CISSP Domain – Information Security and Risk Management

Milan Vlahović CISSP, PMP, MCSE, MCSD, MCDBA, ITIL Privredna komora Beograda
Based on Skillsoft IT Security KC CISSP Roadmap – Only as a course support material

Security Management
• Due to the increasing use of computer and network technology the risk of exposure to information system attacks is increasing • It is important for the enterprise to protect all its assets, such as resources and information • It is not possible to ensure complete security of all assets, but the possibility of an attack can be reduced by having security measures in place

• Security management includes
– – – – – – risk management, information security policies, procedures, standards, guidelines, baselines, information classification, security organization, and security education

• This components makes the foundation of a corporation’s security program • The objective of security, and a security program, is to protect the company and its assets

Core aspects of security management • Restricting access to a computer system or network • Identifying vulnerability points of the assets of an organization. possible threats that can exploit these vulnerabilities. impact of these threats and strategies that will help mitigate these threats • Understanding training needs of all employees about these strategies .

Goal of security management • To protect the propriety and confidential information of a company from being unintentionally altered by trusted individuals or intentionally altered by unauthorized individuals • CIA triad .three main objectives of security management – Confidentiality – Integrity – Availability • A security program should use a top-down approach. and then reach staff members . – the initiation. work their way through middle management. and direction come from top management. support.

Avialability Security objectives Integrity Confidentiality The CIA triad .

• Management’s responsibility is to provide protection for the resources (human.• Security management relies on – properly identifying and valuing a company’s assets. standards. and availability for those assets. confidentiality. . capital. procedures. and then – implementing security policies. and guidelines to provide integrity. • Management must concern itself with ensuring that a security program is set up that recognizes the threats that can affect these resources and be assured that the necessary protective measures are put into effect. and informational) it is responsible for and the company overall. hardware.

and once it reaches its destination • Attackers can thwart confidentiality mechanisms by network monitoring. shoulder surfing. stealing password files. as it is transmitted.Confidentiality • Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure • This level of confidentiality should prevail while data resides on systems and devices within the network. and social engineering .

. Social engineering can take many other forms. and data classification. • Confidentiality can be provided by encrypting data as it is stored and transmitted. by using network traffic padding.Confidentiality (continued) • Shoulder surfing is when a person looks over another person’s shoulder and watches their keystrokes or views data as it appears on a computer screen. and by training personnel on the proper procedures. • Social engineering is when one person tricks another person into sharing confidential information such as by posing as someone authorized to have access to that information. strict access control.

intrusion detection. and hashing can combat these threats . and any unauthorized modification is prevented • The systems and network should be protected from outside interference and contamination • Strict access controls.Integrity • Integrity ensures that the accuracy and reliability of the information and systems is provided.

Integrity (continued) • Security should restrict users’ capabilities and give them only certain choices and functionality – system-critical files should be restricted from viewing and access by users – applications should provide mechanisms that check for valid and reasonable input values – databases should let only authorized individuals modify data. and – data in transit should be protected by encryption or other mechanisms .

and the negative effects from environmental components should be prevented. backup measures should be taken. • They should be able to recover from disruptions in a secure and quick manner so productivity is not negatively affected. • Single points of failure should be avoided. . redundancy mechanisms should be in place when necessary.Availability • Availability ensures that authorized users are able to access data and resources whenever needed • The systems and networks should provide adequate capacity in order to perform with an acceptable level of performance.

data should be backed up on a regular basis and a disaster recovery plan should be in place . or malicious code that compromise the data processing capabilities of networks • heat. cold. and contaminants can also affect system availability – Loss of capabilities – Environmental issues • To ensure availability of data and provide an alternate means of processing.Availability (continued) • Threats to availability – Denial-of-service (DoS) • refers to attacks by intruders on network resources so that authorized users are unable to access them • to protect against such attacks. human actions such as bombs and strikes. static electricity. humidity. the network should validate all users and make available only the necessary resources • refers to natural disasters such as flood and earthquake.

conducting security-awareness training. and availability (CIA) are the three main principles of security • To meet the CIA triad objectives. protecting the perimeter of the facility and monitoring for intrusion • restricting access to a company's resources to only authorized individuals by using passwords. educating individuals about these policies and guidelines. identification and authentication methods. security devices. locking systems and removing unnecessary floppy or CD-ROM drives. configuration of the infrastructure and other logical access control mechanisms – physical – technical (or logical) . protecting a company's assets from environmental factors such as fire and water.Types of controls • Confidentiality. integrity. implementing change control procedures and screening all individuals that will use the information system • physically restricting access to a company's resources to only authorized individuals. three types of controls can be used: – administrative • creating and publishing of security policies. standards. risk management. and guidelines. procedures.

screening personnel. procedures. security devices. standards. locks. intrusion detection Technical controls: Logical access controls. guidelines. security guards. security-awareness training Company data and assets .encryption. environmental controls.Physical controls: Facility protection. identification and authentication Administrative controls: Policies. monitoring.

and tested • This can be achieved by having a change control management process in place – help deal with the changes effectively – ensures that all changes made in production systems.Change control management • Changes in the production phase can occur because of new requirements of products or systems. including system or application software. or because newly released patches or upgrades need to be installed • To avoid any loss of data and ensure smooth functioning of all tasks. will be integrated compatibly . the changes should be approved. documented.

Change control management process • Includes: – – – – – – submitting a change request form to the management analyzing the validity of the change request analyzing the ways to implement the change analyzing the cost of implementing the change documenting the change recommendations obtaining final approval from the change control board – making the accepted changes and documenting them – approving the changes by quality control .

procedures. • All models work in layers • Companies can use different types of technologies. methods. administrative. protection mechanisms. business processes.Organizational Security Model • An organizational security model – framework made up of many entities. and configurations that all work together to provide a security level for an environment – one layer provides support for the layer above it. and physical components. logical. and procedures to accomplish the necessary protection level for their environment . and protection for the layer below it.

Business objectives Vulnerability assessment Quantitative and qualitative risk assessment Penetration testing Risk analysis Risks and threats identification Protection Data Functionality requirements classification evaluation Legal Security System Policy and liabilities awareness reliability procedures Cost-effective solutions Safeguards Confidentiality Total security Countermeasures Availability Data integrity Integrated pieces of the security model .

. maintain and implement controls.) • include milestones within a project or projects that need to be completed within a year • include long-term goals that are generally broad statements (compliance with laws and regulations. security goals can be broken into three categories (planning horizon) – operational goals (short-term goals) • include daily tasks to ensure proper functioning of the operational environment (perform security risk assessment. ... create a maturity model. but it also has different types of goals to accomplish in different timeframes • Depending on the length of time that security model projects into the future.Security goals • A security model has various layers. .) – tactical goals (mid-term goals) – strategic goals (long-term goals ) ..

