cyber security exercise and need an explanation and answer to help me learn.
I would like to solve the questions based on the attached references.
Please solve the questions in DETAIL!!
If the solution is not found in the references, you can look up the answer with an Internet search.
Why is phishing such an effective attack? Explain.
What is ISO 27001? What is its importance?
List and explain 5 recent breaches; explain what types of breaches these were and what the impact was.
What are the 4 goals of controls management, and why is each one important in your opinion?
Explain the methods for performing cost-benefit analysis in managing risk.
List and explain 5 cyber risks that could be identified during an assessment.
What is the first step in performing a risk assessment?
What are the 7 goals of asset management? Explain each of the goals in your response and why it is important.
List and explain the 5 risk control strategies for the termination strategy.
What is Tor and what can it be used for?
Which is not a CIS critical control?
List 3 examples of the risk control strategy for the termination strategy.
Week 1: SECURITY MEASURES: POLICIES AND PROCEDURES
CS-628-A Security Management

Greg Kyrytschenko Bio
Work Experience
• I have worked in the Information Security industry for nearly 20 years.
• Active in the information security field
• Hold several industry-related certificates including CISSP & CISM
• I currently work at a Financial Services Firm.
• I have worked at several companies prior to my current location, including consulting, a large regional bank, an asset management firm, a stock exchange, and aerospace & defense
• I have worked in numerous positions:
  • Information security analyst/admin
  • Infosec advisor
  • Infosec engineer
  • Infosec architect
  • IT Security management
Education Experience
• Bachelor of Science in Information Technology
• Master of Business Administration
• Email Contact: firstname.lastname@example.org

Your Bio
• Your Name
• Why are you here?
• What interests you about Cyber Security?
• Where are you currently in your educational career?
• Do you have any cybersecurity experience? If so, what?
• What would you like to get out of this class?

Course Objective
• Provide students with an understanding of security management and how to build a team that can manage the security controls and processes that mitigate risk in today’s constantly changing, dynamic threat landscape.
Security vs Convenience
Rules of Risk Calculation and Mitigating Controls
Understanding Impact & Likelihood
Risk = Consequence x Probability
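As an added example (not part of the course slides), the rule above, Risk = Consequence x Probability, applied to a constructed risk register: each risk is scored on assumed 1-5 qualitative scales, ranked, compared with an assumed organizational risk acceptance level (the ISMS material on this page ties control selection to risks above that level), and re-scored after a mitigating control changes one factor.

```python
from typing import List, Optional, Tuple
from dataclasses import dataclass

# Qualitative scales, assumed for this example: the slides give only the
# formula Risk = Consequence x Probability, not the scale values.
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    consequence: str   # key of CONSEQUENCE
    probability: str   # key of PROBABILITY


def risk_score(risk: Risk) -> int:
    """Risk = Consequence x Probability on the 1-5 scales above (range 1-25)."""
    return CONSEQUENCE[risk.consequence] * PROBABILITY[risk.probability]


def rank_risks(register: List[Risk]) -> List[Tuple[str, int]]:
    """Return (name, score) pairs, highest risk first; ties keep register order."""
    scored = [(r.name, risk_score(r)) for r in register]
    return sorted(scored, key=lambda pair: -pair[1])


def unacceptable_risks(register: List[Risk], acceptance_level: int) -> List[str]:
    """Names of risks whose score exceeds the organization's risk acceptance level.

    In the ISMS model these are the risks for which controls must be selected
    and implemented; risks at or below the level may be accepted and monitored.
    """
    return [name for name, score in rank_risks(register) if score > acceptance_level]


def treatment_effect(risk: Risk, new_consequence: Optional[str] = None,
                     new_probability: Optional[str] = None) -> Tuple[int, int]:
    """Score before and after a mitigating control changes one or both factors.

    A control that lowers probability (e.g. phishing-resistant MFA) or lowers
    consequence (e.g. tested offline backups) moves the risk toward the
    acceptance level; this shows how much a single control buys.
    """
    before = risk_score(risk)
    treated = Risk(risk.name,
                   new_consequence or risk.consequence,
                   new_probability or risk.probability)
    return before, risk_score(treated)


# Constructed sample register for illustration only.
SAMPLE_REGISTER = [
    Risk("credential phishing of staff", "major", "likely"),       # 4 x 4 = 16
    Risk("ransomware on file servers", "severe", "possible"),       # 5 x 3 = 15
    Risk("lost unencrypted laptop", "moderate", "possible"),        # 3 x 3 = 9
    Risk("data centre flood", "severe", "rare"),                    # 5 x 1 = 5
]

if __name__ == "__main__":
    for name, score in rank_risks(SAMPLE_REGISTER):
        print(f"{score:2d}  {name}")
    print("needs controls:", unacceptable_risks(SAMPLE_REGISTER, acceptance_level=8))
    print("phishing after MFA:", treatment_effect(SAMPLE_REGISTER[0], new_probability="unlikely"))
```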
ISO/IEC 27000 Introduction
• What is an ISMS?
• ISMS family of standards
• Overview
• Process approach
• Why an ISMS is important
• Establishing, monitoring, maintaining and improving an ISMS
• ISMS critical success factors
• Benefits of the ISMS family of standards
What is an ISMS?
An ISMS (Information Security Management System) provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the protection of information assets to achieve business objectives based upon a risk assessment and the organization’s risk acceptance levels designed to effectively treat and manage risks. Analyzing requirements for the protection of information assets and applying appropriate controls to ensure the protection of these information assets, as required, contributes to the successful implementation of an ISMS.
The following fundamental principles also contribute to the successful implementation of an ISMS:
a) awareness of the need for information security;
b) assignment of responsibility for information security;
c) incorporating management commitment and the interests of stakeholders;
d) enhancing societal values;
e) risk assessments determining appropriate controls to reach acceptable levels of risk;
f) security incorporated as an essential element of information networks and systems;
g) active prevention and detection of information security incidents;
h) ensuring a comprehensive approach to information security management; and
i) continual reassessment of information security and making of modifications as appropriate.
The ISMS family of standards
International Standards for management systems provide a model to follow in setting up and operating a management system. This model incorporates the features on which experts in the field have reached a consensus as being the international state of the art. ISO/IEC JTC 1 SC 27 maintains an expert committee dedicated to the development of international management systems standards for information security, otherwise known as the Information Security Management System (ISMS) family of standards.
The ISMS standards (Information technology — Security techniques):
• ISO/IEC 27000:2009, Information security management systems — Overview and vocabulary
• ISO/IEC 27001:2005, Information security management systems — Requirements
• ISO/IEC 27002:2005, Code of practice for information security management
• ISO/IEC 27003, Information security management system implementation guidance
• ISO/IEC 27004, Information security management — Measurement
• ISO/IEC 27005:2008, Information security risk management
• ISO/IEC 27006:2007, Requirements for bodies providing audit and certification of information security management systems
• ISO/IEC 27007, Guidelines for information security management systems auditing
• ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
Overview
Information
Information is an asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected. Information can be stored in many forms, including: digital form (e.g. data files stored on electronic or optical media), material form (e.g. on paper), as well as unrepresented information in the form of knowledge of the employees. Information may be transmitted by various means including: courier, electronic or verbal communication. Whatever form information takes, or the means by which the information is transmitted, it always needs appropriate protection. This information is exposed to a wide variety of threats and vulnerabilities.
Information security
Information security includes three main dimensions: confidentiality, availability and integrity. With the aim of ensuring sustained business success and continuity, and of minimizing impacts, information security involves the application and management of appropriate security measures that involves consideration of a wide range of threats. Information security is achieved through the implementation of an applicable set of controls, selected through the chosen risk management process and managed using an ISMS, including policies, processes, procedures, organizational structures, software and hardware to protect the identified information assets. These controls need to be specified, implemented, monitored, reviewed and improved where necessary, to ensure that the specific security and business objectives of the organization are met. Relevant information security controls are expected to be seamlessly integrated with an organization’s business processes.
Overview (cont’d)
Management
Management involves activities to direct, control and continually improve the organization within appropriate structures. Management activities include the act, manner, or practice of organizing, handling, directing, supervising, and controlling resources. Management structures extend from one person in a small organization to management hierarchies consisting of many individuals in large organizations. In terms of an ISMS, management involves the supervision and making of decisions necessary to achieve business objectives through the protection of the organization’s information assets. Management of information security is expressed through the formulation and use of information security policies, standards, procedures and guidelines, which are then applied throughout the organization by all individuals associated with the organization.
Management system
A management system uses a framework of resources to achieve an organization’s objectives. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources. In terms of information security, a management system allows an organization to:
a) satisfy the security requirements of customers and other stakeholders;
b) improve an organization’s plans and activities;
c) meet the organization’s information security objectives;
d) comply with regulations, legislation and industry mandates; and
e) manage information assets in an organized way that facilitates continual improvement and adjustment to current organizational goals and to the environment.
Process approach
Plan – Do – Check – Act (PDCA) process
Organizations need to identify and manage many activities in order to function effectively and efficiently. Any activity using resources needs to be managed to enable the transformation of inputs into outputs using a set of interrelated or interacting activities; this is also known as a process. The output from one process can directly form the input to another process and generally this transformation is carried out under planned and controlled conditions. The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management, can be referred to as a “process approach”.
The process approach for the ISMS presented in the ISMS family of standards is based on the operating principle adopted in ISO’s management system standards commonly known as the Plan – Do – Check – Act (PDCA) process:
a) Plan – establish objectives and make plans (analyze the organization’s situation, establish the overall objectives and set targets, and develop plans to achieve them);
b) Do – implement plans (do what was planned to do);
c) Check – measure results (measure/monitor the extent to which achievements meet planned objectives); and
d) Act – correct and improve activities (learn from mistakes to improve activities to achieve better results).
Establishing, monitoring, maintaining and improving an ISMS
An organization needs to undertake the following steps in establishing, monitoring, maintaining and improving its ISMS:
a) identify information assets and their associated security requirements;
b) assess information security risks;
c) select and implement relevant controls to manage unacceptable risks; and
d) monitor, maintain and improve the effectiveness of security controls associated with the organization’s information assets.
To ensure the ISMS is effectively protecting the organization’s information assets on an ongoing basis, it is necessary for steps (a) to (d) to be continuously repeated to identify changes in risks or in the organization’s strategies or business objectives.
Identify information security requirements
Within the overall strategy and business objectives of the organization, its size and geographical spread, information security requirements can be identified through an understanding of:
a) identified information assets and their value;
b) business needs for information processing and storage; and
c) legal, regulatory, and contractual requirements.
ISMS critical success factors
A large number of factors are critical to the successful implementation of an ISMS to allow an organization to meet its business objectives. Examples of critical success factors include:
a) information security policy, objectives, and activities aligned with objectives;
b) an approach and framework for designing, implementing, monitoring, maintaining, and improving information security consistent with the organizational culture;
c) visible support and commitment from all levels of management, especially top management;
d) an understanding of information asset protection requirements achieved through the application of information security risk management (see ISO/IEC 27005);
e) an effective information security awareness, training and education program, informing all employees and other relevant parties of their information security obligations set forth in the information security policies, standards etc., and motivating them to act accordingly;
f) an effective information security incident management process;
g) an effective business continuity management approach; and
h) a measurement system used to evaluate performance in information security management and feedback suggestions for improvement.
An ISMS increases the likelihood that an organization will consistently achieve the critical success factors required to protect its information assets.
Benefits of the ISMS family of standards
The benefits of implementing an ISMS will primarily result from a reduction in information security risks (i.e. reducing the probability of, and/or impact caused by, information security incidents). Specifically, benefits realized from the adoption of the ISMS family of standards include:
a) support for the process of specifying, implementing, operating and maintaining a comprehensive and cost-effective integrated and aligned ISMS that meets the organization’s needs across different operations and sites;
b) assistance for management in structuring their approach towards information security management, within the context of corporate risk management and governance, including educating and training business and system owners on the holistic management of information security;
c) promotion of globally-accepted good information security practices in a non-prescriptive manner, giving organizations the latitude to adopt and improve relevant controls that suit their specific circumstances and to maintain them in the face of internal and external changes; and
d) provision of a common language and conceptual basis for information security, making it easier to place confidence in business partners with a compliant ISMS, especially if they require certification against ISO/IEC 27001 by an accredited certification body.
ISO/IEC 27000 Information technology — Security techniques — Information security management systems — Overview and vocabulary
Scope: This International Standard provides to organizations and individuals: a) an overview of the ISMS family of standards; b) an introduction to information security management systems (ISMS); c) a brief description of the Plan-Do-Check-Act (PDCA) process; and d) terms and definitions used throughout the ISMS family of standards.
Purpose: ISO/IEC 27000 describes the fundamentals of information security management systems, which form the subject of the ISMS family of standards, and defines related terms.
ISO/IEC 27001 Information technology — Security techniques — Information security management systems — Requirements
Scope: This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving formalized information security management systems (ISMS) within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. This International Standard is universal for all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations).
Purpose: ISO/IEC 27001 provides normative requirements for the development and operation of an ISMS, including a set of controls for the control and mitigation of the risks associated with the information assets which the organization seeks to protect by operating its ISMS. Organizations operating an ISMS may have their conformity audited and certified. The control objectives and controls from Annex A (ISO/IEC 27001) shall be selected as part of this ISMS process as appropriate to cover the identified requirements. The control objectives and controls listed in Table A.1 (ISO/IEC 27001) are directly derived from and aligned with those listed in ISO/IEC 27002 Clauses 5 to 15.
ISO/IEC 27006 Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
Scope: This International Standard specifies requirements and provides guidance for bodies providing audit and ISMS certification in accordance with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 17021. It is primarily intended to support the accreditation of certification bodies providing ISMS certification according to ISO/IEC 27001.
Purpose: ISO/IEC 27006 supplements ISO/IEC 17021 in providing the requirements by which certification organizations are accredited, thus permitting these organizations to provide compliance certifications consistently against the requirements set forth in ISO/IEC 27001.
ISO/IEC 27002 Information technology — Security techniques — Code of practice for information security management
Scope: This International Standard provides a list of commonly accepted control objectives and best practice controls to be used as implementation guidance when selecting and implementing controls for achieving information security.
Purpose: ISO/IEC 27002 provides guidance on the implementation of information security controls. Specifically, Clauses 5 to 15 provide specific implementation advice and guidance on best practice in support of the controls specified in Clauses A.5 to A.15 of ISO/IEC 27001.
ISO/IEC 27003 Information technology — Security techniques — Information security management system implementation guidance
Scope: This International Standard will provide practical implementation guidance and provide further information for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS in accordance with ISO/IEC 27001.
Purpose: ISO/IEC 27003 will provide a process-oriented approach to the successful implementation of the ISMS in accordance with ISO/IEC 27001.
ISO/IEC 27004 Information technology — Security techniques — Information security management — Measurement
Scope: This International Standard will provide guidance and advice on the development and use of measurements in order to assess the effectiveness of ISMS, control objectives, and controls used to implement and manage information security, as specified in ISO/IEC 27001.
Purpose: ISO/IEC 27004 will provide a measurement framework allowing an assessment of ISMS effectiveness to be measured in accordance with ISO/IEC 27001.
ISO/IEC 27005 Information technology — Security techniques — Information security risk management
Scope: This International Standard provides guidelines for information security risk management. The approach described within this International Standard supports the general concepts specified in ISO/IEC 27001.
Purpose: ISO/IEC 27005 provides guidance on implementing a process-oriented risk management approach to assist in satisfactorily implementing and fulfilling the information security risk management requirements of ISO/IEC 27001.
ISO/IEC 27007 Information technology — Security techniques — Guidelines for information security management systems auditing
Scope: This International Standard will provide guidance on conducting ISMS audits, as well as guidance on the competence of information security management system auditors, in addition to the guidance contained in ISO 19011, which is applicable to management systems in general.
Purpose: ISO/IEC 27007 will provide guidance to organizations needing to conduct internal or external audits of an ISMS or to manage an ISMS audit program against the requirements specified in ISO/IEC 27001.
Standards describing sector-specific guidelines
ISO/IEC 27011 Information technology — Security techniques — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
Scope: This International Standard provides guidelines supporting the implementation of Information Security Management (ISM) in telecommunications organizations.
Purpose: ISO/IEC 27011 provides telecommunications organizations with an adaptation of the ISO/IEC 27002 guidelines unique to their industry sector, which are additional to the guidance provided towards fulfilling the requirements of ISO/IEC 27001.
ISO 27799 Health informatics — Information security management in health using ISO/IEC 27002
Scope: This International Standard provides guidelines supporting the implementation of Information Security Management (ISM) in health organizations.
Purpose: ISO 27799 provides health organizations with an adaptation of the ISO/IEC 27002 guidelines unique to their industry sector, which are additional to the guidance provided towards fulfilling the requirements of ISO/IEC 27001.
Policies and Procedures
• Policies and Procedures
• Security Awareness
• Security Plan
• Emergency Management Plan

Threat Analysis Group Risk Assessment Process
Three types of security countermeasures to prevent, mitigate, and eliminate risk:
• Policies and procedures
• Physical security measures
• Security personnel

Due Diligence
• Documentation of the security program is a critical element and includes the identification of critical assets, threats, and vulnerabilities.
• A Security Program evolves over time, and the best way to demonstrate that is via due diligence that is documented.

Due Diligence
• Security policies and procedures refer to a wide variety of documents. In the security arena, these documents may include security manuals, standard operating procedures (SOPs), post orders, Occupant Emergency Plans (OEPs), security standards and guidelines, training standards, workplace violence policies, emergency management plans, and disaster recovery plans.
• Procedures may include access control, weapon and other contraband searches (including the employees’ personal areas such as desks and lockers), and incident reporting methods.

Reduce Liability
• Formal, written policies and procedures save security decision makers time, assist in adequate training, and reduce liability by demonstrating due diligence.
• On a practical level, security policies describe the security functions at a facility or for an organization, including how security functions and measures are organized, deployed, and managed.

Security Awareness
• A security program is effective when all employees take ownership. Security should be seen as a mission-critical element of the organization.
• A top-down approach, with a written policy statement from senior management, is a good first step in developing the requisite employee acceptance of the security program.
• Management sets the tone for the level of adherence to the security measures utilized at the facility or within the organization.
• Security is reinforced through employee orientation, continuing education, and close monitoring by dedicated security personnel.

Challenges to Security Awareness
Acceptance? Challenges? Global Issues?

SECURITY PLAN
• A written document that defines the organization’s security mission, provides an overview of the complete security program, and identifies all methods in use for the protection of organizational assets.
• The security plan documents the organization’s security policies, procedures, functions, measures, and strategies for providing a safe and secure environment and preventing crime and other security incidents.

SECURITY PLAN
• The security plan articulates how the security program is organized, usually through personnel and function organizational charts, flowcharts, and descriptions of specific countermeasures.
• Security plans also describe the common security measures utilized throughout the facility or facilities, as the case may be, and how these measures operate on a daily, routine basis. Security responsibilities are clearly delineated, and regulatory compliance measures are described in detail.
Regulatory & Industry Requirements
• http://ithandbook.ffiec.gov/
• http://ithandbook.ffiec.gov/it-booklets.aspx
• https://www.pcisecuritystandards.org
• http://www.hhs.gov/ocr/privacy/
• http://ec.europa.eu/justice/data-protection/
• http://www.mas.gov.sg/regulations-and-financial-stability/regulatory-and-supervisory-framework/risk-management/technology-risk.aspx
• https://www.gov.uk/government/publications/technology-and-information-risk-management
Sample Org Chart
EMERGENCY MANAGEMENT PLAN
• An emergency management plan is a written document that communicates the policies and procedures to be followed in the event of an emergency.
• It is typically referred to as a Business Continuity and/or Disaster Recovery Plan.
• It is a reactive plan and should address an emergency that is imminent or has already occurred.

EMERGENCY MANAGEMENT PLAN
Challenges?

Cybersecurity Review
Business Risks
https://www.us-cert.gov/ccubedvp/self-service-crr

Operational resilience and cyber security practices
• Asset Management
• Controls Management
• Configuration and Change Management
• Vulnerability Management
• Incident Management
• Service Continuity Management
• Risk Management
• External Dependencies Management
• Training and Awareness
• Situational Awareness
CIS Critical Controls
Asset Management
Purpose: To identify, document, and manage assets during their life cycle to ensure sustained productivity to support critical services.
The Asset Management domain establishes a method for an organization to plan, identify, document, and manage its assets. Assets are the raw materials that services need to operate. The CRR organizes assets into the following categories:
• People to operate and monitor the service
• Information and data to feed the process and to be produced by the service
• Technology to automate and support the service
• Facilities in which to perform services

Asset Management
• Goal 1 – Services are identified and prioritized.
• Goal 2 – Assets are inventoried, and the authority and responsibility for these assets is established.
• Goal 3 – The relationship between assets and the services they support is established.
• Goal 4 – The asset inventory is managed.
• Goal 5 – Access to assets is managed.
• Goal 6 – Information assets are categorized and managed to ensure the sustainment and protection of the critical service.
• Goal 7 – Facility assets supporting the critical service are prioritized and managed.
Asset Management
1. Services are identified and prioritized.
   1. The organization’s services are identified.
   2. The organization’s services are prioritized based on analysis of the potential impact if the services are disrupted.
2. Assets are inventoried, and the authority and responsibility for these assets is established.
   1. The assets that directly support the critical service are inventoried.
   2. Asset descriptions include protection and sustainment requirements.
   3. Owners and custodians of assets are documented in asset descriptions.
   4. The physical locations of assets (both within and outside the organization) are documented in the asset inventory.
3. The relationship between assets and the services they support is established.
   1. The associations between assets and the critical service they support are documented.
   2. Confidentiality, integrity, and availability requirements are established for each service-related asset.
4. The asset inventory is managed.
   1. Change criteria are established for asset descriptions.
   2. Asset descriptions are updated when changes to assets occur.
Asset Management (cont’d)
5. Access to assets is managed.
   1. Access to assets is granted based on their protection requirements.
   2. Access requests are reviewed and approved by the asset owner.
   3. Access privileges are reviewed to identify excessive or inappropriate privileges.
   4. Access privileges are modified as a result of reviews.
6. Information assets are categorized and managed to ensure the sustainment and protection of the critical service.
   1. Information assets are categorized based on sensitivity and potential impact to the critical service (such as public, internal use only, or secret).
   2. The categorization of information assets is monitored and enforced.
   3. Policies and procedures for the proper labeling and handling of information assets are created.
   4. All staff members who handle information assets (including those who are external to the organization, such as contractors) are trained in the use of information categories.
   5. High-value information assets are backed up and retained.
   6. Guidelines for properly disposing of information assets are created.
   7. Adherence to information asset disposal guidelines is monitored and enforced.
7. Facility assets supporting the critical service are prioritized and managed.
   1. Facilities are prioritized based on their potential impact to the critical service, to identify those that should be the focus of protection and sustainment activities.
   2. The prioritization of facilities is reviewed and validated.
   3. Protection and sustainment requirements of the critical service are considered during the selection of facilities.
Controls Management
Purpose: To identify, analyze, and manage controls in a critical service’s operating environment.
Internal control is a governance process used by an organization to ensure effective and efficient achievement of organizational objectives and to provide reasonable assurance of success. The Controls Management domain outlined in the CRR presents a way for the organization to identify control objectives and establish controls to meet those objectives. The Controls Management domain also addresses the importance of analyzing and assessing those controls to ensure that the process is constantly being improved.

Controls Management
• Goal 1 – Control objectives are established.
• Goal 2 – Controls are implemented.
• Goal 3 – Control designs are analyzed to ensure they satisfy control objectives.
• Goal 4 – The internal control system is assessed to ensure control objectives are met.

The Controls Management domain comprises four goals and seven practices
1. Control objectives are established.
   1. Control objectives are established for assets required for delivery of the critical service.
   2. Control objectives are prioritized according to their potential to affect the critical service.
2. Controls are implemented.
   1. Controls are implemented to achieve the control objectives established for the critical service.
3. Control designs are analyzed to ensure they satisfy control objectives.
   1. Control designs are analyzed to identify gaps where control objectives are not adequately satisfied.
   2. As a result of the controls analysis, new controls are introduced or existing controls are modified to address gaps.
4. The internal control system is assessed to ensure control objectives are met.
   1. The performance of controls is assessed on a scheduled basis to verify they continue to meet control objectives.
   2. As a result of scheduled assessments, new controls are introduced or existing controls are modified to address problem areas.
Configuration and Change Management
• Goal 1 – The life cycle of assets is managed.
• Goal 2 – The integrity of technology and information assets is managed.
• Goal 3 – Asset configuration baselines are established.

Configuration and Change Management domain
• Purpose: To establish processes to ensure the integrity of assets, using change control and change control audits.
• An organization’s asset infrastructure is constantly evolving as technology changes, information is updated, and new personnel are hired. The Configuration and Change Management domain addresses how an organization can implement processes and procedures that manage assets and ensure that changes made to those assets are minimally disruptive to the organization.

Configuration and Change Management domain
1. The life cycle of assets is managed.
   1. A change management process is used to manage modifications to assets.
   2. Resilience requirements are evaluated as a result of changes to assets.
   3. Capacity management and planning are performed for assets.
   4. Change requests are tracked to closure.
   5. Stakeholders are notified when they are affected by changes to assets.
2. The integrity of technology and information assets is managed.
   1. Configuration management is performed for technology assets.
   2. Techniques are used to detect changes to technology assets.
   3. Modifications to technology assets are reviewed.
   4. Integrity requirements are used to determine which staff members are authorized to modify information assets.
   5. The integrity of information assets is monitored.
   6. Unauthorized or unexplained modifications to technology assets are addressed.
   7. Modifications to technology assets are tested before being committed to production systems.
   8. A process for managing access to technology assets is implemented.
3. Asset configuration baselines are established.
   1. Technology asset configuration baselines are created.
   2. Approval is obtained for proposed changes to baselines.
Vulnerability Management
• Purpose: To identify, analyze, and manage vulnerabilities in a critical service’s operating environment.
• Vulnerability is the susceptibility of an asset, and the associated critical service, to disruption. Vulnerabilities can result in operational risks and must be identified and managed to avoid disruptions to the critical service’s operating environment. A vulnerability management process identifies and analyzes vulnerabilities before they are exploited and informs the organization of threats that must be analyzed in the risk management process to determine whether they pose tangible risk to the organization based on the organization’s risk tolerance.
Vulnerability Management
• Goal 1 – Preparation for vulnerability analysis and resolution activities is conducted.
• Goal 2 – A process for identifying and analyzing vulnerabilities is established and maintained.
• Goal 3 – Exposure to identified vulnerabilities is managed.
• Goal 4 – The root causes of vulnerabilities are addressed.
Vulnerability Management domain
1. Preparation for vulnerability analysis and resolution activities is conducted.
   1. A vulnerability analysis and resolution strategy has been developed.
   2. There is a standard set of tools and/or methods in use to identify vulnerabilities in assets.
2. A process for identifying and analyzing vulnerabilities is established and maintained.
   1. Sources of vulnerability information have been identified.
   2. The information from these sources is kept current.
   3. Vulnerabilities are being actively discovered.
   4. Vulnerabilities are categorized and prioritized.
   5. Vulnerabilities are analyzed to determine relevance to the organization.
   6. A repository is used for recording information about vulnerabilities and their resolution.
3. Exposure to identified vulnerabilities is managed.
   1. Actions are taken to manage exposure to identified vulnerabilities.
   2. The effectiveness of vulnerability mitigation is reviewed.
   3. The status of unresolved vulnerabilities is monitored.
4. The root causes of vulnerabilities are addressed.
   1. Underlying causes for vulnerabilities are identified (through root-cause analysis or other means) and addressed.
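Practices 2.4, 2.6 and 3.3 above (categorize and prioritize, keep a repository, monitor unresolved findings) come down to a scoring rule plus a due date per finding. The following is an added example written for this page, not CRR material or course code: the findings, the asset criticality weights, the scoring rule and the remediation SLAs are constructed assumptions standing in for what an organization's vulnerability analysis and resolution strategy (practice 1.1) would define, and the "V-n" identifiers are internal tracking ids, not CVE numbers.

```python
"""Vulnerability repository: categorize, prioritize and track to closure.

Added example for this page; not CRR material. The findings, asset
criticality weights, scoring rule and remediation SLAs are all assumptions
constructed for the demo; a real program would take them from policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: how much asset criticality scales a finding's base score.
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.85, "low": 0.6}
# Assumed policy: days allowed to remediate, by priority tier.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Date the demo report is run "as of" (constructed).
DEMO_AS_OF = date(2024, 1, 15)


@dataclass
class Finding:
    id: str                 # internal tracking id (constructed, not a CVE id)
    title: str
    cvss: float             # base severity from the vulnerability source, 0-10
    asset: str
    criticality: str        # from the asset inventory: high / medium / low
    internet_exposed: bool
    exploit_known: bool
    discovered: date
    status: str = "open"    # open / fixed / risk-accepted


def score(f: Finding) -> float:
    """Contextual priority: base severity scaled by asset value, bumped for exploitability and exposure."""
    s = f.cvss * CRITICALITY_WEIGHT[f.criticality]
    if f.exploit_known:
        s += 2.0
    if f.internet_exposed:
        s += 1.0
    return round(min(s, 10.0), 2)


def tier(s: float) -> str:
    if s >= 9.0:
        return "critical"
    if s >= 7.0:
        return "high"
    if s >= 4.0:
        return "medium"
    return "low"


def due_date(f: Finding) -> date:
    """Remediation deadline derived from the tier, not from the raw CVSS score."""
    return f.discovered + timedelta(days=SLA_DAYS[tier(score(f))])


def prioritize(findings: list) -> list:
    """Work queue: highest contextual score first, then oldest finding first."""
    return sorted(findings, key=lambda f: (-score(f), f.discovered))


def overdue(findings: list, as_of: date) -> list:
    """Unresolved findings past their SLA, in priority order (practice 3.3)."""
    return [f for f in prioritize(findings) if f.status == "open" and due_date(f) < as_of]


# Constructed findings, not real vulnerabilities.
FINDINGS = [
    Finding("V-1", "RCE in public web framework", 9.8, "web-frontend", "high", True, True, date(2024, 1, 1)),
    Finding("V-2", "Deserialization flaw in CI server", 9.1, "build-server", "medium", False, False, date(2024, 1, 10)),
    Finding("V-3", "Auth bypass in login endpoint", 5.3, "web-frontend", "high", True, True, date(2024, 1, 5)),
    Finding("V-4", "Verbose error pages", 4.0, "intranet-wiki", "low", False, False, date(2023, 12, 1), status="risk-accepted"),
    Finding("V-5", "Privilege escalation in DB engine", 7.5, "db-primary", "high", False, False, date(2023, 11, 1)),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{f.id} score={score(f):5.2f} tier={tier(score(f)):8} due={due_date(f)} status={f.status}")
    print("overdue:", [f.id for f in overdue(FINDINGS, DEMO_AS_OF)])
```

The point of the contextual score is visible in the constructed data: V-3 has a medium base severity but a known exploit on an internet-facing, high-criticality asset, so it outranks V-2, which has a higher CVSS score but sits on an internal build server with no known exploit. Risk-accepted items stay in the repository (they are still vulnerabilities) but drop out of the overdue list; the acceptance itself is a risk management disposition and should be revisited when the exposure changes.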
Incident Management
• Goal 1 – A process for identifying, analyzing, responding to, and learning from incidents is established.
• Goal 2 – A process for detecting, reporting, triaging, and analyzing events is established.
• Goal 3 – Incidents are declared and analyzed.
• Goal 4 – A process for responding to and recovering from incidents is established.
• Goal 5 – Post-incident lessons learned are translated into improvement strategies.
Incident Management domain
• Purpose: To establish processes to identify and analyze events, detect incidents, and determine an organizational response.
• Disruptions to an organization’s operating environment regularly occur. The Incident Management domain examines an organization’s capability to recognize potential disruptions, analyze them, and determine how and when to respond.
Incident Management domain
1. A process for identifying, analyzing, responding to, and learning from incidents is established.
   1. The organization has a plan for managing incidents.
   2. The incident management plan is reviewed and updated.
   3. The roles and responsibilities in the plan are included in job descriptions.
   4. Staff has been assigned to the roles and responsibilities detailed in the incident management plan.
2. A process for detecting, reporting, triaging, and analyzing events is established.
   1. Events are detected and reported.
   2. Event data is logged in an incident knowledge base or similar mechanism.
   3. Events are categorized.
   4. Events are analyzed to determine if they are related to other events.
   5. Events are prioritized.
   6. The status of events is tracked.
   7. Events are managed to resolution.
   8. Requirements (rules, laws, regulations, policies, etc.) for identifying event evidence for forensic purposes are identified.
   9. A process to ensure event evidence is handled as required by law or other obligations is followed.
3. Incidents are declared and analyzed.
   1. Incidents are declared.
   2. Criteria for the declaration of an incident are established.
   3. Incidents are analyzed to determine a response.
4. A process for responding to and recovering from incidents is established.
   1. Incidents are escalated to stakeholders for input and resolution.
   2. Responses to declared incidents are developed and implemented according to pre-defined procedures.
   3. Incident status and response is communicated to affected parties.
   4. Incidents are tracked to resolution.
5. Post-incident lessons learned are translated into improvement strategies.
   1. Analysis is performed to determine the root causes of incidents.
   2. A link between the incident management process and other related processes (problem management, risk management, change management, etc.) is established.
   3. Lessons learned from incident management are used to improve asset protection and service continuity strategies.
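The event practices above (detect, categorize, relate events to other events, prioritize) and the declaration practices (criteria for declaring an incident, incidents are declared) can be shown end to end on a handful of authentication log lines. The script below is an added example written for this page, not CRR material or course code. The log lines are constructed (the host, user names and TEST-NET addresses are fictitious and the year is supplied because syslog omits it), and the two declaration criteria are assumptions that a real incident management plan would define; the "raw" line kept with each event is the evidence that practices 2.8 and 2.9 require be preserved.

```python
"""Event detection, categorization, correlation and incident declaration.

Added example for this page; not CRR material or course code. The log lines
below are constructed (hosts, users and TEST-NET addresses are fictitious),
and the declaration criteria are assumptions a real plan would define.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
OK_RE = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+)")

# Assumed declaration criteria (practice 3.2): a success preceded by >= 5 failures
# from the same source within 10 minutes, or >= 10 failures in 10 minutes.
WINDOW = timedelta(minutes=10)
FAILS_BEFORE_SUCCESS = 5
FAILS_ALONE = 10


def parse_event(line: str, year: int = 2024) -> dict:
    """Categorize one syslog line (practice 2.3). syslog omits the year, so it is supplied."""
    m = LOG_RE.match(line)
    if not m:
        return {"kind": "unparsed", "raw": line}
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    for kind, rx in (("auth_failure", FAIL_RE), ("auth_success", OK_RE)):
        hit = rx.search(m["msg"])
        if hit:
            return {"kind": kind, "ts": ts, "user": hit["user"], "ip": hit["ip"], "raw": line}
    return {"kind": "other", "ts": ts, "raw": line}


def correlate(events: list) -> list:
    """Relate events by source address and time (practice 2.4) and declare incidents (3.1)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["kind"] in ("auth_failure", "auth_success"):
            by_ip[e["ip"]].append(e)
    incidents = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["kind"] == "auth_failure"]
        successes = [e for e in evs if e["kind"] == "auth_success"]
        declared = None
        for s in successes:
            prior = [f for f in fails if s["ts"] - WINDOW <= f["ts"] <= s["ts"]]
            if len(prior) >= FAILS_BEFORE_SUCCESS:
                declared = {"severity": "high", "category": "brute-force-success", "ip": ip,
                            "user": s["user"], "evidence": [f["raw"] for f in prior] + [s["raw"]]}
                break
        if declared is None:
            for i, first in enumerate(fails):
                burst = [g for g in fails[i:] if g["ts"] - first["ts"] <= WINDOW]
                if len(burst) >= FAILS_ALONE:
                    declared = {"severity": "medium", "category": "brute-force-attempt", "ip": ip,
                                "user": None, "evidence": [g["raw"] for g in burst]}
                    break
        if declared:
            incidents.append(declared)
    # Prioritize (practice 2.5): high severity first, then by source for a stable order.
    incidents.sort(key=lambda i: (i["severity"] != "high", i["ip"]))
    return incidents


def _line(hhmmss: str, msg: str) -> str:
    return f"Jan 15 {hhmmss} bastion sshd[4242]: {msg}"


# Constructed sample log: one brute force that succeeds, one that does not, one benign burst.
SAMPLE_LOG = (
    [_line(f"10:00:{s:02d}", "Failed password for root from 203.0.113.7 port 51000 ssh2") for s in range(0, 30, 5)]
    + [_line("10:00:40", "Accepted password for admin from 203.0.113.7 port 51006 ssh2")]
    + [_line(f"10:05:{s:02d}", "Failed password for invalid user test from 192.0.2.5 port 40000 ssh2") for s in range(0, 60, 5)]
    + [_line(f"10:20:{s:02d}", "Failed password for alice from 198.51.100.23 port 33000 ssh2") for s in (1, 9, 17)]
    + [_line("10:20:30", "Accepted publickey for alice from 198.51.100.23 port 33001 ssh2")]
    + ["Jan 15 10:21:00 bastion CRON[99]: (root) CMD (run-parts /etc/cron.hourly)"]
)


def run_demo() -> dict:
    events = [parse_event(line) for line in SAMPLE_LOG]
    return {"events": events, "incidents": correlate(events)}


if __name__ == "__main__":
    for inc in run_demo()["incidents"]:
        print(inc["severity"], inc["category"], inc["ip"], inc["user"], f"{len(inc['evidence'])} evidence lines")
```

Note what does not become an incident: three failed attempts followed by a key-based login is an ordinary user mistyping a passphrase, and stays an event tracked to resolution (practice 2.7). Thresholds like these are only as good as the log sources feeding them, which is why practice 1.1's plan should state where events come from and which criteria turn them into a declared incident.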
Service Continuity Management domain
• Purpose: To ensure the continuity of essential operations of services and their associated assets if a disruption occurs as a result of an incident, disaster, or other event.
• The process of assessing, prioritizing, planning and responding to, and improving plans to address disruptive events is known as service continuity. The goal of service continuity is to mitigate the impact of disruptive events by utilizing tested or exercised plans that facilitate predictable and consistent continuity of the critical services.
Service Continuity Management
• Goal 1 – Service continuity plans for high-value services are developed.
• Goal 2 – Service continuity plans are reviewed to resolve conflicts between plans.
• Goal 3 – Service continuity plans are tested to ensure they meet their stated objectives.
• Goal 4 – Service continuity plans are executed and reviewed.
Service Continuity Management domain
1. Service continuity plans for high-value services are developed.
   1. Service continuity plans are developed and documented for assets (people, information, technology, and facilities) required for delivery of the critical service.
   2. Service continuity plans are developed using established standards, guidelines, and templates.
   3. Staff members are assigned to execute specific service continuity plans.
   4. Key contacts are identified in the service continuity plans.
   5. Service continuity plans are stored in a controlled manner and available to all those who need to know.
   6. Availability requirements such as recovery time objectives and recovery point objectives are established.
2. Service continuity plans are reviewed to resolve conflicts between plans.
   1. Plans are reviewed to identify and resolve conflicts.
3. Service continuity plans are tested to ensure they meet their stated objectives.
   1. Standards for testing service continuity plans have been implemented.
   2. A schedule for testing service continuity plans has been established.
   3. Service continuity plans are tested.
   4. Backup and storage procedures for high-value information assets are tested.
   5. Test results are compared with test objectives to identify needed improvements to service continuity plans.
4. Service continuity plans are executed and reviewed.
   1. Conditions have been identified that trigger the execution of the service continuity plan.
   2. The execution of service continuity plans is reviewed.
   3. Improvements are identified as a result of executing service continuity plans.
Risk Management
• Purpose: To identify, analyze, and mitigate risks to critical service assets that could adversely affect the operation and delivery of services.
• Risk management is a foundational activity for any organization and is practiced at all levels, from the executives down to individuals within business units. The CRR (Cyber Resilience Review) focuses on risks to cyber-dependent operations that have the potential to interrupt delivery of the critical service being examined. While the CRR focuses on operational risk, it is important to note that operational risk management requires a comprehensive approach to be effective.
Risk Management
• Goal 1 – A strategy for identifying, analyzing, and mitigating risks is developed.
• Goal 2 – Risk tolerances are identified, and the focus of risk management activities is established.
• Goal 3 – Risks are identified.
• Goal 4 – Risks are analyzed and assigned a disposition.
• Goal 5 – Risks to assets and services are mitigated and controlled.
Risk Management domain
1. A strategy for identifying, analyzing, and mitigating risks is developed.
   1. Sources of risk that can affect operations have been identified.
   2. Categories for risks have been established.
   3. A plan for managing operational risk has been established.
   4. The plan for managing operational risk has been communicated to stakeholders.
2. Risk tolerances are identified, and the focus of risk management activities is established.
   1. Impact areas, such as reputation, financial health, and regulatory compliance, have been identified.
   2. Impact areas have been prioritized to determine their relative importance.
   3. Risk tolerance parameters have been established for each impact area.
   4. Risk tolerance thresholds, which trigger action, are defined for each category of risk.
3. Risks are identified.
   1. Operational risks that could affect delivery of the critical service are identified.
4. Risks are analyzed and assigned a disposition.
   1. Risks are analyzed to determine potential impact to the critical service.
   2. A disposition (accept, transfer, mitigate, etc.) is assigned to identified risks.
5. Risks to assets and services are mitigated and controlled.
   1. Plans are developed for risks that the organization decides to mitigate.
   2. Identified risks are tracked to closure.
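Goals 2 and 4 above fit together as a small register: each risk is rated per impact area, the rating is weighted by how the organization prioritized that area, the result is compared with the tolerance threshold for that area, and the comparison decides the disposition. The script below is an added example written for this page, not CRR material or course code. The impact areas, their weights and tolerance thresholds, the 1 to 5 rating scale, the decision rule and the risks themselves are constructed assumptions standing in for what an organization's plan for managing operational risk (practice 1.3) would define.

```python
"""Risk register: analyze against per-impact-area tolerances and assign a disposition.

Added example for this page; not CRR material. Impact areas, weights,
tolerance thresholds, the 1-5 rating scale and the risks themselves are
constructed assumptions standing in for what an organization's risk plan
would define.
"""
from dataclasses import dataclass, field

# Assumed priorities (practice 2.2): relative importance of each impact area.
IMPACT_WEIGHT = {"regulatory": 10, "financial": 8, "reputation": 6}
# Assumed tolerances (practices 2.3 and 2.4): a risk whose weighted exposure in an
# impact area exceeds the threshold cannot simply be accepted.
TOLERANCE = {"regulatory": 80, "financial": 100, "reputation": 120}


@dataclass
class Risk:
    id: str
    description: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: dict = field(default_factory=dict)  # impact area -> 1 (negligible) .. 5 (severe)
    transferable: bool = False      # e.g. coverable by insurance or contractual terms


def exposure(r: Risk) -> dict:
    """Weighted exposure per impact area = likelihood x impact rating x area weight."""
    return {area: r.likelihood * rating * IMPACT_WEIGHT[area] for area, rating in r.impact.items()}


def breaches(r: Risk) -> list:
    """Impact areas where this risk exceeds the organization's tolerance."""
    return sorted(area for area, x in exposure(r).items() if x > TOLERANCE[area])


def disposition(r: Risk) -> str:
    """Assumed decision rule: within tolerance -> accept; over tolerance -> transfer if the
    organization can, otherwise mitigate. A regulatory breach is never transferred because
    the obligation stays with the organization even when a contract shifts the cost."""
    over = breaches(r)
    if not over:
        return "accept"
    if r.transferable and "regulatory" not in over:
        return "transfer"
    return "mitigate"


def register(risks: list) -> list:
    """Analyzed register rows, highest total exposure first (goal 4)."""
    rows = [
        {"id": r.id, "exposure": sum(exposure(r).values()),
         "breaches": breaches(r), "disposition": disposition(r)}
        for r in risks
    ]
    return sorted(rows, key=lambda row: -row["exposure"])


# Constructed risks for the demo.
RISKS = [
    Risk("R-1", "Ransomware encrypts order-processing servers", 3,
         {"financial": 5, "reputation": 4, "regulatory": 2}),
    Risk("R-2", "Cloud provider region outage", 3,
         {"financial": 5, "reputation": 3}, transferable=True),
    Risk("R-3", "Customer data leaked by third-party processor", 2,
         {"regulatory": 5, "reputation": 5, "financial": 3}, transferable=True),
    Risk("R-4", "Laptop theft with disk encryption enforced", 4,
         {"financial": 1, "reputation": 1}),
]

if __name__ == "__main__":
    for row in register(RISKS):
        print(f"{row['id']} exposure={row['exposure']:4} over={row['breaches']} -> {row['disposition']}")
```

Two constructed rows show why the threshold is per impact area rather than a single number: R-3 has a lower total exposure than R-2, but it breaches the regulatory tolerance, which the decision rule does not allow to be transferred, so it lands on the mitigation list while the outage risk is transferred. Rows marked "mitigate" are the input to goal 5 (mitigation plans, tracked to closure).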
External Dependencies Management
• Purpose: To establish processes to manage an appropriate level of controls to ensure the sustainment and protection of services and assets that are dependent on the actions of external entities.
• The outsourcing of services, development, and production has become a normal and routine part of operations for many organizations because outsourcing can engage specialized skills and equipment at a cost savings over internal options. The External Dependencies Management domain of the CRR presents a method for an organization to identify and prioritize those external dependencies and then focuses on managing and maintaining those dependencies.
External Dependencies Management
• Goal 1 – External dependencies are identified and prioritized to ensure sustained operation of high-value services.
• Goal 2 – Risks due to external dependencies are identified and managed.
• Goal 3 – Relationships with external entities are formally established and maintained.
• Goal 4 – Performance of external entities is managed.
• Goal 5 – Dependencies on public services and infrastructure service providers are identified.
External Dependencies Management domain
1. External dependencies are identified and prioritized to ensure operation of high-value services.
   1. Dependencies on external relationships that are critical to the service are identified.
   2. A process has been established for creating and maintaining a list of external dependencies.
   3. External dependencies are prioritized.
2. Risks due to external dependencies are identified and managed.
   1. Risks due to external dependencies are identified and managed.
3. Relationships with external entities are formally established and maintained.
   1. Resilience requirements of the critical service are established that apply specifically to each external dependency.
   2. These requirements are reviewed and updated.
   3. The ability of external entities to meet resilience requirements of the critical service is considered in the selection process.
   4. Resilience requirements are included in formal agreements with external entities.
4. Performance of external entities is managed.
   1. The performance of external entities is monitored against resilience requirements.
   2. The responsibility for monitoring external entity performance is assigned (as related to resilience requirements).
   3. Corrective actions are taken as necessary to address issues with external entity performance (as related to resilience requirements).
   4. Corrective actions are evaluated to ensure issues are remedied.
5. Dependencies on public services and infrastructure service providers are identified.
   1. Public services on which the critical service depends (fire response and rescue services, law enforcement, etc.) are identified.
   2. Infrastructure providers on which the critical service depends (telecommunications and telephone services, energy sources, etc.) are identified.
Training and Awareness
• Purpose: To promote awareness in and develop the skills and knowledge of people in support of their roles in attaining and sustaining operational resilience and protection.
• Training and awareness focuses on the processes by which an organization plans, identifies needs for, conducts, and improves training and awareness to ensure the organization’s operational cyber resilience requirements and goals are known and met. An organization plans for and conducts training and awareness activities that make staff members aware of their role in the organization’s cyber resilience concerns and policies. Staff members also receive specific training to enable them to perform their roles in managing organizational cyber resilience.
Training and Awareness
• Goal 1 – Cyber security awareness and training programs are established.
• Goal 2 – Awareness and training activities are conducted.
Training and Awareness domain
1. Cybersecurity awareness and training programs are established.
   1. Cybersecurity awareness needs have been identified for the critical service.
   2. Required skills have been identified for specific roles (administrators, technicians, etc.) for the critical service.
   3. Skill gaps present in personnel responsible for cybersecurity are identified.
   4. Training needs have been identified.
2. Awareness and training activities are conducted.
   1. Cybersecurity awareness activities for the critical service are conducted.
   2. Cybersecurity training activities for the critical service are conducted.
   3. The effectiveness of the awareness and training programs is evaluated.
   4. Awareness and training activities are revised as needed.
Situational Awareness
• Purpose: To actively discover and analyze information related to immediate operational stability and security and to coordinate such information across the enterprise to ensure that all organizational units are performing under a common operating picture.
• Situational awareness activities are performed throughout the organization to provide timely and accurate information about the current state of operational processes. Activities must support communication with a variety of internal and external stakeholders to support the resilience requirements of the critical service.
Situational Awareness
• Goal 1 – Threat monitoring is performed.
• Goal 2 – The requirements for communicating threat information are established.
• Goal 3 – Threat information is communicated.
Situational Awareness domain
1. Threat monitoring is performed.
   1. Responsibility for monitoring sources of threat information has been assigned.
   2. Threat monitoring procedures have been implemented.
   3. Resources have been assigned and trained to perform threat monitoring.
2. The requirements for communicating threat information are established.
   1. Internal stakeholders (such as the critical service owner and incident management staff) to whom threat information must be communicated have been identified.
   2. External stakeholders (such as emergency management personnel, regulators, and information sharing organizations) to whom threat information must be communicated have been identified.
3. Threat information is communicated.
   1. Threat information is communicated to stakeholders.
   2. Resources have been assigned authority and accountability for communicating threat information.
   3. Resources have been trained with respect to their specific role in communicating threat information.
What is an Asset
Something that has potential or actual value to an organization. It can be tangible or intangible, and it can have present or future value. Value is what is left after paying the price, and the value created should fit the vision and strategic objectives of the organization.
Nature of assets
• Human assets: the behaviors, knowledge and competence of the workforce have a fundamental influence on the performance of the physical assets.
• Financial assets: financial resources are required for infrastructure investments, operation, maintenance and materials.
• Information assets: good quality data and information are essential to develop, optimize and implement asset management plan(s).
• Intangible assets: the organization’s reputation and image can have a significant impact on infrastructure investment, operating strategies and associated costs.
• Physical assets: plants, machinery, buildings, vehicles, property and other items with distinct values.
What Is Asset Management
Systematic and coordinated activities and practices through which an organization optimally and sustainably manages its assets and asset systems, their associated performance, risks and expenditures over their life cycles for the purpose of achieving its organizational strategic plan.
• Enterprise Asset Management
• Infrastructure Asset Management
• Physical Asset Management
• Strategic Asset Management
• Property Asset Management
• Facilities Asset Management, and many others
The emerging standards converge on the single term Asset Management.
Evolution of the Asset Management Discipline
Asset Management is not new. People have been managing assets for thousands of years. What has changed, however, is the cumulative recognition that good Asset Management involves optimizing (within any absolute constraints) the mix of cost, risk and performance over the whole asset life.
• PAS 55:2004, the British standard, was originally produced in 2004 by a number of organizations under the leadership of the Institute of Asset Management.
• PAS 55:2008 was released in December 2008 along with a toolkit for self-assessment against the specification.
• The International Standard ISO 55000/1/2 was passed by the international body in December 2013 and was expected to be released by February 2014.
ISO 55000 Standard Incorporated Guidance from the Following Standards
• ISO 20815 – Production assurance and reliability management
• PAS 55-2:2008 – Asset management (a specification)
• API RP 580 – Risk Based Inspection
• ISO 31000:2009 – Risk management: Principles and guidelines
• ISO 9001:2008 – Quality management systems: Requirements
• ISO/IEC 15288:2008 – Systems and software engineering: System life cycle processes
• ISO/IEC 12207:2008 – Systems and software engineering: Software life cycle processes
Principles of Good Asset Management
• Holistic: looking at the whole picture, i.e. the combined implications of managing all aspects.
• Systematic: a methodical approach, promoting consistent, repeatable and auditable decisions and actions.
• Systemic: considering the assets in their asset system context and optimizing the asset systems’ value.
• Risk-based: focusing resources and expenditure, and setting priorities, appropriate to the identified risks and the associated cost/benefits.
Principles of Good Asset Management
• Optimal: establishing the best value compromise between competing factors, such as performance, cost and risk, associated with the assets over their life cycles.
• Sustainable: considering the long-term consequences of short-term activities to ensure that adequate provision is made for future requirements and obligations (such as economic or environmental sustainability, system performance, societal responsibility and other long-term objectives).
• Integrated: recognizing that interdependencies and combined effects are vital to success. This requires a combination of the above attributes, coordinated to deliver a joined-up approach and net value.
Asset Management System (Source: PAS 55-2:2008)
Asset life cycle diagram (figure, not reproduced): the project phase of the life cycle (idea creation, feasibility, approval, preliminary design, detail design, procurement, construction, commission), the productive phase of the life cycle (operation), and the end of life (decommission, disposal).
Asset Management System shall answer the following questions
• Do you understand the risk profile associated with your asset portfolio and how this will change over time?
• Do you understand the business consequences of reducing your capital investment or maintenance budgets by 10% over the next five years?
• Can you justify your planned asset expenditures to external stakeholders?
• Can you easily identify which investment projects to defer when there are funding problems or cash flow constraints?
• Do you have the appropriate asset data and information to support your Asset Management decision-making?
• Do you know if your people have the right competences and capabilities to manage your assets?
• Do you know which Asset Management activities to out-source?
Focus and business context of this International Standard in relation to other categories of assets (figure, not reproduced)
Elements of Asset Management
PDCA CYCLE OF ASSET MANAGEMENT
Asset Management Policy
Principles and mandated requirements derived from, and consistent with, the organizational strategic plan, providing a framework for the development and implementation of the asset management strategy and the setting of the asset management objectives.
• The asset management policy plays a leading part in driving the asset management system. It is a means for top management to communicate to its managers, employees and stakeholders the organization’s position and intentions with regard to asset management.
• It provides a high level statement of the organization’s principles, approach and expectations relating to asset management.
• The asset management policy should be seen as carrying the same level of commitment as an organization’s safety policy.
Asset Management Strategy
The organization shall establish, document, implement and maintain a long term asset management strategy which shall be authorized by top management.
• The asset management strategy should set out how the asset management policy will be achieved.
• It is the coordinating mechanism for ensuring that activities carried out on physical assets are aligned to optimally achieve the organizational strategic plan. This requires a high level plan or scheme for converting the asset management policy into specific asset management objectives and activity plans across the whole asset portfolio.
• Example:
The Asset Management Decision-Making Group is made up of the following Subjects:
• Capital Investment Decision-Making
• Operations and Maintenance Decision-Making
• Lifecycle Cost and Value Optimisation
• Resourcing Strategy and Optimisation
• Shutdowns & Outage Strategy and Optimisation
• Ageing Assets Strategy
Asset Management Objective
It is necessary to ensure that measurable asset management objectives are established throughout relevant parts of the organization to enable the asset management policy to be implemented and the asset management strategy to be achieved. An objective is:
• a specific and measurable outcome or achievement required of asset system(s) in order to implement the asset management policy and asset management strategy;
• a detailed and measurable level of performance or condition required of the assets; and/or
• a specific and measurable outcome or achievement required of the asset management system.
Asset Management Plans
The organization shall establish, document and maintain asset management plan(s) to achieve the asset management strategy and deliver the asset management objectives across the following life cycle activities:
• creation, acquisition or enhancement of assets;
• utilization of assets;
• maintenance of assets;
• decommissioning and/or disposal of assets.
• Example:
Asset Management Plans
The Lifecycle Delivery Activities Group contains the following Asset Management Subjects:
• Technical Standards and Legislation
• Asset Creation and Acquisition
• Systems Engineering
• Maintenance Delivery
• Reliability Engineering & Root Cause Analysis
• Asset Operations
• Resource Management
• Shutdown/Outage Management
• Incident Response
• Asset Rationalization and Disposal
Asset Management Contingency Plans
The organization shall establish, implement, and maintain plan(s) and/or procedure(s) for identifying and responding to incidents and emergency situations, and maintaining the continuity of critical asset management activities. Situations to plan for include:
• significant failure of critical assets resulting in the loss of service or supply to customers, or a hazardous condition arising;
• extreme weather conditions, e.g. strong winds, floods, heavy snowfall, lightning strikes;
• unplanned release of hazardous liquids or gases;
• explosion or fire;
• loss of power supply or control systems;
• a combination of events or risks which may result in an emergency situation.
Enablers of Asset Management
Asset management enablers and controls
Structure, Authority and Responsibilities
The organization shall establish and maintain an organizational structure of roles, responsibilities and authorities, consistent with the achievement of its asset management policy, strategy, objectives and plans. These roles, responsibilities and authorities shall be defined, documented and communicated to the relevant individuals.
Asset management enablers and controls
Outsourcing of asset management activities
Where an organization chooses to outsource any aspect of asset management that affects conformity with the requirements, the organization shall ensure control over such aspects. The organization shall determine and document how these parts will be controlled and integrated into the organization’s asset management system. The organization shall also identify and document
Asset management enablers and controls
Training, Awareness and Competence
The organization shall ensure that any person(s) under its direct control undertaking asset management related activities has an appropriate level of competence in terms of education, training or experience. The organization shall establish, implement and maintain process(es) and/or procedure(s) to make persons working under its control aware of:
• the asset management related risks associated with their work activities and the asset management benefits of personal performance;
• their roles and responsibilities and the importance of complying with the asset management policy, process(es) and/or procedure(s) and plan(s);
• the potential consequences of departure from specified asset management process(es) and/or procedure(s).
Asset management enablers and controls
Asset management system documentation
The organization shall establish, implement and maintain up-to-date documentation to ensure that its asset management system can be adequately understood, communicated and operated.
Asset management enablers and controls
Communication, participation and consultation
The organization shall ensure that pertinent asset management information is effectively communicated to and from employees and other stakeholders, including contracted service providers. The organization shall ensure consultation with stakeholders that is relevant and appropriate to their involvement in:
a) the development of the asset management strategy, objectives and plan(s);
b) the development of functional policies, engineering standards, process(es) and/or procedure(s);
c) risk assessments and determination of controls.
Asset management enablers and controls
Information management
The organization shall identify the asset management information it requires to meet the requirements of the specification, considering all phases of the asset life cycle. The information shall be of a quality appropriate to the asset management decisions and activities it supports.
The organization shall establish, implement and maintain procedure(s) for controlling all information required by this specification. These procedures shall ensure:
• the adequacy of the information is approved by authorized personnel prior to use;
• information is maintained and its adequacy assured through periodic review and revision, including version control where appropriate;
• allocation of appropriate roles, responsibilities and authorities regarding the origination, generation, capture, maintenance, assurance, transmission, rights of access, retention, archiving and disposal of items of information.
Asset management enablers and controls
Risk management
The organization shall establish, implement and maintain documented process(es) and/or procedure(s) for the ongoing identification and assessment of asset-related and asset management-related risks, and the identification and implementation of necessary control measures throughout the life cycles of the assets. Related subjects:
• Criticality, Risk Assessment and Management
• Contingency Planning and Resilience Analysis
• Sustainable Development
• Weather and Climate Change
• Assets & Systems Performance & Health Monitoring
• Assets & Systems Change Management
• Management Review, Audit & Assurance
• Stakeholder Relations
Asset management enablers and controls
Legal and other requirements
The organization shall establish, implement and maintain process(es) and/or procedure(s) for identifying and accessing the legal, regulatory, statutory and other applicable asset management requirements.
Asset management enablers and controls
Management of change
Where existing arrangements are revised, or new arrangements are introduced that could have an impact on asset management activities, the organization shall assess the associated risks before the arrangements are implemented. The new or revised arrangements to be considered shall include:
• revised organizational structure, roles or responsibilities;
• revised asset management policy, strategy, objectives or plans.
Elements of ISO55000
Implementation of asset management plan(s)
Life cycle activities
The organization shall establish, implement and maintain process(es) and/or procedure(s) for the implementation of its asset management plan(s) and control of activities across the whole life cycle, including:
• creation, acquisition or enhancement of assets;
• utilization of assets;
• maintenance of assets;
• decommissioning and/or disposal of assets.
Implementation of asset management plan(s)
Tools, facilities and equipment
The organization shall ensure that tools, facilities and equipment are maintained and, where appropriate, calibrated. The organization shall establish and maintain process(es) and procedure(s) to control these maintenance and calibration activities, where such tools, facilities and equipment are essential for:
• the implementation of its asset management plan(s);
• achieving the required function(s) and performance from its assets or asset systems;
• the monitoring and measurement of performance and/or condition.
Performance assessment and improvement
Performance and condition monitoring
The organization shall establish, implement and maintain process(es) and/or procedure(s) to monitor and measure the performance of the asset management system and the performance and/or condition of assets and/or asset systems. The process(es) and/or procedure(s) shall provide for the consideration of:
• reactive monitoring to identify past or existing nonconformities in the asset management system, and any asset-related deterioration, failures or incidents;
• proactive monitoring to seek assurance that the asset management system and assets and/or asset systems are operating as intended. This shall include monitoring to ascertain that the asset management policy, strategy and objectives are met, the asset management plan(s) are implemented, and that the process(es), procedure(s) or other arrangements to control asset life cycle activities are effective.
Performance Assessment and Improvement
Investigation of asset-related failures, incidents and nonconformities
The organization shall establish, implement and maintain process(es) and/or procedure(s) for the handling and investigation of failures, incidents and nonconformities associated with assets, asset systems and the asset management system. These process(es) and/or procedure(s) shall define responsibility and authority for:
• taking action to mitigate consequences arising from a failure, incident or nonconformity;
• investigating failures, incidents and nonconformities to determine their root cause(s);
• evaluating the need for preventive action(s) to avoid failures, incidents and nonconformities occurring;
• communicating, as appropriate, to relevant stakeholders the results of investigations and identified corrective action(s) and/or preventive action(s).
Performance Assessment and Improvement: Evaluation of compliance
▪ The organization shall establish, implement and maintain process(es) and/or procedure(s) for evaluation of its compliance with applicable legal and other regulatory or absolute requirements, and shall determine the frequency of such evaluations. The organization shall keep records of the results of these evaluations.
Performance Assessment and Improvement: Audit
The organization shall ensure that audits of the asset management system are conducted to determine whether the asset management system:
▪ Conforms to planned arrangements for asset management, including the requirements.
▪ Has been implemented and is maintained.
▪ Is effective in meeting the organization's asset management policy, asset management strategy and asset management objectives.
Performance Assessment and Improvement: Improvement actions (corrective and preventive action)
▪ The organization shall establish, implement and maintain process(es) and/or procedure(s) for instigating:
▪ Corrective action(s) for eliminating the causes of observed poor performance and nonconformities identified from investigations, evaluations of compliance and audits, to avoid their recurrence;
▪ Preventive action(s) for eliminating the potential causes of nonconformities or poor performance.
Performance Assessment and Improvement: Records
▪ The organization shall establish and maintain records as necessary to demonstrate conformance to the requirements of its asset management system and Clause 4 of this International Standard.
▪ Records shall be legible, identifiable and traceable.
▪ Records shall be maintained in accordance with the requirements.
Performance Assessment and Improvement: Management review
Top management shall review, at intervals that it determines appropriate, the organization's asset management system to ensure its continuing suitability, adequacy and effectiveness. Reviews shall include assessing the need for changes to the asset management system, including asset management policy, asset management strategy and asset management objectives.
Risk Management: Controlling Risk in Information Security
Greg Kyrytschenko
The purpose of risk management
▪ Ensure overall business and business assets are safe
▪ Protect against competitive disadvantage
▪ Compliance with laws and best business practices
▪ Maintain a good public reputation
Steps of a risk management plan
▪ Step 1: Identify Risk
▪ Step 2: Assess Risk
▪ Step 3: Control Risk
▪ Steps are similar regardless of context (InfoSec, Physical Security, Financial, etc.)
▪ This presentation will focus on controlling risk within an InfoSec context
Risk Identification
▪ The steps to risk identification are:
▪ Identify your organization's information assets
▪ Classify and categorize said assets into useful groups
▪ Rank assets by necessity to the organization
▪ Below is a simplified example of how a company may identify risks:

Asset | Asset Type and Subcategory | Asset Function | Priority Level (Low, Medium, High, Critical)
Bob Worker | Personnel: InfoSec | Secure networks; penetration testing; make coffee | Low
Cisco UCS B460 M4 Blade Server | Hardware: Networking | Database server | High
Customer Personally Identifiable Information (PII) | Data: Confidential Information | Provide information for all business transactions | Critical
Windows 7 | Software: Operating System | Employee access to enterprise software | Medium
Risk Assessment
▪ The steps to risk assessment are:
▪ Identify threats and threat agents
▪ Prioritize threats and threat agents
▪ Assess vulnerabilities in current InfoSec plan
▪ Determine risk of each threat:
▪ R = P * V – M + U
▪ R = Risk
▪ P = Probability of threat attack
▪ V = Value of Information Asset
▪ M = Mitigation by current controls
▪ U = Uncertainty of vulnerability
▪ The table below combines elements of all of these in a highly simplified format:

Threat Agent and Threat | Targeted Asset | Threat Level | Possible Exploits | Risk (Scale of 1-5)
Disgruntled Insider: Steal company information to sell | Company data (i.e. Customer PII) | High | Access control credentials, knowledge of InfoSec policies, etc. | 4.16
Fire: Burn the facility down or cause major damage | Company facility, personnel, equipment | Critical | Mishandled equipment | 2.78
Hacktivists: Quality of service deviation | Company hardware/software | Low | Lack of effective filtering | 1.39
Risk control
▪ The steps to risk control are:
▪ Cost-Benefit Analysis (CBA)
  • Single Loss Expectancy (SLE)
  • Annualized Rate of Occurrence (ARO)
  • Annual Loss Expectancy (ALE)
  • Annual Cost of the Safeguard (ASG)
▪ Feasibility Analysis
  • Organizational Feasibility
  • Operational Feasibility
  • Technical Feasibility
  • Political Feasibility
▪ Risk Control Strategy Implementation
Cost-Benefit analysis
▪ Determine what risk control strategies are cost effective
▪ Below are some common formulas used to calculate cost-benefit analysis:
▪ SLE = AV * EF
▪ AV = Asset Value, EF = Exposure Factor (% of asset affected)
▪ ALE = SLE * ARO
▪ CBA = ALE (pre-control) – ALE (post-control) – ACE
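As an added worked example (not code from the slides), the risk-rating formula R = P * V – M + U and the SLE / ALE / CBA formulas applied to constructed figures, so the arithmetic behind "is this safeguard cost effective?" can be checked; the asset value, exposure factors, rates of occurrence and safeguard costs are made up for illustration.

```python
# Added worked example, not code from the slides: the rating formula
# R = P * V - M + U and the SLE / ALE / CBA formulas on constructed figures.
from dataclasses import dataclass


def risk_score(p: float, v: float, m: float, u: float) -> float:
    """R = P * V - M + U: probability of attack times asset value, less the
    mitigation credited to current controls, plus uncertainty."""
    return p * v - m + u


@dataclass
class Safeguard:
    name: str
    ef_after: float      # exposure factor once the control is in place
    aro_after: float     # annualized rate of occurrence once in place
    annual_cost: float   # annual cost of the safeguard (ASG on the slide)


def sle(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF (exposure factor = share of the asset's value lost)."""
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE = SLE * ARO."""
    return sle(asset_value, exposure_factor) * aro


def cba(av: float, ef_before: float, aro_before: float, s: Safeguard) -> float:
    """CBA = ALE(pre-control) - ALE(post-control) - annual cost of the safeguard.
    A negative result means the control costs more than the loss it prevents."""
    return ale(av, ef_before, aro_before) - ale(av, s.ef_after, s.aro_after) - s.annual_cost


def rank_safeguards(av, ef_before, aro_before, candidates):
    """(name, CBA) pairs, most cost-effective first."""
    scored = [(s.name, cba(av, ef_before, aro_before, s)) for s in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    # Constructed scenario: a $500,000 customer PII database, 40% of its value
    # exposed per incident, expected once every two years with current controls.
    options = [
        Safeguard("database encryption + key management", 0.10, 0.50, 30_000),
        Safeguard("24x7 monitoring service", 0.40, 0.25, 45_000),
        Safeguard("high-end security appliance", 0.05, 0.05, 120_000),
    ]
    for name, value in rank_safeguards(500_000, 0.40, 0.50, options):
        verdict = "cost-effective" if value > 0 else "not worth it (consider acceptance)"
        print(f"{name:38s} CBA = {value:>10,.0f}  {verdict}")
```

Run as a script it ranks the three constructed safeguards; the appliance comes out with a negative CBA because its annual cost exceeds the $100,000 current ALE it is protecting against.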
Feasibility analysis
▪ Organizational: Does the plan correspond to the organization's objectives? What is in it for the organization? Does it limit the organization's capabilities in any way?
▪ Operational: Will stakeholders (users, managers, etc.) be able/willing to accept the plan? Is the system compatible with the new changes? Have the possible changes been communicated to the employees?
▪ Technical: Is the necessary technology owned or obtainable? Are our employees trained, and if not, can we afford to train them? Should we hire new employees?
▪ Political: Can InfoSec acquire the necessary budget and approval to implement the plan? Is the budget required justifiable? Does InfoSec have to compete with other departments to acquire the desired budget?
Risk control strategies
▪ Defense
▪ Transferal
▪ Mitigation
▪ Acceptance (Abandonment)
▪ Termination
Risk control strategy: Defense
▪ Defense: Prevent the exploitation of the system via application of policy, training/education, and technology. Preferably layered security (defense in depth)
▪ Counter threats
▪ Remove vulnerabilities from assets
▪ Limit access to assets
▪ Add protective safeguards
Risk control strategy: Transferal
▪ Transferal: Shift risks to other areas or outside entities to handle
▪ Can include:
▪ Purchasing insurance
▪ Outsourcing to other organizations
▪ Implementing service contracts with providers
▪ Revising deployment models
Risk control strategy: Mitigation
▪ Mitigation: Creating plans and preparations to reduce the damage of threat actualization
▪ Preparation should include an:
▪ Incident Response Plan
▪ Disaster Recovery Plan
▪ Business Continuity Plan
Risk control strategy: Acceptance
▪ Acceptance: Properly identifying and acknowledging risks, and choosing not to control them
▪ Appropriate when:
▪ The cost to protect an asset or assets exceeds the cost to replace it/them
▪ The probability of risk is very low and the asset is of low priority
▪ Otherwise acceptance = negligence
Risk control strategy: Termination
▪ Termination: Removing or discontinuing the information asset from the organization
▪ Examples include:
▪ Equipment disposal
▪ Discontinuing a provided service
▪ Firing an employee
Pros and cons of each strategy

Strategy | Pros | Cons
Defense | Preferred all-round approach | Expensive and laborious
Transferal | Easy and effective | Dependence on external entities
Mitigation | Effective when all else fails | Guarantees company loss
Acceptance | Cheap and easy | Rarely appropriate, unsafe
Termination | Relatively cheap and safe | Rarely appropriate, requires company loss
Standard approaches to risk management
▪ U.S. CERT's Operationally Critical Threat Assessment Vulnerability Evaluation (OCTAVE) Methods (Original, OCTAVE-S, OCTAVE-Allegro)
▪ ISO 27005 Standard for InfoSec Risk Management
▪ NIST Risk Management Model
▪ Microsoft Risk Management Approach
▪ Jack A. Jones' Factor Analysis of Information Risk (FAIR)
▪ Delphi Technique
Risk management software
▪ https://www.youtube.com/watch?v=zovrF9F_C5s
▪ https://www.youtube.com/watch?v=x8BcE7T_Nb4
Regulatory Organization
The organization's objectives in its risk management plan are:
▪ To face any risk concerned with loss of customer confidence, as well as monetary and productivity losses.
▪ Risk assessments have always been a part of doing business; they determine the level of risk associated with a business function or process in order to determine the applicable security controls.
▪ The organization consists of:
▪ a central office, which issues organization-wide information security risk assessment guidelines and establishes minimum control requirements;
▪ regional offices throughout the United States, each of which facilitates the process in its geographic area; and individual business units, which are responsible for conducting the assessments.
▪ The organization's policy guidelines require business units to conduct a risk assessment:
▪ at least once a year;
▪ when a new business operation is established or when significant operational changes occur.
Risk Assessment Process
Conducting and Documenting the Assessment
The central office has incorporated these elements into a set of detailed guidelines for conducting information security risk assessments and a complementary training manual elaborating on the guidelines and providing more detailed step-by-step procedures.
Determining Risk Level
▪ The team's first step is to evaluate possible threats to information security that may affect the unit's operations.
▪ The team assigns a risk level of high, moderate, or low for each area of vulnerability to show the possible effect of damage if the threat were to occur.
▪ The team uses a matrix to assist in its analysis of risk, as shown in the following table:
Risk Assessment Table
▪ After completing the matrix, the team summarizes its findings by assigning a composite risk level to each of the five areas of vulnerability on the matrix.
Identifying Needed Controls Based on Predetermined Requirements
▪ After determining the overall risk level for each area of vulnerability, the team identifies the minimum applicable controls that are prescribed in its organizational guidelines.
Reporting and Ensuring That Agreed Actions Are Taken
After determining the minimum set of controls, the team compares those required controls with controls already in place and identifies any gaps. The team prepares a short statement summarizing the outcome and documenting its decisions and decision-making process. It then provides the regional office a copy of the risk assessment table.
Identification and Assessment of Risks to Customer Information
▪ The organization recognizes that it has both internal and external risks. These risks include, but are not limited to:
▪ Unauthorized access of protected information by someone other than the owner of the covered data and information
▪ Unauthorized access of covered data and information by employees
▪ Unauthorized requests for covered data and information
▪ Unauthorized access through hardcopy files or reports
▪ Unauthorized transfer of covered data and information through third parties
▪ Compromised system security as a result of system access by an unauthorized person
▪ Interception of data during transmission
▪ Loss of data integrity
▪ Errors introduced into the system
▪ Corruption of data or systems
▪ Physical loss of data in a disaster
▪ Human (internal & external)
z27Who has the responsibility of assessing the risk ▪The Security Technology Officer, in consultation with an advisory committee, is responsible for the maintenance of information security and privacy. ▪The advisory committee will include representatives from the departments primarily responsible for safeguarding Protected Information. ▪Each department responsible for safeguarding Protected Information will provide an annual update report indicating the status of its safeguarding procedures. ▪The Coordinators, in conjunction with the advisory committee, are responsible for assessing the risks associated with unauthorized transfers of Protected Information and implementing procedures to minimize those
Design and Implementation of Safeguards Program
▪ Minimizing risk and safeguarding covered data and information security can be achieved by employee management and training.
▪ Physical security can be achieved by limiting access to only those employees who have a business reason to know such information and requiring signed acknowledgement of the requirement to keep Protected Information private.
▪ Information systems include network and software design, as well as information processing, storage, transmission, retrieval, and disposal. Organizations have policies, standards, and guidelines governing the use of electronic resources, and firewall and wireless policies.
▪ The organization maintains effective systems to prevent, detect, and respond to attacks, intrusions and other system failures. Such systems may include maintaining and implementing current anti-virus software; checking with software vendors and others to regularly obtain and install patches to correct software vulnerabilities; maintaining appropriate filtering or firewall technologies …
NIST CSF Risk Assessment
NIST CSF Risk Assessment
▪ https://www.nist.gov/document/supplementnicespecialtyareasandworkroleksasandtasksxlsx
Sources
▪ M. Whitman, H. Mattord, Management of Information Security, Fourth Edition, Stamford, CT: Cengage Learning, 2014, pp. 279-313.
▪ www.youtube.com
▪ www.bing.com/images
▪ www.duckduckgo.com