Chief Information Security Officer-Level Risk Assessment
The objective of this work in writing is to examine Chief Information Security Officer-Level Risk Assessment. Specifically, the scenario in this study is securing information for the local Emergency Management Agency in an Alabama County. The Director of Emergency Management in this County has tasked the Chief Information Security Officer with setting out a plan for information security of the Department's networking and computing systems.
Information Security Management involves the "identification of an organization's assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines, which ensure their availability, integrity, and confidentiality." (Official ISC Guide to the CISSP Exam, nd) Threats are identified, assets classified, and security controls implemented through the use of "data classification, security awareness training, risk assessment, and risk analysis," and their vulnerabilities are rated. (Official ISC Guide to the CISSP Exam, nd)
Risk management involves the "identification, measurement, control, and minimization of loss associated with uncertain events or risks." (Official ISC Guide to the CISSP Exam, nd) "Included are over-all security reviews, risk analysis, evaluation, and selection of safeguards, cost/benefit analysis, management decisions, safeguard implementation, and effectiveness reviews." (Official ISC Guide to the CISSP Exam, nd)
I. Security Plans and Implementation
It is important that the CISSP understand the following:
(1) The planning, organization, and roles of individuals in identifying and securing an organization's information assets;
(2) The development of effective employment agreements; employee hiring practices, including background checks and job descriptions; security clearances; separation of duties and responsibilities; job rotation; and termination practices;
(3) The development and use of policies stating management's views and position on particular topics and the use of guidelines, standards, baselines, and procedures to support those policies;
(4) The differences between policies, guidelines, standards, baselines, and procedures in terms of their application to information security management;
(5) The importance of security awareness training to make employees aware of the need for information security, its significance, and the specific security-related requirements relative to the employees' positions;
(6) The importance of data classification, including sensitive, confidential, proprietary, private, and critical information;
(7) The importance of risk management practices and tools to identify, rate, and reduce the risk to specific information assets, such as:
(a) Asset identification and evaluation
(b) Threat identification and assessment
(c) Vulnerability and exposure identification and assessment
(d) Calculation of single occurrence loss and annual loss expectancy
(e) Safeguard and countermeasure identification and evaluation, including risk management practices and tools to identify, rate, and reduce the risk to specific information assets
(f) Calculation of the resulting annual loss expectancy and residual risk
(g) Communication of the residual risk to be assigned (i.e., insured against) or accepted by management
(h) The regulatory and ethical requirements to protect individuals from substantial harm, embarrassment, or inconvenience, due to the inappropriate collection, storage, or dissemination of personal information
(i) The principles and controls that protect data against compromise or inadvertent disclosure
(j) The principles and controls that ensure the logical correctness of an information system; the consistency of data structures; and the accuracy, precision, and completeness of the data stored
(k) The principles and controls that ensure that a computer resource will be available to authorized users when they need it
(l) The purpose of and process used for reviewing system records, event logs, and activities
(m) The importance of managing change and the change control process
(n) The application of commonly accepted best practices for system security administration, including the concepts of least privilege, separation of duties, job rotation, monitoring, and incident response
(o) Internal control standards reduce that risk; they are required to satisfy obligations with respect to the law, safeguard the organization's assets, and account for accurate revenue and expense tracking;
(p) There are three categories of internal control standards: general standards, specific standards, and audit resolution standards.
(i) General standards must provide reasonable assurance, support the internal controls, provide for competent personnel, and assist in establishing control objectives and techniques. (Official ISC Guide to the CISSP Exam, nd)
(ii) Specific standards must be documented, clear, and available to personnel; they allow for the prompt recording of transactions and the prompt execution of authorized transactions; specific standards establish separation of duties, qualified supervision, and accountability. (Official ISC Guide to the CISSP Exam, nd)
(iii) Audit resolution standards require that managers promptly resolve audit findings; they must evaluate the finding, determine the corrective action required, and take that action. (Official ISC Guide to the CISSP Exam, nd)
II. Risk Assessment
In the event that the Emergency Management Agency in the county at issue in this scenario is required to respond to a severe weather event, it is likely that the agency's network and computing system will be running on backup or generator power should electrical power be knocked out during the event. The Information Security Manager is required to establish and maintain a security program that ensures the availability, integrity, and confidentiality of the organization's information resources. Availability is reported to be the assurance "that a computer system is accessible by authorized users whenever needed." (Official ISC Guide to the CISSP Exam, nd)
There are two aspects of availability: (1) denial of service; and (2) loss of processing capabilities as a result of natural disasters or human actions. (Official ISC Guide to the CISSP Exam, nd) Denial of service refers to user or intruder actions that tie up computing services so that the system cannot be used by those who are authorized to use it. (Official ISC Guide to the CISSP Exam, nd, paraphrased)
III. Contingency Planning
Contingency planning is reported to involve (1) business resumption planning, (2) alternative-site processing, or (3) simple disaster recovery planning, each of which provides another method of processing so that availability is ensured. (Official ISC Guide to the CISSP Exam, nd, paraphrased) The important categories of security controls are (1) physical, (2) technical, and (3) administrative controls. (Official ISC Guide to the CISSP Exam, nd)
Physical controls prevent unauthorized persons from coming into contact with computing resources; the guide also lists "fault-tolerance mechanisms and access control software to prevent unauthorized users from disrupting services." (Official ISC Guide to the CISSP Exam, nd) Physical controls are those put in place to keep unauthorized individuals away from resources, including computing resources, fire and water controls, and the processing and off-site backup facilities used for storage. (Official ISC Guide to the CISSP Exam, nd, paraphrased)
Technical controls are reported to include fault-tolerance mechanisms, electronic vaulting, and access control software, so that unauthorized users are unable to disrupt services. Administrative controls include "access control policies, operating procedures, contingency planning, and user training." (Official ISC Guide to the CISSP Exam, nd) It is important that operators, programmers, and security personnel are trained so that they can help avoid the computing errors that cause loss of availability.
Integrity is reported as the "protection of system information or processes from intentional or accidental unauthorized changes." (Official ISC Guide to the CISSP Exam, nd) While the security program cannot ensure or improve the accuracy of the data input into the system, it can help ensure that changes are intended and that intended changes are applied to the system correctly. There are three basic principles for establishing integrity controls:
(1) Granting access on a need-to-know basis;
(2) Separation of duties; and
(3) Rotation of duties. (Official ISC Guide to the CISSP Exam, nd)
The 'need-to-know' access principle is that users should be granted access only to the files and programs required to perform their assigned tasks. User access to production data and programs should be restricted "through use of well-formed transactions" that ensure "users can change data or programs only in controlled ways that maintain integrity." (Official ISC Guide to the CISSP Exam, nd)
Separation of duties ensures that no one employee controls a transaction "from beginning to end" and that at least two individuals are responsible for performing it. Rotation of duties involves changing job assignments periodically so that users cannot gain complete control of a transaction, or collaborate to subvert it, for fraudulent purposes.
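The three integrity principles above can be made concrete in code. The following is an added example written for this page, not code from the paper or from the CISSP guide: a small ledger for a hypothetical purchase-order workflow in which roles carry only the operations they need (need-to-know), the initiator of a transaction can never approve it (separation of duties), and role assignments can be redrawn (rotation of duties). All user names, roles, and transactions are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Need-to-know: each role is granted only the operations its job requires.
# Role names and their permissions are constructed for this example.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "requester": {"initiate"},
    "approver": {"approve"},
    "auditor": {"read_log"},
}


class ControlViolation(Exception):
    """Raised when an action would breach need-to-know or separation of duties."""


@dataclass
class Transaction:
    tx_id: str
    amount: int
    initiated_by: str
    approved_by: Optional[str] = None


@dataclass
class Ledger:
    assignments: Dict[str, str]                                   # user -> current role
    transactions: Dict[str, Transaction] = field(default_factory=dict)
    log: List[Tuple[str, str, str]] = field(default_factory=list)  # (event, actor, detail)

    def _authorize(self, user: str, op: str) -> None:
        # Need-to-know check: the user's current role must carry the operation.
        role = self.assignments.get(user)
        if role is None or op not in ROLE_PERMISSIONS.get(role, set()):
            raise ControlViolation(f"{user} (role={role}) is not authorized to {op}")

    def initiate(self, user: str, tx_id: str, amount: int) -> None:
        self._authorize(user, "initiate")
        self.transactions[tx_id] = Transaction(tx_id, amount, user)
        self.log.append(("initiate", user, tx_id))

    def approve(self, user: str, tx_id: str) -> None:
        self._authorize(user, "approve")
        tx = self.transactions[tx_id]
        # Separation of duties: the initiator may never be the approver, even if a
        # later rotation has moved that person into the approver role.
        if user == tx.initiated_by:
            raise ControlViolation(f"{user} initiated {tx_id} and may not approve it")
        tx.approved_by = user
        self.log.append(("approve", user, tx_id))

    def read_log(self, user: str) -> List[Tuple[str, str, str]]:
        self._authorize(user, "read_log")
        return list(self.log)

    def rotate(self, new_assignments: Dict[str, str]) -> None:
        # Rotation of duties: reassign roles; existing transactions keep their history,
        # so the separation-of-duties check above still applies to them.
        self.assignments = dict(new_assignments)
        detail = ",".join(f"{u}:{r}" for u, r in sorted(new_assignments.items()))
        self.log.append(("rotate", "system", detail))


def attempt(action: Callable[[], object]) -> Optional[str]:
    """Run an action; return the violation message, or None if it was allowed."""
    try:
        action()
        return None
    except ControlViolation as exc:
        return str(exc)


def run_scenario() -> Dict[str, Optional[str]]:
    """Walk the three controls through a constructed purchase-order ledger."""
    ledger = Ledger({"alice": "requester", "bob": "approver", "carol": "auditor"})
    r: Dict[str, Optional[str]] = {}
    r["alice_initiates"] = attempt(lambda: ledger.initiate("alice", "PO-1", 500))
    r["alice_approves_own"] = attempt(lambda: ledger.approve("alice", "PO-1"))  # need-to-know blocks
    r["bob_approves"] = attempt(lambda: ledger.approve("bob", "PO-1"))
    r["bob_reads_log"] = attempt(lambda: ledger.read_log("bob"))              # need-to-know blocks
    ledger.initiate("alice", "PO-2", 1200)
    ledger.rotate({"alice": "approver", "bob": "requester", "carol": "auditor"})
    r["alice_after_rotation_approves_own"] = attempt(lambda: ledger.approve("alice", "PO-2"))  # SoD blocks
    r["bob_after_rotation_initiates"] = attempt(lambda: ledger.initiate("bob", "PO-3", 300))
    r["alice_after_rotation_approves_bobs"] = attempt(lambda: ledger.approve("alice", "PO-3"))
    r["approved_by_PO-3"] = ledger.transactions["PO-3"].approved_by
    return r


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step}: {'allowed' if outcome is None else outcome}")
```

The point of the scenario is the step after rotation: alice now legitimately holds the approver role, yet the ledger still refuses to let her approve PO-2 because she initiated it, which is exactly the "beginning to end" control the text describes.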
IV. Confidentiality
Confidentiality protects system information from access by unauthorized users, resources, and processes. It is reported that "Confidentiality must be well defined, and procedures for maintaining confidentiality must be carefully implemented. Crucial aspects of confidentiality are user identification, authentication, and authorization." (Official ISC Guide to the CISSP Exam, nd)
Threats to confidentiality are stated to include the following:
(1) Hackers. A hacker or cracker is someone who bypasses the system's access controls by taking advantage of security weaknesses that the system's developers have left in the system. In addition, many hackers are adept at discovering the passwords of authorized users who choose passwords that are easy to guess or appear in dictionaries. The activities of hackers represent serious threats to the confidentiality of information in computer systems. Many hackers have created copies of inadequately protected files and placed them in areas of the system where they can be accessed by unauthorized persons;
(2) Masqueraders. A masquerader is an authorized, or unauthorized, user of the system who has obtained the password of another user and thus gains access to files available to the other user by pretending to be the authorized user. Masqueraders are often able to read and copy confidential files. Masquerading, therefore, can be defined as an attempt to gain access to a system by posing as an authorized user;
(3) Unauthorized user activity. This type of activity occurs when authorized, or unauthorized, system users gain access to files they are not authorized to access. Weak access controls often enable such unauthorized access, which can compromise confidential files;
(4) Unprotected downloaded files. Downloading can compromise confidential information if, in the process, files are moved from the secure environment of a host computer to an unprotected microcomputer for local processing. While on the microcomputer, unprotected confidential information could be accessed by unauthorized users;
(5) Networks. Networks present a special confidentiality threat because data flowing through networks can be viewed at any node of the network, whether or not the data is addressed to that node. This is particularly significant because the unencrypted user IDs and secret passwords of users logging on to the host are subject to compromise by the use of "sniffers" as this data travels from the user's workstation to the host. Any confidential information not intended for viewing at every node should be protected by encryption techniques;
(6) Trojan horses. Trojan horses can be programmed to copy confidential files to unprotected areas of the system when they are unknowingly executed by users who have authorized access to those files. Once executed, the Trojan horse can become resident on the user's system and can routinely copy confidential files to unprotected resources;
(7) Social engineering. Social engineering is a term that describes a nontechnical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures. For example, a person using social engineering to break into a computer network would try to gain the confidence of someone who is authorized to access the network in order to get him to reveal information that compromises the network's security. (Official ISC Guide to the CISSP Exam, nd)
The central tasks of information risk assessment include the establishment of an Information Risk Management (IRM) Policy. It is reported that a sound Information Risk Management Policy has as its foundation a "well-thought-out IRM policy infrastructure that effectively addresses all elements of information security." (Official ISC Guide to the CISSP Exam, nd) The starting point is a "high-level policy statement and supporting objectives, scope, constraints, responsibilities and approach." (Official ISC Guide to the CISSP Exam, nd) The IRM policy must be communicated and enforced effectively, together with facility security and contingency planning. (Official ISC Guide to the CISSP Exam, nd, paraphrased) This requires the establishment and funding of an IRM team whose functions include logical access control as well as contingency planning.
Funding for IRM policy planning and staffing should provide for "above minimum staffing" and for the acquisition of, and training in the use of, an automated risk assessment tool. It is also necessary to establish an IRM methodology and tools.
There are reported to be two fundamental applications of risk assessment: (1) determining the current status of information security in the target environment(s) and ensuring that the associated risk is managed (accepted, mitigated, or transferred) according to policy; and (2) assessing risk strategically. (Official ISC Guide to the CISSP Exam, nd) Risk must be identified and measured; the first risk assessment should be conducted with a broad scope to ensure that management "gets a good sense of the current status of information security and that management has a sound basis for establishing initial risk acceptance criteria and risk mitigation." (Official ISC Guide to the CISSP Exam, nd)
Project sizing is a task that includes "the identification of background, scope, constraints, objectives, responsibilities, approach, and management support. Clear project-sizing statements are essential to a well defined and well-executed risk assessment project. It should also be noted that a clear articulation of project constraints (what is not included in the project) is very important to the success of a risk assessment." (Official ISC Guide to the CISSP Exam, nd)
The information protection environment includes threat analysis, a task that identifies threats that may adversely affect the target environment. Asset identification and valuation is a task in which assets, both tangible and intangible, are identified and valued, including replacement costs and the value of information asset availability, integrity, and confidentiality. Vulnerability analysis is a task involving the "…identification of vulnerabilities that could increase the frequency or impact of threat event(s) affecting the target environment." (Official ISC Guide to the CISSP Exam, nd)
Risk evaluation is a task that involves the "evaluation of all collected information regarding threats, vulnerabilities, assets, and asset values in order to measure the associated chance of loss and the expected magnitude of loss for each of an array of threats that could occur. Results are usually expressed in monetary terms on an annualized basis (ALE) or graphically as a probabilistic "risk curve" for a quantitative risk assessment. For a qualitative risk assessment, results are usually expressed through a matrix of qualitative metrics such as ordinal ranking (low, medium, high, or 1, 2, 3) and a scenario description of the threat and potential consequences." (Official ISC Guide to the CISSP Exam, nd)
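The arithmetic behind the quantitative and qualitative results described here, and behind items (d), (e) and (f) of Section I (single occurrence loss, annual loss expectancy, and residual risk after safeguards), is short enough to carry through end to end. The following is an added example written for this page, not code from the paper or from the CISSP guide. It computes SLE, ALE, residual ALE and annual cost/benefit for a constructed scenario (utility power loss to the county EOC network during a storm) and two constructed candidate safeguards, and ranks a threat on a 3x3 low/medium/high matrix. All dollar figures, exposure factors, occurrence rates and the matrix thresholds are assumptions of the example, not values from the paper.

```python
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Threat:
    """One threat scenario against one asset. All figures are constructed."""
    name: str
    asset_value: float      # replacement cost plus value of lost availability, in dollars
    exposure_factor: float  # fraction of asset value lost per occurrence, 0.0..1.0
    aro: float              # annualized rate of occurrence (expected events per year)


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure and the threat parameters it would leave in place."""
    name: str
    annual_cost: float
    new_exposure_factor: float
    new_aro: float


def single_loss_expectancy(t: Threat) -> float:
    # SLE: the loss from one occurrence of the threat.
    return t.asset_value * t.exposure_factor


def annual_loss_expectancy(t: Threat) -> float:
    # ALE: expected loss per year before any new safeguard.
    return single_loss_expectancy(t) * t.aro


def residual_ale(t: Threat, s: Safeguard) -> float:
    # Residual risk: ALE recomputed with the safeguard's reduced EF and ARO.
    reduced = replace(t, exposure_factor=s.new_exposure_factor, aro=s.new_aro)
    return annual_loss_expectancy(reduced)


def annual_benefit(t: Threat, s: Safeguard) -> float:
    # Cost/benefit: risk removed per year minus what the safeguard costs per year.
    return annual_loss_expectancy(t) - residual_ale(t, s) - s.annual_cost


def rank_safeguards(t: Threat, options: List[Safeguard]) -> List[Tuple[str, float, float]]:
    """Return (name, residual ALE, annual benefit) per option, best benefit first."""
    rows = [(s.name, residual_ale(t, s), annual_benefit(t, s)) for s in options]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def qualitative_rank(likelihood: int, impact: int) -> str:
    """Combine ordinal 1..3 likelihood and impact on a 3x3 matrix.

    The thresholds (product <= 2 low, <= 4 medium, otherwise high) are an
    assumption of this example; an agency would fix its own matrix in its IRM policy.
    """
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be ordinal values 1, 2, or 3")
    score = likelihood * impact
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


# Constructed scenario: the county EOC network loses utility power during a storm.
STORM_POWER_LOSS = Threat(
    name="utility power loss to EOC network during severe weather",
    asset_value=250_000.0,   # constructed: servers, network gear, and availability value
    exposure_factor=0.40,    # constructed: 40% of asset value lost per outage
    aro=2.0,                 # constructed: two damaging outages per year
)

# Constructed candidate safeguards for the same threat.
CANDIDATES = [
    Safeguard("generator plus UPS with maintenance contract", 15_000.0, 0.05, 2.0),
    Safeguard("alternate-site processing contract", 60_000.0, 0.10, 2.0),
]


if __name__ == "__main__":
    t = STORM_POWER_LOSS
    print(f"SLE = ${single_loss_expectancy(t):,.0f}, ALE = ${annual_loss_expectancy(t):,.0f}")
    for name, resid, benefit in rank_safeguards(t, CANDIDATES):
        print(f"{name}: residual ALE ${resid:,.0f}, annual benefit ${benefit:,.0f}")
    print("Trojan horse copying confidential files:", qualitative_rank(likelihood=2, impact=3))
```

With the constructed figures, SLE is $100,000 and ALE is $200,000 per year; the generator option leaves a residual ALE of $25,000 for a net annual benefit of $160,000, while the alternate-site contract leaves $50,000 of residual risk at a higher cost. The residual figure is what the text says must be communicated to management for acceptance, insurance or further mitigation.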
Interim reports and recommendations are key reports used to document significant activity, decisions, and agreements, including:
(1) Project sizing. This report presents the results of the project-sizing task. The report is issued to senior management for their review and concurrence. This report, when accepted, assures that all parties understand and concur in the nature of the project before it is launched. (Official ISC Guide to the CISSP Exam, nd)
(2) Asset identification and valuation. This report may detail (or summarize) the results of the asset valuation task, as desired. It is issued to management for their review and concurrence. Such review helps prevent conflict about value later in the process. This report often provides management with its first insight into the value of the availability, confidentiality, or integrity of the information assets.
(3) Risk evaluation. This report presents management with a documented assessment of risk in the current environment. Management may choose to accept that level of risk (a legitimate management decision) with no further action or proceed with risk mitigation analysis. (Official ISC Guide to the CISSP Exam, nd)