Deliver and Support. test. certify. and Monitor and Evaluate • CobiT is broken down into four domains: • Each category is broken down into subcategories • CobiT framework provides goals and guidance to companies when they purchase. and accredit IT products . Acquire and Implement.Security Frameworks • CobiT (Control Objectives for Information and related Technology) – framework developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) – It defines goals for the controls that should be used to properly manage IT and ensure IT maps to business needs – – – – Plan and Organize. install.

and internal communication structures . financial accounting principles. board of director responsibility. as in company culture.• COSO (developed by the Committee of Sponsoring Organizations of the Treadway Commission) – framework. which was developed in 1985 to deal with fraudulent financial activities and reporting – COSO is a model for corporate governance while CobiT is a model for IT governance – COSO deals more at the strategic level while CobiT focuses more at the operational level • COSO deals with non-IT items also.

• The COSO framework is made up of the following components: – Control Environment • Management’s philosophy and operating style • Company culture as it pertains to ethics and fraud – Risk Assessment • Establishment of risk objectives • Ability to manage internal and external change – Control Activities • Policies. procedures. and practices put in place to mitigate risk – Information and Communication • Structure that ensures that the right people get the right information at the right time – Monitoring • Detecting and responding to control deficiencies .

which outlines control objectives and a range of controls that can be used to meet those objectives. and – BS7799 Part II.Standard ISO 17799 • Internationally recognized Information Security Management Standard that provides high-level conceptual recommendations on enterprise security • Derived from the de facto standard: British Standard 7799 (BS7799) • The British Standard actually has two parts: • BS7799 Part II also served as a baseline that organizations could be certified against – BS7799 Part 1. which outlines how a security program can be set up and maintained .

• An organization would choose to be certified against the ISO 17799 standard to provide confidence to their customers and partners and be used as a marketing tool • To become certified. an authorized third party would evaluate the organization against the requirements in ISO 17799 Part II • The organization could be certified against all of ISO 17799 Part II or just a portion of the standard • It is some kind of the benchmark used to indicate a correct IT infrastructure • It is made up of ten domains. which are very close to the CISSP Common Body of Knowledge (CBK) .

• ISO 17799 domains – Information security policy for the organization – Creation of information security infrastructure – Asset classification and control – Personnel security – Physical and environmental security – Communications and operations management – Access control – System development and maintenance – Business continuity management – Compliance .

and ISO 27001 describes a process for auditing (requirements) those best practices . to make it consistent with the 27000 series of ISO security standards – ISO 27001 is a related standard.• ISO 27000 Series – ISO 17799 was renumbered to ISO 27002 in 2005. formally called ISO/IEC 27001:2005 – ISO 27001 was based on BS 7799 Part 2 – ISO 27002 describes information security best practices (techniques).

• ITIL (Information Technology Infrastructure Library) – the de facto standard of best practices for IT Service Management – framework for providing best services in IT Service Management – ITIL was created because of the increased dependence on information technology to meet business needs – ITIL contains five core publications: • • • • • Service Strategy Service Design Service Transition Service Operation Continual Service Improvement .

Classifying Data .

without overspending time and money. such as value and age – enable a company to identify the number of resources needed to protect the various types of data and identify protection mechanisms and recovery processes for each type . you need to understand each data type and its importance to the organization. • Data classification • Data-classification scheme – means identifying the types of data and grouping them into different categories based on various criteria. To be able to effectively secure data.Classifying Data • Different organizations create and maintain different types of data.

Objectives of a data-classification scheme • Identify measures to ensure CIA for each type of data – to provide the appropriate level of security to the data in an organization. it is necessary to classify that data – data classification organizes data according to its level of availability and sensitivity to loss or disclosure • Identify the right protection mechanisms for various categories of data – after data is classified. according to its importance – more expensive measures are used to protect confidential data and the less expensive measures are used to secure public information . appropriate security controls are applied to the data.

the measures need to be identified that will secure each type of data • The data itself can have security identification or its security level can be defined by the location of its storage • Data owners are responsible for defining the security level of their data .) • Each class of data should have unique characteristics and there should be just the right number of classes – not too many and not too few • After classifying the data.Objectives of a data-classification scheme (cont.

Different organizations -different security models • Security models selected by a military organization will be different from that defined by a private sector business – military organization .more concerned with the confidentiality of data – private sector business . private sector businesses and military organizations adopt different data-classification schemes .more concerned with the integrity and availability of data • To address these different security concerns.

confidentiality.. information about upcoming projects. salary information. source code. such as profit earnings and forecasts – data that will not affect an organization adversely if disclosed – examples : number of people working on a project. and accuracy to protect it from unauthorized modifications and loss of data – examples : project details and financial information. and medical information intended for use within the organization – data that requires a higher than normal level of integrity.Classes that most private-sector businesses use • confidential • private – information that should be used only within the organization – disclosure of information outside the organization is not allowed to avoid adverse affects – examples : trade secrets. • sensitive • public . and employee information – personal data of employees – examples : work history. .. competition strategies.

and espionage data – data that is less critical than that included in the top secret class. the disclosure of which might cause serious damage – examples : medical data of employees and answers to tests – data that is not sensitive – examples : data pertaining to device manuals and recruiting information • confidential • • sensitive but unclassified unclassified . the disclosure of which will cause grave damage to national security – examples : blueprints of new weapons. spy satellite information. and the disclosure of information is not allowed to avoid adverse affects – examples : information about military personnel – private sector uses this class too – minor secret data. but the disclosure of secret data will also damage national security – examples : deployment plans of troops and bomb placements – information for use within the organization.Classes that most military organizations use • • top secret secret – highly critical data.

Data-classification scheme requirements • List of criteria against which data will be checked • Data can be classified based on the department it belongs to. the company needs to determine how many classes are needed. and determine the controls needed • After the criteria and classification levels have been finalized. or its validity period • All stakeholders in an organization need to agree on the criteria scheme • After gathering and analyzing the criteria scheme. data owners need to analyze their data and identify the level it will fit into. . create their definitions. the number of projects it caters to.

Common data-classification criteria parameters • • • • • • • • • • • • age of data data owners or manipulators data storage location effects of data on national security encryption status for the data individuals who have permission to backup data monetary value of the data regulatory laws required for specific data repercussion if data was altered or corrupted repercussion if data was disclosed separation of duties status for the data usefulness of data .

Data classification controls • strict and granular access control • identification and labeling • encryption of data when stored or in transmission • auditing and monitoring • identifying if separation of duties is required • providing backup and recovery • deploying change control procedures • defining file access permissions .

