
CISM™

Certified Information
Security Manager
Firebrand Custom Designed Courseware

© 2016 Firebrand
5/6/2016
Chapter 2
Information Risk
Management and
Compliance

Exam Relevance

Ensure that the CISM candidate manages information risk to an acceptable level to meet the business and compliance requirements of the organization.
• The content area in this chapter represents approximately 33% of the CISM examination (approximately 66 questions).

ISACA CISM Review Manual Page 78
Chapter 2 Task Statements

• Establish an information asset classification and ownership process
• Ensure risk, threat and vulnerability assessments are conducted periodically
• Evaluate security controls
• Identify gaps between current and desired state

ISACA CISM Review Manual Page 78
Chapter 2 Task Statements cont.

• Integrate risk, threat and vulnerability identification and management into the organization
• Monitor existing risk to ensure changes are identified and managed appropriately
• Report information risk management levels to management

ISACA CISM Review Manual Page 78
Risk Management

ISACA CISM Review Manual Page 93
Definition of Risk

Risk is a function of the likelihood of a threat-source exercising a vulnerability and the resulting impact of that adverse event on the mission of the organization.
• Asset
• Threat
• Vulnerability
• Likelihood (probability)
• Impact (consequence)

NIST/CNSSI definition (NIST SP 800-30)
Why is Risk Important?

Risk management is a fundamental function of information security
• It provides the rationale and justification for virtually all information security activities
Prioritization of risk allows the development of a security roadmap

ISACA CISM Review Manual Page 93
Risk Management Definition

What is risk management?
• The systematic application of management policies, procedures and practices to the tasks of identifying, analyzing, evaluating, treating and monitoring risk related to information and information systems

Risk Management Objective

The objective of risk management is to identify, quantify and manage information security risk.
Reduce risk to an acceptable level through the application of risk-based, cost-effective controls.

ISACA CISM Review Manual Page 94
Risk Management Overview

Risk is the probability of occurrence of an event or transaction causing financial loss or damage to the:
• Organization
• Staff
• Assets
• Reputation
Measured using quantitative and qualitative measures
ISACA CISM Review Manual Page 94
Risk Management Overview

Risk management is the process of ensuring that the impact of threats exploiting vulnerabilities is within acceptable limits at an acceptable cost.
At a high level, this is accomplished by:
• Balancing risk against mitigation costs
• Implementing appropriate countermeasures and controls

ISACA CISM Review Manual Page 94
Risk Management Process

Cycle diagram of three stages:
1. Risk Identification (Assessment and Analysis)
2. Risk Treatment (Control Selection)
3. Evaluation and Assessment

ISACA CISM Review Manual Page 98
Defining the Risk Environment

The most critical prerequisite to a successful risk management program is understanding the organization, including:
• Key business drivers
• The organization's SWOT (strengths, weaknesses, opportunities and threats)
• Internal and external stakeholders
• Organizational structure and culture
• Assets (resources, information, customers, equipment)
• Goals and objectives, and the strategies already in place to achieve them

ISACA CISM Review Manual Page 95
Threats to Information and Information Systems

Threats to information and information systems are related to:
• Availability
• Confidentiality
• Integrity
• Non-repudiation
ISACA CISM Review Manual Page 98
Communicating Risk
Involve all stakeholders
Consistent communication in a defined
format
Create awareness and accountability

ISACA CISM Review Manual Page 95
Effective Risk Management
Integrated with the business mission
Supported by Senior Management
Integration with other business areas

ISACA CISM Review Manual Page 96
Developing a Risk Management Program
Establish context and purpose
Define scope
Define authority, structure and reporting
Ensure asset identification, classification and
ownership
Determine objectives
Determine risk methodology to be used

ISACA CISM Review Manual Page 96
Alignment of Risk Assessment and BIA

Risk assessment measures impact and likelihood
Business impact analysis (BIA) measures impact over time
Related disciplines, but not the same
BIA must be done periodically to determine how risk and impact levels increase over time
• Set priorities for critical business functions

ISACA CISM Review Manual Page 104
Threat Analysis

Intentional versus unintentional threats
• Natural
• Man-made
• Utility / equipment failure
Threats are affected by:
• The skill and motivation of the attacker
• The existence of attack tools

ISACA CISM Review Manual Page 112
Aggregate Risk

Aggregate risk must be considered
• Aggregate risk is where several smaller risk factors combine to create a larger risk (the "perfect storm" scenario)

Added value in examination but not in Student Manual
Cascading Risk

Cascading risks are the effect of one incident leading to a chain of adverse events (domino effect)

Added value in examination but not in Student Manual
Identification of Vulnerabilities

Weaknesses in security
controls
• Patches not applied
• Non-hardened systems
• Inappropriate access levels
• Unencrypted sensitive data
• Software bugs or coding issues
(buffer overflow)
• Physical security

ISACA CISM Review Manual Page 113
The Effect of Risk

An exploit of a vulnerability by a threat may lead to an exposure.
An exposure is measured by the impact it has on the organization or on the ability of the organization to meet its mission.

ISACA CISM Review Manual Page 117
Impact

Examples of direct and indirect financial losses:
• Direct loss of money (cash or credit)
• Criminal or civil liability
• Loss of reputation/goodwill/image
• Reduction of share value
• Conflict of interests to staff or customers or shareholders

ISACA CISM Review Manual Page 117
Impact cont.

Examples of direct and indirect financial losses:

• Breach of confidence/privacy
• Loss of business opportunity/competition
• Loss of market share
• Reduction in operational
efficiency/performance
• Interruption of business activity
• Noncompliance with laws and regulations
resulting in penalties

ISACA CISM Review Manual Page 117
Risk Assessment Methodology

Quantitative
• Determine the impact of a single event
• Single loss expectancy (SLE)
• SLE = Asset Value x Exposure Factor (EF is the fraction of the asset's value lost in one occurrence)
• Calculate the frequency of events
• Annualized rate of occurrence (ARO)
• ARO = expected incidents per year (an event expected once every four years has an ARO of 0.25)

ISACA CISM Review Manual Page 119
Annualized Loss Expectancy (ALE)

ALE is the calculated cost of risk per year from a single type of event
• ALE = SLE x ARO
Used to justify the expense of implementing controls to reduce risk levels
The cost of a control should not be greater than the benefit realized by implementing it (the reduction in ALE it achieves)

ISACA CISM Review Manual Page 119
Semiquantitative Analysis
Combination of qualitative analysis with
financial impact levels
Brings together the benefits of both
qualitative and quantitative analysis
Often used in workshops with representatives
of the business

ISACA CISM Review Manual Page 118
Qualitative Risk Assessment

Determine risk levels through scenario-based analysis
Rank risk levels according to frequency (likelihood) and impact: Low (1), Moderate (2), High (3); the cell value is likelihood x impact

Likelihood \ Impact    Low (1)   Moderate (2)   High (3)
High (3)                  3           6             9
Moderate (2)              2           4             6
Low (1)                   1           2             3

ISACA CISM Review Manual Page 121
Data Gathering Techniques

Surveys /
Questionnaires

Observation

Workshops

Delphi techniques

ISACA CISM Review Manual Page 120
Risk Acceptance
The level of risk that senior management is
willing to accept – retention of the risk
Must include the calculation of the total risk
level being accepted to ensure management
has accurate data to work from.

ISACA CISM Review Manual Page 121
Results of Risk Assessment

Documentation of risk levels
• Risk register
Determination of threat and vulnerability levels
Forecast of impact and frequency of events
Recommendations for risk mitigation
• Controls, safeguards, countermeasures

ISACA CISM Review Manual Page 120
Risk Treatment

Risk Treatment

Risk treatment takes the recommendations from the risk assessment process and selects the best option for managing risk at an acceptable level, considering:
• Residual risk
• Risk acceptance
• Cost / benefit
• Priorities
• Balance between security and business

ISACA CISM Review Manual Page 120
Risk Treatment

Risk treatment options
• Reduction / mitigation: implement changes
• Enhance managerial, technical, physical and operational controls
• Acceptance
• Transference (e.g., insurance)
• Avoidance / terminate the activity
ISACA CISM Review Manual Page 121
Residual Risk
The risk that remains after the application of
controls or countermeasures to reduce the
risk.
The objective is to reduce residual risk to a
level that is equal to, or below, the level of
acceptable risk
• Risk that exceeds acceptable risk levels
should be further mitigated

ISACA CISM Review Manual Page 121
Risk Mitigation and Controls

Controls (safeguards / countermeasures) are implemented in order to reduce a specified risk
• Existing controls and countermeasures can be evaluated
• New controls and countermeasures can be designed

ISACA CISM Review Manual Page 121
Control Recommendations

Factors to be considered when recommending new or enhanced controls are:
• Cost-benefit analysis
• Anticipated effectiveness
• Compatibility with other controls, systems, and processes
• Legislation and regulation
• Organizational policy, standards, and culture
• Impact of the control on business processes
• Control reliability

ISACA CISM Review Manual Page 122
Cost Benefit Analysis of Controls

Cost-benefit analysis must consider the cost of the control throughout the full life cycle of the control or countermeasure, including:
• Acquisition / purchase costs
• Deployment and implementation costs
• Recurring maintenance costs
• Testing and assessment costs

ISACA CISM Review Manual Page 122
Cost Benefit Analysis of Controls cont.

Cost-benefit analysis includes the costs of:
• Compliance monitoring and enforcement
• Inconvenience to users
• Reduced throughput of controlled processes
• Training in new procedures or technologies as applicable
• End-of-life decommissioning

ISACA CISM Review Manual Page 123
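As an added worked example (not part of the Firebrand courseware or the ISACA manual), the Python code below carries the SLE / ARO / ALE formulas from the Risk Assessment Methodology and ALE slides through the life-cycle cost-benefit check described on the two Cost Benefit Analysis slides, and then compares the residual ALE against a risk level management has agreed to accept. Every figure in it (asset value, exposure factors, AROs, control costs, the acceptable ALE) is constructed for illustration, and the names RiskScenario, ControlLifecycleCost and evaluate_control are this example's own, not terms from the slides.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and life-cycle cost-benefit of a control.

All figures used below are constructed illustrations, not taken from any real assessment.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor (EF is the fraction of value lost in one event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO (ARO is the expected number of occurrences per year)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class RiskScenario:
    """One threat/vulnerability pair against one asset, before or after a control (hypothetical type)."""
    asset_value: float
    exposure_factor: float
    aro: float

    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    def ale(self) -> float:
        return annualized_loss_expectancy(self.sle(), self.aro)


@dataclass(frozen=True)
class ControlLifecycleCost:
    """Full life-cycle cost of a control, following the cost categories on the slides:
    one-off costs (acquisition, deployment, training, decommissioning) plus
    recurring costs (maintenance, testing, compliance monitoring) per year."""
    acquisition: float
    deployment: float
    training: float
    decommissioning: float
    recurring_per_year: float
    life_years: int

    def total(self) -> float:
        if self.life_years <= 0:
            raise ValueError("control life must be at least one year")
        one_off = self.acquisition + self.deployment + self.training + self.decommissioning
        return one_off + self.recurring_per_year * self.life_years

    def annualized(self) -> float:
        # Spread the whole life-cycle cost evenly over the years the control is in service.
        return self.total() / self.life_years


def evaluate_control(before: RiskScenario, after: RiskScenario,
                     cost: ControlLifecycleCost, acceptable_ale: float) -> dict:
    """Compare the annual risk reduction with the annualized control cost and check residual risk.

    justified: the control avoids more loss per year than it costs per year.
    residual_within_appetite: the ALE remaining after the control is at or below the
    level management has accepted; if not, further mitigation is required.
    """
    ale_before = before.ale()
    ale_after = after.ale()
    risk_reduction = ale_before - ale_after
    annual_cost = cost.annualized()
    net_value = risk_reduction - annual_cost
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "risk_reduction": risk_reduction,
        "annual_control_cost": annual_cost,
        "net_value": net_value,
        "justified": net_value > 0,
        "residual_within_appetite": ale_after <= acceptable_ale,
    }


# Constructed example: a customer database valued at 500,000 (hypothetical figures).
# Before the control a breach is expected once every four years (ARO 0.25) and costs
# 40% of the asset's value; after encryption at rest plus monitoring, the loss per event
# drops to 10% and the expected frequency to once every ten years.
BEFORE = RiskScenario(asset_value=500_000, exposure_factor=0.40, aro=0.25)
AFTER = RiskScenario(asset_value=500_000, exposure_factor=0.10, aro=0.10)
CONTROL = ControlLifecycleCost(acquisition=40_000, deployment=15_000, training=5_000,
                               decommissioning=3_000, recurring_per_year=10_000, life_years=5)
ACCEPTABLE_ALE = 10_000  # hypothetical risk acceptance level signed off by management


def run_example() -> dict:
    return evaluate_control(BEFORE, AFTER, CONTROL, ACCEPTABLE_ALE)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key:>25}: {value:,.2f}" if isinstance(value, float) else f"{key:>25}: {value}")
```

With these inputs the ALE falls from 50,000 to 5,000 per year, the control costs 22,600 per year over its five-year life, so the net value is 22,400 per year and the control is justified; the residual ALE of 5,000 also sits below the accepted 10,000. Changing any one input (a shorter life, a higher recurring cost, a smaller reduction in ARO) shows how quickly the justification can flip, which is the point of running the full life-cycle cost rather than the purchase price alone.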
Risk Mitigation Schematic (from the Common Criteria)

Diagram of the relationships between owners, threat agents, countermeasures, risk and assets:
• Owners value assets and wish to minimize the risk to those assets
• Owners impose countermeasures to reduce risk
• Threat agents give rise to threats, which increase risk to assets
• Threat agents wish to abuse and/or may damage assets
Control Types

Controls may be:
• Managerial
• Technical
• Physical
ISACA CISM Review Manual Page 122
Control Types and Categories cont.

Controls may be:

• Directive
• Deterrent
• Preventive
• Detective
• Recovery
• Corrective
• Compensating

Added value in the examination but not in Student Manual
Security Control Baselines

Creating baselines of control can assist in developing a consistent security infrastructure
Principles for developing baselines include:
• Assessing the level of security that is appropriate for the organization
• Mandating a configuration for all systems and components attached to the organization's network

ISACA CISM Review Manual Page 123
Information Asset Classification

ISACA CISM Review Manual Page 125
Information Asset Classification

Need to know what information to protect
Need to know who is responsible for protecting it
• Ownership
• Roles and responsibilities

ISACA CISM Review Manual Page 126
Roles and Responsibilities

Information protection requires clear assignment of responsibilities
• Information owner
• Information system owner
• Board of directors / chief executive officer
• Users
• Information custodians
• Third-party suppliers

ISACA CISM Review Manual Page 125
Roles and Responsibilities

Information security risk management is an integral part of security governance
• It is the responsibility of the board of directors, or the equivalent, to ensure that these efforts are visible
Management must be involved in and sign off on acceptable risk levels and risk management objectives

ISACA CISM Review Manual Page 121
Information Classification Considerations

Business impact and reliance of the business on information and information systems
• Understand business objectives
• Availability of data / systems
• Sensitivity of data / systems

ISACA CISM Review Manual Page 126
Regulations and Legislation

Information asset protection may be required by legislation:
• Privacy
• Consumer data
• Employee data
• Financial accuracy
• SOX-type laws

ISACA CISM Review Manual Page 125
Asset Valuation

Information asset valuation may be based on:
• Financial considerations
• Liability for lost data
• Cost to create or restore data
• Impact on business mission
• Reputation
• Customer or supplier confidence
ISACA CISM Review Manual Page 125
Valuation Process

Determine ownership
Determine the number of classification levels
Develop a labeling scheme
Identify all information types and locations
Declassify when data no longer needs protection

ISACA CISM Review Manual Page 126
Information Protection

Ensure that data is protected consistently across all systems
Protect data in all forms: paper, electronic, optical, fax
Protect data at all times:
• Storage
• Transmission
• Processing
• Destruction

ISACA CISM Review Manual Page 126
Information Asset Protection

Policies
• Communicated
• Enforced
• Clean desk / clear screen
• Need to know / least privilege
Procedures
• Labeling
• Destruction

ISACA CISM Review Manual Page 126
Recovery Time Objectives (RTO)
Business needs determine recovery time
objectives
The RTO indicates the time by which critical
services should be restored
Includes identification of dependencies
between systems and processes
Calculated as part of Business Impact Analysis
(BIA)

ISACA CISM Review Manual Page 129
Recovery Point Objectives (RPO)
Based on acceptable data loss in case of a
crisis or major failure
Drives the frequency of backups as well as
the type of backup used to enable recovery
of systems within acceptable timeframes.

ISACA CISM Review Manual Page 130
Service Delivery Objectives (SDO)
Defined as the minimal level of service that
must be restored to meet business
requirements until normal levels of business
can be restored.

ISACA CISM Review Manual Page 130
Third Party Providers

External support functions
Adequate controls and monitoring in place
Ensure that controls are addressed in contracts
Obtain assurance that control requirements are being met
• SLAs, SOC 2 reports, ISO/IEC 27001 certification
Remember that liability for a breach remains with the outsourcing organization
ISACA CISM Review Manual Page 131
Risk Related to Physical Controls
Insecure physical environment
Poor environmental controls
Shared premises
External parties on site

ISACA CISM Review Manual Page 132
Risk Related to Change Control

Uncontrolled / unauthorized changes
Changes implemented incorrectly
• Backup
• Rollback
Changes that bypass / overwrite controls
Interruption to service

ISACA CISM Review Manual Page 132
Controlling Risk in Change Control

Oversight / steering committee
Formal change control process
• Documentation of changes
• Approvals
• Testing
Review of all proposed / implemented changes for impact on security controls
ISACA CISM Review Manual Page 132
Risk Management During SDLC

Integrate risk management throughout the SDLC
• Review risk levels as the system is designed, developed, tested and implemented
• Test the implemented security controls
• Ensure the ability to log and monitor events is built into all systems
Review all new systems for correct operation of controls and associated risk levels

ISACA CISM Review Manual Page 133
Risk in Project Management

Risk of "scope creep"
Risk of project overrun
• Budget
• Time
• Failure to deliver expected results
• Vendor compliance with requirements

ISACA CISM Review Manual Page 134
Ongoing Risk Management Monitoring and Analysis

Do risk assessment annually
• More frequently in the event of:
  • Organizational changes
  • Regulatory changes
  • Incidents
Monitor controls frequently and report to management
• Standardized reporting (format)
• Trend analysis

ISACA CISM Review Manual Page 135
Audit and Risk Management

Audit validates that risk is being managed correctly, compared with:
• The culture of the organization
• Policy
• Regulation
• Best practices
ISACA CISM Review Manual Page 135
Audit and Risk Management cont.

Validate that risk is within acceptable levels
• Risk appetite
Threat and vulnerability analysis was done correctly
Controls are working correctly
• Mitigating risk effectively
• Validate compliance with controls
Reporting and recommendations

ISACA CISM Review Manual Page 135
Ongoing Risk Assessment

Monitor controls to ensure that they are working effectively
• Implemented as designed
• Operating properly
• Producing the desired outcome (mitigating the risk they were installed to address)

ISACA CISM Review Manual Page 135
Measuring Control Effectiveness

Determine metrics to measure control effectiveness
• Do regular monitoring and reporting
Aggregate data from several control points
• Security Information and Event Management (SIEM)
Measure control effectiveness in comparison to business goals and objectives

ISACA CISM Review Manual Page 135
New Employee Initiation

Require signing of
•Non-disclosure agreements (NDA)
•Non-compete agreements
•Ethics statement
Review security policy
•Awareness training
ISACA CISM Review Manual Page 136
Risk During Employment

Access creep: accumulating more and more access over time
• Violation of least privilege / need to know
Enforce compliance with controls
Regular awareness sessions

ISACA CISM Review Manual Page 136
Risk at Termination of Employment

Need to remove all access
Recover all organizational assets
• ID cards
• Laptops
• Remote access tokens
• BlackBerry / cellphone
• Documents
Review NDAs

ISACA CISM Review Manual Page 136
Risk During Employment Process

Hiring procedures
• Correct skills and experience
• Background checks
  • Criminal
  • Financial
  • References from former employers / associates

ISACA CISM Review Manual Page 136
Risks During Procurement

Need to purchase the 'right' equipment at the right price
• Improper buying practices
• Influence
• Kickbacks
• Piracy / imitations
• Inappropriate relations with / selection of vendors

Risk During Procurement cont.

Equipment not delivered according to specifications / contract terms
Equipment not configured / installed properly
Vendor not providing contracted maintenance according to maintenance agreements
Maintain correct patch levels

Reporting to Management

Regular reporting
• Standard format
• Scheduled basis
Consistent metrics to allow comparison of results over time
Reporting on an exceptional basis
• Following an event

ISACA CISM Review Manual Page 136
Training and Awareness

Among the most effective controls to mitigate risk is training of all personnel
• Awareness
• Training
• Education
Educate on policies, standards, practices
Creates accountability

ISACA CISM Review Manual Page 136
Training and Awareness

End users should receive training on:
• The importance of adhering to information security policies, standards, and procedures
• Clean desk policy
• Responding to incidents and emergencies
• Privacy and confidentiality requirements
• The security implications of logical access in an IT environment

ISACA CISM Review Manual Page 136
Training for End Users

Practical training topics
• Clean desk policy
• Responding to incidents and emergencies
• Privacy and confidentiality requirements
• Handling sensitive data and intellectual property
• The security requirements for access to IT systems

ISACA CISM Review Manual Page 136
Documentation

Typical risk management documentation includes:
• A risk register
• An inventory of information assets
• Threat and vulnerability analysis
• Control effectiveness report
• Initial risk rating
• Risk report (consequences and likelihood of compromise)
• A risk mitigation and action plan

ISACA CISM Review Manual Page 137
