Monday, February 06, 2006

[CISSP] Domain Security Management Practices

Domain Security Management Practices

The main goals of risk analysis

  • Identify risks
  • Quantify the impact of potential threats
  • Provide an economic balance between the impact of the risk and the cost of the safeguards

Security Policy
is a general statement produced by senior management.

Common development process of security policy

  • Initial and evaluation
  • Publication
  • Development
  • Implementation

Standards
specify how hardware and software products are to be used.

Baselines
provide the minimum level of security necessary throughout the organization.

Guidelines
are recommended actions and operational guides for users, IT staff, operations staff, and others when a specific standard does not apply.

Procedures
are detailed step-by-step tasks that should be performed to achieve a certain goal.

Policies detail what should be done, and the standards detail how.

Due diligence is the act of investigating and understanding the risks the company faces.

Due care is shown by developing security policies, procedures, and standards.

Risk Analysis Definitions

Exposure factor (EF): percentage of asset loss caused by an identified threat

Single loss expectancy (SLE): asset value x exposure factor

Annualized rate of occurrence (ARO): estimated frequency with which a threat will occur within a year

Annualized loss expectancy (ALE): single loss expectancy x annualized rate of occurrence

Total Risk = threats x vulnerability x asset value

Residual Risk = (threats x vulnerability x asset value) x control gap

Value of safeguard to the company = (ALE before implementing safeguard) - (ALE after implementing safeguard) - (annual cost of safeguard)
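The formulas above are easiest to trust once you have run them against real numbers, so here is a worked example (added here; it is not part of the original notes) that computes SLE, ALE and the net value of a safeguard and then ranks several candidate controls. Every figure in it (asset value, exposure factors, ARO, control costs) is a constructed sample, and the names `RiskScenario`, `Safeguard`, `safeguard_value` and `recommend` are this example's own.

```python
"""Worked example of the quantitative risk formulas in the notes.

All asset values, exposure factors, ARO figures and safeguard costs below are
constructed for illustration; replace them with figures from your own assessment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float       # value of the asset in currency units
    exposure_factor: float   # EF: fraction of asset value lost per occurrence (0.0 - 1.0)
    aro: float               # ARO: expected occurrences per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float             # recurring cost of the control per year
    exposure_factor_after: float   # EF once the control is in place
    aro_after: float               # ARO once the control is in place


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x exposure factor."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value, exposure_factor, aro):
    """ALE = SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def safeguard_value(scenario, safeguard):
    """Value of safeguard = ALE before - ALE after - annual cost of safeguard.

    A positive result means the control saves more per year than it costs.
    """
    ale_before = annualized_loss_expectancy(
        scenario.asset_value, scenario.exposure_factor, scenario.aro)
    ale_after = annualized_loss_expectancy(
        scenario.asset_value, safeguard.exposure_factor_after, safeguard.aro_after)
    return ale_before - ale_after - safeguard.annual_cost


def recommend(scenario, candidates):
    """Return the candidate safeguards with a positive net value, best first."""
    scored = [(safeguard_value(scenario, s), s) for s in candidates]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return [s for value, s in scored if value > 0]


# Constructed sample: a warehouse worth 500,000 in a flood-prone area with no
# perimeter defenses; a flood is expected to destroy 40% of its value once a decade.
WAREHOUSE_FLOOD = RiskScenario("warehouse flood", asset_value=500_000,
                               exposure_factor=0.40, aro=0.10)

# Constructed candidate controls; each changes EF and/or ARO and has a yearly cost.
CANDIDATES = [
    Safeguard("flood barriers", annual_cost=8_000, exposure_factor_after=0.10, aro_after=0.10),
    Safeguard("relocate stock", annual_cost=25_000, exposure_factor_after=0.05, aro_after=0.10),
    Safeguard("sandbags only", annual_cost=500, exposure_factor_after=0.35, aro_after=0.10),
]

if __name__ == "__main__":
    ale = annualized_loss_expectancy(WAREHOUSE_FLOOD.asset_value,
                                     WAREHOUSE_FLOOD.exposure_factor, WAREHOUSE_FLOOD.aro)
    print(f"ALE before any safeguard: {ale:,.0f}")
    for s in CANDIDATES:
        print(f"{s.name:15s} net value per year: {safeguard_value(WAREHOUSE_FLOOD, s):>10,.0f}")
    print("recommended:", [s.name for s in recommend(WAREHOUSE_FLOOD, CANDIDATES)])
```

With the sample figures the ALE is 20,000 per year; flood barriers net 7,000, sandbags net 2,000, and relocating stock costs more than it saves (net -7,500), so the ranking recommends the first two. This is the cost/benefit comparison the notes refer to: a control that cuts loss the most is not automatically the one to buy.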

The modified Delphi method is for brainstorming and consensus; the Delphi method is for problem solving.

ISO 17799 is the internationally recognized Information Security Management Standard that provides high-level, conceptual recommendations on enterprise security. It was derived from BS 7799.

ISO 17799 / BS 7799: 10 sections

  • Scope
  • Information security policy
  • Security organisation
  • Asset classification and control
  • Personnel security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Systems development and maintenance
  • Business continuity management
  • Compliance

Risk analysis steps

  • Identify assets and their values
  • Identify vulnerabilities and threats
  • Quantify the probability and business impact of these potential threats
  • Provide economical countermeasure recommendations

A security analyst helps the company at a strategic level by developing policies and their supporting mechanisms.

Cost/benefit analysis is the most valuable technique when determining whether a specific security control should be implemented.

A qualitative approach relies on subjective observation, while a quantitative approach assigns statistical costs to a threat.

Health care information is considered sensitive but unclassified information. (?)

A threat is an event or activity with the potential to cause harm to information systems or networks.

A vulnerability is a system weakness that can be exploited by a threat.

Example: Your company has hired a risk management firm to evaluate the organization's overall health and risks. One area that is quickly identified is a small warehouse in a heavily populated area which holds valuable assets. The warehouse has no perimeter defenses. The lack of protection would be characterized as a vulnerability.

Exposure factor is a measure of the magnitude of loss or impact on the value of an asset.

Example: Cary is working on a risk management project and must determine the degree of damage to a manufacturing facility downtown in the event of a flood. This degree of damage is referred to as the exposure factor.

A threat is the possibility that a threat agent will exploit a vulnerability. The probability of this happening is the risk. Once the vulnerability is exploited, there is an exposure.

"Shoulder surfing" is an example of confidentiality security failure.

Example: Recording screen shots of another user's computer with a video recorder.

Business continuity and disaster recovery fall under compensating security controls.

Controls and resources can be put in place to mitigate identified business risks, which can yield a return on investment for the implementation of those controls.

When an activity is carried out, either intentionally or accidentally, and it disrupts a computer, it can be referred to as a compromise.

Auditing logs should capture unique user identification information to be able to enforce true individual accountability.

Regulatory policy

is written to ensure that the organization is following standards set by a specific industry and regulated by law. This policy type is detailed in nature and specific to a type of industry. It is used in financial institutions, health care facilities, and public utilities.

Advisory policy

is written to strongly suggest certain types of behaviors and activities which should take place within the organization. It also outlines possible ramifications for employees who do not comply. This is used for handling medical information, financial transactions, and processing confidential information.

Informative policy

is written to inform employees of certain topics. It is not an enforceable policy, but one to teach individuals about specific issues relevant to the company. It could explain how the company interacts with partners, the company's goals and mission, and general reporting structure in different situations.