Classification scheme will be effective only if : • the scheme has the right number of classes • the classes can be easily distinguished from each other – too many classes make them confusing and difficult to maintain while too few classes imply the low value of data – classes should be unique and not have any overlapping criteria • the scheme addresses how both information and software are handled – the scheme should outline how applications are controlled and handled through their life cycles. this helps evaluate the level of protection applicable to them. • the scheme reduces the cost of protecting information – too much money should not be spent on protecting trivial information .

Data classification criteria • Data classification provides a company with an understanding of the different types of data the company has and the value the data holds for the company • Different companies have different criteria. and senior-level approvals – useful life – personal association . based on which they classify data – value – age • valuable data have to be classified and protected • with the passage of time. government contracts. the value of data might decrease • outdated data does not usually need protection at all • data that contains the personal information of individuals need to be classified for situations arising because of court orders.

methods • • encryption review and approve – by public or private key algorithms so that the data can be accessed only by authorized users – any change in data is reviewed and approved by an authorized person. and this person should be different from the person who has performed this change – all data including critical data should be backed up – ensures that no individual has complete control over a process.Protection of data . updating. which avoids fraudulent activities – defines different access levels for different processes such as reading. altering. and deleting data – administration defines access rights for protected resources • • • backup and recovery separation of duties access control .

an individual may be required to perform the responsibilities of multiple roles • In a small organization.Information classification roles • Three major roles that are applicable to any type of organization: – Owner – Custodian – User • Depending on the type of organization. an individual may be required to perform the tasks of an owner as well as a custodian • For larger organizations. it is advisable to assign a role with each level of security .

) • Owner – usually part of an organization's management and is responsible for the protection and use of a particular set of data – responsibile for : • deciding the classification levels of data and for altering them according to changing business needs • defining security controls as per the data classification to ensure data protection • defining the access rights applicable to data as per the data classification and the value of the data • • • • approval of access requests backup and recovery tasks approval for data disclosure security violation notification dealings – delegates these tasks: .Information classification roles (cont.

Information classification roles (cont.) • Custodian – an IT person responsible for maintaining the integrity and availability of data for the data owner – responsibile for : • backing up data regularly according to the backup specifications provided by the data owner • restoring lost or corrupted data to provide normal functioning in case of system failure • ensuring that data is available for performing business activities • maintaining records of activity for the analysis of data to meet security policies and standards for data protection .

Information classification roles (cont.) • User – an employee or vendor of a company who uses data to perform work-related tasks – responsibile for : • maintaining the confidentiality of passwords and ensuring the security of the data used by him • following all security procedures and guidelines and promptly reporting any security violation to the company • using the data only to perform official duties and not for any personal gain .

and Guidelines . Standards.Policies.

Role of a security group • The objectives of a security management program implemented by an organization are defined by the CIA triad • Various threats affect the objectives of the security management program of an organization • A security management program consists of policies. and guidelines that help the organization lay down stringent security measures and secure the organization as a whole • It is necessary for each employee to understand the corporate security strategies laid down by the organization • The responsibility of drafting the security management program of an organization lies with the security group. standards. led by the information security officer . baselines.

procedures. acquisitions. and standards – – – – conflict of interest confidentiality duty of fairness corporate opportunity (requires an individual not to divulge any company information related to mergers. or patents for personal gain) • Duty of care • Some legal concepts associated with the duty of loyalty and the duty of care .Duties of security officer • Duty of loyalty – ensures that the senior management (including security officer) of an organization does not reveal or use the organization's protected information for personal gain – ensures that the organization is responsible for taking care of its employees and resources by developing and implementing security policies.

and guidelines – appointing a high-level manager to ensure that these policies. standards.Security management program • The security officer and the top management need to identify and evaluate the possible threats and risks within the organization and take proper remedial action. standards. and guidelines for employees – educating all employees about these policies. This process of risk assessment forms a part of due diligence To avoid threats and risks. the security officer and the top management need to specify functions to address these issues Basic functions in most security programs – establishing policies. standards. and guidelines – verifying that compliance policies are being implemented – implementing rectification procedures in case of violations – exercising care when authorizing employees • • . and guidelines are complied with by the employees – adopting appropriate disciplinary measures to enforce the policies. standards.

Security management program components • The security management program of an organization needs to be well defined and documented by the security officer along with the top management • It is the duty of the top management to ensure that all the employees in the organization are aware of the security management program • Core components – – – – Policies Standards Baselines Guidelines • To implement the security management program effectively within an organization. each employee should be aware of and be able to easily access the organization's policies. and guidelines . baselines. standards.

created by the top management. to protect the company's assets by implementing security measures and assigning responsibilities to meet securityrelated objectives • Effective security policy should be – – – – based on the business objectives of the company clear and acceptable to all the employees aimed to integrate security with all business processes upgraded regularly to include all parameters related to organizational changes – dated and have a version number for every change – aimed to eliminate the need of reading the entire policy material – accurately defined to outline resources and assign organizational responsibilities and authorities .Policies • A policy contains a company's directives.

they will be held accountable for their actions – are not enforceable and are meant for information purposes only – include laws. specific to a type of industry. which are enforced to meet compliance with local. and regulations.if the employees do so. and federal laws • Informative • Regulatory .Policy types • Advisory – define the behavioral requirements of employees and state ramifications in case of noncompliance – example : a banking organization expects its employees to not disclose any bank account details to any person other than the particular customer . state. bills.

Standards are mandatory regulations that support a policy . Standards define solutions to implement the measures stated in the policy. • Policies remain relevant until they need to be updated in case of changes in an organization's operations. without providing solutions to implement those measures.Standards • Standards – mandatory rules and actions that support and reinforce a policy • Policies state measures.

Baselines • Baselines – define the minimum level of security measures required by an organization to protect itself from internal and external threats • Baselines are established before standards are developed • Baselines provide platform-specific implementations for the standards .

Guidelines • Guidelines – general statements that recommend actions to be followed in case a standard does not apply • Guidelines are the recommended actions to be followed when a specific standard does not apply • Guidelines are general approaches while standards are specific mandatory activities .

Security management program components .

processes. and technology – to work together to achieve optimal levels of security . organization. and culture • Technology – this includes applications.Components of a security framework • People – this deals with roles and responsibilities. skills and training. attitudes. tools. and performance monitoring • Successful security framework requires all the components – people. and software • Processes – this includes procedures. hardware. standards. metrics.

Employment Policies and Practices .

or information technology • there can be multiple levels of security clearance in some organizations. which become more stringent for higher levels • an employee agreement document clearly outlines the expectation of the organization from its employees. details of the job description. rules.Securing your workplace • Basic steps – Background checks – Security clearance • the first line of defense in securing the workplace • checking the background of an employee ensures that the employee is qualified and reliable • procedure to authorize access to classified information • can be issued to individuals or groups working in the government. based on the types of information • different levels of security clearance have different access requirements. private industry. and the security policy • when an employee joins an organization. the employee needs to sign the employee agreement document • this document ensures that the employee will not violate the rules and regulations that affect the interest of the organization – Signing the employee agreement document . regulations.

