ISC(2) CISSP Revision Notes – Information Security Governance and Risk Management


In NO way should these notes be used as your sole source of study for the CISSP exam.  These notes lack things completely that could be included on your exam.  I in no way provide any guarantee or assurance that these notes are correct or satisfactory for your learning.  For further information see my CISSP Study and Exam Tips.

Management is ultimately responsible for overall information security.  Information Security Professionals report security issues and make recommendations.

CIA Triad:

  • Confidentiality: Only those we authorise can view the data
  • Integrity: No unauthorised modification of the data, and the data is consistent
  • Availability: The data is reliably accessible in a timely manner

Defense in Depth: Holistic and multiple layers of protection

Data Classification: Assign a value to our data

  • Value (monetary or intrinsic)
  • Age or useful life
  • Regulatory compliance

Classification Levels

  • Unclassified: Disclosure won’t cause harm to national security (can also include “For Official Use Only” or “For Internal Use Only”)
  • Sensitive but Unclassified (SBU): Usually private or personal, eg HR records
  • Confidential: Could cause damage to national security
  • Secret: Could cause serious damage to national security
  • Top Secret: Could cause grave damage to national security

Mission – Long Term – Reason for Existence

Goals – Medium Term – What do we Hope to Accomplish

Objectives – Short Term – What we Hope to Accomplish

Governance: System of policies, procedures, guidelines etc that help the day to day running of our organization

Policies: Basis for Information Security Policy

  • A formal statement
  • Issued by senior management
  • Covers high level objectives, responsibilities, ethics and beliefs, and requirements

Regulatory: Mandated to do something

Advisory: Optional but highly recommended (most common kind)

Informative: Provides information only; no action is required

Standards: Specific mandated requirements, eg use Nginx for web servers

Baselines: A consistent minimum level of security that must be met

Guidelines: Recommendations, eg a document with HR information may be secret

Procedures: Detailed instructions and/or step by step guides

Information Security Governance Practice

3rd Parties: Governance should also address third party relationships

SLAs: Minimum performance requirements

Personnel Security Policies & Practices

Background Checks

  • Reference checks, verification, criminal records, credit records, drug tests

Employment Agreements

  • NDAs, AUP, Job Descriptions

Hiring & Termination

  • Procedures to use (eg induction)
  • Return keys, tokens, disable accounts, etc

Job Description

  • Legal basis for authority or actions, basis of proving negligence

Techniques

Separation of Duties: Reduces opportunity for waste, abuse or fraud.  Reduces dependencies on individuals.

Job Rotation: Reduces collusion, plus the benefits above

Security Roles & Responsibilities

Management: Set policy, lead by example, reward as appropriate, Overall Responsibility

Owner: Senior manager who is responsible for data safeguards, determines classification levels, access and inventories, and may delegate day to day responsibilities

Custodian: Day to day responsibility, often IT teams responsible for backups, permissions, user setup, etc

Users: Comply with security requirements, due care, may need training and reporting

Risk Management Concepts

Threat: A circumstance that could have an undesirable impact on an asset

Vulnerability: Absence or weakness of a safeguard which increases the potential of a threat being more damaging

Asset: Resource, process, product or system which has value to the organization

Threat X Vulnerability = Risk

Risk Identification

Occurs during risk assessment

Asset valuation

  • Quantitative or Qualitative
  • Costs: initial and maintenance costs, organizational value, external (intangible) costs
  • Threat Analysis: Define the threat, identify consequences if threat occurs, frequency and probability
  • Threat can be natural or man-made

Vulnerability Assessment: baseline for determining appropriate safeguards

Risk Analysis

  • 1 – Asset Valuation: Identify the assets needing protection
  • 2 – Threat Analysis: Specific threats, their frequency and impact
  • 3 – Single Loss Expectancy (SLE): How much will a single loss cost?
  • 4 – Annualised Rate of Occurrence (ARO): How often a year might it happen?
  • 5 – Annualised Loss Expectancy (ALE) = SLE X ARO
  • 6 – Risk Control: Identify and evaluate risk controls
  • Qualitative Risk Analysis
    • Subjective (no complex calculations)
    • Low amount of work required
    • But no certainty
    • More difficult to communicate
  • Quantitative Risk Analysis
    • Cost benefit analysis is possible
    • Fewer assumptions and guesses
    • More complex and more work required
    • High volume of data required

Risk Treatment

  • Safeguards reduce risk
  • Reduction: Alter or eliminate a risk
  • Assignment/Transference: Transfer to a third party (eg insurance)
  • Acceptance: Do nothing (or nothing more)

Cost Effectiveness

  • ALE Before – ALE After – Cost of Safeguard = Value of Safeguard
  • Legal liability if value is less than cost
  • Operational Impact: How difficult will it be to operate?
  • Technical Impact: Shouldn’t introduce additional vulnerabilities
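A worked quantitative calculation tying the SLE/ARO/ALE steps above to the cost effectiveness formula, as an added Python example that is not part of the original notes; the asset value, exposure factor (the fraction of the asset lost per incident, a standard term not in the notes above) and the candidate safeguards are constructed sample figures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    """Candidate control with its yearly cost and the residual SLE/ARO once it is in place."""
    name: str
    annual_cost: float
    sle_after: float
    aro_after: float


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of the asset lost per incident)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualised_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, the expected loss per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Value of safeguard = ALE before - ALE after - cost of safeguard (formula from the notes)."""
    return ale_before - ale_after - annual_cost


def rank_safeguards(ale_before: float, candidates: list) -> list:
    """(name, value) pairs, best first; a negative value means the control costs more than it saves."""
    scored = [(s.name, safeguard_value(ale_before, annualised_loss_expectancy(s.sle_after, s.aro_after),
                                        s.annual_cost)) for s in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample figures: a web server valued at 200,000 of which a compromise
# destroys 25%, expected about twice a year without any new control.
ASSET_VALUE, EXPOSURE_FACTOR, ARO_BEFORE = 200_000.0, 0.25, 2.0
SLE_BEFORE = single_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR)   # 50,000
ALE_BEFORE = annualised_loss_expectancy(SLE_BEFORE, ARO_BEFORE)    # 100,000
CANDIDATES = [
    Safeguard("web application firewall", 20_000.0, SLE_BEFORE, 0.5),
    Safeguard("gold-plated appliance", 96_000.0, SLE_BEFORE, 0.25),
    Safeguard("hardened build and patching", 12_000.0, 25_000.0, 1.0),
]

if __name__ == "__main__":
    for name, value in rank_safeguards(ALE_BEFORE, CANDIDATES):
        verdict = "worth implementing" if value > 0 else "costs more than it saves"
        print(f"{name:28s} value per year = {value:>10,.0f}  ({verdict})")
```

The ranking shows why the cheapest control is not automatically the best and why an expensive control can have negative value even though it cuts the ARO the most.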

Security Education, Training & Awareness

Needs senior management support; should show how security supports our organization, cover user requirements, and include follow up

Awareness: Induction and orientation, printed materials and presentations

Training: Classroom, on the job, technical and vendor

Education: College, CISSP, etc

