CISM DOMAIN 2: Information Security Risk Management

Risk Identification
- External risks
  - Physical security breaches
  - Natural disasters
  - Supply chain disruptions
- Internal risks
  - Human error
  - Insider threats
  - System vulnerabilities
- Multiparty risks
  - Third-party vendor risks
  - Supply chain risks
  - Outsourcing risks
- Legacy systems
  - Outdated software
  - Hardware compatibility issues
  - Security vulnerabilities
  - Lack of vendor support
  - Difficulty in patching
- Intellectual property (IP) theft
  - Definition of intellectual property (IP)
  - Types of intellectual property (IP)
    - Trademarks
    - Copyrights
    - Patents
  - Methods of intellectual property (IP) theft
    - Hacking into systems to steal IP
    - Social engineering to extract IP
    - Insider threats stealing IP
- Software compliance/licensing risks
  - Non-compliance with software licensing agreements
  - Use of unlicensed software
  - Failure to update software licenses
  - Impact of software audits

Disaster Recovery Planning
- Disaster Types
  - Natural Disasters
  - Man-Made Disasters
  - Technological Disasters
- Business Impact Analysis
  - 4 core metrics
    - The mean time between failures (MTBF)
      - MTBF is a measure of the average time that a device or system will operate successfully before failing.
      - It helps organizations understand the reliability of their systems and plan for potential downtime.
      - By calculating MTBF, businesses can make informed decisions about maintenance schedules and disaster recovery plans.
    - The mean time to repair (MTTR)
      - MTTR is the average time taken to repair a system or component after a failure occurs.
      - It is an important metric in disaster recovery planning to ensure minimal downtime and optimal system availability.
    - The recovery time objective (RTO)
      - The RTO is the maximum acceptable length of time that a system can be down after a disaster.
      - It helps in determining the criticality of systems and setting priorities for recovery in the event of a disaster.
      - RTO is crucial for planning the resources needed for disaster recovery and ensuring business continuity.
    - The recovery point objective (RPO)
      - The RPO is the maximum targeted period in which data might be lost due to a major incident.
      - It helps in determining the acceptable amount of data loss in case of a disaster and guides the development of disaster recovery strategies.
      - The RPO is crucial for setting up backup frequency, storage capacity, and overall disaster recovery planning.

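An added example (not from these notes) that turns the four BIA metrics into checks on a disaster recovery plan: availability and expected yearly downtime derived from MTBF and MTTR, and whether the backup interval and the last tested recovery time fit within the RPO and RTO. The systems, field names and figures are constructed for illustration.

```python
# Added example (not from the CISM notes): checking a system's disaster
# recovery posture against the four BIA metrics (MTBF, MTTR, RTO, RPO).
# The systems and figures below are constructed sample values.
from dataclasses import dataclass

HOURS_PER_YEAR = 8760

@dataclass
class SystemProfile:
    name: str
    mtbf_hours: float             # mean time between failures
    mttr_hours: float             # mean time to repair
    rto_hours: float              # maximum acceptable downtime
    rpo_hours: float              # maximum acceptable data-loss window
    backup_interval_hours: float  # how often backups actually run
    tested_recovery_hours: float  # recovery time measured in the last DR test

def availability(p: SystemProfile) -> float:
    """Steady-state availability derived from MTBF and MTTR."""
    return p.mtbf_hours / (p.mtbf_hours + p.mttr_hours)

def expected_annual_downtime_hours(p: SystemProfile) -> float:
    """Failures per year (hours in a year / MTBF) times the repair time of each."""
    return (HOURS_PER_YEAR / p.mtbf_hours) * p.mttr_hours

def dr_gaps(p: SystemProfile) -> list[str]:
    """Where the plan or the observed repair performance misses RTO or RPO."""
    gaps = []
    if p.mttr_hours > p.rto_hours:
        gaps.append("MTTR exceeds RTO")
    if p.tested_recovery_hours > p.rto_hours:
        gaps.append("tested recovery time exceeds RTO")
    if p.backup_interval_hours > p.rpo_hours:
        gaps.append("backup interval exceeds RPO")
    return gaps

# Constructed sample systems: the first meets its objectives, the second does not.
SYSTEMS = [
    SystemProfile("Order database", mtbf_hours=2000, mttr_hours=4, rto_hours=8,
                  rpo_hours=1, backup_interval_hours=0.25, tested_recovery_hours=6),
    SystemProfile("File share", mtbf_hours=500, mttr_hours=12, rto_hours=4,
                  rpo_hours=4, backup_interval_hours=24, tested_recovery_hours=3),
]
```

A system with an empty gap list meets its RTO and RPO on both the plan's own figures and the last test's measurement; any gap reported is a BIA finding to feed back into the recovery priorities.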
Risk Calculation
- Risk Severity = Likelihood × Impact

Incident Management Framework
- Detection
  - Identify: monitoring tools, IPs, firewalls, users, notifications
- Response
  - Triage: is it really an incident? (decision to declare an incident)
- Mitigation
  - Correction & containment (e.g., malware: disconnect the device)
- Reporting
  - To relevant stakeholders, customers, legal, and regulatory bodies
- Recovery
  - Return to normal operations
- Remediation
  - Root cause is addressed
- Lessons Learned
  - Helps the org deal with recurrence; improves the IR process

Risk Assessment
- Quantitative Risk Analysis
  - Asset Value (AV)
  - Exposure Factor (EF)
  - Single Loss Expectancy (SLE) = AV × EF
  - Annual Rate of Occurrence (ARO)
- Qualitative Risk Analysis

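An added example (not from these notes) that applies the quantitative terms above (AV, EF, SLE, ARO) and the Risk Severity = Likelihood × Impact rule from Risk Calculation to a small risk register. It goes one step beyond the notes by carrying ARO through to the annualized loss expectancy (ALE = SLE × ARO), which is what lets a register be ranked and a control's cost compared with the loss it avoids. The register entries and all figures are constructed samples.

```python
# Added example (not from the CISM notes): scoring a small risk register both
# quantitatively (AV, EF, SLE, ARO and the derived annualized loss, ALE) and
# qualitatively (Risk Severity = Likelihood x Impact on a 5x5 matrix).
# All asset values, factors and rates below are constructed sample figures.
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    asset_value: float      # AV: value of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0..1)
    aro: float              # ARO: expected occurrences per year
    likelihood: int         # qualitative 1 (rare) .. 5 (almost certain)
    impact: int             # qualitative 1 (negligible) .. 5 (severe)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")

def sle(risk: Risk) -> float:
    """Single Loss Expectancy = AV x EF (loss from one occurrence)."""
    return round(risk.asset_value * risk.exposure_factor, 2)

def ale(risk: Risk) -> float:
    """Annualized Loss Expectancy = SLE x ARO (expected loss per year)."""
    return round(sle(risk) * risk.aro, 2)

def severity(risk: Risk) -> int:
    """Risk Severity = Likelihood x Impact, i.e. the cell of a 5x5 risk matrix."""
    return risk.likelihood * risk.impact

def rank_by_ale(register: list[Risk]) -> list[str]:
    """Risk names ordered by annualized loss, largest first, as a register would list them."""
    return [r.name for r in sorted(register, key=ale, reverse=True)]

def control_net_benefit(risk: Risk, new_ef: float, new_aro: float, annual_cost: float) -> float:
    """ALE before the control minus ALE after it, minus the control's yearly cost."""
    treated = Risk(risk.name, risk.asset_value, new_ef, new_aro, risk.likelihood, risk.impact)
    return round(ale(risk) - ale(treated) - annual_cost, 2)

# Constructed sample register.
REGISTER = [
    Risk("Ransomware on file server", 500_000, 0.40, 0.5, likelihood=4, impact=5),
    Risk("Laptop theft", 3_000, 1.00, 12, likelihood=5, impact=1),
    Risk("Data centre flood", 2_000_000, 0.25, 0.05, likelihood=1, impact=5),
]
```

Note how the two views disagree: the flood has the largest single loss (SLE) but the smallest annualized loss, while frequent laptop thefts outrank it on ALE despite a low matrix score, which is why a register usually reports both.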
Risk Treatment and Response
- Risk Mitigation
- Risk Acceptance
- Risk Avoidance
- Risk Transference

Risk Analysis
- Types/State of Risk
  - Inherent Risk: the amount of risk that exists in the absence of controls.
  - Residual Risk: the risk management has chosen to accept rather than mitigate.
  - Total Risk: the amount of risk an organization would face if no safeguards were implemented.

Risk Reporting
- Risk Register
- Risk Matrix

Privacy
- Sensitive Information
  - Personally identifiable information (PII)
  - Protected health information (PHI)
  - Financial information
  - Government information
- Information Classification
  - Top Secret
  - Secret
  - Confidential
  - Unclassified
- Data Roles and Responsibilities
  - Data controllers
  - Data stewards
  - Data custodians
  - Data processors
  - Data subjects
- Privacy-Enhancing Technologies
  - Hashing
  - Tokenization
  - Data masking

Risk Management Frameworks
- Frameworks
  - ISO/IEC 27001
  - ISO/IEC 27005
  - ISO/IEC 31010
  - NIST Special Publication 800-37
  - NIST SP 800-39
    - Multitier Risk Management
      - Enterprise-level risks
      - Process-level risks
      - Asset-level risks
  - COBIT 2019
  - Risk IT framework
  - RIMS Risk Maturity Model
- Framework Components
  - Program scope
  - Information risk objectives
  - Information risk policy
  - Risk appetite/tolerance
  - Roles and responsibilities
  - Risk management life-cycle process
  - Risk management documentation
  - Management review

Cybersecurity Threats
- Classifying Cybersecurity Threats
  - Threat Identification
    - Internal Threats
    - External Threats
    - Examples of Internal & External Human-made Threats
      - Leak data via e-mail
      - Leak data via upload to unauthorized system
      - Leak data via external USB storage device or medium
      - Leak information face-to-face with unauthorized person
      - Perform a programming error
      - Misconfigure a system or device
      - Shut down an application, system, or device
      - Error perpetrated by any internal staff
      - Phishing attack
      - Social engineering attack
      - Share login credential with another person
      - Install or run unauthorized software program
      - Copy sensitive data to unauthorized device or system
      - Destroy or remove sensitive or critical information
      - Retrieve discarded, recycled, or shredded information
      - Conduct security scan
      - Conduct denial-of-service attack
      - Conduct physical attack on systems or facilities
      - Conduct credential-guessing attack
      - Eavesdrop on a sensitive communication
      - Impersonate another individual
      - Obtain sensitive information through illicit means
      - Cause data integrity loss through any action
      - Intercept network traffic
      - Obtain sensitive information through programmatic data leakage
      - Perform reconnaissance as part of an attack campaign
      - Conduct a social engineering attack
      - Power anomaly or failure
      - Communications failure
      - Heating, venting, or air-conditioning failure
      - Degradation of electronic media
      - Fire
      - Smoke damage
      - Fire retardant damage
      - Flood due to water main break or drainage failure
      - Vandalism
      - Demonstrations/protests/picketing
      - Terrorist attack
      - Electromagnetic pulse
      - Explosion
      - Bombing
    - Examples of Internal & External Natural Threats
      - Forest fire or range fire
      - Smoke damage from forest fire or range fire
      - River flood
      - Landslide
      - Avalanche
      - Tornado
      - Hurricane
      - Wind storm
      - Hailstorm
      - Earthquake
      - Tsunami
      - Lightning
      - Epidemic
      - Explosion of naturally occurring substances
      - Solar storm
- Threat Actors
- Threat Vectors
- Threat Data and Intelligence
  - Open Source Intelligence
  - Proprietary and Closed Source Intelligence
  - Threat Indicator Management and Exchange

Risk Management Life Cycle
- Risk Management Methodologies
  - NIST Standards
    - NIST SP 800-30
      - Steps
        - Step 1: Prepare for assessment
        - Step 2: Conduct assessment
          - Identify threat sources and events
          - Identify vulnerabilities and predisposing conditions
          - Determine likelihood of occurrence
          - Determine magnitude of impact
          - Determine risk
        - Step 3: Communicate results
        - Step 4: Maintain assessment
    - 7 steps of NIST SP 800-37
      - Prepare to execute the RMF
      - Categorize information systems
      - Select security controls
      - Implement security controls
      - Assess the security controls
      - Authorize the system
      - Monitor security controls
    - NIST SP 800-39
      - 3 Tiers
        - Tier 1: Organization view
        - Tier 2: Mission/business process view
        - Tier 3: Information systems view
      - Risk Management Process
        - Step 1: Risk framing
        - Step 2: Risk assessment
        - Step 3: Risk response
        - Step 4: Risk monitoring
  - ISO Standards
    - ISO/IEC 27005
      - Step 1: Establish context
        - Scope of the risk assessment
        - Purpose of the risk assessment
        - Risk evaluation criteria
        - Impact criteria
        - Risk acceptance criteria
        - Logistical plan
      - Step 2: Risk assessment
        - Asset identification
        - Threat identification
        - Control identification
        - Vulnerability identification
        - Consequences identification
      - Step 3: Risk evaluation
      - Step 4: Risk treatment
        - Risk reduction (aka risk mitigation)
        - Risk retention (aka risk acceptance)
        - Risk avoidance
        - Risk transfer
      - Step 5: Risk communication
      - Step 6: Risk monitoring and review
  - Factor Analysis of Information Risk (FAIR)
    - 6 types of loss
      - Productivity: lost productivity caused by the incident
      - Response: the cost expended in incident response
      - Replacement: the expense required to rebuild or replace an asset
      - Fines and judgments: all forms of legal costs resulting from the incident
      - Competitive advantage: loss of business to other organizations
      - Reputation: loss of goodwill and future business
    - Guides
      - Access: reading data without authorization
      - Misuse: using an asset differently from its intended usage
      - Disclose: sharing data with other unauthorized parties
      - Modify: modifying assets
      - Deny use: preventing legitimate subjects from accessing assets
  - ISACA’s Risk IT Framework
    - Collect Data (RE1)
    - Analyze Risk (RE2)
    - Maintain Risk Profile (RE3)