Background check of an employee .

Employee agreement document .

Hiring and terminating • All the rules and guidelines related to hiring and terminating an employee should be approved by the top management • An organization should thoroughly evaluate a candidate's credentials to ensure that the candidate is appropriate for a particular job • After terminating an employee. the organization should ensure that it has revoked the employee's access to all company information and resources .

computers. rules. rules for behavior. and policies related to security and behavior – includes the acceptable-use policy (an outline of the access privileges.Good security practices after hiring a new employee • Provide the end-user document – what is expected from all the employees for a particular role – lists all the schemes. and any possible consequence of breaking rules when dealing with network resources. such as loss or misrepresentation of business data or damaging or removing business assets. or any other company resources) – this helps the organization safeguard its information from potential threats. intentionally or accidentally – security awareness program (the organization needs to ensure that all new employees are trained and educated on the security policies drafted by the top management) – the IT security officer should inform the employees about ways to create strong passwords and about access rights – information on how to create strong passwords and about the access rights is specified in the security policy document of the organization – access rights are granted based on job description • Inform about the need to know security policies • • Educate about the security program Inform about password creation and access rights .

Security awareness program .

Good security practices after hiring a new employee (cont. the security department assigns appropriate permissions and grants access rights to employees • Job descriptions help the human resources department advertise for jobs with similar roles and responsibilities • Periodic audit check for monitoring users need to be followed by an organization to validate the access controls for various roles and responsibilities based on job descriptions • To ensure information security.) • The organization needs to explain roles and responsibilities to the new employee • This is done by providing a job description to the employee • Based on the job description. a job description should always be formally and officially changed • Any change in the job description should be accompanied by relevant changes to the access control requirements and mechanisms defined for that role .

Good security practices when terminating an employee • restrict employees who will be terminated from accessing sensitive information • revoke the access of terminated employees to the network • disable the accounts of terminated employees • delete terminated employees after a specific period of time • make terminated employees surrender all the keys and company supplies they were using • ensure that terminated employees immediately leave the facility .

restrictions and permissions should be granted for each role • This ensures that each employee is responsible for maintaining the security of information that the employee has the right to access and use .Roles and job rotations • Every organization should define distinct roles and assign responsibilities pertaining to each role • Based on roles and the security policies set by the organization for these roles.

Typical roles and responsibilities • senior management • infosec officer • owner – has the overall and ultimate responsibility for security – responsible for the functional aspect of security – classifies information for implementing security – helps preserve the CIA of information – performs according to the security policy defined by the organization – examines if security is implemented properly in the organization • custodian • user • auditor .

Separation of duties • To implement security effectively in an organization. it is important to define a structure that helps in the separation of duties and responsibilities • Separation of duties assigns access to information according to job role • Benefits – introduces transparency in an organization (making it clear who does what in a situation) – ensures that no individual is solely responsible for a critical task (this prevents collusion and reduces the possibility of mistakes) – restricts access to information by job role (this helps prevent computer crimes) .

Job rotation • purpose .to limit the time spent by an individual on a task so that the individual does not have complete control over it • helps protect against frauds and misuse of information • benefits – a person does not have complete control over a task (reduces the security risk to information) – people working in sensitive areas are forced to take vacations (helps detect any fraudulent activities) .

Risk Management .

and implementing appropriate risk-reducing measures • The risk manager should be able to foresee risks and take appropriate measures to reduce those risks to a level that is acceptable by the organization • This can be achieved by following risk management principles . identifying the cost of securing the environment.Risk management principles • Risk management is the process of identifying and assessing risk.

Principles of risk management • identify risks • analyze the damage that can occur • plan and implement security measures to mitigate risk to an acceptable level • analyze the cost of implementing the security measures for mitigating risk .

input errors. or peripheral failure) – human errors (intentional or accidental human actions that adversely affect output) – internal and external attacks (misuse of data by hackers or crackers or unauthorized data access by internal users) – loss of data (permanent or temporary data loss or the data inaccessibility occurring due to unauthorized modifications) . or power failure) – disclosure (disclosure of critical information to unauthorized users) – equipment malfunctions (to system. fire. water. sabotage. and buffer overflows. network. causing an application or operating system to fail) – damage (physical damage caused to an asset because of natural disasters. monitor. and calculate the impact of the potential loss that might occur due to a risk factor Risk categories – application errors (computing errors.Risk categories • • • Risks are categorized based on various risk factors Categorizing risks helps the risk manager identify.

unpatched applications or operating system software. or procedural weakness that may provide an attacker the open door to enter a computer or network and have unauthorized access to resources within the environment – a vulnerability characterizes the absence or weakness of a safeguard that could be exploited – examples: • • • • • a service running on a server. unrestricted modem dial-in access. or • nonenforced password management on servers and workstations .Security Definitions • Vulnerability – software. lax physical security that allows anyone to enter a server room. an open port on a firewall. hardware.

• a process accessing data in a way that violates the security policy. will identify a specific vulnerability and use it against the company or individual • Threat agent – the entity that takes advantage of a vulnerability – examples: • an intruder accessing the network through a port on the firewall.• Threat – any potential danger to information or systems – the threat is that someone. or • an employee making an unintentional mistake that could expose confidential information or destroy a file’s integrity . • a tornado wiping out a facility. or something.

there is a higher likelihood that an intruder will use one to access the network in an unauthorized method • if users are not educated on processes and procedures. there is a higher likelihood that an employee will make an intentional or unintentional mistake that may destroy data • if an intrusion detection system (IDS) is not implemented on a network. there is a higher likelihood an attack will go unnoticed until it is too late – Risk ties the vulnerability.• Risk – the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact – example: • if a firewall has several ports open. and likelihood of exploitation to the resulting business impact . threat.

• Exposure – an instance of being exposed to losses from a threat agent – a vulnerability exposes an organization to possible damages • if password management is lax and password rules are not enforced. the company is exposed to the possibility of having users’ passwords captured and used in an unauthorized manner • if a company does not have its wiring inspected and does not put proactive fire prevention steps into place. it exposes itself to potentially devastating fires .

• Countermeasure (safeguard) – is put into place to mitigate the potential risk – may be • a software configuration. or • a procedure that eliminates a vulnerability or reduces the likelihood a threat agent will be able to exploit a vulnerability – examples • • • • strong password management. • a hardware device. . access control mechanisms within an operating system. and • security-awareness training. a security guard. the implementation of basic input/output system (BIOS) passwords.

