk analysis focuses on hard values and percentages. A complete quantitative analysis is not possible because of intangible aspects of risk. The process involves asset valuation and threat identification and then determining a threat’s potential frequency and the resulting damage; the result is a cost/benefit analysis of safeguards.
Be able to explain the concept of an exposure factor (EF). An exposure factor is an element of quantitative risk analysis that represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk. By calculating exposure factors, you are able to implement a sound risk management policy.
Know what single loss expectancy (SLE) is and how to calculate it. SLE is an element of quantitative risk analysis that represents the cost associated with a single realized risk against a specific asset. The formula is SLE = asset value (AV) * exposure factor (EF).
Understand annualized rate of occurrence (ARO). ARO is an element of quantitative risk analysis that represents the expected frequency with which a specific threat or risk will occur (in other words, become realized) within a single year. Understanding AROs further enables you to calculate the risk and take proper precautions.
Know what annualized loss expectancy (ALE) is and how to calculate it. ALE is an element of quantitative risk analysis that represents the possible yearly cost of all instances of a specific realized threat against a specific asset. The formula is ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO).
Know the formula for safeguard evaluation. In addition to determining the annual cost of a safeguard, you must calculate the ALE for the asset if the safeguard is implemented. Use the formula: ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard = value of the safeguard to the company, or (ALE1 – ALE2) – ACS.
Understand qualitative risk analysis. Qualitative risk analysis is based more on scenarios than calculations. Exact dollar figures are not assigned to possible losses; instead, threats are ranked on a scale to evaluate their risks, costs, and effects. Such an analysis assists those responsible in creating proper risk management policies.
Understand the Delphi technique. The Delphi technique is simply an anonymous feedback-and-response process used to arrive at a consensus. Such a consensus gives the responsible parties the opportunity to properly evaluate risks and implement solutions.
Know the options for handling risk. Reducing risk, or risk mitigation, is the implementation of safeguards and countermeasures. Assigning risk or transferring a risk places the cost of loss a risk represents onto another entity or organization. Purchasing insurance is one form of assigning or transferring risk. Accepting risk means the management has evaluated the cost/benefit analysis of possible safeguards and has determined that the cost of the countermeasure greatly outweighs the possible cost of loss due to a risk. It also means that management has agreed to accept the consequences and the loss if the risk is realized.
Be able to explain total risk, residual risk, and controls gap. Total risk is the amount of risk an organization would face if no safeguards were implemented. To calculate total risk, use this formula: threats * vulnerabilities * asset value = total risk. Residual risk is the risk that management has chosen to accept rather than mitigate. The difference between total risk and residual risk is the controls gap, which is the amount of risk that is reduced by implementing safeguards. To calculate residual risk, use the following formula: total risk – controls gap = residual risk.
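The quantitative formulas from the Exam Essentials above (SLE = AV * EF, ALE = SLE * ARO, safeguard value = (ALE1 – ALE2) – ACS, and residual risk = total risk – controls gap) carried through as working code, producing the kind of cost/benefit report for safeguards that the Summary says is presented to upper management. This is an added example and not code from the book: the asset value, exposure factor, ARO and candidate safeguard figures are constructed for illustration, and the `Safeguard` class and `evaluate_safeguards` function are names chosen here rather than anything the chapter defines.

```python
"""Quantitative risk analysis helpers: SLE, ALE, safeguard value, residual risk."""
from dataclasses import dataclass
from typing import Dict, List


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF.  EF is the fraction of the asset's value (0.0 to 1.0)
    lost when the risk is realized once."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO.  ARO is the expected number of occurrences per year
    and may be fractional (0.1 means about once every ten years)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """(ALE1 - ALE2) - ACS.  Positive: the safeguard saves more per year than
    it costs.  Negative: the countermeasure costs more than the loss it
    prevents, which the chapter calls "not usually an effective solution"."""
    return (ale_before - ale_after) - annual_cost


def residual_risk(total_risk: float, controls_gap: float) -> float:
    """total risk - controls gap = residual risk (what management accepts)."""
    return total_risk - controls_gap


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure with the EF and ARO expected once it is in
    place.  Hypothetical structure for this example, not from the book."""
    name: str
    annual_cost: float   # ACS
    ef_after: float      # exposure factor after the safeguard is deployed
    aro_after: float     # annualized rate of occurrence after deployment


def evaluate_safeguards(asset_value: float, ef: float, aro: float,
                        candidates: List[Safeguard]) -> List[Dict[str, object]]:
    """Build a cost/benefit report: one row per safeguard, ranked by value to
    the company (highest first).  ALE1 is the same for every row because it is
    the loss expectancy with no safeguard in place."""
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef), aro)
    rows: List[Dict[str, object]] = []
    for sg in candidates:
        ale_after = annualized_loss_expectancy(
            single_loss_expectancy(asset_value, sg.ef_after), sg.aro_after)
        value = safeguard_value(ale_before, ale_after, sg.annual_cost)
        rows.append({
            "name": sg.name,
            "ale_before": ale_before,
            "ale_after": ale_after,
            "acs": sg.annual_cost,
            "value": value,
            "cost_effective": value > 0,
        })
    rows.sort(key=lambda r: r["value"], reverse=True)
    return rows


# Constructed sample figures (not from the book): a file server valued at
# $100,000 and a ransomware scenario that destroys 25% of its value about once
# every two years.
SAMPLE_ASSET_VALUE = 100_000.0
SAMPLE_EF = 0.25
SAMPLE_ARO = 0.5
SAMPLE_SAFEGUARDS = [
    Safeguard("offline backups", annual_cost=5_000.0, ef_after=0.05, aro_after=0.25),
    Safeguard("real-time hot-site replication", annual_cost=20_000.0,
              ef_after=0.0, aro_after=0.5),
]

if __name__ == "__main__":
    report = evaluate_safeguards(SAMPLE_ASSET_VALUE, SAMPLE_EF, SAMPLE_ARO,
                                 SAMPLE_SAFEGUARDS)
    for row in report:
        verdict = "cost-effective" if row["cost_effective"] else "NOT cost-effective"
        print(f"{row['name']:<32} ALE1={row['ale_before']:>9,.0f} "
              f"ALE2={row['ale_after']:>9,.0f} ACS={row['acs']:>9,.0f} "
              f"value={row['value']:>9,.0f}  {verdict}")
```

With the constructed figures, SLE is $25,000 and ALE1 is $12,500 a year. Offline backups bring ALE2 down to $1,250 for $5,000 a year, a value of $6,250; the replication option eliminates the loss but costs $20,000 a year, so its value is –$7,500 and the report marks it as not cost-effective, which is the "countermeasure more expensive than the asset it protects" case the chapter warns about.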
Understand control types. The term control refers to a broad range of controls that perform such tasks as ensuring that only authorized users can log on and preventing unauthorized users from gaining access to resources. Control types include preventive, detective, corrective, deterrent, recovery, directive, and compensation. Controls can also be categorized by how they are implemented: administrative, logical, or physical.
Know how to implement security awareness training and education. Before actual training can take place, awareness of security as a recognized entity must be created for users. Once this is accomplished, training, or teaching employees to perform their work tasks and to comply with the security policy, can begin. All new employees require some level of training so they will be able to comply with all standards, guidelines, and procedures mandated by the security policy. Education is a more detailed endeavor in which students/users learn much more than they actually need to know to perform their work tasks. Education is most often associated with users pursuing certification or seeking job promotion.
Understand how to manage the security function. To manage the security function, an organization must implement proper and sufficient security governance. The act of performing a risk assessment to drive the security policy is the clearest and most direct example of management of the security function. This also relates to budget, metrics, resources, information security strategies, and assessing the completeness and effectiveness of the security program.
Know the six steps of the risk management framework. The six steps of the risk management framework are: Categorize, Select, Implement, Assess, Authorize, and Monitor.
Written Lab
1. Name six different administrative controls used to secure personnel.
2. What are the basic formulas used in quantitative risk assessment?
3. Describe the process or technique used to reach an anonymous consensus during a qualitative risk assessment.
4. Discuss the need to perform a balanced risk assessment. What are the techniques that can be used and why is this necessary?