Showing posts with label Risk Management. Show all posts

01/09/07

CISSP Cartoons: Identification vs Security Risk


Keep in a good mood while you study for the CISSP exam. Check out this information security cartoon that plays with identification and security risk:

[Cartoon: Identification vs Security Risk]
Please visit the site: http://www.glasbergen.com/

12/08/07

CISSP Terms and Definitions



Some definitions from Risk Management and Security Management that you need to know for the CISSP exam:

Value of information
Cost to acquire + value to owners + what others are willing to pay

Asset
Something of value (resource, product, data)

Probability (likelihood)
The chance or likelihood that an event (threat) will occur. Not to be confused with Exposure, defined below.

Risk
The potential for harm or loss.
Total risk = asset value * vulnerabilities * threats

Safeguard (Control or Countermeasure)
Risk reducing measure (reducing both impact and likelihood) and must allow for auditability and accountability.

Safeguard Effectiveness (%)
The degree to which a safeguard mitigates a given vulnerability, expressed as a percentage.

Threat
An event with the potential to cause an undesirable impact on the well-being of an asset.

Uncertainty (%)
Typically measured inversely with respect to confidence.

Exposure
Instance of being exposed to losses from specific threat.

Vulnerability
Absence or weakness of a safeguard (potential to allow a threat).

18/02/07

Risk Management


Risk Management
The processes of identifying, analyzing and assessing, and mitigating or transferring risk.

1st phase Risk Analysis - the process of analyzing a target environment and the relationships among its risk-related attributes. The analysis should identify threats and vulnerabilities; associate these vulnerabilities with the affected assets; identify the potential for, and the nature of, an undesirable result; and identify and evaluate risk-reducing countermeasures.
# This phase includes identifying risks and risk-reducing measures, and the budgetary impact of implementing decisions related to the acceptance, avoidance, or transfer of risk (it is more comprehensive than a Business Impact Analysis).

2nd phase Risk Assessment - the assignment of values to assets, threat frequency (annualized), consequence (i.e., exposure factors), and other elements of chance. The reported results of risk analysis can be said to provide an assessment or measurement of risk, regardless of the degree to which quantitative techniques are applied. Hereafter the term "risk assessment" is used to characterize both the process and the result of analyzing and assessing risk.
# This phase includes the process of assigning priority to, budgeting, implementing, and maintaining appropriate risk-reducing measures.

Concept:
Vulnerabilities allow threats to occur with greater frequency or greater impact. Intuitively, the more vulnerabilities there are, the greater the risk of loss.

Terms and Definitions:
Value of information = cost to acquire + value to owners + what others are willing to pay
Asset - something of value (resource, product, data)
Probability (likelihood) - the chance or likelihood that an event (threat) will occur (distinct from Exposure, below)
Risk - the potential for harm or loss. Total risk = asset value * vulnerabilities * threats
Safeguard (Control or Countermeasure) - risk reducing measure (reducing both impact and likelihood) and must allow for auditability and accountability.
Safeguard Effectiveness - (%) the degree to which a safeguard mitigates a given vulnerability.
Threat - an event with the potential to cause an undesirable impact on the well-being of an asset.
Uncertainty - (%) typically measured inversely with respect to confidence.
Exposure - instance of being exposed to losses from specific threat.
Vulnerability - absence or weakness of a safeguard (potential to allow a threat).

Calculation:
(ALE) Annualized Loss Expectancy: ALE = SLE x ARO (the annualized risk, in money terms)
(ARO) Annualized Rate of Occurrence: the expected frequency of the threat per year (0.0 = never occurs, 1.0 = once a year)
(EF) Exposure Factor: the magnitude of loss or impact, as the percentage of the asset's value lost in a single occurrence
(SLE) Single Loss Expectancy: SLE = Asset Value x EF
Putting it together: ALE = (Asset Value x EF) x ARO

Categories of Threats
• Data Classification - malicious code or logic
• Information Warfare - technically oriented terrorism
• Personnel - Unauthorized system access
• Application / Operational - ineffective security results in data entry errors
• Criminal - Physical destruction, or vandalism
• Environmental - utility outage, natural disaster
• Computer Infrastructure - Hardware failure, program errors
• Delayed Processing - reduced productivity, delayed collections processing

Central tasks of Information Risk Management - provide concerned management with the identification and assessment of risk, together with cost-justified recommendations for risk reduction, so that management can decide to avoid, accept or transfer each risk.
• Establish an IRM policy; fund an IRM team; select an IRM methodology and tools; identify and measure risk; project sizing.

Information Protection Environment (reports)
• Threat analysis - identification of threats that may impact the target environment;
• Asset identification and valuation - identify the assets (tangible and intangible), their replacement costs, further valuing of information asset (CIA);
• Vulnerability analysis - identify vulnerabilities that could increase the frequency or impact of threats.
• Risk evaluation - evaluation of all collected information regarding threats, vulnerabilities, assets and asset values in order to measure the associated chance and magnitude of loss (ALE).

Establish Risk Acceptance Criteria (common sources of resistance: ignorance, arrogance and fear)
• Mitigate Risk
• Safeguard Selection and Risk Mitigation Analysis
• Cost Benefit analysis
• Final Report
• Monitor Information Risk Management Performance

Elements of Risk Metrics
• Asset Value
• Threat Frequency and Exposure Factor (EF)
• Safeguard Effectiveness and Cost
• Uncertainty

Remedies
• Risk Reduction - implementation of safeguards to mitigate risk
• Risk Transference - insurance, transfer cost of loss to insurance company
• Risk Acceptance - accept the risk and face the chance of loss

Value Assessment - asset valuation is necessary to perform cost/benefit analysis, is needed for insurance, and supports safeguard choices

Safeguard Selection
• Asset valuation necessary to perform cost/benefit analysis
• Perform cost/benefit analysis
o ALE(PreControl) - ALE(PostControl) - Annual cost of the control = Annualized value of the control (a positive result means the safeguard is cost-justified; the gross reduction ALE(PreControl) - ALE(PostControl) alone overstates its value)
• Costs of safeguards need to be considered including
o Purchase, development and licensing costs
o Installation costs
o Disruption to production
o Normal operating costs
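The ALE calculation and the safeguard cost/benefit step above, as an added worked example (this is not code from the original post or from any of the books it cites). It implements SLE = Asset Value x EF, ALE = SLE x ARO and the net value of a control, ALE(pre) - ALE(post) - annual cost, and then picks the control with the best net value or falls back to accepting the risk. The asset value, exposure factors, rates of occurrence and safeguard costs are constructed for illustration, and the symmetric +/- uncertainty band on the ALE is an assumed simplification, not something the post specifies.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost/benefit (added example).

Formulas, as quoted in the post:
    SLE = Asset Value x EF
    ALE = SLE x ARO
    value of a control = ALE(pre) - ALE(post) - annual cost of the control
All figures below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    ef: float   # exposure factor: fraction of asset value lost per occurrence (0.0 to 1.0)
    aro: float  # annualized rate of occurrence: 0.0 never, 1.0 once a year, 12.0 monthly


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float  # purchase/licensing amortized per year + install + operating + disruption
    ef_after: float     # exposure factor that remains with the control in place
    aro_after: float    # rate of occurrence that remains with the control in place


def sle(asset_value: float, ef: float) -> float:
    """Single Loss Expectancy = Asset Value x EF."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError(f"EF must be a fraction between 0 and 1, got {ef}")
    return asset_value * ef


def ale(asset_value: float, ef: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    if aro < 0.0:
        raise ValueError(f"ARO cannot be negative, got {aro}")
    return sle(asset_value, ef) * aro


def ale_range(asset_value: float, ef: float, aro: float, uncertainty: float) -> Tuple[float, float]:
    """Bracket the ALE with a symmetric uncertainty band (0.25 = +/-25%, i.e. 75% confidence).
    Assumed simplification for this example; the post only states that uncertainty is
    measured inversely to confidence."""
    if not 0.0 <= uncertainty < 1.0:
        raise ValueError("uncertainty must be a fraction in [0, 1)")
    point = ale(asset_value, ef, aro)
    return point * (1.0 - uncertainty), point * (1.0 + uncertainty)


def safeguard_value(asset_value: float, threat: Threat, control: Safeguard) -> float:
    """ALE(pre) - ALE(post) - annual cost. Positive means the control pays for itself."""
    ale_pre = ale(asset_value, threat.ef, threat.aro)
    ale_post = ale(asset_value, control.ef_after, control.aro_after)
    return ale_pre - ale_post - control.annual_cost


def select_safeguard(asset_value: float, threat: Threat,
                     candidates: Sequence[Safeguard]) -> Optional[Tuple[Safeguard, float]]:
    """Return (control, net annual value) for the best cost-justified candidate.
    None means no candidate beats its own cost: the 'accept the risk' outcome."""
    scored = [(c, safeguard_value(asset_value, threat, c)) for c in candidates]
    best = max(scored, key=lambda pair: pair[1])
    return best if best[1] > 0.0 else None


# Constructed scenario: a customer database valued at $500,000 facing a ransomware threat.
ASSET_VALUE = 500_000.0
RANSOMWARE = Threat("ransomware", ef=0.60, aro=0.20)  # 60% of value lost, once every five years

CANDIDATES = (
    # Offline backups: do not stop the attack (ARO unchanged) but cut the loss per event.
    Safeguard("offline backups", annual_cost=15_000.0, ef_after=0.15, aro_after=0.20),
    # Endpoint detection: cuts the frequency, loss per successful event unchanged.
    Safeguard("endpoint detection", annual_cost=40_000.0, ef_after=0.60, aro_after=0.05),
    # Hot DR site: tiny residual loss, but it costs more than the risk it removes.
    Safeguard("hot DR site", annual_cost=80_000.0, ef_after=0.05, aro_after=0.20),
)


if __name__ == "__main__":
    print(f"SLE = {sle(ASSET_VALUE, RANSOMWARE.ef):,.0f}")
    print(f"ALE = {ale(ASSET_VALUE, RANSOMWARE.ef, RANSOMWARE.aro):,.0f}")
    low, high = ale_range(ASSET_VALUE, RANSOMWARE.ef, RANSOMWARE.aro, uncertainty=0.25)
    print(f"ALE with +/-25% uncertainty: {low:,.0f} .. {high:,.0f}")
    for c in CANDIDATES:
        print(f"{c.name:20s} net annual value = {safeguard_value(ASSET_VALUE, RANSOMWARE, c):,.0f}")
    choice = select_safeguard(ASSET_VALUE, RANSOMWARE, CANDIDATES)
    print("Recommendation:", f"{choice[0].name} ({choice[1]:,.0f}/yr)" if choice else "accept the risk")
```

With these constructed numbers the SLE is 300,000 and the ALE 60,000 a year. The hot DR site removes almost all of the loss but costs more than the ALE it eliminates, so its net value is negative; the offline backups come out best at a net 30,000 a year. That is the point of subtracting the annual cost: ranking controls by ALE reduction alone would have picked the DR site.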

Methods of Risk Analysis
Quantitative -
assigns objective numerical values ($ money).
Puts numbers on the value to be protected, each threat and its corresponding risk, the loss potential and frequency, and the controls, in order to predict monetary loss. (A major project that requires a detailed process plan.)
Preliminary Security Examination (PSE) - often conducted before the quantitative analysis; the PSE helps gather the elements that will be needed for the risk analysis itself.
Pros: assessment and results are based on measurable metrics (supported by statistical analysis); the CIA value expressed in monetary terms gives a credible basis for the cost/benefit assessment of risk mitigation; risk management performance can be tracked and evaluated; it speaks the language of management.
Cons: complex calculations; often not practical; a substantial amount of information must be gathered; no standard knowledge base.

Qualitative - addresses the intangible value of data loss and other issues that are not pure hard costs, by ranking threats in different scenarios or by the sensitivity of assets.
Relies on judgment, intuition and experience (highly subjective).
Methods - Delphi, brainstorming, storyboards
• List the threat and the frequency
• Create exposure rating scale for each scenario
• Scenario written that address each major threat
• Scenario reviewed by business users for reality check
• Risk Analysis team evaluates and recommends safeguards
• Work through each finalized scenario
• Submit findings to management
Pros: simple calculations; no need to determine the monetary value of information; no need to determine quantitative threat frequency and impact data; no need to estimate the cost of the recommended risk mitigation (or do a cost/benefit analysis); gives a general indication of the significant areas of risk.
Cons: the assessment and its results are subjective; the ranking may not reflect the actual value of the risk; no cost/benefit analysis of risk mitigation; no way to track risk management performance.

Tasks of Risk Assessment
• Project sizing (background, purpose, scope, constraints, objectives, responsibilities, approach)
• Threat Analysis (automated tools)
• Asset Identification and Valuation
• Replacement Costs

Risk Management (RM): security controls to reduce the effects of threats and vulnerabilities to a level that is tolerable (mitigate risk). Its three elements are asset, threat and vulnerability.

References:
Official (ISC)2 Guide to the CISSP Exam
CISSP All-in-One Exam Guide, Third Edition
CISSP: Certified Information Systems Security Professional Study Guide, Third Edition