Threat agent Gives rise to Threat Exploits Leads to Vulnerability Directly affects Risk Asset Exposure Safeguard Can damage And causes an Can be countermeasured by a The relationships among the different security components .

Threat analysis • Threat is an event that causes harm to an organization's assets • Threat analysis – the process of identifying threats and developing a cost-effective mitigation strategy for the identified threat to lower the risk level in an organizational environment – should be conducted during early system developmental stages and continually through the development lifecycle to facilitate change and problem management .

• involves identifying the assets an application uses to evaluate the possible threats to that application.) • Threat analysis involves – mapping assets • involves identifying all the assets of the company and mapping them to their business functions • assets whose business functions are more critical. • involves developing appropriate security measures to reduce the risk level – threat modeling – developing a mitigation plan . reducing vulnerability.Threat analysis (cont. are given priority.

caused by a loophole or an error. and criticality to the tangibles and intangibles in a business) . exposing the system to threats An organization needs to conduct a vulnerability analysis because most computer crimes are committed by people working in the organization The use of the Internet within the organization exposes the organization to more attackers Once the company's assets and relevant threats and vulnerabilities have been identified. or low (considering the organization's total cost incurred for the life cycle of the asset in terms of production.A point of weakness in a system. medium.Vulnerabilities and asset valuation • • • • Vulnerability . research and development. the risk manager needs to determine the value of those assets to determine the replacement cost and how best to safeguard them • Asset valuation process – determines the value of an asset – asset can be valued as high.

Vulnerability analysis techniques • • • • validating network access control rules using hacker tools testing platform misconfiguration using security penetration report .

which compares the annualized cost of safeguards to the potential cost of loss.Risk Analysis and Evaluation • Risks are associated with potential loss and cannot be eliminated from any business • Risk analysis . in most cases.method of identifying risks and assessing the possible damage that could be caused in order to justify security safeguards • Goals of risk analysis • Risk analysis provides a cost/benefit comparison. – A safeguard. should not be implemented unless the annualized cost of loss exceeds the annualized cost of the safeguard itself – Identify assets and their values – Identify vulnerabilities and threats – Quantify the probability and business impact of these potential threats – Provide an economic balance between the impact of the threat and the cost of the countermeasure .

calculating annualized threat frequency.Risk assessment • Process of measuring risk by assigning value to assets. and other elements of chance • Techniques to assess risks – Quantitative – Qualitative . consequence.

Methodologies for Risk Assessment • NIST SP 800-30 and 800-66 – methodologies that can be used by the general public. and from people within the organization. but their initial creation was designed to be implemented in the healthcare field (HIPAA clients ) or other regulated industries • The NIST SP 800=30 Risk Management methodology is commonly used by security consultants. and focuses mainly on computer systems • An individual or small team collects data from network and security practice assessments. This data is used as input values to the risk analysis steps . security officers and internal IT departments.

• The NIST approach is specific to IT threats and how they relate to information security risks • The steps of NIST approach: – System characterization – Threat identification – Vulnerability identification – Control analysis – Likelihood determination – Impact analysis – Risk determination – Control recommendations – Results documentation .

users to determine the areas that really demand and need risk analysis within an organization .• FRAP (Facilitated Risk Analysis Process) – Designed with the intention of exploring a qualitative risk assessment process in a manner that allows for tests to be conducted on different aspects and variations of the methodology – The intent of this methodology is to provide an organization with the means of deciding what course and actions must be taken in specific circumstances to deal with various issues (not only for IT) – This will allow. through the use of a prescreening process.

• OCTAVE – created by Carnegie Mellon University’s Software Engineering Institute – methodology that is intended to be used in situations where people manage and direct the risk evaluation for information security within their company – the people are able to make the decisions regarding what is the best approach for evaluating the security of their organization – idea • the people working in these environments best understand what is needed and what kind of risks they are facing .

human safety. and business decisions risks – although it can be used to analyze security risks. capital.• AS/NZS 4360 – takes a much broader approach to risk management (both the NIST and OCTAVE methodologies focus on IT threats and information security risks) – can be used to understand a company’s financial. the branches that do not apply can be removed . and as the risk analysis is conducted. it was not created specifically for this purpose • Spanning Tree Analysis – methodology that develops a tree of all the potential threats and faults that can disrupt a system – each of the branches is a general topic or category.

identifying functional failures. and assessing the causes of failure and their failure effects through a structured process – the application of this process to a chronic failure enables the determination of where exactly the failure is most likely to occur – FMEA was first developed for systems engineering – its purpose is to examine the potential failures in products and the processes involved with them – this approach proved to be successful and has been more recently adapted for use in evaluating of risk management priorities and mitigating known threatvulnerabilities .• FMEA (Failure and Fault Analysis) – method for determining functions.

• Fault tree analysis – a more useful approach to identifying failures that can take place within more complex environments and systems – follows this general process • first. • fault trees are then labeled with actual numbers pertaining to failure probabilities. an undesired effect is taken as the root or top event of a tree of logic. • then. each situation that has the potential to cause that effect is added to the tree as a series of logic expressions. • this is typically done by using computer programs that can calculate the failure probabilities from a fault tree. .

Failure Event A OR Top-level failure event is broken down into possible contributory failure events Failure Event B Failure Event C Failure Event D AND Failure Event E Failure Event F Fault tree and logic components .

Quantitative risk assessment • Is done by assigning real numbers to – the cost of countermeasures – the amount of damage caused by the risk – all other elements of risk assessment – the CIA of information and loss are better understood because of statistical data – a cost/benefit assessment of countermeasures can be done. which helps decide the security budget – the evaluation and tracking of the risk management process can be performed – the analyst need not be an expert but can use his basic knowledge and formulae to identify the financial loss • Advantages .

Quantitative risk assessment (cont.) • Disadvantages – calculations are complex and need to be explained to understand the results – an automated risk assessment tool is required because manual calculations are time consuming – a lot of information regarding the object and its environment needs to be collated to decipher risk points – there is no standard threat knowledgebase. as a result users need to entirely depend on their threat research .

based on surveys. which is not based on assigning monetary values but is done by ranking threats. and group discussions • Advantages – – – – calculations are simple and easily understood the monetary values of the CIA of information are usually not required threat frequency and impact of threat do not need quantification the cost of countermeasures does not need to be calculated because the process is not quantitative.Qualitative risk assessment • Is a subjective analysis of risk. so a cost/benefit analysis is not required – information about significant risk areas is provided . interviews. countermeasures. and damage caused • Qualitative risk assessment determines risk relative to its environment.

