ISC(2) CISSP Revision Notes – Information Security Governance and Risk Management
Warning: In NO way should these notes be used as your sole source of study for the CISSP exam. These notes completely lack things that could be included on your exam. I in no way provide any guarantee or assurance that these notes are correct or satisfactory for your learning. For further information see my CISSP Study and Exam Tips.
ISC(2) CISSP Revision Notes – Study and Exam Tips
ISC(2) CISSP Revision Notes – Overarching Themes for the CISSP
ISC(2) CISSP Revision Notes – Access Control
ISC(2) CISSP Revision Notes – Business Continuity and Disaster Planning
ISC(2) CISSP Revision Notes – Cryptography
ISC(2) CISSP Revision Notes – Information Security Governance and Risk Management (You are here)
ISC(2) CISSP Revision Notes – Legal, Regulatory, Investigations and Compliance
ISC(2) CISSP Revision Notes – Operations Security
ISC(2) CISSP Revision Notes – Security Architectural Design
ISC(2) CISSP Revision Notes – Software Development Security
ISC(2) CISSP Revision Notes – Telecommunications and Network Security
Management is ultimately responsible for overall information security. Information security professionals report security issues and make recommendations; they do not own the risk.
CIA Triad:
- Confidentiality: Only those we have authorised can view the data
- Integrity: Data is not modified without authorisation and is consistent
- Availability: Data and systems are reliable and accessible in a timely manner
Defense in Depth: Holistic and multiple layers of protection
Data Classification: Assign a value to our data
- Value (monetary or intrinsic)
- Age or useful life
- Regulatory compliance
Classification Levels
- Unclassified: Disclosure won't cause harm to national security (can also include "For Official Use Only" or "For Internal Use Only")
- Sensitive but Unclassified (SBU): Usually private or personal, eg HR or medical records
- Confidential: Disclosure could cause damage to national security
- Secret: Disclosure could cause serious damage to national security
- Top Secret: Disclosure could cause exceptionally grave damage to national security
Mission – Long Term – Reason for existence
Goals – Medium Term – What we hope to accomplish
Objectives – Short Term – Specific, measurable steps towards the goals
Governance: System of policies, standards, baselines, guidelines and procedures that direct the day to day running of our organization
Policies: Basis for the information security programme
- A formal statement, issued by senior management
- High level: objectives, responsibilities, ethics and beliefs, requirements (not the technical detail)
- Regulatory: Mandated by law or regulation; we must do something
- Advisory: Optional but strongly recommended, with consequences for ignoring it (most common kind)
- Informative: Provides information only; nothing mandated
Standards: Specific mandatory requirements that implement policy, eg use Nginx for web servers
Baselines: Minimum level of security that every system of a given type must meet; a consistent starting point
Guidelines: Recommendations, not mandatory, eg a document containing HR information should probably be classified as secret
Procedures: Detailed instructions and/or step by step guides for carrying out a task
Information Security Governance Practice
3rd Parties: Governance should address outsourcing, vendors and other third parties who handle our data or systems
SLAs: Minimum performance requirements we hold the third party to
Personnel Security Policies & Practices
Background Checks
- Reference checks, verification, criminal records, credit records, drug tests
Employment Agreements
- NDAs, AUP, Job Descriptions
Hiring & Termination
- Procedures to use (eg induction)
- Return keys, tokens, disable accounts, etc
Job Description
- Legal basis for authority or actions, basis of proving negligence
Techniques
Separation of Duties: No single person controls a whole critical process. Reduces opportunity for waste, abuse or fraud and reduces dependency on individuals.
Job Rotation: Reduces collusion (fraud needs a second person who will soon be moved) and gives the same benefits as above; also cross-trains staff
Security Roles & Responsibilities
Management: Set policy, lead by example, reward as appropriate, Overall Responsibility
Owner: Senior manager who is responsible for the data's safeguards; determines classification levels and access, keeps inventories, may delegate day to day responsibilities but not accountability
Custodian: Day to day responsibility, often IT teams responsible for backups, permissions, user setup, etc
Users: Comply with security requirements, due care, may need training and reporting
Risk Management Concepts
Threat: A circumstance that could have an undesirable impact on an asset
Vulnerability: Absence or weakness of a safeguard which increases the potential of a threat being more damaging
Asset: Resource, process, product or system which has value to the organization
Threat X Vulnerability = Risk
Risk Identification
Occurs during risk assessment
Asset valuation
- Quantitative (monetary) or Qualitative (ranked)
- Costs to consider: initial and maintenance costs, value to the organization, external (intangible) costs such as reputation
Threat Analysis: Define the threat, identify the consequences if it occurs, estimate frequency and probability
- Threats can be natural or man-made
Vulnerability Assessment: Identifies weaknesses; gives the baseline for determining appropriate safeguards
Risk Analysis
- 1 – Asset Valuation (AV): Identify assets needing protection and what they are worth
- 2 – Threat Analysis: Specific threats, their frequency and impact
- 3 – Single Loss Expectancy (SLE): How much will one loss cost? SLE = AV X Exposure Factor (EF, the fraction of the asset lost in one incident)
- 4 – Annualised Rate of Occurrence (ARO): How many times a year might it happen?
- 5 – Annualised Loss Expectancy (ALE) = SLE X ARO
- 6 – Risk Control: Identify safeguards and select risk treatment
- Qualitative Risk Analysis
- Subjective (no complex calculations)
- Low amount of work required
- But no certainty
- More difficult to communicate
- Quantitative Risk Analysis
- Cost benefit analysis is possible
- Fewer assumptions and guesses
- More complex and more work required
- High volume of data required
Risk Treatment
- Safeguards reduce risk
- Reduction: Alter or eliminate a risk
- Assignment/Transference: Transfer to a third party (eg insurance)
- Acceptance: Do nothing (or nothing more)
Cost Effectiveness
- ALE Before – ALE After – Annual Cost of Safeguard = Value of Safeguard
- A safeguard is only cost justified if its value is positive (it saves more per year than it costs)
- Due care: if a safeguard costs less than the loss it would have prevented and we did not implement it, we can be held legally liable for negligence
- Operational Impact: How difficult will it be to operate and maintain?
- Technical Impact: Shouldn't introduce additional vulnerabilities
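The six risk analysis steps and the cost effectiveness calculation above are one procedure, so here is the whole chain worked through in code. This is an added example, not part of the original revision notes: the web server, the threat figures and the three candidate safeguards are constructed for illustration, and the hypothetical `recommend` function simply applies the rule that a safeguard is worth buying only if its value (ALE before minus ALE after minus annual cost) is positive, otherwise the risk is accepted or transferred.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and safeguard cost-benefit.

Added worked example; not from the original notes. The asset, threat and
safeguard figures below are constructed for illustration only.

  SLE = AV * EF                 single loss expectancy
  ALE = SLE * ARO               annualised loss expectancy
  Value = ALE_before - ALE_after - ACS   value of a safeguard
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Exposure:
    """Exposure of one asset to one threat."""
    asset_value: float       # AV: value of the asset (monetary units)
    exposure_factor: float   # EF: fraction of AV lost in a single incident, 0.0..1.0
    aro: float               # ARO: expected number of incidents per year

    def __post_init__(self) -> None:
        # Reject inputs that would silently produce nonsense figures.
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised Loss Expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float   # ACS: purchase cost amortised per year plus maintenance
    residual: Exposure   # the exposure that remains once the safeguard is in place


def safeguard_value(before: Exposure, safeguard: Safeguard) -> float:
    """Value of safeguard = ALE(before) - ALE(after) - ACS. Positive means it pays for itself."""
    return before.ale() - safeguard.residual.ale() - safeguard.annual_cost


def recommend(before: Exposure, options: Sequence[Safeguard]) -> Tuple[str, Optional[Safeguard]]:
    """Hypothetical decision rule: take the highest-value safeguard if its value is
    positive (risk reduction); otherwise no control is cost justified and the
    remaining treatments are acceptance or transfer (eg insurance)."""
    ranked = sorted(options, key=lambda s: safeguard_value(before, s), reverse=True)
    if ranked and safeguard_value(before, ranked[0]) > 0:
        return "reduce", ranked[0]
    return "accept or transfer", None


# Constructed scenario: a customer-facing web server worth 200,000, where a breach
# destroys a quarter of that value and is expected once every two years.
WEB_SERVER = Exposure(asset_value=200_000, exposure_factor=0.25, aro=0.5)

OPTIONS = [
    # Cuts ARO (fewer successful attacks); damage per incident unchanged.
    Safeguard("web application firewall", annual_cost=8_000,
              residual=Exposure(200_000, 0.25, 0.1)),
    # Cuts EF (faster recovery from backups); attack frequency unchanged.
    Safeguard("tested offline backups", annual_cost=4_000,
              residual=Exposure(200_000, 0.10, 0.5)),
    # Very effective, but its annual cost exceeds the whole ALE it protects.
    Safeguard("full application rewrite", annual_cost=30_000,
              residual=Exposure(200_000, 0.25, 0.05)),
]

if __name__ == "__main__":
    print(f"SLE = {WEB_SERVER.sle():,.0f}  ALE = {WEB_SERVER.ale():,.0f}")
    for sg in OPTIONS:
        print(f"{sg.name:26s} ALE after = {sg.residual.ale():>7,.0f}"
              f"  value = {safeguard_value(WEB_SERVER, sg):>8,.0f}")
    treatment, best = recommend(WEB_SERVER, OPTIONS)
    print("treatment:", treatment, "->", best.name if best else "no safeguard")
```

With these figures the SLE is 50,000 and the ALE 25,000 a year; the firewall is worth 12,000, the backups 11,000, and the rewrite is worth minus 7,500 even though it reduces the ALE the most, which is exactly why the exam wants the annual cost of the safeguard in the formula and not just the reduction in loss.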
Security Education, Training & Awareness
Needs senior management support. Explain how security supports the organization, tailor it to the user's requirements, and follow up to confirm it was understood.
Awareness: Induction and orientation, printed materials and presentations
Training: Classroom, on the job, technical and vendor
Education: College, CISSP, etc