Qualitative risk assessment (cont.) • Disadvantages – there is a high degree of guesswork because the assessment data is subjective and based on the opinion of experts – the subjective interpretation of risk may not reveal the actual value of the risk to assets – a cost/benefit analysis of risk mitigation measures cannot be done. determining the cost of countermeasures required to safeguard is not possible – the objective tracking of the risk management process cannot be done because of subjective processes and metrics . and as a result.

Medium (M). moderate risk require management notification. and Extreme Risk (E) . and drive them down to low likelihood/low consequence risks (lower left quadrant of Table) – Low (L). High (H).Risk Analysis Matrix • The Risk Analysis Matrix uses a quadrant to map the likelihood of a risk occurring against the consequences (or impact) that risk would have • The Risk Analysis Matrix allows you to perform Qualitative Risk Analysis based on likelihood (from “rare” to “almost certain”) and consequences (or impact). and extreme risks require immediate action including a detailed mitigation plan (and senior management notification) • The goal of the matrix is to identify high likelihood/high consequence risks (upper right quadrant of Table). high risks require senior management notification. from “insignificant” to “catastrophic” • The resulting scores are • Low risks are handled via normal processes.

Rare Minor 2 Moderate 3 Major 4 Catastrophic 5 H M L L L H H M L L E H H M M E E E H H E E E E H Likelihood . Possible 2.Risk Analysis Matrix Consequences Insignificant 1 5. Unlikely 1. Almost Certain 4. Likely 3.

Performing risk assessment • Terms – Exposure Factor (EF) – Single Loss Expectancy (SLE) • expressed as a percent • represents the magnitude of asset loss caused by the identified threat • represents the amount of loss incurred because of a single type of identified threat • represents the annual frequency of the occurrence of a threat • gives the value of loss that will be incurred annually in case of a threat • this value helps an organization decide the amount it needs to spend on protection against the threat – Annualized Rate of Occurrence (ARO) – Annualized Loss Expectancy (ALE) .

0 (at least once a year) to greater than one (several times a year) and anywhere in between – annualized loss expectancy = single loss expectancy * annualized rate of occurrence • Annualized Rate of Occurrence (ARO) • Annualized Loss Expectancy (ALE) .Performing risk assessment Calculations • Exposure Factor (EF) (%) • Single Loss Expectancy (SLE) ($) – exposure factor = percentage of asset loss caused by the identified threat – single loss expectancy = asset value * exposure factor – annualized rate of occurrence = annual frequency of occurrence of a threat – The range can be from 0.0 (never) to 1.

proximity of a firehouse. because of a sprinkler system and other fire controls.1 (indicating once in ten years). and so on). then what is the value of annualized loss expectancy (ALE) ? .000.Example 1 • Data warehouse has the asset value of $150. What is the value of single loss expectancy (SLE) ? • If the frequency of a fire taking place has an annualized rate of occurrence (ARO) value of 0. it was estimated that if a fire were to occur. 25 percent of the warehouse would be damaged (and not more.

1 = $3750 • The ALE value tells the company that if it wants to put in controls or safeguards to protect the asset from this threat.500 * 0.25 = $37.Answer • SLE = asset value * EF • SLE = $150. it can sensibly spend $3750 or less per year to provide the necessary level of protection .000 * 0.500 • SLE * annualized rate of occurrence (ARO) = ALE • ALE = $37.

which leads to different judgments – develop a number of alternatives – gather information for forming the basis of future agreements .Delphi method • Group discussion technique that requires each member to express his honest comments about a particular risk on a piece of paper • All these anonymous comments are then handed over to the analysis group and are compiled and redistributed again for further comments until consensus is reached • Can be used to – assess the impact of company growth – educate participants on all the different aspects of a topic – explore assumptions and discrete information.

Modified Delphi technique • Silent form of brainstorming • Participants develop ideas individually and silently with no group interaction • The ideas are submitted to a group of decision makers for consideration and action .

Selecting countermeasures
• The outcome of risk assessment helps the risk manager find countermeasures to safeguard the organization from identified risks • The risk manager needs to ensure that the cost incurred to safeguard the company from the identified risks is not greater than the potential loss • Cost/benefit analysis (CBA)
• • • process of finding out the most cost-effective countermeasures compares the ALE without the countermeasure, with the cost of protection, to the ALE after installing the countermeasure the formula to find the cost of a countermeasure :

– Value of countermeasure = ALE (without countermeasure) – (annual) Cost (safeguard) - ALE (with countermeasure)

Example 2
• If the ALE of the threat of a hacker bringing down a web server is $12,000 prior to implementing the suggested safeguard • the ALE is $3000 after implementing the safeguard • the annual cost of maintenance and operation of the safeguard is $650 • Value of countermeasure = ALE (without countermeasure) – (annual) Cost (safeguard) - ALE (with countermeasure • $12,000 - $650 - $3000 = $8350 • the value of this safeguard to the company is $8350 each year

Full cost of a countermeasure
• • • • • • • • • • • • Product costs Design/planning costs Implementation costs Environment modifications Compatibility with other countermeasures Maintenance requirements Testing requirements Repair, replacement, or update costs Operating and support costs Effects on productivity Subscription costs Extra man-hours for monitoring and responding to alerts

Total Risk and Residual Risk • Total risk – the risk a company faces if it chooses not to implement any type of safeguard – a company may choose to take on total risk if the cost/benefit analysis results indicate this is the best course of action – total risk = threats * vulnerability * asset value – the value of the risk after implementing a countermeasure – a company implements countermeasures to reduce its overall risk to an acceptable level – there is always some risk left over to deal with – controls gap – residual risk = total risk * controls gap – f( threats. and asset value ) = total risk – total risk – countermeasures = residual risk • protection the control cannot provide • Residual risk • Conceptual formulas . vulnerability.

it is time to decide how to handle identified risks • Options for handling the identified risk – risk acceptance – risk reduction • adopt countermeasures to reduce the risk – risk transfer • purchase insurance policies against the risk to transfer the loss incurred due to damage to the insurance company – risk avoidance • terminate the activity that is introducing the risk • accept the risk and the loss incurred due to the risk and will not act at all to protect against the risk .Risk handling • After completing the risk assessment process and finding the cost of countermeasures to safeguard the organization from the risks.

Risk mitigation 2.Identify tools 5.Uncertainty analysis DEFINE RECOMMENDATIONS 1.Identify method 4.PLAN 1.Assign value to assets 3.Calculate risks 5.Risk acceptance 4.Understand acceptable risk level COLLECT INFORMATION 1.Risk avoidance Management RISK MITIGATION •Control selection •Implementation •Monitoring RISK TRANSFERENCE •Purchase insurance RISK ACCEPTANCE •Do nothing RISK AVOIDANCE •Discontinue activity Risk management program .Cost/benefit analysis 6.Identify team 2.Identify vulnerabilities and threats 4.Identify scope 3.Risk transference 3.Identify assets 2.

Roles and Responsibilities • The management is not only responsible for creating security policies but also for educating employees about the security policies • Security awareness training – educates employees on the importance of security policies and makes them aware of their roles and responsibilities in securing the organization as a whole – should be realistic and achievable – communication plays a crucial role in the security awareness training program – a trainer should be appointed who can clearly understand the security policies of the organization and cen communicate them to the employees with ease .

Roles and Responsibilities (cont. 1) • Examples of different types of security awareness training programs – advanced infosec training for information system security officers and auditors – awareness training for employees holding securitysensitive positions or for training employees on new applications – security-related job training for security personnel – security training for senior. and business managers – technical support training for IT personnel . functional.

2) • Organizational roles – security awareness training program should be first targeted at three specific groups of employees within the organization because these groups are often present in every organization • Individuals • Stewards (Application owners) • Custodians .Roles and Responsibilities (cont.

Individuals – Each individual in an organization is responsible for protecting the organization's assets – An individual can perform different roles within the organization – data owner – – – – • usually part of the senior management who is responsible for classifying data reviewing data to meet changing business needs ensuring the implementation of security controls determining access rights. security. and backup requirements for data – acting on security violation notifications .

) • security administrator – responsible for • • • • configuring security access controls according to data environments creating or deleting system user accounts and issuing passwords assigning access control privileges implementing and testing security software and patches • security professional • security analyst • senior manager – holds the functional responsibility of security and performs the sensitive operations stated by his immediate manager – is not part of the implemention team for security but determines the strategies and guidelines for the overall security design of the organization – holds the responsibility of multiple departments for protecting the company's assets by performing a cost/benefit analysis of the security practices followed by the company. .Individuals (cont.

maintenance. and availability of data • Steward – senior business managers responsible for the creation.Stewards • The user is any person who uses data for performing job-related activities • The user is responsible for protecting the data by adhering to the security policies and maintaining the confidentiality. and performance of information systems related to specific business units – responsibilities • • • • • categorizing data based on the data-classification scheme classifying critical data effectively to meet contingencies defining validation rules for correct data input ensuring the training of data users understanding the uses and risks associated with data in order to provide appropriate data access permissions . integrity.

Custodians • Custodian – IT personnel responsible for the security and maintenance of the information provided to them by stewards – protecting information from unauthorized access and modifications – performing backups or restoring data according to the requirements specified by the organization – monitoring information systems to ensure compliance with company policies and standards – providing stewards with reports about information system usage • Responsibilities .

Other roles in an organization • change control analyst – takes care of all the changes that take place in the organization's information system – responsibilities • • • • approving or rejecting change requests analyzing the impact of changes ensuring that changes do not lead to vulnerabilities testing all changes before they are rolled out • data analyst • • • • – ensures that an organization's data is properly structured and comprehensible – responsibilities designing data structures and data models in compliance with business objectives designing the physical database structure helping the data owner develop data architectures recording metadata to manage databases .

) • process owner – ensures that all processes in an organization are well defined to meet business needs – responsibilities • defining data requirements and improving data quality for business processes • defining. improving. and monitoring processes to make the processes effective • resolving the data issues related to complex processes and the processes associated with different application types • product line manager • • • • • • – ensures that all products meet the business requirements of the organization – responsibilities translating business requirements into product requirements evaluating the need for product enhancement planning and implementing new releases ensuring that products comply with license agreements monitoring production performance per business objectives analyzing product usage and the technology required for product usage .Other roles in an organization (cont.

purchase decisions.) • solution provider – works with the business managers to develop and deploy solutions for improving business processes or solving problems – responsibilities • ensuring that applications and data work together to meet business needs • giving technical requirements to improve the process • system owner – incorporates security considerations into applications. and projects – responsibilities • assessing systems for vulnerabilities • ensuring that proper security measures are adopted • reporting security incidents to the data owner .Other roles in an organization (cont.

Other roles in an organization (cont.) • supervisor – also called the user manager – holds the complete responsibility of employee activities and the assets used by the employees – also takes care of nonemployee activities and the company assets used by these individuals – responsibilities • informing the security administration for revoking the user IDs of terminated employees • informing the administration about the transfer of an employee • reporting security violation incidents • receiving and assigning user IDs to new employees • ensuring that the user ID and account information of an employee are synchronized • educating the employees about the security policies they are accountable for .

Questions .

The user C. One of the responsibilities that goes into protecting this information is properly classifying it. The owner – D. A company can have one specific data owner or different data owners who have been delegated the responsibility of protecting specific sets of data. The functional manager – B.• 1. . Who has the primary responsibility of determining the classification level for information? – A. Senior management – C.

• 2. Which group causes the most risk of fraud and computer compromises?
– A. Employees – B. Hackers – C. Attackers – D. Contractors

A. It is commonly stated that internal threats comprise 70–80 percent of the overall threat to a company. This is because employees already have privileged access to a wide range of company assets. The outsider who wants to cause damage must obtain this level of access before she can carry out the type of damage internal personnel could dish out. A lot of the damages caused by internal employees are brought about by mistakes and system misconfigurations.

• 3. If different user groups with different security access levels need to access the same information, which of the following actions should management take?
– A. Decrease the security level on the information to ensure accessibility and usability of the information. – B. Require specific written approval each time an individual needs to access the information. – C. Increase the security controls on the information. – D. Decrease the classification label on the information.

C. If data is going to be available to a wide range of people, more granular security should be implemented to ensure that only the necessary people access the data and that the operations they carry out are controlled. The security implemented can come in the form of authentication and authorization technologies, encryption, and specific access control mechanisms.

• 4. What should management consider the most when classifying data?
– A. The type of employees, contractors, and customers who will be accessing the data. – B. Availability, integrity, and confidentiality. – C. Assessing the risk level and disabling countermeasures. – D. The access controls that will be protecting the data.
B. The best answer to this question is B, because to properly classify data, the data owner must evaluate the availability, integrity, and confidentiality requirements of the data. Once this evaluation is done, it will dictate which employees, contractors, and users can access the data, which is expressed in answer A. This assessment will also help determine the controls that should be put into place.

it must continually ensure that data and resources are being properly protected. Users – C. it is ultimately responsible for everything that takes place within a company. . Administrators – D. Who is ultimately responsible for making sure data is classified and protected? – A. The key to this question is the use of the word “ultimately. Management D.• 5.” Though management can delegate tasks to others. Data owners – B. Therefore.

they are compulsory. Guidelines are recommendations. Rules on how software and hardware must be used within the environment – B. Standards are rules that must be followed.• 6. thus. Compulsory actions B. . Step-by-step directions on how to accomplish a task – C. Guidelines on how to approach security situations not covered by standards – D. while procedures are step-by-step instructions. What is a procedure? – A.

. funds. Updated and relevant security policies and procedures – D. Senior management support – B. Which factor is the most important item when it comes to ensuring security is successful in an organization? – A. resources. a security program will not receive the necessary attention. and enforcement capabilities. Effective controls and implementation methods – C. Without senior management’s support. Security awareness by all employees A.• 7.

– B. but these are not reasons to not implement a countermeasure. – D.• 8. and there are almost always political issues surrounding different risks. When is it acceptable to not take action on an identified risk? – A. When political issues prevent this type of risk from being addressed. Never. When the necessary countermeasure is complex. – C. . Companies may decide to live with specific risks they are faced with if the cost of trying to protect themselves would be greater than the potential loss if the threat were to become real. Good security addresses and reduces all risks. D. When the cost of the countermeasure outweighs the value of the asset and potential loss. Countermeasures are usually complex to a degree.

A security policy captures senior management’s perspectives and directives on what role security should play within the company. Detailed documents explaining how security incidents should be handled C. Security policies are usually general and use broad terms so they can cover a wide range of items. General guidelines used to accomplish a specific security level – C. high-level statements from the management – D.• 9. Step-by-step directions on how to accomplish security tasks – B. Broad. . What are security policies? – A.

B is the best answer here. Although the other answers may seem correct. All the data captured in answers A. The ALE value will go into the cost/benefit analysis. Identifying the vulnerabilities and threats causing the risk B. Which is the most valuable technique when determining if a specific security control should be implemented? – A. This is because a risk analysis is performed to identify risks and come up with suggested countermeasures. Cost/benefit analysis – C. but the ALE does not address the cost of the countermeasure and the benefit of a countermeasure. Risk analysis – B. ALE results – D. The ALE tells the company how much it could lose if a specific threat became real.• 10. C. and D are inserted into a cost/benefit analysis. .

• 11. Which best describes the purpose of the ALE calculation?
– A. Quantifies the security level of the environment – B. Estimates the loss possible for a countermeasure – C. Quantifies the cost/benefit result – D. Estimates the loss potential of a threat in a span of a year
D. The ALE calculation estimates the potential loss that can affect one asset from a specific threat within a one-year time span. This value is used to figure out the amount of money that should be earmarked to protect this asset from this threat.

• 12. Tactical planning is:
– A. Midterm – B. Long term – C. Day-to-day – D. Six months

A. Three types of goals make up the planning horizon: operational, tactical, and strategic. Tactical goals are midterm goals that must be accomplished before the overall strategic goal is accomplished.

• 13. What is the definition of a security exposure?
– A. An instance of being exposed to losses from a threat – B. Any potential danger to information or systems – C. An information security absence or weakness – D. A loss potential of a threat

A. An exposure is an instance of being exposed to losses from a threat agent. A vulnerability can cause an organization to be exposed to possible damages. For example, if password management is lax and password rules are not enforced, the company can be exposed to the possibility of having users’ passwords captured and used in an unauthorized manner.

a security policy. but rather a mix of the two. Security is not defined by a firewall. Procedural security and encryption A. company procedures. Physical security and technical controls – D. Countermeasures and safeguards – C. It is defined by all of these and how they integrate together within an environment. . Security is neither purely technical nor purely procedural.• 14. Technical and nontechnical methods – B. an access control mechanism. An effective security program requires a balanced application of: – A. or authentication technologies. employee conduct.

The cost/benefit relationship C. and assurance defines: – A. . their functionality and assurance should be examined and tested individually. This may have nothing to do with the actual protection it provides. The security functionality defines the expected activities of a security mechanism. The confidence of the security the mechanism is providing – D. When systems and mechanisms are evaluated. Assurance is the level of confidence in the protection level a mechanism will provide. The controls the security mechanism will enforce – B.• 15. The data classification after the security mechanism has been implemented – C. The functionality describes how a mechanism will work and behave.

whereas the military is most concerned with integrity. The military has a rich history of having to keep its secrets secret. B. it is a subjective answer. The military requires higher levels of security because the risks are so much higher. The business sector usually cares most about data availability and confidentiality. – C. Although answer C may seem correct to you. Which statement is true when looking at security objectives in the private business sector versus the military sector? – A. – B. Only the military has true security.• 16. . Businesses usually care more about data integrity and availability. whereas the military is more concerned with confidentiality. – D. Businesses will see their threats and risks as being more important than another organization’s threats and risks. This is usually not as important in the commercial sector relative to the military.

as well as the controls gap (what the specific countermeasure cannot protect against). It is hard to assign a number to a vulnerability and a threat individually. SLE × frequency = ALE – D. which is what is left over after a countermeasure is implemented. What remains is the residual risk. How do you calculate residual risk? – A. (Threats × vulnerability × asset value) × controls gap D. Threats × risks × asset value – B. (Threats × asset value × vulnerability) × risks – C. The equation is more conceptual than practical. This equation enables you to look at the potential loss of a specific asset. .• 17.

Which of the following is not a purpose of doing a risk analysis? – A. Identifying risks – D. Delegating responsibility – B. Quantifying the impact of potential threats – C. An analysis is not carried out to delegate responsibilities. Management will take on this responsibility once the results of the analysis are reported to it and it understands what actually needs to be carried out. The other three answers are the main reasons to carry out a risk analysis. . Defining the balance between the impact of a risk and the cost of the necessary countermeasure A.• 18.

Performing risk analysis – C. Support – B. Management also delegates who does what pertaining to security. Which of the following is not a management role in the process of implementing and maintaining security? – A.• 19. It does not carry out the analysis. Management should define the role and scope of security and allocate the funds and resources. . The number one ingredient management must provide when it comes to security is support. but rather is responsible for making sure one is done and that management acts on the results it provides. Defining purpose and scope – D. Delegating responsibility B.

C. – D. Because the people in the different departments are the ones causing the risks. and may have possible solutions to specific threats that affect its part of the company. An analysis is only as good as the data that goes into it. Each department understands its own threats and resources. Data pertaining to risks the company faces should be extracted from the people who understand best the business functions and environment of the company. – B. . It shouldn’t. Thus. Why should the team that will perform and review the risk analysis information be made up of people in different departments? – A. so they should be the ones held accountable. To make sure the process is fair and that no one is left out. it ensures the data going into the analysis is as close to reality as possible. It should be a small group brought in from outside the organization because otherwise the analysis is biased and unusable.• 20. – C. Because people in different departments understand the risks of their department.

Sign up to vote on this title
UsefulNot useful

Master Your Semester with Scribd & The New York Times

Special offer for students: Only $4.99/month.

Master Your Semester with a Special Offer from Scribd & The New York Times

Cancel anytime.